But if you think of cultivating hacker attitudes as just a way to gain acceptance in the culture, you'll miss the point. Becoming the kind of
person who believes these things is important for you: for helping you learn and keeping you motivated. As with all creative arts, the
most effective way to become a master is to imitate the mind-set of masters, not just intellectually but emotionally as well.
Or, as the following modern Zen poem has it:
To follow the path:
look to the master,
follow the master,
walk with the master,
see through the master,
become the master.
So, if you want to be a hacker, repeat the following things until you believe them:
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Volume 1 , P/HUN Issue #2 , Phile #8 of 9
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
+++++++++++++++++++++++++++++++++++++++++++++++++
| The LOD/H Presents |
++++++++++++++++ ++++++++++++++++
\ A Novice's Guide to Hacking- 1989 edition /
\ ========================================= /
\ by /
\ The Mentor /
\ Legion of Doom/Legion of Hackers /
\ /
\ December, 1988 /
\ Merry Christmas Everyone! /
\+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++/
**********************************************************************
| The author hereby grants permission to reproduce, redistribute,    |
| or include this file in your g-file section, electronic or print   |
| newsletter, or any other form of transmission that you choose, as  |
| long as it is kept intact and whole, with no omissions, deletions, |
| or changes. (C) The Mentor- Phoenix Project Productions            |
| 1988,1989 512/441-3088                                             |
**********************************************************************
Introduction: The State of the Hack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
After surveying a rather large g-file collection, my attention was drawn to
the fact that there hasn't been a good introductory file written for absolute
beginners since back when Mark Tabas was cranking them out (and almost
*everyone* was a beginner!) The Arts of Hacking and Phreaking have changed
radically since that time, and as the 90's approach, the hack/phreak community
has recovered from the Summer '87 busts (just like it recovered from the Fall
'85 busts, and like it will always recover from attempts to shut it down), and
the progressive media (from Reality Hackers magazine to William Gibson and
Bruce Sterling's cyberpunk fables of hackerdom) is starting to take notice
of us for the first time in recent years in a positive light.
Unfortunately, it has also gotten more dangerous since the early 80's.
Phone cops have more resources, more awareness, and more intelligence than they
exhibited in the past. It is becoming more and more difficult to survive as
a hacker long enough to become skilled in the art. To this end this file
is dedicated. If it can help someone get started, and help them survive
to discover new systems and new information, it will have served its purpose,
and served as a partial repayment to all the people who helped me out when I
was a beginner.
Contents
~~~~~~~~
This file will be divided into four parts:
Part 1: What is Hacking, A Hacker's Code of Ethics, Basic Hacking Safety
Part 2: Packet Switching Networks: Telenet- How it Works, How to Use it,
Outdials, Network Servers, Private PADs
Part 3: Identifying a Computer, How to Hack In, Operating System
Defaults
Part 4: Conclusion- Final Thoughts, Books to Read, Boards to Call,
Acknowledgements
Part One: The Basics
~~~~~~~~~~~~~~~~~~~~
As long as there have been computers, there have been hackers. In the 50's
at the Massachusetts Institute of Technology (MIT), students devoted much time
and energy to ingenious exploration of the computers. Rules and the law were
disregarded in their pursuit of the 'hack'. Just as they were enthralled with
their pursuit of information, so are we. The thrill of the hack is not in
breaking the law, it's in the pursuit and capture of knowledge.
To this end, let me contribute my suggestions for guidelines to follow to
ensure that not only you stay out of trouble, but you pursue your craft without
damaging the computers you hack into or the companies who own them.
I. Do not intentionally damage *any* system.
II. Do not alter any system files other than ones needed to ensure your
escape from detection and your future access (Trojan Horses, Altering
Logs, and the like are all necessary to your survival for as long as
possible.)
III. Do not leave your (or anyone else's) real name, real handle, or real
phone number on any system that you access illegally. They *can* and
will track you down from your handle!
IV. Be careful who you share information with. Feds are getting trickier.
Generally, if you don't know their voice phone number, name, and
occupation or haven't spoken with them voice on non-info trading
conversations, be wary.
V. Do not leave your real phone number to anyone you don't know. This
includes logging on boards, no matter how k-rad they seem. If you
don't know the sysop, leave a note telling some trustworthy people
that will validate you.
VI. Do not hack government computers. Yes, there are government systems
that are safe to hack, but they are few and far between. And the
government has infinitely more time and resources to track you down than
a company who has to make a profit and justify expenses.
VII. Don't use codes unless there is *NO* way around it (you don't have a
local telenet or tymnet outdial and can't connect to anything 800...)
You use codes long enough, you will get caught. Period.
VIII. Don't be afraid to be paranoid. Remember, you *are* breaking the law.
It doesn't hurt to store everything encrypted on your hard disk, or
keep your notes buried in the backyard or in the trunk of your car.
You may feel a little funny, but you'll feel a lot funnier when you
meet Bruno, your transvestite cellmate who axed his family to
death.
IX. Watch what you post on boards. Most of the really great hackers in the
country post *nothing* about the system they're currently working
except in the broadest sense (I'm working on a UNIX, or a COSMOS, or
something generic. Not "I'm hacking into General Electric's Voice Mail
System" or something inane and revealing like that.)
X. Don't be afraid to ask questions. That's what more experienced hackers
are for. Don't expect *everything* you ask to be answered, though.
There are some things (LMOS, for instance) that a beginning hacker
shouldn't mess with. You'll either get caught, or screw it up for
others, or both.
XI. Finally, you have to actually hack. You can hang out on boards all you
want, and you can read all the text files in the world, but until you
actually start doing it, you'll never know what it's all about. There's
no thrill quite the same as getting into your first system (well, ok,
I can think of a couple of bigger thrills, but you get the picture.)
One of the safest places to start your hacking career is on a computer
system belonging to a college. University computers have notoriously lax
security, and are more used to hackers, as every college computer department
has one or two, so are less likely to press charges if you should
be detected. But the odds of them detecting you and having the personnel to
commit to tracking you down are slim as long as you aren't destructive.
If you are already a college student, this is ideal, as you can legally
explore your computer system to your heart's desire, then go out and look
for similar systems that you can penetrate with confidence, as you're already
familiar with them.
So if you just want to get your feet wet, call your local college. Many of
them will provide accounts for local residents at a nominal (under $20) charge.
Finally, if you get caught, stay quiet until you get a lawyer. Don't vol-
unteer any information, no matter what kind of 'deals' they offer you.
Nothing is binding unless you make the deal through your lawyer, so you might
as well shut up and wait.
Part Two: Networks
~~~~~~~~~~~~~~~~~~
The best place to begin hacking (other than a college) is on one of the
bigger networks such as Telenet. Why? First, there is a wide variety of
computers to choose from, from small Micro-Vaxen to huge Crays. Second, the
networks are fairly well documented. It's easier to find someone who can help
you with a problem off of Telenet than it is to find assistance concerning your
local college computer or high school machine. Third, the networks are safer.
Because of the enormous number of calls that are fielded every day by the big
networks, it is not financially practical to keep track of where every call and
connection are made from. It is also very easy to disguise your location using
the network, which makes your hobby much more secure.
Telenet has more computers hooked to it than any other system in the world
once you consider that from Telenet you have access to Tymnet, ItaPAC, JANET,
DATAPAC, SBDN, PandaNet, THEnet, and a whole host of other networks, all of
which you can connect to from your terminal.
The first step that you need to take is to identify your local dialup port.
This is done by dialing 1-800-424-9494 (1200 7E1) and connecting. It will
spout some garbage at you and then you'll get a prompt saying 'TERMINAL='.
This is your terminal type. If you have vt100 emulation, type it in now. Or
just hit return and it will default to dumb terminal mode.
You'll now get a prompt that looks like a @. From here, type @c mail <cr>
and then it will ask for a Username. Enter 'phones' for the username. When it
asks for a password, enter 'phones' again. From this point, it is menu
driven. Use this to locate your local dialup, and call it back locally. If
you don't have a local dialup, then use whatever means you wish to connect to
one long distance (more on this later.)
When you call your local dialup, you will once again go through the
TERMINAL= stuff, and once again you'll be presented with a @. This prompt lets
you know you are connected to a Telenet PAD. PAD stands for either Packet
Assembler/Disassembler (if you talk to an engineer), or Public Access Device
(if you talk to Telenet's marketing people.) The first description is more
correct.
Telenet works by taking the data you enter in on the PAD you dialed into,
bundling it into a 128 byte chunk (normally... this can be changed), and then
transmitting it at speeds ranging from 9600 to 19,200 baud to another PAD, which
then takes the data and hands it down to whatever computer or system it's
connected to. Basically, the PAD allows two computers that have different baud
rates or communication protocols to communicate with each other over a long
distance. Sometimes you'll notice a time lag in the remote machine's response.
This is called PAD Delay, and is to be expected when you're sending data
through several different links.
What do you do with this PAD? You use it to connect to remote computer
systems by typing 'C' for connect and then the Network User Address (NUA) of
the system you want to go to.
An NUA takes the form of   031103130002520
                           \___/\___/\___/
                             |    |    |
                             |    |    |____ network address
                             |    |_________ area prefix
                             |______________ DNIC
This is a summary of DNIC's (taken from Blade Runner's file on ItaPAC)
according to their country and network name.
 DNIC   Network Name     Country           |   DNIC   Network Name     Country
___________________________________________|___________________________________________
 02041  Datanet 1        Netherlands       |   03110  Telenet          USA
 02062  DCS              Belgium           |   03340  Telepac          Mexico
 02080  Transpac         France            |   03400  UDTS-Curacao     Curacao
 02284  Telepac          Switzerland       |   04251  Isranet          Israel
 02322  Datex-P          Austria           |   04401  DDX-P            Japan
 02329  Radaus           Austria           |   04408  Venus-P          Japan
 02342  PSS              UK                |   04501  Dacom-Net        South Korea
 02382  Datapak          Denmark           |   04542  Intelpak         Singapore
 02402  Datapak          Sweden            |   05052  Austpac          Australia
 02405  Telepak          Sweden            |   05053  Midas            Australia
 02442  Finpak           Finland           |   05252  Telepac          Hong Kong
 02624  Datex-P          West Germany      |   05301  Pacnet           New Zealand
 02704  Luxpac           Luxembourg        |   06550  Saponet          South Africa
 02724  Eirpak           Ireland           |   07240  Interdata        Brazil
 03020  Datapac          Canada            |   07241  Renpac           Brazil
 03028  Infogram         Canada            |   09000  Dialnet          USA
 03103  ITT/UDTS         USA               |   07421  Dompac           French Guiana
 03106  Tymnet           USA               |
There are two ways to find interesting addresses to connect to. The first
and easiest way is to obtain a copy of the LOD/H Telenet Directory from the
LOD/H Technical Journal #4 or 2600 Magazine. Jester Sluggo also put out a good
list of non-US addresses in Phrack Inc. Newsletter Issue 21. These files will
tell you the NUA, whether it will accept collect calls or not, what type of
computer system it is (if known) and who it belongs to (also if known.)
The second method of locating interesting addresses is to scan for them
manually. On Telenet, you do not have to enter the 03110 DNIC to connect to a
Telenet host. So if you saw that 031104120006140 had a VAX on it you wanted to
look at, you could type @c 412 614 (0's can be ignored most of the time.)
If this node allows collect billed connections, it will say 412 614
CONNECTED and then you'll possibly get an identifying header or just a
Username: prompt. If it doesn't allow collect connections, it will give you a
message such as 412 614 REFUSED COLLECT CONNECTION with some error codes out to
the right, and return you to the @ prompt.
There are two primary ways to get around the REFUSED COLLECT message. The
first is to use a Network User Id (NUI) to connect. An NUI is a username/pw
combination that acts like a charge account on Telenet. To connect to node
412 614 with NUI junk4248, password 525332, I'd type the following:
@c 412 614,junk4248,525332 <---- the 525332 will *not* be echoed to the
screen. The problem with NUI's is that they're hard to come by unless you're
a good social engineer with a thorough knowledge of Telenet (in which case
you probably aren't reading this section), or you have someone who can
provide you with them.
The second way to connect is to use a private PAD, either through an X.25
PAD or through something like Netlink off of a Prime computer (more on these
two below.)
The prefix in a Telenet NUA oftentimes (not always) refers to the phone Area
Code that the computer is located in (i.e. 713 xxx would be a computer in
Houston, Texas.) If there's a particular area you're interested in, (say,
New York City 914), you could begin by typing @c 914 001 <cr>. If it connects,
you make a note of it and go on to 914 002. You do this until you've found
some interesting systems to play with.
Not all systems are on a simple xxx yyy address. Some go out to four or
five digits (914 2354), and some have decimal or numeric extensions
(422 121A = 422 121.01). You have to play with them, and you never know what
you're going to find. To fully scan out a prefix would take ten million
attempts per prefix. For example, if I want to scan 512 completely, I'd have
to start with 512 00000.00 and go through 512 00000.99, then increment the
address by 1 and try 512 00001.00 through 512 00001.99. A lot of scanning.
There are plenty of neat computers to play with in a 3-digit scan, however,
so don't go berserk with the extensions.
Sometimes you'll attempt to connect and it will just be sitting there after
one or two minutes. In this case, you want to abort the connect attempt by
sending a hard break (this varies with different term programs, on Procomm,
it's ALT-B), and then when you get the @ prompt back, type 'D' for disconnect.
If you connect to a computer and wish to disconnect, you can type <cr> @
<cr> and it should say TELENET and then give you the @ prompt. From there,
type D to disconnect or CONT to re-connect and continue your session
uninterrupted.
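To make the scanning procedure above concrete, here is a small Python model of it. It is added for this edition and is not part of The Mentor's file: it generates the @c addresses in the order described, counts the attempts a complete prefix scan costs, and sorts the PAD's reply lines into connected, refused-collect and no-reply buckets. The reply strings are the ones quoted above; the simulated PAD table at the bottom is constructed, and the addresses in it are illustrative, not real hosts. Nothing in it opens a connection.

```python
import re
from typing import Dict, Iterator, List, Optional, Tuple

# Added example, not from the guide.  Models the manual Telenet scan the
# text describes ("@c 914 001", "@c 914 002", ...) and classifies the PAD's
# reply lines.  Pure string handling; nothing here opens a connection, and
# the simulated PAD table near the bottom is constructed.

def scan_addresses(prefix: str, digits: int = 3,
                   extensions: bool = False) -> Iterator[str]:
    """Yield short-form addresses for one area prefix in scanning order.

    digits=3 without extensions walks 914 001 .. 914 999, the text's
    plain 3-digit scan.  extensions=True walks 00000.00 .. 99999.99 style
    addresses (with digits=5), the complete scan the text costs out."""
    start = 0 if extensions else 1
    for n in range(start, 10 ** digits):
        host = f"{prefix} {n:0{digits}d}"
        if extensions:
            for ext in range(100):
                yield f"{host}.{ext:02d}"
        else:
            yield host

def full_scan_size(digits: int = 5) -> int:
    """Attempts needed to cover every <digits>-digit address with a
    two-digit decimal extension: 5 digits gives the text's ten million."""
    return (10 ** digits) * 100

PAD_REPLY = re.compile(
    r"^(?P<addr>\d{3} \d{3,5}(?:\.\d{2})?)\s+"
    r"(?P<status>CONNECTED|REFUSED COLLECT CONNECTION)"
    r"(?P<codes>(?:\s+\d+)*)\s*$")

def classify_pad_reply(line: str) -> Tuple[str, Optional[str], Tuple[str, ...]]:
    """Map one PAD reply line to (status, address, error codes).

    status is 'connected', 'refused_collect' or 'no_reply'; the last is
    the hung attempt the text handles with a hard break and 'D'."""
    m = PAD_REPLY.match(line.strip())
    if not m:
        return "no_reply", None, ()
    status = "connected" if m["status"] == "CONNECTED" else "refused_collect"
    return status, m["addr"], tuple(m["codes"].split())

def run_scan(prefix: str, pad: Dict[str, str], digits: int = 3) -> Dict[str, List[str]]:
    """Scan one prefix against a simulated PAD (address -> reply line) and
    bucket the addresses by result.  Refused-collect hosts are kept: they
    answered, and the NUI and private-PAD methods above reach them later."""
    result: Dict[str, List[str]] = {"connected": [], "refused_collect": [], "no_reply": []}
    for addr in scan_addresses(prefix, digits):
        status, _, _ = classify_pad_reply(pad.get(addr, ""))
        result[status].append(addr)
    return result

# Constructed sample replies in the formats the guide quotes; these
# addresses are illustrative, not real hosts.
SAMPLE_PAD = {
    "914 001": "914 001 CONNECTED",
    "914 002": "914 002 REFUSED COLLECT CONNECTION 00 00",
    "914 017": "914 017 CONNECTED",
}

if __name__ == "__main__":
    summary = run_scan("914", SAMPLE_PAD)
    print("connected:", summary["connected"])              # ['914 001', '914 017']
    print("refused collect:", summary["refused_collect"])  # ['914 002']
    print("no reply:", len(summary["no_reply"]))           # 996
    print("full 5-digit prefix scan:", full_scan_size(), "attempts")  # 10000000
```

The refused-collect bucket is worth keeping rather than discarding: those addresses answered, and the NUI and private-PAD methods described above exist precisely for reaching them later.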
Outdials, Network Servers, and PADs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In addition to computers, an NUA may connect you to several other things.
One of the most useful is the outdial. An outdial is nothing more than a modem
you can get to over Telenet- similar to the PC Pursuit concept, except that
these don't have passwords on them most of the time.
When you connect, you will get a message like 'Hayes 1200 baud outdial,
Detroit, MI', or 'VEN-TEL 212 Modem', or possibly 'Session 1234 established
on Modem 5588'. The best way to figure out the commands on these is to
type ? or H or HELP- this will get you all the information that you need to
use one.
Safety tip here- when you are hacking *any* system through a phone dialup,
always use an outdial or a diverter, especially if it is a local phone number
to you. More people get popped hacking on local computers than you can
imagine, Intra-LATA calls are the easiest things in the world to trace inexp-
ensively.
Another nice trick you can do with an outdial is use the redial or macro
function that many of them have. First thing you do when you connect is to
invoke the 'Redial Last Number' facility. This will dial the last number used,
which will be the one the person using it before you typed. Write down the
number, as no one would be calling a number without a computer on it. This
is a good way to find new systems to hack. Also, on a VENTEL modem, type 'D'
for Display and it will display the five numbers stored as macros in the
modem's memory.
There are also different types of servers for remote Local Area Networks
(LAN) that have many machines all over the office or the nation connected to
them. I'll discuss identifying these later in the computer ID section.
And finally, you may connect to something that says 'X.25 Communication
PAD' and then some more stuff, followed by a new @ prompt. This is a PAD
just like the one you are on, except that all attempted connections are billed
to the PAD, allowing you to connect to those nodes who earlier refused collect
connections.
This also has the added bonus of confusing where you are connecting from.
When a packet is transmitted from PAD to PAD, it contains a header that has
the location you're calling from. For instance, when you first connected
to Telenet, it might have said 212 44A CONNECTED if you called from the 212
area code. This means you were calling PAD number 44A in the 212 area.
That 21244A will be sent out in the header of all packets leaving the PAD.
Once you connect to a private PAD, however, all the packets going out
from *it* will have its address on them, not yours. This can be a valuable
buffer between yourself and detection.
Phone Scanning
~~~~~~~~~~~~~~
Finally, there's the time-honored method of computer hunting that was made
famous among the non-hacker crowd by that Oh-So-Technically-Accurate movie
Wargames. You pick a three digit phone prefix in your area and dial every
number from 0000 --> 9999 in that prefix, making a note of all the carriers
you find. There is software available to do this for nearly every computer
in the world, so you don't have to do it by hand.
Part Three: I've Found a Computer, Now What?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This next section is applicable universally. It doesn't matter how you
found this computer, it could be through a network, or it could be from
carrier scanning your High School's phone prefix; you've got this prompt,
so what the hell is it?
I'm *NOT* going to attempt to tell you what to do once you're inside of
any of these operating systems. Each one is worth several G-files in its
own right. I'm going to tell you how to identify and recognize certain
OpSystems, how to approach hacking into them, and how to deal with something
that you've never seen before and have no idea what it is.
VMS- The VAX computer is made by Digital Equipment Corporation (DEC),
and runs the VMS (Virtual Memory System) operating system.
VMS is characterized by the 'Username:' prompt. It will not tell
you if you've entered a valid username or not, and will disconnect
you after three bad login attempts. It also keeps track of all
failed login attempts and informs the owner of the account next time
s/he logs in how many bad login attempts were made on the account.
It is one of the most secure operating systems around from the
outside, but once you're in there are many things that you can do
to circumvent system security. The VAX also has the best set of
help files in the world. Just type HELP and read to your heart's
content.
Common Accounts/Defaults: [username: password [[,password]] ]
SYSTEM: OPERATOR or MANAGER or SYSTEM or SYSLIB
OPERATOR: OPERATOR
SYSTEST: UETP
SYSMAINT: SYSMAINT or SERVICE or DIGITAL
FIELD: FIELD or SERVICE
GUEST: GUEST or unpassworded
DEMO: DEMO or unpassworded
DECNET: DECNET
DEC-10- An earlier line of DEC computer equipment, running the TOPS-10
operating system. These machines are recognized by their
'.' prompt. The DEC-10/20 series are remarkably hacker-friendly,
allowing you to enter several important commands without ever
logging into the system. Accounts are in the format [xxx,yyy] where
xxx and yyy are integers. You can get a listing of the accounts and
the process names of everyone on the system before logging in with
the command .systat (for SYstem STATus). If you see an account
that reads [234,1001] BOB JONES, it might be wise to try BOB or
JONES or both for a password on this account. To login, you type
.login xxx,yyy and then type the password when prompted for it.
The system will allow you unlimited tries at an account, and does
not keep records of bad login attempts. It will also inform you
if the UIC you're trying (UIC = User Identification Code, 1,2 for
example) is bad.
Common Accounts/Defaults:
1,2: SYSLIB or OPERATOR or MANAGER
2,7: MAINTAIN
5,30: GAMES
UNIX- There are dozens of different machines out there that run UNIX.
While some might argue it isn't the best operating system in the
world, it is certainly the most widely used. A UNIX system will
usually have a prompt like 'login:' in lower case. UNIX also
will give you unlimited shots at logging in (in most cases), and
there is usually no log kept of bad attempts.
Common Accounts/Defaults: (note that some systems are case
sensitive, so use lower case as a general rule. Also, many times
the accounts will be unpassworded, you'll just drop right in!)
root: root
admin: admin
sysadmin: sysadmin or admin
unix: unix
uucp: uucp
rje: rje
guest: guest
demo: demo
daemon: daemon
sysbin: sysbin
Prime- Prime computer company's mainframe running the Primos operating
system. They are easy to spot, as they greet you with
'Primecon 18.23.05' or the like, depending on the version of the
operating system you run into. There will usually be no prompt
offered, it will just look like it's sitting there. At this point,
type 'login <username>'. If it is a pre-18.00.00 version of Primos,
you can hit a bunch of ^C's for the password and you'll drop in.
Unfortunately, most people are running versions 19+. Primos also
comes with a good set of help files. One of the most useful
features of a Prime on Telenet is a facility called NETLINK. Once
you're inside, type NETLINK and follow the help files. This allows
you to connect to NUA's all over the world using the 'nc' command.
For example, to connect to NUA 026245890040004, you would type
@nc :26245890040004 at the netlink prompt.
Common Accounts/Defaults:
PRIME PRIME or PRIMOS
PRIMOS_CS PRIME or PRIMOS
PRIMENET PRIMENET
SYSTEM SYSTEM or PRIME
NETLINK NETLINK
TEST TEST
GUEST GUEST
GUEST1 GUEST
HP-x000- This system is made by Hewlett-Packard. It is characterized by the
':' prompt. The HP has one of the more complicated login sequences
around- you type 'HELLO SESSION NAME,USERNAME,ACCOUNTNAME,GROUP'.
Fortunately, some of these fields can be left blank in many cases.
Since any and all of these fields can be passworded, this is not
the easiest system to get into, except for the fact that there are
usually some unpassworded accounts around. In general, if the
defaults don't work, you'll have to brute force it using the
common password list (see below.) The HP-x000 runs the MPE operat-
ing system, the prompt for it will be a ':', just like the logon
prompt.
Common Accounts/Defaults:
MGR.TELESUP,PUB User: MGR Acct: HPONLY Grp: PUB
MGR.HPOFFICE,PUB unpassworded
MANAGER.ITF3000,PUB unpassworded
FIELD.SUPPORT,PUB user: FLD, others unpassworded
MAIL.TELESUP,PUB user: MAIL, others unpassworded
MGR.RJE unpassworded
FIELD.HPPl89 ,HPPl87,HPPl89,HPPl96 unpassworded
MGR.TELESUP,PUB,HPONLY,HP3 unpassworded
IRIS- IRIS stands for Interactive Real Time Information System. It orig-
inally ran on PDP-11's, but now runs on many other minis. You can
spot an IRIS by the 'Welcome to "IRIS" R9.1.4 Timesharing' banner,
and the ACCOUNT ID? prompt. IRIS allows unlimited tries at hacking
in, and keeps no logs of bad attempts. I don't know any default
passwords, so just try the common ones from the password database
below.
Common Accounts:
MANAGER
BOSS
SOFTWARE
DEMO
PDP8
PDP11
ACCOUNTING
VM/CMS- The VM/CMS operating system runs on International Business Machines
(IBM) mainframes. When you connect to one of these, you will get a
message similar to 'VM/370 ONLINE', and then a '.' prompt,
just like TOPS-10 does. To login, you type 'LOGON <username>'.
Common Accounts/Defaults are:
AUTOLOG1: AUTOLOG or AUTOLOG1
CMS: CMS
CMSBATCH: CMS or CMSBATCH
EREP: EREP
MAINT: MAINT or MAINTAIN
OPERATNS: OPERATNS or OPERATOR
OPERATOR: OPERATOR
RSCS: RSCS
SMART: SMART
SNA: SNA
VMTEST: VMTEST
VMUTIL: VMUTIL
VTAM: VTAM
NOS- NOS stands for Networking Operating System, and runs on the Cyber
computer made by Control Data Corporation. NOS identifies itself
quite readily, with a banner of 'WELCOME TO THE NOS SOFTWARE
SYSTEM. COPYRIGHT CONTROL DATA 1978,1987'. The first prompt you
will get will be FAMILY:. Just hit return here. Then you'll get
a USER NAME: prompt. Usernames are typically 7 alpha-numerics
characters long, and are *extremely* site dependent. Operator
accounts begin with a digit, such as 7ETPDOC.
Common Accounts/Defaults:
$SYSTEM unknown
SYSTEMV unknown
Decserver- This is not truly a computer system, but is a network server that
has many different machines available from it. A Decserver will
say 'Enter Username>' when you first connect. This can be anything,
it doesn't matter, it's just an identifier. Type 'c', as this is
the least conspicuous thing to enter. It will then present you
with a 'Local>' prompt. From here, you type 'c <systemname>' to
connect to a system. To get a list of system names, type
'sh services' or 'sh nodes'. If you have any problems, online
help is available with the 'help' command. Be sure to look for
services named 'MODEM' or 'DIAL' or something similar, these are
often outdial modems and can be useful!
GS/1- Another type of network server. Unlike a Decserver, you can't
predict what prompt a GS/1 gateway is going to give you. The
default prompt is 'GS/1>', but this is redefinable by the
system administrator. To test for a GS/1, do a 'sh d'. If that
prints out a large list of defaults (terminal speed, prompt,
parity, etc...), you are on a GS/1. You connect in the same manner
as a Decserver, typing 'c <systemname>'. To find out what systems
are available, do a 'sh n' or a 'sh c'. Another trick is to do a
'sh m', which will sometimes show you a list of macros for logging
onto a system. If there is a macro named VAX, for instance, type
'do VAX'.
The above are the main system types in use today. There are
hundreds of minor variants on the above, but this should be
enough to get you started.
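The identification rules above, written out as a classifier over captured banner text, with each system's default account list attached. This is an added Python example, not part of The Mentor's file; the transcripts it uses are constructed. It also folds in the lockout behaviour the text reports (VMS drops the line after three bad logins and tells the owner; TOPS-10, UNIX and IRIS allow unlimited tries and keep no record), because that decides how many connects a default-account pass costs and how visible it is.

```python
import math
import re
from typing import Dict, List, Tuple

# Added example, not part of the guide.  Turns the identification rules
# above into a classifier over a captured login transcript, and attaches
# the default accounts the guide lists for each system.  Input is text
# you already captured; nothing here connects anywhere.

# (pattern, system) pairs, most specific first.  Bare '.' and ':' prompts
# are decided last because more than one system shows them.
SIGNATURES: List[Tuple[re.Pattern, str]] = [
    (re.compile(r'Welcome to "IRIS"|ACCOUNT ID\?'), "IRIS"),
    (re.compile(r"WELCOME TO THE NOS SOFTWARE SYSTEM|^FAMILY:", re.M), "NOS"),
    (re.compile(r"^Primecon \d+\.\d+\.\d+", re.M), "Primos"),
    (re.compile(r"VM/370 ONLINE"), "VM/CMS"),
    (re.compile(r"Enter Username>|^Local>", re.M), "DECserver"),
    (re.compile(r"^GS/1>", re.M), "GS/1"),
    (re.compile(r"^Username:", re.M), "VMS"),
    (re.compile(r"^login:", re.M), "UNIX"),
]

def identify_system(transcript: str) -> str:
    """Name the system type behind a captured banner/prompt exchange."""
    for pattern, system in SIGNATURES:
        if pattern.search(transcript):
            return system
    lines = transcript.strip().splitlines()
    last = lines[-1].strip() if lines else ""
    if last == ".":
        return "TOPS-10"     # '.' prompt with no VM/370 banner
    if last == ":":
        return "HP MPE"      # bare ':' prompt: the HELLO login sequence
    return "unknown"

# Default accounts from the guide's lists: (account, passwords to try).
# "" means "try an empty password" (the guide's "unpassworded").
DEFAULTS: Dict[str, List[Tuple[str, List[str]]]] = {
    "VMS": [("SYSTEM", ["OPERATOR", "MANAGER", "SYSTEM", "SYSLIB"]),
            ("OPERATOR", ["OPERATOR"]), ("SYSTEST", ["UETP"]),
            ("SYSMAINT", ["SYSMAINT", "SERVICE", "DIGITAL"]),
            ("FIELD", ["FIELD", "SERVICE"]), ("GUEST", ["GUEST", ""]),
            ("DEMO", ["DEMO", ""]), ("DECNET", ["DECNET"])],
    "TOPS-10": [("1,2", ["SYSLIB", "OPERATOR", "MANAGER"]),
                ("2,7", ["MAINTAIN"]), ("5,30", ["GAMES"])],
    "UNIX": [(u, [u]) for u in ("root", "admin", "unix", "uucp", "rje",
                                "guest", "demo", "daemon", "sysbin")]
            + [("sysadmin", ["sysadmin", "admin"])],
    "Primos": [("PRIME", ["PRIME", "PRIMOS"]), ("PRIMOS_CS", ["PRIME", "PRIMOS"]),
               ("PRIMENET", ["PRIMENET"]), ("SYSTEM", ["SYSTEM", "PRIME"]),
               ("NETLINK", ["NETLINK"]), ("TEST", ["TEST"]),
               ("GUEST", ["GUEST"]), ("GUEST1", ["GUEST"])],
    "VM/CMS": [("AUTOLOG1", ["AUTOLOG", "AUTOLOG1"]), ("CMS", ["CMS"]),
               ("CMSBATCH", ["CMS", "CMSBATCH"]), ("EREP", ["EREP"]),
               ("MAINT", ["MAINT", "MAINTAIN"]),
               ("OPERATNS", ["OPERATNS", "OPERATOR"]), ("OPERATOR", ["OPERATOR"]),
               ("RSCS", ["RSCS"]), ("SMART", ["SMART"]), ("SNA", ["SNA"]),
               ("VMTEST", ["VMTEST"]), ("VMUTIL", ["VMUTIL"]), ("VTAM", ["VTAM"])],
}

# Per the guide: VMS drops the line after three bad logins and reports the
# failures to the account owner; TOPS-10, UNIX (usually) and IRIS allow
# unlimited tries and keep no record.
BAD_LOGINS_PER_CONNECTION = {"VMS": 3}
LOGS_FAILURES = {"VMS": True, "TOPS-10": False, "UNIX": False, "IRIS": False}

def attempt_plan(system: str) -> List[Tuple[str, str]]:
    """Flat (account, password) list for one system, in the guide's order."""
    return [(acct, pw) for acct, pws in DEFAULTS.get(system, []) for pw in pws]

def connections_needed(system: str) -> int:
    """How many separate connects the plan costs, given the per-connection
    lockout the guide reports for that system."""
    limit = BAD_LOGINS_PER_CONNECTION.get(system)
    attempts = len(attempt_plan(system))
    return 1 if limit is None or attempts == 0 else math.ceil(attempts / limit)

if __name__ == "__main__":
    # Constructed transcript, not a real capture.
    captured = 'Welcome to "IRIS" R9.1.4 Timesharing\nACCOUNT ID? '
    print(identify_system(captured))                 # IRIS
    for system in ("VMS", "TOPS-10", "UNIX"):
        print(system, len(attempt_plan(system)), "attempts,",
              connections_needed(system), "connection(s),",
              "logged" if LOGS_FAILURES[system] else "not logged")
```

The VM/370 banner is checked before the bare '.' rule because VM/CMS and TOPS-10 otherwise look identical at the prompt; the same goes for the HP ':' prompt against VMS 'Username:' and NOS 'FAMILY:'. The sixteen VMS guesses cost six separate connects at three per line, each of them reported to the account owner, which is the practical content of the guide's "most secure from the outside" remark.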
Unresponsive Systems
~~~~~~~~~~~~~~~~~~~~
Occasionally you will connect to a system that will do nothing but sit
there. This is a frustrating feeling, but a methodical approach to the system
will yield a response if you take your time. The following list will usually
make *something* happen.
1) Change your parity, data length, and stop bits. A system that won't re-
spond at 8N1 may react at 7E1 or 8E2 or 7S2. If you don't have a term
program that will let you set parity to EVEN, ODD, SPACE, MARK, and NONE,
with data length of 7 or 8, and 1 or 2 stop bits, go out and buy one.
While having a good term program isn't absolutely necessary, it sure is
helpful.
2) Change baud rates. Again, if your term program will let you choose odd
baud rates such as 600 or 1100, you will occasionally be able to penetrate
some very interesting systems, as most systems that depend on a strange
baud rate seem to think that this is all the security they need...
3) Send a series of <cr>'s.
4) Send a hard break followed by a <cr>.
5) Type a series of .'s (periods). The Canadian network Datapac responds
to this.
6) If you're getting garbage, hit an 'i'. Tymnet responds to this, as does
a MultiLink II.
7) Begin sending control characters, starting with ^A --> ^Z.
8) Change terminal emulations. What your vt100 emulation thinks is garbage
may all of a sudden become crystal clear using ADM-5 emulation. This also
relates to how good your term program is.
9) Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, LOGON, GO,
JOIN, HELP, and anything else you can think of.
10) If it's a dialin, call the numbers around it and see if a company
answers. If they do, try some social engineering.
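Items 1 and 2 above are the ones worth understanding rather than just trying, so here is an added Python example (not from the guide) of what is going on: a UART frames 7 data bits plus a parity bit into one wire byte, so a 7E1 host read at 8N1 shows up as high-bit "garbage" characters. The code frames text the way a 7E1/7O1/7M1/7S1 sender would, re-reads a sample captured at 8N1 under each parity setting, ranks the settings by parity-error count, and lists the framing combinations to cycle through. No serial port is involved; the captured sample is constructed.

```python
from itertools import product
from typing import Iterator, List, Tuple

# Added example, not from the guide.  Item 1 above says a host that is
# silent or prints garbage at 8N1 may be running 7E1, 7S2, 8E2 and so on.
# This models the framing a UART applies (7 data bits plus a parity bit is
# one wire byte, so an 8N1 receiver shows the parity bit as bit 7, i.e.
# "garbage" high-bit characters) and ranks parity settings by how many
# parity errors a captured sample produces under each.  Pure arithmetic;
# no serial port, and the sample below is constructed.

PARITIES = ("E", "O", "M", "S")        # even, odd, mark, space

def parity_bit(data7: int, parity: str) -> int:
    """Parity bit a transmitter appends to 7 data bits."""
    ones = bin(data7 & 0x7F).count("1") & 1
    return {"E": ones, "O": ones ^ 1, "M": 1, "S": 0}[parity]

def encode_7x1(text: str, parity: str) -> bytes:
    """Frame ASCII text as 7 data bits + parity (7E1, 7O1, 7M1 or 7S1),
    returning the bytes an 8N1 listener would see on the same line."""
    out = bytearray()
    for ch in text:
        data = ord(ch) & 0x7F
        out.append(data | (parity_bit(data, parity) << 7))
    return bytes(out)

def decode_7x1(received: bytes, parity: str) -> Tuple[str, int]:
    """Reinterpret bytes captured at 8N1 as 7 data bits + parity.
    Returns (recovered text, number of parity errors)."""
    errors, chars = 0, []
    for b in received:
        data = b & 0x7F
        if (b >> 7) != parity_bit(data, parity):
            errors += 1
        chars.append(chr(data))
    return "".join(chars), errors

def rank_parity(received: bytes) -> List[Tuple[str, int]]:
    """Parity settings ordered by error count over the sample; a setting
    with zero errors is the one to select in the terminal program."""
    return sorted(((p, decode_7x1(received, p)[1]) for p in PARITIES),
                  key=lambda pair: pair[1])

def framing_candidates(bauds: Tuple[int, ...] = (300, 1200, 2400)) -> Iterator[str]:
    """Settings to cycle through, in the order items 1 and 2 suggest:
    every data/parity/stop combination at the current speed before
    changing speed (odd rates such as 600 and 1100 go into bauds)."""
    for baud in bauds:
        for data, parity, stop in product((8, 7), ("N",) + PARITIES, (1, 2)):
            yield f"{baud} {data}{parity}{stop}"

if __name__ == "__main__":
    wire = encode_7x1("login:", "E")              # what a 7E1 host sends
    print(wire.decode("latin-1"))                  # garbage at 8N1
    print(decode_7x1(wire, "E"))                   # ('login:', 0)
    print(rank_parity(wire))                       # [('E', 0), ('S', 2), ('M', 4), ('O', 6)]
    print(sum(1 for _ in framing_candidates()))    # 60 settings to try
```

The ranking only works on a sample of real text: a few characters of pure line noise will produce errors under every setting, which is itself the signal that the speed, not the parity, is wrong and item 2 applies.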
Password List
=============
aaa daniel jester rascal
academia danny johnny really
ada dave joseph rebecca
adrian deb joshua remote
aerobics debbie judith rick
airplane deborah juggle reagan
albany december julia robot
albatross desperate kathleen robotics
albert develop kermit rolex
alex diet kernel ronald
alexander digital knight rosebud
algebra discovery lambda rosemary
alias disney larry roses
alpha dog lazarus ruben
alphabet drought lee rules
ama duncan leroy ruth
amy easy lewis sal
analog eatme light saxon
anchor edges lisa scheme
andy edwin louis scott
andrea egghead lynne scotty
animal eileen mac secret
answer einstein macintosh sensor
anything elephant mack serenity
arrow elizabeth maggot sex
arthur ellen magic shark
asshole emerald malcolm sharon
athena engine mark shit
atmosphere engineer markus shiva
bacchus enterprise marty shuttle
badass enzyme marvin simon
bailey euclid master simple
banana evelyn maurice singer
bandit extension merlin single
banks fairway mets smile
bass felicia michael smiles
batman fender michelle smooch
beauty fermat mike smother
beaver finite minimum snatch
beethoven flower minsky snoopy
beloved foolproof mogul soap
benz football moose socrates
beowulf format mozart spit
berkeley forsythe nancy spring
berlin fourier napoleon subway
beta fred network success
beverly friend newton summer
bob frighten next super
brenda fun olivia support
brian gabriel oracle surfer
bridget garfield orca suzanne
broadway gauss orwell tangerine
bumbling george osiris tape
cardinal gertrude outlaw target
carmen gibson oxford taylor
carolina ginger pacific telephone
caroline gnu painless temptation
castle golf pam tiger
cat golfer paper toggle
celtics gorgeous password tomato
change graham pat toyota
charles gryphon patricia trivial
charming guest penguin unhappy
charon guitar pete unicorn
chester hacker peter unknown
cigar harmony philip urchin
classic harold phoenix utility
coffee harvey pierre vicky
coke heinlein pizza virginia
collins hello plover warren
comrade help polynomial water
computer herbert praise weenie
condo honey prelude whatnot
condom horse prince whitney
cookie imperial protect will
cooper include pumpkin william
create ingres puppet willie
creation innocuous rabbit winston
creator irishman rachmaninoff wizard
cretin isis rainbow wombat
daemon japan raindrop yosemite
dancer jessica random zap
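The DEC-10 section above suggests trying BOB and JONES for an account that .systat shows as "[234,1001] BOB JONES", and then falling back to the common password list above. Here is that guess-list construction as an added Python example (not part of the file). It generalises the hint a little: every name part, the joined name, and lower-case forms (the UNIX note says lower case is the safe default) come first, then the wordlist, without duplicates. The systat listing and the short wordlist in it are constructed for the demonstration; in practice the full list above goes in.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example, not part of the guide.  Builds the guess list the DEC-10
# section suggests (an account shown by .systat as "[234,1001] BOB JONES"
# gets BOB and JONES tried first) and then falls back to the common
# password list above.  Name parts, the joined name and lower-case forms
# are tried before the wordlist.  The systat output and the short wordlist
# here are constructed for the demo.

SYSTAT_RE = re.compile(r"^\[(?P<proj>\d+),(?P<prog>\d+)\]\s+(?P<name>[A-Za-z][A-Za-z .'-]*?)\s*$")

def parse_systat(line: str) -> Optional[Tuple[str, List[str]]]:
    """'[234,1001] BOB JONES' -> ('234,1001', ['BOB', 'JONES'])."""
    m = SYSTAT_RE.match(line.strip())
    if not m:
        return None
    return f"{m['proj']},{m['prog']}", m["name"].split()

def name_candidates(parts: List[str]) -> List[str]:
    """Name-derived guesses, most obvious first, no duplicates."""
    bases = list(parts) + (["".join(parts)] if len(parts) > 1 else [])
    out: List[str] = []
    for base in bases:
        for form in (base, base.lower()):
            if form not in out:
                out.append(form)
    return out

def candidate_passwords(systat_line: str, wordlist: List[str]) -> Tuple[str, List[str]]:
    """(UIC, ordered guesses): name-derived first, then the common list."""
    parsed = parse_systat(systat_line)
    if parsed is None:
        raise ValueError(f"not a systat account line: {systat_line!r}")
    uic, parts = parsed
    guesses = name_candidates(parts)
    guesses += [w for w in wordlist if w not in guesses]
    return uic, guesses

def plan_from_systat(systat_output: str, wordlist: List[str]) -> Dict[str, List[str]]:
    """Guess lists for every account line in a .systat listing; lines
    that are not account entries (headers, process lines) are skipped."""
    plan: Dict[str, List[str]] = {}
    for line in systat_output.splitlines():
        if parse_systat(line) is not None:
            uic, guesses = candidate_passwords(line, wordlist)
            plan[uic] = guesses
    return plan

# Constructed sample, modelled on the "[234,1001] BOB JONES" line above.
SAMPLE_SYSTAT = """\
Status of system at 14:02
[1,2] OPERATOR
[234,1001] BOB JONES
[27,4070] MARY ANN SMITH
"""
COMMON_WORDS = ["password", "secret", "guest", "computer", "hello"]  # subset of the list above

if __name__ == "__main__":
    for uic, guesses in plan_from_systat(SAMPLE_SYSTAT, COMMON_WORDS).items():
        print(uic, guesses)
```

Order matters more than size here: the guide's point is that the name-derived guesses are the cheap ones, and on a system that disconnects after a few failures (VMS, per the section above) they are the only ones worth spending a connect on.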
******************************************************************************
References:
1) Introduction to ItaPAC by Blade Runner
Telecom Security Bulletin #1
2) The IBM VM/CMS Operating System by Lex Luthor
The LOD/H Technical Journal #2
3) Hacking the IRIS Operating System by The Leftist
The LOD/H Technical Journal #3
4) Hacking CDC's Cyber by Phrozen Ghost
Phrack Inc. Newsletter #18
5) USENET comp.risks digest (various authors, various issues)
6) USENET unix.wizards forum (various authors)
7) USENET info-vax forum (various authors)
Recommended Reading:
1) Hackers by Steven Levy
2) Out of the Inner Circle by Bill Landreth
3) Turing's Man by J. David Bolter
4) Soul of a New Machine by Tracy Kidder
5) Neuromancer, Count Zero, Mona Lisa Overdrive, and Burning Chrome, all
by William Gibson
6) Reality Hackers Magazine c/o High Frontiers, P.O. Box 40271, Berkeley,
California, 94704, 415-995-2606
7) Any of the Phrack Inc. Newsletters & LOD/H Technical Journals you can find.
Well, now what? Now the SMTP service is mine.. I just played around with it. If you are not used to telnet commands, just type HELP after you are connected and you will get the list of all the commands supported by the server.
Anyway, I am going to show how I send a fake mail using simple commands supported by every ESMTP server (ESMTP = Extended Simple Mail Transfer Protocol).
Here we go:
Telnet>open anisurrahman.net 25
Connecting...
Connected to anisurrahman.net
220 Welcome to anisurrahman.net ESMTP service 8.9.3
HELO Abhisek
220 Welcome to sendmail Abhisek
MAIL FROM:abhisek@fakemail.com
240 Sender set to abhisek@fakemail.com
RCPT TO:me@anisurrahman.net
240 Recipient set to me@anisurrahman.net
DATA
220 End with "."
Subject : Hello Rony
Hey, what's up boss? I am sending fake mail using your SMTP service... Don't be angry with me... Sorry..
.
240 CA55910 Message accepted for delivery..
Note: wondering what the values 240, 220 or CA55910 are? Don't think about it much.. the values 240 and 220 are just the server's reply codes. For example, the server responds with 220 when it displays a banner.. see, all the banners came up with 220.. and here the server denotes confirmation with 240. It's not very important, in my opinion.. And about CA55910.. it's the MSGID or Message ID. In the server's logs this ID denotes the mail that you just sent.
Note: This is my earnest request to each and everybody who reads this manual.. please do not send any fake mail to me@anisurrahman.net and please do not use the service at anisurrahman.net. He is a very good friend of mine.. I have learnt many things regarding web designing and web programming from him..
Please note: sometimes you may get a Relay Denied error on some servers.. well, I won't go into much detail about this topic because I guess I don't have enough knowledge about it..
Bingo!! I have sent a fake mail!!! I am a hacker!!! Yes!!
Well, nothing to think like that, because sending fake mails doesn't make you a hacker. It has nothing to do with hacking. Fake mails can also easily be traced and your ISP can be found out easily. Then if the victim sends a mail to abuse@ISP.net and complains about your activity, then sorry boy, you may lose your ISP account..
Anyway, try sending some fake mails to yourself and get used to telnet.
Hey guys [and gals if any], don't get excited and go off to hack with telnet, because things are not as easy as they seem. I have only got myself into the SMTP service of anisurrahman.net; I haven't yet got root on it.
Well, there are many more games you can play using telnet. For example, you can start a raw IRC session using telnet. I guess you are all familiar with IRC (Internet Relay Chat). You may use mIRC, Pirc etc. software to start an IRC session, but there you don't have to do much, as the software does things for you.
Well, I think here I need to explain some basics of IRC and how IRC servers work. To start an IRC session you need to connect to an IRC server on the port running the IRC daemon. The default ports are 7000, 6667 etc.; in mIRC, when you wish to connect to a server, the default port used is 6667.
Type /server irc.dal.net [port] in the mIRC window.
Note: in place of port, type the port number without the [].
If you leave it blank then the default port 6667 will be used.
This command will connect to the irc.dal.net server; then by typing /join #channelname you can join any channel and start your IRC session.
Tip: Knowing the IP address or the host name of a person in an IRC session is the easiest thing. Just type /whois nickname.
Now I guess you are familiar with the basic IRC commands you can use in mIRC.
Now let's come to our point, i.e. starting a raw IRC session using telnet.
Generally many IRC warfare technique writers and others have written manuals on starting a raw IRC session using telnet, but I think they are not really intended for newbies. Here I am going to explain things in a simple, easy-to-understand way.
When you connect to an IRC server it authenticates you only by your username and host address, and asks for a nick. While using mIRC this information is provided by the software itself, as configured by the user. But while connecting to an IRC server in raw mode, i.e. using telnet, you need to provide this information yourself.
Note: Some servers don't support raw IRC sessions, as it is a bit insecure..
Now to start, telnet into an IRC server on port 7000 or 6667.
Tip: In raw mode you don't need to give a / before commands as in mIRC.
Telnet>open irc.servername.net 6667
nick <nickname>
user <username> <hostname> <servername> <realname>
Please note: don't type the <> signs.. I have used these signs only to distinguish the commands that I have to type into the terminal.
You are now connected to an IRC server using telnet.. you can use mIRC commands here, but without the /.
To send a private message the command is:
PRIVMSG <nick> :<message>
Now I guess you are quite familiar with the workings and usage of telnet.
With telnet you can now surely use the resources of a remote computer, provided that you are allowed to access those resources... If not... then what else but to hack into it.
Generally telnet is used to connect to a particular daemon running on a particular port on a target system. Well, the very aim of using telnet to connect to the daemons is to get root on the system. But if you are thinking that you'll connect to the SMTP server of your ISP and get root on your ISP's system, then forget it, pal. What hackers do is first port scan the target system to find the open ports and the daemons running on those ports.
Note: you can use nmap. It is a very fast, so-called SYN stealth port scanner, available for download with source at http://www.insecure.org. But remember, if your ISP kicks your ass for port scanning their system, don't flame me..
Now, say you have found an open port, say port 21, running an FTP server. Well, all you need to do is telnet into the port. But things are not that easy and you won't get root easily.. some FTP servers, or better to say 98% of the daemons running on a server, allow access only to valid users, and so ask for a user name and password. In such a case, when you're facing a username and password prompt, either you have to make the sysadmin's daughter your girlfriend and then trick her into telling you the password, or you have to play around with other methods like brute force hacking.. etc.
Well, another vulnerability existing in various daemons is the trust relationship. Often servers authenticate a user only by his IP, considering that the server has a trust relationship with the client and the client's IP is already in the server's database of trusted IPs. Now if you can spoof your IP to match one of the server's trusted IPs, then you can get yourself inside a system. IP spoofing is a complicated subject, though apparently its definition is simply "faking the actual IP with some other". It's not really easy to spoof your IP and exploit a trust relationship, as you have to block the trusted client with a DoS attack so that it cannot reply to the SYN/ACK packets sent to it by the server. If it receives the SYN/ACK packets from the server unexpectedly, then surely it will reply with a FIN packet so as to end the connection.
Anyway, I won't go into much detail about IP spoofing, since it's a very complicated subject and you have to understand it thoroughly in order to execute it.
Note: Please don't get angry with me for using terms like SYN/ACK packets and FIN packets in the above paragraph if you are not familiar with them.. well, they are common terms in IP spoofing.. I just came across a very good IP spoofing manual.. you can find it too.. "IP Spoofing Demystified", available for download in the books section of http://blacksun.box.sk
Well, that's it for now.. the second part of this manual will be up soon.. if any of you know about some more fun with telnet, do let me know about it, or write an article yourself and I'll be glad to publish it on HC.
Abhisek Datta
http://hackersclub.focusindia.com
abhisekdatta@hotmail.com
"But did you, in your three- piece psychology
and 1950's
techno brain, ever take a look behind the
eyes of the hacker?
Did you ever wonder what made him trick,
what forces shaped him, what may have molded
him?
I am a hacker, enter my world..."
("The Conscience of a Hacker",
The Mentor)
Part I: The Magic of DOS
In this guide you will learn how to telnet,
forge email, and use nslookup with Windows
XP.
So you have the newest, glitziest, "Fisher
Price" version of Windows: XP. How can
you use XP in a way that sets you apart from
the boring millions of ordinary users?
****************
Luser Alert: Anyone who thinks this GTMHH
will reveal how to blow up people's TV sets
and steal Sandra Bullock's email is going
to find out that I won't tell them how.
****************
The key to doing amazing things with XP is as simple as D O S. Yes, that's right, DOS as in MS-DOS, as in Microsoft Disk Operating System. Windows XP (as well as NT and 2000) comes with two versions of DOS. Command.com is an old DOS version. Various versions of command.com come with Windows 95, 98, SE, ME, Windows 3, and DOS-only operating systems. The other DOS, which comes only with XP, 2000 and NT, is cmd.exe. Usually cmd.exe is better than command.com because it is easier to use, has more commands, and in some ways resembles the bash shell in Linux and other Unix-type operating systems. For example, you can repeat a command by using the up arrow until you back up to the desired command. Unlike bash, however, your DOS command history is erased whenever you shut down cmd.exe. The reason XP has both versions of DOS is that sometimes a program that won't run right in cmd.exe will work in command.com.
****************
Flame Alert: Some readers are throwing fits
because I dared to compare DOS to bash. I
can compare cmd.exe to bash if I want to.
Nanny nanny nah nah.
****************
DOS is your number one Windows gateway to
the Internet, and the open sesame to local
area networks. From DOS, without needing
to download a single hacker program, you
can do amazingly sophisticated explorations
and even break into poorly defended computers.
****************
You can go to jail warning: Breaking into
computers is against the law if you do not
have permission to do so from the owner of
that computer. For example, if your friend
gives you permission to break into her Hotmail
account, that won't protect you because Microsoft
owns Hotmail and they will never give you
permission.
****************
****************
You can get expelled warning: Some kids have
been kicked out of school just for bringing
up a DOS prompt on a computer. Be sure to
get a teacher's WRITTEN permission before
demonstrating that you can hack on a school
computer.
****************
So how do you turn on DOS?
Click All Programs -> Accessories ->
Command Prompt
That runs cmd.exe. You should see a black
screen with white text on it, saying something
like this:
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\>
Your first step is to find out what commands
you can run in DOS. If you type "help"
at the DOS prompt, it gives you a long list
of commands. However, this list leaves out
all the commands hackers love to use. Here
are some of those left out hacker commands.
TCP/IP commands:
telnet
netstat
nslookup
tracert
ping
ftp
NetBIOS commands (just some examples):
nbtstat
net use
net view
net localgroup
TCP/IP stands for Transmission Control Protocol/Internet Protocol. As you can guess from the name, TCP/IP is the protocol under which the Internet runs, along with the User Datagram Protocol (UDP). So when you are connected to the Internet, you can try these commands against other Internet computers. Most local area networks also use TCP/IP.
NetBIOS (Network Basic Input/Output System) is another protocol for communicating between computers. It is often used by Windows computers, and by Unix/Linux-type computers running Samba. You can often use NetBIOS commands over the Internet (carried inside TCP/IP, so to speak). In many cases, however, NetBIOS commands will be blocked by firewalls. Also, not many Internet computers run NetBIOS, because it is so easy to break in using it. We will cover NetBIOS commands in the next Guide to XP Hacking.
The queen of hacker commands is telnet. To
get Windows help for telnet, in the cmd.exe
window give the command:
C:\>telnet /?
Here's what you will get:
telnet [-a][-e escape char][-f log file][-l user][-t term][host [port]]
-a      Attempt automatic logon. Same as -l option except uses the currently logged on user's name.
-e      Escape character to enter telnet client prompt.
-f      File name for client side logging
-l      Specifies the user name to log in with on the remote system. Requires that the remote system support the TELNET ENVIRON option.
-t      Specifies terminal type. Supported term types are vt100, vt52, ansi and vtnt only.
host    Specifies the hostname or IP address of the remote computer to connect to.
port    Specifies a port number or service name.
****************
Newbie note: what is a port on a computer?
A computer port is sort of like a seaport.
It's where things can go in and/or out of
a computer. Some ports are easy to understand,
like keyboard, monitor, printer and modem.
Other ports are virtual, meaning that they
are created by software. When that modem
port of yours (or LAN or ISDN or DSL) is
connected to the Internet, your computer
has the ability to open or close any of over
65,000 different virtual ports, and has the
ability to connect to any of these on another
computer - if it is running that port, and
if a firewall doesn't block it.
****************
****************
Newbie note: How do you address a computer
over the Internet? There are two ways: by
number or by name.
****************
The simplest use of telnet is to log into
a remote computer. Give the command:
C:\>telnet targetcomputer.com (substituting the name of the computer you want to telnet into for targetcomputer.com)
If this computer is set up to let people
log into accounts, you may get the message:
login:
Type your user name here, making sure to
be exact. You can't swap between lower case
and capital letters. For example, user name
Guest is not the same as guest.
****************
Newbie note: Lots of people email me asking
how to learn what their user name and password
are. Stop laughing, darn it, they really
do. If you don't know your user name and
password, that means whoever runs that computer
didn't give you an account and doesn't want
you to log on.
****************
Then comes the message:
Password:
Again, be exact in typing in your password.
What if this doesn't work?
Every day people write to me complaining
they can't telnet. That is usually because
they try to telnet into a computer, or a
port on a computer that is set up to refuse
telnet connections. Here's what it might
look like when a computer refuses a telnet
connection:
C:\>telnet 10.0.0.3
Connecting To 10.0.0.3...Could not open connection to the host, on port 23. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Or you might see:
C:\>telnet techbroker.com
Connecting To techbroker.com...Could not open connection to the host, on port 23. No connection could be made because the target machine actively refused it.
If you just give the telnet command without
giving a port number, it will automatically
try to connect on port 23, which sometimes
runs a telnet server.
**************
Newbie note: your Windows computer has a
telnet client program, meaning it will let
you telnet out of it. However you have to
install a telnet server before anyone can
telnet into port 23 on your computer.
*************
If telnet failed to connect, possibly the
computer you were trying to telnet into was
down or just plain no longer in existence.
Maybe the people who run that computer don't
want you to telnet into it.
Even though you can't telnet into an account
inside some computer, often you can get some
information back or get that computer to
do something interesting for you. Yes, you
can get a telnet connection to succeed -without
doing anything illegal --against almost any
computer, even if you don't have permission
to log in. There are many legal things you
can do to many randomly chosen computers
with telnet. For example:
C:\>telnet freeshell.org 22
SSH-1.99-OpenSSH_3.4p1
That tells us the target computer is running an SSH server, which enables encrypted connections between computers. If you want to SSH into an account there, you can get a shell account for free at http://freeshell.org. You can get a free SSH client program from http://winfiles.com.
***************
You can get punched in the nose warning:
Your online provider might kick you off for
making telnet probes of other computers.
The solution is to get a local online provider
and make friends with the people who run
it, and convince them you are just doing
harmless, legal explorations.
*************
Sometimes a port is running an interesting
program, but a firewall won't let you in.
For example, 10.0.0.3, a computer on my local
area network, runs an email sending program,
(sendmail working together with Postfix,
and using Kmail to compose emails). I can
use it from an account inside 10.0.0.3 to
send emails with headers that hide from where
I send things.
If I try to telnet to this email program
from outside this computer, here's what happens:
C:\>telnet 10.0.0.3 25
Connecting To 10.0.0.3...Could not open connection
to the host, on port 25. No connection could
be made because the target machine actively
refused it.
However, if I log into an account on 10.0.0.3
and then telnet from inside to port 25, here's
what I get:
Last login: Fri Oct 18 13:56:58 2002 from
10.0.0.1
Have a lot of fun...
cmeinel@test-box:~> telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection
refused
Trying 127.0.0.1... [Carolyn's note: 127.0.0.1
is the numerical address meaning localhost,
the same computer you are logged into]
Connected to localhost.
Escape character is '^]'.
220 test-box.local ESMTP Postfix
The reason I keep this port 25 hidden behind
a firewall is to keep people from using it
to try to break in or to forge email. Now
the ubergeniuses reading this will start
to make fun of me because no Internet address
that begins with 10. is reachable from the
Internet. However, sometimes I place this
"test-box" computer online with
a static Internet address, meaning whenever
it is on the Internet, it always has the
same numerical address. I'm not going to
tell you what its Internet address is because
I don't want anyone messing with it. I just
want to mess with other people's computers
with it, muhahaha. That's also why I always
keep my Internet address from showing up
in the headers of my emails.
***************
Newbie note: What is all this about headers?
It's stuff at the beginning of an email that
may - or may not - tell you a lot about where
it came from and when. To see full headers,
in Outlook click view -> full headers.
In Eudora, click the "Blah blah blah"
icon.
****************
Want a computer you can telnet into and mess
around with, and not get into trouble no
matter what you do to it? I've set up my
techbroker.com (206.61.52.33) with user xyz,
password guest for you to play with. Here's
how to forge email to xyz@techbroker.com
using telnet. Start with the command:
C:\>telnet techbroker.com 25
Connecting To Techbroker.com
220 <techbroker.com> Service ready
Now you type in who you want the message
to appear to come from:
helo santa@techbroker.com
Techbroker.com will answer:
250 <techbroker.com> host ready
Next type in your mail from address:
mail from:santa@techbroker.com
250 Requested mail action okay, completed
Your next command:
rcpt to:xyz@techbroker.com
250 Requested mail action okay, completed
Your next command:
data
354 Start main input; end with <CRLF>.<CRLF>
Carolyn's note: <CRLF> just means hit
return. In case you can't see that little
period between the <CRLF>s, what you
do to end composing your email is to hit
enter, type a period, then hit enter again.
Anyhow, try typing:
This is a test.
.
250 Requested mail action okay, completed
quit
221 <techbroker.com> Service closing
transmission channel
Connection to host lost.
Using techbroker's mail server, even if you
enable full headers, the message we just
composed looks like:
Status: R
X-status: N
This is a test.
That's a pretty pathetic forged email, huh?
No "from", no date. However, you
can make your headers better by using a trick
with the data command. After you give it,
you can insert as many headers as you choose.
The trick is easier to show than explain:
220 <techbroker.com> Service ready
helo santa@northpole.org
250 <techbroker.com> host ready
mail from:santa@northpole.com
250 Requested mail action okay, completed
rcpt to:cmeinel@techbroker.com
250 Requested mail action okay, completed
data
354 Start main input; end with <CRLF>.<CRLF>
from:santa@deer.northpole.org
Date: Mon, 21 Oct 2002 10:09:16 -0500
Subject: Rudolf
This is a Santa test.
.
250 Requested mail action okay, completed
quit
221 <techbroker.com> Service closing
transmission channel
Connection to host lost.
The message then looks like:
from:santa@deer.northpole.org
Date: Mon, 21 Oct 2002 10:09:16 -0500
Subject: Rudolf
This is a Santa test.
The trick is to start each line you want in the headers with one word followed by a colon, then the rest of the line, followed by "return". As soon as you write a line that doesn't begin this way, the rest of what you type goes into the body of the email.
Notice that the santa@northpole.com from the "mail from:" command didn't show up in the header. Some mail servers would show both "from" addresses.
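What both articles show (Abhisek's fake mail to anisurrahman.net and the Santa session above) is that the "mail from:" address is the SMTP envelope, while the "from:" line typed after data is just a header, and nothing forces the two to agree. The servers in the text store only what the client typed, so the envelope is lost. A receiving server that keeps the envelope as Return-Path and adds a Received line makes the mismatch visible, and that comparison is the first check a mail administrator reaches for on a suspected forgery. The following is an added example, not code from either article or from techbroker.com: a tiny SMTP receiver state machine driven by the article's own command sequence (no sockets), which writes the trace headers and then compares envelope sender with header From. The hostname techbroker.com comes from the text; the peer address 192.0.2.10 and the timestamp are constructed.

```python
"""Minimal SMTP receiver that keeps the envelope sender, so a forged
header "From:" can be compared against it.

Added example, not code from either article. SESSION is constructed from
the Santa transcript in the text; hostname, peer address and timestamp are
assumed values.
"""
import re

# What the client types, in the order the article gives it (constructed).
SESSION = [
    "helo santa@northpole.org",
    "mail from:santa@northpole.com",
    "rcpt to:cmeinel@techbroker.com",
    "data",
    "from:santa@deer.northpole.org",
    "Date: Mon, 21 Oct 2002 10:09:16 -0500",
    "Subject: Rudolf",
    "This is a Santa test.",
    ".",
    "quit",
]

ADDR_RE = re.compile(r"([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+)")
HEADER_RE = re.compile(r"^([A-Za-z0-9-]+):\s*(.*)$")   # the "word:" rule from the text


def receive(lines, hostname="techbroker.com", peer_ip="192.0.2.10",
            stamp="Mon, 21 Oct 2002 15:09:16 +0000"):
    """Run the command sequence; return (server replies, stored message).

    Unlike the server in the article, this one prepends Return-Path (the
    MAIL FROM address) and a Received line (HELO name plus the connecting
    address) before the client's own headers, so the envelope survives.
    """
    replies = ["220 <%s> Service ready" % hostname]
    helo = mail_from = message = None
    rcpts, data, in_data = [], [], False
    for line in lines:
        if in_data:
            if line == ".":
                in_data = False
                trace = ["Return-Path: <%s>" % mail_from,
                         "Received: from %s ([%s]) by %s; %s" % (helo, peer_ip, hostname, stamp)]
                message = "\n".join(trace + data)
                replies.append("250 Requested mail action okay, completed")
            else:
                data.append(line)          # header and body lines stored verbatim
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        addr = ADDR_RE.search(arg)
        if verb == "HELO":
            helo = arg.strip()
            replies.append("250 <%s> host ready" % hostname)
        elif verb == "MAIL":
            mail_from = addr.group(1) if addr else ""
            replies.append("250 Requested mail action okay, completed")
        elif verb == "RCPT":
            # The limit the article describes: local recipients only, no relaying.
            if addr and addr.group(1).lower().endswith("@" + hostname):
                rcpts.append(addr.group(1))
                replies.append("250 Requested mail action okay, completed")
            else:
                replies.append("550 Relaying denied")
        elif verb == "DATA":
            if mail_from is None or not rcpts:
                replies.append("503 Bad sequence of commands")
            else:
                in_data = True
                replies.append("354 Start mail input; end with <CRLF>.<CRLF>")
        elif verb == "QUIT":
            replies.append("221 <%s> Service closing transmission channel" % hostname)
        else:
            replies.append("500 Command not recognized")
    return replies, message


def split_message(message):
    """Apply the article's rule: header lines look like 'word: value'; the
    first line that does not ends the headers. Returns (headers, body)."""
    headers, body = {}, []
    lines = message.split("\n")
    for i, line in enumerate(lines):
        m = HEADER_RE.match(line)
        if not m:
            body = lines[i:]
            break
        headers.setdefault(m.group(1).lower(), m.group(2))
    return headers, "\n".join(body)


def sender_mismatch(message):
    """Return (envelope sender, header From) when they differ, else None."""
    headers, _ = split_message(message)
    env = ADDR_RE.search(headers.get("return-path", ""))
    hdr = ADDR_RE.search(headers.get("from", ""))
    if env and hdr and env.group(1).lower() != hdr.group(1).lower():
        return env.group(1), hdr.group(1)
    return None


if __name__ == "__main__":
    replies, stored = receive(SESSION)
    print("\n".join(replies))
    print(stored)
    print("envelope/header mismatch:", sender_mismatch(stored))
```

Run on the Santa session, the stored message starts with Return-Path: <santa@northpole.com> and a Received line naming the HELO string and the connecting address, followed by the forged from:santa@deer.northpole.org; sender_mismatch reports the pair. The Relaying denied branch is the same limitation the article describes for techbroker.com and the Relay Denied error Abhisek mentions.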
You can forge email on techbroker.com within
one strict limitation. Your email has to
go to someone at techbroker.com. If you can
find any way to send email to someone outside
techbroker, let us know, because you will
have broken our security, muhahaha! Don't
worry, you have my permission.
Next, you can read the email you forge on
techbroker.com via telnet:
C:\>telnet techbroker.com 110
+OK <30961.5910984301@techbroker.com> service ready
Give this command:
user xyz
+OK user is known
Then type in this:
pass test
+OK mail drop has 2 message(s)
retr 1
+OK message follows
This is a test.
If you want to know all possible commands,
give this command:
help
+OK help list follows
USER user
PASS password
STAT
LIST [message]
RETR message
DELE message
NOOP
RSET
QUIT
APOP user md5
TOP message lines
UIDL [message]
HELP
Unless you use a weird online provider like
AOL, you can use these same tricks to send
and receive your own email. Or you can forge
email to a friend by telnetting to his or
her online provider's email sending computer(s).
With most online providers you need to get
the exact name of their email computer(s).
Often it is simply mail.targetcomputer.com
(substitute the name of the online provider
for targetcomputer). If this doesn't work,
you can find out the name of their email
server with the DOS nslookup program, which
only runs from cmd.exe. Here's an example:
C:\ >nslookup
Default Server: DNS1.wurld.net
Address: 206.61.52.11
> set q=mx
> dimensional.com
Server: DNS1.wurld.net
Address: 206.61.52.11
dimensional.com MX preference = 5, mail exchanger = mail.dimensional.com
dimensional.com MX preference = 10, mail exchanger = mx2.dimensional.com
dimensional.com MX preference = 20, mail exchanger = mx3.dimensional.com
dimensional.com nameserver = ns.dimensional.com
dimensional.com nameserver = ns-1.dimensional.com
dimensional.com nameserver = ns-2.dimensional.com
dimensional.com nameserver = ns-3.dimensional.com
dimensional.com nameserver = ns-4.dimensional.com
mail.dimensional.com internet address = 206.124.0.11
mx2.dimensional.com internet address = 206.124.0.30
mx3.dimensional.com internet address = 209.98.32.54
ns.dimensional.com internet address = 206.124.0.10
ns.dimensional.com internet address = 206.124.26.254
ns.dimensional.com internet address = 206.124.0.254
ns.dimensional.com internet address = 206.124.1.254
ns.dimensional.com internet address = 209.98.32.54
ns.dimensional.com internet address = 206.124.0.32
ns.dimensional.com internet address = 206.124.0.30
ns.dimensional.com internet address = 206.124.0.25
ns.dimensional.com internet address = 206.124.0.15
ns.dimensional.com internet address = 206.124.0.21
ns.dimensional.com internet address = 206.124.0.9
ns-1.dimensional.com internet address = 206.124.26.254
ns-2.dimensional.com internet address = 209.98.32.54
ns-3.dimensional.com internet address = 206.124.1.254
ns-4.dimensional.com internet address = 206.124.0.254
>
The lines that tell you what computers will
let you forge email to people with @dimensional.com
addresses are:
dimensional.com MX preference = 5, mail exchanger = mail.dimensional.com
dimensional.com MX preference = 10, mail exchanger = mx2.dimensional.com
dimensional.com MX preference = 20, mail exchanger = mx3.dimensional.com
MX stands for mail exchanger. The lower the preference number, the more they would like you to use that address for email. If that lowest-numbered server is too busy, then try another server.
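The MX lines are also what an administrator reads to confirm which hosts accept mail for a domain, and the preference ordering just described is the order a sending server works through them. As an added example (not part of the guide), here is a parser for nslookup's "set q=mx" output that builds that delivery order, resolves each exchanger through the address lines nslookup prints after the answer, and recognises the timed-out form of the output. NSLOOKUP_OUTPUT and TIMEOUT_OUTPUT are constructed from the text, re-typed in the shape nslookup prints; they are not live queries.

```python
"""Parse nslookup 'set q=mx' output into a delivery order.

Added example, not part of the guide. The two sample outputs are
constructed from the answers shown in the text, not captured live.
"""
import re

NSLOOKUP_OUTPUT = """\
Server:  DNS1.wurld.net
Address:  206.61.52.11

dimensional.com MX preference = 5, mail exchanger = mail.dimensional.com
dimensional.com MX preference = 10, mail exchanger = mx2.dimensional.com
dimensional.com MX preference = 20, mail exchanger = mx3.dimensional.com
dimensional.com nameserver = ns.dimensional.com
mail.dimensional.com internet address = 206.124.0.11
mx2.dimensional.com internet address = 206.124.0.30
mx3.dimensional.com internet address = 209.98.32.54
ns.dimensional.com internet address = 206.124.0.10
"""

TIMEOUT_OUTPUT = """\
DNS request timed out.
    timeout was 2 seconds.
*** Request to [207.217.120.202] timed-out
"""

MX_RE = re.compile(r"^(\S+)\s+MX preference = (\d+), mail exchanger = (\S+)", re.M)
A_RE = re.compile(r"^(\S+)\s+internet address = (\d+\.\d+\.\d+\.\d+)", re.M)
TIMEOUT_RE = re.compile(r"^\*\*\* Request to \[([^\]]+)\] timed-out", re.M)


def timed_out(text):
    """True when nslookup printed a timeout instead of an answer."""
    return TIMEOUT_RE.search(text) is not None


def parse_mx(text):
    """Return ({domain: [(preference, exchanger), ...]}, {host: [ip, ...]}).

    Exchangers are sorted by preference, lowest first; ties keep the order
    nslookup printed them. Raises TimeoutError on the timed-out output."""
    if timed_out(text):
        raise TimeoutError("no answer from " + TIMEOUT_RE.search(text).group(1))
    mx = {}
    for domain, pref, host in MX_RE.findall(text):
        mx.setdefault(domain.lower(), []).append((int(pref), host.rstrip(".").lower()))
    for recs in mx.values():
        recs.sort(key=lambda r: r[0])      # stable: equal preferences keep print order
    addrs = {}
    for host, ip in A_RE.findall(text):
        addrs.setdefault(host.lower(), []).append(ip)
    return mx, addrs


def delivery_order(domain, mx, addrs):
    """Hosts a sender tries for the domain, in order, as (pref, host, ips)."""
    return [(p, h, addrs.get(h, [])) for p, h in mx.get(domain.lower(), [])]


if __name__ == "__main__":
    mx, addrs = parse_mx(NSLOOKUP_OUTPUT)
    for pref, host, ips in delivery_order("dimensional.com", mx, addrs):
        print(pref, host, ", ".join(ips))
```

Feeding the sample output gives mail.dimensional.com first, then mx2 and mx3, each with the address nslookup listed for it; the earthlink.net answer later in the text, where every exchanger has preference 5, would come out in printed order.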
Sometimes when you ask about a mail server,
nslookup will give you this kind of error
message:
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to [207.217.120.202] timed-out
To get around this problem, you need to find out what the domain servers for your target online provider are. A good place to start looking is http://netsol.com/cgi-bin/whois/whois. If this doesn't work, see http://happyhacker.org/HHA/fightback.shtml for how to find the domain servers for any Internet address.
****************
Newbie note: A domain name server provides
information on the names and numbers assigned
to computers on the Internet. For example,
dns1.wurld.net and dns2.wurld.net contain
information on happyhacker.org, techbroker.com,
securitynewsportal.com, thirdpig.com and
sage-inc.com. When you query dns1.wurld.net
about other computers, it might have to go
hunting for that information from other name
servers. That's why you might get a timed
out failure.
***************
Once you know the domain servers for an online
service, set one of them for the server for
your nslookup program. Here's how you do
it:
C:\ >nslookup
Default Server: DNS1.wurld.net
Address: 206.61.52.11
Now give the command:
> server 207.217.126.41
Default Server: ns1.earthlink.net
Address: 207.217.126.41
Next command should be:
> set q=mx
> earthlink.net
Server: ns1.earthlink.net
Address: 207.217.126.41
earthlink.net MX preference = 5, mail exchanger = mx04.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx05.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx06.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx00.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx01.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx02.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx03.earthlink.net
earthlink.net nameserver = ns3.earthlink.net
earthlink.net nameserver = ns1.earthlink.net
earthlink.net nameserver = ns2.earthlink.net
mx00.earthlink.net internet address = 207.217.120.28
mx01.earthlink.net internet address = 207.217.120.29
mx02.earthlink.net internet address = 207.217.120.79
mx03.earthlink.net internet address = 207.217.120.78
mx04.earthlink.net internet address = 207.217.120.249
mx05.earthlink.net internet address = 207.217.120.31
mx06.earthlink.net internet address = 207.217.120.23
ns1.earthlink.net internet address = 207.217.126.41
ns2.earthlink.net internet address = 207.217.77.42
ns3.earthlink.net internet address = 207.217.120.43
>
Your own online service will usually not
mind and may even be glad if you use telnet
to read your email. Sometimes a malicious
person or faulty email program will send
you a message that is so screwed up that
your email program can't download it. With
telnet you can manually delete the bad email.
Otherwise tech support has to do it for you.
If you think about it, this ability to forge
email is a huge temptation to spammers. How
can your online provider keep the bad guys
from filling up a victim's email box with
garbage? The first time a bad guy tries this,
probably nothing will stop him or her. The
second time the online provider might block
the bad guy at the firewall, maybe call the
bad guy's online provider and kick him or
her and maybe get the bad guy busted or sued.
**************
You can go to jail warning: Sending hundreds
or thousands of junk emails to bomb someone's
email account is a felony in the US.
***************
***************
You can get sued warning: Spamming, where
you send only one email to each person, but
send thousands or millions of emails, is
borderline legal. However, spammers have
been successfully sued when they forge the
email addresses of innocent people as senders
of their spam.
****************
Now that you know how to read and write email
with telnet, you definitely have something
you can use to show off with. Happy hacking!
Oh, here's one last goodie for advanced users. Get netcat for Windows. It's a free program written by Weld Pond and Hobbit, and available from many sites, for example http://www.atstake.com/research/tools/#network_utilities. It is basically telnet on steroids. For example, using netcat, you can set up a port on your Windows computer to allow people to telnet into a DOS shell by using this command:
C:\>nc -L -p 5000 -t -e cmd.exe
You can specify a different port number than
5000. Just make sure it doesn't conflict
with another port by checking with the netstat
command. Then you and your friends, enemies
and random losers can either telnet in or
netcat in with the command:
C:\>nc -v [ipaddress of target] [port]
Of course you will probably get hacked for
setting up this port. However, if you set
up a sniffer to keep track of the action,
you can turn this scary back door into a
fascinating honeypot. For example, you could
run it on port 23 and watch all the hackers
who attack with telnet hoping to log in.
With some programming you could even fake
a unix-like login sequence and play some
tricks on your attackers.
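The honeypot idea in the last paragraph is the safer way to watch port 23: instead of binding cmd.exe with netcat, listen with a program that only looks like a login and never runs anything. The following is an added example, not from the guide or from netcat: a fake Unix-style login that shows login: and Password: prompts, answers Login incorrect to every attempt, strips the option-negotiation bytes a telnet client sends when it connects, and logs each username/password pair with the peer address. The port 2323 is an assumption (binding 23 needs administrator rights); run it with python honeypot.py and connect with telnet localhost 2323.

```python
"""Fake Unix-style login honeypot: presents login:/Password: prompts, never
authenticates anything, and logs every attempt with the peer address.

Added example, not from the guide. It is the 'with some programming'
alternative to netcat's -e cmd.exe: no shell is ever exposed.
"""
import logging
import socketserver

log = logging.getLogger("honeypot")

# Telnet negotiation: IAC (0xFF) followed by a command byte; WILL/WONT/DO/DONT
# (251-254) carry one option byte more. Subnegotiation (SB...SE) is not handled.
IAC = 255
WILL, WONT, DO, DONT = 251, 252, 253, 254


def strip_telnet_iac(raw):
    """Remove the telnet option negotiation a telnet client sends first."""
    out = bytearray()
    i = 0
    while i < len(raw):
        b = raw[i]
        if b == IAC and i + 1 < len(raw):
            cmd = raw[i + 1]
            if cmd == IAC:                      # escaped 0xFF data byte
                out.append(IAC)
                i += 2
            elif cmd in (WILL, WONT, DO, DONT):  # command plus option byte
                i += 3
            else:                               # two-byte command
                i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def run_login_dialog(read_line, write, max_attempts=3):
    """Drive the fake login over read_line()/write() callables.

    read_line returns the next line as str without its line ending, or None
    at EOF. Returns the list of (username, password) pairs the peer tried."""
    attempts = []
    for _ in range(max_attempts):
        write(b"login: ")
        user = read_line()
        if user is None:
            break
        write(b"Password: ")
        password = read_line()
        if password is None:
            break
        attempts.append((user, password))
        write(b"\r\nLogin incorrect\r\n\r\n")      # every attempt fails
    return attempts


class FakeLoginHandler(socketserver.StreamRequestHandler):
    """One connection: run the dialog, then log what was tried."""

    def handle(self):
        peer = self.client_address[0]

        def read_line():
            raw = self.rfile.readline(256)
            if not raw:
                return None
            return strip_telnet_iac(raw).decode("utf-8", "replace").rstrip("\r\n")

        for user, password in run_login_dialog(read_line, self.wfile.write):
            log.warning("%s tried user=%r password=%r", peer, user, password)


def serve(host="0.0.0.0", port=2323):
    """Listen on an unprivileged port (assumed value; port 23 needs admin rights)."""
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    with socketserver.ThreadingTCPServer((host, port), FakeLoginHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The dialog is separated from the socket handling so the prompts and the attempt log can be exercised with plain callables; the handler only adds the telnet cleanup and the per-peer logging. Logging the attempted passwords is a deliberate choice for a honeypot, since they are the attacker's input, not a user's credentials.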
For more on how to hack with telnet, see the Beginners' Guide #8 at http://www.happyhacker.org/gtmhh/begin11.shtml
___________________________________________________________________
Where are those back issues of GTMHHs and
Happy Hacker Digests? Check out the official
Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support
good, old-fashioned hacking of the kind that
led to the creation of the Internet and a
new era of freedom of information. But we
hate computer crime. So don't email us about
any crimes you may have committed!
Steps To Deface A Webpage (About Defacers)
By b0iler
First of all, I do not deface, I never have (besides friends' sites as jokes and all in good fun), and never will. So how do I know how to deface? I guess I just picked it up on the way, so I am no expert in this. If I get a thing or two wrong I apologize. It is pretty simple when you think that defacing is just replacing a file on a computer. Now, finding the exploit in the first place, that takes skill, that takes knowledge, that is what real hackers are made of. I don't encourage you to deface any sites, as this can be used to get credit cards, get passwords, get source code, billing info, email databases, etc.. (it is only right to put up some kind of warning. now go have fun ;)
This tutorial will be broken down into 3
main sections, they are as follows:
1. Finding Vuln Hosts.
2. Getting In.
3. Covering Your Tracks
It really is easy, and I will show you how
easy it is.
1. Finding Vuln Hosts
This section needs to be further broken down
into two categories of script kiddies: ones
who scan the net for a host that is vuln
to a certain exploit and ones who search
a certain site for any exploit. The ones
you see on alldas are the first kind, they
scan thousands of sites for a specific exploit.
They do not care who they hack, anyone will
do. They have no set target and not much
of a purpose. In my opinion these people
should have a cause behind what they are
doing, either "I make sure people keep
up to date with security, I am a messenger"
or "I am spreading a political message,
I use defacements to get media attention".
People who deface to get famous or to show
off their skills need to grow up and realize
there is a better way of going about this
(not that I support the ones with other reasons
either). Anyways, the two kinds and what you
need to know about them:
Scanning Script Kiddie: You need to know
what the signs of the hole are. Is it a service?
A certain OS? A CGI file? How can you tell
if they are vuln? What version(s) are vuln?
You need to know how to search the net to
find targets which are running whatever is
vuln. Use altavista.com or google.com for
web based exploits. Use a script to scan
ip ranges for the port that runs the vuln
service. Or use netcraft.com to find out
what kind of server they are running and
what extras it runs (frontpage, php, etc..).
nmap and other port scanners allow quick
scans of thousands of ips for open ports.
This is a favorite technique of those guys
you see with mass hacks on alldas.
Targeted Site Script Kiddie: More respectable
than the script kiddies who hack any old
site. The main step here is gathering as
much information about a site as possible.
Find out what OS and web server they run at
netcraft or by using: telnet www.site.com 80
then typing GET / HTTP/1.1 followed by a
Host: www.site.com line and then a blank
line (hit enter twice). HTTP/1.1 requires
the Host: header; leave it out and most
servers answer 400, and a name-based virtual
host can't tell which site you mean (with
GET / HTTP/1.0 you can skip it). The Server:
header in the reply names the software and
usually its version and modules. Find out
what services they run by doing a port scan.
Find out the specifics on the services by
telnetting to them. Find any cgi script, or
other files which could allow access to the
server if exploited by checking /cgi /cgi-bin
and browsing around the site (remember to
check for directory index listings).
Wasn't so hard to get the info was it? It
may take awhile, but go through the site
slowly and get all the information you can.
2. Getting In
Now that we got the info on the site we can
find the exploit(s) we can use to get access.
If you were a scanning script kiddie you
would know the exploit ahead of time. A couple
of great places to look for exploits are
Security Focus and packetstorm. Once you
get the exploit check and make sure that
the exploit is for the same version as the
service, OS, script, etc.. Exploits mainly
come in two languages, the most used are
C and perl. Perl scripts will end in .pl
or .cgi, while C will end in .c To compile
a C file (on *nix systems) do gcc -o exploit12
file.c then: ./exploit12 For perl just do:
chmod 700 file.pl (not really needed) then:
perl file.pl. If it is not a script it might
be a very simple exploit, or just a theory
of a possible exploit. Just do a little research
into how to use it. Another thing you need
to check is whether the exploit is remote
or local. If it is local you must have an
account or physical access to the computer.
If it is remote you can do it over a network
(internet). Read the source before you build
it; plenty of published "exploits" carry a
payload aimed at whoever runs them.
Don't go compiling exploits just yet, there
is one more important thing you need to know.
3. Covering Your Tracks
So by now you have gotten the info on the
host in order to find an exploit that will
allow you to get access. So why not do it?
The problem with covering your tracks isn't
that it is hard, rather that it is unpredictable.
Just because you killed the sys logging doesn't
mean that they don't have another logger
or IDS running somewhere else (even on another
box). Since most script kiddies don't know
the skill of the admin they are targeting
they have no way of knowing if they have
additional loggers or what. Instead the script
kiddie makes it very hard (next to impossible)
for the admin to track them down. Many use
a stolen or second isp account to begin
with, so even if they get tracked they won't
get caught. If you don't have the luxury
of this then you MUST use multiple wingates,
shell accounts, or trojans to bounce off
of. Linking them together will make it very
hard for someone to track you down. Logs
on the wingates and shells will most likely
be erased after like 2-7 days. That is if
logs are kept at all. It is hard enough to
even get ahold of one admin in a week, let
alone further track the script kiddie
down to the next wingate or shell and then
get ahold of that admin, all before the
logs on any of them are erased. And it is
rare for an admin to even notice an attack;
an even smaller percentage will actively
pursue the attacker at all, most will just
secure their box and forget it ever happened.
For the sake of argument let's just say that
if you use wingates and shells, don't do
anything to piss the admin off too much
(which will get them to call the authorities
or try to track you down) and delete your
logs, you will be safe. So how do you do it?
We will keep this very short and to the
point, so we'll need to get a few wingates.
Wingates by nature tend to change IPs or
shut down all the time, so you need an updated
list or a program to scan the net for them.
You can get a list of wingates that is well
updated at http://www.cyberarmy.com/lists/wingate/
and you can also get a program called winscan
there. Now let's say we have 3 wingates:
212.96.195.33 port 23
202.134.244.215 port 1080
203.87.131.9 port 23
To use them we go to telnet and connect to
the first one on port 23. We should get a
response like this:
CSM Proxy Server >
To connect to the next wingate we just type
in its ip:port
CSM Proxy Server >202.134.244.215:1080
(Note that a port 1080 entry is a SOCKS port:
it expects the SOCKS handshake, not a typed
ip:port line, so chain through the telnet
proxy ports like 23 and use the SOCKS ones
only from a client that speaks SOCKS.)
If you get an error it is most likely to
be that the proxy you are trying to connect
to isn't up, or that you need to login to
the proxy. If all goes well you will get
the 3 chained together and have a shell account
you are able to connect to. Once you are
in your shell account you can link shells
together by:
[j00@server j00]$ ssh 212.23.53.74
You can get free shells to work with until
you get some hacked shells; here is a list
of free shell accounts. And please remember
to sign up with false information and from
a wingate if possible.
SDF (freeshell.org) - http://sdf.lonestar.org
GREX (cyberspace.org) - http://www.grex.org
NYX - http://www.nxy.net
ShellYeah - http://www.shellyeah.org
HOBBITON.org - http://www.hobbiton.org
FreeShells - http://www.freeshells.net
DucTape - http://www.ductape.net
Free.Net.Pl (Polish server) - http://www.free.net.pl
XOX.pl (Polish server) - http://www.xox.pl
IProtection - http://www.iprotection.com
CORONUS - http://www.coronus.com
ODD.org - http://www.odd.org
MARMOSET - http://www.marmoset.net
flame.org - http://www.flame.org
freeshells - http://freeshells.net.pk
LinuxShell - http://www.linuxshell.org
takiweb - http://www.takiweb.com
FreePort - http://freeport.xenos.net
BSDSHELL - http://free.bsdshell.net
ROOTshell.be - http://www.rootshell.be
shellasylum.com - http://www.shellasylum.com
Daforest - http://www.daforest.org
FreedomShell.com - http://www.freedomshell.com
LuxAdmin - http://www.luxadmin.org
shellweb - http://shellweb.net
blekko - http://blekko.net
Once you get on your last shell you can compile
the exploit, and you should be safe from
being tracked. But let's be even more sure
and delete the evidence that we were there.
Alright, there are a few things on the server
side that all script kiddies need to be aware
of. Mostly these are logs that you must delete
or edit. The real script kiddies might even
use a rootkit to automatically delete the logs.
Although let's assume you aren't that lame.
There are two main logging daemons which
I will cover, klogd, which logs kernel messages,
and syslogd, which handles the system logs.
The first step is to kill the daemons so they
don't log any more of your actions.
[root@hacked root]# ps -ef | grep syslogd
[root@hacked root]# kill -9 pid_of_syslogd
In the first line we are finding the pid
of syslogd, in the second we are killing
the daemon. You can also read the pid from
the daemon's pid file (/etc/syslog.pid on
some systems, /var/run/syslogd.pid on most
Linux distributions).
[root@hacked root]# ps -ef | grep klogd
[root@hacked root]# kill -9 pid_of_klogd
Same thing happening here with klogd as we
did with syslogd. Keep in mind that killing
the logger is itself a trace: the log simply
stops at that moment, and a remote loghost
or a cron job that checks the daemon will
notice the gap.
Now that the default loggers are killed the
script kiddie needs to delete himself from
the logs. To find where syslogd puts its logs
check the /etc/syslog.conf file (a destination
written as @somehost there means a copy is
already on another machine, out of your reach).
Of course if you don't care if the admin knows
you were there you can delete the logs
completely. Let's say you are the lamest of
the script kiddies, a defacer; the admin would
know that the box has been compromised since
the website was defaced. So there is no point
in editing the logs, they would just delete
them. The reason we edit the logs instead of
deleting them is so that the admin will not
even know a break-in has occurred. I'll go
over the main reasons people break into a box:
To deface the website. - this is really lame,
since it has no point and just damages the
system.
To sniff for other network passwords. - there
are programs which allow you to sniff other
passwords sent from and to the box. If this
box is on a shared (hubbed) ethernet segment
then you can even sniff packets (which contain
passwords) that are destined to any box in
that segment; a switch only delivers you
your own traffic.
To mount a DDoS attack. - another lame reason,
the admin has a high chance of noticing that
you compromised him once you start sending
hundreds of MBs through his connection.
To mount another attack on a box. - this
and sniffing are the most commonly used, not
lame, reasons for exploiting something. Since
you now have a root shell you can mount your
attack from this box instead of those crappy
freeshells. And you now have control over
the logging of the shell.
To get sensitive info. - some corporate boxes
have a lot of valuable info on them. Credit
card databases, source code for software,
user/password lists, and other top secret
info that a hacker may want to have.
To learn and have fun. - many people do it
for the thrill of hacking, and the knowledge
you gain. I don't see this as as horrible a
crime as defacing. As long as you don't destroy
anything I don't think this is very bad.
In fact some people will even help the admin
patch the hole. Still illegal though, and
best not to break into anyone's box.
I'll go over the basic log files: utmp, wtmp,
lastlog, and .bash_history
On most Linux boxes utmp is /var/run/utmp and
wtmp and lastlog are in /var/log/, but I have
heard of them being in /etc/ /usr/bin/
and other places. Since it is different on
a lot of boxes it is best to just do a find
for all three at once:
find / \( -iname utmp -o -iname wtmp -o -iname lastlog \) 2>/dev/null
(three finds can't be piped into each other,
find reads nothing from a pipe; combine the
names with -o instead). Also search through
the /usr/ /var/ and /etc/ directories for
other logs. Now for the explanation of these 3.
utmp is the log file for who is on the system
right now; I think you can see why this log
should be edited, because you do not want to
let anyone know you are in the system. wtmp
logs the logins and logouts as well as other
info you want to keep away from the admin.
It should be edited to show that you never
logged in or out. lastlog is a file which
keeps a record of the most recent login for
every user. Your shell's history is another
file that keeps a log of all the commands
you issued; you should look for it in your
$HOME directory and edit it. .sh_history,
.history, and .bash_history are the common
names. You should only edit these log files,
not delete them. utmp, wtmp and lastlog are
binary files of fixed-size records, so a text
editor will wreck them; use a tool that knows
the format. If you delete them it will be
like holding a big sign in front of the admin
saying "You've been hacked". Newbie script
kiddies often deface and then rm -rf / to be
safe. I would avoid this unless you are really
freaking out. In this case I would suggest
that you never try to exploit a box again.
Another way to find log files is to run a
script to check for open files (lsof does
this; then manually look at them to determine
if they are logs) or do a find for files
which have changed in the last 24 hours;
this command would be: find / -ctime 0 -print
A few popular scripts which can hide your
presence from logs include: zap, clear and
cloak. Zap will replace your presence in
the logs with 0's, clear will clear the logs
of your presence, and cloak will replace
your presence with different information.
acct-cleaner is the only heavily used script
in deleting account logging from my experience.
Most rootkits have a log cleaning script,
and once you installed it logs are not kept
of you anyways. If you are on NT the web
server (IIS) logs are at
C:\winNT\system32\LogFiles\; just delete
them, nt admins most likely don't check them
or don't know what it means if they are
deleted. The NT event logs themselves live in
C:\winNT\system32\config\ as .evt files and
are held open by the Event Log service, so
they can't simply be deleted the same way.
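What the admin's side of the utmp/wtmp discussion above looks like: an added example (not code from the tutorial, nor from zap, clear or cloak) that parses a Linux wtmp file and flags the marks those cleaners leave behind. wtmp is an append-only series of fixed-size records written in time order, so an all-zero slot (zap), a logout whose login record is gone, or a timestamp that steps backwards each points at editing. The record layout is glibc's struct utmp on x86_64 Linux (an assumption; compare against sizeof(struct utmp) on the box you care about), and SAMPLE_WTMP is constructed inside the block, not taken from a real system. Run it as python3 wtmpcheck.py /var/log/wtmp, or with no argument to see it work on the sample.

```python
import struct
import sys
from collections import namedtuple

# Field layout of glibc's struct utmp on x86_64 Linux (assumed; other
# ABIs differ, check sizeof(struct utmp) on the target box).
UTMP_FMT = "<hxxi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)  # 384 bytes per record

EMPTY, BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 0, 2, 7, 8

Record = namedtuple("Record", "type pid line id user host tv_sec")


def _cstr(raw):
    """Decode a NUL-padded fixed-width C string field."""
    return raw.split(b"\0", 1)[0].decode("latin-1")


def make_record(type_, pid, line, id_, user, host, tv_sec):
    """Pack one record; used here only to build the constructed sample."""
    return struct.pack(UTMP_FMT, type_, pid, line.encode(), id_.encode(),
                       user.encode(), host.encode(),
                       0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def parse_wtmp(data):
    """Split a wtmp image into Record tuples."""
    if len(data) % UTMP_SIZE:
        raise ValueError("size %d is not a multiple of %d" % (len(data), UTMP_SIZE))
    records = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        records.append(Record(f[0], f[1], _cstr(f[2]), _cstr(f[3]),
                              _cstr(f[4]), _cstr(f[5]), f[9]))
    return records


def find_tampering(data):
    """Return (index, reason) pairs for records that look edited.

    wtmp is appended to in time order and never rewritten, so a cleaner
    leaves one of three marks: an all-zero slot (zap), a logout whose
    login record is gone (one record zeroed or cut), or a timestamp
    that steps backwards (records rewritten or shifted)."""
    findings = []
    open_lines = set()
    last_ts = 0
    for i, rec in enumerate(parse_wtmp(data)):
        raw = data[i * UTMP_SIZE:(i + 1) * UTMP_SIZE]
        if raw == b"\0" * UTMP_SIZE:
            findings.append((i, "all-zero record (zap-style wipe)"))
            continue
        if rec.tv_sec < last_ts:
            findings.append((i, "timestamp goes backwards"))
        last_ts = max(last_ts, rec.tv_sec)
        if rec.type == BOOT_TIME:
            open_lines.clear()        # a reboot closes every tty
        elif rec.type == USER_PROCESS:
            open_lines.add(rec.line)
        elif rec.type == DEAD_PROCESS:
            if rec.line not in open_lines:
                findings.append((i, "logout on %s with no preceding login" % rec.line))
            open_lines.discard(rec.line)
    return findings


# Constructed sample, not from a real box: a boot, an admin session,
# an intruder's login slot zeroed while the matching logout was left
# behind, and a record re-inserted with an older timestamp.
SAMPLE_WTMP = b"".join([
    make_record(BOOT_TIME, 0, "~", "~~", "reboot", "2.4.18", 1000),
    make_record(USER_PROCESS, 501, "pts/0", "ts/0", "root", "10.0.0.5", 1100),
    make_record(DEAD_PROCESS, 501, "pts/0", "ts/0", "", "", 1150),
    b"\0" * UTMP_SIZE,                                   # zapped login on pts/1
    make_record(DEAD_PROCESS, 777, "pts/1", "ts/1", "", "", 1300),
    make_record(USER_PROCESS, 900, "pts/2", "ts/2", "www", "localhost", 1200),
])

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_WTMP
    for index, reason in find_tampering(image) or [(-1, "no anomalies found")]:
        print("record %d: %s" % (index, reason))
```

The same three checks apply to utmp (live sessions) and, with a per-uid layout, to lastlog; a cleaner that rewrites all three consistently and keeps timestamps monotonic will pass, which is why a copy of the logs on a separate loghost matters more than any local check.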
One final thing about covering your tracks;
I won't go into detail about this because
it would require a tutorial all to itself.
I am talking about rootkits. What are rootkits?
They are a very widely used tool to cover
your tracks once you get into a box. They
will make staying hidden painless and very
easy. What they do is replace binaries like
login, ps, and who so that they never show
your presence. They will allow you to login
without a password, without being logged by
wtmp or lastlog and without even being in
the /etc/passwd file. They also make commands
like ps not show your processes, so no one
knows what programs you are running. They
send out fake reports on netstat, ls, and
w so that everything looks the way it normally
would, except anything you do is missing.
But there are some flaws in rootkits. For
one, some commands produce strange effects
because the binary was not made correctly.
They also leave fingerprints (ways to tell
that the file is from a rootkit): a trojaned
ps still reads /proc, so the processes it
hides are visible there, and a binary whose
size or checksum differs from the package
it came from is a giveaway. Only smart/good
admins check for rootkits, so this isn't the
biggest threat, but it should be considered.
Rootkits that come with a LKM (loadable kernel
module) are usually the best as they can
pretty much make you totally invisible to
all others (they lie to /proc and to every
binary at once) and most admins wouldn't be
able to tell they were compromised.
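A concrete check for the fingerprint just described, added here as an example and not part of the original text: a userland rootkit's ps still has to consult /proc, so a pid that is listed in /proc but missing from ps output has been hidden (or merely exited between the two reads, which is why check_live() samples twice and keeps only pids missing both times). An LKM rootkit hides from /proc as well and passes this check, which is exactly why the text rates them higher. The function names and the SAMPLE_* data are constructed.

```python
import os
import subprocess


def pids_from_proc(proc_root="/proc"):
    """Every numeric directory under /proc is a live process."""
    return {int(name) for name in os.listdir(proc_root) if name.isdigit()}


def pids_from_ps_output(text):
    """Parse the output of `ps -e -o pid=` (one pid per line; a stray
    header line is ignored because it is not numeric)."""
    return {int(tok) for tok in text.split() if tok.isdigit()}


def pids_from_ps():
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return pids_from_ps_output(out)


def hidden_pids(proc_pids, ps_pids):
    """Pids visible in /proc that ps did not report."""
    return sorted(proc_pids - ps_pids)


def check_live(rounds=2):
    """Sample ps and /proc `rounds` times; only pids missing in every
    round are reported, which filters processes that started or exited
    between the two reads. ps runs first so its own pid is gone from
    /proc by the time /proc is listed."""
    suspects = None
    for _ in range(rounds):
        ps_set = pids_from_ps()
        proc_set = pids_from_proc()
        missing = set(hidden_pids(proc_set, ps_set))
        suspects = missing if suspects is None else suspects & missing
    return sorted(suspects)


# Constructed sample: a trojaned ps that drops pid 777 from its listing.
SAMPLE_PROC = {1, 2, 511, 512, 777, 1042}
SAMPLE_PS_OUTPUT = "    1\n    2\n  511\n  512\n 1042\n"

if __name__ == "__main__":
    print("sample:", hidden_pids(SAMPLE_PROC, pids_from_ps_output(SAMPLE_PS_OUTPUT)))
    print("this box:", check_live())
```

Run it from a binary you trust (a statically linked ps copied from clean media, or a Python interpreter from a rescue disk) rather than the box's own tools, since those are exactly what a rootkit replaces.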
In writing this tutorial I have mixed feelings.
I do not want more script kiddies out there
scanning hundreds of sites for the next exploit.
And I don't want my name on any shouts. I
would rather have people say "mmm,
that defacing crap is pretty lame" especially
when people with no lives scan for exploits
everyday just to get their name on a site
for a few minutes. I feel a lot of people
are learning everything but what they need
to know in order to break into boxes. Maybe
this tutorial cut to the chase a little and
helps people with some knowledge see how
simple it is and hopefully makes them see
that getting into a system is not all it's
hyped up to be. It is not by any means a
full guide, I did not cover a lot of things.
I hope admins found this tutorial helpful
as well, learning that no matter what site
you run you should always keep on top of
the latest exploits and patch them. Protect
yourself with IDS and try finding holes on
your own system (both with vuln scanners
and by hand). Also setting up an external
box to log to is not a bad idea. Admins should
have also seen a little bit into the mind
of a script kiddie and learned a few things
he does; this should help you catch one
if they break into your systems.
On one final note, defacing is lame. I know
many people who have defaced in the past
and regret it now. You will be labeled a
script kiddie and a lamer for a long, long
time. (Don't worry, no one has a past here at HACK THE PLANET!)
First, put a DVD in your computer and run DVD Shrink. Hit the Open Disc button or select File -> Open Disc. DVD Shrink will take a minute or two to analyze the disc and then you'll see the DVD structure in the right pane and the compression settings on the left. For our purposes, we're going to keep all of this at the default settings (so video compression remains set to "Automatic").
Next hit the Backup! button or go to File -> Backup.... In the Backup DVD pop-up, you should tell DVD Shrink where you want your DVD rips saved (i.e., the target folder). You should use something like C:\DVDs\DVD Name (though, naturally, DVD Name should be replaced by the name of your to-be-ripped DVD). The VIDEO_TS and AUDIO_TS folders (which can be played with your software DVD player) for the DVD will be saved in this directory. Setting this default now is important, because when the automated rip runs, it will use the folder path up to the last folder (i.e., C:\DVDs), creating a new folder with a name you provide (normally the name of the DVD). Hit OK and the backup will begin. At this point, cancel the rip so you can try it with your fancy new one-click rip (be sure to delete any files that may have already been ripped).
If you're interested in editing the ahk script it can be found here.
Source
I HOPE YOU LEARNED SOMETHING!
Here's a link to a list of proxies
Keep on Hacking!-Admin