This section is made up of mini-tutorials that R a v e N used to send using our mailing list, back in the old days when he had more time to work on it (before we realized that sending out daily mini-tutorials meant almost no new tutorials nor other website features).
He also used to send trivia questions, so we'll put these as well, together with their answers.
Note: we are also adding new material that wasn't sent out through the mailing list.
Where the hell is the Local NT Security tutorial? (GREAT READING)
What is traceroute and how it works
What is ping and how it works
Why is RedHat good for newbies, and why is it one of the least secure Unix distribution by default (still better than Windows, though)
What is Wingate
Some Unix Stuff (the history of Unix)
Ping-flooding reboots Win98
Your friend fell into the toilet? Time for some hacking!
How to make diskette bombs (AWESOME!!)
How do you clear the screen in Unix or DOS
Stupid holes in MSN Instant Messanger (Incredibly Stupid! Worth reading)
How can you use a simple and lame ICQ message spoofer to make a person lose his entire contact list, how can you protect yourself against this kind of stuff and what is spoofing anyway
What the hell is UUEncode
What is a subnet (a logical subnet and a subnet mask)
How domain names really work
Where to find Unix password files
What is an RFC
My little "LILOish" adventure
Tips for using ICQ
The right portscanner for the right job
Spoofing webpages
Installing themes on Linux
The basics of probing + what is nmap (GREAT READING)
Various login prompts
Common passwords
Why I like the character #
Changing your remote/local login banners
Password files == world readable + how do password files look like?
What, who and why is INetD?
What is a network sniffer?
What is sysedit?
The SU command
What is SUID?
FAQ and guide to cracking (cracking into systems)
How the winner of the PCWeek SecureLinux contest did it
Which port is which? (very useful)
What are Unix runlevels? + an easy little runlevels-related hack
What are Winmodems, and why do they suck?
How do I recreate files which I have already removed from the recycle bin in Windows? (very useful)
More mini-tutorials coming soon! We will constantly update this section during the next few days. Bear with us!
Where the hell is the Local NT Security tutorial?
Once upon a time, Njan decided to write a tutorial about local security. This tutorial is known as Local NT Security (even though eventually he decided that he would write a tutorial about Windows in general, not only NT). The problem was that his tutorial looked suspiciously like another tutorial, called Standalone Security.
At first we wanted to make it more updated, but he said that this stuff was really new and good (at the time this page was written).
Together we decided to put up that tutorial here. In the meantime, Njan has written a hardware tutorial instead. You can download it at the tutorials page.
What is traceroute and how does it work
First, let me include some answers I got (this was a trivia question):
Matt Reynolds wrote:
Traceroute is a program that allows you to debug network connections. You may also use traceroute to find the servers that your request goes through. For instance, you may be having trouble connecting to site http://www.microsoft.com to find out the problem you could do one of two things. Ping MS's website or use traceroute to see which server is down. Usually if you are having trouble connecting to the desired site you will get a message somewhat like "host unreachable" and/or "Request timed out."
Felipe Nunes wrote:
Traceroute ->
A utility that traces a packet from your computer to an Internet host, showing how many hops the packet requires to reach the host and how long each hop takes. If you're visiting a web site and a page are appearing slowly, you can use traceroute to figure out where the longest delays are occurring.
The original traceroute is a Unix utility, but nearly all platforms have something similar.
Windows includes a traceroute utility called tracert. In Windows 95, you can run tracert by selecting Start->Run., and then entering tracert followed by the domain name of the host.
For example:
tracert www.anywhere.com
Traceroute utilities work by sending packets with low time to live (TTL) fields. The TTL value specifies how many hops the packet is allowed before it is returned. When a packet can't reach its destination because the TTL value is too low, the last host returns the packet and identifies itself. By sending a series of packets and incrementing the TTL value with each successive packet, traceroute finds out who all the intermediary hosts are.
Jeff Davis wrote:
Traceroute - a utility for 'tracing a route' to your destination ( a remote computer) using ICMP 's echo request and echo reply packets, it perfoms a DNS lookup and sends 3 pings on each router as it "hops" to the specified destination. displays the time in milliseconds for each hop.
Now, here's my answer:
Traceroute: a Unix utility that reveals the route a data packet goes through when reaching from point A (your computer) to point B (target computer).
Traceroute can be run from either Unix or Windows 95 and above by typing 'tracert target' (without the quotes) and replacing target with the IP or hostname of the target.
Traceroute works like this: every packet has a value called TTL, which stands for Time To Live (also see Modem Speedup section at blacksun.jemix.com). This value is decreased by one every time the packet goes through another router on it's way to the destination. When the TTL gets to zero the packet is killed and an ICMP error is sent back to the sender, so lost packets won't wander around the net forever.
Traceroute first sends a packet with TTL=1. The packet takes one step forward and dies, and it's ICMP error reveals the router which sent it. Then traceroute sends a packet with TTL=2, etc' etc' etc', until it reaches the destination. The use of traceroute: in addition to the uses mentioned above by our readers, traceroute can also be used to determine the upstream provider of your target. Hang on, I'll explain.
The Internet consists of users, regular ISPs and Backbones. Users are people who get their bandwitdh (a certain amount of speed that can be used for incoming and outgoing transfers) from another person/organization, but don't give any of it to others.
A regular ISP is a person/organization that both provides bandwidth but receives it's bandwidth from a different person/organization.
A backbone is an ISP which does not get it's bandwidth from another person/organization. That's why they are called backbones - these are part of the main infrastructures of the Internet.
Now, an upstream provider is a person/organization that gives our target it's bandwidth. When we traceroute out target, it's upstream would probably be just one or two hops before the last one. If we want to have a website shut down or a certain ISP user disconnected and we
think our reasons are legitimate enough, we can send an Email to the upstream provider and tell him all about why we think this website should be shut down or why this user should be kicked out of that ISP.
What is ping and how does it work
Let me show you some answers we got for this question first.
The Ender wrote:
Ping is a message that you can send through the Internet to a specific IP address. The ping message usually has an extremely high TTL (256) (editor's note: see Modem Speedup section at blacksun.jemix.com), and it is used to test your connection to the host and to test the speed of the connection. You can also use the ping message (which the target IP must to reply to this massage) to nuke another computer, if you have it's IP (you can get your target's IP in several different ways. One of the most common ways is through ICQ or IRC). It can also it is used to trace-route and to check the stability of the network.
To ping, all you have to do (in windows 95, while you are connected), is to write 'ping target_IP' (without the quotes) to ping 4 times, with ping length of 32 bits. If you want to nuke somebody (editor's note: this will only work on some Windows 95 machines), you can control the length of the ping by adding the flag "-l xxx", and replace xxx with the number of bits (editor's note: in my opinion The Ender is wrong, and xxx determines the number of bytes in the ping, not bits. Confused? We'll write a tutorial about bits and bytes soon, don't worry) you want your ping to contain (editor's note: this is called an SSping attack, or the ping of death. This works on unpatched Windows machines, and some Unix machines as well. Let me quote a text I found somewhere:
A malicious user constructs a large packet and sends it off. If the destination host is vulnerable, something bad happens. The problem lies in the reassembly of these large packets. Recall that we have 65,515 bytes of space in which to stuff data into. As it happens, a few misbehaved applications (and some specially crafted evil ones) will allow one to place slightly more data into the payload (say 65,520 bytes). This, along with a 20 byte IP header, violates the maximum packet size of 65,535 bytes. The IP module will then simply break this oversized packet into fragments and eschew them to their intended destination (target). The receiving host will queue all of the fragments until the last one arrives, then begin the process of reassembly. The problem will surface when the IP module finds that the packet is in
fact larger than the maximum allowable size as an internal buffer is overflowed. This is where something bad happens.
Anyway, you can construct this packet with Unix's or Windows's ping command. Pretty easy, huh?)
Also, the flag "-t" orders the ping command to ping to the target continously (editor's note: this is called a ping flood. It will waste both your bandwidth and the target's bandwidth, and it is considered extremely lame. You have to have more bandwidth than your target in order to completely overload the target's modem and force it to disconnect and reconnect to the Internet, or ask you politely to stop). I believe that this describes the ping command completely.
The Ender
Note about The Ender's answer:
Ping flooding will chew up your bandwidth, but it will chew up the target's bandwidth as well. For example: if you have a bandwidth of 3K per second, and your target has a bandwidth of 4K per second, you will lose your entire bandwidth as long as you flood, while your target will still have 1K per second left.
Note about firewalls: no known firewall can prevent ping floods. Firewalls are only able to authorize/unauthorize incoming and/or outgoing connections/packets, but they will still chew up bandwidth. You can reduce the damage by 50%, though, by telling the firewall not to let the computer echo back. The only way to completely block ping floods is to put some kind of a firewall in one of the routers that routes packets from the attacker to your computer, and to tell that firewall not to let the router route these packets to you.
Note about lameness: ping flood can be very effective, but it is also very simple, hence considered lame. If you will start ping flooding people you will find out that your best friends start to disappear, or "move to Canada", as some might claim just to stay away from you and your lameness (not that I don't like Canada... in fact, I recommend going there at least once in a lifetime. Beautiful country).
Felipe Nunes wrote:
Ping -> The Ping (Packet Internet Groper) is a network tool that is used to query another system or host machine to ensure that the system is active.
It takes its name from a submarine sonar search - you send a short sound burst and listen for an echo - a ping - coming back. In an IP network, `ping' sends a short data burst - a single packet - and listens for a single packet in reply. Site Reporter will send five requests and after, will display a set of statistics for analysis. If a ping was unable to reach the remote machine or host, it will display error messages.
Ping is implemented using the required ICMP Echo function, documented in RFC 792 that all hosts should implement. Ping provides four important information:
* Whether TCP/IP software is functioning correctly
* Whether a local network device can be accessed.
* Whether a remote machine can be accessed.
* Verifying the software on the remote machine.
Note about Felipe Nunes's answer:
RFC stands for Request For Comment. These files are actually propositions for Internet stardards, and you can learn SOOOO much from them. You can search for RFCs at http://www.linuxberg.com. Oh, one more thing: you can change the amount of pings a single ping command sends. In fact, the defaults are actually either 4 or 6, depending on the operating system, not 1 like Felipe said.
My answer:
Note: instead of writing the full answer and repeating what the others already said, I will only write the details that I have to add.
Ping works like this on Unix: the simplest use is to type 'ping target' (without the quotes). For more information, uses and options, simply type 'man ping' (again, no quotes) to access ping's manual (man) pages.
The way ping works: ping simply sends a couple of packets (defined by the user or by the default value) to the destination computer into port 7. Everything that goes into port 7 is "echoed" back, hence the nickname - the echo port.
Why is RedHat good for newbies, and why is it one of the least secure Unix distribution by default (still better than Windows)
Nyaller wrote:
1. Of all the Linux distro's, RedHat is the easiest to install! If a WeeTodd like me can get it up and running, most anyone can.
2. RedHat is one of the most easily available distros. Even those with zilch for bandwith can go down to Borders, Barnes and Noble, Costco, Sams Club, etc....... and get RedHat!
Why is it less secure? Cuz it's full of holes! Last I read, there were over 200 different ways to root RedHat.
Hope these are the answers ya'll are looking for! If not, well then YCSAFMA!
Notes about Nyaller's answer
The first part was good, but the second part was rather incorrect, because:
1) there are many security holes (certainly more than 200) in every OS, but these depends on what programs the target computer runs and what versions.
2) This is not a reason.
But still, nice answer!
My answer:
Another reason why RedHat is good for beginners is because it comes with sooooo many utilities and programs with it. Why is RedHat one of the least secure Unix distribution (still more secure than Windows, though): the guys at RedHat release their stuff too fast, without running it through extensive beta testing (kinda like what Microsoft does, only that Microsoft tries to "bury" bug reports and "look secure", while RedHat fixes them real quick and notifies everyone about them in their mailing lists so they could grab the latest updates).
Note about money: RedHat, as all other Linux distributions is free, except for commercial packages (which come with commercial utilities within them). Linux was invented by a nice guy from Finland called Linus Torvalds. It can be legally distributed (the source code is free to download so you could make your own distribution of it) as long as you give it for free (not including shipping fees) and put the source code on the CD.
Before Linux was invented, you had to have a special type of computer to run Unix (please correct me if I'm wrong), so Linux is kinda like "Unix for PCs" (and Macs, I think).
Note2: Unix's original source code is free too, but there are some distributions which aren't free and don't come with the source.
What is Wingate
Here are some answers we got for this question:
KRom wrote:
A wingate is a type of proxy. Wingate is proxy software for Windoze 95/98... you can connect several pc's up to your main wingate server and use it's modem (for example) to cruise the net on many pc's at once, you can also use it to "forge" you IP address on the internet so you are not that easily traceable.
Note
The rest of the answers we got were nearly identical, besides this one:
Wingate is a proxy software package for windowze it allows you to share a dialup account across a local area network (LAN) It's pretty easy to set up, but is reportedly full of holes. I used it for a while, but I prefer Sygate when using Linux is not an option.
Ronnie, Hudson
So for anyone who has to install Wingate on his computer for some reason, just use Sygate instead. Thanks Ronnie!
My answer:
Well, KRom's answer was pretty good, but he missed a few important details.
You see, Wingate is a proxy software for Windows 95/98, as he described, but it contains many many many holes so you can use it to relay your data so it'll look like the "Wingated" computer is sending it, not you.
How to find Wingates: almost every lame "hacking" page has wingates scanners on it. These scanners go over entire subnets and look for Wingates on every machine. Try www.uha1.com, for example. They have a wingates section.
How to spoof your connection with Wingates:
Telnet to port 1080 on the "Wingated" machine. Once you get in, you will probably see a blinking text cursor. Don't worry, you're in. Now simply type 'ip-address port' (without the quotes) and the Wingated machine will send you the results.
For example: typing 'hackernews.com 80' will connect you to port 80 on hackernews.com, which is the webserver port. This means a web daemon will answer, and you'll need to send in some webserver commands (the same thing your browser does when you point it to hackernews.com).
You can also use Wingates to easily spoof your IP on IRC. Simply start your IRC client, find a place where it says something about firewalls and then tell it that you're using a SOCKS4 proxy (no, SOCKS doesn't have anything to do with socks. It's just an abbreviation for sockets, I think. Nevermind, you don't wanna know). When you are asked to insert the IP of the firewall, enter the IP of the wingated machine instead.
Tip: there's a list of Wingates at http://www.cyberarmy.com/lists/wingate/. They exist out of contributions, and they have some sort of script to check all the IPs every once in a while. Also try http://www.cyberarmy.com/lists for more interesting lists.
Note: for more information, read the Proxy/Wingate/SOCKS tutorial.
Some Unix stuff (the history of Unix)
Today's we're gonna discuss a little about Unix! Yay! Well, here we go. Oh, btw, I didn't write this, I found this at some text file. Unfortunately I don't remember where I found it. Don't worry, the rest of the file sucks, you're not missing anything. It teaches you some "elite" hacking tricks which don't work anymore anyway and aren't even worth learning.
Brief history: Back in the early sixties, during the development of third generation computers at MIT, a group of programmers studying the potential of computers, discovered their ability of performing two or more tasks simultaneously. Bell Labs, taking notice of this discovery, provided funds for their developmental scientists to investigate into this new frontier. After about 2 years of developmental research, they produced an operating system they called "Unix".
Sixties to Current: During this time Bell Systems installed the Unix system to provide their computer operators with the ability to multitask so that they could become more productive, and efficient. One of the systems they put on the Unix system was called "Elmos". Through Elmos many tasks (i.e. billing, and installation records) could be done by many people using the same mainframe.
Current: Today, with the development of micro computers, such multitasking can be achieved by a scaled down version of Unix (but just as powerful). Microsoft, seeing this development, opted to develop their own Unix like system for the IBM line of PC/XT's. Their result they called Xenix (pronounced zee-nicks). Both Unix and Xenix can be easily installed on IBM PC's and offer the same functions (just 2 different vendors).
Ping-flooding reboots Win98
Yes, this is true. Ping-flooding a Windows 98 (first edition) box for one minute will make it's connections buffer to overflow, causing it to simply reboot. Not even a blue screen, just a simple reboot.
Your friend fell into the toilet? Time for some hacking!
You come over to your friend's house. This friend of yours isn't much of a hacker (in fact, he never heard of Linux), but he thinks he's so cool because he put two (WOW!!) passwords on startup - one that pops up the minute you start the computer, and one that pops up the minute Windows starts (the password verification program that comes with Windows, not an external program).
Anyway, the guy has to go to "the little boys room", so he walks in, slips on something and falls into the toilet bowl. You call 911 but they'll only be here in 20 minutes (everyone is at the doughnut shop). Meanwhile, this looks like a good opportunity to look at your friend's secret files! But alas - the computer is shut down. Now, the question is: how do you bypass both passwords?
Anyway, here are some answers we got for this question:
KRom wrote:
The first password is the BIOS password, a relatively easy thing to remove. First you have to open up the computer and find the round quarter sized lithium battery (most computers have them). On some machines like a Compaq for example you are required to also reset a jumper and remove the battery. The jumper will be marked "reset CMOS". In most cases all you have to do is pop off the lithium battery and wait a good 15-30 seconds for the memory to be erased from the BIOS. Once this is done put the battery back, put the cover back on the computer and start it up. Most likely there will be an alert that the Bios was reset and most new motherboards will detect all of devices over again, so it's no biggie. Here comes Windoze... it's loading... loading... (COME ON!!!) loading....
Username:
Password:
click on the cancel button
<POOF>
Talk about tight security!
Your in like Flyn.
Now go to the DOS prompt and type: attrib -r -h -a -s msdos.sys
edit msdos.sys
change bootgui to GUI=0
(LOL)
save msdos.sys
attrib +r +h +a +s msdos.sys
type exit at DOS prompt
Start, shutdown... pull your friend out of the toilet... when he boots... no more windoze for him... will he know what to do at the dos prompt? Will he be able to get back into windoze?
Notes
The cancel option will only work if the login screen is actually for logging into a local network. Pressing cancel will not let you log into the network. On a regular password-protected computer, pressing cancel won't get you anywhere (Windows will tell you that you need to input the password). Read the next answers we got to learn more.
Note2: what the command attrib does is that it changes the "attributes" of files in DOS and Windows.
This is how it works: attrib options filename. Replace options with the options you want to set, and replace filename with the name of the file you want to tamper with.
The options: +r = readable. +h = hidden. +a = archive. +s = system file. Replace the plus with a minus to do the exact opposite.
Note3: KRom was the first to answer, while Syd Barret sent his answer about a minute later. Better luck next time, Syd ;-).
Someone* wrote:
To rid the two passwords. There are many paths. To get rid of the first password, one way is to try to boot up, press a startup key to go to the BIOS menu, and disable it there. Then boot to DOS, and use this command (without the quotes) "ren c:\Windows\*.pwl *.pwk" so windows can't see the password files. If he set a password to the BIOS menu, open his computer. Look on the motherboard for a small battery. Remove it, wait 1 min., then put it back in. If its an older computer you may have to set his hard drive and other settings. Then go about changing the Windows password files.
* sorry, whoever you are, for forgetting your name... :-( (note: this guy Emailed me and I mentioned his name the next day)
Notes
We already know how to bypass the BIOS password, but "someone" just told us how to bypass the Windows password... hmm... look at this... if you press F8 when you see the "starting windows 95/98" caption and you choose MS-DOS prompt you can change the names of the password files or even delete them so Windows won't ask for a password!
Note: you can disable the F8 key on your computer. This is why you might have to come prepared with a boot disk that contains MS-DOS only and boot from the disk instead of from the hard drive. If the BIOS is set to boot from the hard drive first, you can always get in and tell it to try to boot from drive A (or wherever your floppy drive is) first (if the BIOS settings would be password protected, we know what to do... ;-) ).
KngNthng wrote:
1> The BIOS passwd: Open the machine up, find the battery, remove it and then put it back in, BIOS reset including the passwd.
2> Win passwd:
Method 1: Boot into Safe-Mode
Method 2: Delete or rename *.pwl in the windows dir.
This worked for me. :)
See ya,
KngNthng
Frank Buerckling wrote:
Pretty lame cuz I didn't come up with myself but I'll give credit where credit is due: http://members.tripod.co.uk/gemadar/bios.htm
"j262" opens most versions of Award BIOS it works about 80% of the time. "AWARD_SW" and "AWARD_PW" work on some computers as well, but much less often. Other passwords that work as default passwords on various versions of various BIOS's, so they're worth trying are: condo, djonet, lkwpeter, biostar, biosstar.
If you have more than 20 minutes (911 is really backed up and your friend is REALLY stuck in the toilet) But this is pretty lame.
To clear the CMOS, you'll normally need to short a jumper on the motherboard. Most motherboards actually label the correct jumper, making your job easier. In most motherboards the jumper must be shorted while the computer is on. However, a small percentage of boards will be damaged if you try this. For that reason, try shorting the jumper with the computer off first, removing the jumper and turning the computer on. If that fails, then turn the computer on with the jumper in place. If you can't find the jumper, or it doesn't exist, unplug the computer. Find the internal battery and remove it. Most computers will clear CMOS anywhere between 10 seconds and 24 hours without any power.
If none of this helps you, you needn't give up quite yet. On some computers, flooding the keyboard buffer will crash the password routine and allow the computer to boot. Simply wait for the password prompt, then press ESC repeatedly. This may require 50 to 100 presses, and may not work in all machines, but its worked before, and its worth a try. If you have that nagging Bios password on any Award BIOS, there is a default password you can use: shift+s y x z
*********************************
If it's a toshiba laptop...None of the above will work. You've got to come to your friend's house prepared..... (I also lamed this from someone else.) I'm really a wannabe right now! Here's where it is: www.expage.com/page/toshibapassword
1) Using a second computer, a hex-editor and a floppy disk: change the first 5 bytes of Sector1 (not the boot sector (sector 0) but the one right after that) to hex: 4B 45 59 00 00 (actually if you use a blank disk or freshly formatted just change first 3 bytes to 4B 45 59. This spells K E Y in ascii.
2) Save that on the disk and then put the disk in the Toshiba laptop.
3) Power up the laptop and when it asks for the password hit enter.
4) You'll be asked if you want to reset the password. Pressing Y then enter will clear the boot password. Pressing N and enter will bypass the password and boot the computer w/out resetting password. If you do clear the password, you can now go into BIOS and set it to something of your choosing. Hee, Hee, Hee!!!
*********************************
I'll let someone else do the window's password thingy. It's pretty easy too though.
Have fun!
Dark Spector wrote:
Well, I would pop in the boot disk I carry everywhere and at the A:\ prompt, give the command: rename c:\windows\(his login name).pwl c:\windows\(my login name).zzz .Then i would turn off the computer and turn it back on.This time when it is turned on there is login window with no password, you don't have to type in a password so i click ok. When "starting windows" comes up on the screen i assume he isn't smart enough to have disabled the dos keys and hold down the F5 key and boot in though safe mode.then i would rumage though his secret files (i'm assuming it is porn since he is potentially the loneliest guy on earth).after that i shut down the comp pop the disk back and start it back up, use the command rename c:\windows\(my login name).pwl c:\windows\(original login name).pwl by then the EMT is probably there. Method 2: Boot up in DOS Mode.. Press F8 at the sys. configuration screen to get the boot menu... and choose option 7 for DOS Mode. .. then go to C:\WINDOWS\ and rename or delete *.pwl
Gendo Ikari wrote:
when i was going to school, the netadmin for my college installed Novell Netware (i think netware...), and windows 95
(enabled in network mode) on all of the machines. me being someone who always wants to know more, i started amateur hacking
one of the terminals (brute force password attempts, random key pressing, etc.). when you started up the computer, it never
gave the bios option, it always went straight to the novell login window. after entering a successful password and
username, windows comes up. i had no username, in fact i wasn't even s'pose to be there. anyway, when i was hitting random
characters on the keyboard, i notices that the taskmanager from windows was still available to me if i hit the windows key.
from the task manager, i could click file, run, then any application from the os. running any of which always loaded the
windows desktop and icons, then the application.i had access to every resource (internet, windows.ini, registry, etc.),
exept the printer (which i know can easily be rectified). even more, i had (i believe) netadmin access, because all of the
locked out applications (registry editor, etc.) that no one else had access to, i had acces to them.
Oh, and here is some interesting infomation I received from Parasitic. The usernames and passwords for the Windows password may also be stored on the registry (where lots of configurations and suchlikes are stored. Access it using regedit, which can be found at c:\windows\regedit.exe). Here are the keys that may store this information:
Here is a text file I dug up somewhere. This thing is damn cool!
Diskette Bombs by the Jolly Roger
You need:
- A disk
- Scissors
- White or blue kitchen matches (they MUST be these colors!)
- Clear nail polish
- Carefully open up the diskette (3.5" disks are best for this!)
- Remove the cotton covering from the inside.
- Scrape a lot of match powder into a bowl (use a wooden scraper,
metal might spark the matchpowder!)
- After you have a lot, spread it evenly on the disk.
- Using the nail polish, spread it over the match mixture
- Let it dry
- Carefully put the diskette back together and use the nail polish
to seal it shut on the inside (where it came apart).
- When that disk is in a drive, the drive head attempts to read
the disk, which causes a small fire (ENOUGH HEAT TO MELT THE DISK
DRIVE AND FUCK THE HEAD UP!!). ahahahahaha! Let the fuckhead try
and fix THAT!!!
-= DiGiTaL NiGhTmArE =-
How to clear the screen in Unix or DOS
Simple.
On Unix, type clear to clear the screen (when in text mode, of course).
On DOS, type cls to clear the screen.
Note: if you're running a terminal window from X-Windows (Unix's GUI), you may be able to scroll up and see what was on the screen before it got cleared.
Stupid holes in MSN Instant Messanger
I got this from the BugTraq mailing list. You can subscribe to it at http://www.securityfocus.com.
Hi.
Having just downloaded and briefly examined the newly released Microsoft's MSN
Messenger, (Microsoft's alternative to ICQ, AIM and other instant messaging clients) I
must say that Microsoft has not learn a single thing from serious security design mistakes
made by other instant
messengers. Here is a list of vulnerabilities that I have found in the first 30 minutes of
using it:
1. Password (which is the same as your Hotmail e-mail password) and contact list are
stored in the Registry (HKEY_CURRENT_USER\Identities). They are both stored as
ASCII values in a binary field (Does Microsoft actually believe that such amateur trick is
going to stop a serious hacker?)
2. The instant messages are sent unencrypted in MIME format. Curiously, there is a
mention of "security software licensed from RSA Data Security, Inc" in the About box of
the application and the program is apparently using Crypto API Hash functions for
_something_ but it's unclear for which purpose. It might actually send a password hash,
instead of the real password, in it'scommunication with the server, but I have not been able
to check that yet.
3. The program is using Hotmail as its user base. So, if you do not have a Hotmail
account, you apparently cannot use the program until you register one (nice marketing
technique). However, this also presents a big security problem. Hotmail has a policy to
terminate user accounts after 120 days of inactivity. So, you might find yourself in a
situation where you've been unable to access your Hotmail account for 3 months and
someone else has registered your account and is impersonating you on MSN Messenger!
These are only the most noticeable problems that I've discovered by just examining
program's operation, the registry, and very briefly looking at the packets sent by the
program. A closer and more thorough examination of the packet exchange might reveal
further and maybe even
more serious security weaknesses.
Yours truly,
Dmitri Alperovitch
Encryption Software - Developers of TSM for ICQ, an ICQ encryption add-on
http://www.encrsoft.com
dmitri@encrsoft.com
How can you use a simple and lame ICQ message spoofer to make a person lose his entire contact list, how can you protect yourself against this kind of stuff and what is spoofing anyway
First of all, spoofing is faking your identity. For example:
IP Spoofing - faking your IP. For more info, go to the books section and read the one called "IP Spoofing Demystified".
Message Spoofing - making an Email message, an ICQ message etc' appear it's coming from a different location.
There are plenty of ICQ "utilities" out there that will fake messages for you, but it is also possible to use these to 'cause a person to lose his entire contact list (DB Wipeout).
Simply send this person a fake message that will appear to be coming from a person with the same UIN as his. Once this person adds himself to his contact list, he will lose his entire ICQ database, including his contact list, personal details etc' on the next time ICQ restats.
To protect yourself against this kind of stuff, go to http://come.to/isoaq, download their all-in-one crack-pack and apply the "add yourself" crack on your ICQ.
What the hell is UUEncode
Have you ever noticed that when you send a message and/or a file through Email it gets a little bigger?
This is because of a little thing called UUEncode.
You see, there are compatibility problems between DOS/Windows, Unix, Macs and what not, so when you send a file to another computer it might get screwed up in the middle or something.
Even if you and the recepient have 100% identical computers, the file might still get screwed up because the mail servers and the routers that will pass it along the way might not know how to properly handle it.
Even text messages may get screwed up on the way (more info on the projects page, at the Unix2DOS section).
Now, in order to solve this UUEncode was invented. Whenever you send a message, it gets UUEncoded and then sent to your mail server. That way the message won't get screwed on the way. When it reaches it's recipient, it gets UUDecoded on the recepient's computer. Different computers will UUDecode files differently, but UUEncode them on the exact same way.
Unfortunately, UUEncoding files makes them a little bigger... oh, well...
What is a subnet
There's a logical subnet and a subnet mask. Before you learn what subnet masks are, you need to learn what logical subnets are (which most newbies would call just call a subnet).
What is a logical subnet
Well, kiddies, there are different kinds of logical subnets. Currently, there's a C-class subnet, a B-class subnet and an A-class subnet.
Here's an example for a C-class subnet: 62.0.147.x (x can be anywhere from 0 to 255). The person who owns the subnet 62.0.147.x actually owns all IP addresses that match the following wildcard: 62.0.147.0-255.
A B-class subnet could be 75.14.x.x, and an A-class subnet is 202.x.x.x (these are all just examples. Different logical subnets have different numbers. Ignore the numbers, just note the x's).
Now, your ISP should buy a couple of subnets, according to the number of users it wishes to support at the same time, before it can give people Internet connections. The ISP's subnets are also called IP ranges, or the ISP's IP range.
This form of subnets is called IPv4.
Now, this is not completely true... there are also D-class and E-class subnets. D-class subnets are used for multicastgroups, and E-class is... well... experimental... not sure about it, though, so please correct me if I'm wrong.
More info about logical subnets here (thanks to Cypress Hill for this URL).
What is a subnet mask
I've decided to include this tutorial (actually, it's an IRC log, but nevermind) which was written by a nice guy called Teolicy.
How do domain names really work
Have you ever wondered how domain names really work?
Well, you cannot actually connect to, say, hackernews.com. It's impossible. You can only connect to IP addresses.
But why would a person want to remember long IP addresses just to get into a website, an FTP, a mail server, a shell account etc'? This is the part where DNSs come into place.
DNS stands for Domain Name Server. These servers hold large databases of domain names and their IP address. Oh... so a domain name is actually just an alias for an IP address? Now you're getting it.
Now, this is how it works (roughly). Your ISP has a DNS. Your OS is configured to use this DNS and has it's IP. Now, suppose you wish to go to hackernews.com. Your computer goes to the DNS server and starts a conversation.
Your computer: Hello. Umm... I know you're pretty busy, but...
DNS: Yes?
Your computer: may I have hackernews.com's IP address?
DNS: Umm... okay... wait, let me see...
Now two things can happen.
1) DNS: Okay, found it. Here you go...
Your computer: Umm, yummy... thanks man.
2) DNS: Oops, looks like I don't have it... well, I'm not exactly the only DNS server in the world, you know. There are more important DNS servers (higher-level DNS servers). Let's ask them.
DNS: Hello, DNS2 (the higher-level DNS server). Do you happen to know hackernews.com's IP address?
DNS2: Yes, I do. Here you go.
DNS: Thanks. Now where is that guy...
Your computer: You mean me?
DNS: Yes, you. Here you go, I found that IP address you were looking for.
Your computer: Thanks.
Anyway, if the higher-level DNS server won't have the IP address, it will ask a higher DNS server etc'. Once your DNS server receives the IP address it will add it to his own database so he won't have to bother other DNSs again and slow down the net.
Oh, by the way, you can have your own little database on your own computer so you won't have to bother DNS servers (and not have to wait for them to give you the IP as well). On Unix, this can be done by entering IPs and then their hostnames at /etc/hosts. On Windows, this can be done using the c:\windows\hosts file (read c:\windows\hosts.sam for instructions).
This is how hosts files should look like:
the-hostname the-ip
Or:
the-hostname the-ip #a comment
Everything that is written after the # on thsi line will be disregarded by your computer, and can be used to insert comments into the file. Also, if you want to remove certain lines without losing them, you could put a # in the beginning of the line so your computer will disregard them but you won't have to delete them.
This isn't exactly how things work. What I just described here was a very general description of how DNS works. Here, let me explain:
Suppose you want to get blacksun.box.sk's IP. What do you do? Well, first, your DNS server has to get to a ROOT-ns computer. ROOT-ns computers are responsible for that last bit in domain names (in this case, sk. In www.whitehouse.gov, the ROOT-ns bit is gov, in www.hackernews.com, the ROOT-ns bit is com, etc'). It has a list of ROOT-ns computers and their IP addresses (not their domain names, because if it had to resolve their domain names, it would have needed to access ROOT-ns computers first, and then... well, you get the point). Then, your DNS server asks the sk ROOT-ns server (btw ns stands for name server) what's box.sk's IP. Then, it goes to box.sk and asks what is blacksun.box.sk's IP.
So as you can see, each time your DNS server goes one level down until it gets the IP it needs.
How do sub-domains work?
Make sure you read this before reading this mini-tutorial.
Ok, moving on. Now, I assume you know how domain name work (unless you havn't read the previous mini-tutorial).
First, a subdomain can look either like any of the following:
1) blah.narf.com
2) bloop.blah.narf.com
3) frrrrrrr.grrrrrrrr.nose.fran.org
4) etc' etc' etc'...
Anyway, I hope you get the picture.
So once you try to resolve a subdomain (get it's IP), your computer first gets the IP of the domain that hosts this subdomain (suppose the subdomain is bleah.host.com, then the domain that hosts it is host.com), and then goes to dns.host.com and asks for this subdomain's IP.
This is also why you can register as many subdomains you'd like to for free once you have a domain (you have access to the DNS server, so why would it cost you any money to register subdomains?).
Where to find Unix password files
Note: token is the character that is being inserted inside the unshadowed password file (usually /etc/passwd) instead of the passwords if they are shadowed. To read more about password shadowing, click here.
UNIX System Type
Path
Token
AIX 3
/etc/security/passwd
or
/tcb/auth/files/<first letter of username>/<username>
!
or
#
A/UX 3.Os
/tcb/files/auth/*
*
BSD4.3-Reno
/etc/master.passwd
*
ConvexOS 10
/etc/shadpw
*
Convex0S 11
/etc/shadow
*
DG/UX
/etc/tcb/aa/user
*
EP/IX
/etc/shadow
x
HP-UX
/.secure/etc/passwd
*
IRIX 5
/etc/shadow
x
Linux 1.1
/etc/shadow
*
OSF/1
/etc/passwd[.dir|.pag]
*
SCO UNIX #.2.x
/tcb/auth/files/<first letter of username>/<username>
*
SunOS 4.1+c2
/etc/security/passwd.adjunct
##
SunOS 5.0
/etc/shadow
System V 4.0
/etc/shadow
x
System V 4.2
/etc/security/* database
Ultrix 4
/etc/auth[.dir|.pag]
*
UNICOS
/etc/udb
*
Taken from UnderWarrior's website.
What is an RFC
Some answers we got:
Parasitic wrote:
Well there is two different RFC's that I know of. One RFC is short for "Request for Comments" which is just a Informational Internet document that gets reviewed and changed until (I think) everyone agrees about it's contents.
The other RFC is short for "Remote Function Call" which is a API (application program interface) which is somewhat self-explanatory.
Lenny wrote:
RFC = Request to Comment
They are text documents used for publishing standards, primarily for internet technologies. Following them is not required, but is an advantage to make sure your software/hardware is compatible with others.
Aneurysm wrote:
An RFC is a Request For Comments. It is a file that details the specifications of certain protocols. There are RFCs on everything from the SMTP to the IRC protocal, in fact, there's one for pretty much everything. It is put together by someone, and it details commands, structures, syntax and everything for that protocal.
Athesdan wrote:
An RFC is a Request for Comments, it details information about a bug in a daemon, protocol etc...
Yoink wrote:
RFC's are: Request For Comments, it is the documentation maintained by NIC (Network Information Center [no not NICs which are Network Interface Cards]) relating to Internet Protocols, adressing, routing, configuartion, and other related internet topics.
My answer:
RFC stands for Request For Comments. These start as drafts for network standards and they are being discussed over and modified by the IETF (Internet Engineering Task Force) until everyone agrees on it. You could learn a lot from RFCs, so if you read a tutorial or an article or whatever and see a reference to a certain RFC, go read it.
You can search for RFCs at http://howto.linuxberg.com.
My little "LILOish" adventure
Let me tell you a little story...
I keep both Linux and Windows on my computer because I'm not the only one who uses it, and the other users know nothing about Unix. Oh, by the way, I was using RedHat 6.0 at that time.
I used LILO to switch between OSs. Here, let me explain.
When you install Windows it puts some crap on your hard drive's primary boot sectors so it'll load up Windows upon startup. Of course Linux needs a different kind of "boot crap", so if you want to use both Linux and Windows you have two options:
1) Install only one boot, so either Windows or Linux will boot up, but make a boot disk for the other OS (the one that doesn't boot from your HD) and insert it when you want to use that OS.
2) Install LILO (comes with RedHat 6.0 and other Linux distributions). LILO stands for Linux Loader. If you install LILO or a similar application, it puts itself on your boot sectors, and then you are asked which OS you want to boot up upon startup.
Since option 1 isn't possible on RedHat because RH's boot disk gets you to the installation screen instead of into the actual OS, I had to use option 2.
Anyway, a couple of days after I installed RH Windows started making weird errors and some important programs didn't work. Why? Because it's Windows (note: the problems I experienced in Windows didn't have anything to do with installing RH. It's because of some stupid program I installed). I looked at some readme files and I found out that I have to reinstall Windows. Oh, well... but once I finished reinstalling, I discovered that LILO was gone! Windows' installation program has overwritten it and put Windows' boot stuff instead!
This means I can't switch to Linux, because I can't use a boot disk to get in! The only option I had was to reinstall Linux... but of course, I didn't wanna do that... read on...
If you're using RH, use Slackware's boot disk. Simply ask a friend or find someone on IRC who has Slackware and ask for Slackware's .img files. Then under Windows go to the RedHat CD, go to the directory called 'dosutils' (without the quotes, of course) and find a program called rawrite. The program will ask you to insert a disk into your floppy drive and then give it the location of the .img files (remember to use the Slackware "images" you got, not the RH ones).
Anyway, this is what I did. Once I got back into Linux, I typed lilo and it let me reinstall LILO without reinstalling Windows.
Tips for using ICQ
Here is a text file I dug up somewhere. Some of it is quite outdated, but most of it is still relevant these days.
Property Of....
[Image]
[Image]
Visit the Top45~!
[Image]
-=ICQ Stuff Written By SYXx=-
ICQ Chat Stuff- If you invite someone to a chat session and put on Sleep or
minimize the window, you will not see the person's writing and will have to
reset the screen or switch layout.
While messing around with myself on my Contact List (mentioned in General
Section), I`ve sent myself chat requests, had a chat with a single person
in it (me), and kicked myself out of a chat.
If you ever find yourself sitting with someone in a chatroom, and you know
they are typing, but you don't see it, click layout then click reset. This
also works for when the chat windows overlap, screw up, basically
anything. If clicking reset does not work for you, I suggest chaning the
layout to IRC Style then going back and then reset the layout. Or you ma
just have the Freeze button clicked on, which you'll find near there name.
If you like messing around in chat, try a beep bomb. Simply press and hold
Ctrl-G and watch 'em get mad. If you find yourself being beep bombed,
simply click other then un-click Enable Sounds.
The sleep feature is very nice when you are chatting with 2-3 people.
Essentially whenever someone types something, the chat windows pops back
up. You can either click the button on the tool bar or press Ctrl-S. One
odd thing I noticed when someone uses Ctrl-S to sleep, it will leave an
ASCII box in thier window, which they cannot see.
Scrolling is lame, and if you do not know how to do it your lame, so I am
not going to tell you how. Alright I will, the most efficient way to
scroll is go into IRC style and sit and press ENTER, however cutting and
pasting something into the box a bunch then pressing Enter often will lag
the people in the chat to hell. For instance, set the font size to 1 and
copy a line of @ or something then Ctrl-V, Enter, Ctrl-V, Enter, etc...
Another cool thing to do is if you have any old IRC macro's, save them into
a .TXT file then copy them to clipboard. Go into a chat, make sure your
buds do not have Override Format on, then take your font size to about 3 or
6, then paste it. The Terminal font usually is best for macro's, because
it will fit as it does in your .TXT file.
If you find yourself annoyed by really small or really large fonts, or just
all the colors, click Display then Override Format, and everything will
look like your font and background settings.
If you are sick of the default ICQ chat colors, click Display, then Color,
or Back Color, and you can choose colors from the entire palette. Warning
though, if you are on 32-Bit color, do not choose the same colors at
different depths, as many people use 256 color settings and will not see
your fonts.
If you have a lot written or the chat screen, or just wrote something nasty
and want to erase it on your side, click File, and Clear Buffer. If you
want to save something, click File and Save Buffer.
A lot of people attempt to create mega-chat parties, where they invite like
200 people. These DO NOT work, you will not see everyone in the chat,
which is another bug in ICQ Chat Module. Also in normal chat's sometimes,
people will leave on someone's screen, etc... There is no way to fix this
except to leave then re-invite yourself.
To kick people from chat, click File, Kick User, then double-click the user
you wish to dispose of. This will bring up a voting dialog. However
kicking in party chat's is not effective, as often there are other people
who will re-invite them.
If you get a chat request from a lamer, click Decline, then Enter Reason,
then put a period (.) and then hit and hold Enter until the window is
unable to hold anymore, then click OK. Then the window will be to large to
fit in their screen, and they will not be able to close it unless they
press Spacebar,enter, or Alt-F4.
ICQ Message / URL Stuff-
In ICQ 98 you can double-click a name and it will open up the Message box.
To annoy someone, you can send them Message Bombs, just by repeatedly
opening a window, saying something, then sending. There are also Programs
which do this, which you will find at the bottom of this page.
To send a Mass Message, open the message box, click More, Multiple
Recipients, then click all the names you wish to send to.
ICQ File Tricks & Bug Stuff-
If you want to send multipe files, simply hold Shift, and then select the
files you want to send. Note when you send files like this, the reciever
will not see the files name, rather "X files", so put a description of
them.
To send 2 or more specific files, in the Select Files window, find the
files you want to send. Once you know the file name nad extensions, put
them into the box next to each other. Once done, put quotation (" ") marks
around the files. Note when you send files like this, the reciever will
not see the files name, rather "X files", so put a description of them. A
simpler method of this is simply hold CTRL down while selecting files.
General Tips & Bugs of ICQ-
You can add yourself to your own Contact List by going to the directory UIN
under ICQ, then adding yourself or asking your authorization. Then simply
click yourself and add yourself! WARNING! Please backup your Contact List
before you do this. Otherwise once you shut off ICQ, you will lose your
whole Contact List!
Did you realize that Do not Accept is spelled wrong when you send an
Internet Phone/Game request to someone! Take a look for yourself!
If you place a - in front of your nick name and restart ICQ, the fields
'Nick Name, First Name, and Last Name' will be changed to 'Category,
Company, and Department' Thanks to o0o-CHeeTo-o0o for this! Also I played
around with it some and if you place a &- it will change nick name to chat
room instead of company and not change last name.
When for some reason you want to seem off-line to everyone, use the
Invisible status. However whenever you send a message in this mode, the
reciever will know you are on invisible status. If you do this, just go
Off-line on ICQ, then go back on Invisible status.
Hate it when ICQ servers go down? Try rapidly clicking On-line, Off-line,
and Invisible. This works for me and many other users, try it!
To hide yourself from a specific lamer, or seem away, Right-Click their
name. Thel goto Alert/Accept Modes, amd choose Invisible to user, away to
user, or Visible to user. Visisble to user will allow them to see whenever
your on ICQ, even in Invisible mode.
If you have your ICQ setup to automatically set Away on after X minutes,
and if you have it setup to goto N/A after X minutes, note that when it
goes on N/A, your away message will be lost.
If you find yourself unable to connect to ICQ, try going Off-line, then
On-line repeatedly, sometimes you can force your way on.
Click the ICQ button, hold it, then drag your mouse over to the Contact
List, notice the ICQ button is stuck in.
Maintain your Invisible, Visible, and Ignore lists by clicking the ICQ
button, then Security & Privacy. You can also Mask your IP address in this
window.
After you have around 200+ users on your Contact List, you will begin
losing ones you do not contact often.
If you would like to save your Contact List, look for the directory DB, in
your ICQ directory. Then just copy all the files somewhere.
Many of the higher UINs (60000, 70000, 80000, etc...) belong to ICQ
officials. If you would like Arik's, the CEO of Mirabilis, I believe. It
is 60000.
To mess someone's e-mail express up, E-mail bomb UIN#@pager.mirabilis.com,
substitute UIN# with there UIN.
To page someone, goto http://wwp.mirabilis.com/UIN#, substituting UIN# with
there UIN. Note once sent, your IP will be stamped on the message, so do
not harrass anyone in this way.
You can Ignore Mass message and other types of message by clicking Security
& Privacy, then Ignore List. You`ll see it there.
With ICQ 98, you can right-click anything with explorer in Win95 and send
it to a user. However if your Contact List has to many people on-line, you
will not see all names.
In your About box if you use a ' it will come out as a ", so use ` for it.
This also happens in regular messages with some users.
If you find yourself being harrassed by someone, I suggest you put them on
Ignore, or hide from them with Invisible.
[Submit your site to 100+ directories]
Use Submit It!, the leader in Web site marketing services,
to promote your Web site on the Internet.
Site ╪f The Month w/ FREE Access
[PORN TV! FREE!]
NEW! Log in with my ID ( USRENAME: PyRo ) and you get to watch FREE PORN
daily 24-7!
This page is all copyright 1998 and written by, SYXx. You may not reproduce
these, or any parts of my other pages without prior consent of the SITE
AUTHOR & CREATOR. Failure to do so is COPYRIGHT(r) INFRIGEMENT, and
Punishable by LAW! .
The right portscanner for the right job
A lot of newbies often ask me why they can't detect some ports that they know are open on remote hosts. Well, this is because all Windows portscanners suck.
Here, let me explain to you why. Let's say you're some script kiddie that wants to flood someone else on ICQ with lots of messages. First, he needs his ICQ port. ICQ assigns a port for itself for incoming events, such as messages, URLs etc'. This port is randomly generated each time, but it can always be found in a reasonable range (somewhere above 1024 and below 2000). This is why all message flooders for ICQ need the ICQ port in order to operate properly.
So anyway, this script kiddie runs his portscanner on his target, but finds absolutely nothing. Why? Because most Windows portscnners have a timeout of about 20ms! This means they give up if they don't receive an answer in 20ms. Of course, such a thing is impossible. You will almost never establish a connection with a remote host over the Internet in 20ms.
Some portscanners let you change this factor, but the default is still about 20ms. This is probably because the people who made the portscanner want it to look fast.
So anyway, if you want to find someone's ICQ port, or any other port, increase the timeout to at least 1000ms.
Now, Unix portscanners are much better. Take nmap for example. Nmap stands for Network Mapper.
Nmap does something that is called a stealth portscan. Here, let me explain.
On the TCP protocol, a connection is established like this: first the creator of the connection sends a packet with the SYN flag on to it's target on the specific port it wants to contact. The target will either reply with a packet with both the SYN and the ACK flags on, which means it accepts the connection, or reply with a packet with the RST flag, which usually means "forget about it, dump everything". If the target replies with a SYN+ACK (often referred to as a SYN/ACK), the creator of the connection will reply with an ACK. Once this ACK packet gets to the target, the connection is initiated and gets logged. This is called the TCP 3-way handshake.
Now, picture this: we send out a SYN, the target replies with a SYN+ACK, and we reply with an RST. What exactly happened here?
Okay, the first step (sending out the SYN) notified the target computer that someone else wishes to create a connection with it on a certain port. Then, the target computer agrees, and sends back a SYN+ACK. On this step, out computer knows the target has this port open, because it accepted our connection. But the connection is logged only after we send back an ACK, right? Then we send an RST instead. This will tell the target to kill the connection. That way the connection won't get logged, because it never had the chance to get fully established, but we'll know that the target has this port open and accepts connections from us.
This is what nmap does. Yes, I know there are programs that detect nmap activity, but they won't always work, and I certainly never seen one for Windows...
Spoofing webpages
First, if you don't know what spoofing is, read this. You also need to know how do domain names really work, so if you don't, please read this.
Now, don't get me wrong. I am not going to teach you how to do illegal stuff. This is a simple and legal trick you can play on your friends.
First, let's suppose your friend's URL is 'members.xoom.com/some_url' (without the quotes, of course). Your first step would be to open a website with a similar URL (for example: www.geocities.com/some_url, members.tripod.com/some_url, www.anrki.com/some_url etc'). Put your version of his website on this page. Then, you need to have both members.xoom.com's IP address and the IP of the server that hosts you (for example: if your URL is www.anrki.com/some_url, you'll need www.anrki.com's URL. If your URL is members.tripod.com/some_url, you'll need members.xoom.com's IP. From now on, let's suppose your URL is www.anrki.com/some_url, and your friend's URL is members.xoom.com/some_url).
Now, here comes the hard part. You need access to your friends hosts file (on Unix: /etc/hosts, on Windows: c:\windows\hosts). I suggest coming to his place for a while and getting this file while he's at the bathroom or something. Then, add this line to his hosts file:
www.anrki.com's_IP_address members.xoom.com
Replace www.anrki.com's_IP_address with www.anrki.com's IP address.
The next time he goes to members.xoom.com/some_url, he will get to www.anrki.com/some_url instead without even knowing, and it'll look like his website has been defaced.
Now, what exactly happened here? The hosts file can contain a small database of hostnames and their IPs, so when you try to dnslookup these hostnames you won't have to wait for DNS servers to give you the IP. Now, what exactly happens when he normally goes to members.xoom.com/some_url? His computer asks members.xoom.com for /some_url. If he goes to members.xoom.com/some_url/some-picture.jpg, his computer asks members.xoom.com for /some_url/some-picture.jpg.
Now, what we did was simply telling your friend's computer to go to www.anrki.com's IP address whenever the user asks him to go to members.xoom.com, so instead of requesting /some_url from members.xoom.com, your friend's computer will request /some_url from www.anrki.com, which will actually be the defaced website.
Important: there are programs out there that scan your browser's history and your bookmarks, dnslookup them all and add them to this little database in order to speed your Internet connection. You must make sure he doesn't have such a program, and if he has one, look for members.xoom.com's line and simply change the IP to www.anrki.com's IP.
Insalling themes on Linux
First of all, you may download themes for Linux at themes.linuxberg.com.
In order to install them, read the howto here.
The basics of probing
Probing is essential before securing a system (finding out which OS, which daemons, which software etc' the box or network you need to secure is using), cracking into it (for the same reasons as securing it - you need to know what the target host is running in order to start looking for holes) or learning more about it (for example: learning about a new ISP before signing up a one year contract with it).
Here is a paper taken from nmap's homepage (www.insecure.org/nmap). Nmap stands for Network Mapper, and it is the best portscanner out there.
It has many many options, such as stealth portscanning and much more (more information on how this works at nmap's homepage). Anyway, this article explains about OS detection and nmap's enormous capabilities in that field.
Various login prompts
Login prompts for different OSes
This is a listing of login prompts for many different OSes. Many people are puzzled by what OS a box is running. Well use this handy guide compiled by Mr. Photon (haxor@technologist.com)
--[ Apple Printer ]--
Apple Computer, Inc.
LaserWriter 16/600 PS
TCP/IP Printer Configuration Utility
--[ Ascend Router ]--
(ROUTER_NAME) Enter password:
--[ OS/2 Box ]--
OS/2 Version 2.3 (computername)M
--[ Windows NT or 95 ]--
Hummingbird Communications Ltd., Windows NT, Telnetd Version 6.0 (COMP.NAME)
login:
--[ VAX/VMS ]--
VIRTUAL MACHINE/ENTERPRISE SYSTEMS ARCHITECTURE
--[ HP-UX ]--
HP-UX fake.com B.10.10 A 9000/712 (ttyname)
--[ SPP-UX ]--
fake.com [Convex Exemplar SPP-UX V5.2.1 1200/XA-16] Authorized use only.
--[ AIX ]--
AIX telnet V.4 (computername)
--[ SunOS ]--
SunOS UNIX (computername)
--[ IRIX (Silicon Graphics Workstation) ]--
IRIX (computername)
--[ Solaris ]--
UNIX(r) System V Release 4.0 (computername)
--[ Terminal Server for Dialin Access ]--
User Access VerificationPassword:
--[ Cisco Switch ]--
Cisco Systems Console
Enter password:
--[ Red Hat Linux ]--
Red Hat Linux release 4.1 (ComputerName)
Kernel 2.0.27 on an i486
--[ Old BSD ]--
4.2 BSD UNIX (computername)
--[ SunOS Unix ]--
SunOS 5.6
--[ AIX ]--
telnet (computername)
AIX Version 4
(C) Copyrights by IBM and by others 1982, 1996.
login:
--[ Hewlett Packard Printer ]--
HP JetDirect
Please type "?" for HELP, or "/" for current settings
On Unix systems, your command prompt should be displayed like this:
$SP1 char
Here, let me explain. $SP1 means the system variable SP1. It contains the way your command prompt will look like. You can play around with it and make it show the current directory (stored in the system variable $PWD. PWD is also a command, and it stands for Print Working Directory. The command PWD simply does this: echo $PWD).
Now, char is a single character. In most cases, it will be a $ or a %. But if you have root priviledges (UID=0, GID=0) it will be a #.
Now you understand why I like this character... ;-)
Changing your remote/local login banners
/etc/issue and /etc/issue.net contain your remote and local login banners (/etc/issue = local, /etc/issue.net = remote). Go check these files out to see what I mean.
You could either change them and make up something yourself or use a cool program called LinuxLogo to create colorful banners (the colors won't be shown if a Windows user is telnetting into your computer, though. Instead, the user will see all the characters in monochrome). Go download it from linuxberg.com (run a search from their site for the phrase "linuxlogo", without the quotes, of course).
Password files == world readable + how do password files look like?
First of all, a file that is world readable is a file that can be read by ANYONE on the system, even the most inferior user.
Now, let's continue. On most systems today, the password file (usually /etc/passwd) is world readable. Does this mean ANYONE can get the encrypted passwords and decrypt them? Definetly not!
A password file consists of several (or one) lines, when each line represents a user. The password file looks like this:
Password - the user's password, encrypted using altered DES encryption (can be cracked, though).
UID - User ID. If your UID is 0, you have root priviledges (nothing can stop you, and you can even type "su username" (without the quotes) to become a different user. Type exit to return to your root shell after you're done. Btw SU stands for Switch User). If two users have the same UID, they'll have identical permissions.
GID - Group ID. The same as UID, with root being GID=0. GID let's you set ownership patterns and access patterns for a group of users (or a single user) who have different or identical UIDs but have the same GID.
Free text - some free text about the user. For info on how to exploit this field in order to get private information about people, read the Info Gathering tutorial here.
Home directory - where the user's private configurations files are stored. Usually /root if you are root, or /usr/your-username or /home/your-username if you're another user.
Shell - the program that gets executed once you log in. Usually a command interpreter (a program that receives commands from you and executes them).
Now, most systems will make /etc/passwd world-readable, but don't put the passwords in it. Instead, they will put a single character, such as *. The passwords will be stored at the shadow file, which is not world-readable, and is usually stored at /etc/shadow.
The /etc/passwd has to be world readable if you want to:
1) Find out what's the username of a certain UID. Very useful in some situations. For example: each file has an owner. The owner can change access patterns for this file, or change it's ownership. Root can own all files if he/she wants to. The owner's UID is inserted into the file. Programs such as ls (ls stands for list. It views the contents of a directory. For more info about it and it's uses, type "man ls" without the quotes on a Unix system) can tell you who owns a file. If they don't have access to the password file (programs run with your priviledges, unless they are SUID, in which case they run with the priviledges of the user who SUIDed them. People try not to use SUID, because it poses lots of security threats), they will only be able to present you with the UID of the owner. But if they have access to the password file, they can find the appropriate username for this UID.
2) Find out information about people (what's their home directory, what's their shell, what's written in their free text area etc').
3) Etc' etc' etc'... be creative!
For more info, read this.
What, who and why is INetD?
First of all, I hope you know what a daemon is. If not, read out tutorials here.
Now, let's assume that you understand what a daemon is. So anyway, daemons run as TSRs. TSR stands for "Terminate and Stay Resident". A TSR, once executed, will stay on your system's memory and wait for a certain action to take place (in our case: a connection on a certain port), and then do something about it.
Now, common sense says that a machine that is running multiple daemons will need lots of system resources for that. This is where INetD comes to place.
INetD stands for Internet (I-Net) Daemon (D). It is often called "the mother of all daemons". Why? Because it is a single TSR that is in charge of invoking other daemons.
Here, let me quote from the book Maximum Security (read it online or buy it online. If you order it, 15% of the money would go to us):
Common sense tells you that running a dozen or more daemon processes could eat up machine resources. So rather than do that, why not create one
daemon that could listen for all the others? That is what inetd does. It listens for connection requests from the void. When it receives such a request, it
evaluates it. This evaluation seeks to determine one thing only: What service does the requesting machine want? For example, does it want FTP? If so,
inetd starts the FTP server process. The FTP server can then process the request from the void. At that point, a file transfer can begin. This all happens
within the space of a second or so.
TIP: inetd isn't just for UNIX anymore. For example, Hummingbird Communications has developed (as part of its Exceed 5 product line) a
version of inetd for use on any platform that runs Microsoft Windows or OS/2. There are also non- commercial versions of inetd, written by
students and other software enthusiasts. One such distribution is available from TFS software and can be found at
To learn what is a network sniffer, plus tons of information about them and how to catch and remove them, read this excellent tutorial which I dug up somewhere.
What is sysedit?
If you're using any version of Windows at the moment, try hitting start, run and then typing "sysedit" (without the quotes, of course). See this nice application? It let's you edit your basic configuration files. Try playing around with them for a while, but remember to back everything up before you touch it... ;-)
The SU command
SU is a very useful Unix command. SU stands for Switch User. SU let's you run a sub-shell with the priviledges of another user within your current shell.
Basic usage: suppose you know someone else's password, whether he gave it to you or you hacked his account. Simply type "su user password" (without the quotes), and replace user with this person's username, and replace password with his/her password.
For root access: if no account is provided (just su and a single parameter. For example: "su blah"), your system assumes that you want to su to root, and checks if this is root password. If you entered the correct password, you get root access (unless the admin played around with the password file and gave root false permissions. In such a case, simply find the password file, find a user who has UID 0 and GID 0 and su to it (assuming that you have his/her password, of course. If not, try some common passwords)).
When su'ing from root: remember that if you have root priviledges, nothing is supposed to stop you. So why would you need to have someone's password just to switch to his/her user? Simply type "su username" (without the quotes) to login as that user.
When su'ing to a passwordless user: type "su username -" (without the quotes).
To exit the sub-shell: simply type "exit" (without the quotes) to exit the sub-shell and return to your normal shell.
How the hell can su read the shadow file?: first of all, if you don't know what the shadow file is, read this. Now, su is an SUID-root program. This is why it can read the shadow file, which only users with root access can read. To learn about SUID files, click here.
A nifty usage : most systems will block remote root logins, so people won't be able to get root even if they know root's password. But, if you know someone else's password, you could login as this user, get a shell and type "su root's-password" (without the quotes, of course).
What is SUID?
SUID stands for Set User ID. Here, let me explain.
Now, as you should know by now, every program or command you execute runs with YOUR priviledges. Right? WRONG!
SUID files can be run with the priviledges of the person who SUIDed them. You see, when you SUID a program, it puts your user ID somewhere inside the program so the system will know to run it with the SUIDer's priviledges. Of course, if you have root access, this should not trouble you, because you already have maximum priviledges.
SUID programs also pose a great security threat, especially SUID-root programs. If someone finds a way to make these programs do something they shouldn't do, he can do it with root priviledges. For example: if you could make an SUID-root program execute a command for you, you could tell it to execute sh to run a Bourne Shell (or BASH for Bourne Again Shell, CSH for C Shell, TCSH for Turbo C Shell, KSH for Korn Shell etc') with root priviledges (or in other words, a root shell).
Sometimes, on the other hand, you have to use SUID programs (such as SU, for example), so make sure you don't screw up with your security.
Want to learn how to SUID files? Read chmod's man page by typing 'man chmod'.
FAQ and guide to cracking
Read this excellent text about cracking into systems while trying not to get caught (WARNING: Don't be stupid. You will eventually get caught. Use this info to secure yourself and/or your network).
How the winner of the PCWeek SecureLinux contest did it
Read this excellent paper by the winner of the PCWeek SecureLinux contest on how he broke in and won the contest.
Which port is which?
Here is an excellent and very useful guide on what every port is for, different types of ports etc'. A must read for all those newbies out there.
What are Unix runlevels?
If you've been paying attention to what your Unix box does during startup, you should have noticed that it says: "Entering runlevel x" (where x is a number between 1 and 5) at one point of the bootup stage (after it mounts your root filesystem (your "/" directory) into read-write mode, sets up sound, finds your RPMs ("Finding module dependencies...") etc'). A runlevel is a bootup/shutdown sequence. It consists of a list of commands to run on startup and a list of commands to run on shutdown (or when switching to different runlevels).
Now, first of all, let's see how you can switch runlevels. Bah, that's easy. Simply type init x, where x is a number between 0 and 6. Runlevel 0 is for "halt" (turning off your computer, if you have APM -Advanced Power Management, and if you have APMD - APM Daemon, installed. All modern CPUs have APM), runlevel 6 is for reboot and the rest are various runlevels. 5 will bootup everything - it will even automatically run X (by default, of course. You can change this). Runlevel 1 is considered the single-mode runlevel. It does the least possible (kinda like "safe mode" in Windows) and doesn't even require you to enter a password (but only root can switch runlevels, so you have to be either root or have physical access to the computer during startup (we'll get to that later)).
To edit your runlevel list, you can either:
a) Go to /etc/rc.d/rcx.d/ (where x is the runlevel's number) and play around within this directory. It contains symbolic links (kinda like shortcuts in Windows. For more information about symbolic links (otherwise known as "symlinks"), type man ln) to programs (including their parameters) that will be executed, and symbolic links to programs that will be killed on shutdown. Play around to find out more (but ALWAYS make backups!!).
b) (this should work on most Unix boxes) Switch to the runlevel you want to edit. Then type setup. Go to system services, and select/unselect the services u want to run on startup and kill on shutdown).
c) The easiest way - on most systems, you will be able to type the command control-panel within an xterm (a "virtual terminal" - a console window within X-Windows) and get a nice little window thingi with lots of buttons and suchlikes. Find the button that says "runlevel editor" when you put the mouse above it for a second or two. Then click on this button and play around with the programs. I'm sure you'll figure out how to use it yourself. It's quite self-explanitory, and it contains help files and documentation if you really need help.
And now, for a nice little runlevels-related hack.
Now, if you're reading this document, you're probably a Unix newbie, so you probably use Redhat Linux, Mandrake Linux etc'. If so, you should have a prompt saying "boot:" or "LILO boot:" or "LILO:" when you start your computer, and you could either type Windows or Linux (you can change these names into, say, sucky-OS for Windows and Stable_and_secure_OS for Linux, or anything else you want. Use the linuxconf program to edit LILO's preferences, and use your imagination... :-) ). Now, what happens if you type linux 5? Of course! It boots up Linux in runlevel 5!! But wait! What happens if you type linux 1 or linux single? It runs on runlevel 1 - single user mode, which means... automatic root access! No password needed. :-)
Most people simply don't realize how dangerous this could be.
What are Winmodems, and why do they suck?
First of all, what is a MODEM anyway? The initials modem stand for modulator/demodulator. To make a long story short, a modem translates digital signals which your computer sends it into signals that can be transferred through the phone line (if it's a cable modem or some other kind of modem, it'll translate computer signals into whatever signals that can be transferred through the communications line it is supposed to run on), and then receives back phone signals and translates them into bits and bytes your computer can read and understand.
Note: of course, your modem does more than that. For example: it provides the actual connection with the phone line, and quite a variety of other things which are currently unimportant to us.
This whole modulating (turning computer signals into phone signals) and demodulating (duh... the opposite of modulating. Turning phone signals into computer signals) process requires some software, and of course, a computer to run it. So your modem actually contains a little computer that does the modulating and demodulating.
Then what is a Winmodem? A Winmodem is a modem that does not do the modulating and demodulating thing. Instead, it leaves it up to your computer to do that. It comes with the software necessary for your computer to perform these convertions.
So why do they suck so much? Because:
a) This whole convertion process takes up some resources from your computer, such as memory and CPU time.
b) If your computer slows down for some reason, you might get disconnected all of a sudden.
c) They don't run on any version of Unix. Why? Simply because there is no Winmodem software for Unix. The vendor didn't bother making them, I assume (silly bunch of lamers... :-) ).
So why would a person want to buy a Winmodem? Simply because they cost less (I guess you could figure out why at this point).
How do I recreate files which I have already removed from the recycle bin in Windows?
Once upon a time, in times when people either used versions of Windows prior to 95 or didn't use Windows at all (see the history of DOS paper), there was a utility called undelete. It served as a recovery tool for deleted files that were deleted less than a week ago, and used to save a lot of work and tears. That was all nice and smooth, until Windows 95 came up with it's "recycle bin".
Wow, looky here! Whenever I delete a file, it goes straight to the recycle bin! Ooh, I'd bet that's new...
The recycle bin isn't some magical bin thing, it's just a hidden directory. On every Windows 95 or above hard-drive, you have a directory called recycled. Whenever you send a file to the recycle bin, it is actually moved to this directory. Sophisticated, isn't it?
But here's the problem: most people don't like the recycle bin. They either press shift+delete to delete files without transferring them through the recycle bin or empty the recycle bin right after they send a file to it. But then, when you realize that you've made a mistake, you cannot recreate the file. Or is it so? ...
You can use DOS's undelete to recreate deleted files that were removed less than a week ago. If the file was on the recycle bin prior to it's "final and unrecoverable deletion" (yeah, right), you will find it in your recycled directory. Can't get any easier than this.
