Newage Hacking labs

Still here!

2006-07-16T17:19:00.000-04:00

Haha, I'm not quite dead yet.

No, seriously, I'm really going to make an effort this time. And I'm going to try to keep the mount of rants down to a minimum (okay, thats probably a lie. But not intentional).

Yea, so, check back soon, I'll be updating...

peace,
--n3w7yp3

Looong time

2006-06-17T13:18:00.000-04:00

Yea, its been a long time since I've last updated this blog. Sorry. :-/ FoodLion has kept my hours pretty full, and when I get off work, I'm too tired to do much. :-S

Anyways, school's out for the summer! :-)

Hmm, I can't think of anything to rant about really, so I'm going to end this post now. BTW, read kay's blog, nulldigital.

peace,
--n3w7yp3

Various things

2006-05-22T13:59:00.000-04:00

Hey people. Sorry for the lack of updates, but I finally got foodLion to put me on the schedual, and they've had me working alot (granted, my first day was like 2 or 3 weeks ago, but...). They even called me in yestarday, asking me to work. Apperantly, they hadn't schedualed enough people. :-/

Also, I've been updating n3w7yp3.dajoob.com alot. The index pages may look a little bare, but there is actually a good amount of code on there. I'm going to upload a few more things, and then fix up the index pages. Until then, if there's anything that you want that you know I've been working on, just ask and I'll send you the link.

In my spare time this weekend (which wasn't much), I did learn multi-threading in Perl, as well as C. Its very cool. Suddenly, a whole lot of new coding opertunities have opened up to me. I'm thinking about doing some superfast stateless port scanners (a la scanrand, see doxpara), as well as maybe some password crackers. I've coded a VBulliten hash cracker, but it still needs some work. Maybe I'll multi-thread it. :-)

Okay, I'm off for now. Check back soon for more updates!

peace,
--n3w7yp3

DoS

2006-05-12T14:02:00.000-04:00

So, I was browsing CNet and I found this article. I was suprised to see that the Computer Misuse Act (in the UK) doesn't say anything about DoS attacks. They are quite prevelent these days, and can be quite destructive.

Still, I find it hard to believe that a mail server was crashed by simple mail bombing. What seems more likley is that the disk space was filled up, and thats what caused the problem. But I wasn't there and will probably never see the logs, so its impossible for me to say for sure.

peace,
--n3w7yp3

Erm.... Frag Dolls?

2006-05-09T13:51:00.000-04:00

So, I was browsing CNet news, and I stumbled across an article about the Frag Dolls, Ubisoft's all female gaming team. Kind of odd, kind of different, after all, most people don't usually think of girls as gamers. Ah well, its cool.

My original plan was to rant about this, and complain that CNet was running pointless stories about video games (looks like they're caught up in the E3 madness just like the rest of the world), while they ignored stories about a botnet attacking a hospital. But then, I realized that (believe it or not), I just didn't care. Hard to believe but true. I still do play video games occasionally, and am cursing Netflix for not having a copy of Final Fantasy VII: Advent Children avalible for me to rent.

But about the bot master attacking a hospital, how stupid can you get? Messing with the computers in the IC unit does *not* make you a hacker, no matter how leet and badass you may feel after endangering someones life. BTW, has anyone else noticed how there are a lot of articles about botnets recently? I saw one on SecutiyFocus (linked earlier), and there was one on CNet (read it). And then we have the Fantasy Soccer league virus. Looks like it infects Microsoft Excel spreadsheets. Doesn't seem like that big of a deal (IMO), all it does is upload a fake spread sheet and modify thier existing fantasy soccer ones. I can't really see it causing any damage at all.

Okay, thats quite enough for today. I'm out.

peace,
--n3w7yp3

Kuang

2006-05-08T13:55:00.000-04:00

Hmm, so, a few months ago, I started on a project called Kuang. Kuang is a *nix log file editor (and the name of the virus in Neuromancer. I've got to stop naming my projects at 0300...) coded in Perl.

Its pretty good, it can delete a log, overwriting it with random data, truncating it down to 0 bytes and then unlinking it (like `shred'). It can also search for a string and then delete any lines that contain it, or replace them with something else (for instance, you could have it search for your IP address in the logs and then replace it with 127.0.0.1 or something).

Kuang also uses stat[8] and stat[9] and utime() to set the last access and modified times.

The code is done, after all, its not exactly a hard thing to code string relacements in Perl. ;-)

I'm gonna kick it around for a bit, and then put it up on http://n3w7yp3.dajoob.com.

Alrighty, I got to get back to HTML. *sigh*

peace,
--n3w7yp3

Code reuse

2006-05-05T13:26:00.000-04:00

Was just skimming SecurityFocus, and read an article about how malware has 'familys' (common code trends, even some exact same bits). Suppposedly, this was a big surprise to the group that did the analysis, Sabre Security.

I don't see why this would come as a suprise, to be honest. Chances are, malware writers are not out to see if they can create the most elegant code (unless say they're developing a custom rootkit to deploy against a target, etc), but to get the most distrobution of thier malware. So, if somebody has already written a good IP generation algorithm, I can see how it would be attractive option for them to copy the code.

Hmm, sorry if that didn't make much sense. I'm in class, and the girl next to me is playing some rap really loud on the computer speakers, and it's hard to concentrate with it on. :-/

peace,
--n3w7yp3

XSS in 8e6 filters

2006-05-03T13:38:00.000-04:00

Product: 8e6 R3000 web content filter (and possibly others).
Vendor: 8e6.
Attack type: XSS (cross site scripting).
Details: This attack is possible because the filter does not properly filter HTML, which can lead to the insertion of malcious SCRIPT tags.
PoC:

Normal blocked content URL: http://192.168.1.1/cgi/block.cgi?URL=http://www.gamewinners.com/&IP=10.1.44.5&CAT=GGAMES&USER=IPGROUP

Malicious URL: http://192.168.1.1/cgi/block.cgi?URL=http://www.gamewinners.com/&IP=10.1.44.5&CAT=GGAMES&USER=%3cscript%3ealert("XSS%20vulnerable.%20--n3w7yp3");%3c/script%3e

Misc info: You can also manipulate the other fields to further warp what the users sees. For instance, if you change &CAT=GGAMES to &CAT=No%20real%20reason, the category field on the form will read, "No real reason."

Discovered by: n3w7yp3

End vulnerability info.

Proxies

2006-05-03T13:26:00.000-04:00

Okay, I'm back. Like two seconds after I posted that last post, I was reading some article on CNet about school proxies (you can find it here), and one system administrator at a school said that he had not had a student bypass a filter ever since he installed an 8e6 filter. That really ticked me off. I know of a few places that have 8e6 filters, and they're all vulnerable to that XSS attack that I discovered a *long* time ago (okay, so maybe it was like 2 or 3 months ago. But thats a long time). I have not disclosed the vulnerability to 8e6, mostly because I'm lazy, and its an ace in the hole, so to speak.

But I really do pity that admin if he thinks that 8e6 filters will stop students. I'm willing to bet that as soon as a kid comes along who has some knowledge (and maybe malicious intentions), he'll use the XSS attack that I've discovered to mess with the filter. Speaking of which, I'm posting a vulnerability announcement next.

peace,
--n3w7yp3

Do'h!

2006-05-03T13:21:00.000-04:00

Okay, I know, its been a while. But, I actually have a good excuse this time! You see, I have relatives over, and they're in my room, which is where my computers are. So, I've not been able to access as much as usual.

Sorry about the short post, but thats all for today.

Starting Thursday, things will be back to normal. :-)

peace,
--n3w7yp3

Google and firefox

2006-04-28T13:34:00.000-04:00

Heh, this is prety cool actually. I was in school today, and I opened up Internet Explorer (my school is standardized on Microsoft software). They have the IE homepage set to Google. In any event, there was an ad beneath the search bar that read:

"Firefox with Google Toolbar: tabbed browsing, safer surfing."

Looks like google has finally realized that FireFox is much better than IE. Clicking on the ad brings you to this page.

Pretty cool, IMO. :-)

peace,
--n3w7yp3

Site

2006-04-25T15:50:00.000-04:00

Hey, well I registered for a dajoob account, and put up a small site where I can post my code etc.

Let me know what you guys think, the site is n3w7yp3.dajoob.com.

peace,
--n3w7yp3

Break

2006-04-19T15:56:00.000-04:00

Well, sorry for the lack of updates, but I've been on spring break all week. I've spent most of the time on IRC, and catching up on missed sleep during the week.

Okay, thats all for now. I may put up my throughts on Microsoft silently patching vulns, if I can be bothered... :-/

peace,
--n3w7yp3

Job Interview

2006-04-11T13:36:00.000-04:00

Well, it looks like I may be getting a job at FoodLion. I have an interview with them tommorow.

Hopefully, it will all go well. Course, that will just add more stress to my load. I've got a *huge* English report due on Friday, and I'm working on that. It's about Open Source versus Propritary Software (in terms of security). I may post this one up for download, after I hand it in (I have to hand it in on turnitin.com, a website which checks for plagarism. UIf I publish it online first, and then hand it in, there is a small chance that it may be reported as 100% plagarised. And, since my english teacher doesn't know that n3w7yp3 is my nick, I could be in for a rough time).

Well, that looks like its gonna be all for today. I'm writing an artcile about HP networked printer security, an article about firewall penetration, and a mini-series about Cisco device hacking. Hopefully those will be finished soon. But hey, if not, I have Spring Break start at the end of this week!! :D

w00t for Spring Break!! :D

peace,
--n3w7yp3

The weekend

2006-04-10T13:19:00.000-04:00

Well, I had a nice relaxing weekened. Not much happened, and I managed to get some sleep, unlike during the week. :-P

I had Friday off, and Thursday night myself and a few friends got together and had an impromptu LAN party. It was pretty cool, and I was introduced to Pure Pwnage (with FPS Doug!). Its pretty funny.

So, yea, I pretty much did nothing over the weekend. I was too lazy to code, and spent most of my time on IRC.

Okay, thats all for today. Catch you all later. ;-)

peace,
--n3w7yp3

DHS busted?!

2006-04-06T13:35:00.000-04:00

Wow, I can't believe this one. Some guy in the US Department of Homeland Security (DHS) was arrested for the exploitation of children online. While he thought he was talking to a 14 year old girl, he was actually talking to a detective.

People can be so stupid. There was a report on NBC or CBS a while back that basically said "Child exploitation rings are getting more and more advanced. They now use live feed webcams and MSN messenger to transfer files!" All this jazz does is convince more and more people that the Internet is a bad place. Its only as bad as you make it out to be. Like, there are kids who go to my school, who put thier home phone number, cell phone number, and home address on thier myspace. Seriously, thats *really* dumb. And this isn't just the hacker paranoia talking here either. In real life, would you give that info out? Most likely not. They also post the thier class schedual in thier AIM profiles, along with their cell phone number. Again, thats pretty stupid. If people would just exercise some common sense, everything would be fine.

I actually have another little anecdote on this subject (/me listens to the sighs). I'm sure that this will mean almost nothing to 99% of you, but if you do some googleing, you may find more info on the topic. Well, anyways, about 4 or 5 years ago, a gilr in my town turned up dead. She was 13 and had been meeting a 21 year old man she had met online for sex at the mall. He had killed her. It was tragic, yea, but god, who would agree to meet someone like that? Thats a really bad idea. Anyways, for the longest time, after that, my mom wouldn't let me chat online with people that I didn't know in real life (IRL). This was a minor nuscance, because she'd read my emails over my shoulder to ensure that I was not invloved in a sexual relationship with any 21 year old guys (no worries there). Now, this next part may sound a bit self serving, but us hackers, we have a natural paranoia which prevents us from doing stuff like that. And, many of us also have another skill, which I like to call common sense. ;-)

So, yea back to my original point about the DHS. Not only have they taken away and restriced American civil liberties, but they now appear to have employeed a bunch of paedophiles. That can't be good...

Ah, yes, the link to the original article can be found here. Heh, you can find all osrts of things on SecurityFocus... ;-)

peace,
--n3w7yp3

Social Engineering

2006-04-05T13:40:00.000-04:00

Hey , I was reading this article on SecurityFocus. Wow, hasn't it been known forever that end users are the problem? Jeeze, what a shocker!! :o

Heh. Actually, there is a funny story in that whole "Yea, sure I'll accept the pop-up add that says I need to install this" attitude that the end users have. I was recently at a LAN party, and we all decided to play Diablo II on a LAN, via the TCP/IP game option. So, one of us had a legit copy of the game, the rest (myself included) didn't. We all installed the one copy, and then found and downloaded cracked copies of the game.exe file. Now, we all know how many popups and spywares those warez sites have, yes? Well, at the time I was on an old box that I had installed Windows 2000 on. Now, me being a Linux user, I'm not used to those popups. For a second I was actually heading towards yes, and then stopped and read it. I was laughing pretty hard (For the record, I clicked "No".). It gave the rest of the guys a laugh when I told them that I had almost voluntairly infected my box with spyware. But the end here is that I didn't. So, to any non-techincally oriented people who happen to be reading this, *don't* click yes! :-P

So, erm, yea, thats my slightly funny story...

peace,
--n3w7yp3

A week??

2006-04-05T13:36:00.000-04:00

Yea, I know, I missed a week. :-/

However, I have a good excuse. I have pretty much been sick this whole time, and just going to school has really taken it out of me. So, yea, sorry. :'(

Oh yes, about Rayne, I *did* complete it, but for some reason (probably because I finished it when I had a 101 degree F fever), it will only send 3 packets and then fail with a call to the Net::RawIP module, line 550, I believe. I'll try and sort it out ASAP.

If I can't work it out, I may just recode it using Net::Write, and then release that. I'll just have to see.

peace,
--n3w7yp3

Rayne release draws near

2006-03-31T13:43:00.000-05:00

Well, Rayne is almnost at completion. It will be released tonight, or tommorow early afternoon. I'm feeling sick ATM, so like I said, if its not out today, it *will* be out tommorow.

In other news, I'm writing an article on firewall enumeration and penetration. And its not a copy of Hacking Exposed either. No, this is more or less an account of my first hand expirences while coding Amerex and Serenity. And yes, Amerex is still in the works. ;-) The article will be out by Sunday night (unless I get really sick).

One last thing, if any here has a copy of the Microsoft DDK, or knows how to get a discount on it, can you contact me? I'm considering doing a Linux kernal rootkit (shrapnel) and its Windows counterpart (shrapnel32). I have the dev tools for the Linux version, but alas, without the DDK I can't progress any where on the Windows one. :-/

And before anyone gets all excited, the rootkit idea is still a concept, nothing final.

peace,
--n3w7yp3

Serenity and Rayne

2006-03-30T13:53:00.000-05:00

Howdy, sorry I missed 3 days. I know that I stated that I would be updating daily, but I have not had time. See, I usually blog from class, but we've been doing a test in Programming Class. So, no time to blog. :-/

Anyways, I've started on two new projects. Rayne and Serenity. I'll detail Rayne first.

Rayne is simply a tool that is designed to make an IDS go nuts. It can be used to hide your scans (or anything else) amid a flood of packets. It sends random TCP packets with a random source IP, random source port and a random payload to the host. You feed it a port range to use, and it blasts out its spoofed packets. Its really quite simple to code, and it is actually quite simple for the admins to block. But it should still help. After all, if the IDS generates 5000 alerts, its going to be much harder for them to find your nmap scan. ;-)

Rayne also has the potential to be used in IDS testing. A pen-tester could use it to see if the IDS on the target is configured correctly.

Serenity is a kind of like a cross between firewalk and hping3. It lets you send out custom generated TCP packets (header flags and so forth), and then it functions like firewalk, finding out the TTL of the target gateway, and then increasing it by one. While it may seem somewhat pointless, I got the idea for it one night while I was poking around. I encountered a firewall that was dropping SYN packets, but would let other packets through. I was able to scan the ACLs using hping3 and the --ttl option. So, out of that Serenity was born.

Both Serenity and Rayne are written in Perl. Rayne is nearing completion (I just have one more function to code), and *will* be released this weekend. Serenity was actually started a long time before Rayne, but I'm having some trouble with the Perl interface to pcap (there's a bunch to choose from, right now I'm using Net::PcapUtils, but last night I downloaded Net::Pcap 12 off CPAN, so I may switch to that). The raw sockets for both scripts is being done through Net::RawIP, but I may change Serenity to use Net::Write instead (its much newer than Net::RawIP). Rayne may be recoded using Net::Write in future releases.

Oh yes, remember dmap? Well, I've started on dmap 3.5. It will be a complete recoding of the current dmap release. It will also use Getopt::Std instead of the require 'getopts.pl' which I had been using at that time. Shortly after I made dmap public, zshzn recommended to me that I switch to Getopt::Std, and I have. Its much better, IMHO. This release of dmap will also be *pure* Perl. No more shell escapes for the reverse lookups. I may also be coding in some rules, and maybe intelligent subdomain guessing.

Okay, thats all for now. More to come later.

peace,
--n3w7yp3

Yestarday (and a bit of today)

2006-03-27T13:30:00.000-05:00

Yestarday was a total write off. I was dead tired the whole day, and didn't get much accomplished. I tried several times to install Fedora Core 5 (I thought that I may have foregotten to set my boot order in my BIOS), to no avail. My DVD-RW drive is well and truley dead. :-(

Most of my day was spent coding a new script called Rayne. Its a small Perl script that bombards the target with random TCP packets, from a random source IP address, with random destination ports, and with a random payload in the data section. And no, its not a DoS script. Its for IDS testing, and/or it can be used to make an IDS go nuts while a penetration tester does his thing (I'm not sure how effective this will be, but it strikes me as a good way). Of course, as was pointed out by switch in #hf, if you scan correctly, there is no need to worry about IDS. Techniques like idle scanning are very sneaky and nearly impossible to detect. And if you proxy the scan, you're home free.

I had filled out a systems application from from Cray, but they have not replied. I guess they don't give away 512 CPU XT3's... :-/

Ah yes, in other news, it appears that Microsoft is giving Apple security advice. Hmm, sounds like a great idea, eh? Apple has had some problems with Mac OS X, and some security professionals have even went so far as to say it was an easy target. But then Windows has not had a good track record itself. After all, two days after the Bugtraq post about the msshtml.dll (I think thats the file) overflow, a 0-day exploit was written, and posted on milw0rm. From my point of view, thats amazing. Two days is insanely fast to get a working exploit developed, especially for something like IE, with which you can only do gray box and black box audits (no source code). The even more shocking part was that the sploit was made public. An IE 0-day is worth a good amount in the underground, and to post it to milw0rm like that probably cost the guys who wrote it a few good trades.

Okay, I'm out. I'll probably try and post more later.

peace,
--n3w7yp3

DVD Drive

2006-03-25T11:35:00.000-05:00

Well, my DVD-RW drive is refusing to read my Fedora Core 5 install DVD. In fact, its refusing to read any DVDs. Strange part is, it will read CD's just fine.

So, now its either I buy a new DVD drive, or download 5 CD's worth of ISO's to install Fedora... :-/

peace,
--n3w7yp3

DRDoS with DNS

2006-03-24T14:08:00.000-05:00

I'm sure this is all old news to any one reading this. Heck, we've all known about this for a long time. But, today CNET published an article talking about Distributed Reflective Denial of Service attacks that use DNS. Basically, it floods the target with DNS replies. You can read the article here.

Of course, this has been known about for a long time. The famous ihateperl.pl and drdos.pl scripts have implemented these attacks long ago. I wonder why they're just now getting noticed...

peace,
--n3w7yp3

New sendmail hole

2006-03-23T14:09:00.000-05:00

Well, surprise surprise, another Sendmail hole! Who'da thunk it?

Seriously, at times sendmail strikes me as hopeless as WU-FTPd...

Anyways, this hole has been picked up by the media. CNET has even published an article on it.

The hole itself appears to be somewhat dangerous, in fact, FrSIRT rates it as "Critical". It gives remote code execution on the target machine. It appears to effect most *nix OS's (including Linux) running the vulnerable sendmail deamon, but not Windows (at least not yet...).

Supposedly, there is no vuln "in the wild", but as we all know, the blackhats will probably have something. So, yea, that was just my 0.02...

Oh yes, the FrSIRT adviosery is here.

Okay, I'm out.

peace,
--n3w7yp3

Fedora Core 5

2006-03-23T13:58:00.000-05:00

Howdy,

Yes, I know this is old news, but Red Hat Fedora Core 5 was released on 2006-3-20 (March 20th, 2006). I plan on upgrading tommorow, so I'll post my thoughts about it then.

Also, according to an article on securityfocus, there are three main OS's,: Windows, Mac OS X and Red Hat Fedora Core. Seems like Fedora is becoming synonymous with Linux now... admitedly, it is one of the more popular and far reaching distros (and my personal favorite), but the OS is still Linux (well, actually GNU/Linux), not Fedora. I've once even heard someone on IRC remark, "Linux is the kernel, Red Hat is the OS." You can read the securityfocus article where thats mentioned here. The actual quote is:

"Yes, it's fast. Fast enough to give me visions of OS X native apps running alongside both Windows Vista and Fedore Core inside two virtual machines. It would make for a nice, highly portable security lab to test all three major operating systems." -- Kelly Martin http://www.securityfocus.com/columnists/393

Anyways, I'll post more about Red Hat's new release tommorow or the day after... I just hope that Net::RawIP will install, unlike in Fedora Core 4...

BTW, for anyone looking to learn more about Fedora, the link is: http://fedora.redhat.com.

peace,
--n3w7yp3

FrSIRT and milw0rm

2006-03-22T13:41:00.000-05:00

Well, it looks like FrSIRT has finally bowed to pressure from the French government and taken the exploits and PoC code off its site. It now only offers adviosories. Thats a *huge* step, considering I have several memories of them posting 0-day exploits. I'd expect that from milw0rm but not FrSIRT. FrSIRT now offers a program where you pay them money and you are able to browse a section of the site where they do keep have the exploits. They do offer a 14 day free trial, but it is avalible only for businesses and the like. I wonder how many "small local business" will be signing up for it. In any case, its a shame to see another great security site bow to pressure and sell out like that.

Also, speaking of milw0rm, str0ke has put up a section of papers. milw0rm has become much more than just a site for exploits. It now offers an MD5 and LANMAN hash database/cracker service, tutorials, videos, IRC and of course exploits and payloads. There also is a bzip2'ed tarball of the exploits avalible for download, as well as a wordlist (which I assume is the plaintext found in their hash databases). So, it looks like milw0rm is really stepping up. Who knows, one day it might even rival securityfocus in terms of content. Of course, that wouldn't be anytime soon, but who knows what will happen in 5 years?

Okay, I'm out for now.

peace,
--n3w7yp3

Area-6

2006-03-22T13:36:00.000-05:00

Well, It looks as though the wonderful area-6.net has gone down for good. jimmyj recently tok down the IRC server, and now the website has gone down as well. Unfortuntatly, I had not recieved any notice of this from anyone. So, if any a6'ers are reading this, drop a comment, or stop by irc.hackersfoundation.org #hf.

On a similar note, isn't m101's site, fatetek.net hosted by Blu-tek, which was jimmyj's hosting company? Is it going to go down as well?

And is xlordt ever going to finish recoding h4ckerx.net?

peace,
--n3w7yp3

Daily updates

2006-03-22T13:35:00.000-05:00

Hey all,

Well, Its been quite a long time since I have updated my blog. Once again, I apologize. I will now be blogging daily, sometimes maybe even more than once.

Anyways, if anybody is reading this, pass it around, okay?

peace,
--n3w7yp3

All sorts of stuff...

2006-02-03T13:45:00.000-05:00

Hey,

I know its been some time since I last updated here, and I apologize. I've made the regionals team for swimming, and practice has been crazy. I just have not had the energy to blog much. In fact, irs been a while since I've coded much..

Well, the regionals meet is next Friday, and next week I'm handing in three big projects for school. After that, its back to hacking and coding. :-)

Course, just because I've been lazy for the last few weeks does not mean that I've not been keeping up with the news. I'm sure you all know by now, but it looks like a group of Russian hackers sold the WMF vuln for about $4,000 (USD), before it was public. I think I also read that it was used in the attack againist the English Parliment. Article is on securityfocus's briefs.

Also, the Kama Sutra (Blackmal, whatever) appears to have done no damage, despite the reports that it would kill half the Internet... Once again, the mass media attempted to get everyone hyped and scared... Also, Sober's relaunch did absolutley nothing. Kudos to the AV guys who worked hard to put out signitures to disinfect the vitcims, as well as everyone else who contributed.

In local news, HF is *almost* up! dbr and BobbyB have been working extremly hard these past few days, getting it ready. You can view the site at http://hf.dajoob.com. Also, #hf has moved from irc.nullnetwork.net to irc.xelix.net (channel is still the same). The reasons for the move were many, but we left on friendly terms. If you ever find yourself on nn, drop by #nullnetwork, #perl and #c for some great info and discussion. If you're on xelix, drop by #controlthesystem.

One last remark about the IRC, TMC (aka The_MystiC) from humpmeg has generously agreed to give us our own server to use for IRC. The IRCd is up and ready, but there are still a few kinks to work out. It'll probably be ready soon. Server is irc.hackersfoundation.org.

Okay, thats all for now. More to come soon!

peace,
--n3w7yp3

dmap

2006-01-21T17:35:00.000-05:00

Ahoy,

Well, dmap has finally been finished and released! I'd like to give a big thanks to Nemesis_mk2 for hosting the dmap tarball.

If you don't know what dmap is, then you're missing out! dmap is a tool that uses DNS to discover hosts. Doesn't sound like much? Well, if you've read Stealing the Network: How to 0wn the box, you'll remember the tool dnsmap that the character Dex used in chapter 5. Well, dmap is like that on steroids. dmap also beats out the DNS enumeration tools profiled in The Penetration Testers Open Source Toolkit.

Anyways, you can get dmap at http://nemesismk2.freesuperhost.com/code/dmap_3.0.0_pre.tar.gz

peace,
--n3w7yp3

Ground Zero

2006-01-06T13:55:00.000-05:00

Well, the 6th is here. Sober is going to be released today. Symmantec's threat meter on securityfocus is at level 3 (the highest I have ever seen). So, they're clearly worried. However, they were worried about the Snort vulnerability, and MS05-051, which didn't have much effect at all.

I have read several articles that stated the attack has been stopped by F-Secure and thier discovery of the URLs that Sober will be updating from. Personally, I think the attack still will happen. (you can read one such article at: InformationWeek). However, I don't know if these sources are will informed or not.

An article was published today on CNet that Sober may actually come later than expected, due to all the publicity surrounding it. You can read the article here.

If indeed Sober does launch today, there should be some activety by 21:00 GMT -5. So, lets just keep our fingers crossed till then.

Also, a message to any end users out there: Update your AV signitures, apply OS patches, setup a firewall, and don't download ANY email attachments. Doing all these will help to stop Sober.

Also, the 0-day WFM exploit has been making waves. The metasploit dev team has released an exploit module for it, making it easy for anyone to code thier own varient.

peace,
--n3w7yp3

Holidays

2005-12-26T17:14:00.000-05:00

Ahoy,

Well, I'd just like to drop all my readers a line wishing them a happy holiday season. I know that I missed christmas, but meh, still in time for new years. ;-)

Still, better late then never.

BTW, I've finished coding a banner grabber for the Metasploit 2.x branch. Code will be up on www.area-6.net soon, but I still have a few kinks to work out (Perl appears to think that I called a subroutine at line 61, but since when is if() a subroutine?!).

Next up is a connection sweeper. Now, I know you're all gonna think "Oh god, he's truning this into Nessus or Core IMPACT. When will he stop?" Well, I'm not. I'm not coding anything to automate attacks. Just a discovery suite of tools.

Well, I'm out.

peace,
--n3w7yp3

PS: I'm going to publish that 8e6 XSS exploit *soon*(ish).

Sober

2005-12-21T15:57:00.000-05:00

Howdy,

Well, as you may have noticed, Symantec's threat meter on securityfocus is at a 2. I had no idea why and after asking on IRC, CdPirate reminded me that Sober is schedualed to be updated and released.

F-Secure did a good job of releaseing the list of URLs (see their advisory at: http://www.f-secure.com/weblog/archives/archive-122005.html#00000729.

Also, Sober has actually done some good. I'm sure that it is common knowledge by now, but Sober.Y (the one that sends fake emails) sent an email to a German citizen claiming to be from law enforcement. The man apperantly freaked out, and turned himself in. He apperantly had child porn on his box. You can find more info about this at securityfocus news.

So, who knows what the updated Sober will actually bring? I don't (I have not been following Sober during the last outbreak[s]), so, if you do, drop a comment enlightening me. ;-)

But back to the Sober updates, it appears its going to be released on the 5th of January, 2006 (2006-1-5) (which, incidently, is the anniversary of the founding of the Nazi party. I'm sure you all know this by now, but Sober was spreading righ-wing neo-Nazi propaganda for a little while). F-secure mentioned that it would reach critical mass by the 6th of January (2006-1-6). CdPirate made a good point stating that "By the 6th, the Internet won't be online, due to all the bots spreading". Hopefully the end users out there will have updated AV definitions, a good firewall and all the latest patches for Windows, but realistically, I doubt that will be the case. If this varient is mass mailing, it could potentially (and (un?)intentionally) perform a DoS attack against the backbones, simply from the sheer volume of email being sent (remember the MyDoom Google searches?).

So, I think its safe to say that it will be an eventful few weeks after the holidays, but nothing that can't be handled. And remember, don't buy into the panic that the AV vendors are spreading. Just keep a clear head and everything will be okay.

Thats all for now.

peace,
--n3w7yp3

Thanks to CdPirate for providing much of the info used in this article

Metasploit Portscanner Module

2005-12-16T17:49:00.000-05:00

Ahoy all,

Well, I got the alpha release of Metasploit 3.0 yesterday. I must say that I was quite impressed with it, although I was innitally uncertain about how it due to its in Ruby (and you guys know me, I'm a Perl fanatic ;-) ).

I noticed that It had a new class of modules, dubbed recon moduels. One of these was a scanner. So, I created a portscanner (TCP and UDP) for the 2.x branch. The code is avalible at: http://www.area-6.net.

To use it, copy and paste the code into the exploits directory on the framework root. Name the file msf_scan.pm.

BTW, You may have noticed that in the comments, I put that this is in a series of modules. I also want to do a banner grabber, and a TDP/UDP connection sweeper.

Enjoy!

peace,
--n3w7yp3

Swim team and XSS

2005-12-09T14:36:00.000-05:00

Ahoy,

Hey, I know its been a while since I last updated, and I'm sorry for that. So, lets catch up...

Well, as everybody from #hf knows, I recenlty joined swim team. Its quite fun and we have practice everyday (Monday - Friday). At our last meet, i swam 50 meters in 29.13 seconds and 100 meters in 1 minuet 8 seconds, which is a big improvement from my previous time of 1 minuet 22 seconds. Its alot of work, but I enjoy it.

Back on the techincal side, i have recently discovered an XXS vuln in 8e6's R3000 Internet content filter. This is an application that serves to block "inappropriate" content from reaching users (as well as sites that the admins have black listed). While I'm not a fan of censorship, it is a security risk to have users browsing around where ever they want to at work.

The vuln is quite easy to exploit. There are several parameters in the URL that correspond with fields in the resulting page. For example, the IPGROUP variable returns the IP Address of the filter machine (usually the webproxy as well). Normally it would read something like:

IPGROUP=192.168.1.100

However, its possible to insert any values into these fields. At first I just played with them making them say wacky things and showing it to my friends for laughs. One day, on a whim, i tried to HREF a link to Google. When it was successful, I tried playing around with "SCRIPT" tags and HREFing javascript: calls in. They all worked okay. With this vuln, its possible to get a users cookie values, and to bypass the filter entirley.

Okay, I'm out. Expect more updates soon!

peace,
--n3w7yp3

Worms, a follow up

2005-10-28T16:48:00.000-04:00

Well, it looks like my predictions were off. Symmantec lowered their threat level, and there was no Snort worm.

Course, even if there was a new worm, they don't seem that bad after NIMDA, Code Red (II), Slammer, and Blaster. Those were pretty bad, but more importantly, they also got admins to patch their systems. So, maybe some good came out of it....

peace,
--n3w7yp3

Possible Worms?

2005-10-21T14:02:00.000-04:00

Ahoy people,

well, we've all heard about MS05-050 (hopefully. if you have not, check it out at MS technet MS05-050 ).

So, the big question is, "Will this be another Windows worm?" supposedly, this vuln is easy to exploit and it leads to remote code execution (remote control). It also effects nearly every version of Windows. I seem to remember that on securityfocus they said it might, as well as on Cnet news. Of course, the comapnies love to give out these adviosories as it gets tham money (point in case, Zotob. It was not bad at all).

So, maybe it will and maybe it won't.

There was also the recently announced snort vuln that was deemed to be wormable (http://www.securityfocus.com/news/11349). While it would cause an impact, Snort is not that widespread (unfortunalty, it is a great NIDS and i say its a great product).

BTW, if you notice symmantecs world wide threat meter is at 2, which means an attack is expected.

So, what are your thoughts? Is it hype or is it for real?

peace,
--n3w7yp3

Free Cisco

2005-10-01T20:28:00.000-04:00

Ahoy,

For those of you that don't know, routeviews.org offer free anonymous telnet access to their Cisco routers (see routeviews.org/aaa.html for more) To login, telnet to route-views.oregon-ix.net:23 and give the username rviews

Then, have fun learning about cisco, hands on!

peace,
--n3w7yp3

OpenVMS

2005-09-18T19:33:00.000-04:00

Howdy,

i just found out about a cool little machine (deathrow.vistech.net). Its an OpenVMS box that provides free shells, or if you'd rather not give out your email address or get a permenate shell, they have a demo account. to connect simply telnet to port 23 or SSH on in. further instructions are provided in the welcome banner.

now, idk about you guys, but i've never messed with OpenVMS before. however, I have been playing with it, and it seems to be like mix of UNIX and Windows (the power of UNIX with some Windows style command syntaxes). The best part is, they don't mind you hacking the system (as they say "feel free to attack however gets you off, but no DoS)!

this is a cool thing. i highly recommend checking it out.

peace,
--n3w7yp3

Office Depot

2005-09-18T19:29:00.000-04:00

Ahoy,

well, today I went to office depot, and started playing with those nifty laptops that they have on display. They had a WLAN whcih was subdivided into seperate VLANs. however, host security was the worst i've ever seen. I would have done something about it (like turn on the already installed Norton Internet Security suite), but, i figured it was better not to get in trouble atm.

But, i did change the screen savers a tad. now they all say stuff like "Hack the Planet!", etc. Childish i know, but no damage was caused, and imo, changing a screen saver is not blackhat. who knows, maybe this will convince them to limit the users power on the laptops?

peace,
--n3w7yp3

Amerex

2005-09-13T15:15:00.000-04:00

Hey people,

If any of you guys have been in the Hackers Foundation IRC channel (irc.humpmeg.net #hf), you'll know that a project called Amerex is currently in the works. I have been asked many times, what is amerex? Well, here I have come forward with more details than normal. Here it is and enjoy!

What is amerex?

Amerex is a tool (coded in C) that is designed to enumerate hosts in order to determin if they are a firewall, penetrate the firewall, and establish a transperant connect through the firewall (if possible).

How does it work?

Well, amerex first gathers info about the target. It performs the following actions:

R/DNS lookup.
ICMP slam
ICMP traceroute
UDP traceroute
Parasitic TCP traceroute
Stateless SYN portscan (a la scanrand; thank you Dan Kaminsky)
Active OS identiftication
Passive OS identification
Trys to determin the hosts role (router, gateway, etc)
Makes a guess if the host is a firewall

Okay, during the ICMP slam, we'll be sending the target host every ICMP code, just to see what ICMP types they respond to. The Parasitic TCP traceroute will be used if the ICMP and/or UDP traceroutes fail. It will be run after we do the SYN scan. Once we find an open port, a full connection (SYN, SYN/ACK, ACK) would be established. Then we would preform the parasitic traceroute, a la paratrace (once again, thank you Dan Kaminsky).

The reason why we do a passive OS id and an active OS id is simple: that way we can cross refernce them in an attempt to gain greater accuracy.

the info will then be dumped to STDOUT in a nice neat report :-)

Okay, now we're ready to start the actual firewall enumeration.

First the attacks on the firewall:

Source port attacks
State attacks
Fragged packet slam
Mangled headers
Source routed packets
Just general wierd packets
Firewalking
Protocol Tunnels
Combinations of the above

Okay, those should be pretty much self explanitory.

Now, if conditions look good (eg: we get a reply from one of our packets from a host behind the firewall, amerex will attempt to establish a transpertan tunnel through the firewall.
Methods that will be used are:

Fragged packets
ICMP tunnel
UDP tunnel
Source port
State attacks
Mangled headers
Protocol tunnels

Not that protocol tunnles will only be used rarley, if everything else fails.

What language is amerex written in?

Amerex is being written in C.

When will amerex come out?

No idea. It is still in development, and is not yet ready for a beta release.

Well, thats all for today.

peace,
--n3w7yp3

Awstats.pl

2005-08-26T23:30:00.000-04:00

Ahoy,

Well, I just coded my second professional level exploit. Once again, I didn't discover the vulnerability, but the guy who did had not even submitted it to securityfocus. So I did for him, taking care to enclose all his original and stressing several times that I didn't discover this and that he did. I also included my code (which I wrote). I just sent it off like 3 mins ago, but hey, I can hope, right? lol. Anyways, here is my code.

Hopefully there will be a link to securityfocus for that code soon. But I really hope that they don't credit the discovery to me... I'd feel bad for the original dude...

peace,
--n3w7yp3

Updates

2005-08-24T20:20:00.000-04:00

Howdy,

well I finally came to a conclusion: my blog looks like it was made by a 9 year old! So, over the course of the next few days, I will be customizing my blog to fit my needs. Any advice and/or critisims are welcome.

peace,
--n3w7yp3

CdPirate

2005-08-23T12:08:00.000-04:00

Hey,

CdPirate just got his blog up. check it out at: cdpirate.blogspot.com.

also, hackersfoundation.org is almost finished getting set up!

peace,
--n3w7yp3

w00t!

2005-08-21T15:07:00.000-04:00

Hey,

I just discoverd something. The exploit code that I submitted to www.securityfocus.com, was accepted! Admittidly, I didn't find this vuln, (it was discovered by Reed Arvin), but i recoded my own version, and submitted it!

check out the following URLs for more info:

Heh, idk about you, but i think that this is pretty cool!

NOTE: DoS is lame. dont ever do it. ever. i just wrote this script on a whim and submitted to it to securityfocus just to see what would happen.

heh, I got my code published!

/me does a little dance

peace,
--n3w7yp3

Comment!

2005-07-26T17:35:00.000-04:00

Hey if you are reading my blog could you take a second to comment? i'm trying to get s sense of how many peopel actually read this ;-)

thanks in advance.

peace,
--n3w7yp3

Password cracker

2005-07-26T17:28:00.000-04:00

hey guys i made an interesting password cracker in Perl. it'll do a dictionary attack against DES, SHA1, and MD5. check out the source here: www.area-6.net (its the second one i posted).

enjoy!

back

2005-07-26T17:27:00.000-04:00

Well i got back from vacation a few weeks ago. Time to update!

myspace

2005-06-07T12:25:00.000-04:00

heh, after that last post this is starting to look like myspace...

don't worry, i'm not gonna turn this into some sorta angsty place, it will remain a technical blog.. ;)

Busy

2005-06-07T12:20:00.000-04:00

hey guys,

sorry about the long down time (yet again!). i have had one hell of a time...

i'm tyrying to get www.hackersfoundation.org off the ground with CdPirate. hf is a site that i will be hosting (he's covering the domain name). we'll have some code and some tuts as well as a forum and maybe a tag board. i hope to make my own subsection of the site where so technical discussions can take place...

wow... i just found out yestarday that a person i know committed suicide on Sunday... it's been a crazy time...

hopefully after my life settles down a bit, i'll be able to update daily. who knows, this may even turn intop an actual blog ;)

Tools

2005-05-04T12:22:00.000-04:00

All,

hey, sorry for the long down time. I have been hard at work coding some stuff (some of which you may find interesting) so i have not been able to blog much.

i'll be posting the code on another site and then linking to it (beacuse if i post it here all the formatting will be messed up ;) ).

anyways heres a baisc rundown of the programs:

dnsscan2.pl: a small idea that i had. It does DNS lookups on a domain that you find in an attempt to identify subdomains. it will find things like, mail servers, VPNs, firewalls, etc. Handy! ;)
sweep.pl: A TCP/UDP sweeper, it is used to identify hosts that are alive.
portscan.pl: a small port scanner. it is not stealthy at all. It supports UDP and TCP scans.

okay thats all for now. links will be up soon!

peace,
--n3w7yp3

Admin issue 1

2005-04-20T18:29:00.000-04:00

Well, here it is: Under Ground Admining Issue 1. Enjoy...:

-=-{UNDERGROUND ADMINING}-=- [isssue 1] [by: n3w7yp3] [this paper can be freely distibuted as long as credit is given to me and it is whole and unchanged] +{_INTRO_}+ Okay, this is my first paper in my new _Underground__Admining_ series. This series focuses on how to effectively secure a network. It is *not* however, some super technical "end-all" book that you would buy from Borders. Instead I will point out various issues (propose fixes, too) and in general my goal here is to get the admin to think like a hacker. Lets get to it... +{_REMOTE_}+ We will first be discussing remote issues. Now, you will find that I will not propose solutions for the newest 0-days, instead my goal is to address the fundamental issues in the network. Lets first look at the gateway... The gateway is basically the door into your network. It is all that stands between the untested Internet and your trusted intranet. Thus, we obviously need to take special measures when securing it. A good place to start would be the TCP/IP protocol suite... Lets look at UDP first. UDP is the *U*ser *D*atagram *P*rotocol. Unlike TCP, it is connectionless and unrealible. UDP, however, has several uses to an attacker. Because it is connectionless, it can be used to trace the route to a host (traceroute). It also has several other uses but they don't concern us at the moment. Your gateway should be set to drop all incoming UDP to the floor. If it simply ignores the packets, you are still vulnerable to a technique called _firewalking_. Bascially, this technique sends a UDP packet with a TTL 1 greater than need to to reach the remote host (in this case, your gateway). Also, a host is specified *behind* the gateway (firewalking only works agains gateways). So, the gateway would ignore the packet but would still hand it off to the remote system inside the network. Using this technique, an attacker could easily map out your whole internal network. However, if the gateway drops the packet to the floor, this technique would be rendered irrevelant. Many admins feel that having the gateway ignore incoming packets is enough. In simple terms: it is _not_ enough. Drop those packets to the floor! Next lets examine ICMP. ICMP is the *I*nternet *C*ontrol *M*essage *P*rotocol. it is used for the smooth running of networks (espically at the IP layer), and to check things like connectivety and bandwidth. However it also has (many) negative uses. Your gateway should be automatically configured to drop all incoming ICMP_ECHO_REQUEST packets to the floor. If it is not, then we might have a problem.... I don't see why you need incoming ICMP packets at all to be honest. Put 'em all on the floor! If you're still not convinced about the dangers of ICMP, lets look at ICMP tunneling. In this technique, ICMP packets are used to pierce through firewalls. Once inside, an attacker can ping your whole IP range, and get all your hosts in one grab. ICMP can also be used to nuke network connections and in a variety of D/DoS attacks. Now, I am sure that no one wants any of this happening to their network. So, drop all incoming ICMP packets to the floor. ARP is our next suspect. ARP is the *A*ddress *R*esolution *P*rotocol. It is used to convert between physical MAC (*M*edia *A*ccess *C*ontrol) addresses and IP addresses. Now I'll put this plainly: You should never receive an incoming ARP request from the Internet. Its that simple. If you do it could be a sign that a Man-in-the-Middle (MiM) attack is taking place. Again, your gateway should put all incoming ARP packets on the floor (in the unlikely event that you do get one). More serious is ARP on your intranet. It can be used in *ARP chache poisoning*. This attack ccan either be used by it self or in conjunction with a MiM attack. It is very unlikley that there will be an oppertunity for an attacker to use a MiM attack on your network; but all ARP should be handled suspiciously. DNS is a little different. Most firewalls and gateways will accept packets as long as the have port 53 (the deafult DNS port) listed as thier source port. DNS is the *D*omain *N*ame *S*ervice. It converts hostnames to IPs and vice versa. DNS is essential to the runing of a network. If you have the resources, give your network a designated DNS server and don't let any incoming request in. Now, you're probably thinking, "Wait. DNS is a service not a protocol!" And you're absolutely right. But i put it in here to illustrate an important point: Do not let packets in based on their source port. That is trival to spoof.... Lets move on to TCP. TCP is the *T*ransmission *C*ontrol *P*rotocol. It is the most widely used protocol. It is connection based and reliable. Unfortunatly, there is no easy way to deal with TCP. If we drop all the packets, we won't be able to communicate with the outside Internet (not deserible). The solution is to make sure that your firewall/gateway tracks _states_. By this I mean that it will not admit a SYN/ACK from x.x.x.x unless a system on your LAN set a SYN to x.x.x.x. If you get an unsolisitated packet, you might want to drop it (espically SYNs). Following ths setup will greatly harden your network. However, security dows not stop at the peremiter. Since the internal workings of a network are so varied, there is no easy solution as we wittnessed above. Here is a short incomplete bullet list of things to think about: * NetBIOS. Try not to rely on it. * RPC. Try not to *USE* them. * Don't rely on "trusted" hosts. * Keep all systems on the latest patch level. * Segragate the network. Don't let hosts interact with each other if they don't have to. * If multiple intranets use the same IP range, and are inter-connected (like a school system), make sure that school A can't be access from school B, and vice versa. These are just a few things to think about. But, now, lets move onto local access. Physical access. Yes, even your own useres cannot be trusted.... +{_LOCAL_}+ Okay lets discuss local problems. These occur when a user is physically sitting in front of a terminal. to get a better sense of things, make yourself a standard user level account. If you admin a school, make it a student level account. No special privilages. Now, walk down to a computer that a normal user would use. Sit down. Login on the normal user account. Start checking things. Can you right click on the desktop? Can you right click in programs? Can you access "My Computer"? Can you start a shell from the Start menu? Most likely not. Now open Internet Explorer and type in the IP of anther host on your intranet. Can you access it? Can you access drives from IE? Again, probably not (by deafult any URL with a backslash in it is rejected). Now lets take a closer look.... The next thing to do is the following: 1. Open Notepad 2. Type in the following: [HTML] [HEAD] [TITLE]test[/TITLE] [/HEAD] [BODY] [P][A HREF="file:///C:"]C:\[/A][/P] [/BODY] [/HTML] 3. Save it as test.html 4. Run it. NOTE: Remove the [ ] and replace them with the normal HTML tags. Now this code is nothing special. Just a *.html with a link to the C: drive. When you click on it, does the drive open? If not, good. If it does (which is more likley), then we've got a problem. Navigate to the command line (on Windows XP it is C:\WINDOWS\SYSTEM32\). Now click on cmd.exe. It should be disabled. Okay, lets try command.com. Most admins forget about command.com. If command.com opens try to use the AT command. Read the help to try to get it to open cmd.exe in one minuet or so. Notice how you're SYSTEM level now? Of course, AT is most likley disabled. Now you hopefully understand what to look for. But we'er not done yet! 1. Start Notepad. 2. type in the following: START [path to command.com] 3. Save it as test.bat *and* again as test.cmd. 4. Run it. After START, type in the path to command.com that we discovered earlier. run both files. Two nice new shells pop up. Try out the following commands: AT ipconfig /all ipconfig /displaydns hostname nslookup (set type=all. Query your name server) new view /domain net view /domain:[domain name] net use net view nbtstat -A [computer] nbtstat -a [computer] netstat -an arp -a route print Hopefully, most of these commands will be locked down. If not, well, now you have a list of hosts, shares and DNS info along with other other valuable information. See how easy that was? Now, if someone does get local access, pray to your religious diety of choice that they are a hacker with lots of technical knowledge. If they are not, they are more likley to cause damage accidently. Also, don't punish people with local access. Instead, find out what they did, get as much info on the problem/breach as possible, and give them a warning. Or offer them a job. Whatever... +{_CLOSING_}+ As an administrator you are responsible for your network and all that it contains. Do you job well, and you will be respected. Here is a little "Admin Ethic" that I have prepared: 1. As as admin *you* are responsible for your network and all it contains. 2. Admining is a balance betwwen ease of use and security. 3. Don't insult your users. 4. Normal users will always prefer ease of use over security. 5. However, normal users want to feel secure. 6. There needs to be a balance between ease of use and security. 7. However, security is paramount and in the event of a conflict between security and ease of use, security takes priority. Well, I hope you learned something here. Remember, "Set a hacker to catch a cracker". peace, --n3w7yp3 PS: For those of you who are wondering why this was Windows ony, well Windows is the numnber 1 used OS in the world. I don't like it at all. My OS of choice is Linux (it is what I run now). Future papers in this series will cover more OSs than just Windows. -=EOF=-

New Series 2005-04-20T18:22:00.000-04:00 All: i have sttarted a new series of guides. It is called Under Ground Admining. I will post the first issue shortly. peace, --n3w7yp3 Guide 2005-04-02T10:09:00.000-05:00 okay here is Hack Guide Issue 1. Enjoy! [this guide can be freely distributed as long as it remains] [whole and unchanged and credit is given to me] +{INTRO}+ well,here we have my 3rd attempt to write a hacking guide. My first one was completed but had many flaws, and alot of the info was wrong. My second attempt was good and accurate but was extremly long and i lost track of where i was when i moved and was forced to abondon it for a few weeks. So, in this attempt i have decided to take a different approach. This version will be a broken up guide, with the new issue coming out once a week (hopefully). at the end you will have a complete guide sitting on your HD, it will just be broken up into sections, thus making it eaiser to read. Or, if you prefer the long single text file type of guides, you can simply make a file called "hack_guide" and reassemble it using your version of the *nix cat command and some output redirection (for example: [bash]$ cat issue1_intro >> hack_guide ) okay enough explaining. lets get to it! +{THE STATE OF THE HACK}+ The state of the hacking scene is so much different now than it was even a few years ago. with skript kiddies seeminly everywhere, and crackers and black-hats breaking into and defacing websites and in general causing damage, its getting to be pretty bad in the Underground. i personally hope that the scene returns to the way it was back in the earlier times. +{INTRODUCTION TO THE UNDERGROUND}+ The underground is where the hackers are. its a place that values knowledge more than anything. In it you are encouredged to ask questions and seek answers and expirement to discover new things. Probably the best description that i have ever read appeared in LOA/H's guide: The underground is not a physical thing; it's an essence. An essence that combines all means of communications to gain knowledge. Computers, telephones, electronics, credit cards...all communications of the present, and of the future. The very backbone of society, the computer, simply runs the world. There is no piece of data that is not stored and/or maintained somewhere on a computer. Thus, those who know how to run a computer, know how to run the world. The underground is a combintation of people, attitudes, beliefs, ideas, and cultures. No one owns it, no one controls it, it is the one truly free thing on this Earth. A means to communicate, freedom of speech and of expression...no regulations...just people, ideas, utopia. Become the owner of society, the only free human being on this planet, become the hacker. +{HACKERS: A SHORT HISTORY}+ Hackers have been around as long as there have been people who have been curious about the world around them. From the guy who first made the 3 legged stool, to the dude who discovereed that if you take sand and put it on a piece of paper it can smooth out wood. However, the first "official" hackers were the now legendary MIT model train club back in the 1950's. They took switches and made them able to recive phone calls (in effect turning them into modems), so you caould change track position remotly. Later they moved onto computers. In their programs they strove for elegance. Elegance was achived when a program preformed a function in less lines of code and in less time. The first hackers were more or less very good programmers. In the 1960's UNIX was invented at Bell Labs in Califorina. UNIX would change the face of the newly created internet. UNIX was a powerful multiuser OS, capable of doing things that less powerful OS's (MS-DOS) couldn't dream of. Also around this time a new group of people were emerging. They were called phone phreaks. phreakers were the hackers of the telephone systems. they could pretty much do anything from getting free calls to talking to outboard operators in Romania. the phreaks were influential in the development of hackers and hackerdom. in the late 1970's when computers were getting more popular, phreakers and hackers were coming together. at that time there was no such thing as HTML, so there was no World Wide Web. actually, there was no internet. It was called the ARPANet. at this time it was command line driven and unfriendly. instead of typing a URL into your browseres address bar, you would literally call sites by using their phone numbers. Also, sinde there was no WWW, there were no websites. you would log onto Bulliten Board Systems (BBSs). programs would be downloaded of a File Transfer Protocal (FTP) server. so as you can tell, it is very diffent then what we have today. it was also very expensive. at that time long distance calls even to just one state over cost a fortune. so just imagine how much it would cost to call a BBS in London from New York. so most of the time (if not all the time) hackers would phreak their way onto the ARPANet and make these calls for free. In 1984, the scene changed yet again. 2600 magazine was founded by Emmanuel Goldstein. 2600hz was the frequency used by phone phreaks to blue box and red box (methods of making free calls). Also, a young hacker whose handle was Lex Luthor founded the Legion of Doom (later called Legion of Doom/Hackers). The guys in LoD/H were pretty much widly recocgnized as sum of the best hackers around. some people in LoD/H were: Erik Bloodaxe, The Mentor, Prophet, Knight Lightning (who served a short time as the editor of PHRACK magazine; another excellent e-zine) and as best as i can tell from old txt files, Kevin Mitnick was involved in LoD/H for a while. Later, in the late 1980's/early 1990's Erik Bloodaxe had a disagreement with Phiber Optik and Phiber Optik left LoD/H and formed MoD with sum other phreaks and hackers. It is uncertain exactly as to what MoD stood for; depending on who they were talking to it was either called the Masters of Deception or the Masters of Destruction. MoD was a good hacker group and soon aquired a reputation as such. LoD/H and MoD then had a contest to see which group had the better members. It soon evolved into a full scale hacker war, with phone lines being tapped, servers being hacked, and all sorts of hackerly nonsense being perpatrated by both groups. It came to an abrupt end when Erik Bloodaxe discovered that some members of MoD were tapping the phone at his office. So he called the FBI (who were already investigating some members of MoD). At the end of the day Phiber Optik, Scorpion, Acid Phreak, and Corrupt (all of MoD) were prosecuted and jailed. in 1991 thru the mid 1990's (like till 1993) a curious cracker named Phantom Dialer (sum times abbreviated to phantomd) was taking over the internet. Phantomd was a brain damaged kid who had extrodinary patience. He was one of the most successful crackers in history. He learned from the cracker Grok, and even taught Jsz, who in turn taught Kevin Mitnick. After a small down time he changed his nick to Infomaster and took over the internet backbone using a sendmail exploit to get an account and a siniffer coded by Jsz to snare password. (Jsz could program; Infomaster could not). Eventually, Infomaster was busted byy the FBI, but they decided to to press charges for various reasons. +{CLOSING STATEMENT}+ Well, that looks like enough for one issue. As you can probably tell by now, hackers hold different values and belifes than other people. Hackers belive that knowledge is power, and that knowledge is never bad to have. Its all about what you use thaet knowledge for. In the next issue I will be covering some things like; The Hacker Ethic, and hopefully some technical stuff (if i have space). okay well, untill the next issue, peace --n3w7yp3 [this issue of Hack Guide was written on a RedHat Linux 9 box in vim] updates 2005-03-29T12:43:00.000-05:00 All: i am currently in the process of writing a small guide to protecting yourself (unfourtantly my Linux paper got pushed back) and i also just re-discovered a PERL tut that i had started god-knows-how long ago. so i have 3 papers in progres, along with the new issue of Hack Guide. so i am going to have a bussy time ahead ;). also, i will be hosting CdPirates site, hackersfoundation.org. i will have a subdomain of it up for my site (newage.hackersfoundation.org). i plan to move sometime after then end of the month. look for some new papers soon! peace, --n3w7yp3 (2005-3-29) New Paper 2005-03-22T12:06:00.000-05:00 All: after writing my guide to linux, i received some input from CdPirate on IRC requesting that i write another paper on LInux, this time detailing everyday usage. I agreed. i hope to get this paper finished this week. i go on spring break on friday (2005-3-25), so I hope to get some papers written then (and hopefully start Hack Guide issue2... which reminds me that i need to post issue 1..). So expect a paper soon! peace, --n3w7yp3 Intro To Linux 2005-03-18T19:37:00.000-05:00 +{OPENING}+ i've heard alot of newbies asking questions about Linux. From the very simple "What is it?" to stuff about how to use the shell and "wtf do all these crazy symbols mean?" in here i will be answering some of those questions (hopefully). this should also help a newbie choose the right distro for their needs and will explain how to get their system up and running. +{BASIC STUFF}+ lets discuss some basic points: WHAT IS LINUX? -------------- Linux is a free Open Source Operating System. it is extremely stable. It was developed in the early 1990's by a young student. his name was Linus Travoldus. He started with the old MINIX source code (MINIX was a varient of UNIX), and crreated the Linux kernal. Linux is similar to UNIX in many ways. WHAT IS A DISTRO? ----------------- A distro is a company distrobution of Linux. You see, Linux is not made by one single company like how Microsoft makes Windows. Linux is made by many companies. the distros all have basically the same kernal, but each have thier own special features. so company XYZ's Linux might be intended for publishing and come with Open Office and some other publishing software. By contrast, company ABC's distro might be intended for programmers and would come with gcc, g77, g++, PERL and some other programming tools. HOW DO I OBTAIN A DISTRO AND HOW MUCH DOES IT COST? --------------------------------------------------- Obatining a distro of Linux is very easy. there are 3 ways to obatin a distro: 1) Download the distro off the companys website 2) Order a boxed set of CD-ROMs 3) Buy a book that comes with distro CDs Now, as for the cost of Linux, its free (if you download it off the internet)! to download a distro just goto a companys website (e.g: if you want a RedHat distro you would goto www.redhat.com) and follow the links to the lateset build and download it. Also while you downloading the distro you should download somthing called an ISO, which is a disk image that allows you to make a boot disk. This download process can be lengthy and you should only do it if you have ADSL of faster internet (cable, T3 etc.). If you order a boxed set of CD-ROMs you will have to pay (its usually around $20[US]). then all you do is wait for them to arrive and install them. The CDs included will sometimes have more packages than the public free download will. If you buy a book that comes with the CDs (for example: The RedHat Linux Bible, by Christopher Negus) it will cost you more (this time around $50[US]), but it will alos come with even more packages. It is up to you to decide how you want to get the distro. WHAT ARE SOME COMMON DISTROS? ----------------------------- Here are a list of some of the more common distros: RedHat: Prehaps one of the best known linux distros, this comapny has 2 main products, Fedora and Linux. Fedora is ment more for servers, while thier version of Linux is intended for both home and server use. Their Linux distro is pretty good, providing the ease of use that newbies need but has all the power of a distro like Gentoo. RedHat is one of my favorite distros. Mandrake: A french linux distro, this distro is designed to give the user the ease of use that windows provides. If you are a Linux newbie this distro and a KDE desktop will be one of your best bets. SuSe: A german distro, SuSe is a real power distro. this miht not be your best choice for a first distro, but you should definatly check it out later. (NOTE: SuSe has been recently aquired by Novell. Also, SuSe does not offer a free download) Slackware: this is no frills linux. it basically contains the kernal, a GNOME desktop ad not much else. if you're a newbie this is not the distro for you. go with somthing like RedHat or Mandrake. Gentoo: a linux metadistrobution. Gentoo offers a unique hyperlinked interface during the free download process that makes it very easy to build a custom system. However, it requires a little more expertise than normal to set it up. Debian: a distro that takes free software very seriously. They don't include any programs that are copyrighted or that any portions of the code may be copyrighted. It has a powerful package handeling system that makes it easy to upgrade your system. Dyn:bolic : This distro is designed to be a competetor to the Mac OS in terms of graphic design capabilities. Grerat if you like all that artsy stuff. Okay, that list was pretty short. some distros that i did not include are: Open Linux and Caldera. There are also many others , so get on google and find out witch distro sounds good to you! INSTALLING ---------- Installing Linux is pretty straight forward. all you do is either make your CD's from the free download, or you just get the CD's that you ordered. Make a floppy boot disk by copying the boot images off of the CD's. then, inset the floppy in to the floppy drive, and reboot. it will come up with the Linux install screen. Insert the CD's and and follow the onscreen instructions. Congrats, you will have installed Linux very soon! see, it was that easy! peace, --n3w7yp3 Paper 2005-03-16T17:16:00.000-05:00 all: I am going to be releaasing a new paper soon. I have not planned a deadline because I am bad at keeping deadlines. also, I'm sorry abouy the lack of updates, i havnt been able to blog much latley due to circumstance... Apology 2005-03-08T12:02:00.000-05:00 All: Recently there was a rumor on HTS that area-6 was a a honeypot for the US government. unfortunatly, i posted some extremly harsh thing on Area-6 and accidently insulted HTS. So too all the HTS members who are reading this I apologize. i have already put up apologys in the approprite threads on area-6 and HTS. i wasn't intending to insult HTS at all. in fact, i really like HTS. i hope that we can all forget about this misunderstanding. peace --n3w7yp3 New Policy 2005-03-07T12:25:00.000-05:00 I have decided upon a new policy. Upon release of my telnet guide, I posted it on HTS and hackerscode. i was accused of having ripped it off of HTS, when i was the one who posted it! So, now i will release all my papers here 2 days before any where else. so, in order to get the latest, check back here at regular intervals. peace --n3w7yp3 guide to telnet 2005-02-28T08:46:00.000-05:00 okay here is my guide to telnet. i have alredy posted it on HTS and hackerscode enjoy! _______________________ / -=Guide to telnet=- * +by: n3w7yp3 + * \ / ----------------------- +{OPENING}+ Telnet is probablay one of the most confusing things for a newbie. You see alot of guides on it, but then still newbies post questions. Hopefully, I've created a guide that will explain telnet and aleviate the need for questions to be asked (although i doubt it). okay enough talk, lets get to it! +{TELNET}+ Telnet is a terminal emulation program. You see once upon a time, terminals were hardwired next to a console. Then with the rise of the PC and the Internet, a standard was needed. so they made telnet. nowadays telnet is pretty much obsolete. with the world wide web, you just use a browser, and SSH is used to login to shell accounts. but telnet is still a good thing to know. +{USING TELNET}+ there are several ways to start your telnet client. if your on windows 9x click start then programs, and then MS-DOS Prompt. once in the DOS prompt type telnet at the prompt. there that GUI windows is your telnet screen. or you can just click start>run and then type telnet and press . either way it will be the same. on Win2K/XP you can start telnet 2 ways. the first is to start a shell (start>run and type cmd and press ) and then type telnet at the prompt. the prompt will change to somthing like: Microsoft telnet> or you can do the start>run and type telnet and press method. either way will work. on Linux start a shell and type telnet. okay now that the telnet client is open we're ready to connect. well, almost. if you're on windows we need to make some configuration changes first. for windows 9x click prefrences and check "Localecho on". on widows 2K/XP type the following at the prompt: Microsoft telnet> set term vt100 Microsoft telnet> set localecho there now we're ready to go. what we just did was turn on the localecho. there is a bug(?) in MS telnet that won't display the text you type unless localecho is on. and also the telnet client in Win 2K/XP ships with the deafult term type as ANSI. but vt100 is the preferrerd term type. Linux telnet clients ship all set up and ready to go. now lets connect. for the Win 9x useres click connect>remote system. then in the host box type www.google.com. in the port box type 80. for the rest of us, just type the following (NOTE: in this part of the guide to telnet we're using the HTTP port. this port is used for the Internet. its number is 80. the deamon that runs on it is called the HTTPD): telnet> open www.google.com 80 now hit connect or press and wait to connect. when your connected you will see a message like: Trying 64.233.161.104... Connected to www.google.com. Escape character is '^]'. it may be a little different. now what this all mean? well, 64.233.161.104 is google's IP. the thing about the escape character means that if you push ctrl+] it will cump you back in the shell on you machine at the telnet prompt. you can then type close to close the connection. the reason for this is because sometimes the service you connected to wont do anything when you type a command, co you need to close the connection, but quit, close, exit, and kill don't bring about a reply. so thats when you hit the escape character (win 9x useres: you dont have an escape character. to close your connection connect>disconnect). now by this time the connection will have probably timed out, do we have co connect again. after connecting again let's try out some HTTP requests. the first HTTP request to learn is the GET request (NOTE: HTTP is case sensitive). to issue a GET request type the following: GET / HTTP/1.0 now press twice. whoa look at all that stuff!! that is the codee to google's main page, just like we would get if we did a right click>view source. now why did google close our connection? well its because HTTP is a stateless protocal (like UDP). so since there is no actual connection between you and the site (accept at the moment of transfer) your browser needs to reconnect every time you request a new page. however, there is a way to stay connected. did you know why you had to press twice after you connected? well, its because after the request (that was the GET) you are supposed to issue HTTP commands. there tell the server many things, including your user agent, browser type, and conection type (and alot more!). but before we get into those, lets take a closer look at that HTTP request we just issued: GET = The request type. there are many of these. (i've included a list later in the guide) / = the page. now when you tpye in a site name (http://www.google.com/) the computer connects to that site. now even if you dont type the / after .com its still the same site. you see the / is the sites homepage. HTTP/1.0 = this is the protocal type. a GET request is a HTTP/1.0 request, so thats what you type. heres a list of some common requests: name usage what it does ---- ----- ------------ CONNECT CONNECT proxy-server HTTP/1.1 sets up a tunnel through proxys (useful Host: site.to.connect.to to avoid web-filters) DELETE DELETE /uri HTTP/1.1 deletes the file specified by /uri Host: localhost GET GET /uri HTTP/1.0 gets the file specified by /uri HEAD HEAD /uri HTTP/1.0 returns the header of /uri. used in a technique called a banner grab; which is used to identify the OS being ran on the server. OPTIONS OPTIONS * HTTP/1.1 returns info about the target host. if "*" is specified it Host: localhost returns info abouit the server it self. other wise it return -=OR=- info associated with the specified /uri OPTIONS /uri HTTP/1.1 Host: localhost POST POST /uri HTTP/1.1 adds data to /uri. the request defines content length. it may Host: localhost include binary data. Content-length: N \n \n data PUT PUT /uri HTTP/1.1 adds data in the path specified by /uri (data like a new page Host: localhost etc) Content-Length: N \n \n data TRACE TRACE / HTTP/1.1 causes a server to respond with all the headers contained in Host: localhost the original request. TRACK TRACK / HTTP/1.1 an alias for TRACE. its only used in IIS. Host: localhost okay now you should be able to do alot of stuff but just using telnet to connect to the site. okay lets get on to those HTTP commands that i mentioned. now as i stated earlier, these comamnds do lost of stuff. the most useful would probably be the Connection: keep-alive command. this makes the connection stay alive so you can pump through command after comamnd. lets try it: telnet> open www.google.com 80 Trying 64.233.161.99... Connected to www.google.com. Escape character is '^]'. oaky, now lets try out the HEAD request combined with the Connection: Keep-alive command: HEAD / HTTP/1.0 Connection: Keep-alive HTTP/1.0 200 OK Cache-Control: private Content-Type: text/html Set-Cookie: PREF=ID=752b22c0c0526756:TM=1109357543:LM=1109357543:S=ntZTEgMD7QQDP6cP; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com Server: GWS/2.1 Content-Length: 0 Date: Fri, 25 Feb 2005 18:52:23 GMT Connection: Keep-Alive kewl, the connection didn't drop. so now we can issue more requests with out having to reconnect. however to keep the connection alive, we need to specifiy this after every request. another common HTTP command sets your user-agent. the user-agent is used to identify the OS and browser that the client (you) is running. heres a log of a telnet session to google in which I issue a full HTTP request and specify all the parameters: telnet> open www.google.com 80 Trying 64.233.161.99... Connected to www.google.com. Escape character is '^]'. HEAD / HTTP/1.0 Connectiion: Keep-Alive Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */* Accept-Charset: iso-8859-1,*,utf-8 Accept-Language: en Host: localhost User-Agent: User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20040913 HTTP/1.0 200 OK Cache-Control: private Content-Type: text/html Set-Cookie: PREF=ID=2e727971cb330368:TM=1109358158:LM=1109358158:S=IpSi5XsS1Eqo7hby; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com Server: GWS/2.1 Content-Length: 0 Date: Fri, 25 Feb 2005 19:02:38 GMT Connection: Keep-Alive okay there, that was a proper session, just like your browser would do. but we mostly dont bother with all that stuff, just a Connection: Keep-Alive will do just fine ;). anyways; here are some HTTP response headers: name what it means ---- ------------- Accept-Ranges The server indicates it will accept partial requests (requests within the accepted range) for the resource. Age the servers guess in seconds of how old the cached object is ETag Entity Tag. Used in cache control when the server doesnt track time-stamps. a strong validator when the browser is deciding if it should refresh a cached object Location Redirects the client to a different source to a URI Proxy-Authenticate carrys authentication creditals for proxy servers Referer Specifies the URI from which the request was generated. it shouldnt be relied upon for security testing. Server identify the server product, OS, and other info. usually modded to block unsofisticated attacks and incompetent attackers. Vary used to control the caching of objects WWW-Authenticate Get user Authentication so now you know what all that stuff in the servers reply means. now you may wonder what the "HTTP/1.0 200 OK" means. well this is called the status code. 200 indicates a successful transfer. heres what the ranges mean: 1xx: i'm not sure what this means; its rarley used 2xx: successful completion of the HTTP request 3xx: unsuccessful due to moving of ducuments (URIs) 4xx: client side error (an error on your end) 5xx: server side error the 2 most common status codes returned are 200 OK (you get this every time a connection works and you successfuly retreive a page) and 404 which means file not found (you clicked on a bad link, etc). well now that you know a good deal about HTTP and port 80 in general, lets duscuss the most common use of these commands proxy tunneling. have you ever been at school and you try to show your friend a cool website and its blocked for sum bogus reason? wouldn't you like to get around that damn web-content filter? well trust me you can. the first thing to do is open up internet explorer. then click tools>>internet options>>LAN settings. (or sumthing similar) now you should see somthing like 'Address: webproxy Port: 80'. this is the arddress of your web proxy that the school makes you pipe all your requests through. but what if it wont let you access the tools tab in IE? what then? the first thing to do in that case is to open a shell (use you imagination on how to do this). later i will make a paper on how to get command line access when your not supposed to have it ;). now type netstat -n at the prompt. you should get some results. one of them will look something like this: 10.1.44.5:80 ESTABLISHED the IP will probably not be the same at your school as it is at mine, but it does not matter. the important part is what comes after the colon. thats the port number. in this case it is the standard HTTP port (80). but what if you dont see one that has the port as 80? well look for 8080. thats a common proxy port. if you are absolutly stumped, you can simply telnet yo all the ports on all the computers that you are connected to under the netstat -n screen and issue a HEAD request. when you get a positive reply, you're in business! now that we have identified the webproxy lets tunnel out. issue the follow commands after connection: CONNECT http://www.blockedsite.com HTTP/1.1 Host: localhost now press enter. you should see "HTTP/1.1 200 OK Connection established" from the proxy. and boom we're connected to www.blockedsite.com. now just use the different requests discussed earlier to get the HTML source code of the site and its various pages and compy and paste them into notepad. save it as a .html file, open up 'My Computer' and click on the newly created .html file to view the site as you normally would. when you want to click on a link (lets say its called 'hacking') reconnect to the proxy, tunnel out and request the source of the hacking link (for instance: GET /hacking HTTP/1.0). there, now that annoying web filter cant stop us!! of course we can connect to any port on a computer not just 80. so lets look at another one of my personal favorites, port 25 (SMTP). port 25 is the port used to send email. it runs the Simple Mail Transfer Protocal Deamon (SMTPD). with this port we can do lots of kewl stuff, including: 1) verifying user accounts on the system 2) preforming a banner grab to determin the OS being run on the system 3) sending forged email now the most exciting one for you right now would be sending forged email. haven't you ever wanted to send an email to someone but wanted to use a fake name? well its pretty easy to do! the first thing to do is to connect to a mail server over port 25 (NOTE: because most sysadmins don't like people abuing thier mail servers to send fake email, i'm not using any real mail servers in this section. you'll have to find some on your own. [well, i'll tell you in a minuet how to find a vulnerable mail server]. also don't even consider using hotmail.com or gmail.google.com or another big company for this purpose. if you do you will get into deep dark shit! period). the hard part is finding a mail server to connect to. however there are ways: the first thing to do is to type nslookup at the prompt. then type "set type=all". okay now consider your friend email addres. it is split up into 2 parts the user name and the host. say you wanna send a fake email to buddy@yahoo.com . so now we know that we wanna goto yahoo.com over port 25 (NOTE: that warning i gave earlier was just my attempt at getting you tto read the part on nslookup. you can relax now :) . but seriously, pls dont use the expan and verfy commands! they get logged as suspicious!) so now type "yahoo.com" (no quotes). see all those entries? well if you see one like: mx1.yahoo.com thats a mail server. generally if its mail.example.com or mx.example.com its a mail server. NOTE: for those of us who use linux, our nslookup uses different commands to get the right resource record use the type "set type=any" and then yahoo.com okay so now we know the mail server. time to fire up telnet. this time though point it at port 25. NOTE: theres an even eaiser way to telnet. just open up a shell and type "telnet www.site.com XX" where www.site.com is a hostname or IP and XX is a port number to connect to. So to telnet to the mail server using our new method we would type the following at the prompt: telnet mx1.yahoo.com 25 yay now we're connected. so now the kewl thing about the SMTP deamon is that you can ask it for help (unlike the HTTPD). for this paper i set up a sendmail server on my home LAN (its not connected to the internet!!). sendmail is probably the buggiest deamon, and one of the most helpful. nowadays, sendmail isnt that common, but hey just look around and you might find a sendmail deamon around. okay so after connection, we see somthing like: 220-localhost.localdomain sendmail 8.6.12/8.9.6 ready at Fri, 25Feb 2005 19:34:53 GMT 220 ESMTP spoken here what is all this? it is called the deamon banner. it tells us what version of sendmail the server is running and with a littel hunting on google we can use this info to identify the OS of the server. okay lets ask it for help: HELP 214- Commands: 214- HELO EHLO MAIL RCPT DATA 214- RSET NOOP QUIT HELP VRFY 214- EXPN VERB 214- for more info use "HELP " 214- to report bugs 214- for 214- end of help info there now we no what commands are avalible. the second to last and the third to last lines i snipped their output, because i felt like it :). oaky again heres the commands along with what they do: SMTP command What it does ------------ ------------ HELO/EHLO greets the server RCPT specifies the recipent of the mail MAIL specifies the sender of mail DATA body of email VERB turn on verbose mode EXPN expand and email alias to full list of recipents VRFY verify that the account exists HELP display a help message QUIT exit the server NOOP do nothing now that we kno the commands faking the email should be easy as pie. heres a sample session in which i'll forge an email: HELO whitehouse.gov MAIL FROM: dhs@whitehouse.gov RCPT TO: n3w7yp3@localhost.localdomain DATA We're on to you you punk kid!! . QUIT there that was really choppy. i cut off all the server replies because i felt like it :) (seriously though it's late and i'm tired ;) ). now when i check my mail box on my computer sure enough, an email for dhs@whitrhouse.gov (DHS is an acronym for Department of Homeland Security)! however sometime the header wil give it away. but mostly the email client doesnt show the full hader so it does not really matter. plus, normal people don't/can't red email headers. well, good luck and stay outta trouble! ;). +{CLOSING}+ well, i hope that somebody out there learned something from this guide. also, please dont be a black-hat/cracker and mess up stuff with the knowledge you will obtain in the future. well, good luck and happy hacking! --n3w7yp3 -=EOF=- hello world 2005-02-09T17:50:00.000-05:00 [CODE] #!/usr/bin/perl print "hello world"; exit; [/CODE] there now that ive gotten that over with, this blog is pretty much a hacking/coding/phreaking/what ever the hell u wanna post blog. ill be posting sum white papers and tuts later. anyone is welcome to contribute. also feel free to post sum code (i'm gonna post sum)