{\rtf1\ansi\ansicpg1252\deff0{\fonttbl{\f0\fnil\fcharset0 Courier New;}}
{\colortbl ;\red0\green0\blue255;}
\viewkind4\uc1\pard\cf1\lang9225\b\f0\fs24\par
\par
\par
\par
\par
THE GUIDE\par
\par
FOR (mostly) HARMLESS\par
\par
HACKING\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
#Guides of the Beginner's Series: \par
\par
-So you want to be a harmless hacker? \par
-Hacking Windows 95! \par
-Hacking into Windows 95 (and a little bit of NT lore)! \par
-Hacking from Windows 3.x, 95 and NT \par
-How to Get a *Good* Shell Account, Part 1 \par
-How to Get a *Good* Shell Account, Part 2 \par
-How to use the Web to look up information on hacking. \par
-PGP for Newbies \par
-The Exploit Files: Basics of Breaking into Computers \par
-Computer hacking. Where did it begin and how did it grow? \par
\par
\par
\par
\par
___________________________________________________________ \par
\par
GUIDE TO (mostly) HARMLESS HACKING \par
Beginners' Series #1 \par
So you want to be a harmless hacker? \par
____________________________________________________________ \par
  \par
\par
\par
"You mean you can hack without breaking the law?" \par
\par
That was the voice of a high school freshman. He had me on the phone because his father had just taken away \par
his computer. His offense? Cracking into my Internet account. The boy had hoped to impress me with  how "kewl" he was. \par
But before I realized he had gotten in, a sysadmin at my ISP had spotted the \par
kid's harmless explorations and had alerted the parents. Now the boy wanted \par
my help in getting back on line. I told the kid that I sympathized with his father. \par
What if the sysadmin and I had been major grouches? This kid could have wound up in  \par
juvenile detention. Now I don't agree with putting harmless hackers in  jail, and I \par
would never have testified against him. But that's what some people do to folks who \par
go snooping in other people's computer accounts -- even when the culprit does no harm. \par
This boy needs to learn how to keep out of trouble! \par
Hacking is the most exhilarating game on the planet. But it stops being fun when you \par
end up in a cell with a roommate named "Spike." But hacking doesn't \par
have to mean breaking laws. In this series of Guides we teach safe hacking \par
so that you don't have to keep looking back over your shoulders for narcs \par
and cops. \par
What we're talking about is hacking as a healthy recreation, and as a free \par
education that can qualify you to get a high paying job. In fact, many \par
network systems administrators, computer scientists and computer security \par
experts first learned their professions, not in some college program, but \par
from the hacker culture. And you may be surprised to discover that \par
ultimately the Internet is safeguarded not by law enforcement agencies, not \par
by giant corporations, but by a worldwide network of, yes, hackers. \par
You, too, can become one of us. \par
And -- hacking can be surprisingly easy. Heck, if I can do it, anyone can! \par
Regardless of why you want to be a hacker, it is definitely a way to have \par
fun, impress your friends, and get dates. If you are a female hacker you \par
become totally irresistible to men. Take my word for it!;^D \par
These Guides to (mostly) Harmless Hacking can be your gateway into this \par
world. After reading just a few of these Guides you will be able to pull off \par
stunts that will be legal, phun, and will impress the heck out of your \par
friends. \par
These Guides can equip you to become one of the vigilantes that keeps the \par
Internet from being destroyed by bad guys. Especially spammers. Heh, heh, \par
heh. You can also learn how to keep the bad guys from messing with your \par
Internet account, email, and personal computer. You'll learn not to be \par
frightened by silly hoaxes that pranksters use to keep the average Internet \par
user in a tizzy. \par
If you hang in with us through a year or so, you can learn enough and meet \par
the people on our email list and IRC channel who can help you to become \par
truly elite. \par
However, before you plunge into the hacker subculture, be prepared for that hacker attitude. You have been warned. \par
So...welcome to the adventure of hacking! \par
\par
\par
\par
\par
WHAT DO I NEED IN ORDER TO HACK? \par
\par
You may wonder whether hackers need expensive computer equipment and a shelf full of technical manuals. \par
The answer is NO! Hacking can be surprisingly \par
easy! Better yet, if you know how to search the Web, you can find almost any \par
computer information you need for free. \par
In fact, hacking is so easy that if you have an on-line service and know how to send and read email, \par
you can start hacking immediately. The GTMHH  \par
Beginners' Series #2 will show you where you can download special \par
hacker-friendly programs for Windows that are absolutely free. And we'll \par
show you some easy hacker tricks you can use them for. \par
Now suppose you want to become an elite hacker? All you will really need is an \par
inexpensive "shell account" with an Internet Service Provider. In the \par
GTMHH  Beginners' Series #3 we will tell you how to get a shell account, log \par
on, and start playing the greatest game on Earth: Unix hacking! Then in \par
Vol.s I, II, and III of the GTMHH you can get into Unix hacking seriously. \par
You can even make it into the ranks of the Uberhackers without loading up on \par
expensive computer equipment. In Vol. II we introduce Linux, the free \par
hacker-friendly operating system. It will even run on a 386 PC with just 2 \par
Mb RAM!  Linux is so good that many Internet Service Providers use it to run \par
their systems. \par
In Vol. III we will also introduce Perl, the shell programming language \par
beloved of Uberhackers. We will even teach some seriously deadly hacker \par
"exploits" that run on Perl using Linux. OK, you could use most of these \par
exploits to do illegal things. But they are only illegal if you run them \par
against someone else's computer without their permission. You can run any \par
program in this series of Guides on your own computer, or your (consenting) \par
friend's computer -- if you dare! Hey, seriously, nothing in this series of \par
Guides will actually hurt your computer, unless you decide to trash it on \par
purpose. \par
We will also open the gateway to an amazing underground where you can stay \par
on top of almost every discovery of computer security flaws. You can learn \par
how to either exploit them -- or defend your computer against them! \par
\par
About the Guides to (mostly) Harmless Hacking \par
\par
We have noticed that there are lots of books that glamorize hackers. To read these books you would \par
think that it takes many years of brilliant work to \par
become one. Of course we hackers love to perpetuate this myth because it \par
makes us look so incredibly kewl. \par
But how many books are out there that tell the beginner step by step how to \par
actually do this hacking stuph? None! Seriously, have you ever read _Secrets \par
of a Superhacker_ by The Knightmare (Loomponics, 1994) or _Forbidden Secrets \par
of the Legion of Doom Hackers_ by Salacious Crumb (St. Mahoun Books, 1994)? \par
They are full of vague and out of date stuph. Give me a break. \par
And if you get on one of the hacker news groups on the Internet and ask \par
people how to do stuph, some of them insult and make fun of you.  OK, they \par
all make fun of you. \par
We see many hackers making a big deal of themselves and being mysterious and refusing \par
to help others learn how to hack. Why? Because they don't want you \par
to know the truth, which is that most of what they are doing is really very \par
simple! \par
Well, we thought about this. We, too, could enjoy the pleasure of insulting people who \par
ask us how to hack. Or we could get big egos by actually teaching thousands of people how to hack. Muhahaha. \par
\par
How to Use the Guides to (mostly) Harmless Hacking \par
\par
If you know how to use a personal computer and are on the Internet, you \par
already know enough to start learning to be a hacker. You don't even need to \par
read every single Guide to (mostly) Harmless Hacking in order to become a \par
hacker. \par
You can count on anything in Volumes I, II and III being so easy that you \par
can jump in about anywhere and just follow instructions. \par
But if your plan is to become "elite," you will do better if you read all \par
the Guides, check out the many Web sites and newsgroups to which we will \par
point you, and find a mentor among the many talented hackers who post to our \par
Hackers forum or chat on our IRC server at http://www.infowar.com, and on \par
the Happy Hacker email list (email hacker@techbroker.com with message \par
"subscribe"). \par
If your goal is to become an Uberhacker, the Guides will end up being only \par
the first in a mountain of material that you will need to study. However, we \par
offer a study strategy that can aid you in your quest to reach the pinnacle \par
of hacking. \par
\par
How to Not Get Busted \par
\par
One slight problem with hacking is that if you step over the line, you can \par
go to jail. We will do our best to warn you when we describe hacks that \par
could get you into trouble with the law. But we are not attorneys or experts \par
on cyberlaw.  In addition, every state and every country has its own laws. \par
And these laws keep on changing. So you have to use a little sense. \par
However, we have a Guide to (mostly) Harmless Hacking Computer Crime Law \par
Series to help you avoid some pitfalls. \par
But the best protection against getting busted is the Golden Rule. If you \par
are about to do something that you would not like to have done to you, \par
forget it. Do hacks that make the world a better place, or that are at least \par
fun and harmless, and you should be able to keep out of trouble. \par
So if you get an idea from the Guides to (mostly) Harmless Hacking that \par
helps you to do something malicious or destructive, it's your problem if you \par
end up being the next hacker behind bars.  Hey, the law won't care if the \par
guy whose computer you trash was being a d***. It won't care that the giant \par
corporation whose database you filched shafted your best buddy once. They \par
will only care that you broke the law. \par
To some people it may sound like phun to become a national sensation in the latest \par
hysteria over Evil Genius hackers. But after the trial, when some \par
reader of these Guides ends up being the reluctant "girlfriend" of a convict \par
named Spike, how happy will his news clippings make him? \par
\par
Conventions Used in the Guides \par
\par
You've probably already noticed that we spell some words funny, like "kewl" and "phun." These are hacker slang terms. Since we often communicate with \par
each other via email, most of our slang consists of ordinary words with \par
extraordinary spellings. For example, a hacker might spell "elite" as \par
"3l1t3," with 3's substituting for e's and 1's for i's. He or she may even \par
spell "elite" as "31337. The Guides sometimes use these slang spellings to \par
help you learn how to write email like a hacker. \par
Of course, the cute spelling stuph we use will go out of date fast. So we do not guarantee that if you use this slang, people will read your email and \par
think, "Ohhh, you must be an Evil Genius! I'm sooo impressed!" \par
Take it from us, guys who need to keep on inventing new slang to prove they are "k-rad 3l1t3" are often lusers and lamers. So if you don't want to use \par
any of the hacker slang of these Guides, that's OK by us. Most Uberhackers \par
don't use slang, either. \par
\par
Who are You? \par
\par
We've made some assumptions about who you are and why you are reading these Guides: \par
\'b7 You own a PC or Macintosh personal computer \par
\'b7 You are on-line with the Internet \par
\'b7 You have a sense of humor and adventure and want to express it by hacking \par
\'b7 Or -- you want to impress your friends and pick up chicks (or guys) by \par
making them think you are an Evil Genius \par
So, does this picture fit you? If so, OK, d00dz, start your computers. Are \par
you ready to hack? \par
\par
\par
___________________________________________________________ \par
\par
GUIDE TO (mostly) HARMLESS HACKING \par
Beginners' Series #2, Section One. \par
Hacking Windows 95! \par
____________________________________________________________ \par
\par
\par
\par
Important warning: this is a beginners lesson. BEGINNERS. Will all you super k-rad elite haxors out there just skip reading this one, instead reading it and feeling all insulted at how easy it is and then emailing me to bleat \par
"This GTMHH iz 2 ezy your ****** up,wee hate u!!!&$%" Go study something \par
that seriously challenges your intellect such as "Unix for Dummies," OK? \par
Have you ever seen what happens when someone with an America Online account posts to a hacker news group, email list, or IRC chat session? It gives you a true understanding of what "flame" means, right? \par
Now you might think that making fun of dumb.newbie@aol.com is just some \par
prejudice. Sort of like how managers in big corporations don't wear \par
dreadlocks and fraternity boys don't drive Yugos. \par
But the real reason serious hackers would never use AOL is that it doesn't \par
offer Unix shell accounts for its users. AOL fears Unix because it is the \par
most fabulous, exciting, powerful, hacker-friendly operating system in the \par
Solar system... gotta calm down ... anyhow, I'd feel crippled without Unix. \par
So AOL figures offering Unix shell accounts to its users is begging to get \par
hacked. \par
Unfortunately, this attitude is spreading. Every day more ISPs are deciding to stop offering shell accounts to their users. \par
But if you don't have a Unix shell account, you can still hack. All you need is a computer that runs Windows 95 and just some really retarded on-line \par
account like America Online or Compuserve. \par
In this Beginner's Series #2 we cover several fun things to do with Windows and even the most hacker-hostile Online services. And, remember, all these things are really easy. You don't need to be a genius. You don't need to be a computer scientist. You don't need to won an expensive computer. These are \par
things anyone with Windows 95 can do. \par
Section One: Customize your Windows 95 visuals. Set up your startup, \par
background and logoff  screens so as to amaze and befuddle your non-hacker \par
friends. \par
Section Two: Subvert Windows nanny programs such as Surfwatch and the setups many schools use in the hope of keeping kids from using unauthorized \par
programs. Prove to yourself -- and your friends and coworkers -- that \par
Windows 95 passwords are a joke. \par
Section Three: Explore other computers -- OK, let's be blatant -- hack -- \par
from your Windows home computer using even just AOL for Internet access. \par
\par
HOW TO CUSTOMIZE WINDOWS 95 VISUALS \par
\par
OK, let's say you are hosting a wild party in your home. You decide to show your buddies that you are one of those dread hacker d00dz. So you fire up \par
your computer and what should come up on your screen but the logo for \par
"Windows 95." It's kind of lame looking, isn't it? Your computer looks just \par
like everyone else's box. Just like some boring corporate workstation \par
operated by some guy with an IQ in the 80s. \par
Now if you are a serious hacker you would be booting up Linux or FreeBSD or some other kind of Unix on your personal computer. But your friends don't \par
know that. So you have an opportunity to social engineer them into thinking \par
you are fabulously elite by just by customizing your bootup screen. \par
Now let's say you want to boot up with a black screen with orange and yellow flames and the slogan " K-Rad Doomsters of the Apocalypse." This turns out to be super easy. \par
Now Microsoft wants you to advertise their operating system every time you \par
boot up. In fact, they want this so badly that they have gone to court to \par
try to force computer retailers to keep the Micro$oft bootup screen on the \par
systems these vendors sell. \par
So Microsoft certainly doesn't want you messing with their bootup screen, \par
either. So M$ has tried to hide the bootup screen software. But they didn't \par
hide it very well. We're going to learn today how to totally thwart their \par
plans. \par
\par
*********************************************** \par
Evil Genius tip: One of the rewarding things about hacking is to find hidden \par
files that try to keep you from modifying them -- and then to mess with them \par
anyhow. That's what we're doing today. \par
The Win95 bootup graphics is hidden in either a file named c:\\logo.sys \par
and/or ip.sys. To see this file, open File Manager, click "view", then click \par
"by file type," then check the box for "show hidden/system files." Then, \par
back on "view," click "all file details." To the right of the file logo.sys \par
you will see the letters "rhs." These mean this file is "read-only, hidden, \par
system." \par
The reason this innocuous graphics file is labeled as a system file -- when it really is just a graphics file with some animation added -- is because \par
Microsoft is afraid you'll change it to read something like "Welcome to \par
Windoze 95 -- Breakfast of Lusers!" So by making it a read-only file, and \par
hiding it, and calling it a system file as if it were something so darn \par
important it would destroy your computer if you were to mess with it, \par
Microsoft is trying to trick you into leaving it alone. \par
*********************************************** \par
\par
The easiest way to thwart these Windoze 95 startup and shut down screens is to go to http://www.windows95.com/apps/ and check out their programs. But \par
we're hackers, so we like to do things ourselves. So here's how to do this \par
without using a canned program. \par
We start by finding the MSPaint program. It's probably under the accessories folder. But just in case you're like me and keep on moving things around, here's the fail-safe program finding routine: \par
1) Click "Start" on the lower left corner of your screen. \par
2) Click "Windows Explorer" \par
3) Click "Tools" \par
4) Click "Find" \par
5) Click "files or folders" \par
6) After "named" type in "MSPaint" \par
7) After "Look in" type in 'C:" \par
8) Check the box that says "include subfolders" \par
9) Click "find now" \par
10) Double click on the icon of a paint bucket that turns up in a window. This loads the paint program. \par
11) Within the paint program, click "file" \par
12) Click "open" \par
OK, now you have MSPaint. Now you have a super easy way to create your new \par
bootup screen: \par
13) After "file name" type in c:\\windows\\logos.sys. This brings up the \par
graphic you get when your computer is ready to shut down saying "It's now \par
safe to turn off your computer." This graphic has exactly the right format \par
to be used for your startup graphic. So you can play with it any way you \par
want (so long as you don't do anything on the Attributes screen under the \par
Images menu) and use it for your startup graphic. \par
14) Now we play with this picture. Just experiment with the controls of \par
MSPaint and try out fun stuff. \par
15) When you decide you really like your picture (fill it with frightening \par
hacker stuph, right?), save it as c:\\logo.sys. This will overwrite the \par
Windows startup logo file. From now on, any time you want to change your \par
startup logo, you will be able to both read and write the file logo.sys. \par
16) If you want to change the shut down screens, they are easy to find and \par
modify using MSPaint. The beginning shutdown screen is named \par
c:\\windows\\logow.sys. As we saw above, the final  "It's now safe to turn off \par
your computer" screen graphic is named c:\\windows\\logos.sys. \par
17) To make graphics that will be available for your wallpaper, name them \par
something like c:\\windows\\evilhaxor.bmp (substituting your filename for \par
"exilhaxor" -- unless you like to name your wallpaper "evilhaxor.") \par
\par
******************************************************** \par
Evil Genius tip: The Microsoft Windows 95 startup screen has an animated bar \par
at the bottom. But once you replace it with your own graphic, that animation \par
is gone. However, you can make your own animated startup screen using the \par
shareware program BMP Wizard. Some download sites for this goodie include: \par
http://www.pippin.com/English/ComputersSoftware/Software/Windows95/graphic.html\par
http://search.windows95.com/apps/editors.html \par
http://www.windows95.com/apps/editors.html \par
Or you can download the program LogoMania, which automatically resizes any \par
bitmap to the correct size for your logon and logoff screens and adds \par
several types of animation as well. You can find it at.ftp.zdnet.com/pcmag/1997/0325/logoma.zip \par
******************************************************** \par
\par
Now the trouble with using one of the existing Win95 logo files is that they only allow you to use their original colors. If you really want to go wild, \par
open MSPaint again. First click "Image," then click "attributes." Set width \par
320 and height to 400. Make sure under Units that Pels is selected. Now you \par
are free to use any color combination available in this program. Remember to \par
save the file as c:\\logo.sys for your startup logo, or  c:\\windows\\logow.sys \par
and or c:\\windows\\logos.sys for your shutdown screens. \par
But if you want some really fabulous stuff for your starting screen, you can steal graphics from your favorite hacker page on the Web and import them \par
into Win95's startup and shutdown screens. Here's how you do it. \par
1) Wow, kewl graphics! Stop your browsing on that Web page and hit the \par
"print screen" button. \par
2) Open MSPaint and set width to 320 and height to 400 with units Pels. \par
3) Click edit, then click paste. Bam, that image is now in your MSPaint \par
program. \par
4) When you save it, make sure attributes are still 320X400 Pels. Name it \par
c:\\logo.sys, c:\\windows\\logow.sys, c:\\windows\\logos.sys, or \par
c:\\winodws\\evilhaxor.bmp depending on which screen or wallpaper you want to \par
display it on. \par
Of course you can do the same thing by opening any graphics file you choose in MSPaint or any other graphics program, so long as you save it with the \par
right file name in the right directory and size it 320X400 Pels. \par
Oh, no, stuffy Auntie Suzie is coming to visit and she wants to use my \par
computer to read her email!  I'll never hear the end of it if she sees my \par
K-Rad Doomsters of the Apocalypse startup screen!!! \par
Here's what you can do to get your boring Micro$oft startup logo back. Just change the name of c:logo.sys to something innocuous that Aunt Suzie won't \par
see while snooping with file manager. Something like logo.bak. Guess what \par
happens? Those Microsoft guys figured we'd be doing things like this and hid \par
a copy of their boring bootup screen in a file named "io.sys." So if you \par
rename or delete their original logo.sys, and there is no file by that name \par
left, on bootup your computer displays their same old Windows 95 bootup \par
screen. \par
Now suppose your Win95 box is attached to a local area network (LAN)? It \par
isn't as easy to change your bootup logo, as the network may override your \par
changes. But there is a way to thwart the network. If you aren't afraid of \par
your boss seeing your "K-Rad Dommsters of the Apocalypse" spashed over an \par
x-rated backdrop, here's how to customize your bootup graphics. \par
0.95 policy editor (comes on the 95 cd) with the default admin.adm will let you change this. Use the policy editor to open the registry, select 'local \par
computer' select network, select 'logon' and then selet 'logon banner'. \par
It'll then show you the current banner and let you change it and save it \par
back to the registry. \par
  \par
************************************** \par
Evil genius tip: Want to mess with io.sys or logo.sys? Here's how to get \par
into them. And, guess what, this is a great thing to learn in case you ever \par
need to break into a Windows computer -- something we'll look at in detail \par
in the next section. \par
Click "Start" then "Programs" then "MS-DOS." At the MS_DOS prompt enter the commands: \par
ATTRIB -R -H -S C:\\IO.SYS \par
ATTRIB -R -H -S C:\\LOGO.SYS \par
Now they are totally at your mercy, muhahaha! \par
But don't be surprised is MSPaint can't open either of these files. MSPaint only opens graphics files. But io.sys and logo.sys are set up to be used by animation applications. \par
************************************** \par
\par
OK, that's it for now.  You 31337 hackers who are feeling insulted by \par
reading this because it was too easy, tough cookies. I warned you. But I'll \par
bet my box has a happier hacker logon graphic than yours does. K-Rad \par
Doomsters of the apocalypse, yesss! \par
\par
\par
___________________________________________________________ \par
\par
GUIDE TO (mostly) HARMLESS HACKING \par
Beginners' Series #2, Section  Two. \par
Hacking into Windows 95 (and a little bit of NT lore)! \par
____________________________________________________________ \par
\par
\par
\par
Important warning: this is a beginners lesson. BEGINNERS. Will all you \par
geniuses who were born already knowing 32-bit Windows just skip reading this \par
one, OK? We don't need to hear how disgusted you are that not everyone \par
already knows this. \par
\par
PARENTAL DISCRETION ADVISED! \par
\par
This lesson will lay the foundation for learning how to hack what now is the most commonly installed workstation operating system: Windows NT. In fact, \par
Windows NT is coming into wide use as a local area network (LAN), Internet, \par
intranet, and Web server. So if you want to call yourself a serious hacker, \par
you'd better get a firm grasp on Win NT. \par
In this lesson you will learn serious hacking techniques useful on both \par
Windows 95 and Win NT systems while playing in complete safety on your own \par
computer. \par
\par
In this lesson we explore: \par
\'b7       -Several ways to hack your Windows 95 logon password \par
\'b7       -How to hack your Pentium CMOS password \par
\'b7       -How to hack a Windows Registry -- which is where access control on \par
Windows-based LANs, intranets and Internet and Webs servers are hidden! \par
\par
Let's set the stage for this lesson. You have your buddies over to your home to see you hack on your Windows 95 box. You've already put in a really \par
industrial haxor-looking bootup screen, so they are already trembling at the \par
thought of what a tremendously elite d00d you are. So what do you do next? \par
How about clicking on "Start," clicking "settings" then "control panel" then "passwords." Tell your friends your password and get them to enter a secret \par
new one. Then shut down your computer and tell them you are about to show \par
them how fast you can break their password and get back into your own box! \par
This feat is so easy I'm almost embarrassed to tell you how it's done. \par
That's because you'll say "Sheesh, you call that password protection? Any \par
idiot can break into a Win 95 box! And of course you're right. But that's \par
the Micro$oft way. Remember this next time you expect to keep something on \par
your Win95 box confidential. \par
And when it comes time to learn Win NT hacking, remember this Micro$oft \par
security mindset. The funny thing is that very few hackers mess with NT \par
today because they're all busy cracking into Unix boxes. But there are \par
countless amazing Win NT exploits just waiting to be discovered. Once you \par
see how easy it is to break into your Win 95 box, you'll feel in your bones \par
that even without us holding your hand, you could discover ways to crack Win \par
NT boxes, too. \par
But back to your buddies waiting to see what an elite hacker you are. Maybe you'll want them to turn their backs so all they know is you can break into a Win95 box in less than one minute. Or maybe you'll be a nice guy and show \par
them exactly how it's done. \par
But first, here's a warning. The first few techniques we're showing work on most home Win 95 installations. But, especially in corporate local area \par
networks (LANs), several of these techniques don't work. But never fear, in \par
this lesson we will cover enough ways to break in that you will be able to \par
gain control of absolutely *any* Win 95 box to which you have physical \par
access. But we'll start with the easy ways first. \par
\par
Easy Win 95 Breakin #1: \par
\par
Step one: boot up your computer. \par
Step two: When the "system configuration" screen comes up, press the "F5" \par
key. If your system doesn't show this screen, just keep on pressing the F5 \par
key. \par
If your Win 95 has the right settings, this boots you into "safe mode." \par
Everything looks weird, but you don't have to give your password and you \par
still can run your programs. \par
Too easy! OK, if you want to do something that looks a little classier, \par
here's another way to evade that new password. \par
\par
Easy Win 95 Breakin #2: \par
\par
Step one: Boot up. \par
Step two: when you get to the "system configuration" screen, press the F8 \par
key. This gives you the Microsoft Windows 95 Startup Menu. \par
Step three: choose number 7. This puts you into MS-DOS. At the prompt, give the command "rename c:\\windows\\*pwl c:\\windows\\*zzz." \par
\par
**************************** \par
Newbie note: MS-DOS stands for Microsoft Disk Operating System, an ancient \par
operating system dating from 1981. It is a command-line operating system, \par
meaning that you get a prompt (probably c:\\>) after which you type in a \par
command and press the enter key. MS-DOS is often abbreviated DOS. It is a \par
little bit similar to Unix, and in fact in its first version it incorporated \par
thousands of lines of Unix code. \par
***************************** \par
\par
Step four: reboot. You will get the password dialog screen. You can then \par
fake out your friends by entering any darn password you want. It will ask \par
you to reenter it to confirm your new password. \par
Step five: Your friends are smart enough to suspect you just created a new \par
password, huh? Well, you can put the old one your friends picked. Use any \par
tool you like -- File Manager, Explorer or MS-DOS -- to rename *.zzz back to \par
*.pwl. \par
Step six: reboot and let your friends use their secret password. It still \par
works! \par
Think about it. If someone where to be sneaking around another person's Win 95 computer, using this technique, the only way the victim could determine \par
there had been an intruder is to check for recently changed files and \par
discover that the *.pwl files have been messed with \par
\par
**************************** \par
Evil genius tip: Unless the msdos.sys file bootkeys=0 option is active, the \par
keys that can do something during the bootup process are F4, F5, F6, F8, \par
Shift+F5, Control+F5 and Shift+F8. Play with them! \par
**************************** \par
\par
Now let's suppose you discovered that your Win 95 box doesn't respond to the bootup keys. You can still break in. \par
If your computer does allow use of the boot keys, you may wish to disable \par
them in order to be a teeny bit more secure. Besides, it's phun to show your \par
friends how to use the boot keys and then disable these so when they try to \par
mess with your computer they will discover you've locked them out. \par
The easiest -- but slowest -- way to disable the boot keys is to pick the \par
proper settings while installing Win 95. But we're hackers, so we can pull a \par
fast trick to do the same thing. We are going to learn how to edit the Win \par
95 msdos.sys file, which controls the boot sequence. \par
\par
\par
Easy Way to Edit your Msdos.sys File: \par
\par
Step zero: Back up your computer completely, especially the system files. \par
Make sure you have a Windows 95 boot disk. We are about to play with fire! \par
If you are doing this on someone else's computer, let's just hope either you have permission to destroy the operating system, or else you are so good you \par
couldn't possibly make a serious mistake. \par
\par
******************************* \par
Newbie note: You don't have a boot disk? Shame, shame, shame! Everyone ought \par
to have a boot disk for their computer just in case you or your buddies do \par
something really horrible to your system files. If you don't already have a \par
Win 95 boot disk, here's how to make one. \par
To do this you need an empty floppy disk and your Win 95 installation \par
disk(s). Click on Start, then Settings, then Control Panel, then Add/Remove \par
Programs, then Startup Disk.  From here just follow instructions. \par
******************************** \par
\par
Step one: Find the file msdos.sys. It is in the root directory (usually \par
C:\\). Since this is a hidden system file, the easiest way to find it is to \par
click on My Computer, right click the icon for your boot drive (usually C:), \par
left click Explore, then scroll down the right side frame until you find the \par
file "msdos.sys." \par
Step two: Make msdos.sys writable. To do this, right click on msdos.sys, \par
then left click "properties." This brings up a screen on which you uncheck \par
the "read only" and "hidden" boxes. You have now made this a file that you \par
can pull into a word processor to edit. \par
Step three: Bring msdos.sys up in Word Pad. To do this, you go to File \par
Manager. Find msdos.sys again and click on it. Then click "associate" under \par
the "file" menu. Then click on "Word Pad." It is very important to use Word \par
Pad and not Notepad or any other word processing program! Then double click \par
on msdos.sys. \par
Step four: We are ready to edit. You will see that Word Pad has come up with msdos.sys loaded. You will see something that looks like this: \par
[Paths] \par
WinDir=C:\\WINDOWS \par
WinBootDir=C:\\WINDOWS \par
HostWinBootDrv=C \par
[Options] \par
BootGUI=1 \par
Network=1 \par
; \par
;The following lines are required for compatibility with other programs. \par
;Do not remove them (MSDOS>SYS needs to be >1024 bytes). \par
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \par
;xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx \par
 \par
To disable the function keys during bootup, directly below [Options] you \par
should insert the command "BootKeys=0." \par
Or, another way to disable the boot keys is to insert the command \par
BootDelay=0. You can really mess up your snoopy hacker wannabe friends by \par
putting in both statements and hope they don't know about BootDelay. Then \par
save msdos.sys. \par
Step five: since msdos.sys is absolutely essential to your computer, you'd \par
better write protect it like it was before you edited it. Click on My \par
Computer, then Explore, then click the icon for your boot drive (usually \par
C:), then scroll down the right side until you find the file "msdos.sys." \par
Click on msdos.sys, then left click "properties." This brings back that \par
screen with the "read only" and "hidden" boxes. Check "read only." \par
Step six: You *are* running a virus scanner, aren't you? You never know what your phriends might do to your computer while your back is turned. When you \par
next boot up, your virus scanner will see that msdos.sys has changed. It \par
will assume the worst and want to make your msdos.sys file look just like it \par
did before. You have to stop it from doing this. I run Norton Antivirus, so \par
all I have to do when the virus warning screen comes up it to tell it to \par
"innoculate." \par
\par
Hard Way to Edit your (or someone else's) Msdos.sys File. \par
\par
Step one: This is useful practice for using DOS to run rampant someday in \par
Win NT LANs, Web and Internet servers. Put a Win 95 boot disk in the a: \par
drive. Boot up. This gives you a DOS prompt A:\\. \par
Step one: Make msdos.sys writable. Give the command "attrib -h -r -s \par
c:\\msdos.sys" (This assumes the c: drive is the boot disk.) \par
Step two: give the command "edit msdos.sys" This brings up this file into \par
the word processor. \par
Step three: Use the edit program to alter msdos.sys. Save it. Exit the edit program. \par
Step four: At the DOS prompt, give the command "attrib +r +h +s \par
c:\\msdos.sys" to return the msdos.sys file to the status of hidden, \par
read-only system file. \par
OK,  now your computer's boot keys are disabled. Does this mean no one can \par
break in? Sorry, this isn't good enough. \par
As you may have guessed from the "Hard Way to Edit your Msdos.sys" \par
instruction, your next option for Win 95 breakins is to use a boot disk that \par
goes in the a: floppy drive. \par
\par
How to Break into a Win 95 Box Using a Boot Disk \par
\par
Step one: shut down your computer. \par
Step two: put boot disk into A: drive. \par
Step three: boot up. \par
Step four: at the A:\\ prompt, give the command: rename c:\\windows\\*.pwl \par
c:\\windows\\*.zzz. \par
Step four: boot up again. You can enter anything or nothing at the password prompt and get in. \par
Step five: Cover your tracks by renaming the password files back to what \par
they were. \par
Wow, this is just too easy! What do you do if you want to keep your \par
prankster friends out of your Win 95 box? Well, there is one more thing you \par
can do. This is a common trick on LANs where the network administrator \par
doesn't want to have to deal with people monkeying around with each others' \par
computers. The answer -- but not a very good answer -- is to use a CMOS \par
password. \par
\par
How to Mess With CMOS #1 \par
\par
The basic settings on your computer such as how many and what kinds of disk drives and which ones are used for booting are held in a CMOS chip on the \par
mother board. A tiny battery keeps this chip always running so that whenever \par
you turn your computer back on, it remembers what is the first drive to \par
check in for bootup instructions. On a home computer it will typically be \par
set to first look in the A: drive. If the A: drive is empty, it next will \par
look at the C: drive. \par
On my computer, if I want to change the CMOS settings I press the delete key at the very beginning of the bootup sequence. Then, because I have \par
instructed the CMOS settings to ask for a password, I have to give it my \par
password to change anything. \par
If I don't want someone to boot from the A: drive and mess with my password file, I can set it so it only boots from the C: drive. Or even so that it only boots from a remote drive on a LAN. \par
So, is there a way to break into a Win 95 box that won't boot from the A: \par
drive? Absolutely yes! But before trying this one out, be sure to write down \par
*ALL* your CMOS settings. And be prepared to make a total wreck of your \par
computer. Hacking CMOS is even more destructive than hacking system files. \par
Step one: get a phillips screwdriver, solder sucker and soldering iron. \par
Step two: open up your victim. \par
Step three: remove the battery . \par
Step four: plug the battery back in. \par
Alternate step three: many motherboards have a 3 pin jumper to reset the \par
CMOS to its default settings. Look for a jumper close to the battery or look \par
at your manual if you have one. \par
For example, you might find a three pin device with pins one and two \par
jumpered. If you move the jumper to pins two and three and leave it there \par
for over five seconds, it may reset the CMOS. Warning -- this will not work \par
on all computers! \par
Step five: Your victim computer now hopefully has the CMOS default settings. \par
Put everything back the way they were, with the exception of setting it to \par
first check the A: drive when booting up. \par
\par
******************************* \par
You can get fired warning: If you do this wrong, and this is a computer you \par
use at work, and you have to go crying to the systems administrator to get \par
your computer working again, you had better have a convincing story. \par
Whatever you do, don't tell the sysadmin or your boss that "The Happy Hacker made me do it"! \par
******************************* \par
\par
Step six: proceed with the A: drive boot disk break-in instructions. \par
Does this sound too hairy? Want an easy way to mess with CMOS? There's a \par
program you can run that does it without having to play with your mother \par
board. \par
\par
How to Mess with CMOS #2 \par
\par
Boy, I sure hope you decided to read to the end of this GTMHH before taking solder gun to your motherboard. There's an easy solution to the CMOS \par
password problem. It's a program called KillCMOS which you can download from \par
http://www.koasp.com. (Warning: if I were you, I'd first check out this site \par
using the Lynx browser, which you can use from Linux or your shell account). \par
Now suppose you like to surf the Web but your Win 95 box is set up so some \par
sort of net nanny program restricts access to places you would really like \par
to visit. Does this mean you are doomed to live in a Brady Family world? No \par
way. \par
There are several ways to evade those programs that censor what Web sites \par
you visit. \par
Now what I am about to discuss is not with the intention of feeding \par
pornography to little kids. The sad fact is that these net censorship \par
programs have no way of evaluating everything on the Web. So what they do is \par
only allow access to a relatively small number of Web sites. This keeps kids \par
form discovering many wonderful things on the Web. \par
As the mother of four, I understand how worried parents can get over what \par
their kids encounter on the Internet. But these Web censor programs are a \par
poor substitute for spending time with your kids so that they learn how to \par
use computers responsibly and become really dynamite hackers! Um, I mean, \par
become responsible cyberspace citizens. Besides, these programs can all be \par
hacked way to easily. \par
The first tactic to use with a Web censor program is hit control-alt-delete. This brings up the task list. If the censorship program is on the list, turn it off. \par
Second tactic is to edit the autoexec.bat file to delete any mention of the web censor program. This keeps it from getting loaded in the first place. \par
But what if your parents (or your boss or spouse) is savvy enough to check \par
where you've been surfing? You've got to get rid of those incriminating \par
records whowing that you've been surfing Dilbert! \par
It's easy to fix with Netscape. Open Netscape.ini with either Notepad or \par
Word Pad. It probably will be in the directory C:\\Netscape\\netscape.ini. \par
Near the bottom you will find your URL history. Delete those lines. \par
But Internet Explorer is a really tough browser to defeat. \par
Editing the Registry is the only way (that I have found, at least) to defeat the censorship feature on Internet Explorer. And, guess what, it even hides several records of your browsing history in the Registry. Brrrr! \par
\par
************************* \par
Newbie note: Registry! It is the Valhalla of those who wish to crack \par
Windows. Whoever controls the Registry of a network server controls the \par
network -- totally. Whoever controls the Registry of a Win 95 or Win NT box \par
controls that computer -- totally. The ability to edit the Registry is \par
comparable to having root access to a Unix machine. \par
************************* \par
\par
How to edit the Registry: \par
\par
Step zero: Back up all your files. Have a boot disk handy. If you mess up \par
the Registry badly enough you may have to reinstall your operating system. \par
\par
****************************** \par
You can get fired warning: If you edit the Registry of a computer at work, \par
if you get caught you had better have a good explanation for the sysadmin \par
and your boss. Figure out how to edit the Registry of a LAN server at work \par
and you may be in real trouble. \par
******************************* \par
\par
******************************* \par
You can go to jail warning: Mess with the Registry of someone else's \par
computer and you may be violating the law. Get permission before you mess \par
with Registries of computers you don't own. \par
******************************* \par
\par
Step one: Find the Registry. This is not simple, because the Microsoft \par
theory is what you don't know won't hurt you. So the idea is to hide the \par
Registry from clueless types. But, hey, we don't care if we totally trash \par
our computers, right? So we click Start, then Programs, then Windows \par
Explorer, then click on the Windows directory and look for a file named \par
"Regedit.exe." \par
Step two: Run Regedit. Click on it. It brings up several folders: \par
HKEY_CLASSES_ROOT \par
HKEY_CURRENT_USER \par
HKEY_LOCAL_MACHINE \par
HKEY_USERS \par
HKEY_CURRENT_CONFIG \par
HKEY_DYN_DATA \par
What we are looking at is in some ways like a password file, but it's much \par
more than this. It holds all sorts of settings -- how your desk top looks, \par
what short cuts you are using, what files you are allowed to access. If you \par
are used to Unix, you are going to have to make major revisions in how you \par
view file permissions and passwords. But, hey, this is a beginners' lesson \par
so we'll gloss over this part. \par
\par
**************************** \par
Evil genius tip: You can run Regedit from DOS from a boot disk. Verrrry \par
handy in certain situations... \par
**************************** \par
Step three: Get into one of these HKEY thingies. Let's check out \par
CURRENT_USER by clicking the plus sign to the left of it. Play around \par
awhile. See how the Regedit gives you menu choices to pick new settings. \par
You'll soon realize that Microsoft is babysitting you. All you see is \par
pictures with no clue of who these files look in DOS. It's called "security \par
by obscurity." This isn't how hackers edit the Registry. \par
Step four: Now we get act like real hackers. We are going to put part of the Registry where we can see -- and change -- anything. First click the \par
HKEY_CLASSES_ROOT line to highlight it. Then go up to the Registry heading \par
on the Regedit menu bar. Click it, then choose "Export Registry File." Give \par
it any name you want, but be sure it ends with ".reg". \par
Step five: Open that part of the Registry in Word Pad. It is important to \par
use that program instead of Note Pad or any other word processing program. \par
One way is to right click on it from Explorer. IMPORTANT WARNING: if you \par
left click on it, it will automatically import it back into the Registry. If \par
you were messing with it and accidentally left click, you could trash your \par
computer big time. \par
Step six: Read everything you ever wanted to know about Windows security \par
that Microsoft was afraid to let you find out. Things that look like: \par
[HKEY_CLASSES_ROOT\\htmlctl.PasswordCtl\\CurVer] \par
@="htmlctl.PasswordCtl.1" \par
[HKEY_CLASSES_ROOT\\htmlctl.PasswordCtl.1] \par
@="PasswordCtl Object" \par
[HKEY_CLASSES_ROOT\\htmlctl.PasswordCtl.1\\CLSID] \par
@="\{EE230860-5A5F-11CF-8B11-00AA00C00903\}" \par
The stuff inside the brackets in this last line is an encrypted password \par
controlling access to a program or features of a program such as the net \par
censorship feature of Internet Explorer. What it does in encrypt the \par
password when you enter it, then compare it with the unencrypted version on \par
file. \par
Step seven: It isn't real obvious which password goes to what program. I say delete them all! Of course this means your stored passwords for logging on \par
to your ISP, for example, may disappear. Also, Internet Explorer will pop up \par
with a warning that "Content Advisor configuration information is missing. \par
Someone may have tried to tamper with it." This will look really bad to your parents! \par
Also, if you trash your operating system in the process, you'd better have a good explanation for your Mom and Dad about why your computer is so sick. \par
It's a good idea to know how to use your boot disk to reinstall Win 95 it \par
this doesn't work out. \par
Step eight: (optional): Want to erase your surfing records? For Internet \par
Explorer you'll have to edit HKEY_CURRENT_USER, HKEY_LOCAL_MACHINE and \par
HKEY_USERS. You can also delete the files c:\\windows\\cookies\\mm2048.dat and \par
c:\\windows\\cookies\\mm256.dat. These also store URL data. \par
Step nine: Import your .reg files back into the Registry. Either click on \par
your .reg files in Explorer or else use the "Import" feature next to the \par
"Export" you just used in Regedit. This only works if you remembered to name \par
them with the .reg extension. \par
Step ten: Oh, no, Internet Explorer makes this loud obnoxious noise the \par
first time I run it and puts up a bright red "X" with the message that I \par
tampered with the net nanny feature! My parents will seriously kill me! \par
Or, worse yet, oh, no, I trashed my computer! \par
All is not lost. Erase the Registry and its backups. These are in four \par
files: system.dat, user.dat, and their backups, system.da0 and user.da0. \par
Your operating system will immediately commit suicide. (This was a really \par
exciting test, folks, but I luuuv that adrenaline!) If you get cold feet, \par
the Recycle bin still works after trashing your Registry files, so you can \par
restore them and your computer will be back to the mess you just made of it. \par
But if you really have guts, just kill those files and shut it down. \par
Then use your Win 95 boot disk to bring your computer back to life. \par
Reinstall Windows 95. If your desk top looks different, proudly tell \par
everyone you learned a whole big bunch about Win 95 and decided to practice \par
on how your desk top looks. Hope they don't check Internet Explorer to see \par
if the censorship program still is enabled. \par
And if your parents catch you surfing a Nazi explosives instruction site, or if you catch your kids at bianca's Smut Shack, don't blame it on Happy \par
Hacker. Blame it on Microsoft security -- or on parents being too busy to \par
teach their kids right from wrong. \par
So why, instead of having you edit the Registry, didn't I just tell you to \par
delete those four files and reinstall Win 95? It's because if you are even \par
halfway serious about hacking, you need to learn how to edit the Registry of \par
a Win NT computer. You just got a little taste of what it will be like here, \par
done on the safety of your home computer. \par
You also may have gotten a taste of how easy it is to make a huge mess when messing with the Registry. Now you don't have to take my work for it, you \par
know first hand how disastrous a clumsy hacker can be when messing in \par
someone else's computer systems. \par
So what is the bottom line on Windows 95 security? Is there any way to set \par
up a Win 95 box so no one can break into it? Hey, how about that little key \par
on your computer? Sorry, that won't do much good, either. It's easy to \par
disconnect so you can still boot the box. Sorry, Win 95 is totally \par
vulnerable. \par
In fact, if you have physical access to *ANY* computer, the only way to keep you from breaking into it is to encrypt its files with a strong encryption \par
algorithm. It doesn't matter what kind of computer it is, files on any \par
computer can one way or another be read by someone with physical access to \par
it -- unless they are encrypted with a strong algorithm such as RSA. \par
We haven't gone into all the ways to break into a Win 95 box remotely, but \par
there are plenty of ways. Any Win 95 box on a network is vulnerable, unless \par
you encrypt its information. \par
And the ways to evade Web censor programs are so many, the only way you can make them work is to either hope your kids stay dumb, or else that they will \par
voluntarily choose to fill their minds with worthwhile material. Sorry, \par
there is no technological substitute for bringing up your kids to know right \par
from wrong. \par
\par
****************************** \par
Evil Genius tip: Want to trash most of the policies can be invoked on a \par
workstation running Windows 95? Paste these into the appropriate locations \par
in the Registry. Warning: results may vary and you may get into all sorts of \par
trouble whether you do this successfully or unsuccessfully. \par
[HKEY_LOCAL_MACHINE\\Network\\Logon] \par
[HKEY_LOCAL_MACHINE\\Network\\Logon] \par
"MustBeValidated"=dword:00000000 \par
"username"="ByteMe" \par
"UserProfiles"=dword:00000000 \par
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies] \par
"DisablePwdCaching"=dword:00000000 \par
"HideSharePwds"=dword:00000000 \par
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer] \par
\par
"NoDrives"=dword:00000000 \par
"NoClose"=dword:00000000 \par
"NoDesktop"=dword:00000000 \par
"NoFind"=dword:00000000 \par
"NoNetHood"=dword:00000000 \par
"NoRun"=dword:00000000 \par
"NoSaveSettings"=dword:00000000 \par
"NoRun"=dword:00000000 \par
"NoSaveSettings"=dword:00000000 \par
"NoSetFolders"=dword:00000000 \par
"NoSetTaskbar"=dword:00000000 \par
"NoAddPrinter"=dword:00000000 \par
"NoDeletePrinter"=dword:00000000 \par
"NoPrinterTabs"=dword:00000000 \par
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Network] \par
\par
"NoNetSetup"=dword:00000000 \par
"NoNetSetupIDPage"=dword:00000000 \par
"NoNetSetupSecurityPage"=dword:00000000 \par
"NoEntireNetwork"=dword:00000000 \par
"NoFileSharingControl"=dword:00000000 \par
"NoPrintSharingControl"=dword:00000000 \par
"NoWorkgroupContents"=dword:00000000 \par
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System] \par
\par
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System] \par
\par
"NoAdminPage"=dword:00000000 \par
"NoConfigPage"=dword:00000000 \par
"NoDevMgrPage"=dword:00000000 \par
"NoDispAppearancePage"=dword:00000000 \par
"NoDispBackgroundPage"=dword:00000000 \par
"NoDispCPL"=dword:00000000 \par
"NoDispScrSavPage"=dword:00000000 \par
"NoDispSettingsPage"=dword:00000000 \par
"NoFileSysPage"=dword:00000000 \par
"NoProfilePage"=dword:00000000 \par
"NoPwdPage"=dword:00000000 \par
"NoSecCPL"=dword:00000000 \par
"NoVirtMemPage"=dword:00000000 \par
"DisableRegistryTools"=dword:00000000 \par
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp \par
\par
 [END of message text] \par
  [Already at end of message] \par
  PINE 3.91   MESSAGE TEXT   Folder: INBOX  Message 178 of 433 END \par
  \par
[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\WinOldApp \par
\par
] \par
"Disabled"=dword:00000000 \par
"NoRealMode"=dword:00000000 \par
  \par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
___________________________________________________________ \par
\par
GUIDE TO (mostly) HARMLESS HACKING \par
Beginners' Series #2, Section 3. \par
Hacking from Windows 3.x, 95 and NT \par
____________________________________________________________ \par
\par
\par
\par
This lesson will tell you how, armed with even the lamest of on-line \par
services such as America Online and the Windows 95 operating system, you can \par
do some fairly serious Internet hacking -- today! \par
\par
In this lesson we will learn how to: \par
\'b7       -Use secret Windows 95 DOS commands to track down and port surf computers used by famous on-line service providers. \par
\'b7       -Telnet to computers that will let you use the invaluable hacker tools of whois, nslookup, and dig. \par
\'b7       -Download hacker tools such as port scanners and password crackers designed for use with Windows. \par
\'b7       -Use Internet Explorer to evade restrictions on what programs you can run on your school or work computers. \par
\par
Yes, I can hear jericho and Rogue Agent and all the other Super Duper \par
hackers on this list laughing. I'll bet already they have quit reading this \par
and are furiously emailing me flames and making phun of me in 2600 meetings. \par
Windows hacking? Pooh! \par
Tell seasoned hackers that you use Windows and they will laugh at you. \par
They'll tell you to go away and don't come back until you're armed with a \par
shell account or some sort of Unix on your PC. Actually, I have long shared \par
their opinion. Shoot, most of the time hacking from Windoze is like using a \par
1969 Volkswagon to race against a dragster using one of VP Racing's \par
high-tech fuels. \par
But there actually is a good reason to learn to hack from Windows. Some of \par
your best tools for probing and manipulating Windows networks are found only \par
on Windows NT. Furthermore, with Win 95 you can practice the Registry \par
hacking that is central to working your will on Win NT servers and the \par
networks they administer. \par
In fact, if you want to become a serious hacker, you eventually will have to learn Windows. This is because Windows NT is fast taking over the Internet \par
from Unix. An IDC report projects that the Unix-based Web server market \par
share will fall from the 65% of 1995 to only 25% by the year 2000. The \par
Windows NT share is projected to grow to 32%.  This weak future for Unix Web \par
servers is reinforced by an IDC report reporting that market share of all \par
Unix systems is now falling at a compound annual rate of decline of -17% for \par
the foreseeable future, while Windows NT is growing in market share by 20% \par
per year. (Mark Winther, "The Global Market for Public and Private Internet \par
Server Software," IDC #11202, April 1996, 10, 11.) \par
So if you want to keep up your hacking skills, you're going to have to get \par
wise to Windows. One of these days we're going to be sniggering at all those \par
Unix-only hackers. \par
Besides, even poor, pitiful Windows 95 now can take advantage of  lots of \par
free hacker tools that give it much of the power of Unix. \par
Since this is a beginners' lesson, we'll go straight to the Big Question: \par
"All I got is AOL and a Win 95 box. Can I still learn how to hack?" \par
Yes, yes, yes! \par
The secret to hacking from AOL/Win 95 -- or from any on-line service that \par
gives you access to the World Wide Web -- is hidden in Win 95's MS-DOS (DOS \par
7.0). \par
DOS 7.0 offers several Internet tools, none of which are documented in \par
either the standard Windows or DOS help features. But you're getting the \par
chance to learn these hidden features today. \par
So to get going with today's lesson, use AOL or whatever lame on-line \par
service you may have and make the kind of connection you use to get on the \par
Web (this will be a PPP or SLIP connection). Then minimize your Web browser \par
and prepare to hack! Next, bring up your DOS window by clicking Start, then \par
Programs, then MS-DOS. \par
For best hacking I've found it easier to use DOS in a window with a task bar which allows me to cut and paste commands and easily switch between Windows \par
and DOS programs. If your DOS comes up as a full screen, hold down the Alt \par
key while hitting enter, and it will go into a window. Then if you are \par
missing the task bar, click the system menu on the left side of the DOS \par
window caption and select Toolbar. \par
Now you have the option of  eight TCP/IP utilities to play with: telnet, \par
arp, ftp, nbtstat, netstat, ping, route, and tracert. \par
Telnet is the biggie. You can also access the telnet program directly from \par
Windows. But while hacking you may need the other utilities that can only be \par
used from DOS, so I like to call telnet from DOS. \par
With the DOS telnet you can actually port surf almost as well as from a Unix telnet program. But there are several tricks you need to learn in order to \par
make this work. \par
First, we'll try out logging on to a strange computer somewhere. This is a \par
phun thing to show your friends who don't have a clue because it can scare \par
the heck out them. Honest, I just tried this out on a neighbor. He got so \par
worried that when he got home he called my husband and begged him to keep me \par
from hacking his work computer! \par
To do this (I mean log on to a strange computer, not scare your neighbors) \par
go to the DOS prompt C:\\WINDOWS> and give the command "telnet." This brings \par
up a telnet screen. Click on Connect, then click Remote System. This brings up a box that asks you for "Host Name." Type "whois.internic.net" into this box. Below that it asks for "Port" and has the default value of "telnet." Leave in "telnet" for the port selection. Below that is a box for "TermType."  I recommend picking VT100 because, well, just because I like it best. \par
The first thing you can do to frighten your neighbors and impress your \par
friends is a "whois." Click on Connect and you will soon get a prompt that \par
looks like this: \par
   [vt100]InterNIC> \par
Then ask your friend or neighbor his or her email address. Then at this \par
InterNIC prompt, type in the last two parts of your friend's email address. \par
For example, if the address is "luser@aol.com," type in "aol.com." \par
Now I'm picking AOL for this lesson because it is really hard to hack. \par
Almost any other on-line service will be easier. \par
For AOL we get the answer: \par
  [vt100] InterNIC > whois aol.com \par
  Connecting to the rs Database . . . . . . \par
  Connected to the rs Database \par
  America Online (AOL-DOM) \par
         12100 Sunrise Valley Drive \par
         Reston, Virginia 22091 \par
         USA \par
         Domain Name: AOL.COM \par
         Administrative Contact: \par
         O'Donnell, David B  (DBO3)  PMDAtropos@AOL.COM \par
         703/453-4255 (FAX) 703/453-4102 \par
         Technical Contact, Zone Contact: \par
         America Online  (AOL-NOC)  trouble@aol.net \par
         703-453-5862 \par
         Billing Contact: \par
         Barrett, Joe  (JB4302)  BarrettJG@AOL.COM \par
         703-453-4160 (FAX) 703-453-4001 \par
         Record last updated on 13-Mar-97. \par
         Record created on 22-Jun-95. \par
         Domain servers in listed order: \par
         DNS-01.AOL.COM   152.163.199.42 \par
         DNS-02.AOL.COM   152.163.199.56 \par
         DNS-AOL.ANS.NET  198.83.210.28 \par
These last three lines give the names of some computers that work for \par
America Online (AOL). If we want to hack AOL, these are a good place to \par
start. \par
\par
********************************* \par
Newbie note: We just got info on three "domain name servers" for AOL. \par
"Aol.com" is the domain name for AOL, and the domain servers are the \par
computers that hold information that tells the rest of the Internet how to \par
send messages to AOL computers and email addresses. \par
********************************* \par
\par
********************************* \par
Evil genius tip: Using your Win 95 and an Internet connection, you can run a \par
whois query from many other computers, as well. Telnet to your target \par
computer's port 43 and if it lets you get on it, give your query. \par
Example: telnet to nic.ddn.mil, port 43. Once connected type "whois \par
DNS-01.AOL.COM," or whatever name you want to check out. However, this only \par
works on computers that are running the whois service on port 43. \par
Warning: show this trick to your neighbors and they will really be \par
terrified. They just saw you accessing a US military computer! But it's OK, \par
nic.ddn.mil is open to the public on many of its ports. Check out its Web \par
site www.nic.ddn.mil and its ftp site, too -- they are a mother lode of \par
information that is good for hacking. \par
********************************* \par
\par
Next I tried a little port surfing on DNS-01.AOL.COM but couldn't find any \par
ports open. So it's a safe bet this computer is behind the AOL firewall. \par
\par
********************************** \par
Newbie note: port surfing means to attempt to access a computer through \par
several different ports. A port is any way you get information into or out \par
of a computer. For example, port 23 is the one you usually use to log into a \par
shell account. Port 25 is used to send email. Port 80 is for the Web. There \par
are thousands of designated ports, but any particular computer may be \par
running only three or four ports. On your home computer your ports include \par
the monitor, keyboard, and modem. \par
********************************** \par
\par
So what do we do next? We close the telnet program and go back to the DOS \par
window. At the DOS prompt we give the command "tracert 152.163.199.42." Or \par
we could give the command "tracert DNS-01.AOL.COM." Either way we'll get the \par
same result. This command will trace the route that a message takes, hopping \par
from one computer to another, as it travels from my computer to this AOL \par
domain server computer. Here's what we get: \par
C:\\WINDOWS>tracert 152.163.199.42 \par
Tracing route to dns-01.aol.com [152.163.199.42] \par
over a maximum of 30 hops: \par
  1 *** Request timed out. \par
  2   150 ms   144 ms   138 ms  204.134.78.201 \par
  3   375 ms   299 ms   196 ms  glory-cyberport.nm.westnet.net \par
[204.134.78.33] \par
  4   271 ms *  201 ms  enss365.nm.org [129.121.1.3] \par
  5   229 ms   216 ms   213 ms  h4-0.cnss116.Albuquerque.t3.ans.net \par
[192.103.74.45] \par
  6   223 ms   236 ms   229 ms  f2.t112-0.Albuquerque.t3.ans.net \par
[140.222.112.221] \par
  7   248 ms   269 ms   257 ms  h14.t64-0.Houston.t3.ans.net [140.223.65.9] \par
  8   178 ms   212 ms   196 ms  h14.t80-1.St-Louis.t3.ans.net [140.223.65.14] \par
  9   316 ms *  298 ms  h12.t60-0.Reston.t3.ans.net [140.223.61.9] \par
 10   315 ms   333 ms   331 ms  207.25.134.189 \par
 11 *** Request timed out. \par
 12 *** Request timed out. \par
 13  207.25.134.189  reports: Destination net unreachable. \par
What the heck is all this stuff? The number to the left is the number of \par
computers the route has been traced through. The "150 ms" stuff is how long, \par
in thousandths of a second, it takes to send a message to and from that \par
computer. Since a message can take a different length of time every time you \par
send it, tracert times the trip three times. The "*" means the trip was \par
taking too long so tracert said "forget it." After the timing info comes the \par
name of the computer the message reached, first in a form that is easy for a \par
human to remember, then in a form -- numbers -- that a computer prefers. \par
"Destination net unreachable" probably means tracert hit a firewall. \par
Let's try the second AOL domain server. \par
C:\\WINDOWS>tracert  152.163.199.56 \par
Tracing route to dns-02.aol.com [152.163.199.56] \par
over a maximum of 30 hops: \par
  1 *** Request timed out. \par
  2   142 ms   140 ms   137 ms  204.134.78.201 \par
  3   246 ms   194 ms   241 ms  glory-cyberport.nm.westnet.net [204.134.78.33] \par
  4   154 ms   185 ms   247 ms  enss365.nm.org [129.121.1.3] \par
  5   475 ms   278 ms   325 ms  h4-0.cnss116.Albuquerque.t3.ans.net [192.103.74.45] \par
  6   181 ms   187 ms   290 ms  f2.t112-0.Albuquerque.t3.ans.net [140.222.112.221] \par
  7   162 ms   217 ms   199 ms  h14.t64-0.Houston.t3.ans.net [140.223.65.9] \par
  8   210 ms   212 ms   248 ms  h14.t80-1.St-Louis.t3.ans.net [140.223.65.14] \par
  9   207 ms *  208 ms  h12.t60-0.Reston.t3.ans.net [140.223.61.9] \par
 10   338 ms   518 ms   381 ms  207.25.134.189 \par
 11 *** Request timed out. \par
 12 *** Request timed out. \par
 13  207.25.134.189  reports: Destination net unreachable. \par
Note that both tracerts ended at the same computer named h12.t60-0.Reston.t3.ans.net. Since AOL is headquartered in Reston, Virginia, it's a good bet this is a computer that directly feeds stuff into AOL. But we notice that h12.t60-0.Reston.t3.ans.net , h14.t80-1.St-Louis.t3.ans.net, h14.t64-0.Houston.t3.ans.net and Albuquerque.t3.ans.net all have numerical names beginning with 140, and names that end with "ans.net." So it's a good guess that they all belong to the same company. Also, that "t3" in each name suggests these computers are routers on a T3 communications backbone for the Internet. \par
Next let's check out that final AOL domain server: \par
C:\\WINDOWS>tracert 198.83.210.28 \par
Tracing route to dns-aol.ans.net [198.83.210.28] \par
over a maximum of 30 hops: \par
  1 *** Request timed out. \par
  2   138 ms   145 ms   135 ms  204.134.78.201 \par
  3   212 ms   191 ms   181 ms  glory-cyberport.nm.westnet.net [204.134.78.33] \par
  4   166 ms   228 ms   189 ms  enss365.nm.org [129.121.1.3] \par
  5   148 ms   138 ms   177 ms  h4-0.cnss116.Albuquerque.t3.ans.net [192.103.74.45] \par
  6   284 ms   296 ms   178 ms  f2.t112-0.Albuquerque.t3.ans.net [140.222.112.221] \par
  7   298 ms   279 ms   277 ms  h14.t64-0.Houston.t3.ans.net [140.223.65.9] \par
  8   238 ms   234 ms   263 ms  h14.t104-0.Atlanta.t3.ans.net [140.223.65.18] \par
  9   301 ms   257 ms   250 ms  dns-aol.ans.net [198.83.210.28] \par
Trace complete. \par
Hey, we finally got all the way through to something we can be pretty \par
certain is an AOL box, and it looks like it's outside the firewall! But look \par
at how the tracert took a different path this time, going through Atlanta \par
instead of  St. Louis and Reston. But we are still looking at ans.net \par
addresses with T3s, so this last nameserver is using the same network as the \par
others. \par
Now what can we do next to get luser@aol.com really wondering if you could \par
actually break into his account? We're going to do some port surfing on this \par
last AOL domain name server! But to do this we need to change our telnet \par
settings a bit. \par
Click on Terminal, then Preferences. In the preferences box you need to \par
check "Local echo." You must do this, or else you won't be able to see \par
everything that you get while port surfing. For some reason, some of the \par
messages a remote computer sends to you won't show up on your Win 95 telnet \par
screen unless you choose the local echo option. However, be warned, in some \par
situations everything you type in will be doubled. For example, if you type \par
in "hello" the telnet screen may show you "heh lelllo o. This doesn't mean \par
you mistyped, it just means your typing is getting echoed back at various \par
intervals. \par
Now click on Connect, then Remote System. Then enter the name of that last \par
AOL domain server, dns-aol.ans.net. Below it, for Port choose Daytime. It \par
will send back to you the day of the week, date and time of day in its time \par
zone. \par
Aha! We now know that dns-aol.ans.net is exposed to the world, with at least one open port, heh, heh.  It is definitely a prospect for further port \par
surfing. And now your friend is wondering, how did you get something out of \par
that computer? \par
\par
****************************** \par
Clueless newbie alert: If everyone who reads this telnets to the daytime \par
port of this computer, the sysadmin will say "Whoa, I'm under heavy attack \par
by hackers!!! There must be some evil exploit for the daytime service! I'm \par
going to close this port pronto!" Then you'll all email me complaining the \par
hack doesn't work. Please, try this hack out on different computers and \par
don't all beat up on AOL. \par
****************************** \par
\par
Now let's check out that Reston computer. I select Remote Host again and \par
enter the name h12.t60-0.Reston.t3.ans.net. I try some port surfing without \par
success. This is a seriously locked down box! What do we do next? \par
So first we remove that "local echo" feature, then we telnet back to \par
whois.internic. We ask about this ans.net outfit that offers links to AOL: \par
[vt100] InterNIC > whois ans.net \par
Connecting to the rs Database . . . . . . \par
Connected to the rs Database \par
ANS CO+RE Systems, Inc. (ANS-DOM) \par
   100 Clearbrook Road \par
   Elmsford, NY 10523 \par
   Domain Name: ANS.NET \par
   Administrative Contact: \par
  Hershman, Ittai  (IH4)  ittai@ANS.NET \par
  (914) 789-5337 \par
   Technical Contact: \par
  ANS Network Operations Center  (ANS-NOC)  noc@ans.net \par
  1-800-456-6300 \par
   Zone Contact: \par
  ANS Hostmaster  (AH-ORG)  hostmaster@ANS.NET \par
  (800)456-6300  fax: (914)789-5310 \par
   Record last updated on 03-Jan-97. \par
   Record created on 27-Sep-90. \par
   Domain servers in listed order: \par
   NS.ANS.NET   192.103.63.100 \par
   NIS.ANS.NET  147.225.1.2 \par
Now if you wanted to be a really evil hacker you could call that 800 number and try to social engineer a password out of somebody who works for this \par
network. But that wouldn't be nice and there is nothing legal you can do \par
with ans.net passwords. So I'm not telling you how to social engineer those \par
passwords. \par
Anyhow, you get the idea of how you can hack around gathering info that \par
leads to the computer that handles anyone's email. \par
So what else can you do with your on-line connection and Win 95? \par
Well... should I tell you about killer ping? It's a good way to lose your \par
job and end up in jail. You do it from your Windows DOS prompt. Find the \par
gory details in the GTMHH Vol.2 Number 3, which is kept in one of our \par
archives listed at the end of this lesson. Fortunately most systems \par
administrators have patched things nowadays so that killer ping won't work. \par
But just in case your ISP or LAN at work or school isn't protected, don't \par
test it without your sysadmin's approval! \par
Then there's ordinary ping, also done from DOS.  It's sort of like tracert, but all it does is \par
time how long a message takes from one computer to \par
another, without telling you anything about the computers between yours and \par
the one you ping. \par
Other TCP/IP commands hidden in DOS include: \par
\'b7 Arp IP-to-physical address translation tables \par
\'b7 Ftp File transfer protocol. This one is really lame. Don't use it. Get a \par
shareware Ftp program from one of the download sites listed below. \par
\'b7 Nbtstat Displays current network info -- super to use on your own ISP \par
\'b7 Netstat Similar to Nbstat \par
\'b7 Route Controls router tables -- router hacking is considered extra elite. \par
Since these are semi-secret commands, you can't get any details on how to \par
use them from the DOS help menu. But there are help files hidden away for \par
these commands: \par
\'b7 For arp, nbtstat, ping and route,  to get help just type in the command \par
and hit enter. \par
\'b7 For netstat you have to give the command "netstat ?" to get help. \par
\'b7 Telnet has a help option on the tool bar. \par
I haven't been able to figure out a trick to get help for the ftp command. \par
Now suppose you are at the point where you want to do serious hacking that \par
requires commands other than these we just covered, but you don't want to \par
use Unix. Shame on you! But, heck, even though I usually have one or two \par
Unix shell accounts plus Walnut Creek Slackware on my home computer, I still \par
like to hack from Windows. This is because I'm ornery. So you can be ornery, \par
too. \par
So what is your next option for doing serious hacking from Windows? \par
How would you like to crack Win NT server passwords? Download the free Win \par
95 program NTLocksmith, an add-on program to NTRecover that allows for the \par
changing of passwords on systems where the administrative password has been \par
lost. It is reputed to work 100% of the time. Get both NTLocksmith and \par
NTRecover -- and lots more free hacker tools -- from \par
http://www.sysinternals.com. \par
\par
********************************** \par
You can go to jail warning: If you use NTRecover to break into someone \par
else's system, you are just asking to get busted. \par
********************************** \par
\par
How would you like to trick your friends into thinking their NT box has \par
crashed when it really hasn't? This prank program can be downloaded from \par
http://www.osr.com/insider/insdrcod.htm. \par
But by far the deadliest hacking tool that runs on Windows can be downloaded from, guess what? \par
http://home.microsoft.com \par
That deadly program is Internet Explorer 3.0. Unfortunately, this program is even better for letting other hackers break into your home computer and do \par
stuff like make your home banking program (e.g. Quicken) transfer your life \par
savings to someone in Afghanistan. \par
But if you're aren't brave enough to run Internet Explorer to surf the Web, you can still use it to hack your own computer, or other computers on your \par
LAN. You see, Internet Explorer is really an alternate Windows shell which \par
operates much like the Program Manager and Windows Explorer that come with \par
the Win 94 and Win NT operating systems. \par
Yes, from Internet Explorer you can run any program on your own computer. Or any program to which you have access on your LAN. \par
\par
*********************************** \par
Newbie note: A shell is a program that mediates between you and the \par
operating system. The big deal about Internet Explorer being a Windows shell \par
is that Microsoft never told anyone that it was in fact a shell. The \par
security problems that are plaguing Internet Explorer are mostly a \par
consequence of it turning out to be a shell. By contrast, the Netscape and \par
Mosaic Web browsers are not shells. They also are much safer to use. \par
*********************************** \par
\par
To use Internet Explorer as a Windows shell, bring it up just like you would if you were going to surf the Web. \par
Kill the program's attempt to establish \par
an Internet connection -- we don't want to do anything crazy, do we? \par
Then in the space where you would normally type in the URL you want to surf, \par
instead type in c:. \par
Whoa, look at all those file folders that come up on the screen. Look \par
familiar? It's the same stuff your Windows Explorer would show you. Now for \par
fun, click "Program Files" then click "Accessories" then click "MSPaint." \par
All of a sudden MSPaint is running. Now paint your friends who are watching this hack very surprised. \par
Next close all that stuff and get back to Internet Explorer. Click on the \par
Windows folder, then click on Regedit.exe to start it up. Export the \par
password file (it's in HKEY_CLASSES_ROOT). Open it in Word Pad. Remember, \par
the ability to control the Registry of a server is the key to controlling  \par
the network it serves. Show this to your next door neighbor and tell her \par
that you're going to use Internet Explorer to surf her password files. In a \par
few hours the Secret Service will be fighting with the FBI on your front \par
lawn over who gets to try to bust you. OK, only kidding here. \par
So how can you use Internet Explorer as a hacking tool? One way is if you \par
are using a computer that restricts your ability to run other programs on \par
your computer or LAN. Next time you get frustrated at your school or library \par
computer, check to see if it offers Internet Explorer. If it does, run it \par
and try entering disk drive names. While C: is a common drive on your home \par
computer, on a LAN you might get results by putting in R: or Z: or any other \par
letter of the alphabet. \par
Next cool hack: try automated port surfing from Windows! Since there are \par
thousands of possible ports that may be open on any computer, it could take \par
days to fully explore even just one computer by hand. A good answer to this \par
problem is the NetCop automated port surfer, which can be found at \par
http://www.netcop.com/. \par
Now suppose you want to be able to access the NTFS file system that Windows NT uses from \par
a Win 95 or even DOS platform? This can be useful if you are wanting to use Win 95 as a platform to hack an NT system. \par
http://www.sysinternals.com/ntfsdos.htm offers a program that allows Win 95 \par
and DOS to recognize and mount NTFS drives for transparent access. \par
Hey, we are hardly beginning to explore all the wonderful Windows hacking \par
tools out there. It would take megabytes to write even one sentence about \par
each and every one of them. But you're a hacker, so you'll enjoy exploring \par
dozens more of these nifty programs yourself. Following is a list of sites \par
where you can download lots of free and more or less harmless programs that \par
will help you in your hacker career: \par
\par
ftp://ftp.cdrom.com \par
ftp://ftp.coast.net \par
http://hertz.njit.edu/%7ebxg3442/temp.html \par
http://www.alpworld.com/infinity/void-neo.html \par
http://www.danworld.com/nettools.html \par
http://www.eskimo.com/~nwps/index.html \par
http://www.geocities.com/siliconvalley/park/2613/links.html \par
http://www.ilf.net/Toast/ \par
http://www.islandnet.com/~cliffmcc \par
http://www.simtel.net/simtel.net \par
http://www.supernet.net/cwsapps/cwsa.html \par
http://www.trytel.com/hack/ \par
http://www.tucows.com \par
http://www.windows95.com/apps/ \par
http://www2.southwind.net/%7emiker/hack.html \par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
___________________________________________________________ \par
\par
GUIDE TO (mostly) HARMLESS HACKING \par
Beginners' Series #3 Part 1 \par
How to Get a *Good* Shell Account \par
____________________________________________________________ \par
\par
\par
\par
In this Guide you will learn how to: \par
\'b7 -tell whether you may already have a Unix shell account \par
\'b7 -get a shell account \par
\'b7 -log on to your shell account \par
\par
You've fixed up your Windows box to boot up with a lurid hacker logo. You've renamed "Recycle Bin" "Hidden Haxor Secrets." When you run Netscape or \par
Internet Explorer, instead of that boring corporate logo, you have a \par
full-color animated Mozilla destroying New York City. Now your friends and \par
neighbors are terrified and impressed. \par
But in your heart of hearts you know Windows is scorned by elite hackers. \par
You keep on seeing their hairy exploit programs and almost every one of them \par
requires the Unix operating system. You realize that when it comes to \par
messing with computer networks, Unix is the most powerful operating system \par
on the planet. You have developed a burning desire to become one of those \par
Unix wizards yourself. Yes, you're ready for the next step. \par
You're ready for a shell account. SHELL ACCOUNT!!!! \par
  \par
***************************************************** \par
Newbie note: A shell account allows you to use your home computer as a \par
terminal on which you can give commands to a computer running Unix. The \par
"shell" is the program that translates your keystrokes into Unix commands. \par
With the right shell account you can enjoy the use of a far more powerful \par
workstation  than you could ever dream of affording to own yourself. It also \par
is a great stepping stone to the day when you will be running some form of \par
Unix on your home computer. \par
***************************************************** \par
  \par
Once upon a time the most common way to get on the Internet was through a \par
Unix shell account. But nowadays everybody and his brother are on the \par
Internet. Almost all these swarms of surfers want just two things: the Web, \par
and email. To get the pretty pictures of today's Web, the average Internet \par
consumer wants a mere PPP (point to point) connection account. They wouldn't \par
know a Unix command if it hit them in the snoot. So nowadays almost the only \par
people who want shell accounts are us wannabe hackers. \par
The problem is that you used to be able to simply phone an ISP, say "I'd \par
like a shell account," and they would give it to you just like that. But \par
nowadays, especially if you sound like a teenage male, you'll run into \par
something like this: \par
ISP guy: "You want a shell account? What for?" \par
Hacker dude: "Um, well, I like Unix." \par
"Like Unix, huh? You're  a hacker, aren't you!" Slam, ISP guy hangs up on \par
you. \par
So how do you get a shell account? Actually, it's possible you may already \par
have one and not know it. So first we will answer the question, how do you \par
tell whether you may already have a shell account? Then, if you are certain \par
you don't have one, we'll explore the many ways you can get one, no matter \par
what, from anywhere in the world. \par
How Do I Know Whether I Already Have a Shell Account? \par
First you need to get a program running that will connect you to a shell \par
account. There are two programs with Windows 95 that will do this, as well \par
as many other programs, some of which are excellent and free. \par
First we will show you how to use the Win 95 Telnet program because you \par
already have it and it will always work. But it's a really limited program, \par
so I suggest  that you use it only if you can't get the Hyperterminal \par
program to work. \par
1) Find your Telnet program and make a shortcut to it on your desktop. \par
One way is to click Start, then Programs, then Windows Explorer. \par
When Explorer is running, first resize it so it doesn't cover the entire \par
desktop. \par
Then click Tools, then Find, then "Files or Folders." \par
Ask it to search for "Telnet." \par
It will show a file labeled C:\\windows\\telnet (instead of C:\\ it may have \par
another drive). Right click on this file. \par
This will bring up a menu that includes the option "create shortcut."  \par
Click on "create shortcut" and then drag the shortcut to the desktop and \par
drop it. \par
Close Windows Explorer. \par
2) Depending on how your system is configured, there are two ways to connect \par
to the Internet. The easy way is to skip to step three. But if it fails, go \par
back to this step. Start up whatever program you use to access the Internet. \par
Once you are connected, minimize the program. Now try step three. \par
3) Bring up your Telnet program by double clicking on the shortcut you just made. \par
First you need to configure Telnet so it actually is usable. On the \par
toolbar click "terminal," then "preferences," then "fonts."  Choose "Courier \par
New," "regular" and 8 point size. You do this because if you have too big a \par
font, the Telnet program is shown on the screen so big that the cursor from \par
your shell program can end up being hidden off the screen.  OK, OK, you can \par
pick other fonts, but make sure that  when you close the dialog box that the \par
Telnet program window is entirely visible on the screen. Now why would there \par
be options that make Telnet impossible to use? Ask Microsoft. \par
Now go back to the task bar to click Connect, then under it click "Remote \par
system." This brings up another dialog box. \par
Under "host name" in this box  type in the last two parts of your email \par
address. For example, if your email address is jane_doe@boring.ISP.com, type \par
"ISP.com" for host name. \par
Under "port" in this box, leave it the way it is, reading "telnet." \par
Under "terminal type," in this box, choose "VT100." \par
Then click the Connect button and wait to see what happens. \par
If the connection fails, try entering the last three parts of your email \par
address as the host, in this case "boring.ISP.com." \par
Now if you have a shell account you should next get a message asking you to login. It may \par
look something like this: \par
Welcome to Boring Internet Services, Ltd. \par
Boring.com S9 - login: cmeinel \par
Password: \par
Linux 2.0.0. \par
Last login: Thu Apr 10 14:02:00 on ttyp5 from pm20.kitty.net. \par
sleepy:~$ \par
If you get something like this you are in definite luck. The important thing here, however, \par
is that the computer used the word "login" to get you \par
started. If is asked for anything else, for example "logon," this is not a \par
shell account. \par
As soon as you login, in the case of Boring Internet Services you have a \par
Unix shell prompt on your screen. But instead of something this simple you \par
may get something like: \par
BSDI BSD/OS 2.1 (escape.com) (ttyrf) \par
login: galfina \par
Password: \par
Last login: Thu Apr 10 16:11:37 from fubar.net \par
Copyright 1992, 1993, 1994, 1995 Berkeley Software Design, Inc. \par
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 \par
The Regents of the University of California.  All rights reserved. \par
__________________________________________________________________ \par
  ___________________  ______  ______________ \par
 ___ /   ___/   ___/ \\/  \\/  __  /   ___/ \par
  _____ /   ___/\\__   /   /__/   /   /  /___/   ___/ \par
   _______ /   /  /   /  /   /  /   /  /   /   /  / \par
_________  \\_____/\\_____/\\_____/\\__/___/\\_/\\_____/  .com \par
 [ ESCAPE.COM ] \par
__________________________________________________________________ \par
PLEASE NOTE: \par
Multiple Logins and Simultaneous Dialups From Different Locations \par
Are \par
_NOT_ Permitted at Escape Internet Access. \par
__________________________________________________________________ \par
Enter your terminal type, RETURN for vt100, ? for list: \par
Setting terminal type to vt100. \par
Erase is backspace. \par
  \par
  MAIN \par
Escape Main Menu \par
----[05:45PM]----------------------------------------------------- \par
 ==> H) HELP   Help & Tips for the Escape Interface. (M) \par
 I) INTERNET   Internet Access & Resources (M) \par
 U) USENETMUsenet Conferences (Internet Distribution) (M) \par
 L) LTALK  Escape Local Communications Center (M) \par
 B) BULLETINS  Information on Escape, Upgrades, coming events. (M) \par
 M) MAIL   Escape World Wide and Local Post Office (M) \par
 F) HOME   Your Home Directory (Where all your files end up) \par
 C) CONFIG Config your user and system options  (M) \par
 S) SHELL  The Shell (Unix Environment) [TCSH] \par
 X) LOGOUT Leave System \par
 BACK  MAIN  HOME  MBOX  ITALK LOGOUT \par
----[Mesg: Y]------------[ TAB key toggles menus ]-------[Connected:   \par
0:00]--- \par
CMD> \par
In this case you aren't in a shell yet, but you can see an option on the \par
menu to get to a shell. So hooray, you are in luck, you have a shell \par
account. Just enter "S" and you're in. \par
Now depending on the ISP you try out, there may be all sorts of different \par
menus, all designed to keep the user from having to ever stumble across the \par
shell itself. But if you have a shell account, you will probably find the \par
word "shell" somewhere on the menu. \par
\par
If you don't get something obvious like this, you may have to do the single most humiliating \par
thing a wannabe hacker will ever do. Call tech support and ask whether you have a shell account \par
and, if so,  how to login. It may be \par
that they just want to make it really, really hard for you to find your \par
shell account. \par
Now personally I don't care for the Win 95 Telnet program. Fortunately there are many other \par
ways to check whether you have a shell account. Here's how to use the Hyperterminal program, \par
which, like Telnet, comes free with the \par
Windows 95 operating system. This requires a different kind of connection. \par
Instead of a PPP connection we will do a simple phone dialup, the same sort \par
of connection you use to get on most computer bulletin board systems (BBS). \par
1) First, find the program Hyperteminal and make a shortcut to your desktop. \par
This one is easy to find. Just click Start, then Programs, then Accessories.You'll find \par
Hyperterminal on the accessories menu. Clicking on it will bring up a window with a bunch \par
of icons. Click on the one labeled \par
"hyperterminal.exe." \par
2) This brings up a dialog box called "New Connection." Enter the name of \par
your local dialup, then in the next dialog box enter the phone dialup number \par
of your ISP. \par
3) Make a shortcut to your desktop. \par
4) Use Hyperterminal to dial your ISP. Note that in this case you are making a direct \par
phone call to your shell account rather than trying to reach it \par
through a PPP connection. \par
Now when you dial your ISP from Hyperterminal you might get a bunch of \par
really weird garbage scrolling down your screen. But don't give up. What is \par
happening is your ISP is trying to set up a PPP connection with Hyperterminal. That is \par
the kind of connection you need in order to get pretty pictures on the Web. But Hyperterminal \par
doesn't understand PPP. \par
Unfortunately I've have not been able to figure out why this happens \par
sometimes or how to stop it. But the good side of this picture is that the \par
problem may go away the next time you use Hyperterminal to connect to your \par
ISP. So if you dial again you may get a login sequence. I've found it often \par
helps to wait a few days and try again. Of course you can complain to tech \par
support at your ISP. But it is likely that they won't have a clue on what \par
causes their end of things to try to set up a PPP session with your \par
Hyperterminal connection. Sigh. \par
But if all goes well, you will be able to log in. In fact, except for the \par
PPP attempt problem, I like the Hyperterminal program much better than Win \par
95 Telnet. So if you can get this one to work, try it out for awhile. See if \par
you like it, too. \par
There are a number of other terminal programs that are really good for \par
connecting to your shell account. They include Qmodem, Quarterdeck Internet \par
Suite, and Bitcom. Jericho recommends Ewan, a telnet program which also runs on Windows 95. \par
Ewan is free, and has many more features than either Hyperterminal or Win 95 Telnet. You may \par
download it from jericho's ftp site \par
at sekurity.org in the /utils directory. \par
OK, let's say you have logged into your ISP with your favorite program. But perhaps it still \par
isn't clear whether you have a shell account. Here's your \par
next test. At what you hope is your shell prompt, give the command "ls \par
-alF." If you have a real, honest-to-goodness shell account, you should get \par
something like this: \par
> ls -alF \par
total 87 \par
drwx--x--x5 galfina  user1024 Apr 22 21:45 ./ \par
drwxr-xr-x  380 root wheel   6656 Apr 22 18:15 ../ \par
-rw-r--r--1 galfina  user2793 Apr 22 17:36 .README \par
-rw-r--r--1 galfina  user 635 Apr 22 17:36 .Xmodmap \par
-rw-r--r--1 galfina  user 624 Apr 22 17:36 .Xmodmap.USKBD \par
-rw-r--r--1 galfina  user 808 Apr 22 17:36 .Xresources \par
drwx--x--x2 galfina  user 512 Apr 22 17:36 www/ \par
etc. \par
This is the listing of the files and directories of your home directory. \par
Your shell account may give you a different set of  directories and files \par
than this (which is only a partial listing). In any case, if you see \par
anything that looks even a little bit like this, congratulations, you \par
already have a shell account! \par
\par
******************************************************* \par
Newbie note: The first item in that bunch of dashes and letters in front of \par
the file name tells you what kind of file it is.  "d" means it is a \par
directory, and "-" means it is a file. The rest are the permissions your \par
files have. "r" = read permission, "w" = write permission, and "x" = execute \par
permission (no, "execute" has nothing to do with murdering files, it means \par
you have permission to run the program that is in this file). If there is a \par
dash, it means there is no permission there. \par
The symbols in the second, third and fourth place from the left are the \par
permissions that you have as a user, the following three are the permissions \par
everyone in your designated group has, and the final three are the \par
permissions anyone and everyone may have. For example, in galfina's \par
directory the subdirectory "www/" is something you may read, write and \par
execute, while everyone else may only execute. This is the directory where \par
you can put your Web page. The entire world may browse ("execute") your Web \par
page. But only you can read and write to it. \par
If you were to someday discover your permissions looking like: \par
 drwx--xrwx  newbie user 512 Apr 22 17:36 www/ \par
Whoa, that "w" in the third place from last would mean anyone with an \par
account from outside your ISP can hack your Web page! \par
****************************************************** \par
\par
Another command that will tell you whether you have a shell account is \par
"man." This gives you an online Unix manual. Usually you have to give the \par
man command in the form of  "man <command>" where <command> is the name of \par
the Unix command you want to study.  For example, if you want to know all \par
the different ways to use the "ls" command, type "man ls" at the prompt. \par
On the other hand, here is an example of something that, even though it is \par
on a Unix system, is not a shell account: \par
BSDI BSD/386 1.1 (dub-gw-2.compuserve.com) (ttyp7) \par
Connected to CompuServe \par
Host Name: cis \par
Enter choice (LOGON, HELP, OFF): \par
The immediate tip-off that this is not a shell account is that it asks you \par
to "logon" instead of "login:" \par
  \par
How to Get a Shell Account \par
\par
What if you are certain that you don't already have a shell account? How do you find an ISP \par
that will give you one? \par
The obvious place to start is your phone book. Unless you live in a really \par
rural area or in a country where there are few ISPs, there should be a \par
number of companies to choose from. \par
So here's your problem. You phone Boring ISP, Inc. and say, "I'd like a \par
shell account." But Joe Dummy on the other end of the phone says, "Shell? \par
What's a shell account?"  You say "I want a shell account. SHELL ACCOUNT!!!" \par
He says, "Duh?" You say "Shell account. SHELL ACCOUNT!!!" He says, "Um, er, \par
let me talk to my supervisor." Mr. Uptight Supervisor gets on the phone. "We \par
don't give out shell accounts, you dirty &%$*# hacker." \par
Or, worse yet, they claim the Internet access account they are giving you a shell account \par
but you discover it isn't one. \par
To avoid this embarrassing scene, avoid calling big name ISPs. I can \par
guarantee you, America Online, Compuserve and Microsoft Network don't give \par
out shell accounts. \par
What you want to find is the seediest, tiniest ISP in town. The one that \par
specializes in pasty-faced customers who stay up all night playing MOOs and \par
MUDs. Guys who impersonate grrrls on IRC. Now that is not to say that MUD \par
and IRC people are typically hackers. But these definitely are your serious \par
Internet addicts. An ISP that caters to people like that probably also \par
understands the kind of person who wants to learn Unix inside and out. \par
So you phone or email one of these ISPs on the back roads of the Net and \par
say, "Greetings, d00d! I am an evil haxor and demand a shell account \par
pronto!" \par
No, no, no!  Chances are you got the owner of this tiny ISP on the other end of the line. \par
He's probably a hacker himself. Guess what? He loves to hack \par
but he doesn't want hackers (or wannabe hackers) for customers. He doesn't \par
want a customer who's going to be attracting email bombers and waging hacker \par
war and drawing complaints from the sysadmins on whom this deadly dude has \par
been testing exploit code. \par
So what you do is say something like "Say, do you offer shell accounts? I \par
really, really like to browse the Web with lynx. I hate waiting five hours \par
for all those pretty pictures and Java applets to load. And I like to do \par
email with Pine. For newsgroups, I luuuv tin!" \par
Start out like this and the owner of this tiny ISP may say something like, \par
"Wow, dude, I know what you mean. IE and Netscape really s***! Lynx uber \par
alles! What user name would you like?" \par
At this point, ask the owner for a guest account. As you will learn below, \par
some shell accounts are so restricted that they are almost worthless. \par
But let's say you can't find any ISP within reach of a local phone call that \par
will give you a shell account. Or the only shell account you can get is \par
worthless. Or you are well known as a malicious hacker and you've been \par
kicked off every ISP in town. What can you do? \par
Your best option is to get an account on some distant ISP, perhaps even in \par
another country.  Also, the few medium size ISPs that offer shell accounts \par
(for example, Netcom) may even have a local dialup number for you. But if \par
they don't have local dialups,  you can still access a shell account located \par
*anywhere* in the world by setting up a PPP connection with your local \par
dialup ISP, and then accessing your shell account using a telnet program on \par
your home computer. \par
\par
************************************************* \par
Evil Genius Tip: Sure, you can telnet into your shell account from another \par
ISP account. But unless you have software that allows you to send your \par
password in an encrypted form, someone may sniff your password and break \par
into your account. If you get to be well known in the hacker world, lots of \par
other hackers will constantly be making fun of you by sniffing your \par
password. Unfortunately, almost all shell accounts are set up so you must \par
expose your password to anyone who has hidden a sniffer anywhere between the \par
ISP that provides your PPP connection and your shell account ISP. \par
One solution is to insist on a shell account provider that runs ssh (secure \par
shell). \par
************************************************** \par
\par
So where can you find these ISPs that will give you shell accounts? One good source is \par
http://www.celestin.com/pocia/. It provides links to Internet \par
Service Providers categorized by geographic region. They even have links to \par
allow you to sign up with ISPs serving the Lesser Antilles! \par
\par
*********************************************** \par
Evil Genius tip: Computer criminals and malicious hackers will often get a \par
guest account on a distant ISP and do their dirty work during the few hours \par
this guest account is available to them. Since this practice provides the \par
opportunity to cause so much harm, eventually it may become really hard to \par
get a test run on a guest account. \par
*********************************************** \par
\par
But if you want to find a good shell account the hacker way, here's what you do.  Start with a \par
list of your favorite hacker Web sites. For example, let's \par
try http://ra.nilenet.com/~mjl/hacks/codez.htm. \par
You take the beginning part of the URL (Uniform Resource Locator) as your \par
starting point. In this case it is "http://ra.nilenet.com." Try surfing to \par
that URL. In many cases it will be the home page for that ISP. It should \par
have instructions for how to sign up for a shell account. In the case of \par
Nile Net we strike hacker gold: \par
 Dial-up Accounts and Pricing \par
NEXUS Accounts \par
NEXUS Accounts include: Access to a UNIX Shell, full \par
Internet access, Usenet newsgroups, 5mb of FTP and/or \par
WWW storage space, and unlimited time. \par
One Time Activation Fee: $20.00 \par
Monthly Service Fee: $19.95 or \par
Yearly Service Fee: $199.95 \par
Plus which they make a big deal over freedom of online speech. And they host a great hacker \par
page full of these Guides to (mostly) Harmless Hacking! \par
\par
How to Login to Your Shell Account \par
\par
Now we assume you finally have a guest shell account and are ready to test \par
drive it. So now we need to figure out how to login. Now all you hacker \par
geniuses reading this, why don't you just forget to flame me for telling \par
people how to do something as simple as how to login. Please remember that \par
everyone has a first login. If you have never used Unix, this first time can \par
be intimidating. In any case, if you are a Unix genius you have no business \par
reading this Beginners' Guide. So if you are snooping around here looking \par
for flamebait, send your flames to /dev/null. \par
\par
*********************************************************** \par
Newbie note: "Flames" are insulting, obnoxious rantings and ravings done by \par
people who are severely lacking in social skills and are a bunch of &$%@#!! \par
but who think they are brilliant computer savants. For example, this newbie \par
note is my flame against &$%@#!! flamers. \par
 "/dev/null" stands for "device null." It is a file name in a Unix operating \par
system. Any data that is sent to /dev/null is discarded. So when someone \par
says they will put something in "/dev/null" that means they are sending it \par
into permanent oblivion. \par
*********************************************************** \par
\par
The first thing you need to know in order to get into your shell account is your user name \par
and password. You need to get that information from the ISP \par
that has just signed you up. The second thing you need to remember is that \par
Unix is "case sensitive." That means if your login name is "JoeSchmoe" the \par
shell will think "joeschmoe" is a different person than "JoeSchmoe" or \par
"JOESCHMOE." \par
OK, so you have just connected to your shell account for the first time. You may see all \par
sorts of different stuff on that first screen. But the one thing \par
you will always see is the prompt: \par
 login: \par
Here you will type in your user name. \par
In response you will always be asked : \par
 Password: \par
Here you type in your password. \par
After this you will get some sort of a prompt. It may be a simple as: \par
 % \par
or \par
 $ \par
or \par
 > \par
Or as complicated as: \par
 sleepy:~$ \par
Or it may even be some sort of complicated menu where you have to choose a \par
"shell" option before you get to the shell prompt. \par
Or it may be a simple as: \par
 # \par
\par
********************************************************** \par
Newbie note: The prompt "#" usually means you have the superuser powers of  \par
a "root" account. The Unix superuser has the power to do *anything* to the \par
computer. But you won't see this  prompt unless either the systems \par
administrator has been really careless -- or someone is playing a joke on \par
you. Sometimes a hacker thinks he or she has broken into the superuser \par
account because of seeing the "#" prompt. But sometimes this is just a trick \par
the sysadmin is playing. So the hacker goes playing around in what he or she \par
thinks is the root account while the sysadmin and his friends and the police \par
are all laughing at the hacker. \par
********************************************************** \par
\par
Ready to start hacking from your shell account? Watch out, it may be so \par
crippled that it is worthless for hacking. Or, it may be pretty good, but \par
you might inadvertently do something to get you kicked off. To avoid these \par
fates, be sure to read Beginners' Series #3 Part 2 of How to Get a *Good* \par
Shell Account, coming out tomorrow. \par
In case you were wondering about all the input from jericho in this Guide, \par
yes, he was quite helpful in reviewing it and making suggestions. Jericho is \par
a security consultant runs his own Internet host, obscure.sekurity.org. \par
Thank you, jericho@dimensional.com, and happy hacking! \par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
___________________________________________________________ \par
\par
GUIDE TO (mostly) HARMLESS HACKING \par
Beginners' Series #3 Part 2 \par
How to Get a *Good* Shell Account \par
____________________________________________________________ \par
\par
\par
\par
In this section you will learn: \par
\'b7 -how to explore your shell account \par
\'b7 -Ten Meinel Hall of Fame Shell Account Exploration Tools \par
\'b7 -how to decide whether your shell account is any good for hacking \par
\'b7 -Ten Meinel Hall of Fame LAN and Internet Exploration Tools \par
\'b7 -Meinel Hall of Infamy Top Five Ways to Get Kicked out of Your Shell \par
Account \par
\par
How to Explore Your Shell Account \par
\par
So you're in your shell account. You've tried the "ls -alF" command and are pretty sure this \par
really, truly is a shell account. What do you do next? \par
A good place to start is to find out what kind of shell you have. There are \par
many shells, each of which has slightly different ways of working. To do \par
this, at your prompt give the command "echo $SHELL." Be sure to type in the \par
same lower case and upper case letters. If you were to give the command \par
"ECHO $shell," for example, this command won't work. \par
If you get the response: \par
   /bin/sh \par
That means you have the Bourne shell. \par
If you get: \par
   /bin/bash \par
Then you are in the Bourne Again (bash) shell. \par
If you get: \par
   /bin/ksh \par
You have the Korn shell. \par
If the "echo $SHELL" command doesn't work, try the command "echo $shell," \par
remembering to use lower case for "shell."  This will likely get you the \par
answer: \par
   /bin/csh \par
This means you have the C shell. \par
Why is it important to know which shell you have? For right now, you'll want a shell that is \par
easy to use. For example, when you make a mistake in typing, it's nice to hit the backspace \par
key and not see ^H^H^H on your screen. Later, though, for running those super hacker exploits, \par
the C shell may be better for you. \par
Fortunately, you may not be stuck with whatever shell you have when you log in. If your shell \par
account is any good, you will have a choice of shells. \par
Trust me, if you are a beginner, you will find bash to be the easiest shell to use. You may be \par
able to get the bash shell by simply typing the word \par
"bash" at the prompt. If this doesn't work, ask tech support at your ISP for \par
a shell account set up to use bash. A great book on using the bash shell is \par
_Learning the Bash Shell_, by Cameron Newham and Bill Rosenblatt, published \par
by O'Reilly. \par
If you want to find out what other shells you have the right to use, try \par
"csh" to get the C shell; "ksh" to get the Korn shell, "sh" for Bourne \par
shell, "tcsh" for the Tcsh shell, and "zsh" for the Zsh shell. If you don't \par
have one of them, when you give the command to get into that shell you will \par
get back the answer "command not found." \par
Now that you have chosen your shell, the next thing is to explore. See what riches your ISP \par
has allowed you to use. For that you will want to learn, and I mean *really learn* your most \par
important Unix commands and auxiliary \par
programs. Because I am supreme arbiter of what goes into these Guides, I get \par
to decide what the most important commands are. Hmm, "ten" sounds like a \par
famous number. So you're going to get the: \par
Ten Meinel Hall of Fame Shell Account Exploration Tools \par
1) man <command name> \par
This magic command brings up the online Unix manual.  Use it on each of the commands below, \par
today! Wonder what all the man command options are? Try the \par
"man -k" option. \par
2) ls \par
Lists files. Jericho suggests "Get people in the habit of using "ls -alF". \par
This will come into play down the road for security-conscious users." You'll see a huge list \par
of files that you can't see with the "ls" command alone, and lots of details. If you see such \par
a long list of files that they scroll off the terminal screen, one way to solve the problem is \par
to use "ls -alF|more." \par
3) pwd \par
Shows what directory you are in. \par
4) cd <directory> \par
Changes directories.  Kewl directories to check out include /usr, /bin and \par
/etc.  For laughs, jericho suggests exploring in /tmp. \par
5) more <filename> \par
This shows the contents of text files. Also you might be able to find "less" and "cat" which \par
are similar commands. \par
6) whereis <program name> \par
Think there might be a nifty program hidden somewhere?  Maybe a game you \par
love? This will find it for you. Similar commands are "find" and "locate." \par
Try them all for extra fun. \par
7) vi \par
An editing program. You'll need it to make your own files and when you start programming \par
while in your shell account. You can use it to write a really \par
lurid file for people to read when they finger you. Or try "emacs." It's \par
another editing program and IMHO more fun than vi. Other editing programs \par
you may find include "ed" (an ancient editing program which I have used to \par
write thousands of lines of Fortran 77 code), "ex," "fmt," "gmacs," \par
"gnuemacs," and "pico." \par
8) grep \par
Extracts information from files, especially useful for seeing what's in \par
syslog and shell log files. Similar commands are "egrep," "fgrep," and \par
"look." \par
9) chmod <filename> \par
Change file permissions. \par
10) rm <filename> \par
Delete file. If you have this command you should also find "cp" for copy \par
file, and "mv" for move file. \par
  \par
How to Tell Whether Your Shell Account Is any Good for Hacking \par
\par
Alas, not all shell accounts are created equal.  Your ISP may have decided \par
to cripple your budding hacker career by  forbidding your access to \par
important tools. But you absolutely must have access to the top ten tools \par
listed above. In addition, you will need tools to explore both your ISP's \par
local area network (LAN) and the Internet. So in the spirit of being Supreme \par
Arbiter of Haxor Kewl, here are my: \par
Ten Meinel Hall of Fame LAN and Internet Exploration Tools \par
1) telnet <hostname> <port number or name> \par
If your shell account won't let you telnet into any port you want either on its LAN or the \par
Internet, you are totally crippled as a hacker. Dump your ISP \par
now! \par
\par
2) who \par
Shows you who else is currently logged in on your ISP's LAN. Other good \par
commands to explore the other users on your LAN are "w," "rwho, " "users." \par
3) netstat \par
All sorts of statistics on your LAN, including all Internet connections. For real fun, try \par
"netstat -r" to see the kernel routing table. However, jericho \par
warns "Be careful. I was teaching a friend the basics of summing up a Unix \par
system and I told her to do that and 'ifconfig'. She was booted off the \par
system the next day for 'hacker suspicion' even though both are legitimate commands for users." \par
4) whois <hostname> \par
Get lots of information on Internet hosts outside you LAN. \par
5) nslookup \par
Get a whole bunch more information on other Internet hosts. \par
6) dig \par
Even more info on other Internet hosts. Nslookup and dig are not redundant. \par
Try to get a shell account that lets you use both. \par
7) finger \par
Not only can you use finger inside your LAN. It will sometimes get you \par
valuable information about users on other Internet hosts. \par
8) ping \par
Find out if a distant computer is alive and run diagnostic tests -- or just plain be a \par
meanie and clobber people with pings. (I strongly advise \par
*against* using ping to annoy or harm others.) \par
9) traceroute \par
Kind of like ping with attitude. Maps Internet connections, reveals routers and boxes \par
running firewalls. \par
10) ftp \par
Use it to upload and download files to and from other computers. \par
If you have all these tools, you're in great shape to begin your hacking \par
career. Stay with your ISP. Treat it well. \par
Once you get your shell account, you will probably want to supplement the \par
"man" command with a good Unix book . Jericho recommends _Unix in a Nutshell_ published \par
by O'Reilly. "It is the ultimate Unix command reference, and only costs 10 bucks. \par
O'Reilly r00lz." \par
\par
How to Keep from Losing Your Shell Account \par
\par
So now you have a hacker's dream, an account on a powerful computer running Unix. How do \par
you keep this dream account? If you are a hacker, that is not so easy. The problem is that \par
you have no right to keep that account. You can \par
be kicked off for suspicion of being a bad guy, or even if you become \par
inconvenient, at the whim of the owners. \par
Meinel Hall 'O Infamy \par
\par
Top Five Ways to Get Kicked out of Your Shell Account \par
\par
1) Abusing Your ISP \par
Let's say you are reading Bugtraq and you see some code for a new way to \par
break into a computer. Panting with excitement, you run emacs and paste in \par
the code. You fix up the purposely crippled stuff someone put in to keep \par
total idiots from running it. You tweak it until it runs under your flavor \par
of Unix. You compile and run the program against your own ISP. It works! You \par
are looking at that "#" prompt and jumping up and down yelling "I got root! \par
I got root!" You have lost your hacker virginity, you brilliant dude, you!  \par
Only, next time you go to log in, your password doesn't work. You have been \par
booted off your ISP. NEVER, NEVER ABUSE YOUR ISP! \par
\par
********************************************************* \par
You can go to jail warning: Of course, if you want to break into another \par
computer, you must have the permission of the owner. Otherwise you are \par
breaking the law. \par
********************************************************* \par
\par
2) Ping Abuse. \par
Another temptation is to use the powerful Internet connection of your shell account \par
(usually a T1 or T3) to ping the crap out of the people you don't \par
like. This is especially common on Internet Relay Chat. Thinking of ICBMing \par
or nuking that dork? Resist the temptation to abuse ping or any other \par
Internet Control Message Protocol attacks. Use ping only as a diagnostic \par
tool, OK? Please? Or else! \par
3) Excessive Port Surfing \par
Port surfing is telnetting to a specific port on another computer. Usually \par
you are OK if you just briefly visit another computer via telnet, and don't \par
go any further than what that port offers to the casual visitor. But if you \par
keep on probing and playing with another computer, the sysadmin at the \par
target computer will probably email your sysadmin records of your little \par
visits. (These records of port visits are stored in "messages," and \par
sometimes in "syslog" depending on the configuration of your target computer \par
-- and assuming it is a Unix system.) \par
Even if no one complains about you, some sysadmins habitually check the \par
shell log files that keep a record of everything you or any other user on \par
the system has been doing in their shells. If your sysadmin sees a pattern \par
of excessive attention to one or a few computers, he or she may assume you \par
are plotting a break-in. Boom, your password is dead. \par
4) Running Suspicious Programs \par
If you run a program whose primary use is as a tool to commit computer \par
crime, you are likely to get kicked off your ISP. For example, many ISPs \par
have a monitoring system that detects the use of the program SATAN.  Run \par
SATAN from your shell account and you are history. \par
  \par
********************************************************** \par
Newbie note: SATAN stands for Security Administration Tool for Analyzing \par
Networks. It basically works by telnetting to one port after another of the \par
victim computer. It determines what program (daemon) is running on each \par
port, and figures out whether that daemon has a vulnerability that can be \par
used to break into that computer. SATAN can be used by a sysadmin to figure \par
out how to make his or her computer safe. Or it may be just as easily used \par
by a computer criminal to break into someone else's computer. \par
*********************************************************** \par
  \par
5) Storing Suspicious Programs \par
It's nice to think that the owners of your ISP mind their own business. But they don't. \par
They snoop in the directories of their users. They laugh at your \par
email. OK, maybe they are really high-minded and resist the temptation to \par
snoop in your email. But chances are high that they will snoop in your shell \par
log files that record every keystroke you make while in your shell account. \par
If they don't like what they see, next they will be prowling your program \par
files. \par
One solution to this problem is to give your evil hacker tools innocuous \par
names. For example, you could rename SATAN to ANGEL. But your sysdamin may \par
try running your programs to see what they do. If any of your programs turn \par
out to be commonly used to commit computer crimes, you are history. \par
Wait, wait, you are saying. Why get a shell account if I can get kicked out even for legal, \par
innocuous hacking? After all, SATAN is legal to use. In \par
fact, you can learn lots of neat stuff with SATAN. Most hacker tools, even \par
if they are primarily used to commit crimes, are also educational. Certainly \par
if you want to become a sysadmin someday you will need to learn how these \par
programs work. \par
Sigh, you may as well learn the truth. Shell accounts are kind of like \par
hacker training wheels. They are OK for beginner stuff. But to become a \par
serious hacker, you either need to find an ISP run by hackers who will \par
accept you and let you do all sorts of suspicious things right under their \par
nose. Yeah, sure. Or you can install some form of Unix on your home \par
computer. But that's another Guide to (mostly)  Harmless Hacking (Vol. 2 \par
Number 2: Linux!). \par
If you have Unix on your home computer and use a PPP connection to get into the Internet, \par
your ISP is much less likely to snoop on you. Or try making \par
friends with your sysadmin and explaining what you are doing. Who knows, you \par
may end up working for your ISP! \par
In the meantime, you can use your shell account to practice just about \par
anything Unixy that won't make your sysadmin go ballistic. \par
\par
************************************************************ \par
Would you like a shell account that runs industrial strength Linux -- with \par
no commands censored? Want to be able to look at the router tables, port \par
surf all.net, and keep SATAN in your home directory without getting kicked \par
out for suspicion of hacking? Do you want to be able to telnet in on ssh \par
(secure shell)so no one can sniff your password? Are you willing to pay $30 \par
per month for unlimited access to this hacker playground? How about a seven \par
day free trial account? Email haxorshell@techbroker.com for details. \par
************************************************************ \par
\par
In case you were wondering about all the input from jericho in this Guide, yes, \par
he was quite helpful in reviewing this and making suggestions. Jericho is a security \par
consultant and also runs his own Internet host, obscure.sekurity.org. Thank you, \par
jericho@dimensional.com, and happy hacking! \par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
___________________________________________________________ \par
\par
GUIDE TO (mostly) HARMLESS HACKING \par
Beginners' Series Number 4 \par
How to use the Web to look up information on hacking. \par
This GTMHH may be useful even to Uberhackers (oh, no, flame alert!) \par
____________________________________________________________ \par
\par
\par
\par
Want to become really, really unpopular? Try asking your hacker friends too many questions \par
of the wrong sort. \par
But, but, how do we know what are the wrong questions to ask? OK, I \par
sympathize with your problems because I get flamed a lot, too. That's partly \par
because I sincerely believe in asking dumb questions. I make my living \par
asking dumb questions. People pay me lots of money to go to conferences, \par
call people on the phone and hang out on Usenet news groups asking dumb \par
questions so I can find out stuff for them. And, guess what, sometimes the \par
dumbest questions get you the best answers. So that's why you don't see me \par
flaming people who ask dumb questions. \par
\par
******************************************************** \par
Newbie note: Have you been too afraid to ask the dumb question, "What is a \par
flame?" Now you get to find out! It is a bunch of obnoxious rantings and \par
ravings made in email or a Usenet post by some idiot who thinks he or she is \par
proving his or her mental superiority through use of foul and/or impolite \par
language such as "you suffer from rectocranial inversion," f*** y***, d****, \par
b****, and of course @#$%^&*! This newbie note is my flame against those \par
flamers to whom I am soooo superior. \par
******************************************************** \par
\par
But even though dumb questions can be good to ask, you may not like the \par
flames they bring down on you. So, if you want to avoid flames, how do you \par
find out answers for yourself? \par
This Guide covers one way to find out hacking information without having to ask people \par
questions: by surfing the Web. The other way is to buy lots and \par
lots of computer manuals, but that costs a lot of money. Also, in some parts \par
of the world it is difficult to get manuals. Fortunately, however, almost \par
anything you want to learn about computers and communications is available \par
for free somewhere on the Web. \par
First, let's consider the Web search engines. Some just help you search the Web itself. \par
But others enable you to search Usenet newsgroups that have been \par
archived for many years back. Also, the best hacker email lists are archived \par
on the Web, as well. \par
There are two major considerations in using Web search engines. One is what search \par
engine to use, and the other is the search tactics themselves. \par
I have used many Web search engines. But eventually I came to the conclusion \par
that for serious research, you only need two: Alavista (http://altavista.digital.com)\par
and Dejanews (http://www.dejanews.com). \par
Altavista is the best for the Web, while Dejanews is the best one for \par
searching Usenet news groups. But, if you don't want to take me at my word, \par
you may surf over to a site with links to almost all the Web and Newsgroup \par
search engines at http://sgk.tiac.net/search/. \par
But just how do you efficiently use these search engines? If you ask them to find \par
"hacker" or even "how to hack," you will get bazillions of Web sites \par
and news group posts to read. OK, so you painfully surf through one hacker \par
Web site after another. You get portentous-sounding organ music, skulls with \par
red rolling eyes, animated fires burning, and each site has links to other \par
sites with pretentious music and ungrammatical boastings about "I am 31337, \par
d00dz!!! I am so *&&^%$ good at hacking you should bow down and kiss my \par
$%^&&*!" But somehow they don't seem to have any actual information. Hey, \par
welcome to the wannabe hacker world! \par
You need to figure out some words that help the search engine of your choice get \par
more useful results. For example, let's say you want to find out whether I, the \par
Supreme R00ler of the Happy Hacker world, am an elite hacker chick or merely some poser. \par
Now the luser approach would to simply go to \par
http://www.dejanews.com and do a search of Usenet news groups for "Carolyn \par
Meinel," being sure to click the "old" button to bring up stuff from years \par
back. But if you do that, you get this huge long list of posts, most of \par
which have nothing to do with hacking: \par
CDMA vs GSM - carolyn meinel <cmeinel@unm.edu> 1995/11/17 \par
Re: October El Nino-Southern Oscillation info gonthier@usgs.gov (Gerard J. \par
Gonthier) 1995/11/20 \par
Re: Internic Wars MrGlucroft@psu.edu (The Reaver) 1995/11/30 \par
shirkahn@earthlink.net (Christopher Proctor) 1995/12/16 \par
Re: Lyndon LaRouche - who is he? lness@ucs.indiana.edu (lester john ness) \par
1996/01/06 \par
U-B Color Index observation data - cmeinel@nmia.com (Carolyn P. Meinel) \par
1996/05/13 \par
Re: Mars Fraud? History of one scientist involved gksmiley@aol.com (GK \par
Smiley) 1996/08/11 \par
Re: Mars Life Announcement: NO Fraud Issue twitch@hub.ofthe.net 1996/08/12 \par
Hackers Helper E-Zine wanted - rcortes@tuna.hooked.net (Raul Cortes) \par
1996/12/06 \par
Carolyn Meinel, Sooooooper Genius - nobody@cypherpunks.ca (John Anonymous \par
MacDonald, a remailer node) 1996/12/12 \par
Anyhow, this list goes on and on and on. \par
But if you specify "Carolyn Meinel hacker" and click "all" instead of "any" on the \par
"Boolean" button, you get a list that starts with: \par
Media: "Unamailer delivers Christmas grief" -Mannella@ipifidpt.difi.unipi.it \par
(Riccardo Mannella) 1996/12/30 Cu Digest, #8.93, Tue 31 Dec 96 - Cu Digest \par
(tk0jut2@mvs.cso.niu.edu) \par
<TK0JUT2@MVS.CSO.NIU.EDU> 1996/12/31 \par
RealAudio interview with Happy Hacker - bmcw@redbud.mv.com (Brian S. \par
McWilliams) 1997/01/08 \par
Etc. \par
This way all those posts about my boring life in the world of science don't \par
show up, just the juicy hacker stuff. \par
Now suppose all you want to see is flames about what a terrible hacker I am. \par
You could bring those to the top of the list by adding (with the "all" \par
button still on) "flame" or "f***" or "b****" being careful to spell out \par
those bad words instead fubarring them with ****s. For example, a search on \par
"Carolyn Meinel hacker flame" with Boolean "all" turns up only one post.  \par
This important tome says the Happy Hacker list is a dire example of what \par
happens when us prudish moderator types censor naughty words and inane \par
diatribes. \par
\par
****************************************** \par
Newbie note: "Boolean" is  math term. On the Dejanews search engine they \par
figure the user doesn't have a clue of what "Boolean" means so they give you \par
a choice of "any" or "all" and then label it "Boolean" so you feel stupid if \par
you don't understand it. But in real Boolean algebra we can use the \par
operators "and" "or" and "not" on word searches (or any searches of sets). \par
"And" means you would have a search that turns up only items that have "all" \par
the terms you specify; "or" means you would have a search that turns up \par
"any" of the terms. The "not" operator would exclude items that included the \par
"not" term even if they have any or all of the other search terms. Altavista \par
has real Boolean algebra under its "advanced"" search option. \par
****************************************** \par
\par
But let's forget all those Web search engines for a minute. In my humble yet old-fashioned \par
opinion, the best way to search the Web is to use it exactly \par
the way its inventor, Tim Berners-Lee, intended. You start at a good spot \par
and then follow the links to related sites. Imagine that! \par
Here's another of my old fogie tips. If you want to really whiz around the \par
Web, and if you have a shell account, you can do it with the program lynx. \par
At the prompt, just type "lynx followed by the URL you want to visit. \par
Because lynx only shows text, you don't have to waste time waiting for the \par
organ music, animated skulls and pornographic JPEGs to load. \par
So where are good places to start? Simply surf over to the Web sites listed at \par
the end of this Guide. Not only do they carry archives of these Guides, they carry a \par
lot of other valuable information for the newbie hacker, as well as links to other \par
quality sites. My favorites are:       http://www.cs.utexas.edu/users/matt/hh.html and \par
http://www.silitoad.org \par
Warning: parental discretion advised. You'll see some other great starting \par
points elsewhere in this Guide, too. \par
Next, consider one of the most common questions I get: "How do I break into a \par
computer????? :( :(" \par
Ask this of someone who isn't a super nice elderly lady like me and you will get a \par
truly rude reaction. Here's why. The world is full of many kinds of \par
computers running many kinds of software on many kinds of networks. How you \par
break into a computer depends on all these things. So you need to thoroughly \par
study a computer system before you an even think about planning a strategy \par
to break into it. That's one reason breaking into computers is widely \par
regarded as the pinnacle of hacking. So if you don't realize even this much, \par
you need to do lots and lots of homework before you can even dream of \par
breaking into computers. \par
But, OK, I'll stop hiding the secrets of universal computer breaking and \par
entry. Check out: \par
Bugtraq archives: http://geek-girl.com/bugtraq \par
NT Bugtraq archives: http://ntbugtraq.rc.on.ca/index.html \par
\par
*************************************************** \par
You can go to jail warning: If you want to take up the sport of breaking \par
into computers, you should either do it with your own computer, or else get \par
the permission of the owner if you want to break into someone else's \par
computer. Otherwise you are violating the law. In the US, if you break into \par
a computer that is across a state line from where you launch your attack, \par
you are committing a Federal felony. If you cross national boundaries to \par
hack, remember that most nations have treaties that allow them to extradite \par
criminals from each others' countries. \par
*************************************************** \par
\par
Wait just a minute, if you surf over to those site you won't instantly \par
become an Ubercracker. Unless you already are an excellent programmer and \par
knowledgeable in Unix or Windows NT, you will discover the information at \par
these two sites will *NOT* instantly grant you access to any victim computer \par
you may choose. It's not that easy. You are going to have to learn how to \par
program. Learn at least one operating system inside and out. \par
Of course some people take the shortcut into hacking. They get their \par
phriends to give them a bunch of canned break-in programs. Then they try \par
them on one computer after another until they stumble into root and \par
accidentally delete system files. The they get busted and run to the \par
Electronic Freedom Foundation and whine about how the Feds are persecuting \par
them. \par
So are you serious? Do you *really* want to be a hacker badly enough to \par
learn an operating system inside and out? Do you *really* want to populate \par
your dreaming hours with arcane communications protocol topics? The \par
old-fashioned, and super expensive way is to buy and study lots of manuals. \par
<Geek mode on> Look, I'm a real believer in manuals. I spend about $200 per \par
month on them. I read them in the bathroom, while sitting in traffic jams, \par
and while waiting for doctor's appointments. But if I'm at my desk, I prefer \par
to read manuals and other technical documents from the Web. Besides, the Web \par
stuff is free! <Geek mode off> \par
The most fantastic Web resource for the aspiring geek, er, hacker, is the \par
RFCs. RFC stands for "Request for Comment." Now this sounds like nothing \par
more than a discussion group. But actually RFCs are the definitive documents \par
that tell you how the Internet works. The funny name "RFC" comes from \par
ancient history when lots of people were discussing how the heck to make \par
that ARPAnet thingy work. But nowadays RFC means "Gospel Truth about How the \par
Internet Works" instead of "Hey Guys, Let's Talk this Stuff Over." \par
\par
******************************************************** \par
Newbie note: ARPAnet was the US Advanced Research Projects Agency experiment \par
launched in 1969 that evolved into the Internet. When you read RFCs you will \par
often find references to ARPAnet and ARPA -- or sometimes DARPA. That "D" \par
stands for "defense." DARPA/ARPA keeps on getting its name changed between \par
these two. For example, when Bill Clinton became US President in 1993, he \par
changed DARPA back to ARPA because "defense" is a Bad Thing. Then in 1996 \par
the US Congress passed a law changing it back to DARPA because "defense" is \par
a Good Thing. \par
******************************************************** \par
\par
Now ideally you should simply read and memorize all the RFCs. But there are zillions of \par
RFCs and some of us need to take time out to eat and sleep. So \par
those of us without photographic memories and gobs of free time need to be \par
selective about what we read. So how do we find an RFC that will answer \par
whatever is our latest dumb question? \par
One good starting place is a complete list of all RFCs and their titles at \par
ftp://ftp.tstt.net.tt/pub/inet/rfc/rfc-index. Although this is an ftp (file \par
transfer protocol) site, you can access it with your Web browser. \par
Or, how about the RFC on RFCs! That's right, RFC 825 is "intended to clarify \par
the status of RFCs and to provide some guidance for the authors of RFCs in the future.  \par
It is in a sense a specification for RFCs." To find this RFC, \par
or in fact any RFC for which you have its number, just go to Altavista and \par
search for "RFC 825" or whatever the number is. Be sure to put it in quotes \par
just like this example in order to get the best results. \par
Whoa, these RFCs can be pretty hard to understand! Heck, how do we even know \par
which RFC to read to get an answer to our questions? Guess what, there is \par
solution, a fascinating group of RFCs called "FYIs" Rather than specifying \par
anything, FYIs simply help explain the other RFCs. How do you get FYIs? \par
Easy! I just surfed over to the RFC on FYIs (1150) and learned that: \par
FYIs can be obtained via FTP from NIC.DDN.MIL, with the pathname FYI:mm.TXT, \par
or RFC:RFCnnnn.TXT (where "mm" refers to the number of the FYI and "nnnn" refers to the \par
number of the RFC).  Login with FTP, username ANONYMOUS and password GUEST.  The NIC also \par
provides an automatic mail service for those sites which cannot use FTP.  Address the \par
request to SERVICE@NIC.DDN.MIL and in the subject field of the message indicate the FYI or \par
RFC number, as in "Subject: FYI mm" or "Subject: RFC nnnn". \par
But even better than this is an organized set of RFCs hyperlinked together \par
on the Web at http://www.FreeSoft.org/Connected/. I can't even begin to \par
explain to you how wonderful this site is. You just have to try it yourself. \par
Admittedly it doesn't contain all the RFCs. But it has a tutorial and a \par
newbie-friendly set of links through the most important RFCs. \par
Last but not least, you can check out two sites that offer a wealth of \par
technical information on computer security: \par
http://csrc.nist.gov/secpubs/rainbow/ \par
http://GANDALF.ISU.EDU/security/security.html security library \par
I hope this is enough information to keep you busy studying for the next \par
five or ten years. But please keep this in mind. Sometimes it's not easy to \par
figure something out just by reading huge amounts of technical information. \par
Sometimes it can save you a lot of grief just to ask a question. Even a dumb question. \par
Hey, how would you like to check out the Web site for those of us \par
who make our living asking people dumb questions? Surf over to http://www.scip.org. \par
That's the home page of the Society of Competitive \par
Information Professionals, the home organization for folks like me. So, go \par
ahead, make someone's day. Have phun asking those dumb questions. Just \par
remember to fireproof your phone and computer first! \par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
__________________________________________________________ \par
\par
GUIDE TO (mostly) HARMLESS HACKING \par
Beginners' Series Number 5 \par
PGP for Newbies \par
____________________________________________________________ \par
\par
\par
\par
Do you cringe at the idea of people snooping on your email and through the \par
files on your computer?  Encryption is the only way to be absolutely certain \par
you can keep your private stuff really private.  Even if you are a newbie, \par
encryption can be surprisingly easy  -- if you use the free PGP program, the \par
encryption technique so powerful that it is illegal to use in some \par
countries!   The following GTMHH was written by Keydet89 <keydet89@yahoo.com>, so \par
if you want to ask questions, email him and not me! (Carolyn Meinel). \par
\par
This Guide will tell you about: \par
  -Creating your own keys \par
  -Importing keys \par
  -Creating a group of keys \par
  -Making your public key public \par
  -Encrypting Files \par
  -Encrypting your email \par
\par
PGP is a personal encryption program that you can use to \par
encrypt files or email. \par
PGP is 'Pretty Good Privacy', originally created by Phil \par
Zimmerman.  The long and short of the story is that Phil \par
released his encryption program to the public and was \par
investigated by the federal government.  As soon as the \par
investigation was closed, Phil started a company based on \par
his product, which was later purchased by Network Associates. \par
You can get the freeware version of PGP from: \par
http://www.nai.com/products/security/pgpfreeware.asp \par
**Be prepared for a wait, as this is approximately a 5.5Mb \par
file. \par
Note:  All of the examples used in this Guide are performed \par
using PGPfreeware 6.0.  The link above is for this version. \par
\par
************************************************************ \par
Newbie Note:  How to use PGP will be described, but if you \par
want to make it a little easier to use, download the Eudora \par
email client and install PGP's Eudora plug-in.  The tools \par
from PGP appear as icons on the toolbar in Eudora, and \par
encrypting or decrypting an email is as easy as selecting \par
an icon. \par
To get Eudora freeware to use with PGP, go to: \par
http://www.eudora.com/products/ \par
************************************************************ \par
\par
Once you have the PGP freeware program, double-click on the \par
icon to install it.  Just follow the instructions, they are \par
very straight-forward, and there are no tricks or surprises \par
along the way.  You will have to reboot your computer, though, \par
but when you do, PGP Tray should be in your Startup group, and \par
there will be a little lock icon on the TaskBar. \par
NOTE:  For the purposes of this Guide, PGP 6.0 was installed \par
on NT 4.0/SP 3.  However, there should be no great difference \par
with 95/98. \par
Okay, once you have PGP installed, you need to create your own \par
keys.  But before we get started on that, let's briefly describe \par
how all of this works... \par
Briefly, the idea is this...PGP generates strong cryptographic \par
keys, a public and a private key.  You keep the private key, and \par
distribute your public key...attach it to your email by using a \par
signature file, post it on a web page, whatever.  You get your \par
friends public keys and import them into PGP Tools.  When you want \par
to send an encrypted email, you encrypt the email using the public \par
key of whomever you are sending it to...and only that person will \par
be able to decrypt it using their private key.  You can also sign \par
the files and emails so that whomever has your public key in their \par
key ring will know that the file is from you, and not someone \par
pretending to be you. \par
\par
Creating your own keys \par
\par
Now, let's generate a key pair.  Click Start -> Programs -> PGP -> \par
PGP Keys.  Note:  This assumes that you installed PGP using the \par
default options.  You will see lots of keys already in the PGP Keys \par
tool...these are the keys of the folks at PGP, Inc, which is now \par
part of Network Associates.  Scroll down until you find Phil \par
Zimmerman's key...he is the creator of PGP. \par
To create your own pair, choose Keys -> New Key... and follow the \par
instructions.  The second screen of the Key Generation Wizard asks \par
for your full name and an email address.  If you have one of the \par
free email accounts from Yahoo or HotMail, you may choose to use \par
that email address.  The third screen asks you to pick how large \par
of a key pair you wish to generate...since the Happy Hacker herself \par
uses 3072 bits, we'll choose the same strength. \par
\par
************************************************************ \par
Newbie Note:  The size of the key determines its strength... \par
the larger the key, the harder it is to crack. \par
************************************************************ \par
\par
On the fourth screen, choose 'Key pair never expires'. The fifth screen asks for a \par
passphrase to protect your private key. Choose something that is not at all easy to guess...and \par
then mix in numbers, capital letters, and punctuation.  After you confirm your passphrase and \par
click 'Next', there will be a way cool graphic while PGP generates your key pair. \par
Next, since we're just setting this up on our own system, and not \par
connecting to a root server (a server that is used by companies to \par
manage lots of keys), do not check the 'Send my key to the root \par
server now' box. \par
You now have your own key pair!! \par
\par
Importing keys \par
\par
Okay, now what?  Hhhmmm....let's look at an example of how to \par
import keys.  Go to: \par
http://koan.happyhacker.org/~satori/satori.asc \par
There are two key blocks on this page...looks like two different \par
versions of PGP.  Great.  Look at the larger one...now highlight \par
it, including the lines that contain 'BEGIN (END) PGP PUBLIC KEY \par
BLOCK'. \par
NOTE:  We are only going to import the lower key block.  Do not \par
include the upper key block...the smaller one that says 'Version \par
2.6.2'. \par
Highlight the entire 'Version:  PGPfreeware 5.0i' block, and \par
press 'ctrl-c' (ie, hold down the control key, and press the 'c' \par
key) or choose Edit -> Copy from your browser. \par
Minimize the browser and open PGP Keys. \par
Choose Edit -> Paste, and you'll see Satori's key in the \par
dialog window.  The email address used is 'satori@rt66.com'. \par
Click 'Import'.  Now you have Satori's public key, and you can \par
encrypt messages to him...and only him. \par
PGP ships with two public key servers built in.  To see them, \par
open PGPKeys, and choose Server -> Search.  The drop-down box \par
at the top of the Search Window will list an LDAP server at \par
PGP.COM and an HTTP connection to MIT.EDU.  You can search for \par
keys by typing in the name of the user you are looking for...I \par
found the Happy Hacker's public key in a matter of seconds!  I \par
just clicked on her key, and dragged it to my PGPKeys window... \par
Hint:  For the search, use the UserID of 'Carolyn Meinel'. \par
\par
Creating a group of keys \par
\par
Now let's create a group of keys. What this does is keep several \par
keys together, so if you have several keys from friends and you \par
want to encrypt a file for all of them, you don't have to go about \par
encrypting the file for each person. \par
In PGPKeys, choose Groups -> New Group..., and enter the \par
information asked for. \par
Choose Groups -> Show Groups, and a lower dialog window will open \par
in PGPKeys, with the name of the group you just created. \par
To add keys to the group, highlight the key you want to add and \par
click 'ctrl-c' to copy the keys to the clipboard. \par
Highlight the group, right-click on it to open the popup menu, \par
and choose Paste.  The keys will be pasted into the group. \par
\par
Making your public key public \par
\par
There are a couple of ways to make your public key available. \par
We'll describe two methods...using a public key server, or saving the key to a text file \par
so that someone else can import it. \par
First, as stated above, PGP ships with two public servers...one \par
at PGP.COM, the other at MIT.  When you are connected to the \par
Internet, open PGPKeys, select your key pair, and click Server -> \par
Send to, and choose the server you want to send your public key \par
to. \par
The other method is to save your public key to a file.  This \par
file can be sent to your friends, or pasted into your signature \par
file on your email.  To save your public key to a file: \par
Open PGPKeys, and select your key pair. \par
Click Keys -> Export, and a file dialog will open. \par
Choose a filename. \par
To save your public key into a document that already exists, \par
such as a signature file for your email: \par
Select your key pair. \par
Click Edit -> Copy (or hit ctrl-c). \par
Move to the document where you want the key saved, and choose \par
Edit -> Paste from the menubar for the document (or hit ctrl-v). \par
\par
Encrypting Files \par
\par
Warning: The next example shows you how to encrypt and decrypt \par
your files.  Choose a file to try the example on but do NOT try it on a system file or other \par
important file!! \par
Want to encrypt a file on your machine?  Great, let's try it. \par
Open up any folder, and choose any file.  Right-click on the \par
file, and go to PGP in the popup menu.  Choose 'Encrypt', and \par
choose your key pair from the dialog window.  Now, click on the \par
pair, and drag it into the lower window.  PGP will encrypt the \par
file and you'll see another icon pop up...an armor plate with a \par
lock on it.  Very appropriate, if you think about it. \par
Now to decrypt the file, make sure that you've moved or deleted \par
the original file (make sure that you aren't using a system or \par
other important file for this example!!) and double-click on the \par
encrypted file.  Enter your passphrase in the lower dialog window, \par
and BANG!, your file is decrypted. \par
This is a great way to protect your files.  And it's free! \par
To encrypt a file for the group, just follow the same steps as \par
above, but choose the group name instead of a single key. \par
\par
Encrypting your email \par
\par
Now, encrypting your email...if you are using Eudora or (god \par
forbid!!) Outlook, then you could have opted to use the PGP plug-ins for either of them.  \par
However, if you don't use either of the two mail clients, then in order to encrypt your \par
email, can choose a couple of options. \par
First, using an email client such as Netscape, you can easily \par
encrypt the file as described above, and attach it to the email. \par
Another option is to type what you want into the message area of \par
the email, and then highlight it and click 'ctrl-c' to copy the \par
text to the clipboard.  Then right-click on the PGP Tray icon on \par
the TaskBar (the little lock) and choose 'Encrypt & Sign Clipboard'.  \par
The PGPKeys window will open, and you need to choose to whom you wish to encrypt the message.  \par
You'll be prompted for your passphrase, as the message will be signed, so that your friend \par
(who has your public key) will know that it's from you. \par
Once the text on the clipboard is encrypted, go back to the email \par
(or file) and highlight the text again, and click 'ctrl-v' \par
(hold down the control key and hit 'v') and the encrypted \par
message will be pasted into the email over the original message. \par
\par
************************************************************ \par
Newbie Note:  If the PGP Tray icon isn't on your TaskBar, \par
check your Startup folder.  If it's not in the Startup folder, \par
add a shortcut to PGPTray.exe to the folder. \par
If at any time you are having difficulty trying to do anything \par
with your keys, simply open the Help in PGP.  The help documents \par
are very good...they are clear, descriptive, and concise. \par
************************************************************ \par
\par
Here's my (Keydet89) public key: \par
-----BEGIN PGP PUBLIC KEY BLOCK----- \par
Version: PGPfreeware 6.0 for non-commercial use <http://www.pgp.com> \par
mQGiBDYMk4YRBAD3QaP+/6SFBzkdZLc+iVlfRJ1q7F3axQOK3uAgEMQ41kyJVQju \par
Ynn+ZnVG8qgPRnvD3DkapzmWpl/lgc+ezmA9Af6pezrFKEBP9NWZN8u53qXNKPxo \par
CaIIikhoOcd+5YnrsezKvDN6ab8vWcYgrui3ecMu6AmAxnFAj+rCiQizvQCg/6V8 \par
sYmhkBIqTbu8eMwZ/G7OXq8D/13LtUsoLB/Z9Wtza661GtZ/O9NLiA0qlJbDOkvf \par
cv9k76KvzHCshvTwM/s9sqmc5EuB4cvNNILelW0wMcQrM+NBNNxtgGf/Q4+nh0kB \par
11GSOOijIEDFLSb2MIu3I1wDeFLiSD30F88MjpK517bhLIPY+xt5EtIBzFx6Xh27 \par
23EFA/9IZkLzO7fwAtjljWCyw72e4sxXDPO5v1GFBG+TZF9DM+Zzbfext9Wkw5MW \par
DMStICIaCYAsq5ywaQUrzPe2WJfeQqNbSOi9QULnri7dg0jBOxHHPkMDy4wxKqmu \par
dS4txrCedXKWALKVnFfDy2bfrLZ9WYP2YIqta3QoYvg5Qkpy+LQdS2V5ZGV0ODkg \par
PGtleWRldDg5QHlhaG9vLmNvbT6JAEsEEBECAAsFAjYMk4YECwMCAQAKCRA5IB4E \par
SkfiCzxJAJ9I8COJS34TOJftyPXFLHz1qpAFiwCg8c9G3jZRv4ki5MjufpPDtnOQ \par
5zG5Aw0ENgyThhAMAMwdd1ckOErixPDojhNnl06SE2H22+slDhf99pj3yHx5sHId \par
OHX79sFzxIMRJitDYMPj6NYK/aEoJguuqa6zZQ+iAFMBoHzWq6MSHvoPKs4fdIRP \par
yvMX86RA6dfSd7ZCLQI2wSbLaF6dfJgJCo1+Le3kXXn11JJPmxiO/CqnS3wy9kJX \par
twh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV89AHxstDqZSt90xk \par
hkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39uK50T8X8dryDxUcwYc58 \par
yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1YTknbzSC0neSRBzZrM2w4 \par
DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdXQ6MdGGzeMyEstSr/ \par
POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAkbTCD1mpF1Bn5x8vYlL \par
IhkmuquiXsNV6UwybwACAgv+PxYBW2jJR/SP7xiaZ0TZ8E1QsgyZfN0EBHb8oogw \par
hpNmJzqjmTLWrPpTMRlHVkPxikunEnUIL1tBzrPGaz+CuUOhCFAVqXr/JwCF2ocQ \par
Zus/rtucN7PPqvkC5IMYW04MvBGE4n/7pbNFelXZb790nkyOamVh0zqMokraQtfW \par
mi4qQrlg0yEqiLt1JUvf/mdaSR2UdYiLMLg43oIPXmp608DjtUWXBU8nZuYLq60v \par
dQde2dX82cOvlswR3/z43KGrhsklQwKZoPq1IkcP3pA9Jjqq3ltLXf5A74vFCetl \par
JBoLUW0pCIuN1GcG4qAIeUusTuyX6QtO6pfvfYyNhyEF+ylJGyt93VSUssNF1wR/ \par
UodXQ3NdtQAWYrNXTWwrXDN9Sm4rG/rHU/BPbd0VLC8PH8wraVluk/NzMrMdPGhj \par
mnxeHcBRb0WtIA6hZt+rIJBsel7In6ayl0UbnZWFkp0AZshmh0DKBy46Tr4V2UYM \par
NdjL9AemPh4kd64VmvJ2GHleiQBGBBgRAgAGBQI2DJOGAAoJEDkgHgRKR+IL3BwA \par
oIkAAwmgpFp9CLq1SX4sPj871eekAKCag3rN+zsu1dh3lBJQ4lYw7TmtAg== \par
=0E/c \par
-----END PGP PUBLIC KEY BLOCK----- \par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
\par
____________________________________________________________ \par
\par
GUIDE TO (mostly) HARMLESS HACKING \par
Beginners' Series Number 6 \par
The Exploit Files \par
____________________________________________________________ \par
\par
\par
\par
How many times have you read hacker newsgroups or email lists and seen posts that begged \par
"teach me to hack," or asked "how do I hack this"? It often \par
looks as though the person asking the question just doesn't understand the \par
basics of vulnerabilities and their exploits. The purpose of this Guide is \par
to explain what vulnerabilities and exploits are, and how they relate to \par
computer security. \par
Let's start with an example. Suppose that you are trying to sell something \par
by phone. So you start by calling phone numbers, and you keep calling until \par
you get someone to answer, not an answering machine, but a real live person. \par
Then if the person who answers the phone speaks the same language as you and can understand \par
you, you try to sell your product.  Lots of people will hang \par
up on you, but eventually, someone will buy something...bang!  You've \par
scored! \par
\par
In this Guide you will learn: \par
        -What is a vulnerability \par
        -What is an exploit \par
        -How to look for vulnerabilities \par
 \par
So what does this have to do with 'hacking'?  Look at your dialing of phone numbers as port \par
scanning IP (Internet protocol) addresses on the Internet. \par
Some Internet host computers won't answer. Maybe a firewall is blocking the ports that you're \par
scanning.  Some hosts will answer, and at that point \par
maybe, just maybe, you've found a vulnerable computer. \par
\par
******************************************************************** \par
Newbie note: What are these 'ports' we are talking about?  This kind of \par
'port'  is a number used to identify a service on an Internet host.  For \par
this reason they are often called 'TCP/IP' (transfer control \par
protocol/Internet protocol) ports, to distinguish them from other kinds of \par
computer ports such as modems, ports to printers, etc. Each  host computer \par
connected to the Internet is identified by an IP address such as \par
'victim.fooisp.com.'  Since each host may have many  services running, each \par
service uses a different port.  To contact any of these ports across the \par
Internet, you use the host's IP address and port number -- it's kind of like \par
dialing a phone number. \par
******************************************************************** \par
\par
Now maybe you have connected to telnet, port 23.  You get a login prompt, \par
but you don't know any valid username/password combinations.  So the host \par
"hangs up" on you.  After many hours of trying, you connect to a host on the \par
right port, and Shazam!! You're greeted with a login prompt, and you quickly \par
guess a valid username and password combination.  The next thing you know, \par
you have a command prompt. You have discovered a vulnerability -- an easily \par
guessed password! So being the 'white hat hacker' that you are, you send an \par
email to the sysadmin of the site and leave quietly. \par
\par
***************************************************************** \par
Newbie note: A 'host'  is a computer connected to the Internet. A 'service' \par
is a program that is running on a port of an Internet host. Each service is \par
a program that will respond to certain commands. If you give it the right \par
command, you will get it to do something for you. \par
The simplest example of a service is 'chargen', or character generator (port 19). If you make a \par
telnet connection on the chargen port to a server running the chargen service, this program will \par
react to this connection by sending a string of characters which you will see being repeated \par
across your telnet screen.  All you need to do is connect to the service. \par
Another example of a service is finger (port 79).  If you run a finger \par
program to request information on a particular user from a specific host, \par
and the finger service (or 'fingerd') is running, and if the user has not \par
instructed the finger service to ignore requests about him or her, you will \par
get back information on that user. \par
***************************************************************** \par
\par
What services are run from these ports, and how can we learn more about \par
them? Ports numbered from 1 to 1024 are called the 'well-known' ports. \par
These are listed in RFC 1700 (see http://www.internetnorth.com.au/keith/networking/rfc.html).  Many of the \par
well-known ports are also listed in a file on your computer called 'services'.  On Win95, it's c:\\windows\\services; on NT, it's c:\\winnt\\system32\\drivers\\etc\\services; on many Unix type computers (your \par
shell account) it's /etc/services.\par
These ports are called 'well-known' because they are commonly used by \par
certain  services. For example, the well-known port for sending email is the \par
SMTP port, or port 25.  Because it is 'well-known', anyone can send email to \par
anyone else.  Because port 110 is the well-known port for checking email, \par
all email clients know that they have to connect to a POP server on port 110 \par
in order to retrieve email. \par
An excellent FAQ (frequently asked questions) on TCP/IP ports can be found \par
at http://www.technotronic.com/tcpudp.html \par
\par
************************************************************* \par
You can get punched in the nose warning:  There are many port scanning \par
tools, and wannabe hackers use them ... a lot.  But for what purpose? In \par
most cases all that happens is that a sysadmin or firewall administrator \par
goes through the logs that computer keeps of who has tried to hack that \par
site. He or she then decides whether to ignore your scan or call the \par
sysadmin of the site that your scan came from. Even though (in the US at \par
least) port scanning is legal, it makes systems administrators really mad at \par
you! To avoid getting kicked off your Internet provider, get permission to \par
scan first! \par
************************************************************* \par
\par
What Is a Vulnerability? \par
\par
A 'vulnerability' is anything about a computer system that will allow \par
someone to either keep it from operating correctly, or that will let \par
unauthorized people take it over.  There are many types of vulnerabilities. \par
They may be a misconfiguration in the setup of a service, or a flaw in the \par
programming of the service. \par
An example of a setup misconfiguration is leaving the 'wiz' or 'debug' \par
commands operational in older versions of sendmail, or incorrectly setting \par
directory permissions on your FTP server so people can download the password \par
file.  In these cases, the vulnerability is not how the program was written, \par
but with how the program is configured. Allowing file sharing on your \par
Windows 95 or 98 computer when it is not necessary, or failing to put a \par
password on file sharing, is another example. \par
Examples of errors in the programming of services are the large number of \par
buffer overflow vulnerabilities in the programs that run services on port of \par
Internet host computers.  Many of these buffer overflow problems allow \par
people to use the Internet to break into and take control of host computers \par
(check out "Smashing the Stack", by Aleph One, at: \par
http://www.happyhacker.org/docs/smash.txt). \par
\par
What Is an Exploit? \par
\par
An 'exploit' is a program or technique that takes advantage of a \par
vulnerability.  For example, the FTP-Bounce vulnerability occurs when an FTP \par
server (used to allow people to upload and download files) is configured to \par
redirect FTP connections to other computers.  There really is no good reason \par
to allow this feature.  It has become a vulnerability because this 'bounce' \par
feature allows someone to use it to port scan other computers on the same \par
local area network (LAN) as that FTP server.  So even though a firewall may \par
be keeping port scanners form directly scanning other computers on this LAN, \par
the FTP server would bounce a scan past the firewall. \par
So really an exploit is any technique that takes advantage of a \par
vulnerability to enable you to carry out your own schemes, despite the \par
wishes of the sysadmin of your target. Exploits depend on operating systems \par
and their configurations, the configurations of programs running on computer \par
systems, and of the LAN they are on. \par
Operating systems such as NT, VMS and Unix are very different, and the \par
various versions of Unix have their differences, as well.  (Examples of Unix \par
operating systems include BSD, AIX, SCO, Irix, Sun OS, Solaris, and Linux). \par
Even the various versions of the Linux form of Unix are different. \par
This means exploits that will work against NT systems will probably not work against Unix systems, \par
and exploits for Unix systems will probably not work \par
against NT. NT services are run by different programs from what you may find \par
on Unix type computers. Further, different versions of the same service \par
running on any particular operating system will probably not be vulnerable \par
to the same exploit,  because each version of a service is run by a \par
different program.  Sometimes this different program may have the same name \par
but only have a different version number. For example sendmail 8.9.1a is \par
different from 8.8.2.  Many of the differences are that 8.9.1a has been \par
fixed so that none of the old sendmail exploit programs will work on it. \par
For example, the "Leshka" exploit explained in the GTMHH on advanced shell \par
programming clearly explains that it only works on versions 8.7-8.8.2 of the \par
SMTP service program called 'sendmail.'  We observed a number of people who \par
were playing the hacker wargame trying to run the Leshka exploit against a \par
later, fixed version of sendmail. \par
So remember, an exploit for one operating system or service is unlikely to \par
work against another operating system.  This isn't to say that it definitely \par
won't...it's just not likely.  However, you are pretty much guaranteed that \par
any Win95 or NT exploit will not work against any kind of Unix. \par
\par
How to Look for Vulnerabilities \par
\par
Now let's start someplace where you are unlikely to get punched in the nose by looking at \par
some ports on your own computer.  You can do this by typing \par
'netstat -a' at the command prompt. \par
You should see something such as: \par
Active Connections \par
Proto  Local AddressForeign Address  State \par
TCPlocalhost:1027   0.0.0.0:0LISTENING \par
TCPlocalhost:1350.0.0.0:0LISTENING \par
TCPlocalhost:1350.0.0.0:0LISTENING \par
TCPlocalhost:1026   0.0.0.0:0LISTENING \par
TCPlocalhost:1026   localhost:1027   ESTABLISHED \par
TCPlocalhost:1027   localhost:1026   ESTABLISHED \par
TCPlocalhost:1370.0.0.0:0LISTENING \par
TCPlocalhost:1380.0.0.0:0LISTENING \par
TCPlocalhost:nbsession  0.0.0.0:0LISTENING \par
UDPlocalhost:135*:* \par
UDPlocalhost:nbname *:* \par
UDPlocalhost:nbdatagram *:* \par
Hhhmm...nothing much going on here.  The 'Local Address' (ie, my local \par
machine) seem to be listening on ports 135, 137, 138, and 'nbsession' (which \par
translates to port 139...type 'netstat -an' to see just the port numbers, \par
not the names of the ports). This is okay...those ports are part of \par
Microsoft networking, and need to be active on the LAN my machine is \par
connected to. \par
Now we connect our Web browser to http://www.happyhacker.org and at the same \par
time run Windows telnet and connect to a shell account at example.com. \par
Let's see what happens.  Here's the output of the 'netstat -a' command, \par
slightly abbreviated: \par
Active Connections \par
Proto  Local Address  Foreign Address  State \par
TCPlocalhost:1027 0.0.0.0:0LISTENING \par
TCPlocalhost:135  0.0.0.0:0LISTENING \par
TCPlocalhost:135  0.0.0.0:0LISTENING \par
TCPlocalhost:2508 0.0.0.0:0LISTENING \par
TCPlocalhost:2509 0.0.0.0:0LISTENING \par
TCPlocalhost:2510 0.0.0.0:0LISTENING \par
TCPlocalhost:2511 0.0.0.0:0LISTENING \par
TCPlocalhost:2514 0.0.0.0:0LISTENING \par
TCPlocalhost:1026 0.0.0.0:0LISTENING \par
TCPlocalhost:1026 localhost:1027   ESTABLISHED \par
TCPlocalhost:1027 localhost:1026   ESTABLISHED \par
TCPlocalhost:137  0.0.0.0:0LISTENING \par
TCPlocalhost:138  0.0.0.0:0LISTENING \par
TCPlocalhost:139   0.0.0.0:0LISTENING \par
TCPlocalhost:2508 zlliks.505.ORG:80ESTABLISHED \par
TCPlocalhost:2509 zlliks.505.ORG:80ESTABLISHED \par
TCPlocalhost:2510 zlliks.505.ORG:80ESTABLISHED \par
TCPlocalhost:2511 zlliks.505.ORG:80ESTABLISHED \par
TCPlocalhost:2514 example.com:telnet   ESTABLISHED \par
So what do we see now?  Well, there are the ports listening for Microsoft \par
networking, just like in the first example.  And there also are some new \par
ports listed. Four are connected to 'zlliks.505.org' on port 80, and one to \par
'example.com' on the telnet port.  These correspond to the client connections \par
that I set up.  See, this way you know the name of the computer that was running the \par
happy Hacker Web site at this time. \par
But what is with the really high port numbers?  Well, remember the \par
'well-known' ports that we talked about above?  Client applications, such as \par
browsers and telnet clients (clients are programs that connect to servers) \par
need to use a port to receive data on, so they randomly select ports from \par
outside the 'well-known' port range...above 1024.  In this case, my browser \par
has opened up four ports...2508 through 2511. \par
Now suppose you want to scan your friend's ports.  This is the best way to \par
scan, as you won't have to worry about your friend getting you kicked off \par
your ISP for suspicion of trying to break into computers. How do you know \par
what your friend's IP address is?  Ask him or her to run the command (from \par
the DOS prompt) 'netstat -r'. This shows something like this: \par
C:\\WINDOWS>netstat -r \par
Route Table \par
Active Routes: \par
Network Address  NetmaskGateway Address  Interface   Metric \par
0.0.0.0 0.0.0.0 198.59.999.200   198.59.999.200   1 \par
127.0.0.0   255.0.0.0   127.0.0.1127.0.0.11 \par
198.59.999.0255.255.255.0   198.59.999.200   198.59.999.200   1 \par
198.59.999.200  255.255.255.255 127.0.0.1127.0.0.11 \par
198.59.999.255  255.255.255.255 198.59.999.200   198.59.999.200   1 \par
224.0.0.0   224.0.0.0   198.59.999.200   198.59.999.200   1 \par
255.255.255.255 255.255.255.255 198.59.999.200   0.0.0.0  1 \par
Active Connections \par
  Proto  Local Address  Foreign AddressState \par
  TCPlovely-lady:1093   mack.foo66.com:smtp ESTABLISHED \par
That 'gateway address' and 'interface' both give the current IP address of \par
your computer. If you are on a LAN, the gateway should be different from \par
your own computer's IP address.  If you or your friend are on a LAN, \par
however, you should think twice before port scanning each other, or the \par
LAN's sysadmin may notice your activity.  Warning, sysadmins have quite an \par
arsenal of larts to use on suspicious-acting users. \par
\par
************************************************************ \par
Newbie note: Lart?  What the heck is a lart?  It is a "luser attitude \par
readjustment tool."  This is a generic class of techniques used by sysadmins \par
to punish lusers.  What is a luser? A wayward user. To get a sampling of \par
popular larts, see http://mrjolly.cc.waikato.ac.nz. You want your sysadmins \par
to be your FRIENDS, right?  Never forget this! \par
************************************************************ \par
\par
What are some of the vulnerabilities to win95 and NT, you ask? Check \par
previous GTMHHs for this information. Perhaps the most important thing to \par
remember about Windows is equal to root in Unix), can run a program that \par
uses any port it wants, even a well-known port.  This vulnerability is \par
demonstrated by a program from Weld Pond of L0pht fame called 'netcat'.  The \par
program can be obtained from: \par
http://www.l0pht.com/~weld/netcat \par
Read the documentation that ships with the program, or the Guides on (a) \par
win95 and telnet from: \par
http://www.happyhacker.org/gtmhh.shtml \par
or (b) NT security from: \par
http://www.infowar.com/hacker/hacker.html-ssi \par
for information on uses of netcat. \par
Of course, various Windows applications, such as Internet Explorer, have \par
their own vulnerabilities. \par
By now, you're probably wondering where you can learn more about various \par
vulnerabilities and exploits for just about any computer you might find on \par
the Internet.  \par
Here is a list of sites: \par
ISS X-Force \par
http://www.iss.net/xforce \par
RootShell \par
http://www.rootshell.com \par
TechnoTronic \par
http://www.technotronic.com \par
Packet Storm Security Site \par
http://www.Genocide2600.com/~tattooman/index.shtml \par
Bugtraq archives: \par
http://www.netspace.org/lsv-archive/bugtraq.html \par
NTBugTraq \par
http://www.ntbugtraq.com \par
Aelita Software \par
http://www.ntsecurity.com \par
This site has the RedButton program, which demonstrates the capability to \par
connect to an NT machine via a null session and retrieve registry \par
information.  This is a relatively simple problem to fix...see the NT \par
security Guides at: http://www.infowar.com/hacker/hacker.html-ssi \par
NTSecurity \par
http://www.ntsecurity.net \par
Active Matrix's HideAway \par
http://www.hideaway.net/exploits.html \par
CERT \par
http://www.cert.org \par
\par
\par
____________________________________________________________ \par
\par
GUIDE TO (mostly) HARMLESS HACKING \par
Beginners' Series Number 7 \par
Computer hacking. Where did it begin and how did it grow? \par
____________________________________________________________ \par
\par
\par
\par
If you wonder what it was like in days of yore, ten, twenty, thirty years \par
ago, how about letting and old lady tell you the way it used to be. \par
Where shall we start? Seventeen years ago and the World Science Fiction \par
Convention in Boston, Massachusetts? Back then the World Cons were the \par
closest thing we had to hacker conventions. \par
Picture 1980. Ted Nelson is running around with his Xanadu  guys: Roger \par
Gregory, H. Keith Henson (now waging war against the Scientologists) and  K. \par
Eric Drexler, later to build the Foresight Institute. They dream of creating \par
what is to become the World Wide Web. Nowadays guys at hacker cons might \par
dress like vampires. In 1980 they wear identical black baseball caps with \par
silver wings and the slogan: "Xanadu: wings of the mind."  Others at World \par
Con are a bit more underground: doing dope, selling massages, blue boxing \par
the phone lines. The hotel staff has to close the swimming pool in order to \par
halt the sex orgies. \par
Oh, but this is hardly the dawn of hacking. Let's look at the Boston area \par
yet another seventeen years further back, the early 60s.  MIT students are \par
warring for control of the school's mainframe computers. They use machine \par
language programs that each strive to delete all other programs and seize \par
control of the central processing unit. Back then there were no personal \par
computers. \par
In 1965, Ted Nelson, later to become leader of the silver wing-headed \par
Xanadu gang at the 1980 Worldcon, first coins the word "hypertext" to \par
describe what will someday become the World Wide Web. Nelson later spreads \par
the gospel in his book Literacy Online. The back cover shows a Superman-type \par
figure flying and the slogan "You can and must learn to use computers now." \par
But in 1965 the computer is widely feared as a source of Orwellian powers. \par
Yes, as in George Orwell's ominous novel , "1984," that predicted a future \par
in which technology would squash all human freedom. Few are listening to \par
Nelson. Few see the wave of free-spirited anarchy the hacker culture is \par
already unleashing. But LSD guru Timothy Leary's daughter Susan begins to \par
study computer programming. \par
Around 1966, Robert Morris Sr., the future NSA chief scientist, decides to \par
mutate these early hacker wars into the first "safe hacking" environment. He \par
and the two friends who code it call their game "Darwin." Later "Darwin" \par
becomes "Core War," a free-form computer game played to this day by some of \par
the uberest of uberhackers. \par
Let's jump to 1968 and the scent of tear gas. Wow, look at those rocks \par
hurling through the windows of the computer science building at the \par
University of Illinois at Urbana-Champaign! Outside are 60s antiwar \par
protesters. Their enemy, they believe, are the campus' ARPA-funded \par
computers. Inside are nerdz high on caffeine and nitrous oxide. Under the \par
direction of the young Roger Johnson, they gang together four CDC 6400s and \par
link them to 1024 dumb vector graphics terminals. This becomes the first \par
realization of cyberspace: Plato. \par
1969 turns out to be the most portent-filled year yet for hacking. \par
In that year the Defense Department's Advanced Research Projects Agency \par
funds a second project to hook up four mainframe computers so researchers \par
can share their resources. This system doesn't boast the vector graphics of \par
the Plato system. Its terminals just show ASCII characters: letters and \par
numbers. Boring, huh? \par
But this ARPAnet is eminently hackable. Within a year, its users  hack \par
together a new way to ship text files around. They call their unauthorized, \par
unplanned invention "email." ARPAnet has developed a life independent of its \par
creators. It's a story that will later repeat itself in many forms. No one \par
can control cyberspace. They can't even control it when it is just four \par
computers big. \par
Also in 1969 John Goltz teams up with a money man to found Compuserve using the new packet \par
switched \par
technology being pioneered by ARPAnet. Also in 1969 we see a remarkable birth at Bell Labs \par
as Ken Thompson invents a new \par
operating system: Unix. It is to become the gold standard of hacking and the \par
Internet, the operating system with the power to form miracles of computer \par
legerdemain. \par
In 1971, Abbie Hoffman and the Yippies found the first hacker/phreaker \par
magazine, YIPL/TAP (Youth International Party -- Technical Assistance \par
Program).  YIPL/TAP essentially invents phreaking -- the sport of playing \par
with phone systems in ways the owners never intended. They are motivated by \par
the Bell Telephone monopoly with its high long distance rates, and a hefty \par
tax that Hoffman and many others refuse to pay as their protest against the \par
Vietnam War. What better way to pay no phone taxes than to pay no phone bill \par
at all? \par
Blue boxes burst onto the scene. Their oscillators automate the whistling \par
sounds that had already enabled people like Captain Crunch (John Draper) to \par
become the pirate captains of the Bell Telephone megamonopoly. Suddenly \par
phreakers are able to actually make money at their hobby. Hans and Gribble \par
peddle blue boxes on the Stanford campus. \par
In June 1972, the radical left magazine Ramparts, in the article \par
"Regulating the Phone Company In Your Home"  publishes the schematics for a \par
variant on the blue box known as the "mute box." This article violates \par
Californian State Penal Code section 502.7, which outlaws the selling of \par
"plans or instructions for any instrument, apparatus, or device intended to \par
avoid telephone toll charges." California police, aided by Pacific Bell \par
officials, seize copies of the magazine from newsstands and the magazine's \par
offices. The financial stress leads quickly to bankruptcy. \par
As the Vietnam War winds down, the first flight simulator programs in \par
history unfold on the Plato network. Computer graphics, almost unheard of in \par
that day, are displayed by touch-sensitive vector graphics terminals. \par
Cyberpilots all over the US pick out their crafts: Phantoms, MIGs, F-104s, \par
the X-15, Sopwith Camels. Virtual pilots fly out of digital airports and try \par
to shoot each other down and bomb each others' airports. While flying a \par
Phantom, I see a chat message on the bottom of my screen. "I'm about to \par
shoot you down." Oh, no, a MIG on my tail. I dive and turn hoping to get my \par
tormentor into my sights. The screen goes black. My terminal displays the \par
message "You just pulled 37 Gs. You now look more like a pizza than a human \par
being as you slowly flutter to Earth." \par
One day the Starship Enterprise barges in on our simulator, shoots everyone down and vanishes back \par
into cyberspace. Plato has been hacked! Even in 1973 multiuser game players have to worry about \par
getting "smurfed"! (When a hacker breaks into a multiuser game on the Internet and kills players \par
with \par
techniques that are not rules of the game, this is called "smurfing.") \par
1975. Oh blessed year! Under a Air Force contract, in the city of \par
Albuquerque, New Mexico, the Altair is born. Altair. The first microcomputer. Bill Gates writes \par
the operating system. Then Bill's mom persuades him to move to Redmond, CA where she \par
has some money men who want to see what this operating system business is all about. \par
Remember Hans and Gribble? They join the Home Brew Computer club and choose Motorola \par
microprocessors to build their own. They begin selling their \par
computers, which they brand name the Apple, under their real names of Steve \par
Wozniak and Steve Jobs. A computer religion is born. \par
The great Apple/Microsoft battle is joined. Us hackers suddenly have boxes \par
that beat the heck out of Tektronix terminals. \par
In 1978, Ward Christenson and Randy Suess create the first personal \par
computer bulletin board system. Soon, linked by nothing more than the long \par
distance telephone network and these bulletin board nodes, hackers create a \par
new, private cyberspace. Phreaking becomes more important than ever to \par
connect to distant BBSs. \par
Also in 1978, The Source and Compuserve computer networks both begin to \par
cater to individual users. "Naked Lady" runs rampant on Compuserve. The \par
first cybercafe, Planet Earth, opens in Washington, DC. X.25 networks reign \par
supreme. \par
Then there is the great ARPAnet mutation of 1980. In a giant leap it moves \par
from Network Control Protocol to Transmission Control Protocol/Internet \par
Protocol (TCP/IP). Now ARPAnet is no longer limited to 256 computers -- it \par
can span tens of millions of hosts! Thus the Internet is conceived within \par
the womb of the DoD's ARPAnet. The framework that would someday unite \par
hackers around the world was now, ever so quietly, growing. Plato fades, \par
forever limited to 1024 terminals. \par
Famed science fiction author Jerry Pournelle discovers ARPAnet. Soon his \par
fans are swarming to find excuses -- or whatever -- to get onto ARPAnet. \par
ARPAnet's administrators are surprisingly easygoing about granting accounts, \par
especially to people in the academic world. \par
ARPAnet is a pain in the rear to use, and doesn't transmit visuals of \par
fighter planes mixing it up. But unlike the glitzy Plato, ARPAnet is really \par
hackable and now has what it takes to grow. Unlike the network of hacker \par
bulletin boards, people don't need to choose between expensive long distance \par
phone calls or phreaking to make their connections. It's all local and it's \par
all free. \par
That same year, 1980, the  "414 Gang" is raided. Phreaking is more \par
hazardous than ever. \par
In the early 80s hackers love to pull pranks. Joe College sits down at his \par
dumb terminal to the University DEC 10 and decides to poke around the campus \par
network.  Here's Star Trek! Here's Adventure! Zork! Hmm, what's this program \par
called Sex? He runs it. A message pops up: "Warning: playing with sex is \par
hazardous. Are you sure you want to play? Y/N" Who can resist? With that "Y" \par
the screen bursts into a display of ASCII characters, then up comes the \par
message: "Proceeding to delete all files in this account." Joe is weeping, \par
cursing, jumping up and down. He gives the list files command. Nothing! \par
Zilch! Nada! He runs to the sysadmin. They log back into his account but his \par
files are all still there. A prank. \par
In 1983 hackers are almost all harmless pranksters, folks who keep their \par
distance from the guys who break the law. MITs "Jargon file" defines hacker \par
as merely "a person who enjoys learning about computer systems and how to \par
stretch their capabilities; a person who programs enthusiastically and \par
enjoys dedicating a great deal of time with computers." \par
1983 the IBM Personal Computer enters the stage powered by Bill Gates' \par
MS-DOS operating system. The empire of the CP/M operating system falls. \par
Within the next two years essentially all microcomputer operating systems \par
except MS-DOS and those offered by Apple will be dead, and a thousand \par
Silicon Valley fortunes shipwrecked. The Amiga hangs on by a thread. Prices \par
plunge, and soon all self-respecting hackers own their own computers. \par
Sneaking around college labs at night fades from the scene. \par
In 1984 Emmanuel Goldstein launches 2600: The Hacker Quarterly and the \par
Legion of Doom hacker gang forms. Congress passes the Comprehensive Crime \par
Control Act giving the US Secret Service jurisdiction over computer fraud.  \par
Fred Cohen, at Carnegie Melon University writes his PhD thesis on the brand \par
new, never heard of thing called computer viruses. \par
1984. It was to be the year, thought millions of Orwell fans, that the \par
government would finally get its hands on enough high technology to become \par
Big Brother. Instead, science fiction author William Gibson, writing \par
Neuromancer on a manual typewriter, coins the term and paints the picture of \par
"cyberspace." "Case was the best... who ever ran in Earth's computer matrix. \par
Then he doublecrossed the wrong people..." \par
In 1984 the first US police "sting" bulletin board systems appear. \par
Since 1985, Phrack has been providing the hacker community with information on \par
operating systems, networking technologies, and telephony, as well as relaying other \par
topics of interest to the international computer underground. \par
The 80s are the war dialer era. Despite ARPAnet and the X.25 networks, the \par
vast majority of computers can only be accessed by discovering their \par
individual phone lines. Thus one of the most treasured prizes of the 80s \par
hacker is a phone number to some mystery computer. \par
Computers of this era might be running any of dozens of arcane operating \par
systems and using many communications protocols. Manuals for these systems \par
are often secret. The hacker scene operates on the mentor principle. Unless \par
you can find someone who will induct you into the inner circle of a hacker \par
gang that has accumulated documents salvaged from dumpsters or stolen in \par
burglaries, you are way behind the pack. Kevin Poulson makes a name for \par
himself through many daring burglaries of Pacific Bell. \par
Despite these barriers, by 1988 hacking has entered the big time. According to a list of \par
hacker groups compiled by the editors of  Phrack on August 8, 1988, the US hosts hundreds \par
of them. \par
The Secret Service covertly videotapes the 1988 SummerCon convention. \par
In 1988 Robert Tappan Morris, son of NSA chief scientist Robert Morris Sr., writes an \par
exploit that will forever be known as the Morris Worm. It uses a \par
combination of finger and sendmail exploits to break into a computer, copy \par
itself and then send copy after copy on to other computers. Morris, with \par
little comprehension of the power of this exponential replication, releases \par
it onto the Internet. Soon vulnerable computers are filled to their digital \par
gills with worms and clogging communications links as they send copies of \par
the worms out to hunt other computers. The young Internet, then only a few \par
thousand computers strong, crashes. Morris is arrested, but gets off with \par
probation. \par
1990 is the next pivotal year for the Internet, as significant as 1980 and \par
the launch of TCP/IP.  Inspired by Nelson's Xanadu, Tim Berners-Lee of the \par
European Laboratory for Particle Physics (CERN) conceives of a new way to \par
implement hypertext. He calls it the World Wide Web. In 1991 he quietly \par
unleashes it on the world. Cyberspace will never be the same. Nelson's \par
Xanadu, like Plato, like CP/M, fades. \par
1990 is also a year of unprecedented numbers of hacker raids and arrests.  \par
The US Secret Service and New York State Police raid Phiber Optik, Acid \par
Phreak, and Scorpion in New York City, and arrest Terminus, Prophet, \par
Leftist, and Urvile. \par
The Chicago Task Force arrests Knight Lightning and raids Robert Izenberg, \par
Mentor, and Erik Bloodaxe. It raids both Richard Andrews' home and business. \par
The US Secret Service and Arizona Organized Crime and Racketeering Bureau \par
conduct Operation Sundevil raids in Cincinnatti, Detroit, Los Angeles, \par
Miami, Newark, Phoenix, Pittsburgh, Richmond, Tucson, San Diego, San Jose, \par
and San Francisco. A famous unreasonable raid that year was the Chicago Task \par
Force invasion of Steve Jackson Games, Inc. \par
June 1990 Mitch Kapor and John Perry Barlow react to the excesses of all \par
these raids to found the Electronic Frontier Foundation. Its initial purpose \par
is to protect hackers. They succeed in getting law enforcement to back off \par
the hacker community. \par
In 1993, Marc Andreesson and Eric Bina of the National Center for \par
Supercomputing Applications release Mosaic, the first WWW browser that can \par
show graphics. Finally, after the fade out of the Plato of twenty years \par
past, we have decent graphics! This time, however, these graphics are here \par
to stay. Soon the Web becomes the number one way that hackers boast and \par
spread the codes for their exploits. Bulletin boards, with their tightly \par
held secrets, fade from the scene. \par
In 1993, the first Def Con invades Las Vegas. The era of hacker cons moves \par
into full swing with the Beyond Hope series, HoHocon and more. \par
1996 Aleph One takes over the Bugtaq email list and turns it into the first public \par
"full disclosure" computer security list. For the first time in \par
history, security flaws that can be used to break into computers are being \par
discussed openly and with the complete exploit codes. Bugtraq archives are \par
placed on the Web. \par
In August 1996 I start mailing out Guides to (mostly) Harmless Hacking. \par
They are full of  simple instructions designed to help novices understand \par
hacking. A number of hackers come forward to help run what becomes the Happy \par
Hacker Digest. \par
1996 is also the year when documentation for routers, operating systems, \par
TCP/IP protocols and much, much more begins to proliferate on the Web. The \par
era of daring burglaries of technical manuals fades. \par
In early 1997 the readers of Bugtraq begin to tear the Windows NT operating system to shreds. \par
A new mail list, NT Bugtraq, is launched just to handle the high volume of NT security flaws \par
discovered by its readers. \par
Self-proclaimed hackers Mudge and Weld of The L0pht, in a tour de force of \par
research, write and release a password cracker for WinNT that rocks the \par
Internet. Many in the computer security community have come far enough along \par
by now to realize that Mudge and Weld are doing the owners of NT networks a \par
great service. \par
Thanks to the willingness of hackers to share their knowledge on the Web, \par
and mail lists such as Bugtraq, NT Bugtraq and Happy Hacker, the days of \par
people having to beg to be inducted into hacker gangs in order to learn \par
hacking secrets are now fading. \par
Where next will the hacker world evolve? You hold the answer to that in \par
your hands. \par
\par
________________________________________________________ \par
\par
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out \par
the official Happy Hacker Web page at http://www.happyhacker.org. \par
We are against computer crime. We support good, old-fashioned hacking of the kind that led to \par
the creation of the Internet and a new era of freedom of \par
information. But we hate computer crime.  So don't email us about any crimes \par
you may have committed! \par
To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless \par
Hacking, please email hacker@techbroker.com with message "subscribe \par
happy-hacker" in the body of your message. \par
Copyright 1998 keydet89 and Carolyn Meinel.  You may forward, print out or \par
post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you \par
leavethis notice at the end. \par
_________________________________________________________ \par
The Guide for (mostly) Harmless Hacking                                                         \par
Beginner's Series\par
\par
"Sa\'efmo"                                                                                                                                                            1/1\par
\par
\par
}