THE INDISPENSABLE GUIDE TO HACKING
----------------------------------

Author:   sixby6
Email:    sixby6@lycos.com
Website:  http://rt45.host.sk
Date:     7.28.01
Filename: tigth.txt

Note: This text was written in gedit for Linux and uses UNIX text formatting. Please read it in an editor that handles UNIX text format, like Pico, gedit, or MS-Word. Oh, and word-wrap is good.

TABLE OF CONTENTS:

1) Introduction
   A) Purpose of this text
   B) What is hacking?
   C) What is a hacker?
   D) Ethics
2) Where to start
   A) BBSs/IRC
   B) Friends
   C) Elders
   D) Research
3) The hacker's laboratory
   A) Home lab
   B) Portable lab
   C) Speed
4) Get started hacking
   A) UNIX/Linux
      i) What is UNIX/Linux
      ii) How to use UNIX/Linux and some basic commands
      iii) Different types of UNIX/Linux
      iv) Why UNIX/Linux is so vulnerable
   B) Old school hacking/history
   C) Exploits!
      i) Exploits explained
         a) What are exploits?
         b) Buffer Overflows
      ii) How to use exploits
      iii) Where to get exploits
   D) Programming
      i) Why programming is so important
      ii) What languages are the best?
         a) C/C++
         b) PERL
         c) Scripting
         d) Pascal
      iii) How to program/Where to learn to program
   E) Other important things
      i) Core dumps
      ii) Password cracking
         a) Getting the passwd file
         b) Cracking the password
      iii) Brute Forcing
      iv) Anonymity
         a) Wingates/Proxies
         b) Shell accounts
         d) Log files
   F) Crippled Hacking
      i) AOL
      ii) Windows
5) Where to hack
   A) More old school hacking
      i) SprintNET and other large networks
         a) Logon and basic commands
         b) Locating/logging into a system
      ii) Wardialing and prefix scanning
   B) Web-based hacking
      i) Finding targets
      ii) War-gaming
6) THE HACK, FINALLY!
7) Farewell!
   A) Your future
   B) About me
   C) Thanks
   D) Final notes
8) APPENDIX
   A) Hacking programs
      i) nmap
      ii) SAINT
      iii) Nessus
      iv) Minicom
      v) John the Ripper
      vi) Shokdial
      vii) Brutus
   B) Hacking websites
   C) Free shell accounts

--

1) INTRODUCTION

A) Purpose of this text:

The last really great hacking text was written 12 years ago, by The Mentor in 1989.
It primarily discussed what was then Telenet and the different OSes of the time. Well, times change, and that file is now staggeringly out of date; it predates even Linux. The OSes it discussed are mostly gone, and UNIX/Linux and Windows NT/2000 have taken the limelight. I am writing this to put back into the community some of what I have extracted from it: knowledge. I hope that in some way this text will help future newbies and intermediates become successful.

As many have stated before, I had little help as a newbie. I was pretty much left to discover things on my own, without the aid of very good texts. Most of them just lectured you about how mistreated hackers are, etc., etc., etc. Others gave nice descriptions of how to find and identify a target, but never said what to do next, not even a pointer in the right direction. So I'll do my best to give you help and answer some difficult questions. I do think it should also be useful to some who have been in or near hacking for a while; if not, just skip ahead.

Also note: PLEASE don't attempt anything in this guide until you have read the entire text. I will explain all the crucial skills in relative detail and then tie everything together in an example hack in the "THE HACK, FINALLY!" section. Everything should be applied except the old school hacking parts.

B) What is hacking?

Hacking is an art. Hacking is the art of breaking through computer security and, more importantly, the art of learning how to do it: the art of figuring out exactly how to make a computer do what you want, when you want it to. The art of using your mind. Many people I speak to broaden the term to mean using your mind to research anything and gain a lot of knowledge in it, which would make doctors and lawyers 'hackers'. I limit the term to computers and, more specifically, computer security and penetration.
So doctors are doctors, lawyers are lawyers, and hackers are hackers, which gives us 'computer security experts' our own special name and identity.

C) What is a hacker?

A hacker is one who hacks. It's as simple as that. I believe there are many different levels of hackerdom. Many reserve the term for only the best of the best. Well, I believe one can be an excellent hacker or a poor hacker, just as one can be an excellent cook or a poor cook.

Let us now distinguish between 'hacking' and 'cracking'. The best definitions of 'hacker' and 'cracker' are as follows:

Hacker n.
 1. A person who enjoys exploring the details of programmable systems and how to stretch their capabilities.
 2. One who programs enthusiastically.
 3. A person who is good at programming quickly.
 4. An expert at a particular program, as in 'a Unix hacker'.
 5. One who responsibly circumvents the security of a computer system through programming.

AND

Cracker n.
 One who breaks security on a system. Coined by hackers in defence against journalistic misuse of the term "hacker." The term "cracker" reflects a strong revulsion at the theft and vandalism perpetrated by cracking rings. There is far less overlap between hackerdom and crackerdom than most would suspect.

As you can see, I hold these definitions in high regard. In this text I will concentrate on the fifth definition of hacker. If you want to be a cracker, stop reading this text now. Stop for a moment and examine your motives.

D) Ethics:

Depending on how much of a newbie you are, you may have read other texts on ethics, so I'll keep this section short. Basically: you SHOULD NEVER do anything out of malice or anger. Never purposefully destroy data, never crash a computer, and never hurt anything. Never change anything unless it is to hide your tracks. Never hack government computers.
Never hack computers holding life-critical data (example: hospital computers; can you imagine what would happen if one deleted, even accidentally, a patient's records?). AND, last but not least, USE COMMON SENSE AND YOUR CONSCIENCE! If it feels wrong, don't do it.

2) WHERE TO START

A) BBSs/IRC:

The very best place to start is a public BBS. In the 80s and early 90s dial-up BBSs (Bulletin Board Systems) were common. One could dial up a BBS and post, just as on any USENET server. That brings me to USENET. USENET is just another form of BBS. It is carried by most ISPs and is easily recognised by its 'alt.something' or 'something.something' group names. To access it, find a news server and connect to it using a newsreader (such as Outlook Express in Windows). Most ISPs offer a news server, so ask them what its address is. If they don't help, try names like newsserver.yourisp.com or news.yourisp.com. If you still can't find one, do some research (see 2.D to learn how to research correctly) and find one. Try news servers at other ISPs and see what happens. For example, news-server.somecity.rr.com is a good try, as the ISP (RoadRunner, rr.com) provides a news server for every city it serves, each named starting with 'news-server'.

Anyway, most BBSs now are web based. I can be found on the hackerslab.org BBS and the hack3r.com BBS. Both are very newbie friendly while still providing quality material for the more experienced.

TIPS: Never ask too many questions, and ask detailed questions. Don't say "how do I hack through UNIX"; ask "Where can I find some recent exploits for UNIX". More on that later.

When you get more advanced, chat with a few friends on a good IRC channel. To find out which IRC channels to use, simply ask a friend you made on a BBS which IRC network s/he uses and connect to it. A note about IRC: you will find instructions for connecting to an IRC channel in your IRC client's documentation; if not, it should be self-explanatory. Also, IRC is not really safe.
There are bots and other baddies that crawl IRC, which makes it dangerous, and that is why I rarely use it. In case you haven't figured it out yet, IRC is a chat network, the Internet equivalent of CB radio: people get on it and chat about various things without restriction.

B) Friends:

Ahh, yes, friends. Friends are another important aspect of hacking. You help them, and they help you. They will back you up in a jam and, more importantly, won't abandon you. They won't take advantage of you. They won't report you. They will warn you of things, etc., etc., etc. Basically, all the things friends in person do, but over the computer.

So where can you find these wonderful creatures? Make friends with some fellow newbies. The closer to your stage of development, the better. Share with them what you learn and they will share with you what they learn. Learn together; talk to one another about difficult puzzles. You will be amazed at how much faster you both learn. Make a lot of friends, but never too many: "A friend to all is a friend to none." Also, don't kiss up to get friends. Make friends with peers, again, people along the same path as you, and you will go far.

C) Elders:

'Elders' does not mean 'older people'. It means someone who has significantly more knowledge than you do. They will not be eager to be your best friend (you're a newbie), but if you ask intelligent questions they will give good answers and you can learn a lot. No matter how good you are, there's always someone better. Take advantage of this and learn from them. When asking questions, DO NOT BE PUSHY! If you want answers, ask nicely, but don't pander... you get the idea. If s/he is really nice, they will have an open-source program or two for you to learn from. That's how I learned: reading other people's work until I could emulate it, then improve upon it. More about this later.

D) Research:

The single most important tool in your hacking quest is research.
Whenever you don't know something, find out what it is by research. When you just don't know what to do at a certain point, research. Bored? Research, etc., etc., etc. Also remember that research is a tool that can be used in many places in life; if you EVER don't know ANYTHING, I bet you can find it (within reason) through research.

Mailing lists are great. You can search the archives for excellent information, and if you are an active member you read it first hand. A good one is run from securityfocus.com (BUGTRAQ): whenever someone finds a new vulnerability or writes a new exploit or text, they email it to the list and it is echoed to all members. So you get the info almost as soon as it's created, no waiting for websites to update or anything. Places for the conventional type of newsletter (more like an ezine) are 2600.com and Phrack.org. Phrack.org is my favorite because it's free and there is A LOT of info available.

Search engines are very useful as well. Google.com and NorthernLight.com are my favorites. Make sure to learn Boolean searching to speed up your search and find what you need.

3) THE HACKER'S LABORATORY

There are a lot of people who like to tell you hacking requires hugely complex and expensive computers. This section attempts to prove that wrong, as well as telling you what you DO need and what I use.

A) Home lab:

Hacking at home requires a computer with a modem. That's it. Any computer will do. I run a PIII 450 w/ 128 MB RAM. I built it out of spare parts and a few new things. It runs Red Hat Linux 7.1 on a 4 GB hard disk as well as Windows 98 on a shiny new 60 GB hard disk. 95% of the time I run Linux. As for an Internet connection, I have a 10/100Base-T network set up, connected to cable Internet. I also have a 56k Courier V.Everything modem (the best modem ever made :) ) for dial-up hacking.
Currently, my system is about average for what most people have. The truth is you need much less. I recommend at least a 486/66 MHz running some sort of Linux, with at least a 14.4k modem. If you really want bare bones, you can download "muLinux", which installs on a single floppy disk, so you don't even need a hard drive. Or, plummeting even further, you can hack on just about anything with a modem, including ancient Apples and 286s. But most likely you will want at least my minimal recommended system.

B) Portable lab:

If you really want fun, put together one of these kits and drive out to some random, obscure payphone late at night. Hook it up, and dial out. I strongly recommend taking a friend or two along to talk to and fight the loneliness (face it, it's CREEPY and sometimes DANGEROUS out there alone at 1:00 AM). What exactly do you need? Some kind of laptop (really old or brand new, doesn't make a bit of difference). A modem that can connect to it. An acoustic coupler. A pile of quarters (just in case; you're at a payphone, right?). That's all.

I use a Toshiba Libretto 50CT laptop (HIGHLY recommended, btw) with a 56k PCMCIA modem and two batteries (6 hours total) running Peanut Linux 8.4. I also have a portable acoustic coupler. If you don't have any of this stuff, you can buy a Libretto series laptop for $100 on eBay. (SIDETRACK: the Libretto is very nice because it's very small (VHS tape size) and very versatile, the batteries last long, oh, and it's cheap.) Anyway, a PCMCIA modem costs about $70.00, and a portable acoustic coupler is practically nothing. And that's July 2001; by the time you read this it's probably all much cheaper still. As for an OS, Peanut Linux has proved itself to be very effective for travel and hacking, so get it from http://www.ibiblio.com/peanut and install it on your laptop.

C) Speed:

Speed really doesn't matter in portable hacking. You will be dialling through an acoustic coupler, which only gets 28.8k anyway.
As for hacking in general, speed won't matter (my laptop is just a P75!): you are just transmitting text, JUST TEXT, so it can't matter whether you have a T3 or a 300 bps connection, or are running a 386 or a Cray supercomputer. Speed WILL, however, make a difference in cracking and compiling. Password cracking (explained later) and code compiling (also explained later) require relatively fast machines to do the work at a reasonable pace. An extra computer will do wonders while password cracking, so you can continue to hack while a backup machine crunches numbers.

4) GET STARTED HACKING

A) UNIX/Linux

i) What is UNIX/Linux:

The following segment is copied with permission from UNIXkid:

"Unix is a multi-user, multi-tasking operating system. Multi-user means it can have more than one person logged on to the system at one time, and multi-tasking means that it can do more than one thing at a time. Unlike Windows, it doesn't store its files by drive name like C:\; it stores them in directories like /etc or /home. UNIX comes in almost 80 different versions and types; the most common would be BSD and Linux. Linux is easy to use for a Windows user, and BSD is for the more experienced user. UNIX is a complex system that uses simple commands to do things. If you use Unix from the shell (a user interface that displays everything in text) you give the system commands to get things done. Say you wanted to make a program in the C computer language: you would type gcc at the command line; gcc is the command for the C compiler. Think of using Unix from the shell as using DOS in Windows: there are no desktops and you don't even need to use the mouse.
But UNIX systems like Linux and BSD do come with desktops, and some versions of Linux are as easy to use as Windows. The only thing that is different is the file system; it's more stable and, best of all, it's free. But if you want to use Unix now without buying it, just get a shell account. A shell account is Unix without the desktop and things; just like I said before, it is just a user interface. But they can be fun to use. There are many types of shells; here is a list of the most popular:

 - bash shell: it comes with Linux, and is easy to use.
 - C shell: not as easy to use for newbies, but has its good points.
 - korn shell: similar to the bash shell and also easy to use.
 - z shell: I don't know much about that one; try it for yourself and tell me what you think.

There are other shells but those are the most popular. Once you use UNIX you will love it; it is way more stable than Windows and you can change it and do whatever you want to it, unlike Windows, which hides files from us (just ask the Riddler). Now for those commands I told you about. This list of commands was taken from the UNIX Bible by Psychotic, so some of them are old but most of them still work."

ii) How to use UNIX/Linux and some basic commands:

Again, a section copied with permission from UNIXkid (it's good stuff):

"alias .......allows the user to view the current aliases
awk .........allows the user to search for a pattern within a file
bdiff .......compares two large files
bfs .........scans a large file
cal .........shows a calendar
cat .........concatenates and prints a file
gcc .........C compiler
cd ..........changes directories
chgrp .......changes a file's group ownership
chmod .......changes the permissions on a file
chown .......changes the individual ownership of a file
cmp .........compares two files
comm ........compares two files so as to determine which lines are common to both
cp ..........copies a file to another location
cu ..........calls another Unix system
date ........returns the date and time
df ..........shows all mounted drives on your machine
diff ........displays the differences between two files
du ..........shows the disk usage in blocks for a directory
echo ........echoes the data to the screen or a file
ed ..........text editor
env .........lists the current environment variables
ex ..........another text editor
expr ........evaluates a mathematical formula
find ........finds a file
f77 .........Fortran compiler
format ......initializes a floppy disk
grep ........searches for a pattern within a file
help ........gives help
kill ........stops a running process
ln ..........creates a link between two files
lpr .........copies the file to the line printer
ls ..........lists the files in a directory
mail ........allows the user to send/receive mail
mkdir .......makes a directory
more ........displays a data file on the screen
mv ..........used to move or rename files
nohup .......allows a command to continue running even when you log out
nroff .......used to format text
passwd ......changes your password
pkgadd ......installs a new program onto your machine
ps ..........lists the current processes running
pwd .........displays the name of the working directory
rm ..........removes files
rmdir .......removes directories
set .........lists all the variables in the current shell
setenv ......sets the environment variables
sleep .......causes a process to become inactive
source ......allows the user to execute a file and update any changed values in that file
sort ........sorts files
spell .......checks for spelling errors in a file
split .......divides a file
stty ........sets the terminal options
tail ........displays the end of a file
tar .........copies all specified files into one
touch .......creates an empty file or updates the time/date stamp on a file
troff .......outputs formatted output
tset ........sets the terminal type
umask .......specifies a new creation mask
uniq ........compares two files
uucp ........Unix to Unix execute
vi ..........full screen editor
vipw ........opens the vi editor as well as the password file for editing
volcheck ....checks to see if there is a floppy disk mounted on your machine
wc ..........displays detail in the full size
who .........info on other people online
write .......sends a message to another user
! ...........repeats commands"

iii) Different types of UNIX/Linux:

This part's by me. =)

There are many different types of UNIX out there. Why? Because several UNIX-like systems, the BSDs and Linux above all, are open-source, so programmers have modified them to make dozens of different types, flavors or distros, if you will. Different distros serve different purposes. For example, Linux (the most popular) is very good at workstation/development things. BSD UNIX (OpenBSD, NetBSD, FreeBSD, etc.) is well suited to server systems. Among the different types of UNIX there are types of types. For example, there are (as has been said) OpenBSD, NetBSD, and FreeBSD, all flavors of BSD UNIX. In Linux there are many more. To name a few: Red Hat, Slackware, Mandrake, Beehive, Turbo, Phat, Rock, Best, SuSE, and more. Specialty versions can be downloaded: some small enough to fit on a floppy, some that work on Macs, some built around only one service. Skilled programmers will even make their own Linux for their own computer. So with all these distros available, how does one choose?
First take into account what you want it for. Take into account what system requirements you have. How much disk space do you have? Personally, I use Red Hat Linux. A lot of people don't like it because it is not as secure as other Linuxes and ships with a gcc compiler that's been monkeyed with. But Red Hat has made a very good installation system and update network, good for someone like me who upgrades and reinstalls a lot. If I had just one computer with a small hard drive, I would find a smaller, easier-on-the-computer Linux. Keep in mind, though, that almost all Linuxes will run better than Windows. Most, for example, only require a 386 to run! How's that compared to Windows 98 needing 32 MB of RAM and a P75? And when you have a 450+ MHz computer, most Linuxes will run spectacularly well.

iv) Why UNIX/Linux is so vulnerable:

UNIX based systems are attacked so often for one main reason: they are multi-user. One can log in at a low level and then break through to gain higher levels. A sysadmin has to secure the system not only against incoming threats, but against ones that originate from inside the computer as well. This is very difficult, as the low-level user can still compile and run programs, etc. Windows NT/2000 is also multi-user, with its own privilege levels (ordinary users, Administrators, SYSTEM), so a sysadmin there faces the same problem of keeping a local user from climbing higher. Windows 9x is single-user, but that buys it nothing: it has no local security to escalate past in the first place.

B) Old school hacking/history:

Now we will take a small break from your hard work and I will explain some of the history of hacking as best I can. I, obviously, was not around for all of this, but I will explain it as best I can. The earliest stages of hacking began with another art called 'phreaking', which is basically hacking the telephone system.
Phreaking has been around as long as the telephone system; in fact, the first people arrested for any sort of hacking, however prehistoric, were a few friends who, in 1897, manipulated the existing phone networks to get free calls (well, telegraphs). Phreaking (as it is now known) really started in the early 60s, when hippies wanting free calls figured out how to make a pay phone connect the call AND return the payment. Soon after, people figured out that the phones could be tricked into making free calls by emulating the 2600 Hz supervisory tone that told the long-distance trunk the line was idle. Phreaking got more and more complicated and developed into what it is today (fun, but not the focus of this text).

Hacking developed in the labs of MIT, on their mainframe networks. MIT personnel made what they called 'hacks' to bypass complicated steps (and/or security). They were harmless, as the only people who used the hacks were the people who had created the complicated steps. They bypassed their own security systems.

But in 1969 the largest, most significant event for hacking occurred: ARPAnet was born. ARPAnet started out as a small network, four host sites by the end of 1969 (UCLA, SRI, UC Santa Barbara and Utah), all hooked together for the first time, communicating and sending data using packet-based networking. This was a huge step, as now the small 'hacks' of MIT geeks could be run over networks and gain information from many, many places, all at once. Campuses like the University of Illinois at Urbana-Champaign, which joined the network soon after, had terminals all over; people could ask for time in half-hour intervals to program and do various tasks. People used to program games ('StarTrek Adventures' was apparently popular). A few friends wanted to send messages to one another quickly across campus and to other buildings housing terminals. It was a brilliant idea, but they could not get authorization for such a project, so they did it anyway. They quickly made their little tool and were happy with themselves.
A way to communicate without using the phones, and able to do it quickly, cheaply, and efficiently. They called their invention electronic mail, or 'email'. (For the record, the first program to send mail between ARPAnet hosts is credited to Ray Tomlinson at BBN in 1971.) Cool, huh?

Zoom forward a few years to 1981. This was a new era, an era when computer networks were good enough that companies were hooked and buying them to store data on mainframes, but new enough to lack any kind of reasonable security. Thus large, penetrable networks (such as Telenet) were common and soon crawling with hackers. These hackers were mostly harmless, not always because they were moral, but because little in the way of sensitive data had been moved to the computer. The U.S. government, the people who FUNDED the entire thing, were quick to pick up on the idea. Soon they created their own networks for various things, the most famous being MILNET for the military. Then in 1986 Congress sent a message to all hackers, indeed all people, with the Computer Fraud and Abuse Act. It made unauthorized access to computer data a federal crime carrying up to 5 years in prison.

Still, hacking remained strong through underground BBSs and secrecy, until it lost all credibility in 1993-94 when many people were busted by the Feds for doing very illegal acts. Harmless penetration was the majority, but it went undetected and no one heard about it. The ones the masses heard about were like Vladimir Levin, arrested in London in 1995 for stealing some 10 million dollars from Citibank via computer. An outcry against hackers erupted and the FBI engaged in a witch-hunt to root out all hackers. The people who had created hacking, the legends, were either arrested or went so far underground they were no longer heard from. This had a devastating effect on hacking. Now thieves flooded into the hacking world looking for riches. But without elders to learn from, they all became lazy script kiddies who wanted everything but gave nothing.
No more great hacking texts were written, which frustrated all legit newbies' efforts to learn (that's why I'm writing this now! =) ). Computers made huge progress. Hacking still popped up occasionally in the news and in magazines, but for the most part the days of glory are gone. And so here I am now, in 2001. Perhaps, though, I am getting worked up; memory always glorifies the past, and the people who tell their stories of the 80s may simply be living a dream... BAH! Enough of this! Let's get back to how to hack!

C) Exploits!

i) Exploits explained

a) What are exploits?

Exploits are programs. An exploit abuses a bug in some other program that runs at a higher level than your own (often root) to trick the OS into letting you use commands and functions that are only available to the higher level(s). For example:

There is a box somewhere in the world with a lot of users on it. There are many user levels on this machine, ranging from guest to root. Username 'Bob' exists on this computer. 'Bob' is only a low-level user, but he can still execute some programs, compile and write code, etc. Because the sysadmin is nice, he allows the lower levels (including 'Bob') to play some games on the machine. Everything is dandy until 'Bob' stumbles upon the latest version of PONG. 'Bob' plays the game for a while and, disgusted at losing, decides to see if he can edit the scores list and give himself first place. As was said before, 'Bob' is only a low-level user, and he fails to edit the scores list from his account. The sysadmin has set the program up to keep the scores list at a higher level than 'Bob', so 'Bob' can't edit it. 'Bob' examines the file (he has read access to it, not write) and discovers that, OOPS, the sysadmin protected the scores at a high level all right: he made the file owned by root, and made PONG a setuid-root program so it could still write there. 'Bob' knows that PONG must be running with root's privileges when it writes the file, even though he started it from his low-level account, or it could never store his high scores.
'Bob' also knows that if he can make PONG go wrong while it still has root's privileges, he can make it run his own code instead of finishing the game. That will get him that glorious and beautiful root prompt. So 'Bob' writes a program that he executes (from his own account) that runs PONG, feeds it a high score, and then triggers a bug in PONG at the moment it is handling the score as root. Instead of writing to the scores file, PONG now executes a special piece of code that 'Bob' supplied, which starts a command prompt. The computer thinks PONG is still happily writing to scores, while it really has become 'Bob's' slave: the prompt it spawned inherited root's privileges, so he now has total access to everything. 'Bob's' program exploited the weakness in PONG (a root-privileged program that trusted input from a low-level user) and is therefore called an exploit.

This is very hard to swallow if you have never had experience with it before, so I will draw a diagram.

HERE IS WHAT PONG NORMALLY DOES:

PONG executed by 'Bob' (it starts with root privilege because it is setuid root) --> 'Bob' plays PONG --> 'Bob' plays very well and gets a high score --> PONG writes 'Bob's' score to the scores list (scores are protected by root, remember) --> PONG exits and the root privilege goes away with it --> 'Bob' is back at his own low-level prompt.

HERE IS WHAT 'BOB'S' CODE (EXPLOIT) DID:

Executes PONG (again running with root privilege) --> Feeds PONG a high score crafted to trigger the bug --> PONG goes to handle the score as root --> The bug makes PONG run 'Bob's' code instead of its own --> THEREFORE PONG NEVER GETS THE CHANCE TO EXIT AND DROP ROOT --> 'Bob's' code starts a prompt --> THIS PROMPT IS ROOT BECAUSE IT WAS STARTED BY A PROCESS THAT WAS STILL ROOT --> 'Bob' is now free to execute any command he wishes, unimpeded.

There are two different types of exploits: local and remote. Local exploits need to be run on the box that will be hacked. Remote exploits can be run over the Internet from any computer. These exploit some server that is running on the box, such as HTTP, finger, or SMTP.
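To make the PONG story concrete, here is an added example of mine; it is not code from the original text or from anyone it mentions. It models the most common form of the bug 'Bob' relies on, a fixed-size buffer that a privileged program fills from untrusted input without checking the length (the buffer overflow, discussed further in the next subsection). The 16-byte buffer, the 4-byte "control word" that stands in for the saved return address, its 0xDEADBEEF starting value and the 0x08041234 target are all made up for the demonstration; the buggy copy and the bounded copy sit side by side so you can see exactly what the fix changes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame inside a privileged program such as
 * the PONG of the story: a 16-byte player-name buffer followed immediately
 * by a 4-byte control word that stands in for the saved return address.
 * Keeping both inside one byte array means every write below is ordinary
 * in-bounds C, so the compiler cannot optimise the overflow away, while the
 * layout is the one an attacker sees on a real stack. */
enum { BUF_LEN = 16, CTRL_LEN = 4, FRAME_LEN = BUF_LEN + CTRL_LEN };

/* Assumed "good" value of the control word; on a real stack this would be
 * the address PONG is supposed to return to after handling the score. */
static const uint32_t CTRL_ORIGINAL = 0xDEADBEEFu;

static uint32_t read_ctrl(const unsigned char *frame)
{
    uint32_t v;
    memcpy(&v, frame + BUF_LEN, CTRL_LEN);
    return v;
}

static void init_frame(unsigned char *frame)
{
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + BUF_LEN, &CTRL_ORIGINAL, CTRL_LEN);
}

/* The bug: copies the whole name, strcpy()-style, trusting the caller to
 * have sent at most 15 characters. Anything longer runs past the buffer and
 * into the control word. (The cap at FRAME_LEN only keeps this model inside
 * its own array; a real stack has no such stop.) */
static void store_name_unchecked(unsigned char *frame, const char *name)
{
    size_t n = strlen(name) + 1;            /* includes the terminating NUL */
    if (n > FRAME_LEN)
        n = FRAME_LEN;
    memcpy(frame, name, n);
}

/* The fix: never copy more than the buffer can hold, and always terminate. */
static void store_name_bounded(unsigned char *frame, const char *name)
{
    size_t n = 0;
    while (n < BUF_LEN - 1 && name[n] != '\0')
        n++;
    memcpy(frame, name, n);
    frame[n] = '\0';
}

/* Run one "score submission" through the buggy code and report what the
 * control word looks like afterwards. */
uint32_t ctrl_after_unchecked(const char *name)
{
    unsigned char frame[FRAME_LEN];
    init_frame(frame);
    store_name_unchecked(frame, name);
    return read_ctrl(frame);
}

/* Same submission through the fixed code. */
uint32_t ctrl_after_bounded(const char *name)
{
    unsigned char frame[FRAME_LEN];
    init_frame(frame);
    store_name_bounded(frame, name);
    return read_ctrl(frame);
}

/* What an exploit author does: pad up to the control word, then place the
 * value they want it to become. `target` is a made-up number here; in a
 * real exploit it would be the address of the attacker's code. It must
 * contain no zero byte, or the string copy would stop early. `out` must
 * hold at least FRAME_LEN + 1 bytes. */
void build_payload(char *out, uint32_t target)
{
    memset(out, 'A', BUF_LEN);
    memcpy(out + BUF_LEN, &target, CTRL_LEN);
    out[FRAME_LEN] = '\0';
}

int main(void)
{
    char payload[FRAME_LEN + 1];
    build_payload(payload, 0x08041234u);

    printf("honest name   : ctrl = 0x%08x\n", ctrl_after_unchecked("bob"));
    printf("20 x 'A'      : ctrl = 0x%08x  <- overwritten\n",
           ctrl_after_unchecked("AAAAAAAAAAAAAAAAAAAA"));
    printf("crafted       : ctrl = 0x%08x  <- attacker-chosen\n",
           ctrl_after_unchecked(payload));
    printf("crafted/fixed : ctrl = 0x%08x  <- unchanged\n",
           ctrl_after_bounded(payload));
    return 0;
}
```

Compile it with plain gcc and run it. The honest name leaves the control word alone; twenty 'A's turn it into 0x41414141 (the classic sign of an overflow in a crash report), and the crafted payload sets it to exactly the value the attacker picked, which is what "running the attacker's code instead of its own" means at the machine level. The bounded version ignores everything past the fifteenth character, so the same payload changes nothing.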
Here is an example of a remote exploit (the previous was a local exploit):

'Bob' is again hacking a box. He runs a port scan and finds that the target is running a very buggy SMTP server with a huge security hole. 'Bob' finds on BUGTRAQ an exploit that can be compiled and run on his home machine and that attacks the SMTP server over the network (a remote exploit). So he downloads it. 'Bob' knows it's stupid to run it from his own computer, so he logs into some shell account at a free shell website and compiles the exploit there. It runs, and successfully roots his target. That's quite a bit simpler than a local exploit, but such holes are also quite a bit rarer.

b) Buffer Overflows:

Buffer overflows are possibly the most common way of exploiting a program. A buffer is a fixed-size area of memory the program has set aside for some piece of data, such as a user name. If the program copies input into that buffer without checking the length, anything longer than the buffer spills over into whatever is stored next to it in memory. On the stack, that includes the address the program will jump to when the current function returns. An exploit fills the buffer with its own code (called shellcode, because it usually starts a shell) and overwrites the return address so that it points back at that code; when the function returns, the program, still running at its higher level (like root), executes the attacker's code instead of its own.

Getting that right takes experimenting, and a wrong guess makes the program crash instead. When a program crashes it leaves a core dump, a file recording its memory at the moment of death, produced to help programmers decipher a bug by showing exactly what happened leading up to the crash; call it a program's black box. A hacker can use this to his/her advantage by reading the core dump of a crashed program to learn how its memory is laid out and so where the buffer and the return address sit. Anyway, I do not feel I can top the explanation of buffers and buffer overflows done by Aleph One in his 1996 paper for Phrack (phrack.org). To find it, search phrack.org for 'Smashing the Stack for Fun and Profit' (Phrack issue 49).

ii) How to use exploits:

Since most exploits are written in C or Perl, it is important to understand a little about those languages. If you don't already know them, skip to the next section, "Programming", and read the Perl and C parts. For now I'll just explain how to run them.

For Perl, you need to make the script file executable. To do this you will need to use the "chmod" command.
So type:

[you@server you]# chmod 700 sploit.pl

C/C++ files need to be compiled. Use gcc to do this, then simply execute the file.

[you@server you]# gcc sploit.c -o sploit
[you@server you]# ./sploit

But wait! How do you get the exploit onto the server? There are a couple of options here. Either a) FTP to the server (if available) and upload the .c or .pl file to the account, OR b) type the file into the server using a text editor such as "Pico" or "vi". Try "Pico" first as it is easier; just type:

[you@server you]# pico sploit.c

Some servers don't have Pico and you will need to use vi, a much more primitive editor.

iii) Where to get exploits:

There are many websites that supply free exploits for people to download and use. There are also mailing lists and other things. See APPENDIX B for a list.

D) Programming

i) Why programming is so important:

Remember, almost all exploits are written in C or Perl, and probably 80% or more are C. You will eventually need to write your own exploits, and you certainly need to understand how programming works. I would say you need to know (read AND write) C/C++ and scripting, and at LEAST be able to read Perl and probably write it as well. You will not pick this up right away, so be patient and practice.

ii) What languages are the best?

a) C/C++:

Most exploits are written in C. Most apps are written in C. Most EVERYTHING is at least partially written in C. The skill is invaluable. If there is a program that is good but doesn't have exactly what you need, you can modify it. No program out there to do what you want? Make your own! Since C/C++ are universal and work on just about every computer in existence, it is a very useful, portable language to learn.

b) PERL:

Perl is very important, as many exploits are written in Perl and many online apps are written in Perl, which means you will need to examine them and look for possible vulnerabilities.

c) Scripting:

UNIX scripts are very similar to DOS Batch files.
They are simply a way of quickly running many different commands at once or consecutively. Many "director" files are written in script. Basically, the file runs a series of commands quickly, saving the user trouble. They can be written for all of the different shells, for example, BASH scripting, CSH scripting, etc. All of these scripts can be run from other shells, so BASH scripts can be run from the CSH shell.

d) Pascal:

Pascal was the first language I learned. It is very useful because it is so similar to C/C++, but is easier to learn. Slight variants of Pascal exist in the form of Delphi for Windows and its Linux clone, Kylix. Delphi/Kylix are both products of Borland and are very useful for quickly creating good-looking programs with a lot of functionality. The drawback is in speed; Delphi/Kylix programs tend to run slower than C/C++ programs.

iii) How to program/Where to learn to program:

I can't tell you how to program, as it would take many months and many texts. But I will tell you where to find good tutorials on programming. First of all, you will need a language that's easy for beginners. I started with Pascal, but I would recommend to others that they learn Python (python.org) first, then HTML, Perl, and THEN Pascal. Once you know Pascal, C/C++ will come very easily to you. It may sound like a lot, but Python, HTML, and Perl can be learned in less than two or three months, and Pascal took me about 2 months to really master. C takes longer, but with those others as a background you shouldn't have much trouble. As for actually LEARNING them... Python can be learned at their website, python.org. They have a couple of nice tutorials there. HTML I learned from a book called "Learn HTML in 10 minutes". Well, not exactly 10 minutes (it's 200 pages long), but I did pick it up quickly. Pascal I learned from a book called "Teach Yourself Delphi in 21 Days".
I learned the basics from that book in about a month, and then really took off and pretty much mastered it in 2 months. C/C++ I feel you can never master. They are so complex and powerful that people can never really get the whole language down by themselves. If you eventually work on some big program, you will probably need several people working with you to accomplish your task. Anyway, to learn it, buy books on C/C++. At least three of them, ranging from Beginner to Advanced. Read them two or three times if you have to.

E) Other important things

i) Core dumps:

Ahh yes, the core dump. Go back to the 'Bob' example I gave you in the exploits section. Now, instead of walking right in after he crashed 'pong', he finds a file called the core dump. What a core dump is, is the contents of RAM at the instant the 'pong' crash occurs. The legit purpose for this file is to allow programmers to see what happened in RAM right before the program crashed, allowing them to solve bugs. Well, let's say passwords are in RAM at the time of the crash; in this case, the root password. 'Bob' can pick up the core dump file and examine it himself. But not to debug a program: to find the root password that was in RAM. To do this he would use a hex editor and look at the hex/ASCII code inside the file. A good hex editor is often included on Linux boxes. If not, pick up a copy of 'ghex' from download.com.

ii) Password cracking:

For those of you who don't know already, Password Cracking is the act of reversing the encryption on a password. Basically, you get a file from a computer that is full of encrypted passwords, and then you run a Password Cracking program that takes a list of words, encrypts each one, and compares the encrypted word with the one it received from the password file you got from the server. It's a little hard to follow, so here's an example. Say that the encryption is 1=a, 2=b, 3=c, etc. (pretty sad encryption, but it's just an example).
So you have a file full of encrypted words that looks like this:

root:123:othercrap

The password-cracking program takes a word from a file (say bcd) and encrypts it. Now the password cracker knows that bcd=234. Then it compares 234 with the password it already knows (in this case 123). It sees they are not the same, so it moves on and encrypts the next word in the file (abc). It sees that abc=123 and that 123 is the password it is attempting to crack. So now it tells you that the root password is abc, which encrypts to 123. Now, of course, real encryption is much more complex and the computer is a lot better at the cracking process (doing it some 25,000 times a second). This is the only real place where a fast computer is needed. Cracking passwords takes CPU strength, and the more you have, the faster it will crack.

a) Getting the passwd file:

The file which contains all the passwords is normally stored as /etc/passwd on a computer. Grab this file over either ftp or telnet.

[you@website you]# cat /etc/passwd

99.9% of the time it will be shadowed, in which case you will see the following in the /etc/passwd file:

root:x:othercrap

If this is the case, the real password file is stored in a protected shadow file (/etc/shadow on Linux boxes). Getting the shadowed password file can be a pain. If the file is shadowed, keep it anyway and use it as a source of logins to brute force (explained later). There are a few tricks that can be attempted to grab the juicy shadowed password file. Keep in mind, however, that these tricks have many times been patched and fixed on a computer.

* Use anonymous FTP to connect to a host and grab it. Often, admins allow a ridiculous amount of access to the anonymous and guest accounts. You can sometimes just surf using your browser and open the file. The host may look like this:

ftp://ftp.website.com/home/guest

Get rid of the home/guest part and add etc. This sometimes gives you access to the /etc/ directory.
ftp://ftp.website.com/etc/

From there, try and grab the shadowed password file. If that doesn't work, pick up the /etc/passwd file and use the logins for brute forcing (again, described later).

* The old but easy PHF method; just type this and it may show up:

http://www.website.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/shadow

* This is my own special way, although I'm sure someone else found out about it before me. First of all, find out if the host has a bulletin board or message board (not UBB, just a plain message board). If so, great! The address should look like this (or similar):

http://www.website.com/bulletin/bulletin.html

Take off the bulletin.html:

http://www.website.com/bulletin/

You will end up in a directory with several files, including one called "passwd", "passwd.txt", or "password.txt" (or similar; just open all the files if it's not obvious). There it is! The root password for the message board (encrypted, of course)! Often the sysadmin will use the same root password for the message board as s/he does for the box itself; if this is the case, you now have root. If not, well, you at least have the message board (though it's probably useless). Now all you need to do is crack the password.

b) Cracking the password:

I've already described how password cracking works, so now I'll explain what you need to do it. First you need a program to do this. My favorite is called "John the Ripper" (APPENDIX A.v). As with any password cracker, you will need a wordlist. Go to http://www.hackersclub.org/km and look under wordlists. Find one that suits your target (if it's a Russian box, get a Russian wordlist, etc.). My personal favorite is the one at the end of the page called "web2.txt". It's a slightly modified version of Webster's dictionary all in one file.
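From the defender's side, the passwd and shadow files described above are the first thing to audit on a box you administer. The following is an added example, not code from the original guide: it parses constructed sample records (no real system files are read, and the hashes are made-up strings in the right format) and flags exactly what a cracker relies on: a hash left unshadowed in passwd, an empty password, an extra UID 0 account, a cheap legacy DES or MD5 hash in shadow, and the login names that stay readable even when every hash is shadowed.

```python
"""Audit passwd/shadow style records for the weaknesses a cracker relies on.

Added example, not part of the original guide. It runs only on the
constructed sample records below; pass real file contents to audit() to
check a system you administer.
"""
import re

# Constructed sample records (not from any real system). The hashes are
# made-up strings in the right format; only their prefixes matter here.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
bbs:Np8Qwe2xLvE6Y:1002:1002:Message board:/var/bbs:/bin/sh
alice:x:1003:1003:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/:/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$6$aBcDeFgH$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnop:18836:0:99999:7:::
toor:$1$XyZ12345$abcdefghijklmnopqrstuv:18836:0:99999:7:::
alice:$6$QrStUvWx$ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZab:18836:0:99999:7:::
nobody:*:18836:0:99999:7:::
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Map login -> record for each well-formed 7-field passwd line."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank or malformed line; a stricter auditor would report it
        login, pw, uid, gid, gecos, home, shell = fields
        users[login] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                        "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """Map login -> hash field for each shadow line."""
    hashes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            hashes[fields[0]] = fields[1]
    return hashes


def hash_scheme(field):
    """Classify a password field by the crypt(3) conventions."""
    if field == "":
        return "empty"            # no password at all
    if field == "x":
        return "shadowed"         # real hash lives in /etc/shadow
    if field.startswith(("!", "*")):
        return "locked"           # account cannot log in with a password
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        return {"1": "md5", "2a": "bcrypt", "2b": "bcrypt", "5": "sha256",
                "6": "sha512", "y": "yescrypt"}.get(m.group(1), "unknown")
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des"              # classic 13-char DES crypt: cheap to crack
    return "unknown"


WEAK_SCHEMES = {"des", "md5"}


def audit(passwd_text, shadow_text):
    """Return (kind, login) findings in the order they are discovered."""
    findings = []
    users = parse_passwd(passwd_text)
    shadow = parse_shadow(shadow_text)
    # More than one UID 0 account is a classic backdoor or misconfiguration.
    for login, rec in users.items():
        if rec["uid"] == 0 and login != "root":
            findings.append(("extra-uid0", login))
    # A hash in the world-readable passwd file can be cracked offline by anyone.
    for login, rec in users.items():
        scheme = hash_scheme(rec["pw"])
        if scheme == "empty":
            findings.append(("empty-password", login))
        elif scheme not in ("shadowed", "locked"):
            findings.append(("unshadowed-hash", login))
    # Even a properly shadowed hash is weak if it uses a fast legacy scheme.
    for login, field in shadow.items():
        scheme = hash_scheme(field)
        if scheme == "empty":
            findings.append(("empty-password", login))
        elif scheme in WEAK_SCHEMES:
            findings.append(("weak-hash-" + scheme, login))
    return findings


def exposed_logins(passwd_text):
    """Login names a brute forcer can read even when every hash is shadowed."""
    return sorted(login for login, rec in parse_passwd(passwd_text).items()
                  if rec["shell"] not in NOLOGIN_SHELLS)


if __name__ == "__main__":
    for kind, login in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print("%-16s %s" % (kind, login))
    print("logins usable for brute forcing:", ", ".join(exposed_logins(SAMPLE_PASSWD)))
```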
Combine such a wordlist with a valid passwd or shadow file and you should have at least one password within a few minutes, depending on how fast your computer is, how big your wordlist file is, and how many l/p combos you need to crack. Once you have a working l/p you can get access to the box and can do various things to get root (described previously).

iii) Brute Forcing:

This is the most basic method to gain a working l/p. What you need to do is find a list of working logins for a box. The easiest way is to grab the /etc/passwd file and use those logins. This works even if it is shadowed, as only the passwords are x'ed out, not the logins. From this point you can use the wordlist file from "Password Cracking" and simply try each password. Now, of course, this could take a very long time. So what now? You need to get a program to do it for you. My favorite is called "Brutus" and, unfortunately, it only runs in Windows (see APPENDIX A.vii). I usually put Brutus on a second computer while I continue to look for holes elsewhere (this works for password cracking as well). Brute forcing should be used as a last resort, only after all other methods of penetration have been exhausted.

iv) Anonymity

a) Wingates/Proxies:

First I will cover proxies. A proxy server is something that allows you relative secrecy by feeding all your data through another server. Here is a diagram of a direct connection:

you ------------------------ server

Here is a diagram of a proxy server connection:

you ----- proxy server ----- server

What really goes on is much more complex, but you can pretty much see what the benefit is, as the server only sees the proxy, not you. However, not all proxies are totally anonymous. Many provide indirect data about you to the server you are connecting to. If you cannot find an anonymous proxy, then there is no point. Cyberarmy.com has a good proxy anonymity scanner as well as an extensive list of proxies.
Many other sites do as well, but most are copied and not reliable. Just look around. To use a proxy, you need to tell your browser to surf through the proxy of your choice. This is very simple in Netscape and MSIE. Just look under 'preferences' and/or 'options' for 'proxies' and insert the needed data. Unfortunately, most proxies only allow anonymity in HTTP or FTP. If this is the case, you will need a Wingate for telnet security. A wingate is basically a glorified proxy. You telnet to it and enter the host which you want to bounce to. Wingates are very secure because most of them don't keep logs, and the ones that do delete their logs after 2 or 3 days. The drawback is that they are very difficult to find and many are unreliable as far as stability. For this reason you will need to find a wingate scanner (cyberarmy.com, again) and search for them yourself. You will want at least 3 to 5 wingates between you and the server you are attacking to ensure you will not get caught. Most sysadmins will not want to do the work to search you down through 5 anonymous wingates, and even if they did, it's nearly impossible. And that assumes you're detected at all; if you follow the hacker's ethics, you probably won't be detected anyway.

b) Shell accounts:

Free shell accounts are a good way to ensure anonymity as well. They are also much easier to find and more reliable than wingates. Be aware, though, that most free shell accounts are well logged and the sysadmins are willing to work with law enforcement, so you will need several accounts at different hosts to be stealthy. Read APPENDIX C for a listing of free shell account hosts. A configuration as follows is pretty much 100% safe:

you --- free shell 1 --- free shell 2 --- wingate 1 --- wingate 2 --- wingate 3 --- wingate 4 --- free shell 3 --- server

Be sure to sign up for the free shells using proxies as well. But wait... what is a shell account anyway?
A shell account is basically an account at some host running a *nix server that you can telnet or ssh (ssh is a secure form of telnet) to. Remember how you have to log in to your Linux box each day? Well, this is basically the same, except you telnet or ssh to the host to log in.

c) Log files:

All UNIX/Linux boxes have some sort of logging turned on. I will go over a few of the more common logs and how to remove them. The first two (and the default logs) are kernel logs (klogd) and system logs (syslogd). The first step is to simply turn off the logs by killing the daemons that do it. Do the following:

[root@hacked root]# ps -def | grep syslogd
[root@hacked root]# kill -9 pid_of_syslogd
[root@hacked root]# ps -def | grep klogd
[root@hacked root]# kill -9 pid_of_klogd

What this does is first find the syslog, then kill the syslog; then find the klog, then kill the klog. Not so tough. Now edit (not delete) the /etc/syslog.conf file to remove yourself from the logs. Several other logs exist on a machine: utmp, wtmp, lastlog, and .bash_history. The utmp log is the log for the system; this logs everything that goes on. The wtmp logs who logs in and out of a box and when. It needs to be changed, particularly if you made several logins at odd times of the day under little-used accounts. If you are using the bash shell, you will also need to edit the .bash_history file. This log contains all the commands you gave while using your account. All of these should be in /var/log, /etc, or /usr/bin. If you don't find them, it's probable that another machine has been set up to monitor the computer you're hacking. If this is the case, you will need to hack that machine to put those logs out of commission. Just a note: if you are on a Windows box, all logs are stored in the C:\winNT\system32\logfiles directory. You can safely just delete all these files, as Windows just makes new ones without your presence in them when they disappear. Rootkits are nice as well.
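Seen from the sysadmin's chair, killing syslogd and editing the log files leaves marks of its own: a stretch of silence, a syslogd restart line right after it, a periodic cron job whose hourly line is missing, and edited records whose timestamps run backwards. The following is an added example, not code from the original guide, that finds those marks in a constructed /var/log/messages sample (the year is passed in because classic syslog lines carry none).

```python
"""Look for the fingerprints that killing syslogd and editing logs leave behind.

Added example, not part of the original guide. It runs on the constructed
sample below; feed it the text of /var/log/messages (and the year the log
was written, since classic syslog lines carry none) to check a real box.
"""
from datetime import datetime, timedelta

# Constructed sample of a /var/log/messages file (not a real capture).
# Line 3 is the last entry before the daemons were killed; line 4 is
# syslogd coming back; line 6 is a record re-inserted with the wrong time.
SAMPLE_LOG = """\
Jul 28 01:58:12 box sshd[4412]: Accepted password for guest from 10.0.0.5 port 40211 ssh2
Jul 28 01:58:40 box su: (to root) guest on pts/1
Jul 28 01:59:01 box CRON[4450]: (root) CMD (run-parts /etc/cron.hourly)
Jul 28 03:41:07 box syslogd 1.4.1: restart.
Jul 28 03:41:09 box sshd[4501]: Accepted password for alice from 10.0.0.9 port 40377 ssh2
Jul 28 03:20:15 box sshd[4412]: pam_unix(sshd:session): session closed for user guest
Jul 28 04:01:01 box CRON[4620]: (root) CMD (run-parts /etc/cron.hourly)
"""

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def parse_timestamp(line, year):
    """Datetime for a classic 'Mon DD HH:MM:SS' syslog prefix, or None."""
    parts = line.split(None, 3)
    if len(parts) < 4 or parts[0] not in MONTHS:
        return None
    try:
        hh, mm, ss = (int(x) for x in parts[2].split(":"))
        return datetime(year, MONTHS[parts[0]], int(parts[1]), hh, mm, ss)
    except ValueError:
        return None


def find_anomalies(text, year, max_gap=timedelta(minutes=30)):
    """Flag silent stretches (daemon killed) and timestamps running backwards (edited)."""
    findings = []
    high_water = None          # latest timestamp seen so far
    high_water_line = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        ts = parse_timestamp(line, year)
        if ts is None:
            continue
        if high_water is not None:
            if ts < high_water:
                # Appended or edited records usually break the monotonic order.
                findings.append({"kind": "out-of-order", "line": lineno,
                                 "seconds": int((high_water - ts).total_seconds())})
                continue       # keep comparing against the real high-water mark
            if ts - high_water > max_gap:
                findings.append({"kind": "gap", "line": lineno,
                                 "after_line": high_water_line,
                                 "seconds": int((ts - high_water).total_seconds()),
                                 # syslogd announcing a restart right after silence
                                 # is what a kill -9 plus a restart looks like
                                 "restart_marker": "syslogd" in line and "restart" in line})
        high_water, high_water_line = ts, lineno
    return findings


def missing_heartbeats(text, year, marker="cron.hourly", period=timedelta(hours=1)):
    """Find intervals where a periodic job's log line is absent.

    A job that fires every hour leaves a line every hour; two consecutive
    lines much further apart than the period mean the log lost entries.
    Returns (line_a, line_b, seconds) triples.
    """
    beats = [(lineno, parse_timestamp(line, year))
             for lineno, line in enumerate(text.splitlines(), start=1)
             if marker in line and parse_timestamp(line, year) is not None]
    lost = []
    for (la, ta), (lb, tb) in zip(beats, beats[1:]):
        if tb - ta > period * 1.5:
            lost.append((la, lb, int((tb - ta).total_seconds())))
    return lost


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_LOG, 2001):
        print(finding)
    print("heartbeat gaps:", missing_heartbeats(SAMPLE_LOG, 2001))
```

Shipping syslog to a second machine (the "other machine set up to monitor" the text mentions) is what makes these checks trustworthy, since an intruder with root can rewrite the local copy but not the remote one.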
A rootkit finds and edits logs for you, keeps you from appearing in the 'who' listing, and allows you an easy backdoor into a system. The drawback is that rootkits are detectable if a sysadmin looks at the reports. What happens is that instead of sending a REAL report to the sysadmin about what is going on, the rootkit sends a forged one, and this leaves noticeable traces of itself in the logs. All a sysadmin has to do is examine them closely and s/he can see that a rootkit has been placed.

F) Crippled Hacking

i) AOL:

Ugh, if you have AOL the best thing you can do is get rid of it. If you can't, then here are two tips on how to at least get some good use out of it.

1) From aol-files.com, download an old version of AOL; try version 1.5 or 1.0. It offers a real connection to the Internet. From that you can actually telnet and use other important functions.

And (this one is from happyhacker.org)

2) Don't even use the AOL client program. If you use Windows 95/98, go to Control Panel --> Network and make sure you are running Client for Microsoft Networks, Dial-Up Adapter, and TCP/IP-->Dial-Up Adapter. Under TCP/IP-->Dial-Up Adapter click Properties and then get tech support at AOL to help you fill in everything. If they won't help you, under the DNS Configuration tab choose Enable DNS and put in these for your DNS servers: 206.61.52.11 and 206.61.52.12. They belong to Vincent Larsen of http://www.thirdpig.com. Then on the IP Address tab choose "Obtain an IP address automatically." Don't fill in anything else.

If these methods don't work, get a new ISP. Don't contact me about how to use AOL and hack. I can't/won't help you.

ii) Windows:

Contrary to popular belief, you can hack with Windows. In fact, sometimes it's vital to a good hack. You may need to run a program that only runs from Windows; for example, most wingate scanners and brute forcer programs run on Windows only. Understanding how Windows works is also nice, as you will encounter many NT boxes on the Internet.
I suggest keeping at least a dual-boot system with some Linux version and some Windows version. This guide focuses on *nix OS's, but most of the stuff can be done from Windows anyway. All you need is a working shell account (APPENDIX C) and a program called HyperTerminal, which allows you to connect to your shell account and dial up networks. A Windows brute forcer and wardialer are also helpful (APPENDIX A).

5) WHERE TO HACK

A) More old school hacking

i) SprintNET and other large networks:

SprintNET (once known as telenet) hacking is a little old now, but I will still explain how to do it, as it is a skill that is important to hacking, and you can still find interesting machines connected to it. Another major network exists, called Tymnet, which is run by MCI. The 800 number for SprintNET is 1-800-473-7983 and Tymnet is 1-800-937-2862. Use those numbers only to get your local dialups, as the 800 numbers are always equipped with tracer programs. I'm going to make this quick, as I could write an entire tutorial on it. It's not super important and there are many good ones written already on the topic, specifically The Mentor's guide.

a) Logon and basic commands:

I'll go over connecting to SprintNET.

1) Use HyperTerminal (Windows) or Minicom (Linux) to connect to the 800 number. You will see a TERMINAL= prompt; type 'vt100'. This is most computers' emulation. You may need a different one, but this one is the best and should work. Now type @ and then hit enter. At the @ prompt type 'mail'. It will ask for a l/p combo. Type 'phones' and 'phones' for the login and password. Find your local dialup number, log off the 800 number and dial the number you found. Log in the same way and move on to the next section.

For Tymnet, dial up the same way you did for SprintNET. Now type your terminal emulation at the prompt and DO NOT PRESS ENTER.
When you finish, you will see another prompt; now all you need to do is

b) Locating/logging into a system:

First you must understand how these networks specify each computer. Similarly to the Internet, they are all given a number. But unlike the Internet, the number itself reveals information about that computer and its location. This number is called a Network User Address, or NUA. An example is as follows: 031107410006540. The 03110 is the DNIC, the 74100 is the area code, and the 06540 is the network address. The DNIC says what network the computer is connected to and what country it is located in. Each country/network combination is given its own number. Read The Mentor's guide for a further explanation, as it says it better than I ever could. The area code is pretty self-explanatory, and the network address is similar to the suffix of a telephone number. Let's say you wanted to connect to our sample machine. You would type the following:

@c 741 654

You can omit the DNIC and the leading zeros when typing this. The 'c' means connect. So 'c 741 654' means 'connect to 031107410006540'. You will encounter certain problems along the way: computers that won't respond, odd OS's, custom systems, and a whole load of neat things to experiment with. Again, if you want to hack on SprintNET, read another text like The Mentor's or Revelation's (http://www.hackers.com/index2.html) about SprintNET hacking. Those texts concentrate on old school hacking and are mostly made obsolete by the Internet. But they still work fine and are interesting, so read them. I am not spending that much time describing it, as it is not the focus of this text. Got it? Good.

ii) Wardialing and prefix scanning:

One method an old school hacker uses to find a system is the wardial. A wardial is a scan of every number in a telephone prefix looking for systems to attack. So if the prefix I wanted to scan were 555, then I would use a wardialer to scan from 555-0000 to 555-9999.
The chances of encountering something cool are high, but it can take a while. Wardials happen all the time for various reasons. Ever hear your phone ringing, pick it up, then no one answers and you hear a *click*buzzzzz*, then it hangs up? That is probably some hacker wardialing for a machine to hack. S/he just happened to come across your number in the scan. There are two ways to wardial. 1) Simply get a telephone and a prefix and start dialling numbers manually. When you hear a carrier signal (an obvious modem sound), go ahead and dial the number from your computer. And 2) the better way: use a program on your computer to do it for you. The best of these I know of for Linux is 'Shokdial' (APPENDIX A.vi). Your computer will sit and dial for hours at a time, recording all valid systems. Note: you may have some people tell you wardialing is illegal. Well, it's not. The idea of a telephone is to be able to dial whomever, whenever you want. So long as you don't "dial flood" someone (dialling their number over and over again so as to annoy them and keep others from calling them), it's legal.

B) Web-based hacking

i) Finding targets:

There are three primary ways to find targets. The first way I don't recommend. But basically, what you do is go to a search engine and type "URL=.com". This will find all of the targets with the ".com" suffix. Most often this is done when someone just wants to search around, find some random server and scan for a specific vulnerability. If it's not on the first machine on the list, they move on to the second and third and fourth, forever searching for a system with one specific vulnerability. When they find one, they break in and then leave. It's not exciting, and is very lame, usually employed by script kiddies who want to get their name on alldas.de for defacing a web page. The second way is how I normally work. I find a target that looks promising and lay siege to it.
Do this by searching for some random topic like "animal hides" or something and check out each server. When you find one that's weak, that's your target. I describe this type of hack in section 6, "THE HACK, FINALLY". This also includes when people ask you to attack their own servers to perform a security check. The third method is to simply look for websites you don't like. This can be anywhere from hacking the DNC/RNC to hacking child porn sites. They range from noble (hacking kiddie porn) to mean (hacking the official Barney website and depriving children of their Barney games) to just plain lame. Whatever the reason, it most often ends up in an rm -rf / on the system, which destroys everything.

ii) Wargaming:

This is fun! A hacker's wargame is a server set up for the specific purpose of you hacking it. It's REALLY nice because it's 100% legal, so there's no worrying about log files, anonymity or whatever. I usually go through a shell account or wingate anyway because I'm paranoid :). Wargames are hosted at pulltheplug.com, hack3r.com, happyhacker.org, and others. But I don't like using those, as they are all hacked and patched and not realistically secured machines. So, go to your favorite BBS system and look around for a post about wargames. Very often someone will find an extra box and put it on the web for fun to see if people can hack it. Many times these are just lightly secured and are almost ALWAYS realistically shielded from attackers; in other words, they are not default Red Hat installs, and are also not hacker-proof, overpowered and overpopulated boxes. Eventually, you may want to get an extra machine hooked up to your own network and set it up as a wargame. Another cool type of wargame is the taunt wargame. Some company who thinks they're hacker-proof says "c'mon, get me!". This is cool because many times they will offer a reward for hacking their servers.
The most recent of which I heard was a company offering 1 million dollars to the person who could root their computer.

6) THE HACK, FINALLY!

I assure you this section is EXTREMELY important to a successful hack and should not be overlooked. Gathering the proper information about a target can give you easier ways in and crucial data about a network's overall security. Here is an example of how you would perform a hack. Remember to employ ALL the skills you learned from this text while reading this. And for the love of God, don't try this without knowing what you're doing.

First of all, you will need all the valid email addresses you can find at your target. Let's say your target is website.com. Go to website.com in your browser. Look around for a contact page or something. Look at the bottom of the pages at copyright info. Write down all the email addresses you can find. These addresses are very important, as they often serve as valid logins on many machines. The more logins you have for a machine, the more easily you can Brute Force their system.

Second, run whois and nslookup on their server. So:

[you@localhost you]# nslookup website.com
[you@localhost you]# whois website.com

Write down ALL the info it prints on the screen: IP addresses, email addresses, name servers, other computers on the network, everything. This is important info for the future.

And third, send an email to a bad address, i.e. xoxoxoxox@website.com, from an anonymous email address. Then when you get the "Could not deliver email yada yada yada" message, write down the header. This often includes important data on what version of servers they are running, etc.

You will need to perform a network scan as well to find out what other computers lie on the network. Use 'nmap' to do a subnet scan of the IP addresses you found using whois and nslookup.
To do this, use the following command:

[you@localhost you]# nmap -sP website.com/24

What this does is scan all the computers on similar IP addresses to see if they are connected to the same network. So if website.com is 1.1.1.1, then a subnet scan will scan from 1.1.1.1 to 1.1.1.255 in order to determine what computers are hooked up along with 1.1.1.1. Use 'nmap' again to scan for services on all the machines revealed by the subnet scan, using the following command:

[you@localhost you]# nmap -v -sS IPADDRESS

Be sure to read the nmap man page (man nmap) to customize these options to fit your own needs and see exactly what they are doing. This will allow you to decide on a weak point in website.com's network. If you find SMTP services, remember to send a fake email to that machine or telnet to the service to find out its version number.

Now after you've done that, you will need to find out what OS's are running. There are a variety of ways to do this, but the best and most anonymous is to go to http://www.netcraft.com/whats and insert each IP address. It will give you its OS as well as some other information. Write it all down in the following format, making a new entry for every machine:

IP ADDRESS:
OS:
SERVICES:
  -ftp version
  -smtp version
  -http version
  -etc etc etc
NOTES: leave some space (maybe put working l/p combos here)

You may have 30+ of these entries, but it will be well worth it. After all that's written down, take a couple of days off and study the info you've gathered. Look for low version numbers and general abnormalities. For example, if you see one that says OS: RedHat 7.0, ftp version 1.0, smtp version 1.0, http version 1.0, etc., you can infer that this is probably a default-install RedHat box and is very weak. You decide to attack it. Search the Internet for exploits on that box. Search for exploits on its version of smtp/ftp/whatever and its OS. Once you have a promising one, use it by employing the methods I have described before.
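From the defender's side, the subnet sweep and SYN scan above are loud: every probe lands in the firewall log long before any exploit is tried. The following is an added example, not code from the original guide, that reads iptables-style LOG lines (a constructed sample built in the block itself, using documentation address ranges) and raises an alert when one source address pings many hosts or sends bare SYNs to many ports inside a short window, while an ordinary client retrying a single port stays quiet.

```python
"""Detect nmap-style ping sweeps and SYN scans in iptables LOG output.

Added example, not part of the original guide. The sample firewall log is
constructed programmatically (addresses from the documentation ranges);
pass real 'kernel:' LOG lines to detect_scans() to run it for real.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Fields of an iptables LOG line that matter here; everything else is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: SPT=\d+ DPT=(?P<dpt>\d+))?(?: TYPE=(?P<type>\d+))?")


def build_sample(year=2001):
    """Constructed firewall log: a ping sweep, a SYN scan, and one normal client."""
    t0 = datetime(year, 7, 28, 4, 10, 0)
    lines = []

    def log(t, src, dst, tail):
        lines.append("%s gw kernel: IN=eth0 OUT= SRC=%s DST=%s LEN=44 TTL=54 ID=0 %s"
                     % (t.strftime("%b %d %H:%M:%S"), src, dst, tail))

    # nmap -sP: one ICMP echo request to every address in the subnet
    for i in range(1, 7):
        log(t0 + timedelta(seconds=i), "203.0.113.7", "192.0.2.%d" % i,
            "PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=%d" % i)
    # nmap -sS: bare SYNs to many ports on one host, seconds apart
    for n, port in enumerate([21, 22, 23, 25, 53, 79, 80, 110, 111, 143, 443, 3306]):
        log(t0 + timedelta(seconds=10 + n), "203.0.113.7", "192.0.2.10",
            "PROTO=TCP SPT=%d DPT=%d WINDOW=1024 RES=0x00 SYN URGP=0" % (51000 + n, port))
    # an ordinary web client retrying port 80: SYNs too, but a single port
    for n in range(3):
        log(t0 + timedelta(seconds=20 + 5 * n), "198.51.100.4", "192.0.2.10",
            "PROTO=TCP SPT=%d DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0" % (40000 + n))
    return lines


def parse_line(line, year):
    """Return (timestamp, src, dst, kind, port) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
    if m.group("proto") == "ICMP" and m.group("type") == "8":
        return ts, m.group("src"), m.group("dst"), "echo", None
    # a SYN without ACK is a connection attempt (or a half-open probe)
    if m.group("proto") == "TCP" and " SYN" in line and " ACK" not in line:
        return ts, m.group("src"), m.group("dst"), "syn", int(m.group("dpt"))
    return None


def detect_scans(lines, year=2001, window=timedelta(seconds=60),
                 host_threshold=5, port_threshold=10):
    """Per source address, count distinct targets inside a sliding time window."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            events[parsed[1]].append(parsed)
    alerts = []
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        best_hosts, best_ports = 0, 0
        for i, (t_i, _, _, _, _) in enumerate(evs):
            inside = [e for e in evs[i:] if e[0] - t_i <= window]
            best_hosts = max(best_hosts, len({e[2] for e in inside if e[3] == "echo"}))
            best_ports = max(best_ports, len({(e[2], e[4]) for e in inside if e[3] == "syn"}))
        if best_hosts >= host_threshold:
            alerts.append({"kind": "ping-sweep", "src": src, "hosts": best_hosts})
        if best_ports >= port_threshold:
            alerts.append({"kind": "syn-scan", "src": src, "ports": best_ports})
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(build_sample()):
        print(alert)
```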
An alternative is to run a SAINT scan (APPENDIX A.ii) on promising boxes and look for vulnerabilities. Run SAINT as little as possible, as it tends to attract attention. If all you could find is a local exploit, you will need a l/p for that box. This can be trouble. Read the "Password Cracking" and "Brute Forcing" sections on how to get l/p combos.

After using the methods pointed out before, plus time and work, you will gain root access to one of the boxes on the network. From there you have it made. Install a network sniffer on the machine. Soon (sometimes within minutes) you will have l/p combos from people around the network logging in and out of various things. Eventually someone will log in somewhere as root. BAM! You have the root password to another machine sniffed and waiting for you on the first box you hacked. Log in to that box as root and look around. DO NOT DESTROY ANYTHING. If you want, install another network sniffer and wait. Soon enough you may have total access to their network, assuming an admin didn't detect your presence. It's good to have access to more than one box, so if one is taken down you have access to another. BUT, if you find that an admin has detected you, it's best to leave immediately. Even put a message in the /root/ directory about the fact that you hacked their system and how you did it, and that you didn't change anything (you didn't, DID YOU?) and will leave ASAP. Doing this will ease the anger of an admin and keep them from wanting to trace you.

Going back a little, if you have trouble finding a box that allows telnetting, do a prefix scan of their telephone number (found in the 'whois' search). Often you will find a modem attached to a weak computer. You will be presented with the login prompt to some backdoor computer. You can brute force your way in or use a l/p from another box.

A few more notes/tricks:

1) Rootkits: when you gain root, install one of these guys to help hide yourself.
It will alter logs and remove you from the online list at the time (the 'who' command). That way no one will know you're on. Rootkits are far from foolproof, as they often leave fingerprints and detectable traces of their existence.

2) Remember to always login/hack using three or more wingates or shell accounts as a buffer. Wingates are better, but harder to find.

And 3) try all the passwords you find on all machines you find. Very often, an admin will use the same root password for more than one machine. If this is the case, by hacking one machine you have actually gotten access to others.

I want to reiterate to you the importance of not changing anything but log files. Downloading corporate secrets, source code, bank records, and ESPECIALLY credit card numbers are all very likely to get you caught. Defacing a web page is just lame, so don't do it. Personally, I hack because it's fun. I get little thrills from seeing that root prompt, and most of the time I either seal up holes myself or leave a message telling the admin how to do it himself. Sysadmins are people too, and you can either befriend them or piss them off. So keep that in mind.

7) FAREWELL!

A) Your future:

Well, this part's up to you! I hope that you will use this guide for good, not evil, and become a very successful hacker. Just keep plugging at it and don't turn script kiddie on me. :)

B) About me:

Me? Well, I originally entered the hacking world when I read a magazine article by Carolyn P. Meinel (of happyhacker.org) in Scientific American, October 1998 edition. I was amazed. I read up on hacking, programming, etc. and fell into place. Being a newbie was hard and I was tempted to turn script kiddie. Part of the reason I am writing this now is to help you newbies out there find a place in hacking. I am stuck between being a novice hacker and an outstanding one. I believe this is because of limitations put on me inadvertently by my parents (of course, it's all them, not me, duhh!).
But really, I have read enough that all I need is some more freedom without people peering down on me, so I can spend more time hacking and less time hiding things. :) Just FYI, I have gone through a couple of names, the most recent being '/|ristides'. "Issues" forced me to retire that name and now I can be known as 'sixby6'. Please don't call me by anything but 'sixby6'... That's it for my boring story.

C) Thanks:

I would like to thank...

Ginberry - for grammar and spell checking this guide.
UNIXkid - for providing part of the UNIX/Linux section.
Devonix - for being cool
Jetstorm - for being cool
modest - for reminding me to write this guide :P
The Mentor - for making a really good hacking text in '89
Carolyn P. Meinel - for drawing me into hacking
my dad - for buying me lots of computer crap :)

A lot of other cool people can be found on BBSs. So go to the hackers.com BBS and talk to me and some of my friends. ;)

D) Final notes:

Notice that I named this text "The Indispensable Guide to Hacking", not the only or the best guide to hacking. I have done my best to give you useful and helpful information, but that does not mean that you should consider yourself a hacker after reading it, or that you should stop reading texts. I hope you have enjoyed my work and that I have brought you a step or two closer to becoming a hacker. I left a lot out of this text, I know, but I believe that it gives all the fundamentals you need to start. I apologize if I have been confusing or long-winded in some parts, but I don't claim to be a professional writer (my, over, use, of, the, comma, annoys, some, people), so, as always, feel free to email me with questions/comments/suggestions so long as they aren't "help me hack something", "hack something for me", "teach me to hack", "how do I hack hotmail", "what is telnet", or similar. Remember, a picture is worth 1000 words, but I don't need 1000 words to get the picture. Short and easy will do.
You can also contact me on the Hackers.com BBS and the Hack3r.com BBS.

8) APPENDIX

A) Hacking programs:

This is a list and short description of some software tools you will want/need. All these programs are for UNIX/Linux; some have Windows versions, however. Read 4.F.ii, "Crippled Hacking, Windows", for information on hacking with Windows. All of these programs can be downloaded from my site, http://rt45.host.sk.

i) nmap: This program is absolutely necessary. It is a very advanced port scanner with many different options and tools all integrated. You can run FIN scans, regular scans, send spoofed packets, and MUCH MORE. Read various other texts about nmap to figure out how to use it. Once you do, you'll be glad you did. (http://www.nmap.org)

ii) SAINT: A highly evolved version of SATAN (Security Administrator's Tool for Analyzing Networks). It scans UNIX/Linux systems for known vulnerabilities, then alerts you to any exploitable services and general ways to exploit them. Very nice tool and helpful for quickly analyzing a *nix box. This program WILL NOT do the hacking for you; it just tells you what can be hacked, saving you the painful trouble of finding out yourself.

iii) Nessus: Very similar to SAINT, except it analyzes NT, not *nix. Nice because they update so often, and a very streamlined install, might I add. (http://www.nessus.org)

iv) Minicom: Most Linux distros install this one automatically. Basically, it allows you to dial up a computer. It is packed full of options, and its helpful text interface lets you run it very well even without X Windows installed. To see if you have it, type "minicom" at the console.

v) John the Ripper: You have probably heard of this one. John the Ripper is a password cracking program that takes a wordlist and attempts to crack passwords from the /etc/passwd or /etc/shadow file. More info in 4.E.ii, "Password Cracking".

vi) Shokdial: The best Linux wardialer in existence. Info in 5.A.ii, "Wardialing and prefix scanning".
vii) Brutus: A Windows-only brute forcer. Very good, offering support for brute forcing telnet, http, smtp, and others very quickly and anonymously. (http://www.hoobie.net)

B) Hacking websites:

Here is a list of some websites about hacking I have found. This isn't supposed to be a huge list or anything, just a list of some of the best.

http://rt45.host.sk
http://www.hack3r.com
http://www.hacknix.com
http://www.root-core.com
http://www.soldierx.com
http://www.attrition.org
http://blacksun.box.sk
http://www.securityfocus.com
http://www.hackersclub.com/km
http://www.hackers.com
http://www.cyberarmy.com

C) Free shell accounts:

SDF (freeshell.org) - http://sdf.lonestar.org
GREX (cyberspace.org) - http://www.grex.org
NYX - http://www.nxy.net
Arbornet - http://m-net.arbornet.org
ShellYeah - http://www.shellyeah.org
HOBBITON.org - http://www.hobbiton.org
FreeShells - http://www.freeshells.net
DucTape - http://www.ductape.net
Nether.Net - telnet://freenet.nether.net (login: newuser)
Free.Net.Pl (Polish server) - http://www.free.net.pl
XOX.pl (Polish server) - http://www.xox.pl
IProtection - http://www.iprotection.com
CORONUS - http://www.coronus.com
ODD.org - http://www.odd.org
MARMOSET - http://www.marmoset.net
BRU-NOC - http://www.bru-noc.net
flame.org - http://www.flame.org
freeshells - http://freeshells.net.pk
LinuxShell - http://www.linuxshell.org
Unix-Shells - telnet://unix-shells.com
takiweb - http://www.takiweb.com
FreePort - http://freeport.xenos.net
BSDSHELL - http://free.bsdshell.net
ROOTshell.be - http://www.rootshell.be
shellasylum.com - http://www.shellasylum.com
Daforest - http://www.daforest.org
FreedomShell.com - http://www.freedomshell.com
LuxAdmin - http://www.luxadmin.org
shellweb - http://shellweb.net

DISCLAIMER: THIS TEXT REPRESENTS FREE SPEECH AT ITS BEST. I DO _NOT_ PROMOTE ILLEGAL ACTIVITIES. YOU TAKE FULL RESPONSIBILITY FOR YOUR ACTIONS. IF YOU USE THIS AS A GUIDE TO COMMIT CRIME AND END UP IN COURT OR PRISON, DON'T WHINE TO ME ABOUT SHOWING YOU HOW. I CANNOT STOP YOU FROM DOING SOMETHING ILLEGAL, SO IT IS NOT MY FAULT! ALSO, DO NOT COPY THIS TEXT WITHOUT PERMISSION. YOU _MAY_ POST IT ON A BBS, MESSAGE BOARD, WEBSITE, WHATEVER, WITHOUT PERMISSION. JUST DON'T COPY IT.

eof