[ASCII art banner: THE ANTIDOTE]

                        -|The Antidote|-

|===================|
|=Issue: 1==========|
|=The Antidote======|
|===================|
|=Founded By:=======|
|=LoRD OaK & Duece==|
|===================|

Contents-

  Introduction
  Writing Antidote

  Current News
    Chinese hackers sentenced to death - Skaman
    Remote Explorer III - LoRD OaK
    Cyber War - LoRD OaK

  Submittings
    Windows NT security Tips - z0mbie
    Assembly in a NuTSHeLL - skatebs
    A legal hack with Remote Wall - PBBSER

|*******************|
|*Introduction******|
|*******************|

This ezine is made in .txt and .bat files. If you wish to get one or the other instead of the one you are using now, please visit www.thepoison.org/antidote and click on issues.

I am first going to thank Macro Imperatore for making the ASCII art above. He does a nice job, and thanx! You can e-mail him at: spaggy64@hotmail.com His webpage is located at: http://www.micwarez.cjb.net so please go check it out!

Please feel free to submit your articles to the Antidote. You can send your articles to: lordoak@thepoison.org or duece@thepoison.org. If we see that the article will fit in our magazine, we will post it and give you full credit. You can write news stories for us, or, as z0mbie did with the "NT security Tips" in this issue, you can write us with questions, news, comments, or even hacking/phreaking stories.
You will get full credit or you can stay anonymous (please specify in your e-mail what you want to be listed as).

|*******************|
|*Current News******|
|*******************|

Chinese Hackers Sentenced To Death

Two brothers from Yangzhou City, China, are the first, in an expected coming wave of high-tech criminals, to be handed a stiff sentence by the Chinese courts. Hao Jingrong connected a homemade modem to the Industrial and Commercial Bank, where he was employed. Then his brother Hao Jingwen used a personal computer from a remote location to hack into the bank's computer system and transfer a total of 720,000 yuan, equivalent to 86,700 US dollars, into several bank accounts which they had set up using false names. They were able to withdraw 260,000 yuan before being apprehended by police. This is the first bank robbery of its type in China. The courts fined the brothers 40,000 yuan and sentenced them to death, although all the stolen money was recovered.

Skaman (skaman1@hotmail.com)

Remote Explorer III

Remote Explorer III can act as a worm or a virus if run by a Windows NT user. It will locate executable files, insert a compressed copy of the original executable into a copy of itself as a resource, then replace the original (including file attributes and access times). If a server admin runs this worm/virus, it will install itself as a service. When it runs as a service it is operating under the System user context, so it will then open the shell process (typically explorer) and copy the process token, which it uses to start a new copy of itself running under the context of the logged-in user. Then it will duplicate itself and try to run itself again; whether it is installing itself as a service remotely or is merely corrupting files isn't known. It could be doing either or both. If it achieves running as a service, it qualifies as a worm (it actively spreads itself, rather than passively).
In addition to infecting exe files, it can and will encrypt data files. It normally shows up as "Remote Explorer", and can be located using sc from the Resource Kit, Server Manager (point and click, so not practical for lots of machines), and the ISS scanner will also find it (see the 'Unknown Services' check). Once you locate a copy of it running as a service, either use sc or Server Manager to stop the service and set it to disabled. Do not log on locally on a machine with an active Remote Explorer service. The various anti-virus people are now coming up with disinfectors.

LoRD OaK [lordoak@thepoison.org]

War declared on China and Iraq
contributed by Legion of the Underground

In a very heated and emotional discussion, Legion of the Underground declared cyber-war on the information infrastructure of China and Iraq Monday night. They cited severe civil rights abuses by the governments of both countries, as well as the recent sentencing to death of two bank robbers in China and the production of weapons of mass destruction by Iraq, as the reasons for their outrage. Quoting from the Declaration of Independence about the right of the people to govern themselves, and stating that the US government will probably stand idly by while these atrocities happen in other countries, the Legion of the Underground called for the complete destruction of all computer systems in China and Iraq.

"The Government controls what goes into our mouths, let's not let them do the same with what comes out!" said one LoU member during a press conference held on IRC Monday night.

LoU mentioned that they may seek out assistance in their war from the Hong Kong Blondes. The HKBs are a well-known group attempting to cause mayhem on China's internetworks from within the Iron Curtain. The HKBs were trained and assisted, until recently, by the infamous Cult of the Dead Cow hacking group.
LoRD OaK [lordoak@thepoison.org]

|*******************|
|*Submittings*******|
|*******************|

Windows NT Security Tips!
=============================================
Written by: z0mbie (z0mbie@thepoison.org)
Copyrighted by: Security Warfare
=============================================

This is a list of the security hazards found in Windows NT and how to secure them.

  I.   Information on Security Hazards
  II.  Securing the Security Problem
  III. Some Cool Tips on Windows NT

I. Information on Security Hazards

As you all know, Windows NT is the system most often hacked into and wrecked; there are a lot of remote exploits for Windows NT, for example rollback, getadmin, IIS 3.0 (GET ../..) etc. etc.

RollBack : A program for Windows NT for deleting the registry. It can be used remotely if you have access to the remote machine.

GetAdmin : A nice little tool for getting administrator passwords from the remote machine.

RedButton : Logs on remotely to a target computer without presenting any user name and password. It:
  - shows that unauthorized access to sensitive information stored in the file system and registry, available to the Everyone group, can be obtained;
  - determines the current name of the built-in Administrator account (thus demonstrating that it is useless to rename it);
  - reads several registry entries (e.g. it displays the name of the Registered Owner);
  - lists all shares (including the hidden ones);
  - shows that the identifier Everyone includes not only legitimate users of the network but everyone.

Sechole : Sechole.exe allows a non-administrative user to gain debug-level access on a system process. Using this utility, the non-administrative user is able to run some code in the system security context and thereby grant himself or herself local administrative privileges on the system.
Sechole.exe locates the memory address of a particular API function (OpenProcess) and modifies the instructions at that address in a running image of the exploit program on the local system. Sechole.exe requests debug rights that give it elevated privileges. The request is successful because the access check for this right is expected to be done in the API that was successfully modified by the exploit program. Sechole.exe can now add the user who invoked Sechole.exe to the local Administrators group.

Qtip : Logs on remotely to a target computer and then gives you all the user names from the remote computer.

L0phtCrack : Cracks the administrator passwords from the .sam file of the remote computer. You can also do this remotely if you have the Administrator user name and password.

C2MYAZZ SMB Downgrade : When a Microsoft networking client creates a new connection to an NT Server, it is possible for another computer on the same physical network to 'spoof' the Microsoft client into sending a clear-text password to the NT Server. It bypasses all password encryption, allowing the client's clear-text password to be discovered by any other device on the same physical network. This program actually runs on a Windows-based system loaded with Novell ODI-style drivers running in promiscuous mode. Once active, the software listens for SMB negotiations, and upon detecting one, sends a single packet to the client instructing it to downgrade its connection attempt to a clear-text level, at which point the client silently obeys by sending its password in clear readable text. Once this happens, this little piece of software grabs the password as it travels over the wire and displays it on the screen.
The client is successfully connected to the NT Server, and the user remains none the wiser that their password has just been grabbed.

netmonex : Breaks the NT password scheme for Microsoft's Network Monitor.

IIS 3.0 (Internet Information Server) : You can shut down an HTTP server with the request GET ../.. by doing this: telnet to the host on port 80 (they have to be running IIS) and, once connected, type ( GET ../.. ).

Crashing IIS 3.0 & 4.0 (Internet Information Server) : Specially malformed GET requests can create a denial-of-service situation in the W3 server and use all available memory on the web server, which causes IIS to appear to hang or generate an access violation error message.

Lets you browse and download files : A URL such as 'http://www.whatever.com/..\..' allows you to browse and download files outside of the web server content root directory. A URL such as 'http://www.whatever.com/scripts..\..\scriptname' allows you to execute a target script.

NAT (Network Auditing Tool) : NAT is another nice little program which brute-forces the remote machine: it tries every login/password combination until it finds a match. This can be done by doing:

  C:\z0mbie\NAT> C:\nat -o z0mbie.txt -u userlist.txt -p passlist.txt 10.10.10.10-10.10.10.30

nbtstat : A way to see if they're running NetBIOS over TCP/IP and to see what services they are running.

net view : A way to view the shares on the remote machine!

net use : A way to use a shared resource.

To view the list of shares on the remote machine you would type the following:

  C:\>net view \\127.0.0.1
  System error 5 has occurred.

  Access is denied.

  C:\>net use \\127.0.0.1\ipc$ "" /user:""
  The command completed successfully.
  C:\>net view \\127.0.0.1
  Shared resources at \\127.0.0.1

That will view the shares on the machine and give a list like:

  Share name   Type   Used as   Comment
  -------------------------------------------------------------------------------
  Accelerator  Disk             Accelerator share for Seagate backup
  Inetpub      Disk
  IRC          Disk
  NETLOG       Disk             Log on server share
  www_root     Disk
  The command completed successfully.

CMD (Command Prompt) : You can stick this in the /cgi-bin/scripts of their server and then open up your web browser and execute the program by doing ( http:\\

SYS is on your system disable it in Control Panel's Device item.

III. Some Cool Tips on Windows NT

Recover from Registry Blunders
Before you delve into the NT Registry, make sure you set up a safety net. NT's backup program (NTBackup) and repair disk utility (Rdisk) can help you recover if you make a serious error, but only if you use them beforehand.

Lose the Last User
If you don't like having the last user's log-on name shown in the log-on dialog, you can blank out the User name space. Edit: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Change DontDisplayLastUserName (REG_SZ) to 1.

The Key to NumLock
Windows NT lets you decide if you want NumLock on or off whenever you log on. Find the key HKCU\Control Panel\Keyboard and change the value for InitialKeyboardIndicators. Set the value to 0 to turn NumLock off; make the value 2 if you want NumLock on.

Change the Message
You can change the text displayed on the NT log-on screen above the user name and password. Set a String value at HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonPrompt to the message you want to display.

Nuke NIC Error
If you add a second network interface card (NIC) into your server and get an "Error 20101" in the log, don't panic. This doesn't prevent Remote Access Service (RAS) from working, and you can eliminate the error by editing the Registry.
Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Router\Interfaces\(X) key (X varies depending on the number of NICs installed). Look for the Enabled value name of each key, a REG_DWORD value. The valid entries are 0 for disabled and 4 for enabled. When you find the Enabled value name that is not set to 0 or 1, set it to 1.

Logon Welcome/Legal Notice
The Registry value entries that control the log-on sequence for starting Windows NT are found under the following Registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

LegalNoticeCaption   REG_SZ   Default: (none)
Specifies a caption for a message to appear when the user presses CTRL+ALT+DEL during log on. Add this value entry if you want a warning to be displayed when a user attempts to log on to a Windows NT system. The user cannot proceed with logging on without acknowledging this message. To specify text for the message, you must also specify a value for LegalNoticeText. Note: You can use the System Policy Editor to change this value.

LegalNoticeText   REG_SZ   Default: (none)

How to alter the time it takes Windows NT to shut down
Edit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WaitToKillServiceTimeout (or add it as a REG_SZ). This value tells the service control manager how long to wait for services to complete the shut-down request. The default is 20000 milliseconds. You must wait long enough for the services to complete an orderly shutdown.

Keep your RAS connection when you log off Windows NT
Edit: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Add the value KeepRasConnections as type REG_SZ. Set it to 1.

Assembly in A Nutshell

Okay, Assembly is probably the most feared language out there. I mean, if you think about it, that's reasonable. Every beginner's programming book or 'tute says that you don't have to be a math genius or super elite genius or whatever, because the new languages are easy/easier.
Well, Assembly IS hard to learn, and it does involve a lot more math than a language like BASIC. Then again, after writing 1000's of lines of ASM code you can laugh at BASIC programmers. You'll even be above the best C programmers... well, maybe not, that'll take a few million lines of assembly code, but you get the idea.

Here are a few definitions:

mov = mov es, ax ... whatever is in ax is now in es
int = int 21h ... a software interrupt: DOS looks at what you put in the registers (ah holds the function number) and does that job ... complicated
; = a semicolon starts a comment
AX, BX, CX, DX = general purpose registers
CS = Code Segment Register
DS = Data Segment Register
ES = Extra Segment Register
SS = Stack Segment Register

Okay, now for a program with many comments:

;************************START CUT HERE************************
DOSSEG                  ; come on, figure this out for yourself...
.Model Small            ; Model of the program... this is for an exe
.Stack                  ; Stack isn't really used here
.Data                   ; Starts data segment
.Code                   ; Starts code segment
Msg db "Hello World!$"  ; Msg equals "Hello World!$"; a dollar sign ends it (it lives in the code segment because it comes after .Code)
START:                  ; take a guess
    mov ax, cs          ; ax now equals the code segment, which is the segment holding Msg
    mov ds, ax          ; ds = ax, so the data segment register points at the segment holding Msg
    mov dx, offset Msg  ; offset is like a pointer in C: dx = Msg's offset inside that segment
    mov ah, 9           ; ah is the upper byte of ax (al is the lower byte); function 9 of the DOS interrupt prints the $-terminated string at ds:dx
    int 21h             ; DOS interrupt; since ah = 9 it prints the string
    mov ax, 4c00h       ; puts 4ch in ah and 0 in al: function 4ch of the DOS interrupt terminates the program (al is the exit code)
    int 21h             ; call the interrupt; the program ends here
END START               ; figure this out yourself
;************************END CUT HERE************************

Now put this in a text editor, save it with an .asm extension and compile it. What, you can't compile it? Okay, you are going to need an assembler and a linker. I use Tasm and Tlink 'cause they came with my Borland C++ compiler.
For Tasm you would do this, and it's fairly similar for any others:

C:\unzipped\asm> tasm helloworld.asm
some stuff...
C:\unzipped\asm> tlink helloworld.obj
some stuff...
C:\unzipped\asm> helloworld.exe
Hello World!
C:\unzipped\asm>

Have fun? Okay, here are some more explanations of what you did. '.model small' makes the program an exe file when compiled & linked. '.model tiny' is for a com file, but exe is best for this. '.stack' is equal to saying '.stack 100h' because 100h is the default. We don't really need any stack in this program; HOWEVER, when this is assembled it will avoid a 'No Stack' warning. The '.data' starts the data segment, and in many cases you would put the defined strings there. In fact it probably would have been more correct to put the 'Msg db "...' in there, but the code is slightly more complicated. '.code' starts the code segment and basically the actual code that makes the program do what it does.

That's enough for this tutorial; check the Legion of Outlawed Tech's website @ http://legionoot.hypermart.net for more tutorials.

By: Post BBS Era Representative (PBBSER)
Email: skatebs@cyberspace.org
Webpages: http://legionoot.hypermart.net, http://www.angelfire.com/pa/skatebs

What's the deal with web design these days?

The Internet: a bustling network of information, hackers, IP addresses and servers. New web pages spring up every day, taking up the space of the previous tenant in web space. From these pages, we see new, creative ideas, layouts, and images. Wait a second!! Creative? New? Sure, we see new things every day... or so we think. Chances are that the cool new layout you're seeing right now is just a rip-off of another site or image. It happens more than you think. The question you may be asking right now is: yeah, so, who cares? If it looks good, then why not use it? Well, here's my answer. If everyone on the Internet keeps this up, we're not going to see the eye-candy that we have come to love for much longer.
Challenging as it may be, why not think of an innovative layout or image yourself? You'll get much more praise if you do. Take my word for it. OK, so you're still not convinced. Try this: take a look at all of the Quake II pages that have sprung up. Start at www.planetquake.com, then click on any user-made page from there. Notice anything? They ALL have the same backgrounds, same basic layout, and same general idea. The only page that differs is the ACE bot page, going with a white background and a white-and-blue color scheme. Does it really take THAT long to do something different? The answer is no. Web page design and graphic layout are two of the key factors that draw traffic. The same with content, but we won't go there. If your page is well designed, nice to look at, and original, people are going to love to visit your page. I admire the people and companies who are always changing their designs; it brings something new every time you see it, and a reason to come back.

SCoRPyaN [scropyan@thepoison.org]

A legal hack with Remote Wall

All of us are paranoid to some level of getting caught hacking. However, there are some legal ways to hack too. Now, I am not saying don't ever do illegal things, I am just saying you can do stuff legally that has cool results. I had known about the wall command, and as you probably know it can issue a message to all the people on your system. Now rwall, or remote wall, does it on a remote system. I tested it on a system without having root privileges and it worked. I used a library computer with the necessary port open. First you make a text file in which you include all the text you want to post on the remote system. Now open a window and telnet to the system if you want proof that rwall is going to actually do what I say it will. Now type: rwall [host] ./file.txt. The ./file.txt isn't your average execute, so watch what happens on the other system. It will say "broadcast message from remote: [stuff]", with a lot of other junk added in.
Now that isn't going to be much of a hack, but say you know some lamer who cracks servers and pulls the dreaded rm -rf / a lot and you want him to stop. In that case change your hostname to fbi.gov or something like that and have the message be: "Failure to stop will result in appropriate legal actions." Won't hurt him, just scare him. Or to a library computer (this is what I did) send some message like "pornography books are not to be searched for on this system". And think about what your teachers will think when "the principal" tells them they are fired... The list goes on and on. Please no flaming if you knew about this, it's a little idea for newbies.

Greets to: Duece, The Loot, Antidote, Tainted Angel, aL, r8ven, Loki, Kheops, Tatiana, Tag, Trunks_x99 for convincing me to start assembly and not getting mad that I am 10 times better at it than him :~), #linux on dalnet - malloc is the man, Zafar, Tatiana, and everyone else that I forgot.

http://legionoot.hypermart.net
By: Post BBS Era Representative aka PBBSER
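The registry tips in z0mbie's "Windows NT Security Tips" section above are given as hand edits. As an added example (not part of the zine and not code from any tool it mentions), this PowerShell script checks those Winlogon and shutdown values on the local machine and can apply the logon-screen ones; it assumes the NT-era key paths the tips name, and the banner caption/text defaults in the code are placeholders.

```powershell
# Added example (not from the zine): audits the Winlogon and shutdown values the
# NT tips above describe and can apply the logon-screen settings. Assumes the
# NT-era key paths named in the tips; the banner caption/text defaults below are
# placeholders, not values from the article.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Control  = 'HKLM:\SYSTEM\CurrentControlSet\Control'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the value (or key) does not exist instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-WinlogonHardening {
    # One finding per value that is not set the way the tips recommend.
    $findings = @()

    # "Lose the Last User": DontDisplayLastUserName (REG_SZ) = 1 hides the previous account.
    $last = Get-RegValue $Winlogon 'DontDisplayLastUserName'
    if ("$last" -ne '1') {
        $findings += "DontDisplayLastUserName='$last' (expected 1): last logon name is shown"
    }

    # "Logon Welcome/Legal Notice": the banner only appears when BOTH values are set.
    $cap = Get-RegValue $Winlogon 'LegalNoticeCaption'
    $txt = Get-RegValue $Winlogon 'LegalNoticeText'
    if ([string]::IsNullOrWhiteSpace($cap) -or [string]::IsNullOrWhiteSpace($txt)) {
        $findings += 'LegalNoticeCaption/LegalNoticeText: one or both empty, no logon warning shown'
    }

    # "Keep your RAS connection": a convenience, but a dial-up link that outlives the
    # logoff is worth knowing about, so it is reported rather than silently accepted.
    if ("$(Get-RegValue $Winlogon 'KeepRasConnections')" -eq '1') {
        $findings += 'KeepRasConnections=1: RAS connections stay up after the user logs off'
    }

    # "Alter the time it takes NT to shut down": default 20000 ms; a much shorter wait
    # can cut services off before they finish an orderly shutdown.
    $wait = Get-RegValue $Control 'WaitToKillServiceTimeout'
    if ($null -ne $wait -and [int]$wait -lt 20000) {
        $findings += "WaitToKillServiceTimeout=$wait ms is below the 20000 ms default"
    }

    return ,$findings
}

function Set-LogonScreenHardening {
    # Applies the three logon-screen values from the tips; run from an elevated shell.
    param(
        [string]$Caption = 'Authorized use only',                        # placeholder
        [string]$Text    = 'Authorized users only. Use may be monitored.' # placeholder
    )
    Set-ItemProperty -Path $Winlogon -Name 'DontDisplayLastUserName' -Value '1'      -Type String
    Set-ItemProperty -Path $Winlogon -Name 'LegalNoticeCaption'      -Value $Caption -Type String
    Set-ItemProperty -Path $Winlogon -Name 'LegalNoticeText'         -Value $Text    -Type String
}

$result = Test-WinlogonHardening
if ($result.Count -eq 0) { 'All checked values match the tips.' } else { $result }
```

Running the script as-is only reads the registry; call Set-LogonScreenHardening yourself, from an elevated shell, if you want the logon-screen values written.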