How to begin in the World of Hacking

Wednesday, December 3, 2008

     Disclaimer - I am not responsible for any of the information in this document if it is used for any purpose other than educational reading. Some of the information on this page can be used illegally if the reader does not act responsibly. The reader is responsible for his own actions. You can copy anything from this file to any other file as long as you quote it, don't change it, and give me the proper credit... like:

Intro:
  
When I got into hacking, I realized that there weren't many text philes for newbies, so I decided to write one. I don't really care about misspelled werds or punctuation, so please ignore the mistakes. In this document I will refer you to other documents a lot (because why should I waste my time rewriting something that has already been written?). If at any time while reading this document you ask yourself "So... how do I hack?", then go away now and save yourself the frustration, because you'll never learn. To hack you must understand everything about a system; then you can get ideas and try them out.
 
I tried to keep this phile as short as possible. When you read this you should just get an idea about how to hack and why we hack. If you read this document and the philes that I have listed, you should have a good idea of what to do, how to do it, and why. Remember, every 'project' is different. You have to use your brain and adjust to each one.

Tools:
 
There are a few things you need to have to be a hacker/phreaker:

'puter - computer (duh)
terminal software - a program like HyperTerminal or an ordinary terminal program that lets you dial out to another system.
blue box - (excerpted from the 2600 FAQ) Blue boxes use a 2600 Hz tone to seize control of telephone switches that use in-band signalling. The caller may then access special switch functions, with the usual purpose of making free long distance phone calls, using the tones provided by the blue box.

scanner - a scanner is a program that dials every number in your area and listens for the tones coming from other modems (it helps you locate your local targets). A good scanner is ToneLoc. Find it!
fone (phone) line - I hope you know whut this is...
It also helps to know a computer language, e.g. C, C++, etc.

Info resources:
I don't know many good boards anymore because almost all of their sysops (system operators) have been busted. But I suggest you get an account with a provider that supports Netscape and get unlimited access to the WWW (World Wide Web). Then visit these good homepages by entering their names in the WebCrawler search engine (http://webcrawler.com):
 
Silicon Toads Hacking Resources
Flamestrike Enterprises
The Plowskฅ Page (mine, you can reach me from there)
Matervas Hideout
Burns Lair
Cold Fire
From these pages you will find a wealth of information on h/p (hacking/phreaking).

getting started: 
The first thing you must do is get on your computer, open your terminal software and connect to a board (bulletin board, BBS). This is a must! (It's also a VERY basic thing.) You can usually find a BBS number on a homepage or by entering bbs in a search engine. Now that you can do that, start reading. Read as many text philes as possible.
 
IRIS - IRIS stands for Interactive Real Time Information System. It originally ran on PDP-11's, but now runs on many other minis. You can spot an IRIS by the 'Welcome to "IRIS" R9.1.4 Timesharing' banner and the ACCOUNT ID? prompt. IRIS allows unlimited tries at hacking in, and keeps no logs of bad attempts. I don't know any default passwords, so just try the common ones from the password database below.
  Common Accounts:
  MANAGER
  BOSS
  SOFTWARE
  DEMO
  PDP8
  PDP11
  ACCOUNTING
DEC-10 - An earlier line of DEC computer equipment, running the TOPS-10 operating system. These machines are recognized by their '.' prompt. The DEC-10/20 series are remarkably hacker-friendly, allowing you to enter several important commands without ever logging into the system. Accounts are in the format [xxx,yyy] where xxx and yyy are integers. You can get a listing of the accounts and the process names of everyone on the system before logging in with the command .systat (for SYstem STATus). If you see an entry that reads [234,1001] BOB JONES, it might be wise to try BOB or JONES or both for a password on this account. To login, you type .login xxx,yyy and then type the password when prompted for it. The system will allow you unlimited tries at an account, and does not keep records of bad login attempts. It will also inform you if the UIC you're trying (UIC = User Identification Code, 1,2 for example) is bad.
  Common Accounts/Defaults:
  1,2: SYSLIB or OPERATOR or MANAGER
  2,7: MAINTAIN
  5,30: GAMES

UNIX - There are dozens of different machines out there that run UNIX. While some might argue it isn't the best operating system in the world, it is certainly the most widely used. A UNIX system will usually have a prompt like 'login:' in lower case. UNIX will also give you unlimited shots at logging in (in most cases), and there is usually no log kept of bad attempts (that was true of many systems of the day; modern UNIX systems do record failed logins via syslog, e.g. in auth.log or secure). Common Accounts/Defaults: (note that UNIX is case sensitive, so use lower case as a general rule. Also, many times the accounts will be unpassworded and you'll just drop right in!)
  root: root
  admin: admin
  sysadmin: sysadmin or admin
  unix: unix
  uucp: uucp
  rje: rje
  guest: guest
  demo: demo
  daemon: daemon
  sysbin: sysbin
Code of ethics:
 
Once you get into a system, do not manipulate anything but the log file (erase the record of your bad logins) and anywhere you might have left your handle (name, a.k.a.). You don't want to leave your handle anywhere because they WILL be able to track you down by your handle alone. It's OK to be paranoid! Don't think for one minute that you are undetectable; if you make any mistakes, you could get caught. Here is a list of things you could do to help yourself from getting in trouble.
 
* Encrypt your entire hard drive.
* Hide your files in a very safe spot.
* Don't tell anyone that you don't know very well about your hacking. Good hackers never reveal specific details to anyone about their current project. They give only very vague hints of what they are doing.
* Don't openly give out your real name or address.
* Don't join any major hacking groups; be an individual.
* Don't hack government computers, ESPECIALLY YOUR OWN GOVERNMENT'S! Foreign computers can sometimes be phun, but don't say I didn't warn you!
* Make sure that you don't leave any evidence that you have been in a system, or any evidence of who it was.
* Use your brain.
If you follow most of these guidelines, you should be safe. The last thing you want is to end up in a one-room apartment on the third floor of the state prison with your cellmate Bruno, the axe murderer, who's doing life.
Getting in:
The hardest thing about hacking is getting the numbers for a system. You can do this by using a scanning program. Then, once you connect to a system, you must first recognise what kind of system you have connected to. (By the way, for you real brainiacs, you have to use your terminal software to call another system.) You can usually do this by looking at the prompt you get, if you get one (check the Unresponsive Systems section). Sometimes a system will tell you as soon as you connect by saying something like "hello, welcome to Anycompany using anysystem v 1.0". When you have determined what system you have connected to, this is when you start trying your logins. You can try typing in demo as your userid and see if you can find any user names to try. If you enter a name and you are allowed in without a password, you usually, but not always, have entered a name that you can't do a whole lot with, but it can still be phun and you can probably find clues on how to get in on another name.

While you're in:
There are usually many interesting files you can read in all of these systems. You can read files about the system. You might want to try a help command; it will usually tell you a lot. Sometimes, if you're lucky, you can manage to download the manual of the system! There is nothing like the thrill of your first hack; even if it wasn't a very good one, it was probably still phun. You could read every text phile in the world and you still probably wouldn't learn as much as you do during your first hack. Have Phun!

Unresponsive Systems
~~~~~~~~~~~~~~~~~~~~
  Occasionally you will connect to a system that will do nothing but sit there. This is a frustrating feeling, but a methodical approach to the system will yield a response if you take your time. The following list will usually make *something* happen.
1) Change your parity, data length, and stop bits. A system that won't respond at 8N1 may react at 7E1 or 8E2 or 7S2. If you don't have a term program that will let you set parity to EVEN, ODD, SPACE, MARK, and NONE, with a data length of 7 or 8, and 1 or 2 stop bits, go out and buy one. While having a good term program isn't absolutely necessary, it sure is helpful.

2) Change baud rates. Again, if your term program will let you choose odd baud rates such as 600 or 1100, you will occasionally be able to penetrate some very interesting systems, as most systems that depend on a strange baud rate seem to think that this is all the security they need...

3) Send a series of carriage returns (<cr>'s).

4) Send a hard break followed by a <cr>.

5) Type a series of .'s (periods). The Canadian network Datapac responds to this.

6) If you're getting garbage, hit an 'i'. Tymnet responds to this, as does a MultiLink II.

7) Begin sending control characters, starting with ^A --> ^Z.

8) Change terminal emulations. What your vt100 emulation thinks is garbage may all of a sudden become crystal clear using ADM-5 emulation. This also relates to how good your term program is.

9) Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, LOGON, GO, JOIN, HELP, and anything else you can think of.

10) If it's a dialin, call the numbers around it and see if a company answers. If they do, try some social engineering.

I tried to keep this phile as short as possible to save downloading time, just telling you the very basics: what you need to do and what you need to read. I hope this was helpful.

  Why the "Fun with RA boards" hacking method is LAME!
  (The REAL way to hack RemoteAccess)
  -----------------------------------
  
   
  "Saving the Brain Forest"


Well dewdz, ya seen the text file about hacking RemoteAccess and you wanna 
crack that H/P or warez RA board for mega ratios? Get Real!  

RA *CAN* be hacked, but only in the same way as any other BBS sox... no 
sysop reading that file shat themselves .. here's why not:

Basically the technique outlined involved you writing a trojan and 
disguising it as some program the sysop is really gagging for, in the hope 
that he'll run it on his system. Wot it'll really do is copy his USERS.BBS 
onto the filebase so you can call back later and d/l it... neat idea, and 
one that in *theory* will work with most BBS sox (most are EVEN easier coz 
they don't encrypt the users file like RA does), but their execution of it sucks!

Firstly, their compiled batch file relied on the sysop running RA off their 
C: drive from the directory \RA... Yeah, maybe some lame PD board they
hang out on is like that but most sysops I know run multiple drives and 
many have more complex directory structures... Lame Hacker 0 - Sysop 1

Okay... letz assume they got on some lame fucking board and the users file
*is* C:\RA\USERS.BBS - next step is to copy the file into the filebase and 
make it d/lable. How do they do that? (patronising Dez Lymon voice) .

Their idea was to copy the file into D:\FILES\UPLOAD .. Yeah sure guyz...
EVERY board uses the D: drive for the filebase and happen to have a file
area in \FILES\UPLOAD - NOT!!!!!! Lame Hacker 0 - Sysop 2

Right, so they got better odds than winning the national fucking lottery and
all the above worked (yeah man, we're dreamin' but let's give 'em a chance).
What next? The file has to be d/lable... you found a sysop that makes
UNCHECKED & UNSCANNED files available for download? Fuck off! Get a life!
  Lame Hacker 0 - Sysop 3

So... okay.... we got a sysop that's so fucking lame he doesn't deserve
to breathe the same air as the rest of the human race and uses all the 
above paths and makes unchecked uploads d/lable. RA by default won't allow 
files to be d/led UNLESS they're in the file database. Unless the USERS.BBS
destination ALREADY EXISTED in that area and was previously in the area 
database there's NO WAY you can d/l it.

The way they "solved" this was to add an entry to FILES.BBS in the file
directory. Nice one... EXCEPT RA DOESN'T USE FILES.BBS AS IT'S FILE 
DATABASE. Unless you happen to be lucky enough that the sysop does an 
import from FILES.BBS to the REAL file database before checking out your 
planted file (most RA sysops only import from FILES.BBS when adding CDROMs) 
the addition of this entry will do FUCK ALL! Lame Hacker 0 - Sysop 4
   
To quote from the author "This is a generic program and you will have to 
tailor it so it will meet your needs." - yeah man, fucking rethink, redesign
and rewrite it more like!

Oh yeah... EVEN IF YOU DO get a copy of the USERS.BBS file downloaded THE
PASSWORDS ARE ENCRYPTED!!! (One-way, like Unix crypt: you can only guess a 
word, encrypt it and compare, which is exactly what RA-CRACK below does.)
Lame Hacker :( - Sysop :-)


So how can U hack RA? Well, the idea was okay but, like hacking any system, 
you gotta KNOW the system ya gonna hack b4 U stand a chance.

Most sysops will use the DOS environment variable RA set to the RA system 
directory so that external doors can find the system files... that's very 
helpful of the sysop, to show us where we can find his config files.

In the RA system directory should be the file CONFIG.RA. You might want to 
include a check for this file within your program and possibly do a disk 
and directory scan for the file if RA isn't defined or is set incorrectly.

I'm not *entirely* sure about other versions of RA, but in the current 
release (2.02) the CONFIG.RA offset &h3E4 is where the name of the mail 
directory starts. This is the path where USERS.BBS will be found.

Next you need to know for SURE the name of a directory which stores the 
files for a filearea from which you are able to download.

I suggest you do this in one of three ways:

1) Interrogate the file FILES.RA in the RA system directory, which contains 
  the filebase area configs. You *could* just search the directory for a 
  valid path, but you wouldn't know if you had d/l access to the area.  

2) If you want to be a bit more clever you could interpret the file and 
  find out the minimum security level required to d/l from each area and 
  dump your copy of USERS.BBS in the area with the lowest access level, 
  pretty much guaranteeing that you'll be able to get to the file. This
  doesn't take security flags into account, so there's still a SLIM 
  possibility you won't be able to d/l the file unless you also write flag 
  testing into your program.

3) My favourite technique is to have the program read a small config file 
  which is uploaded with your archive. This file just contains the name 
  of a file you KNOW you have d/l access from. You can then either do a 
  global search for that filename or, preferably (coz it's faster) read 
  FILES.RA for the paths used by the filebase and search those.

So now you have the location of the USERS.BBS and the destination directory 
you simply need to copy the file. However, even though the file is sitting 
in a filebase directory it STILL isn't available for d/l... why? Because 
it's not in the filearea database.

You could get clever and find and amend the filearea database files directly 
if you get the fileareas path from CONFIG.RA (offset &hC12) and write to the 
files HDR\FDB#####.HDR (header), IDX\FDB#####.IDX (index) and, if you want 
to add a description, TXT\FDB#####.TXT, where ##### is the RA file area number.

There *is* an easier way. Shell out to DOS and execute the RAFILE utility 
from the RA program path, passing the arguments "ADOPT filename #####".

E.g. the BASIC command would be:

  ' STR$ prefixes a positive number with a space, so no separator is needed
  SHELL "RAFILE ADOPT " + filename$ + STR$(areanum)

Where filename$ contains the name of your USERS.BBS copy and areanum is the 
RA filearea number. If your filename was USERTEST.ZIP and you'd copied it 
to the directory used for RA file area 10, you'd be executing:

  RAFILE ADOPT USERTEST.ZIP 10

This will "adopt" the file, adding it to the RA file database, making it 
available for d/l (assuming you have the appropriate rights to the area).

All you need to do now is to package this trojan file to entice the sysop
into running it... In the LAME method for hacking RA the author used DSZ 
as an example. That was about the most realistic part of the file and the
only bit worth leaching!


Your archive:
  DSZ.EXE (your program)
  DSZ.DAT (the *real* DSZ.EXE)
  DSZ.CFG (small file containing the name of a *known* 
  d/lable file, preferably encrypted)
  + any other files that normally come with DSZ


   
Flow of the DSZ.EXE trojan (the original ASCII flowchart, given here as a step list):

  1. Start.
  2. Read the environment variable RA.
  3. Does CONFIG.RA exist in that path? If not, scan drives and paths
     searching for the file.
  4. Read CONFIG.RA to get the location of USERS.BBS.
  5. Read DSZ.CFG to get a filename.
  6. Look for that file in the filebase directories. If it is not found,
     the flow loops back to the drive and path scan.
  7. Copy USERS.BBS to the filearea directory.
  8. Run RAFILE with ADOPT to update the RA database.
  9. Delete DSZ.EXE and DSZ.CFG.
  10. Rename DSZ.DAT to DSZ.EXE.
  11. Stop.
   
Once you've uploaded the file, preferably using a pseudonym, post the sysop 
a message telling him how c00l your upload is. Wait a day or so and dial 
back. Do a filename search using the name you decided to use for your copy 
of USERS.BBS and d/l it.  

The next step, now you have the USERS.BBS file, is to crack the passwords.  
I only know of ONE crack program out there which has the RA password 
encryption algorithm, a program based on the popular Unix CRACKERJACK 
program, called RA-CRACK. This simply takes a given word, encrypts it, and
compares it to the USERS.BBS file to find a user with a matching password.

RA-CRACK takes its source words from a text file, so it would be possible 
to either:

 a) Use a TXT dictionary file as the source. All passwords that are 
  normal words will be found. This method will usually find about 90% 
  of the user passwords.

 b) Write a "brute force" cracker using a small routine that "counts" 
  through every combination of characters from "!" (ASCII 33) up to 
  ASCII 255, for every length up to 25 (the maximum length of an RA 
  password), passing these via a text file to RA-CRACK. In principle this 
  finds every password, but the keyspace is astronomically large (223 
  characters to the 25th power; even eight characters from that set is 
  over six quintillion guesses), so in practice it only finishes for 
  short passwords.

Easiest Hacking there is...

Tuesday, December 2, 2008

OK, this is my mini guide to the easiest 'hacking' there is ( I think ) if any one knows different then mail me and tell me :)

Most FTP servers have the directory /pub which stores all the 'public' information for you to download. But alongside /pub you will probably find other directories such as /bin and /etc; it's the /etc directory which is important. In this directory there is normally a file called passwd. It looks something like this:-
root:7GHgfHgfhG:1127:20:Superuser
jgibson:7fOsTXF2pA1W2:1128:20:Jim Gibson,,,,,,,:/usr/people/jgibson:/bin/csh
tvr:EUyd5XAAtv2dA:1129:20:Tovar:/usr/people/tvr:/bin/csh
mcn:t3e.QVzvUC1T.:1130:20:Greatbear,,,,,,,:/usr/people/mcn:/bin/csh
mouse:EUyd5XAAtv2dA:1131:20:Melissa P.:/usr/people/mouse:/bin/csh

This is where all the user names and passwords are kept. For example, root is the superuser and the rest are normal users on the site. The bit after the user name, such as EUyd5XAAtv2dA in this example, is the password BUT it is encrypted (a one-way crypt(3) hash: you cannot decode it, only guess a word, hash it and compare). So you use a password cracker, which you can d/l from numerous sites; I will give some URLs at the end of this document. These password crackers ask you to supply a passwd file, which you download from the /etc directory of the FTP server, and a dictionary file, which the cracker program will go through to try to find a match. Since many people use simple passwords you can use a 'normal' dictionary file. But when people REALLY don't want you to break into their machines they set their passwords to things such as GHTiCk45, which is where programs such as Random Word Generator come in; it will create such strings (eventually). (Sorry, just plugging my software.) Notice also that two users above (tvr and mouse) have the identical hash string: with crypt(3) that means the same salt and the same password, so cracking one gives you both. BTW, the bad news is that newer sites NORMALLY have password files which look like this:-
root:x:0:1:0000-Admin(0000):/:/sbin/sh
The x signifies shadowed: you can't use a cracker to crack it because there's nothing there to crack; the real hashes are kept somewhere else (/etc/shadow) that you can't get to. x is also represented as a * or sometimes a !. Ones like the top example are known as un-shadowed password files, normally found at places with .org or .net domains and perhaps even .edu sites (also, cough, .nasa.gov, cough). Note too that anonymous FTP servers often keep a cut-down copy of passwd in their own ~ftp/etc directory just so ls can show owner names, and that copy need not contain real hashes at all.

If you want a normal dictionary file I recommend you go to http://www.globalkos.org and download kOS Krack, which has a 3 MEG dictionary file. Then run a passwd cracking program such as Jack the Ripper, Hades or Killer Crack (which I recommend) against the passwd file and dictionary file. Depending upon the number of passwords in the passwd file, the size of the dictionary file and the speed of the processor, it could be a lengthy process.

Eventually, once you have cracked a password, you need a basic knowledge of Unix. I have included the necessary commands to upload a different index.html file to a server:- Connect to the server through FTP, preferably going through a few shells to hide your host, and log in using the hacked account at the Login: / Password: part. Once connected, type dir or ls. If there's a directory called public_html (or something similar), change into it with the cd command (cd public_html), just as in DOS. Then type binary to set the transfer mode to binary (so you can send images if necessary).
Then type put index.html, or whatever the index file is called. If you are asked which transfer protocol you wish to use, that prompt comes from your terminal program, not from FTP itself; pick Z-Modem. Select the file at your end you wish to upload and send it.
That's it! If you have root, delete any log files too.
Please note that this process varies from machine to machine.
To change the password for the account (very mean), log in through telnet and simply type passwd at the prompt and set the password for the account to anything you wish.
That's it... if you don't understand it, read it about 10x; if you still don't, ask someone else, I am too busy with errrr stuff..



Beginners guide


  In the following file, all references made to the name Unix, may also be substituted to the Xenix operating system.

  Brief history: Unix grew out of the Multics project of the mid-sixties, a joint effort of MIT, General Electric and Bell Labs to build a multi-user, multitasking operating system for third generation computers. After Bell Labs withdrew from Multics in 1969, two of its programmers, Ken Thompson and Dennis Ritchie, wrote a much smaller system of their own on a spare PDP-7, and that system became "Unix".

  Sixties to Current: During this time Bell Systems installed the Unix system to provide their computer operators with the ability to multitask so that they could become more productive, and efficient. One of the systems they put on the Unix system was called "Elmos". Through Elmos many tasks (i.e. billing,and installation records) could be done by many people using the same mainframe.

  Note: Cosmos is accessed through the Elmos system.

  Current: Today, with the development of micro computers, such multitasking can be achieved by a scaled down version of Unix (but just as powerful). Microsoft,seeing this development, opted to develop their own Unix like system for the IBM line of PC/XT's. Their result they called Xenix (pronounced zee-nicks). Both Unix and Xenix can be easily installed on IBM PC's and offer the same functions (just 2 different vendors).

  Note: Due to the many different versions of Unix (Berkeley Unix, Bell System III, and System V the most popular) many of the commands that follow may or may not work. I have written them in System V style. Unix/Xenix operating systems will be considered identical systems below.

  How to tell whether or not you are on a Unix system: Unix systems are quite common across the country. Their login looks like this:

login:
Password:

  When hacking on a Unix system it is best to use lowercase because the Unix system commands are all done in lowercase.

  Login; is a 1-8 character field. It is usually the name (i.e. joe or fred) of the user, or initials (i.e. j.jones or f.wilson). Hints for login names can be found trashing the location of the dial-up (use your CN/A to find where the
computer is).

  Password: is a 1-8 character password assigned by the sysop or chosen by the user.

  Common default logins
  --------------------------

  login:    Password:

  root      root, system, etc..
  sys       sys, system
  daemon    daemon
  uucp      uucp
  tty       tty
  test      test
  unix      unix
  bin       bin
  adm       adm
  who       who
  learn     learn
  uuhost    uuhost
  nuucp     nuucp

  If you guess a login name and you are not asked for a password, and have accessed the system, then you have what is known as a non-gifted account. If you guess a correct login and password, then you have a user account. And, if you guess the root password, then you have a "super-user" account. All Unix systems have the following accounts installed: root, sys, bin, daemon, uucp, adm.

  Once you are in the system, you will get a prompt. Common prompts are:

$

%

#

  But can be just about anything the sysop or user wants it to be.

  Things to do when you are in: Some of the commands that you may want to try follow below:

  who (shows who is currently logged on the system)
  write name (name is the person you wish to chat with; to exit chat mode type ctrl-D, which sends EOT = End of Transmission)
  ls -a (list all files in the current directory, including the hidden dot-files)
  du -a (shows how much disk space your files use; disk usage, not memory)
  cd name (name is the sub-directory you want to move into; Unix paths use forward slashes, e.g. cd /usr/people/joe)
  cd (with no argument, brings you back to your home directory)
  cat name (name is a filename; prints a text file, e.g. documentation or a program source your username has written)

  Most Unix programs are written in the C language (the language Unix itself is written in), since Unix is a programmers' environment.

  One of the first things done on the system is print up or capture (in a buffer) the file containing all user names and accounts. This can be done by doing the following command:

cat /etc/passwd

  If you are successful you will see a list of all accounts on the system. It should look like this:

root:hvnsdcf:0:0:root dir:/:
joe:majdnfd:1:1:Joe Cool:/bin:/bin/joe
hal::1:2:Hal Smith:/bin:/bin/hal

  The "root" line tells the following info :

login name=root
hvnsdcf = encrypted password
0 = user group number
0 = user number
root dir = name of user
/ = root directory

  In the Joe login, the last part "/bin/joe " tells us which directory is his home directory (joe) is.

  In the "hal" example the login name is followed by 2 colons, that means that there is no password needed to get in using his name.

  Conclusion: I hope that this file will help other novice Unix hackers obtain access to the Unix/Xenix systems that they may find. There is still wide growth in the future of Unix, so I hope users will not abuse any systems (Unix or any others) that they may happen across on their journey across the electronic highways of America. There is much more to be learned about the Unix system that I have not covered. They may be found by buying a book on the Unix System (how I learned) or in the future I may write a part II to this........



Stop Annoying Pop-ups Without Pop-up Blockers

Did you ever go to warez/cracks sites (which we all know is BAD!) only to be bombarded with 10 windows opening up at a time, with porn, spam etc?

I've discovered a VERY easy way to block about 90-95% of this sh!t, without using any pop-up stopping programs (I hate installing that garbage!).

This is for Internet Explorer 6.0, but I'm sure that it can work with other browsers if you take the time to fiddle around.

Here's how you do it...

1) Go to TOOLS and then INTERNET OPTIONS.

2) Click the SECURITY tab, move the slider up to HIGH and click APPLY.

This applies the highest security settings to IE, which blocks EVERYTHING, including JavaScript, Applets, and so on that pop-ups are based upon.

The catch is this... Some places like online banks and other web sites need these functions to work properly... So you'll need to re-enable one important thing...

1) Go to TOOLS and then INTERNET OPTIONS.

2) Click the SECURITY tab, CUSTOM LEVEL, scroll down to SCRIPTING, and under ACTIVE SCRIPTING, select the ENABLE radio button.

3) Click APPLY and you're pretty much done!

Note: This does NOT completely remove pop-ups and other annoyances, but it sure helps a lot, without having to trash your computer with pop-up blockers. Be aware of the trade-off, though: most pop-ups are opened by JavaScript (window.open), so once you re-enable Active Scripting for a zone, that zone's script-driven pop-ups are back; what the High setting still blocks is ActiveX controls, Java applets and the like.


Secret Backdoor To Many Websites

Ever experienced this? You ask Google to look something up; the engine returns with a number of finds, but if you try to open the ones with the most promising content, you are confronted with a registration page instead, and the stuff you were looking for will not be revealed to you unless you agree to a credit card transaction first....
The lesson you should have learned here is: Obviously Google can go where you can't.

Can we solve this problem? Yes, we can. We merely have to convince the site we want to enter, that WE ARE GOOGLE.
In fact, many sites that force users to register or even pay in order to search and use their content, leave a backdoor open for the Googlebot, because a prominent presence in Google searches is known to generate sales leads, site hits and exposure.
Examples of such sites are Windows Magazine, .Net Magazine, Nature, and many, many newspapers around the globe.
How then, can you disguise yourself as a Googlebot? Quite simple: by changing your browser's User Agent. Copy the following code segment and paste it into a fresh notepad file. Save it as Useragent.reg and merge it into your registry.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
@="Googlebot/2.1"
"Compatible"="+http://www.googlebot.com/bot.html"

Voila! You're done!

You may always change it back again.... I know of only one site that uses your User Agent to establish your eligibility to use its services, and that's the Windows Update site...
To restore the IE6 User Agent, save the following code to NormalAgent.reg and merge it with your registry:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
@="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Ps:
Opera allows on-the-fly switching of User Agents through its "Browser Identification" function, while for Mozilla/Firefox browsers a switching utility is available as an installable extension from this URL:
help://chrispederick.myacen.com/work/firefox/useragentswitcher/download/
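The registry tweak above works only against sites that take the User-Agent header at face value. Google's published way to recognise its crawler is forward-confirmed reverse DNS: look up the PTR record for the connecting address, check that the name ends in googlebot.com or google.com, then resolve that name and make sure it comes back to the same address. The Python below is an added example, not code from the original post, showing that check with constructed DNS data (documentation-range addresses and made-up hostnames) so it runs offline; in production the two lookup callbacks would be socket.gethostbyaddr and socket.getaddrinfo.

```python
import ipaddress
from typing import Callable, Iterable, Optional

# Crawler domains Google publishes for Googlebot reverse-DNS verification.
GOOGLEBOT_DOMAINS = ("googlebot.com", "google.com")

# Constructed DNS data so the example runs offline. 192.0.2.0/24 and
# 198.51.100.0/24 are documentation ranges; none of these records is real.
FAKE_PTR = {
    "192.0.2.10": "crawl-192-0-2-10.googlebot.com.",   # genuine crawler: forward-confirms
    "198.51.100.7": "crawl-1.googlebot.com.",           # attacker-set PTR; forward does not confirm
    "198.51.100.8": "googlebot.com.evil.example.net.",  # lookalike suffix, not under googlebot.com
}
FAKE_A = {
    "crawl-192-0-2-10.googlebot.com": ["192.0.2.10"],
    "crawl-1.googlebot.com": ["192.0.2.99"],
    "googlebot.com.evil.example.net": ["198.51.100.8"],
}


def fake_reverse(ip: str) -> Optional[str]:
    return FAKE_PTR.get(ip)


def fake_forward(host: str) -> Iterable[str]:
    return FAKE_A.get(host, [])


def claims_googlebot(user_agent: str) -> bool:
    """The User-Agent header is whatever the client chooses to send."""
    return "Googlebot" in user_agent


def is_verified_googlebot(client_ip: str,
                          reverse_lookup: Callable[[str], Optional[str]],
                          forward_lookup: Callable[[str], Iterable[str]]) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must sit under a Google
    crawler domain, and that name must resolve back to the connecting address."""
    ip = ipaddress.ip_address(client_ip)
    ptr = reverse_lookup(client_ip)
    if not ptr:
        return False
    host = ptr.rstrip(".").lower()
    if not any(host == d or host.endswith("." + d) for d in GOOGLEBOT_DOMAINS):
        return False
    return any(ipaddress.ip_address(a) == ip for a in forward_lookup(host))


def access_decision(user_agent: str, client_ip: str,
                    reverse_lookup=fake_reverse, forward_lookup=fake_forward) -> str:
    """What a paywall that does not trust the User-Agent alone would return."""
    if claims_googlebot(user_agent):
        if is_verified_googlebot(client_ip, reverse_lookup, forward_lookup):
            return "full_content_for_crawler"
        return "registration_wall_spoofed_ua"
    return "registration_wall"


if __name__ == "__main__":
    ie6_as_bot = "Googlebot/2.1 (+http://www.googlebot.com/bot.html)"
    print(access_decision(ie6_as_bot, "192.0.2.10"))    # real crawler
    print(access_decision(ie6_as_bot, "198.51.100.7"))  # spoofed UA and spoofed PTR
    print(access_decision(ie6_as_bot, "198.51.100.8"))  # spoofed UA, lookalike PTR
    print(access_decision("Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "198.51.100.7"))
```

The second constructed case is the interesting one: whoever controls the reverse zone for an address can set its PTR to any name they like, but cannot make crawl-1.googlebot.com resolve to their own address, so the forward step is what defeats the spoof.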


Remote Desktop Through Company Firewall

Don't wanna take any credit for this as I got this from another forum; thought of it as quite informative so pasting it here.

Note: this tutorial is a collection of tips I gathered from searching the internet, and some credit is due to the original authors, none of whom I know.

A lot of people I know love using the Windows Remote Desktop feature at work, but are prevented from connecting to their home computer by the company firewall. This is because most corporate firewalls block port 3389, which Remote Desktop uses. Most just switch to VNC, but most find it slower than Remote Desktop.

This quick tutorial shows how (from a firewalled network that blocks port 3389) you can access your home computer using MS Remote Desktop.

*This tutorial assumes you have, or know how to set up, a dynamic DNS client if you need one.

*Assumes you know how to set up port forwarding if you need to.

Because Remote Desktop uses port 3389 by default, it cannot get through the firewall. So you can use port 443 instead, because this port is (one would assume) always open on your company's firewall to allow HTTPS.

At your home PC:

1) Configure your PC to allow remote connections: open System Properties (Windows key + Break), go to the Remote tab and check 'Allow users to connect remotely to this computer'.

2) (add users if needed)

3) According to
http://support.microsoft.com/default.aspx?scid=kb;en-us;306759

In the registry change
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\TerminalServer\WinStations\RDP-Tcp\PortNumber to 443 (click the Decimal radio button first)

*Configure your firewall to allow traffic through port 443 (if you need to)

*Configure your router to forward port 443 to your computer (if you need to)

If you have IIS running you have to change the port number of HTTPS, because it is already listening on this port:
C:\WINDOWS\system32\cscript.exe c:\inetpub\adminscripts\adsutil.vbs SET w3svc/1/SecureBindings ":444:"

Or just disable the IIS service.


For your PC at work:

According to
http://support.microsoft.com/default.aspx?scid=kb;en-us;304304

you can just type the port after the IP address of your home PC.

*Or if you have a Dynamic DNS Client such as No-IP or DynDNS you can type in that address.

Alternatively, you can add the following line to the .rdp file (which you get by clicking Save As on the General tab of Remote Desktop Connection):
server port:i:443

Extra tip: to have access to your client's hard disk on your remote desktop, check Disk Drives on the Local Resources tab of Remote Desktop Connection.


Read This! Av Compare!

Testbed consisted of 321 Viruses, Trojans and Worms, all for the Windows32 environment, and all reasonably new samples. I don't have any data on whether some of these are zoo, or ITW, but they are all real threats I feel someone is likely to encounter, since I got them off the internet (and I've verified they are real as each sample must be detected by at least 4 AVs for me to consider it). All scanners were installed on a clean system, without any traces of other anti-virus software - between each test the system and directories were cleaned, and the registry was swept. Each AV product was treated with a double-reboot, one before, and one after installation. Each scanner was set at its highest possible settings, and was triple checked for proper options and configuration. Most products were the full registered version when possible, others were fully functional unrestricted trials. All products were tested with the current version as of 6-14-04, and the latest definitions for that date. Each product was run through the test set a minimum of 3 times to establish proper settings and reliability; the only product to exhibit some variance on this was F-Secure, which had one scan come up less than the other two without any settings changes, indicating a possible stability issue.

The final standings:

1) MKS-Vir
1a) eXtendia AVK
2) Kaspersky 5.0/4.5
2a) McAfee VirusScan 8.0
3) F-Secure
4) GData AVK
5) RAV + Norton (2 way tie)
6) Dr.Web
7) CommandAV + F-Prot + BitDefender (3 Way Tie)
8) ETrust
9) Trend
10) Panda
11) Avast! Pro
12) KingSoft
13) NOD32
14) AVG Pro
15) AntiVIR
16) ClamWIN
17) UNA
18) Norman
19) Solo
20) Proland
21) Sophos
22) Hauri
23) CAT Quickheal
24) Ikarus

Heuristics seemed to play some of a role in this test, as no AV had every virus in my test in their definitions, and products with stronger heuristics were able to hold their position towards the top of the test. Double/Multi engined products put up strong showings as well, proving to me that the redundancy method works, and I think more AV companies should consider double-engines. The strongest heuristical AV I noticed was F-Prot/Command, picking up only 247 samples with definitions but they were able to power through 67 additional hits on "Possible Virus" indicators - very strong! Norton with BloodHound activated had 30 heuristical pickups, and DrWeb rounded up the pack with 20 heuristical pickups. eXtendia AVK grabs the number one slot with double engine scanning; anything the KAV engine missed, the RAV engine picked up with great redundancy on the double engine/definition system. McAfee actually missed only 2 samples with its definitions, but picked those 2 up as "Suspicious File", and therefore scores nearly perfect as well.

The biggest disappointments for me were Norman and Nod32. Even with Advanced-Heuristics enabled, NOD32 failed to pick up a large portion of the samples. Norman, while finding some of the toughest samples, managed to completely miss a large portion of them! Showing that their sandbox-emulation system has great potential, but it's far from complete.

Actual test numbers were:

Total Samples/Found Samples (321 total possible) + Number Missed + Detection Percentage

Discovered and tested MKS-Vir2004, from Poland. Surprisingly, this one caught every sample perfectly on Medium Heuristics. Specifically, nearly 50 samples were picked up heuristically, giving it a perfect score of 321/321. However, when I increased Heuristics to "Super Deep", it picked up an additional 10 suspicious files. Upon further investigation, it was found that it was picking up signatures of hacktool utilities left over in some of the archives and flagging those files. Indeed, this is impressive. MKS-Vir2004 exhibits the most advanced detection algorithms I've ever seen; clearly it only had signatures for 271 of my samples, but through code emulation, it was able to pick up all 321 samples!! It clearly labeled the heuristically found ones as things like "Likely Win32 Trojan" or "Highly Suspicious Acting File". In addition, its scanning speed was incredibly quick, and its memory footprint was quite small. Impressive! Furthermore, this is a full featured and fairly polished product that appears to update at least once per day, and tech support responded to me within 5-15 minutes on my emails. Unfortunately, it appears to not be available in the US for purchase at this time.

1a) MKS_Vir 2004 - 321/321 0 Missed - 100%
1b) eXtendia AVK - 321/321 0 Missed - 100%
2a) Kaspersky 5.0 - 320/321 1 Missed - 99.70% (with Extended Database ON)
2b) McAfee VirusScan 8.0 - 319/321 + 2 (2 found as joke programs - heuristically) - 99%
3) F-Secure - 319/321 2 Missed - 99.37%
4) GData AVK - 317/321 4 Missed - 98.75%
5) RAV + Norton (2 way tie) - 315/321 6 Missed - 98.13%
6) Dr.Web - 310/321 11 Missed - 96.57%
7) CommandAV + F-Prot + BitDefender (3 Way Tie) - 309/321 12 Missed - 96.26%
8) ETrust - 301/321 20 Missed - 93.76%
9) Trend - 300/321 21 Missed - 93.45%
10) Avast! Pro - 299/321 22 Missed - 93.14%
11) Panda - 298/321 23 Missed - 92.83%
12) Virus Buster - 290/321 31 Missed - 90.34%
13) KingSoft - 288/321 33 Missed - 89.71%
14) NOD32 - 285/321 36 Missed (results identical with or without advanced heuristics) - 88.78%
15) AVG Pro - 275/321 46 Missed - 85.66%
16) AntiVIR - 268/321 53 Missed - 83.48%
17) Antidote - 252/321 69 Missed - 78.50%
18) ClamWIN - 247/321 74 Missed - 76.94%
19) UNA - 222/321 99 Missed - 69.15%
20) Norman - 215/321 106 Missed - 66.97%
21) Solo - 182/321 139 Missed - 56.69%
22) Fire AV - 179/321 142 Missed - 55.76%
23) V3 Pro - 109/321 212 Missed - 33.95%
24) Per_AV - 75/321 246 Missed - 23.36%
25) Proland - 73/321 248 Missed - 22.74%
26) Sophos - 50/321 271 Missed - 15.57%
27) Hauri - 49/321 272 Missed - 15.26%
28) CAT Quickheal - 21/321 300 Missed - 6%
29) Vir_iT - 10/321 311 Missed - 3%
30) Ikarus - Crashed on first virus. - 0%

Interesting also to note is that the detection level of the US AVK version with KAV+RAV engines was higher than the German version with KAV+BitDefender engines. Several vendors have free versions of their for-purchase AVs; we didn't test the free versions, as it would serve no purpose for this test, but based on the results, none of the free versions would have been very impressive anyway. The term "Heuristics" seems like it should be taken very liberally, as some products that claim to be loaded with Heuristics scored miserably on items they clearly didn't have definitions for. Scanning speed was not measured, as it was totally irrelevant to my testing, and on-access scanners were not tested, as it would have been too time consuming, but considering most products have similar on-access engines as on-demand, and use the same database, results most likely would be very similar.

Cut through the hype, cut through the marketing schemes: this was a real test, with real samples, and none of these samples were provided to the antivirus software vendors in advance. This is real world, and these are likely bad guys you'll encounter, since I got them in my real encounters, and all were acquired on the internet in daily activities which anyone out there might be involved in (installing shareware, filesharing, surfing, etc). Keep in mind that with ITW tests the AV vendors have full disclosure of what they will be tested on in advance, not so here, so heuristics and real detection algorithms will play a big part, as well as the depth and scope of their definition database.

[Edit: After re-testing the Kaspersky products with the Extended Database option turned ON, they moved up, effectively scoring 100% considering the 1% margin of error]


Rapidshare Hacked

Rapidshare Hacked, unlimited upload, no countdown

UNLIMITED download/upload
It's very easy to fool the Rapidshare server if your IP address is assigned by your ISP. Just follow these simple steps:

Clean up the IE, Netscape or Firefox cookies (in this case the ones that belong to the Rapidshare website).
On the command prompt (open MS-DOS):
type -----> ipconfig /flushdns <---Enter
type -----> ipconfig /release <---Enter
type -----> ipconfig /renew <---Enter
type -----> exit <--------Enter

Or save these commands in a bat file and run it every time you need to fool the Rapidshare server. Remember to clean up the Rapidshare cookie in your Temporary Internet Files folder.

Now you should be ready to download/upload as many files as you want from their server.

Another way: get proxies from the internet and apply them in the browser.
Some proxies might not work though...

Note:
If you are on a LAN and behind a router (using NAT, for example)---this will not work.
If you use a fixed proxy--- this will not work.
If you have a fixed IP address from your ISP or college or employer or whatever -- this will not work.
If you happen to get the same IP address from your DHCP server because it's assigned to you -- this will not work

NO waiting
THIS "cheat" for RAPIDSHARE DOWNLOADS eliminates the "WAITING" for the file. No more COUNTDOWNS. So here's what you do:

1. First, Find a rapidshare download.
2. Hit the FREE BUTTON, like always.
3. While you're waiting for it to count down, change the URL in the bar to:
javascript:c(countdown = 0);
and hit ENTER or the GO button over and over. Each time you do so, it decreases 10-20 seconds. A few times and the link appears.
Or you can simply do the code below ONCE:
javascript: for (i=0; i<30;>

PACKET ATTACKS

Let me start by saying the internet is full of wonderful tools and papers like this one. A lot of these things can help you increase your knowledge, perhaps your job or more. But just as easily as you can learn from them, people read into them too much and decide to harm other people's work for no apparent reason. Let it be known that is in no way the purpose of this paper. A true hacker is one who strives to attain the answers for themselves through curiosity. It's the path we take to those answers that makes us hackers, not destruction of other people's work. So with that said, please enjoy my work, as I have enjoyed writing it.

The flow of data has always captured my interest. Just how does it work, how can we dissect it and use it to our advantage? Well I have spent a long time studying all of this, and that is why I wrote this paper. It's a collection of run-on sentences on different packet attacks and how they work. Now we all know you can learn all you ever wanted to know about the specifications of a protocol by reading its 30-page RFC document. But that is the protocol according to design; in the wild it's a different story altogether. 'Packet Attacks' covers everything from basic DOS attacks to TCP/IP hijacking, hence the name "Packet Attacks". This paper also focuses not just on attacks but practical ways to prevent such attacks and ideas on new methods to help us stop them and secure our networks.

Introduction:
TCP/IP Packet Switching Networks
OSI MODEL

---Chapter 1.---
Section a.
Introduction to DDOS/DOS & Packet Attacks
Section b.
How attacks are crafted

---Chapter 2.---
Section a. (attacks)
  ICMP
  Smurf
  SYN/ACK
  UDP
  DNS
  ARP
  DrDOS
  Special Bot / Trojans
  Worm DOS  
  Unicode ping flood (new!)
Section b.
  Phasing
Section c. (hacks)
  TCP hijacking
  Sniffing
  Scans
  Information gathering / Footprinting
Section d.
  Defense against these attacks
  Attack Detection
  Intrusion Detection
Section e.
  IPSEC
  NAT as a means of security

---Chapter 3.---
Section a.
The future of TCP/IP as a means of using IPv6
 
---Chapter 4. ---
Section a.
New security application / protocol

-----
Introduction.

Well I assume most of you reading this paper already have a good understanding of TCP/IP and how it works, so I won't get too much into detail on that, but I will scrape the surface on the parts we NEED to discuss. The internet is a MASSIVE web of machines all connected to one another through a series of hardware devices known as routers, switches, hubs, bridges and lots more. All of these devices (although some are smarter than others) push along packets. Our operating systems and applications craft these packets in order to send data to one another over the wire. Each packet, although varying in size, carries a small bit of data from one host to another. Each packet must also carry its own personal information such as where it came from and where it's headed. Of course there is a lot more to a packet than just this information, but as far as attacks go this is the crucial information we need to look at. Now there are many, many different types of protocols that craft many different types of packets, and they are all read differently when they are received at the other end. Whereas an ARP packet may tell a host who has this MAC address on this subnet, a TCP packet might transfer the last few bits of that MP3 you're downloading. Regardless of the data, all of these packets use the same wire to move to and from locations. I couldn't possibly discuss every protocol and packet structure in this one paper. The average end user takes for granted all of this running in the background while they surf the net. Most people don't understand the complexity of this internet we are all so familiar with, the chat rooms etc. But there are people who do, and there are people who take advantage of that. Reverse engineering has led to the creation of attacks using the basic fundamentals these protocols rely on. And since TCP/IP is so embedded in our infrastructure we must adapt and learn to defend against each new attack.

OSI MODEL

The Open Systems Interconnection model is a seven-layered networking design. It's an industry standard that defines exactly how data is transferred from protocol to protocol. Not every protocol follows the OSI model exactly, though some do. TCP, the internet's main mode of data transport, does not follow it exactly. Let me take you through a brief overview of the OSI model.

Layer Seven : Application Layer
This layer is obviously application specific; it provides everything from authentication to email to FTP and telnet, the list goes on. It's specifically for end user processes: what we input into our applications we can see on our screens.

Layer Six : Presentation Layer
This layer changes and possibly encrypts the data so that the application layer can understand it. (you will understand what this means in a few minutes)

Layer Five : Session Layer
Think of this layer as Establishment, Control and Termination of the sessions formed by the application(client) to a remote host(server).

Layer Four : Transport Layer
This layer is responsible for the invisible transfer of data from host to host. It is there to ensure all data transfer goes accordingly. The protocols used are UDP and TCP.

Layer Three : Network Layer
This layer is for error correction, packet sequencing, and for transmitting data from node to node. Addressing is also another function of this layer in inter-networking.

Layer Two : Data Link Layer
This layer decodes and encodes packets into bits so they are ready for the physical layer. It also handles error correction in the physical layer. This layer is also divided into two different sub-layers: the LLC (logical link control) and MAC (media access control) sub-layers. The LLC sub-layer provides control for frame synchronization and error checking. The MAC sub-layer controls how a computer on your network has access to data.

Layer One : Physical Layer
This layer is the actual movement of the data. Using electrical impulses or some other form of data movement, it pushes the bit stream towards the other host. This layer is the hardware level: the ethernet card, the wire etc. There are many protocols within this layer.

You may ask yourself why I listed these from 7 to 1. Well, I did it to show you how the OSI model really works. Layer Seven really comes first: the end user types something into his instant messenger (for example) and the data flows down through the OSI model, being encapsulated and changed at every level it has to be changed or corrected at. The data travels the wire and at the other end it moves back up the OSI model all the way to layer seven, where the other host can read it in the original form it was sent. So there's a VERY basic understanding of the OSI model and how it works to transmit data from host to host. There are a lot more protocols and parts to the OSI model, but this basic representation should provide a firm understanding.

To understand all of this more in depth please get your hands on a few RFC (request for comment) documents and start reading, because it will take you a very long time to understand exactly how TCP/IP works. If you're very knowledgeable in the way TCP/IP works then this paper should make a lot of sense to you, perhaps even bore you! :( On the other hand if you don't understand TCP/IP as well as you would like to, you still might get something out of this. I try and explain all of the technical writing as easily as I can. Feel free to email me if you have a question or comment. Thanks :)

Data_Clast

---------------------------------------------------------------------------------------
Chapter 1.

Section a.

 The most common attack on the internet today is a denial of service attack. There are many programs on the internet today that will assist anyone in crafting one of these attacks. The sad part is that, for as easy as they are to make, their power can be destructive when used properly. No matter what kind of packet attack it may be, most are based on the same principle: volume. Thousands and thousands of spoofed packets will eat up network resources within minutes, choking and essentially 'killing' any network. There are many types of packet attacks. Some are more sophisticated than others. I will also talk about TCP/IP hijacking and your typical port and vulnerability scans among other things.

Why do people launch these attacks? How are they launched? How exactly (technically speaking) do they 'choke a network'?! Hold tight, I'm getting to that. The lower end of these attacks are usually launched by what the hacker community calls a script kiddie. You see, a hacker isn't a mindless web-defacing juvenile (please see the Mentor's manifesto). A hacker is a person of true intellect and would never craft such an attack for no reason. But these lower end attacks are usually launched at people's individual machines. Their IP addresses may come from an IRC chat room, Yahoo Messenger, AOL, ICQ, or whatever other messenger you might use. Although not as sophisticated, these 'lower end' attacks can still knock an individual machine offline in minutes. The slightly more advanced attacks may be aimed at a business competitor in order to slow their sales or disrupt their outgoing internet connection. Whatever the reason may be, they are usually launched for a reason. Attacking a box for no reason is typically useless and will only take up your own bandwidth.

The more sophisticated attacks are aimed at government and root points of the internet, such as the attacks on the root DNS servers in October of 2002. These attacks were sophisticated in the way they were crafted. The attacks lasted for over an hour and successfully took out a few of the servers. If the attack had lasted just a few more minutes, who knows the damage it could have caused. The possibility of the authorities solving these attacks and apprehending the offenders is slim to none because they are created and launched by skilled malicious individuals. They were also distributed denial of service attacks, which means the 'zombie' machines that attacked the servers were spread out all over the world. We will touch more on that later though.

Section b.

 You will learn more about how these individual attacks are crafted and how they work later in this paper, but this is a small introduction so you can get a vague idea. Creating spoofed packets requires an open socket. This socket binds to an IP and a port and allows you to inject a packet onto the wire or accept any incoming packets to that IP and port. *NIX openly supports open socket programming (many tutorials exist on this type of programming), which means you can code programs that create packets and then inject them into the network with ease. An example of this would be a program called "SENDIP" which allows you to create custom packets, and it supports many protocols (another good program is nemesis). I have written a few tutorials using SENDIP; I think it's a great program for both advanced and new network engineers to use. It will help you learn about packet structure and the different protocols it supports. Microsoft is not an open source company, which pretty much makes it even harder to find help in creating these sorts of programs for Windows. But it is possible to craft these attacks from within a Windows environment. It's referred to as 'Winsock' programming. In fact most of these DDOS attacks are because of vulnerable Windows boxes out on the net. They are sitting ducks for trojan horses and other programs that craft these attacks on servers when commanded from a client program to do so. Most end users do not understand security and how easy it is to break into someone's home computer, so they lack firewalls and virus scanners. This leads to many zombie machines available at hackers' disposal on the net. All one has to do is scan a class C subnet for open trojan ports and hack their way into those trojans and use them as a backdoor; another zombie is created for attacking remote targets. Almost every program that interacts with TCP/IP generates packets to and from places; this is valid traffic. As you read you will distinguish the difference between valid and non-valid, as it is pretty easy to understand what I am explaining when I say "attack". When creating an open socket and crafting spoofed packets these programs tell the kernel they are going to construct their own IP headers. Usually this information is put on by the kernel before the packet exits the machine. But in this instance we are telling the kernel we want to specify our own information. Not all operating systems will allow this. And no, I don't have a detailed list of which do and which don't. Most of the experiments I have conducted on my network used different versions of RedHat Linux, Mandrake Linux, and Windows XP.

Chapter 2.

Section a.

There are several different types of packet attacks. There's the simple brute flood of ICMP packets which floods a network and eats up all the available bandwidth, and then there are more sophisticated attacks like the Smurf or SYN/ACK attack. All of these attacks target different things. While the SMURF attack may target the general network it's attacking, the SYN/ACK attack targets a specific host or service running on a host. We also must take into consideration that when a target is attacked it may not be the only machine affected. There are many routers and other boxes transferring the data between point A and point B. Other people's legitimate data is flowing between them, and may be disrupted by the packet flood. Even a top of the line router can only handle so much data. And unfortunately it is very easy to obtain source code for these attacks all over the web. Let's take a more detailed look at each attack.

ICMP brute flood attack.

ICMP works on top of TCP. The ICMP protocol is simple yet very effective. It's used for error correcting and testing network connectivity. Your average PING program uses ICMP packets to test network connectivity. By sending a small amount of arbitrary data in an ECHO_REQUEST packet it waits for a reply from the target host, simple right? A typical ICMP packet is called an ECHO_REQUEST. You send 4 or 5 of these at a target machine and when they arrive there they request an ECHO_REPLY. That's when everything is done according to design. If you want more info on an ICMP packet and how it works then read my tutorial on that!
http://www.theory-x.org/dataclast/_content/MPS.txt

In this attack the source IP address is spoofed. So now hundreds, thousands of ECHO_REQUEST packets rush towards their destination. They reach point B and request an ECHO_REPLY for every ECHO_REQUEST sent. Point B says OK and reads the source IP. The source IP ends up being unreachable, but point B is waiting a small amount of time (milliseconds) to determine that for every packet that's hitting it. It will be a few more moments before the process relinquishes this small bit of memory back to the system. This adds up to a great deal of packets and memory allocation building up. Now if these packets are coming from multiple source zombies (DDOS) then they're each coming via different routes. So even if one ISP stops one attack, there are still many more zombie machines attacking the victim. All of this is eating up time and bandwidth, because with every millisecond that passes more and more bandwidth is being taken up. Eventually point B can no longer keep up with the ECHO_REQUESTs and his connection is completely flooded and of no use. On an unprotected system or router this attack can be very consuming. This attack is also sometimes referred to as a bandwidth attack. Even if the target is running an advanced firewall it cannot protect the wire it is connected to from being flooded with packets. There have been changes in this attack as well. On the net there are what we call amplifiers. On every network there are the network and subnet addresses. In many default configurations when you ping either one of these addresses they multiply the echo requests by 4 or more. So a zombie would attack a vulnerable network (.0) or subnet address (.255) with a spoofed source IP, being the victim's real IP. So even though the traffic becomes valid as far as IP addresses go, the victim gets bombarded with massive ECHO_REPLY packets. You will see more of this description in other attacks, as it works for some of those too.

[zombie machine] -->ICMP ECHO_REQUEST (source IP = 1.1.1.1) -->-->--> [target]
[??????????????] ICMP ECHO_REPLY (destination 1.1.1.1 ?)<-- [target]

Hopefully that simple drawing shows you exactly how this attack works. It's very, very simple: massive ICMP packets with spoofed addresses taking up network resources. The simplest of attacks.

Smurf attack.

(first part is a repeat from the ICMP attack) There have been changes in the ICMP attack. On the net there are what we call amplifiers. On every network there are the network and subnet addresses. In many default configurations when you ping either one of these addresses they multiply the echo requests by 4 or more. So a zombie would attack a vulnerable network (.0) or subnet address (.255) with a spoofed source IP, being the victim's real IP. So even though the traffic becomes valid as far as IP addresses go, the victim gets bombarded with massive ECHO_REPLY packets. You will see more of this description in other attacks, as it works for those too.

You can try this attack on your home network by simply opening a packet sniffer on each machine that is on. Pick a machine, any machine, and ping your broadcast address. Mine is 192.168.0.255. Immediately you see each machine receiving a broadcast packet. Now imagine it's several hundred and each one has a spoofed source IP address. It's a brute ICMP attack on a massive scale; the possibilities of this attack are endless. You could easily implement this attack in any way you chose. You could spoof the victim's real IP as your source IP and create massive volumes of legit ECHO_REPLY packets. Even though it's valid traffic, it's 4x or more the normal load of valid traffic. This consumes the connection and valid traffic can't pass, or passes so slowly it makes no difference to the end user.

[zombie machine] --> ICMP ECHO_REQUEST source ip = 10.2.2.2 --> to: broadcast router 4.1.0.255 (router multiplies the ECHO_REPLY packets by 4x! --> --> --> --> [victim 10.2.2.2]

SYN/ACK attack.

The SYN/ACK attack is a very powerful attack. SYN/ACK packets are also used in TCP hijacking, and the TCP/IP three-way handshake. When an application wants to connect with a server somewhere over the net via a TCP connection (connection vs. connectionless data transfer (UDP)) it first sends a SYN packet. The SYN packet tells the target machine he wants to make a connection on a certain specified port, and then send data. When the target machine reads the SYN packet it replies to the original host with a SYN packet of his own and an ACK (acknowledgement) packet with sequence and ack numbers. These SEQ and ACK numbers are used to synchronize the data transfer; in case one or two packets get lost or slowed down along their route, the data can be assembled again in the correct order. The original machine replies again with another SYN ACK packet combination acknowledging the sequencing numbers and then it starts to send data. When it creates this connection a tiny piece of memory is allocated to hold the connection while the packets are en route. Now a SYN/ACK attack would consist of spoofing the source IP address on the original SYN packet. The target receives the request for a connection, reads the spoofed source IP and tries to send its own SYN and ACK packet to a destination that does not exist. Most operating systems will continue to send SYN/ACK packets if they don't receive a reply, as a method of error correction and guaranteed data delivery. Just like in the ICMP attack the machine has to wait a few milliseconds before abandoning all hope of reaching the machine. So these tiny allocated spaces of memory are building up with every spoofed packet that arrives at the target. This attack is very powerful and can disable a service running on the target machine in a matter of minutes. Not to mention all the available bandwidth is eaten with thousands and thousands of spoofed packets. So there is the SYN/ACK attack in a brief description.

[zombie machine] --> SYN packet (source IP 1.1.1.1, port = 23 telnet) (seq = 100) --> [target]
[??????????????] <-- SYN/ACK packets sent (seq = 300) (ack = 101) <-- [target]

As you can see from the simple drawing above, the target machine has no idea who is sending the SYN packets, and the telnet server it is running on port 23 would most likely crash. At best the telnet daemon would not let any other legitimate traffic through, as it could not gather enough resources (memory, bandwidth) to make the connection because of all the spoofed packets.

Another use of this attack is to disconnect a user from their current TCP session, by spoofing SYN/ACK packets to a server a client is currently using. The attacker places a "FIN" flag in the packets, which tells the server the client is done sending data. The client loses his connection and the attacker walks away undetected, because it only took one packet to accomplish this.
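From the defender's side, the half-open connections described above are visible in the host's own connection table: each spoofed SYN leaves a SYN-RECV entry whose peer never answers. The following Python is an added example (not part of the original text) that parses a connection-table snapshot in the column layout of `ss -tan` and flags a local port whose half-open count crosses a threshold. The snapshot lines are constructed for the example; on a real host you would feed it the tool's actual output.

```python
"""Spot a SYN flood from a connection-table snapshot (added example).

During the spoofed-SYN attack the snapshot shows many SYN-RECV entries on one
local port, each from a different source that never completes the handshake.
The column layout below mirrors `ss -tan` (State, Recv-Q, Send-Q, Local, Peer);
the rows themselves are constructed for this example.
"""
from collections import Counter, defaultdict

SAMPLE_SNAPSHOT = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN     0      128    0.0.0.0:23           0.0.0.0:*
ESTAB      0      0      10.0.0.5:22          10.0.0.9:51022
SYN-RECV   0      0      10.0.0.5:23          1.1.1.1:40001
SYN-RECV   0      0      10.0.0.5:23          1.1.1.2:40002
SYN-RECV   0      0      10.0.0.5:23          1.1.1.3:40003
SYN-RECV   0      0      10.0.0.5:23          1.1.1.4:40004
SYN-RECV   0      0      10.0.0.5:23          1.1.1.5:40005
SYN-RECV   0      0      10.0.0.5:23          1.1.1.6:40006
SYN-RECV   0      0      10.0.0.5:80          10.0.0.7:33001
"""


def parse_snapshot(text):
    """Return (state, local_ip, local_port, peer_ip, peer_port) per data row."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":   # skip header / blank lines
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        local_ip, local_port = local.rsplit(":", 1)   # rsplit copes with IPv6 too
        peer_ip, peer_port = peer.rsplit(":", 1)
        rows.append((state, local_ip, local_port, peer_ip, peer_port))
    return rows


def half_open_by_port(rows):
    """Count SYN-RECV entries per local port and remember the distinct peers."""
    count = Counter()
    peers = defaultdict(set)
    for state, _local_ip, local_port, peer_ip, _peer_port in rows:
        if state == "SYN-RECV":
            count[local_port] += 1
            peers[local_port].add(peer_ip)
    return count, peers


def flag_syn_flood(rows, threshold=5):
    """Return {port: (half_open, distinct_sources)} for ports at or over threshold.

    A high count with nearly as many distinct sources is the signature of
    randomised/spoofed SYN sources; one source repeating points elsewhere
    (a broken client, a single scanner), so both numbers are reported.
    """
    count, peers = half_open_by_port(rows)
    return {p: (c, len(peers[p])) for p, c in count.items() if c >= threshold}


if __name__ == "__main__":
    for port, (half_open, sources) in flag_syn_flood(parse_snapshot(SAMPLE_SNAPSHOT)).items():
        print(f"port {port}: {half_open} half-open connections from {sources} distinct sources")
```

The threshold of 5 is only sensible for this tiny sample; on a busy server it would be set relative to the normal backlog, and the check would be run repeatedly rather than on a single snapshot.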

UDP attack

UDP is a protocol that is used to transfer data; it is short for User Datagram Protocol. UDP offers very little error correction and is used as an alternative means of data transfer. It doesn't require the three-way handshake like the SYN/ACK method, so its initial attack may not take down a remote daemon as quickly. UDP is generally used to broadcast messages over a network. A UDP attack consists of spoofing the source IP addresses and specifying a port number, as in the SYN attack above. UDP packets are generally large because they are usually used on closed 100 Mb subnets (LANs). So an attacker would set flags in the packets and fragment them (break them up and mark where in the packet they broke, so they can be reassembled on the receiving end). For example, in Windows 2000 there was a remote UDP DOS exploit that used the IKE service running on port 500. All an attacker had to do was connect to port 500 on a random machine with that port open and start sending massive UDP packets (above 500 bytes) to that service; the CPU usage would hit 99% and the machine would lock up. The typical ports that accept UDP packets on a Windows box are 7, 13, 19 and 37.

DNS attack

The DNS attack is a special one. It is not as easily crafted as the others, and there aren't that many tools readily available to the average script kiddie to construct such an attack. The DNS protocol is used for name resolution: 216.239.35.100 = google.com, simple as that? Well, not really. A DNS attack is based on the fact that a DNS query takes very little data and bandwidth to create, but a DNS response is much bigger. So this is what a DNS attack would look like.

10.10.10.10 = victims IP

[dns query packet (who is google.com)] --> source IP is 10.10.10.10 --> [dns server]
[dns server] --> --> --> [dns response] [dns response] [dns response] --> [victim]

As you can see, the attack is sort of relayed through a legitimate DNS server. Although the DNS response packets are 'legit', there is a massive flood of them because the DNS server that is sending them is a very good machine on a very good connection. The end user, most likely a home PC, gets flooded with these huge DNS response packets it never asked for.

ARP attack

The ARP attack is a special one: it can be used to 'hijack' a TCP connection currently in session, or it can be used to sniff the legitimate traffic on a wire other than your own, which is a very dangerous thing in the information world we live in today. There are a few methods of this attack. Let's say person1, attacker, and server are all on the same subnet. Person1 and server currently have an FTP session open. Attacker sends both server and person1 an ARP packet containing a MAC address. Now both of their ARP tables are messed up for at least 30 seconds. Server and person1 can't find that invalid MAC address, so they send their data to the IP it's associated with, the attacker. So in this case the attacker has a sniffer set up and he's collecting a ton of data. Now the attacker (an advanced one at that) can issue commands as person1 to the server. This attack takes timing and skill to pull off on the internet, but on a LAN it's very easy. It only allows for maybe 30 or so seconds of sniffing, until their ARP tables are constructed properly again.
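The ARP poisoning just described has a simple passive tell: an IP address that was already learned with one MAC suddenly answers with a different one, and one MAC starts answering for several IPs at once. The Python below is an added example (not from the original text) of the idea behind an arpwatch-style monitor. The ARP reply records are constructed for the example; a real monitor would take them from a raw socket or a pcap file.

```python
"""Detect ARP cache poisoning by watching for IP-to-MAC changes (added example).

A passive monitor keeps its own IP -> MAC table built from the ARP replies it
sees on the wire and raises an alert when an IP it has already learned claims
a different MAC.  The replies below are constructed for this example.
"""
from collections import defaultdict

# Constructed ARP reply records: (timestamp_seconds, sender_ip, sender_mac)
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.10", "aa:aa:aa:aa:aa:10"),   # person1, legitimate
    (0.1, "192.168.1.20", "aa:aa:aa:aa:aa:20"),   # server, legitimate
    (5.0, "192.168.1.10", "aa:aa:aa:aa:aa:10"),   # periodic refresh, unchanged
    (7.2, "192.168.1.20", "cc:cc:cc:cc:cc:99"),   # server's IP now claims a new MAC
    (7.2, "192.168.1.10", "cc:cc:cc:cc:cc:99"),   # person1's IP claims the same new MAC
]


def monitor_arp(replies):
    """Replay ARP replies through a learned table; return a list of change alerts."""
    table = {}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        known = table.get(ip)
        if known is None:
            table[ip] = mac                      # first time we see this IP: learn it
        elif known != mac:
            alerts.append({"time": ts, "ip": ip, "old_mac": known, "new_mac": mac})
            table[ip] = mac                      # track the change so a flip back is reported too
    return alerts


def macs_claiming_multiple_ips(replies):
    """Return {mac: [ips]} for any MAC that answered for more than one IP.

    One hardware address standing in for two hosts at once is the
    man-in-the-middle pattern from the text (attacker posing as both ends).
    """
    ips = defaultdict(set)
    for _ts, ip, mac in replies:
        ips[mac.lower()].add(ip)
    return {mac: sorted(addrs) for mac, addrs in ips.items() if len(addrs) > 1}


if __name__ == "__main__":
    for alert in monitor_arp(SAMPLE_ARP_REPLIES):
        print(f"t={alert['time']}: {alert['ip']} changed {alert['old_mac']} -> {alert['new_mac']}")
    print("MACs answering for several IPs:", macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES))
```

A legitimate NIC replacement or DHCP reassignment also produces a single change alert, so the stronger signal is the second function: two different IPs mapping to the same MAC within seconds of each other.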

DRDOS attack

A DRDOS attack borrows a little from the other attacks to inflict damage. This attack spoofs the source IP address of SYN packets to the IP of the victim. It requires a third party, and this is the part of the attack that makes it so easy: all it needs is some FTP server, web server, telnet server... ANY service that will reply with an ACK packet, anywhere on the internet. It could be Angelfire's free FTP servers, it could be your neighbor's web server running off his 233 MHz Compaq with IIS 4.0. It doesn't matter! The SYN packets are sent to that service's IP address and it of course replies with a steady stream of SYN/ACK packets to the victim, most likely directed towards an open port on the victim's machine, crashing that service and the system. These attacks are near impossible to track down. This attack is quite possibly the strongest DOS attack in my opinion. For every SYN packet you send the middle man, it sends out up to 4 SYN/ACK combinations to the victim, and each time the victim doesn't respond the middle man sends even more (error correction). This allows the attacker to construct a massive attack from just one machine with a broadband connection. There are more dangers to this attack as well: there are hundreds of thousands of FTP servers, web servers and many more services running on the net today that will deflect these SYN/ACK packets at the victim. So in theory this attack could use any number of 'middle man' servers to bombard your network with packets.
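The DNS attack and the DRDOS attack above share one property a victim can detect locally: the traffic consists of replies (DNS responses, SYN/ACK segments) to requests the victim never sent. The Python below is an added example, not from the original text, of a host-side check that remembers its own outbound queries and SYNs for a short window and reports inbound replies that match none of them, grouped by the reflecting "middle man" host; for DNS it also computes the response-to-query byte ratio the DNS section relies on. The packet summaries are constructed for the example and use documentation address ranges; a real detector would derive the same fields from a packet capture.

```python
"""Flag reflected replies that answer a request this host never sent (added example).

Covers both reflection attacks in the text: unsolicited DNS responses and
unsolicited SYN/ACK segments.  The packet summaries below are constructed for
this example (documentation IP ranges, invented ports and sizes).
"""
from collections import Counter

WINDOW_SECONDS = 2.0       # how long an outbound request is considered "pending"
REPLY_KINDS = {"response", "synack"}
REQUEST_KINDS = {"query", "syn"}

# Constructed packet summaries:
# (time, direction, proto, kind, peer_ip, peer_port, local_port, size_bytes)
SAMPLE_PACKETS = [
    (0.00, "out", "dns", "query",    "10.0.0.53",    53, 40001, 60),
    (0.02, "in",  "dns", "response", "10.0.0.53",    53, 40001, 400),   # answers our query
    (1.00, "out", "tcp", "syn",      "203.0.113.1",  80, 50001, 60),
    (1.05, "in",  "tcp", "synack",   "203.0.113.1",  80, 50001, 60),    # answers our SYN
    (3.00, "in",  "dns", "response", "198.51.100.7", 53, 1234,  1500),  # never asked
    (3.01, "in",  "dns", "response", "198.51.100.7", 53, 1234,  1500),
    (3.02, "in",  "tcp", "synack",   "203.0.113.9",  21, 22,    60),    # never sent a SYN
    (3.03, "in",  "tcp", "synack",   "203.0.113.9",  21, 22,    60),
    (3.04, "in",  "tcp", "synack",   "203.0.113.9",  21, 22,    60),
]


def find_unsolicited(packets, window=WINDOW_SECONDS):
    """Return inbound replies with no matching outbound request inside `window`.

    A request matches a reply when proto, peer_ip, peer_port and local_port
    agree and the reply arrives within `window` seconds of the request.
    """
    pending = {}            # (proto, peer_ip, peer_port, local_port) -> time of last request
    unsolicited = []
    for pkt in sorted(packets):
        t, direction, proto, kind, peer_ip, peer_port, local_port, _size = pkt
        key = (proto, peer_ip, peer_port, local_port)
        if direction == "out" and kind in REQUEST_KINDS:
            pending[key] = t
        elif direction == "in" and kind in REPLY_KINDS:
            sent = pending.get(key)
            if sent is None or t - sent > window:
                unsolicited.append(pkt)
    return unsolicited


def reflectors(unsolicited):
    """Count unsolicited replies per (proto, reflecting host)."""
    return Counter((pkt[2], pkt[4]) for pkt in unsolicited)


def dns_amplification(packets):
    """Bytes received in DNS responses divided by bytes sent in DNS queries."""
    sent = sum(p[7] for p in packets if p[1] == "out" and p[2] == "dns")
    received = sum(p[7] for p in packets if p[1] == "in" and p[2] == "dns")
    return received / sent if sent else float("inf")


if __name__ == "__main__":
    bad = find_unsolicited(SAMPLE_PACKETS)
    for (proto, host), n in reflectors(bad).items():
        print(f"{n} unsolicited {proto} replies reflected from {host}")
    print(f"DNS bytes in / bytes out: {dns_amplification(SAMPLE_PACKETS):.1f}")
```

The reflector addresses reported here are the innocent third parties, not the attacker, which is exactly the tracking problem the text describes; what the output does give a defender is a list of hosts whose replies can be rate-limited or filtered upstream while the spoofed requests continue.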