Hackers Black Book
This report is useful in two different respects. It gives people who have lost their password a way of recovering it, and it shows owners of websites with protected content how to protect that content by applying simple techniques, without long waiting periods. Web masters who know the techniques described in this report have substantially better prospects of protecting their website reliably against intruders. Hacker's Black Book, copyright 1998, 1999 Walter Voell. The member area for this report is at the URL HTTP://speedometer.de/banner/secure/. There you find utilities and tools for reproducing the techniques described in this report. Your login: januar2000. Your password: xxx2345
Table of contents
Javascript password protection systems
HTACCESS password protection systems
Weak passwords
Direct hacking of the password file
The admin tools
Phreaking
Login name checker
Login generator not secure
Pictures not in protected directories
Packet sniffing
Trojan horses - NetBus and BackOrifice
Tip of the author
Legal aspects
The career profile of the hacker
Anonymous working
My working environment
Important links
This variant offers more protection than the first one. However, the directories are often not protected by the HTTP server against directory listing. If one enters the URL of the directory itself, http://members.protectedserver.com/members/, directly into the browser, one often receives a listing of all HTML pages in this directory (for example hu8621.shtm), and thus also of the page to which the Javascript password protection leads:

    function jprot() {
        var pass = prompt("Enter your password", "password");
        document.location.href = "http://members.protectedserver.com/members/" + pass + ".html";
    }
HTACCESS password protection systems
Nearly all web servers in use today support the so-called HTACCESS password protection. It began with the Apache web server, but meanwhile many other web servers are compatible with the HTACCESS standard. It is therefore also used very frequently by so-called paysites; for example, the websites www.playgal.com or www.hotsex.com use this protective mechanism. A website that uses HTACCESS can be recognized by the fact that on entering the member area a popup dialog appears (not generated by Javascript) which looks roughly as follows:
PICTURE MISSING
To understand how this protection works, one should know some basics of the Unix operating system. Under Unix (or Linux, BSD etc., and also under Windows web servers like Microsoft IIS) the HTML documents are arranged hierarchically in directory structures, just as on a normal PC. One speaks here in particular of a "tree structure". The root of the tree is the domain without further information. For example, www.ibm.com is the domain, and this is the root of the directory structure. If the HTML documents and graphics to be protected are located in the directory "secure", a HTACCESS file has to be placed in that directory. The file must carry the name ".htaccess" (with a leading dot). The htaccess file specifies in which file the passwords are stored and in what way the directory is protected. The HTACCESS file looks as follows:

    AuthUserFile /usr/home/myhomedir/passes
    AuthName MyProtectedSite
    AuthType Basic
    require valid-user

1999 Frank Owens & l@tz@rus
This HTACCESS file specifies that the password file is the file /usr/home/myhomedir/passes on the server. Sensibly, the password file should not be located within the area of the HTML documents, so that it cannot be reached via WWW. The option "AuthName" indicates which designation is to appear in the popup dialog (in the dialog above, for example, "playgal"). What is interesting about HTACCESS protection is that the HTACCESS file also protects all subdirectories beneath the directory in which it lies, to any depth. In our example one could thus create as many further directories as desired beneath the directory "secure"; these would all be protected. Now what does the password file look like? The following is an exemplary password file:
For each member the password file contains a line consisting of two parts separated by a colon. The first part is the login name; the second part contains the password in encoded form. This encoding is very secure. It is machine-specific. That is, even if one got hold of this password file, one could not compute the real passwords back from the encoded passwords. On password entry, the password is encoded by the Unix system function "crypt()" and compared with the encoded password stored in the password file. If they match, the login is OK.
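How the server's check can be reproduced outside Apache, as an added example that is not the book's code: it parses a password file of the "login:encoded password" form described above, verifies an offered password the way the server does, and checks that AuthUserFile lies outside the document root. It assumes Apache's {SHA} encoding in place of the book's crypt(), since Python's crypt module is deprecated; the password file and paths are constructed.

```python
"""Login check against an HTACCESS-style password file (added example).

Each line of the file is "login:encoded_password", as the book describes.
The book's file uses the Unix crypt() scheme; Python's crypt module is
deprecated, so this example uses Apache's {SHA} scheme (base64 of SHA-1,
what "htpasswd -s" writes) instead. All data below is constructed.
"""
import base64
import hashlib
import hmac
import os


def encode_sha(password: str) -> str:
    """Apache {SHA} form of a password: "{SHA}" + base64(sha1(password))."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


# Constructed password file with two members (built here, not copied from any site).
SAMPLE_PASSWORD_FILE = "\n".join([
    "alice:" + encode_sha("kd823joq"),
    "bob:" + encode_sha("x7q2m9ra"),
    "",
])


def parse_password_file(text: str) -> dict:
    """Map login name -> encoded password; the first colon separates the two parts."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        login, _, encoded = line.partition(":")
        entries[login] = encoded
    return entries


def verify_login(entries: dict, login: str, password: str) -> bool:
    """Encode the offered password and compare it with the stored value, exactly
    as the server does; the constant-time compare avoids leaking via timing."""
    stored = entries.get(login)
    if stored is None or not stored.startswith("{SHA}"):
        return False  # unknown login, or a scheme this example does not handle (e.g. crypt)
    return hmac.compare_digest(stored, encode_sha(password))


def password_file_outside_docroot(auth_user_file: str, document_root: str) -> bool:
    """True when AuthUserFile lies outside the directory served over WWW, which
    the book requires so that the password file cannot be fetched by URL."""
    root = os.path.realpath(document_root)
    path = os.path.realpath(auth_user_file)
    return os.path.commonpath([root, path]) != root


if __name__ == "__main__":
    members = parse_password_file(SAMPLE_PASSWORD_FILE)
    print(verify_login(members, "alice", "kd823joq"))  # True
    print(verify_login(members, "alice", "kd823jo"))   # False
    print(password_file_outside_docroot("/usr/home/myhomedir/passes",
                                        "/usr/home/myhomedir/public_html"))  # True
```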
Weak passwords
As one can see, it is thus very difficult to get into websites that are protected by means of HTACCESS. However, some web masters are simply too stupid to use the HTACCESS protection correctly, and so offer the attacker some possibilities. A weak password is a password that can easily be guessed. Here are some of the most frequently assigned username/password combinations:
Particularly with the large pay websites, which have several thousand members, it is very probable that such "weak" passwords are among them. In addition, one must consider that some members are members of many different websites and do not want to memorize all the possible passwords. Therefore the name of the respective website is also often chosen by members as the password.
Example:
www.hotsex.com: username: hot, password: sex
www.hotbabes.com: username: hot, password: babes
Or the members simply use only their name. Naturally, the most frequently occurring names are of particular interest:
In the American area, for example: john/smith, John/John, Miller/Miller, rick/rick, franc/franc and so on. In the German area, naturally, different names are of interest. The easily remembered login consisting of "username/passwords", exactly as it is requested in the password dialog, also occurs frequently. The weakest of all passwords, however, is the so-called "ENTER" password. The web master need only once, while creating new member data, have inadvertently confirmed a field without input, or have started his tool by mistake when the password dialog appeared, without entering anything at all, and such an "empty" entry ends up in the password file. To the committed web master the following safety tips are addressed:
Prevent and check for the creation of "empty" passwords.
Do not let the members choose their passwords themselves, but generate one at random (e.g. "kd823joq").
If customers may choose their username/password combination, do not permit the username to be equal to the password.

Direct hacking of the password file
Normally it should not be possible to get at the password file. In some cases it is nevertheless possible, namely in the following cases:
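The three safety tips for web masters given above, as an added example that is not from the book: an enrollment check that refuses the weak combinations the text names (the empty "ENTER" password, username equal to password, the site name as password as in hot/sex on hotsex.com, and the common name pairs), a random password generator in the style of "kd823joq", and a scan of an existing password file for empty entries. The site names and password file used are constructed.

```python
"""Enrollment checks for the web master's safety tips (added example, not
from the book). It rejects the weak combinations the book names: the empty
"ENTER" password, password equal to username, the site's own name as the
password (hot/sex on hotsex.com) and the common name pairs listed; it
generates a random password in the style of "kd823joq"; and it scans an
existing password file for empty entries. All sample data is constructed.
"""
import secrets
import string

# Pairs quoted in the text; extend this set for your own member base.
COMMON_PAIRS = {
    ("john", "smith"), ("john", "john"), ("miller", "miller"),
    ("rick", "rick"), ("franc", "franc"), ("username", "passwords"),
}


def site_label(site: str) -> str:
    """'www.hotsex.com/members' -> 'hotsex': the name members tend to reuse."""
    host = site.lower().split("/")[0]
    parts = host.split(".")
    if parts and parts[0] == "www":
        parts = parts[1:]
    return parts[0] if parts else ""


def weakness_reasons(username: str, password: str, site: str) -> list:
    """Reasons a username/password pair should be refused (empty list = acceptable)."""
    u, p = username.strip().lower(), password.strip().lower()
    label = site_label(site)
    reasons = []
    if not p:
        reasons.append('empty ("ENTER") password')
    if p and p == u:
        reasons.append("password equals username")
    # "hot"/"sex" on hotsex.com: password equals, is part of, or completes the site name
    if p and (p == label or (len(p) >= 3 and p in label) or u + p == label):
        reasons.append(f'password derived from site name "{label}"')
    if (u, p) in COMMON_PAIRS:
        reasons.append("well-known username/password pair")
    return reasons


def generate_password(length: int = 8) -> str:
    """Random lowercase/digit password like the book's "kd823joq", from the OS CSPRNG."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def empty_entries(password_file: str) -> list:
    """(line number, login) for every line whose password field is blank or missing."""
    bad = []
    for lineno, line in enumerate(password_file.splitlines(), 1):
        if not line.strip():
            continue
        login, sep, encoded = line.partition(":")
        if not sep or not encoded.strip():
            bad.append((lineno, login.strip()))
    return bad


# Constructed password file: "bob" was created with an empty password,
# "carol" has no password field at all. The hash text is a placeholder.
SAMPLE_PASSWORD_FILE = "alice:{SHA}constructedhash\nbob:\n\ncarol\n"

if __name__ == "__main__":
    print(weakness_reasons("hot", "sex", "www.hotsex.com"))
    print(weakness_reasons("alice", generate_password(), "www.hotsex.com"))  # []
    print(empty_entries(SAMPLE_PASSWORD_FILE))  # [(2, 'bob'), (4, 'carol')]
```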
Phreaking
By "phreaking" one understands the use of false information in order to register with a paysite as a new member. That is naturally forbidden, and these notes are primarily meant to serve web masters, so that they can protect themselves against such abuse. We want to describe here the most common case, in which the membership is paid online by credit card and access is granted immediately afterwards. Phreakers use an anonymous Internet access for this. In addition, the test access of AOL is often abused. Test memberships are included in almost every computer magazine. Also, okay.net offers immediate access on entering all the data. One registers with an invented name and any bank account that one knows from some invoice or elsewhere. One is then already anonymously on the Internet for a month via AOL or okay.net. Furthermore one needs a "valid" credit card number (preferably VISA or Mastercard, in Germany Eurocard). Getting hold of one is already somewhat more difficult. A usual method is to use a so-called "credit card generator" such as "Credit Wizard", "Cardpro" or "Creditmaster". A search by means of metacrawler.com for the terms "credit card generator" or the like often already turns up the desired programs. One should know that the online transaction centres cannot check exactly whether a credit card number really exists and to whom it belongs. There are only certain algorithms to check the number and the expiry date of a credit card for a valid structure. Therefore one can give arbitrary names and addresses for the registration and one of the generated numbers. However, the generators do not supply the corresponding expiry date.

However, there is a simple but quite effective trick to obtain card numbers with the correct expiry date: most of the above-mentioned programs offer the possibility of generating new numbers from a really existing credit card number. This procedure is called "extrapolation". The generated numbers usually differ only in the last digits, and since the card numbers are usually assigned by the credit card issuers in ascending order, the card numbers generated this way mostly have the expiry date of the card from which they were extrapolated. The following screen excerpt shows the extrapolation procedure: one can take one's own, really existing credit card and compute new card numbers from its number. The expiry date of the extrapolated numbers is then with greatest probability identical to the expiry date of one's own, real credit card. The user of these techniques need not fear being traced. Access via anonymous AOL test accounts offers maximum protection. If no such access is available, an "Anonymizer" should be used; one finds such for example at www.anonymizer.com. If one surfs via the Anonymizer, the IP address cannot be traced. A somewhat weaker variant for hiding one's IP address is to use a proxy server; most Internet access providers offer the possibility of surfing via a proxy. But note: if one uses one's own Internet access, i.e. no anonymous AOL access, Anonymizer or proxy, then the operator of the website at which one registers with the false credit card data can, by means of the IP address that the server logs, find out who defrauded him or tried to. For this he only needs to contact your access provider and communicate the IP address to it. The provider as a rule keeps records for the last 80 days of when who was online with which IP address.
Packet sniffing
This possibility is somewhat more complicated than the others described, because some preconditions must be met: one must sit at a computer in a LAN (Ethernet network) and have root access. Then one can use a so-called "packet sniffer", for example "SNOOP". Packet sniffers are usually found as C source code on the Internet. One only has to compile this short source code by means of GCC on the Unix shell, and it is already possible to listen to the packets that are sent to and from other computers in the LAN. This is because Ethernet networks use the so-called "broadcast" technology: a packet intended for one computer in a LAN is in principle sent to all computers in the LAN. Packet sniffing is thus particularly dangerous in those cases where one rents one's web server from a webspace provider and naturally sits there in a LAN with many other customers. An example is www.pair.com, one of the largest commercial webspace providers in the USA. There are over 70 web servers in one LAN, on which currently over 30,000 customers operate a virtual web server! As protection against packet sniffing, the use of a "segmented network" suggests itself. With such a network the broadcast technology is not used; instead the packets are routed directly to the target computer by means of routing tables. A solution particularly suitable for web servers is the use of SSL (Secure Sockets Layer). This protocol encrypts all packets, which can thus still be intercepted, but can no longer be read. SSL is offered by most web hosting companies for a small surcharge. SSL-encrypted web content can be recognized by the protocol prefix "https:". To operate an SSL-protected website one must have an SSL ID, which is available for example from www.verisign.com. A small disadvantage, however, is that HTTPS connections are somewhat slower than usual HTTP connections, since a relatively high encryption overhead exists.
... for an entry with the name ".exe" (default file name) or an entry 124,928 bytes long (+/- 30 bytes). Delete this entry; it causes the "Back Orifice" server to be activated automatically at every Windows start. The program generally lies in the directory "\Windows\System" and can be recognized by the fact that it has no program icon and has a size of 122 KByte (or slightly more). If for any reason you cannot find the file, it may help you that various information can be found as ASCII strings in the program code; thus, with high probability, the character string "bofilemappingcon" is contained in it, which you can find with the search function in the Explorer. In addition to the Back Orifice program file, the "WINDLL.DLL" for logging keyboard entries is installed in the same directory; you should sensibly delete it as well, although on its own it can do no damage. The problem with Back Orifice is that it is difficult to find out the IP address of the host, since this changes each time the affected computer dials in. Carl Fredrik Neikter solved this problem and created an even more powerful solution with his program "NetBus", which is quite similar. It offers even more functions and is simpler to install.
NetBus:
After you have downloaded the appropriate file, you should unpack it. You now receive three files: NETBUS.EXE, NETBUS.RTF and PATCH.EXE. PATCH.EXE is the dangerous infection program, the actual Trojan horse. So do not start this file! The file NETBUS.RTF contains a short English guide by the author. The file NETBUS.EXE is the "client" with which you can access infected servers. You can start this without concern. For testing, start the server on your own computer by opening a DOS prompt and starting the server in the NetBus directory with the parameter "/noadd", i.e. PATCH.EXE /noadd [RETURN].

Now the server is running. Now you can start the client (double-click NETBUS.EXE) and access your own computer. Select as the address "localhost" or "127.0.0.1". If you want to terminate the server, select "Server Admin" in the client and then "Close server". In addition, the infection program can be changed so that it automatically sends the IP address to a chosen email address as soon as a computer infected with NetBus goes onto the Internet. This is the enormous advantage over Back Orifice. For this one selects the button "Server Setup" in the NetBus client and enters the appropriate information. The only difficulty is finding a free mail server that accepts mails from any IP address. Then one selects "Patch Srvr" and selects the infection file to be patched (by default "patch.exe"). Whoever tries to infect another computer can now simply send the file PATCH.EXE by email to another Internet user and call the file a "Windows update" or some crazy, funny animation. The file can be renamed at will (e.g. Win98update.exe or siedler2_patch.exe etc.). If the file is now started, visibly nothing happens. However, the NetBus server has already installed itself hidden on the computer, and from now on it is started automatically each time the computer is booted. If one has made the above changes to the infection program, one now always automatically receives an email with the IP address of the infected computer as soon as it goes online on the Internet. You can now enter this IP address in the NetBus client and manipulate the computer. Hackers use anonymous email addresses for safety's sake, as are available for example at hotmail.com or mail.com. To protect your system, Norton AntiVirus is recommended (http://www.symantec.de/region/de/avcenter/), which recognizes Back Orifice as well as NetBus. You can also proceed manually:

The automatic NetBus start is registered in the Registry under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and should be removed. However, the file name can vary (patch.exe, sysedit.exe or explore.exe are some well-known names).

Further information can be found at http://www.bubis.com/glaser/netbus.htm
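The manual check described above for Back Orifice and NetBus traces, as an added example that is not the book's or any vendor's tool: it flags Run key values pointing at the file names the text names and tests a file against the 124,928-byte size and the "bofilemappingcon" marker. The registry read uses Python's winreg on Windows only; the Run key contents shown are constructed.

```python
r"""Check a Windows PC for the Back Orifice / NetBus traces described above
(added example, not the book's or any vendor's tool). Indicators are taken
from the text: a value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
whose program is ".exe", "patch.exe", "sysedit.exe" or "explore.exe"; a
file of 124,928 bytes (+/- 30) in \Windows\System; the ASCII string
"bofilemappingcon" inside that file. The registry is read only on Windows;
the classification logic runs anywhere on constructed data."""
import os
import sys

RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SUSPICIOUS_NAMES = {".exe", "patch.exe", "sysedit.exe", "explore.exe"}
BO_SIZE, BO_TOLERANCE = 124_928, 30  # the book's 122 KByte, +/- 30 bytes
BO_MARKER = b"bofilemappingcon"


def executable_basename(command: str) -> str:
    """Program file name (lower-cased) from a Run command line; handles quoted
    paths and arguments, and Back Orifice's default " .exe" strips to ".exe"."""
    cmd = command.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return os.path.basename(exe.replace("\\", "/")).strip().lower()

def suspicious_run_entries(entries: dict) -> list:
    """Run value names whose program has one of the file names the book reports (review by hand)."""
    return sorted(n for n, cmd in entries.items() if executable_basename(cmd) in SUSPICIOUS_NAMES)

def indicators_for(size: int, data: bytes) -> list:
    """File-level indicators: the server's size window and its marker string."""
    found = []
    if abs(size - BO_SIZE) <= BO_TOLERANCE:
        found.append("size matches Back Orifice server (124,928 +/- 30 bytes)")
    if BO_MARKER in data.lower():
        found.append('contains the string "bofilemappingcon"')
    return found

def inspect_file(path: str) -> list:
    """Apply indicators_for to a file on disk."""
    with open(path, "rb") as fh:
        data = fh.read()
    return indicators_for(len(data), data)

def read_run_key() -> dict:
    """Enumerate the Run key (Windows only; empty dict elsewhere)."""
    if not sys.platform.startswith("win"):
        return {}
    import winreg
    entries, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
        while True:
            try:
                name, value, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values
                return entries
            entries[name] = str(value)
            index += 1

# Constructed Run key contents for demonstration, not taken from a real machine.
SAMPLE_RUN_ENTRIES = {
    "SystemTray": r"C:\WINDOWS\SYSTEM\SysTray.Exe",
    "ScanRegistry": r'"C:\WINDOWS\scanregw.exe" /autorun',
    "Patch": r"C:\WINDOWS\SYSTEM\patch.exe",
    "bo": r'"C:\WINDOWS\SYSTEM\ .exe"',
}

if __name__ == "__main__":
    live = read_run_key() or SAMPLE_RUN_ENTRIES
    for name in suspicious_run_entries(live):
        print(f"review autostart value {name!r}: {live[name]}")
```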
§ 303a Data alteration: (2) Whoever unlawfully deletes, suppresses, renders unusable or alters data (§ 202a para. 2) is punished with imprisonment of up to two years or a fine. (3) The attempt is punishable. § 303b Computer sabotage: (1) Whoever disrupts a data processing operation that is of substantial importance for another's business, another's enterprise or a public authority by (a) committing an act under § 303a para. 1 or (b) destroying, damaging, rendering unusable, removing or altering a data-processing system or a data medium, is punished with imprisonment of up to five years or a fine. (2) The attempt is punishable.
... opens up possibilities and individual power. But for many - and ever more - the hacker is an ominous figure, a know-it-all sociopath who is ready to break out of his individual wilderness and penetrate into other people's lives, only for the sake of his own anarchic well-being. Every form of power without responsibility, without direct and formal checks and without accountability instils fear in people - and rightly so.
Anonymous working
You should not give anybody the possibility of building a profile of you. For this, the following should be considered: Keep contact only with hackers you know well. If you exchange emails with them, then they should naturally be PGP-encrypted and go to an anonymous account (do not use a hacked account; better www.hotmail.com, www.yahoo.com ...), using a special handle that you use for nothing else. You should change the handle/account irregularly and naturally also generate a new PGP seckey/pubkey pair (and change the passphrase too!). Make sure that your PGP key is generated with a key length of at least 2048 bits; in addition, for security reasons, you should not use the 5.x version but the old 2.6.x version!! If you absolutely want to hang around on the relevant IRC channels, then always change your nick and, for a change, also your host (since many computers on the Internet have IRC clients installed; you should not use relays (or also IP source routing and IP spoofing, try it out)). I know that changing the nick is not so nice, because one thereby gets no reputation with the broad mass; but reputation is as deadly as it is useful (other hackers accept you immediately and are somewhat more talkative towards you, which helps to educate oneself; however, once you have got so far that you write your own exploits, you are anyway no longer dependent on the largest part of the hackers, and you do not meet the remaining ones so simply in IRC). Here a so-called ReRouter, which passes on a TCP connection, is useful; it is already interesting in the respect that one wants to protect oneself against attacks by other hackers if one has caused too much annoyance on IRC. Also here you could naturally use a special account for IRC.
My working environment
As a dial-in point, a large university with many users or a large ISP serves me. I use PPP instead of normal terminal programs, in order to have more control over my connection and because it is advantageous to run several sessions (telnet, ftp) over one line. A small computer serves me as firewall and router; it establishes the PPP connection to my dial-in point and monitors all packets in detail. Furthermore, I establish a connection with SSH to the dial-in computer, in order to periodically follow all logged-in users and network connections (which naturally only works if the dial-in computer is a Unix machine and not a terminal server or the like). It is very interesting to see what an administrator does when he notices that something is not right on his machine. As soon as such probing/investigation becomes noticeable to me, I break off the connection immediately; if, however, I am right in a critical situation, I must use DOS attacks or lock the admin out, in order to slow down or prevent his work. On the dial-in computer it is not necessary to mask one's presence; it is better to submerge inconspicuously in the mass than to manipulate any logs. The second, larger computer is my workstation; from here I build an SSH connection to the first anti-trace computer. This anti-trace computer changes regularly, lies abroad, and I have full control of it. From here I go via a further anti-trace computer to my hacking computer; here too I have root rights; the second RK computer is naturally only a simple TCP relay, so I save myself the stress with the log files etc. From the hacking computer onward I go into very secure domains or hack new networks from there (there are naturally several of these computers, which are changed irregularly); for scanning I use in particular a computer hacked for this purpose, on which all scanners are well hidden and additionally 3DES-encrypted.

The encrypted SSH connection is necessary so that the admins/"Politessen" cannot eavesdrop on my activities at the dial-in point (or elsewhere). If you have only one computer available, you can naturally also protect yourself with the firewall of Linux/FreeBSD/OpenBSD. It is, however, more comfortable to observe the connection over a separate computer (I do not know to what extent Linux and co. support a second monitor on one computer). You should also patch your kernel so that it supplies you with more information about the packets in detail; then you are additionally able to recognize DOS attacks, source routing attacks, traceroutes etc. and their origin.