Hey !!

i joined a group of geeks ... ;) .. yeah .. really !! geeks ... all at one place .... that called LINUX USERS GROUP ...

check out their web site and IRC channel :)

this tutorial is note made by me ... i just google it !! thanx to original maker !

## Connections make the world go round ##



The computer world, at any rate. Every single time you open up a
website, send an email or upload your webpages into cyberspace, you are
connecting to another machine in order to get the job done. This, of
course, presents a major problem, because this simple act is what
allows malicious users to target a machine in the first place.



# How do these people find their victim?



Well, first of all, they need to get hold of the victim's IP Address.
Your IP (Internet Protocol) address reveals your point of entry to the
Internet and can be used in many ways to cause your online activities
many, many problems. It may not reveal you by name, but it may be
uniquely identifiable and it represents your digital ID while you are
online (especially so if you're on a fixed IP / DSL etc).



With an IP address, a Hacker can find out all sorts of weird and
wonderful things about their victim (as well as causing all kinds of
other trouble, the biggest two being Portnukes/Trojans and the dreaded
DoS ((Denial of Service)) attack). Some Hackers like to collect IP
Addresses like badges, and like to go back to old targets, messing them
around every so often. An IP address is incredibly easy to obtain -
until recently, many realtime chat applications (such as MSN) were
goldmines of information. Your IP Address is contained as part of the
Header Code on all emails that you send and webpages that you visit can
store all kinds of information about you. A common trick is for the
Hacker to go into a Chatroom, paste his supposed website address all
over the place, and when the unsuspecting victim visits, everything
about your computer from the operating system to the screen resolution
can be logged...and, of course, the all important IP address. In
addition, a simple network-wide port scan will reveal vulnerable target
machines, and a war-dialler will scan thousands of lines for exposed
modems that the hacker can exploit.



So now that you know some of the basic dangers, you're probably wondering how these people connect to a victim's machine?



## Virtual and Physical Ports ##



Everything that you recieve over the Internet comes as a result of
other machines connecting to your computer's ports. You have two types;
Physical are the holes in the back of your machine, but the important
ones are Virtual. These allow transfer of data between your computer
and the outside world, some with allocated functions, some without, but
knowing how these work is the first step to discovering who is
attacking you; you simply MUST have a basic knowledge of this, or you
won't get much further.



# What the phrases TCP/UDP actually mean



TCP/IP stands for Transmission Control Protocol and Internet Protocol,
a TCP/IP packet is a block of data which is compressed, then a header
is put on it and it is sent to another computer (UDP stands for User
Datagram Protocol). This is how ALL internet transfers occur, by
sending packets. The header in a packet contains the IP address of the
one who originally sent you it. Now, your computer comes with an
excellent (and free) tool that allows you to see anything that is
connected (or is attempting to connect) to you, although bear in mind
that it offers no blocking protection; it simply tells you what is
going on, and that tool is NETSTAT.



## Netstat: Your first line of defence ##



Netstat is a very fast and reliable method of seeing exactly who or
what is connected (or connecting) to your computer. Open up DOS
(Start/Programs/MS-DOS Prompt on most systems), and in the MSDOS
Prompt, type:



netstat -a



(make sure you include the space inbetween the "t" and the "a").



If you're connected to the Internet when you do this, you should see something like:





Active Connections



Proto Local Address Foreign Address State

TCP macintosh: 20034 modem-123.tun.dialup.co.uk: 50505 ESTABLISHED

TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT

TCP macintosh MACINTOSH: 0 LISTENING

TCP macintosh MACINTOSH: 0 LISTENING

TCP macintosh MACINTOSH: 0 LISTENING





Now, "Proto(col)" simply means what kind of data transmission is taking
place (TCP or UDP), "Local address" is your computer (and the number
next to it tells you what port you're connected on), "Foreign Address"
is the machine that is connected to you (and what port they're using),
and finally "State" is simply whether or not a connection is actually
established, or whether the machine in question is waiting for a
transmission, or timing out etc.



Now, you need to know all of Netstat's various commands, so type:



netstat ?



You will get something like this:





Displays protocol statistics and current TCP/IP network connections.



NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]



-a Displays all connections and listening ports.

-e Displays Ethernet statistics. This may be combined with the -s option.

-n Displays addresses and port numbers in numerical form.

-p proto Shows connections for the protocol specified by proto; proto
may be TCP or UDP. If used with the -s option to display per-protocol
statistics, proto may be TCP, UDP, or IP.

-r Displays the routing table.

-s Displays per-protocol statistics. By default, statistics are shown
for TCP, UDP and IP; the -p option may be used to specify a subset of
the default.





Have a play around with the various options, but the most important use
of these methods is when you combine them. The best command to use is



netstat -an



because this will list all connections in Numerical Form, which makes
it a lot easier to trace malicious users....Hostnames can be a little
confusing if you don't know what you're doing (although they're easily
understandable, as we shall see later). Also, by doing this, you can
also find out what your own IP address is, which is always useful.



Also,



netstat -b



will tell you what ports are open and what programs are connecting to the internet.



## Types of Port ##



It would be impossible to find out who was attacking you if computers
could just access any old port to perform an important function; how
could you tell a mail transfer from a Trojan Attack? Well, good news,
because your regular, normal connections are assigned to low, commonly
used ports, and in general, the higher the number used, the more you
should be suspicious. Here are the three main types of port:



# Well Known Ports These run from 0 to 1023, and are bound to the
common services that run on them (for example, mail runs on channel 25
tcp/udp, which is smtp (Simple Mail Transfer Protocol) so if you find
one of these ports open (and you usually will), it's usually because of
an essential function.



# Registered Ports These run on 1024 to 49151. Although not bound to a
particular service, these are normally used by networking utilities
like FTP software, Email client and so on, and they do this by opening
on a random port within this range before communicating with the remote
server, so don't panic (just be wary, perhaps) if you see any of these
open, because they usually close automatically when the system that's
running on them terminates (for example, type in a common website name
in your browser with netstat open, and watch as it opens up a port at
random to act as a buffer for the remote servers). Services like MSN
Messenger and ICQ usually run on these Ports.



# Dynamic/Private Ports Ranging from 49152 to 65535, these things are
rarely used except with certain programs, and even then not very often.
This is indeed the usual range of the Trojan, so if you find any of
these open, be very suspicious. So, just to recap:





Well Known Ports 0 to 1023 Commonly used, little danger.

Registered Ports 1024 to 49151 Not as common, just be careful.

Dynamic/Private Ports 49152 to 65535 Be extremely suspicious.





## The hunt is on ##



Now, it is essential that you know what you're looking for, and the
most common way someone will attack your machine is with a Trojan. This
is a program that is sent to you in an email, or attempts to bind
itself to one of your ports, and when activated, it can give the user
your passwords, access to your hard drive...they can even make your CD
Tray pop open and shut. At the end of this Document, you will find a
list of the most commonly used Trojans and the ports they operate on.
For now, let's take another look at that first example of Netstat....







Active Connections



Proto Local Address Foreign Address State

TCP macintosh: 27374 modem-123.tun.dialup.co.uk: 50505 ESTABLISHED

TCP macintosh: 80 proxy.webcache.eng.sq: 30101 TIME_WAIT

TCP macintosh MACINTOSH: 0 LISTENING

TCP macintosh MACINTOSH: 0 LISTENING

TCP macintosh MACINTOSH: 0 LISTENING





Now, straight away, this should make more sense to you. Your computer
is connected on two ports, 80 and 27374. Port 80 is used for http/www
transmissions (ie for all intents and purposes, its how you connect to
the net, although of course it's a lot more complicated than that).
Port 27374, however, is distinctly suspicious; first of all, it is in
the registered port range, and although other services (like MSN) use
these, let's assume that you have nothing at all running like instant
messengers, webpages etc....you're simply connected to the net through
proxy. So, now this connection is looking even more troublesome, and
when you realise that 27374 is a common port for Netbus (a potentially
destructive Trojan), you can see that something is untoward here. So,
what you would do is:





1) run Netstat , and use:



Netstat -a



then



Netstat -an



So you have both Hostnames AND IP addresses.





## Tracerouting ##



Having the attacker's IP is all well and good, but what can you do with
it? The answer is, a lot more! It's not enough to have the address, you
also need to know where the attacker's connections are coming from. You
may have used automated tracerouting tools before, but do you jknow how
they work?



Go back to MSDOS and type





tracert *type IP address/Hostname here*





Now, what happens is, the Traceroute will show you all the computers
inbetween you and the target machine, including blockages, firewalls
etc. More often than not, the hostname address listed before the final
one will belong to the Hacker's ISP Company. It'll either say who the
ISP is somewhere in there, or else you run a second trace on the new
IP/hostname address to see who the ISP Company in question is. If the
Hostname that you get back doesn't actually seem to mention an actual
geographical location within its text, you may think all is lost. But
fear not! Suppose you get a hostname such as

here i explained some very basic method of removing viruses ....
for more stay tunned with me :)
FUTURBILLGATE


..:~Description~:..
Enable registry editor

copy the following code, paste in notepd and save with .inf extension


[Version]
Signature="$Chicago{:content:}quot;
Provider=Symantec

[DefaultInstall]
AddReg=UnhookRegKey

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0



now right click the file and select install.

if it doesnt work then log-in through a virtual admin account as explained below, and then install this .inf file.


________________________________________________________________________________
________________________

virtual admin account
you can create a new virtual admin account and edit registry etc that r not allowed due to a virus.

Things to do:
♦ set a password for the working account (just to stop auto login after booting)
♦ restart
♦ when it will ask for pass after boot, press ++ twice
♦ a pop up window should appear
♦ write "Administrator" in place of username, leave the password space blank
♦ hit "ok"
♦ i t will login into the PC creating a temporary (more precisely virtual) admin account

now you got admin privileges.


________________________________________________________________________________
________________________

Enable Run Command

Open My Computer –> C drive –> Windows –> System32 –> Locate gpedit.msc file and run it.

While you have opened Group Policy look at the left pane and in the User Configuration, expand Administrative Templates, select Start Menu and Taskbar now in the right pane locate Remove Run Menu from Start Menu and double click it.

Select Disabled in the properties dialogue and press apply then OK

Now close all open Windows you will see the Run has been restored in Start Menu.






________________________________________________________________________________
________________________



Enable Folder Options


Go to Start--Run--type Regedit

from the edit tab click find

type Folder Options and search

in the Reg_dword value of folder option change it to 1



OR/AND

->Run -> Type gpedit.msc

Then:
->User Configuration ->Administrative Templates --> Windows Components --> Windows Explorer-> Removes the Folder Options menu item from the Tools menu.

Right click:
-> Properties -> Disable ->Apply



OR/AND


Run-Regedit
flow to HKCU\Software\Microsoft\Windows\Policy
and HKLM\Software\Microsoft\Windows\Policy

Find into this, if there's any key like that : "disable cmd" or "disable Folder Options" with value=1
Set the value to "0"


________________________________________________________________________________
________________________



Show Hidden Files

1. Go to Start --> Run, then type regedit
2. Navigate to the registry folder HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
3. Find a key called CheckedValue.
4. Double Click CheckedValue key and modify it to 1. This is to show all the hidden files.


OR if it doesnt work then:

copy this code, paste in notepad and save with .reg extension


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"


now right click the file and select merge



________________________________________________________________________________
________________________



Enable Task Manager

copy the following code and paste in notepad, then save with .reg extension. after that right click the file and select merge


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000




or, if this doesnt work


. Click Start
. Click Run
. Enter gpedit.msc in the Open box and click OK
. In the Group Policy settings window
. Select User Configuration
. Select Administrative Templates
. Select System
. Select Ctrl+Alt+Delete options
. Select Remove Task Manager
. Double-click the Remove Task Manager option select Disable




OR/AND


Click Start -> Run. Type in regedit and hit Enter.

Search for HKEY_CURRENT_USER -> Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System

Look for: DisableTaskMgr. Click on REG_DWORD. Value: 1=Enable this key (disables TaskManager); Value: 0=Disable (actually enables TaskManager)

Close RegEdit

Reboot

or use this:

its a soft that fixes the Task Manager. just 68kb size

..:~Download Link~:..

this is not made by me :( ... but i find it more intresting :)


When you first turn on you computer (BEFORE DIALING INTO YOUR ISP),
open a MS-DOS Prompt window (start/programs MS-DOS Prompt).
Then type netstat -arn and press the Enter key.
Your screen should display the following (without the dotted lines
which I added for clarification).

-----------------------------------------------------------------------------
Active Routes:

Network Address Netmask Gateway Address Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
255.255.255.255 255.255.255.255 255.255.255.255 0.0.0.0 1

Route Table

Active Connections

Proto Local Address Foreign Address State

--------------------------------------------------------------------------------

If you see anything else, there might be a problem (more on that later).
Now dial into your ISP, once you are connected;
go back to the MS-DOS Prompt and run the same command as before
netstat -arn, this time it will look similar to the following (without
dotted lines).

-------------------------------------------------------------------------------------

Active Routes:

Network Address Netmask Gateway Address Interface Metric
0.0.0.0 0.0.0.0 216.1.104.70 216.1.104.70 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
216.1.104.0 255.255.255.0 216.1.104.70 216.1.104.70 1
216.1.104.70 255.255.255.255 127.0.0.1 127.0.0.1 1
216.1.104.255 255.255.255.255 216.1.104.70 216.1.104.70 1
224.0.0.0 224.0.0.0 216.1.104.70 216.1.104.70 1
255.255.255.255 255.255.255.255 216.1.104.70 216.1.104.70 1

Route Table

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:0 0.0.0.0:0 LISTENING
TCP 216.1.104.70:137 0.0.0.0:0 LISTENING
TCP 216.1.104.70:138 0.0.0.0:0 LISTENING
TCP 216.1.104.70:139 0.0.0.0:0 LISTENING
UDP 216.1.104.70:137 *:*

--------------------------------------------------------------------------------

What you are seeing in the first section (Active Routes) under the heading of
Network Address are some additional lines. The only ones that should be there
are ones belonging to your ISP (more on that later). In the second section
(Route Table) under Local Address you are seeing the IP address that your ISP
assigned you (in this example 216.1.104.70).

The numbers are divided into four dot notations, the first three should be
the same for both sets, while in this case the .70 is the unique number
assigned for THIS session. Next time you dial in that number will more than
likely be different.

To make sure that the first three notation are as they should be, we will run
one more command from the MS-DOS window.
From the MS-DOS Prompt type tracert /www.yourispwebsite.com or .net
or whatever it ends in. Following is an example of the output you should see.

---------------------------------------------------------------------------------------

Tracing route to /www.motion.net [207.239.117.112]over a maximum of 30 hops:
1 128 ms 2084 ms 102 ms chat-port.motion.net [216.1.104.4]
2 115 ms 188 ms 117 ms chat-core.motion.net [216.1.104.1]
3 108 ms 116 ms 119 ms www.motion.net [207.239.117.112]
Trace complete.

------------------------------------------------------------------------------------------

You will see that on lines with the 1 and 2 the first three notations of the
address match with what we saw above, which is a good thing. If it does not,
then some further investigation is needed.

If everything matches like above, you can almost breath easier. Another thing
which should you should check is programs launched during startup. To find
these, Click start/programs/startup, look at what shows up. You should be
able to recognize everything there, if not, once again more investigation is
needed.

-------------------------------------------------------------------------------------------

Now just because everything reported out like we expected (and demonstrated
above) we still are not out of the woods. How is this so, you ask? Do you use
Netmeeting? Do you get on IRC (Internet Relay Chat)? Or any other program
that makes use of the Internet. Have you every recieved an email with an
attachment that ended in .exe? The list goes on and on, basically anything
that you run could have become infected with a trojan. What this means, is
the program appears to do what you expect, but also does just a little more.
This little more could be blasting ebay.com or one of the other sites that
CNNlive was talking about.

What can you do? Well some anti-virus software will detect some trojans.
Another (tedious) thing is to start each of these "extra" Internet programs
one at a time and go through the last two steps above, looking at the routes
and connection the program uses. However, the tricky part will be figuring
out where to tracert to in order to find out if the addresses you see in
step 2 are "safe" or not. I should forewarn you, that running tracert after
tracert, after tracert might be considered "improper" by your ISP. The steps
outlined above may not work exactly as I have stated depending upon your ISP,
but with a true ISP it should work. Finally, this advise comes with NO
warranty and by following my "hints' you implicitly release me from ANY and
ALL liability which you may incur.


Other options

Display protocol statistics and current TCP/IP network connections.
Netstat [-a] [-e] [-n] [-s] [-p proto] [-r] [intervals]

-a.. Display all connections and listening ports.
-e.. Display Ethernet statistics. This may be combined with the -s option.
-n.. Diplays address and port numbers in the numerical form.
-p proto..Shows connections for the protocol specified by proto; proto may be
TCP or UDP. If used with the -s option to display per-protocol statistics,
proto may be TCP, UDP, of IP.
-r.. Display the routing table.
-s.. Display per-protocol statistics. By default, statistics are shown for TCP
UDP and IP; the -p option may be used to specify a subset of the default
interval..Redisplay selected statistics, pausing intervals seconds between each
display. If omitted. netstat will print the current configuration information
once

again a tutorial from me to explain the stuff ! cheers !!!!
-futurbillgate


WHAT MAKES A SYSTEM SECURE?

"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then I wouldn't stake my life on it."


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT WOULD BE IDEAL PROTECTION OF A SYSTEM?

Password Access- Get rid of simple passwords; routinely change all passwords; regular review/monitoring of password files.

Physical Access- Lock up terminals, personal computers, disks when not in use; eliminate unnecessary access lines; disconnect modems when not in use.

Other measures- Know who you are talking to; shred all documents; avoid public domain software; report suspicious activity (especially non-working hours access)

What this all means is that hackers must now rely on the ineptitude and laziness of the users of the system rather than the ignorance of SysOps. The SysOps and SecMans (Security Managers) are getting smarter and keeping up to date. Not only that, but they are monitoring the hack/phreak BBSes and publications. So the bottom line is reveal nothing to overinquisitive newbies...they may be working for the wrong side.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT IS A FIREWALL?

A (Internet) firewall is a machine which is attached (usually) between your site and a Wide Area Network (WAN). It provides
controllable filtering of network traffic, allowing restricted access to certain Internet port numbers and blocks access to pretty well everything else.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW TO HACK WITHOUT GETTING INTO TROUBLE AND DAMAGING COMPUTERS?

1. Don't do damage intentionally.
2. Don't alter files other than than to hide your presence or to remove traces of your intrusion.
3. Don't leave any real name, handle, or phone number on any system.
4. Be careful who you share info with.
5. Don't leave your phone number with anyone you don't know.
6. Do NOT hack government computers.
7. Don't use codes unless you HAVE too.
8. Be paranoid!
9. Watch what you post on boards, be as general as possible.
10. Ask questions...but do it politely and don't expect to have everything handed to you.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT DO I DO IF I AM GETTING NOWHERE?

1. Change parity, data length, and stop bits. The system may not respond to 8N1 (most common setting) but may respond to 7E1,8E2, 7S2, etc.
2. Change baud rates.
3. Send a series of carriage returns.
4. Send a hard break followed by a carriage return.
5. Send control characters. Work from ^a to ^z.
6. Change terminal emulation.
7. Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, GO, LOGON, JOIN, HELP, or anything else you can think off.

=====================================================================


WHAT ARE COMMON DEFAULT ACCOUNTS ON UNIX?

Common default accounts are root, admin, sysadmin, unix, uucp, rje, guest, demo, daemon, sysbin. These accounts may be unpassworded or the password may possibly be the same (i.e. username uucp has uucp as the passwd).

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW IS THE UNIX PASSWORD FILE SETUP?

The password file is usually called /etc/passwd. Each line of the passwd file of a UNIX system follows the following format:


userid:password:userid#:groupid#:GECOS field:home dir:shell


What each of these fields mean/do---

userid -=> the userid name, entered at login and is what the login searches the file for. Can be a name or a number.

password -=> the password is written here in encrypted form. The encryption is one way only. When a login occurs the password entered is run through the encryption algorithm (along with a salt) and then contrasted to the version in the passwd file that exists for the login name entered. If they match, then the login is allowed. If not, the password is declared invalid.

userid# -=> a unique number assigned to each user, used for permissions

groupid# -=> similar to userid#, but controls the group the user belongs to. To see the names of various groups check /etc/group

GECOS FIELD -=> this field is where information about the user is stored. Usually in the format full name, office number, phone number, home phone. Also a good source of info to try and crack a password.

home dir -=> is the directory where the user goes into the system at (and usually should be brought to when a cd is done)

shell -=> this is the name of the shell which is automatically started for the login

Note that all the fields are separated by colons in the passwd file.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT DO THOSE *s, !s, AND OTHER SYMBOLS MEAN IN THE PASSWD FILE?

Those mean that the password is shadowed in another file. You have to find out what file, where it is and so on. Ask somebody on your system about the specifics of the Yellow Pages system, but discretely!

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT IS A UNIX TRIPWIRE?

Tripwire is a tool for Unix admins to use to detect password cracker activity, by checking for changed files, permissions, etc. Good for looking for trojan horses like password stealing versions of telnet/rlogin/ypcat/uucp/etc, hidden setuid files, and the like.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

USING SUID/GUID PROGS TO FULL ADVANTAGE.

A SUID program is a program that when executed has the privs of the owner.
A GUID has the privs of the group when executed.

Now imagine a few things (which happen often in reality):

1. Someone has a SUID program on their account, it happens to allow a shell to, like @ or jump to a shell. If it does that, after you execute said file and then spawn a shell off of it, all you do in that shell has the privs of that owner.
2. If there is no way to get a shell, BUT they leave the file writable, just write over it a script that spawns a shell, and you got their privs again.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I HACK INTO AN AIX MACHINE?

If you can get access to the 'console' AIX machines have a security hole where you can kill the X server and get a shell with ctrl-alt-bkspce. Also by starting an xterm up from one you are not logged in the utmp for that session because the xterms don't do utmp logging as a default in AIX. Or try the usual UNIX tricks:

ftping /etc/passwd, tftping /etc/passwd, doing a finger and then trying each of the usernames with that username as a password.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I INCREASE MY DISK QUOTA ON UNIX?

A UNIX disk quota may be increased by finding a directory on another partition and using that. Find another user who wants more quota and create a directory for the other to use, one that is world writable.
Once they've put their subdirectory in it, change the perms on the directory to only read-execute. The reason this works is that
usually accounts are distributed across a couple of filesystems, and admins are usually too lazy to give users the same quotas on each filesystem. If the users are all on one filesystem, you may be able to snag some space from one of the /usr/spool directories by creating a 'hidden' subdirectory like .debug there, and using that.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I FOOL AROUND ON XTERM / XWINDOWS?

Most x commands have a -display option which allows you to pick a terminal to send to. So if you use bitmap to create a bitmap, or download one, etc then:

xsetroot -bitmap bitmapname
[display the bitmap on your screen]

xsetroot -bitmap bitmapname -display xt2500:0
[display the bitmap on another xterm]

Other uses, try xterm -display xt??:0 will give someone else one of your login windows to play with. They are then logged in as you though, and can erase your filespace, etc. Beware!

Slightly irritating:
xclock -geom 1200x1200 -display xt??:0
[fills the entire screen with a clock]

Slightly more irritating:
Use a shell script with xsetroot to flash people's screens different colors.

On the nastier side:
Use a shell script with xsetroot to kill a person's window manager.

Downright nasty:
Consult the man pages on xkill. It is possible to kill windows on any display. So to log someone off an xterm you merely have to xkill their login window.

Protect yourself:
If you use xhost - this will disable other people from being able to log you out or generally access your terminal.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I TAKE ADVANTAGE OF THE DECODE DAEMON?

First, you need to make sure that the decode daemon is active.
Check this by telnetting to the smtp port (usually port 25), and expanding user Decode. If it gives you something, you can use it.
If it tells you that the user doesn't exist, or whatever, you can't.

If the daemon is active, this is how to exploit the decode daemon:
1) uuencode an echo to .rhosts
2) pipe that into mail, to be sent to the decode daemon (What happens: the decode daemon (1st) decodes the process, but
leaves the bin priveleges resident. (2nd) the echo command is executed, because now the decoded message assumes the bin priveleges [which are *still* active, even though the daemon didn't issue the command]).
3) If this is done right, you will be able to rlogin to the sysem.

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I GET THE PASSWORD FILE IF IT IS SHADOWED?

If your system has Yellow Pages file managment:

ypcat /etc/passwd > whatever.filename

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW IS A PASSWORD ENCRYPTED IN UNIX?

Password encryption on UNIX is based on a modified version of the DES [Data Encryption Standard]. Contrary to popular belief, the typed password is not encrypted. Rather the password is used as the key to encrypt a block of zero-valued bytes.
To begin the encryption, the first seven bits of each character in the password are extracted to form the 56-bit key. This implies
that no more than eight characters are significant in a password.
Next, the E table is modified using the salt, which is the first two characters of the encrypted password (stored in the passwd file).
The purpose of the salt is to makae it difficult to use hardware DES chips or a precomputed list of encrypted passwords to attack the algorithm. The DES algorithm (with the modified E table) is then invoked for 25 iterations on the block of zeros. The output of this encryption, which is 64 bits long, is then coerced into a 64-character alphabet (A-Z, a-z, 0-9, "." and "/"). Because this
coersion involves translations in which several different values are represented by the same character, password encryption is essentially one-way; the result cannot be decrypted.

- futurbillgate

How to re-install windows without loosing anything

Over time, Windows loses stability. If you keep a computer for more than two years, at some point you're going to have to bite the bullet and reinstall Windows from scratch. But contrary to popular belief, you won't have to reformat your hard drive (with one exception, discussed below). The bad stuff you need to get rid of is all in your Windows folder.

Before you begin, gather your Windows and application CD-ROMs. Back up your data files (just to be safe), and then clear two days off your calendar. If everything goes smoothly, you can reinstall Windows in a few hours. But you have to assume something will go wrong: You may not be able to find a necessary CD, or data won't be where you thought it was, or something will simply refuse to work.

There's a difference between a repair reinstall and a complete reinstall. Though a repair (also called a refresh) will let you keep your current settings, a complete reinstall will give you a truly fresh version of Windows. Repairs are fast and easy, but they don't fix anywhere near as many problems. The instructions below are for total reinstalls, except where noted.
Your Vendor's Restore CD

Most computers ship with a vendor-specific restore CD rather than with a Microsoft Windows CD-ROM. (If your PC came with a Microsoft Windows CD, or if you bought a retail copy of Windows, skip to the section for your version.)

Some restore CDs give you all the options of a full Microsoft Windows CD, but with better instructions and the convenience of having all the right hardware drivers. Others can do nothing except reformat your hard drive and restore it to the condition it was in when you bought the PC. (This case is the exception I mentioned above that requires a reformat.)

If your restore CD is reformat-only, back up your data files to a network or a removable medium before reinstalling Windows. If you use Windows 98 or Me, back up C:\My Documents, plus the folders inside C:\Windows discussed in the 98*steroidsRgangstaa section below. If you have Windows 2000 or XP, back up C:\Documents and Settings. Also back up any other folders in which you store your data files.
Windows 98 and ME CDs

These Windows versions keep some important data inside your soon-to-be-erased Windows folder, so you need to copy several of its subfolders to another location. Right-click My Computer and select Explore. Double-click the C: drive icon (in Me, you may then have to click View the entire contents of this drive). Right-click in the right pane and select New, Folder. Name the new folder oldstuff.

Go to the Windows folder (you might have to click View the entire contents of this folder), hold down Ctrl, and select the following subfolders: All Users, Application Data, Desktop, Favorites, Local Settings, Profiles, SendTo, and Start Menu. If you don't see them all, select View, Folder Options (Tools, Folder Options in Me), click the View tab, select Show all files, and click OK. (If you still don't see them all, don't worry about it.) Press Ctrl and drag the folders to C:\oldstuff (see FIGURE 1).

Restart Windows with a start-up disk in your floppy drive. (To make a start-up floppy, insert a disk, select Start, Settings, Control Panel, double-click Add/Remove Programs, click Startup Disk, Create Disk, and follow the prompts.) At the Startup Menu, select Start computer with CD-ROM support. While the drivers load, insert your Windows CD-ROM.

Unless you're doing a repair reinstall, type the command c:\windows\command\deltree /y c:\windows and press Enter. Deleting your old files could take time, but the /y switch suppresses confirmation prompts, so take a break.

When you're back at the A: prompt, type x:setup, where x is your CD drive letter (it's likely one letter past what it usually is in Windows, so if it's D: in Windows, it's probably E: here). Press Enter and follow the prompts.

Once you're back in Windows, reinstall your graphics card driver. If you have Windows set up for more than one user, you'll also have to re-create each account. Select Start, Settings, Control Panel, Users to do so. It's important that the user names match those in the old installation. If you're not sure, open Windows Explorer and navigate to C:\oldstuff\profiles. There you'll find a folder for each registered user name (see FIGURE 2). Don't worry about passwords. Log off and log back on as each user. When you're done, log off and back on one more time, but instead of choosing a user name and a password, press Esc to enter Windows without being a specific user.

Select Start, Programs, MS-DOS Prompt (in Windows 98) or Start, Programs, Accessories, MS-DOS Prompt (in Windows Me). Type xcopy c:\oldstuff\*.* c:\windows /s /h /r /c and press Enter (if you want to know what the xcopy switches do, enter the command xcopy /?). When xcopy asks if it should overwrite a file, press a for All.

When xcopy is through, reboot and log on (as a particular user, if necessary). Open My Documents to make sure all your personal files are where they belong, including your Internet Explorer favorites and your custom Start menu shortcuts.

Now skip ahead to "Finishing the Job."
Windows 2000 and XP CDs

Boot your computer with your Windows CD-ROM inserted. When you get the 'Press any key to boot from CD' message, do so. (If you don't see that message before Windows starts, restart Windows, press the key you're prompted to enter for your PC Setup program, and change the boot order so your CD drive is first.)

At the 'Welcome to Setup' screen, press Enter. The R (repair) option takes you to the Recovery Module, which is useful if Windows won't boot, but it's no help with a reinstallation. Soon you'll be told that there's already a Windows installation on the computer. Press r for a repair reinstall or Esc to begin a complete, destructive one. For a complete restore, select your C: partition and press Enter. When you get the warning that says an operating system is on that partition, press c. When you are asked your partition preference, select Leave the current file system intact (no changes). When you're told that a Windows folder (or Winnt folder for Windows 2000) already exists, press l ('ell') to delete it and create a new one. Follow the series of prompts. When the installation program asks for your name, enter temp.

Once the installation is complete, your system will reboot into Windows, and you'll be logged on as user Temp. If the screen is difficult to read, reinstall your graphics card driver.

If you are reinstalling Windows XP, skip to "For Both Windows XP and 2000."

If you're reinstalling Windows 2000, log off as Temp and back on as Administrator. Now log off and on again, this time as Temp. Open Windows Explorer and navigate to C:\Documents and Settings. One of the subfolders will be named Administrator. Another will be named something like Administrator.computername.

Select Start, Programs, Accessories, Command Prompt. Type cd "\documents and settings" and press Enter. Then type xcopy administrator\*.* administrator.computername /s /h /r /c, replacing computername with the last part of that folder's name (after "Administrator.") in Documents and Settings. Now press Enter, and when you're asked about overwriting files or folders, press a for All.

If you have any users on the old installation besides Administrator, continue with the "For Both Windows XP and 2000" section. Otherwise, open Windows Explorer and make sure your data files are where they belong. Then go to Control Panel's Users and Passwords applet and delete the user Temp before skipping to "Finishing the Job."
For Both Windows XP and 2000

Reopen Windows Explorer. Select your C: drive (you may have to click Show the contents of this folder). Right-click in the right pane and select New, Folder. Name the new folder oldstuff. In the left pane, choose the Documents and Settings folder. It should have subfolders for each user from the previous install, plus one for Temp and a few others. Move the folders for your previous user names to oldstuff.

Select Start, Control Panel, User Accounts (Start, Settings, Control Panel, Users and Passwords in Windows 2000). Create an account for each user who was registered before the reinstall. Be sure to use the exact names. They are the same names as the folders you just moved to oldstuff (as shown in FIGURE 2). In Windows XP, at least one user must have administrator privileges.

Log off and back on as each user, before logging back on as Temp. Make sure that you select Log Off and not Switch User at Windows XP's Log Off dialog box (this isn't an issue in Win 2000).

Log on as Temp, select Start, Programs, Accessories, Command Prompt (in XP, Start, All Programs, Accessories, Command Prompt), type xcopy c:\oldstuff\*.* "c:\documents and settings" /s /h /r /c, and press Enter. Press a when asked if you want to overwrite a file. Log off Temp and log on to each restored account to make sure everyone's documents and data are where they belong. Log on as an administrator and run Control Panel's User Accounts applet again to remove the user Temp.
Finishing the Job

Now you've got Windows going, but not much else. You may have to reinstall your printer, sound card, and so on. Luckily, if a driver for the gadget came on your Windows or vendor restore CD, it was probably reinstalled automatically.

You'll have to reinstall your applications to reintroduce them to Windows. Some of their settings will not be changed by the reinstallation, but those that were stored in the Registry were wiped out.

Once your Internet connection is running again, browse to Windows Update and download all critical updates for your version (see FIGURE 3). Then visit the sites of your hardware vendors to update your drivers.

After the reinstall, some of your data may not show up where it should. Search for it in both your Application Data and oldstuff folders, and see if you can move it to the folder in which Windows or your apps are looking for it. If you find a folder called Identities with two subfolders whose names are long and indecipherable, try moving the contents of one to the other and see if your data reappears.

You've probably guessed that the final step is deleting the c:\oldstuff folder--and the Administrator folder in Windows 2000. Make this the very last step, however. Wait a couple of days, weeks, or even months until you're confident that all of your needed files are accessible.

▬▬> http://www.stumbleupon.com/

StumbleUpon is an Internet community that allows its users to discover and rate Web pages, photos, and videos. It is a personalized recommendation engine which uses peer and social-networking principles.

Web pages are presented when the user clicks the "Stumble!" button on the browser's toolbar . StumbleUpon chooses which Web page to display based on the user's ratings of previous pages, ratings by his/her friends, and by the ratings of users with similar interests. Users can rate or choose not to rate any Web page with a thumbs up or thumbs down, and clicking the Stumble button resembles "channel-surfing" the Web. StumbleUpon also allows their users to indicate their interests from a list of nearly 500 topics to produce relevant content for the user.^[3] There is also one-click blogging built in as well.

▬▬> http://www.typenow.net/themed.htm

site for download lot of FONTS .....

▬▬> http://www.looplabs.com/

worlds first online mixer site .. :)