MNIT-CRYPTERS

This site is for all computer and IT students of MNIT, with a support forum as well.
Tracing A Hacker

Posted by test1 Thursday, April 2, 2009

This tutorial is not made by me... I just googled it!! Thanks to the original maker!

## Connections make the world go round ##



The computer world, at any rate. Every single time you open up a
website, send an email or upload your webpages into cyberspace, you are
connecting to another machine in order to get the job done. This, of
course, presents a major problem, because this simple act is what
allows malicious users to target a machine in the first place.



# How do these people find their victim?



Well, first of all, they need to get hold of the victim's IP Address.
Your IP (Internet Protocol) address reveals your point of entry to the
Internet and can be used in many ways to cause your online activities
many, many problems. It may not reveal you by name, but it may be
uniquely identifiable and it represents your digital ID while you are
online (especially so if you're on a fixed IP / DSL etc).



With an IP address, a Hacker can find out all sorts of weird and
wonderful things about their victim (as well as causing all kinds of
other trouble, the biggest two being Portnukes/Trojans and the dreaded
DoS ((Denial of Service)) attack). Some Hackers like to collect IP
Addresses like badges, and like to go back to old targets, messing them
around every so often. An IP address is incredibly easy to obtain -
until recently, many realtime chat applications (such as MSN) were
goldmines of information. Your IP Address is contained as part of the
Header Code on all emails that you send and webpages that you visit can
store all kinds of information about you. A common trick is for the
Hacker to go into a Chatroom, paste his supposed website address all
over the place, and when the unsuspecting victim visits, everything
about your computer from the operating system to the screen resolution
can be logged...and, of course, the all important IP address. In
addition, a simple network-wide port scan will reveal vulnerable target
machines, and a war-dialler will scan thousands of lines for exposed
modems that the hacker can exploit.



So now that you know some of the basic dangers, you're probably wondering how these people connect to a victim's machine?



## Virtual and Physical Ports ##



Everything that you receive over the Internet comes as a result of
other machines connecting to your computer's ports. You have two types:
physical ports are the holes in the back of your machine, but the important
ones are virtual. These allow transfer of data between your computer
and the outside world, some with allocated functions, some without, but
knowing how these work is the first step to discovering who is
attacking you; you simply MUST have a basic knowledge of this, or you
won't get much further.



# What the phrases TCP/UDP actually mean



TCP/IP stands for Transmission Control Protocol and Internet Protocol.
A TCP/IP packet is a block of data which is compressed, then a header
is put on it and it is sent to another computer (UDP stands for User
Datagram Protocol). This is how ALL internet transfers occur: by
sending packets. The header in a packet contains the IP address of
whoever originally sent it to you. Now, your computer comes with an
excellent (and free) tool that allows you to see anything that is
connected (or is attempting to connect) to you, although bear in mind
that it offers no blocking protection; it simply tells you what is
going on. That tool is NETSTAT.



## Netstat: Your first line of defence ##



Netstat is a very fast and reliable method of seeing exactly who or
what is connected (or connecting) to your computer. Open up DOS
(Start/Programs/MS-DOS Prompt on most systems), and in the MSDOS
Prompt, type:



netstat -a



(make sure you include the space in between the "t" and the "a").



If you're connected to the Internet when you do this, you should see something like:





Active Connections

Proto  Local Address          Foreign Address                     State
TCP    macintosh:20034        modem-123.tun.dialup.co.uk:50505    ESTABLISHED
TCP    macintosh:80           proxy.webcache.eng.sq:30101         TIME_WAIT
TCP    macintosh              MACINTOSH:0                         LISTENING
TCP    macintosh              MACINTOSH:0                         LISTENING
TCP    macintosh              MACINTOSH:0                         LISTENING





Now, "Proto(col)" simply means what kind of data transmission is taking
place (TCP or UDP), "Local address" is your computer (and the number
next to it tells you what port you're connected on), "Foreign Address"
is the machine that is connected to you (and what port they're using),
and finally "State" is simply whether or not a connection is actually
established, or whether the machine in question is waiting for a
transmission, or timing out etc.



Now, you need to know all of Netstat's various commands, so type:



netstat ?



You will get something like this:





Displays protocol statistics and current TCP/IP network connections.



NETSTAT [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]



-a Displays all connections and listening ports.

-e Displays Ethernet statistics. This may be combined with the -s option.

-n Displays addresses and port numbers in numerical form.

-p proto Shows connections for the protocol specified by proto; proto
may be TCP or UDP. If used with the -s option to display per-protocol
statistics, proto may be TCP, UDP, or IP.

-r Displays the routing table.

-s Displays per-protocol statistics. By default, statistics are shown
for TCP, UDP and IP; the -p option may be used to specify a subset of
the default.





Have a play around with the various options, but the most important use
of these methods is when you combine them. The best command to use is



netstat -an



because this will list all connections in Numerical Form, which makes
it a lot easier to trace malicious users....Hostnames can be a little
confusing if you don't know what you're doing (although they're easily
understandable, as we shall see later). Also, by doing this, you can
also find out what your own IP address is, which is always useful.



Also,



netstat -b



will tell you what ports are open and what programs are connecting to the internet.



## Types of Port ##



It would be impossible to find out who was attacking you if computers
could just access any old port to perform an important function; how
could you tell a mail transfer from a Trojan Attack? Well, good news,
because your regular, normal connections are assigned to low, commonly
used ports, and in general, the higher the number used, the more you
should be suspicious. Here are the three main types of port:



# Well Known Ports

These run from 0 to 1023, and are bound to the common services that run
on them (for example, mail runs on channel 25 tcp/udp, which is smtp
(Simple Mail Transfer Protocol)), so if you find one of these ports open
(and you usually will), it's usually because of an essential function.



# Registered Ports

These run on 1024 to 49151. Although not bound to a particular service,
these are normally used by networking utilities like FTP software, Email
clients and so on, and they do this by opening on a random port within
this range before communicating with the remote server, so don't panic
(just be wary, perhaps) if you see any of these open, because they
usually close automatically when the system that's running on them
terminates (for example, type in a common website name in your browser
with netstat open, and watch as it opens up a port at random to act as
a buffer for the remote servers). Services like MSN Messenger and ICQ
usually run on these Ports.



# Dynamic/Private Ports

Ranging from 49152 to 65535, these things are rarely used except with
certain programs, and even then not very often. This is indeed the usual
range of the Trojan, so if you find any of these open, be very
suspicious. So, just to recap:





Well Known Ports        0 to 1023        Commonly used, little danger.
Registered Ports        1024 to 49151    Not as common, just be careful.
Dynamic/Private Ports   49152 to 65535   Be extremely suspicious.





## The hunt is on ##



Now, it is essential that you know what you're looking for, and the
most common way someone will attack your machine is with a Trojan. This
is a program that is sent to you in an email, or attempts to bind
itself to one of your ports, and when activated, it can give the user
your passwords, access to your hard drive...they can even make your CD
Tray pop open and shut. At the end of this Document, you will find a
list of the most commonly used Trojans and the ports they operate on.
For now, let's take another look at that first example of Netstat....







Active Connections

Proto  Local Address          Foreign Address                     State
TCP    macintosh:27374        modem-123.tun.dialup.co.uk:50505    ESTABLISHED
TCP    macintosh:80           proxy.webcache.eng.sq:30101         TIME_WAIT
TCP    macintosh              MACINTOSH:0                         LISTENING
TCP    macintosh              MACINTOSH:0                         LISTENING
TCP    macintosh              MACINTOSH:0                         LISTENING





Now, straight away, this should make more sense to you. Your computer
is connected on two ports, 80 and 27374. Port 80 is used for http/www
transmissions (ie for all intents and purposes, it's how you connect to
the net, although of course it's a lot more complicated than that).
Port 27374, however, is distinctly suspicious; first of all, it is in
the registered port range, and although other services (like MSN) use
these, let's assume that you have nothing at all running like instant
messengers, webpages etc....you're simply connected to the net through
a proxy. So, now this connection is looking even more troublesome, and
when you realise that 27374 is a common port for Netbus (a potentially
destructive Trojan), you can see that something is untoward here. So,
what you would do is:





1) Run Netstat, and use:

Netstat -a

then

Netstat -an

so that you have both hostnames AND IP addresses.
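The triage the tutorial walks through by hand, as an added Python example (not part of the original tutorial): it parses constructed `netstat -an` rows (documentation addresses), sorts each local port into the three ranges described above, and flags any local or remote port that appears in the Trojan list at the end of this document.

```python
"""Triage `netstat -an` output the way the tutorial above does by hand.

Added example, not part of the original tutorial. The sample rows are
constructed (documentation IP ranges) and modelled on the tutorial's example.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# Subset of the page's "List of Ports commonly used by Trojans" (TCP entries),
# plus 27374, the port the tutorial's worked Netstat example singles out.
TROJAN_PORTS = {
    1243: "SubSeven 1.0 - 1.8",
    12345: "GabanBus, NetBus",
    12346: "GabanBus, NetBus",
    20034: "NetBus 2.0, Beta-NetBus 2.01",
    27374: "flagged in the tutorial's worked example",
    31337: "Back Orifice",
    31338: "Back Orifice, DeepBO",
    50505: "Sockets de Troie",
    54321: "SchoolBus .69-1.11",
}


class Conn(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: Optional[int]   # None for the UDP "*:*" placeholder
    state: str                   # "" for UDP rows, which have no State column


# One connection row: proto, local addr:port, foreign addr:port, optional state.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")


def port_class(port: int) -> str:
    """The three ranges from the 'Types of Port' section."""
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic/private"


def parse_netstat(text: str) -> List[Conn]:
    """Keep only connection rows; headers and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, lip, lport, rip, rport, state = m.groups()
        conns.append(Conn(proto, lip, int(lport), rip,
                          None if rport == "*" else int(rport), state))
    return conns


def triage(conn: Conn) -> Tuple[str, str]:
    """Return (severity, reason) following the tutorial's rules of thumb."""
    hits = [f"{side} port {p} ({TROJAN_PORTS[p]})"
            for side, p in (("local", conn.local_port), ("remote", conn.remote_port))
            if p in TROJAN_PORTS]
    if hits:
        return "HIGH", "known Trojan port: " + "; ".join(hits)
    cls = port_class(conn.local_port)
    if cls == "dynamic/private" and conn.state == "LISTENING":
        return "MEDIUM", f"listening on {cls} port {conn.local_port}"
    if cls == "well-known":
        return "LOW", f"{cls} local port {conn.local_port}"
    return "INFO", f"{cls} local port {conn.local_port}, {conn.state or 'no state'}"


def triage_report(text: str) -> List[Tuple[str, str, Conn]]:
    """(severity, reason, connection) for every row in the netstat output."""
    return [(*triage(c), c) for c in parse_netstat(text)]


# Constructed sample (documentation IPs), modelled on the tutorial's example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.0.2.10:27374       198.51.100.7:50505     ESTABLISHED
  TCP    192.0.2.10:80          203.0.113.5:3128       TIME_WAIT
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1038        203.0.113.9:80         ESTABLISHED
  TCP    0.0.0.0:50000          0.0.0.0:0              LISTENING
  UDP    192.0.2.10:137         *:*
"""

if __name__ == "__main__":
    for severity, reason, c in triage_report(SAMPLE_NETSTAT):
        remote = "*" if c.remote_port is None else c.remote_port
        print(f"{severity:6} {c.proto} {c.local_ip}:{c.local_port} -> "
              f"{c.remote_ip}:{remote}  {reason}")
```

Paste the real `netstat -an` output into `SAMPLE_NETSTAT` (or read it from a file) to triage your own machine; the Trojan table is only a subset of the page's list, so extend it as needed.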





## Tracerouting ##



Having the attacker's IP is all well and good, but what can you do with
it? The answer is, a lot more! It's not enough to have the address, you
also need to know where the attacker's connections are coming from. You
may have used automated tracerouting tools before, but do you know how
they work?



Go back to MSDOS and type





tracert *type IP address/Hostname here*





Now, what happens is, the Traceroute will show you all the computers
in between you and the target machine, including blockages, firewalls
etc. More often than not, the hostname address listed before the final
one will belong to the Hacker's ISP Company. It'll either say who the
ISP is somewhere in there, or else you run a second trace on the new
IP/hostname address to see who the ISP Company in question is. If the
Hostname that you get back doesn't actually seem to mention an actual
geographical location within its text, you may think all is lost. But
fear not! Suppose you get a hostname such as







Well, that tells us nothing, right? Wrong....simply enter the hostname
in your browser, and though many times you will get nothing back,
sometimes it will resolve to an ISP, and from there you can easily find
out its location and in what areas they operate. This at least gives
you a firm geographical location to carry out your investigations in.



If you STILL have nothing, as a last resort you COULD try connecting to
your target's ISP's port 13 by Telnet, which will tell you how many
hours ahead or behind this ISP is of GMT, thus giving you a
geographical trace based on the time mentioned (although bear in mind,
the ISP may be doing something stupid like not having their clocks set
correctly, giving you a misleading trace. Similarly, a common tactic of
Hackers is to deliberately have their computer's clock set to a totally
wrong time, so as to throw you off the scent). Also, unless you know
what you're doing, I wouldn't advise using Telnet (which is outside the
parameters of this tutorial).



## Reverse DNS Query ##



This is probably the most effective way of running a trace on somebody.
If ever you're in a chatroom and you see someone saying that they've
"hacked into a satellite orbiting the Earth, and are taking pictures of
your house right now", ignore them because that's just bad movie
nonsense. THIS method is the way to go, with regard to finding out what
country (even maybe what State/City etc) someone resides, although it's
actually almost impossible to find an EXACT geographical location
without actually breaking into your ISP's Head Office and running off
with the safe.



To run an rDNS query, simply go back to MS-DOS and type



netstat



and hit return. Any active connections will resolve to hostnames rather than a numerical format.



# DNS



DNS stands for Domain Name Server. These are machines connected to the
Internet whose job it is to keep track of the IP Addresses and Domain
Names of other machines. When called upon, they take the ASCII Domain
Name and convert it to the relevant numeric IP Address. A DNS search
translates a hostname into an IP address....which is why we can enter
"www.Hotmail.com" and get the website to come up, instead of having to
actually remember Hotmail's IP address and enter that instead. Well,
Reverse DNS, of course, translates the IP Address into a Hostname (ie -
in letters and words instead of numbers, because sometimes the Hacker
will employ various methods to stop Netstat from picking up a correct
Hostname).



So, for example,



298.12.87.32 is NOT a Hostname.

mail6.bol.net.au IS a Hostname.



Anyway, see the section at the end? (au) means the target lives in
Australia. Most (if not all) hostnames end in a specific Country Code,
thus narrowing down your search even further. If you know your target's
Email Address (ie they foolishly sent you a hate mail, but were silly
enough to use a valid email address) but nothing else, then you can use
the Country codes to deduce where they're from as well. You can also
deduce the IP address of the sender by looking at the email's header (a
"hidden" line of code which contains information on the sender)...on
Hotmail for example, go to Preferences, and select the "Full Headers
Visible" option. Alternatively, you can run a "Finger" Trace on the
email address, at:



CODE
www.samspade.org




Plus, some ISP's include their name in your Email Address with them too
(ie Wanadoo, Supanet etc), and your Hacker may be using an email
account that's been provided by a Website hosting company, meaning this
would probably have the website host's name in the email address (ie
Webspawners). So, you could use the information gleaned to maybe even
hunt down their website (then you could run a website check as
mentioned previously) or report abuse of that Website Provider's Email
account (and thus, the Website that it goes with) to



CODE
abuse@companynamegoeshere.com




If your Hacker happens to reside in the USA, go to:



CODE
www.usps.gov/ncsc/lookups/abbr_state.txt




for a complete list of US State abbreviations.



## List of Ports commonly used by Trojans ##



Please note that this isn't a complete list by any means, but it will
give you an idea of what to look out for in Netstat. Be aware that some
of the lower Ports may well be running valid services.



UDP: 1349 Back Orifice DLL
31337 Back Orifice 1.20
31338 DeepBO
54321 Back Orifice 2000

TCP: 21 Blade Runner, Doly Trojan, Fore, Invisible FTP, WebEx, WinCrash
23 Tiny Telnet Server
25 Antigen, Email Password Sender, Haebu Coceda, Shtrilitz Stealth, Terminator, WinPC, WinSpy, Kuang2 0.17A-0.30
31 Hackers Paradise
80 Executor
456 Hackers Paradise
555 Ini-Killer, Phase Zero, Stealth Spy
666 Satanz Backdoor
1001 Silencer, WebEx
1011 Doly Trojan
1170 Psyber Stream Server, Voice
1234 Ultors Trojan
1243 SubSeven 1.0 - 1.8
1245 VooDoo Doll
1492 FTP99CMP
1600 Shivka-Burka
1807 SpySender
1981 Shockrave
1999 BackDoor 1.00-1.03
2001 Trojan Cow
2023 Ripper
2115 Bugs
2140 Deep Throat, The Invasor
2801 Phineas Phucker
3024 WinCrash
3129 Masters Paradise
3150 Deep Throat, The Invasor
3700 Portal of Doom
4092 WinCrash
4567 File Nail 1
4590 ICQTrojan
5000 Bubbel
5000 Sockets de Troie
5001 Sockets de Troie
5321 Firehotcker
5400 Blade Runner 0.80 Alpha
5401 Blade Runner 0.80 Alpha
5402 Blade Runner 0.80 Alpha
5400 Blade Runner
5401 Blade Runner
5402 Blade Runner
5569 Robo-Hack
5742 WinCrash
6670 DeepThroat
6771 DeepThroat
6969 GateCrasher, Priority
7000 Remote Grab
7300 NetMonitor
7301 NetMonitor
7306 NetMonitor
7307 NetMonitor
7308 NetMonitor
7789 ICKiller
8787 Back Orifice 2000
9872 Portal of Doom
9873 Portal of Doom
9874 Portal of Doom
9875 Portal of Doom
9989 iNi-Killer
10067 Portal of Doom
10167 Portal of Doom
10607 Coma 1.0.9
11000 Senna Spy
11223 Progenic trojan
12223 Hack'99 KeyLogger
12345 GabanBus, NetBus
12346 GabanBus, NetBus
12361 Whack-a-mole
12362 Whack-a-mole
16969 Priority
20001 Millennium
20034 NetBus 2.0, Beta-NetBus 2.01
21544 GirlFriend 1.0, Beta-1.35
22222 Prosiak
23456 Evil FTP, Ugly FTP
26274 Delta
30100 NetSphere 1.27a
30101 NetSphere 1.27a
30102 NetSphere 1.27a
31337 Back Orifice
31338 Back Orifice, DeepBO
31339 NetSpy DK
31666 BOWhack
33333 Prosiak
34324 BigGluck, TN
40412 The Spy
40421 Masters Paradise
40422 Masters Paradise
40423 Masters Paradise
40426 Masters Paradise
47262 Delta
50505 Sockets de Troie
50766 Fore
53001 Remote Windows Shutdown
54321 SchoolBus .69-1.11
61466 Telecommando
65000 Devil





## Summary ##



I hope this tutorial is useful in showing you both how to secure
yourself against unwanted connections, and also how to determine an
attacker's identity. The Internet is by no means as anonymous as some
people think it is, and although this is to the detriment of people's
security online, this also works both ways....it IS possible to find
and stop even the most determined of attackers, you just have to be
patient and keep hunting for clues which will help you put an end to
their exploits.

Resolving virus problems

Posted by test1

Here I explained some very basic methods of removing viruses....
For more, stay tuned with me :)
FUTURBILLGATE


..:~Description~:..

Enable registry editor

Copy the following code, paste it into Notepad and save it with the .inf extension:


[Version]
Signature="$Chicago$"
Provider=Symantec

[DefaultInstall]
AddReg=UnhookRegKey

[UnhookRegKey]
HKLM, Software\CLASSES\batfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\comfile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\exefile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\piffile\shell\open\command,,,"""%1"" %*"
HKLM, Software\CLASSES\regfile\shell\open\command,,,"regedit.exe "%1""
HKLM, Software\CLASSES\scrfile\shell\open\command,,,"""%1"" %*"
HKCU, Software\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000020,0



Now right-click the file and select Install.

If it doesn't work, then log in through a virtual admin account as explained below, and then install this .inf file.


________________________________________________________________________________
________________________

Virtual admin account

You can create a new virtual admin account and edit the registry etc., which is not allowed due to a virus.

Things to do:
♦ Set a password for the working account (just to stop auto login after booting).
♦ Restart.
♦ When it asks for the password after boot, press ++ twice.
♦ A pop-up window should appear.
♦ Write "Administrator" in place of the username and leave the password field blank.
♦ Hit "OK".
♦ It will log in to the PC, creating a temporary (more precisely, virtual) admin account.

Now you have admin privileges.


________________________________________________________________________________
________________________

Enable Run Command

Open My Computer –> C drive –> Windows –> System32 –> Locate gpedit.msc file and run it.

While you have opened Group Policy look at the left pane and in the User Configuration, expand Administrative Templates, select Start Menu and Taskbar now in the right pane locate Remove Run Menu from Start Menu and double click it.

Select Disabled in the properties dialogue and press apply then OK

Now close all open Windows you will see the Run has been restored in Start Menu.






________________________________________________________________________________
________________________



Enable Folder Options


Go to Start --> Run --> type Regedit.

From the Edit menu click Find.

Type Folder Options and search.

Change the REG_DWORD value for Folder Options to 1.



OR/AND

->Run -> Type gpedit.msc

Then:
->User Configuration ->Administrative Templates --> Windows Components --> Windows Explorer-> Removes the Folder Options menu item from the Tools menu.

Right click:
-> Properties -> Disable ->Apply



OR/AND


Run --> Regedit.
Go to HKCU\Software\Microsoft\Windows\Policy
and HKLM\Software\Microsoft\Windows\Policy.

Look in these for any value such as "disable cmd" or "disable Folder Options" with value=1
and set the value to "0".


________________________________________________________________________________
________________________



Show Hidden Files


1. Go to Start --> Run, then type regedit.
2. Navigate to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
3. Find a value called CheckedValue.
4. Double-click CheckedValue and set it to 1. This is to show all the hidden files.


OR, if it doesn't work:

Copy this code, paste it into Notepad and save it with the .reg extension:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"RegPath"="Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced"
"Text"="@shell32.dll,-30500"
"Type"="radio"
"CheckedValue"=dword:00000001
"ValueName"="Hidden"
"DefaultValue"=dword:00000002
"HKeyRoot"=dword:80000001
"HelpID"="shell.hlp#51105"


Now right-click the file and select Merge.



________________________________________________________________________________
________________________



Enable Task Manager

Copy the following code and paste it into Notepad, then save it with the .reg extension. After that, right-click the file and select Merge.


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000




Or, if this doesn't work:


. Click Start
. Click Run
. Enter gpedit.msc in the Open box and click OK
. In the Group Policy settings window
. Select User Configuration
. Select Administrative Templates
. Select System
. Select Ctrl+Alt+Delete options
. Select Remove Task Manager
. Double-click the Remove Task Manager option select Disable




OR/AND


Click Start -> Run. Type in regedit and hit Enter.

Search for HKEY_CURRENT_USER -> Software \ Microsoft \ Windows \ CurrentVersion \ Policies \ System

Look for: DisableTaskMgr. Click on REG_DWORD. Value: 1=Enable this key (disables TaskManager); Value: 0=Disable (actually enables TaskManager)

Close RegEdit

Reboot
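The fixes above all undo a handful of registry values (DisableRegistryTools, DisableTaskMgr, the SHOWALL CheckedValue and the exefile/batfile open command). As an added example (not from this post), here is a small Python parser for the .reg export format used above that audits such an export offline and reports which of those values are still in the locked state; the sample export is constructed to show a machine that is still locked.

```python
"""Audit a Registry Editor (.reg) export for the lockdowns the fixes above undo.

Added example, not part of the original post. Export the keys with
`reg export <key> <file>` (the file is UTF-16), then run audit_file() on it.
The sample export below is constructed: Task Manager and Regedit disabled,
hidden files forced off, and the .exe association pointing at another program.
Multi-line hex(...) values are left as raw text; this checks dword and string
values only.
"""
import re
from typing import Dict, List, Tuple, Union

Value = Union[int, str]
EXPECTED_OPEN_CMD = '"%1" %*'   # what the page's .inf restores for exefile etc.

# Rules: (key, value name, expected value). The name "@" is the key's default.
CHECKS: List[Tuple[str, str, Value]] = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr", 0),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", 0),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"
     r"\Advanced\Folder\Hidden\SHOWALL", "CheckedValue", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command",
     "@", EXPECTED_OPEN_CMD),
]

KEY_RE = re.compile(r"^\[(.+)\]\s*$")
# "Name"=data  or  @=data ; the name may contain escaped quotes/backslashes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s: str) -> str:
    """.reg strings escape backslash and double quote with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode(raw: str) -> Value:
    raw = raw.strip()
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    return raw


def parse_reg(text: str) -> Dict[str, Dict[str, Value]]:
    """Map each [key] to its name->value table; keys and names are lowercased
    because the registry itself is case-insensitive."""
    reg: Dict[str, Dict[str, Value]] = {}
    current = None
    for line in text.splitlines():
        km = KEY_RE.match(line)
        if km:
            current = km.group(1).lower()
            reg.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name = "@" if vm.group(1) is None else vm.group(1).lower()
            reg[current][name] = _decode(vm.group(2))
    return reg


def audit(reg: Dict[str, Dict[str, Value]]) -> List[str]:
    """One finding per checked value that is present and not at its safe setting."""
    findings = []
    for key, name, expected in CHECKS:
        actual = reg.get(key.lower(), {}).get(name.lower())
        if actual is not None and actual != expected:
            findings.append(f"{key}\\{name} = {actual!r}, expected {expected!r}")
    return findings


def audit_file(path: str) -> List[str]:
    with open(path, encoding="utf-16") as fh:   # reg export writes UTF-16 with BOM
        return audit(parse_reg(fh.read()))


# Constructed sample export of a still-locked machine.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000002
"Text"="@shell32.dll,-30500"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"C:\\Temp\\lock.exe\" \"%1\" %*"
"""

if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_EXPORT)):
        print("LOCKED:", finding)
```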

or use this:

It's a small program that fixes the Task Manager, just 68 KB in size.

..:~Download Link~:..

CODE
http://www.download3000.com/download_19214.html

This is not made by me :( ... but I find it more interesting :)


When you first turn on you computer (BEFORE DIALING INTO YOUR ISP),
open a MS-DOS Prompt window (start/programs MS-DOS Prompt).
Then type netstat -arn and press the Enter key.
Your screen should display the following (without the dotted lines
which I added for clarification).

-----------------------------------------------------------------------------
Active Routes:

Network Address Netmask Gateway Address Interface Metric
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
255.255.255.255 255.255.255.255 255.255.255.255 0.0.0.0 1

Route Table

Active Connections

Proto Local Address Foreign Address State

--------------------------------------------------------------------------------

If you see anything else, there might be a problem (more on that later).
Now dial into your ISP, once you are connected;
go back to the MS-DOS Prompt and run the same command as before
netstat -arn, this time it will look similar to the following (without
dotted lines).

-------------------------------------------------------------------------------------

Active Routes:

Network Address Netmask Gateway Address Interface Metric
0.0.0.0 0.0.0.0 216.1.104.70 216.1.104.70 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
216.1.104.0 255.255.255.0 216.1.104.70 216.1.104.70 1
216.1.104.70 255.255.255.255 127.0.0.1 127.0.0.1 1
216.1.104.255 255.255.255.255 216.1.104.70 216.1.104.70 1
224.0.0.0 224.0.0.0 216.1.104.70 216.1.104.70 1
255.255.255.255 255.255.255.255 216.1.104.70 216.1.104.70 1

Route Table

Active Connections

Proto Local Address Foreign Address State
TCP 0.0.0.0:0 0.0.0.0:0 LISTENING
TCP 216.1.104.70:137 0.0.0.0:0 LISTENING
TCP 216.1.104.70:138 0.0.0.0:0 LISTENING
TCP 216.1.104.70:139 0.0.0.0:0 LISTENING
UDP 216.1.104.70:137 *:*

--------------------------------------------------------------------------------

What you are seeing in the first section (Active Routes) under the heading of
Network Address are some additional lines. The only ones that should be there
are ones belonging to your ISP (more on that later). In the second section
(Route Table) under Local Address you are seeing the IP address that your ISP
assigned you (in this example 216.1.104.70).

The numbers are divided into four dot notations, the first three should be
the same for both sets, while in this case the .70 is the unique number
assigned for THIS session. Next time you dial in that number will more than
likely be different.

To make sure that the first three notation are as they should be, we will run
one more command from the MS-DOS window.
From the MS-DOS Prompt type tracert www.yourispwebsite.com (or .net,
or whatever it ends in). Following is an example of the output you should see.

---------------------------------------------------------------------------------------

Tracing route to www.motion.net [207.239.117.112] over a maximum of 30 hops:
1 128 ms 2084 ms 102 ms chat-port.motion.net [216.1.104.4]
2 115 ms 188 ms 117 ms chat-core.motion.net [216.1.104.1]
3 108 ms 116 ms 119 ms www.motion.net [207.239.117.112]
Trace complete.

------------------------------------------------------------------------------------------

You will see that on lines with the 1 and 2 the first three notations of the
address match with what we saw above, which is a good thing. If it does not,
then some further investigation is needed.
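The two checks just described (only ISP routes in the table, and the first tracert hops sharing the first three octets of the assigned address), as an added Python example that is not part of the original post. The good route table and the trace reuse the page's own values; the bad table adds one constructed route via 192.0.2.1 that the ISP did not install.

```python
"""Check `netstat -arn` routes against a `tracert` to the ISP, as described above.

Added example, not part of the original post. Route and trace samples reuse
the page's values (ISP-assigned address 216.1.104.70); BAD_ROUTES adds one
constructed extra route.
"""
import re
from typing import List, NamedTuple

IP = r"(\d+\.\d+\.\d+\.\d+)"
ROUTE_RE = re.compile(rf"^\s*{IP}\s+{IP}\s+{IP}\s+{IP}\s+(\d+)\s*$")
# A tracert hop line: hop number, three timings, then "host [ip]" or a bare ip.
HOP_RE = re.compile(r"^\s*\d+\s+.*?(\d+\.\d+\.\d+\.\d+)\]?\s*$")


class Route(NamedTuple):
    network: str
    netmask: str
    gateway: str
    interface: str
    metric: int


def parse_routes(text: str) -> List[Route]:
    """Keep the 'Active Routes' rows; headings and connection rows are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            net, mask, gw, iface, metric = m.groups()
            routes.append(Route(net, mask, gw, iface, int(metric)))
    return routes


def assigned_ip(routes: List[Route]) -> str:
    """The interface of the default route is the address the ISP handed out."""
    for r in routes:
        if r.network == "0.0.0.0" and r.netmask == "0.0.0.0":
            return r.interface
    raise ValueError("no default route: not dialled in?")


def unexpected_routes(routes: List[Route]) -> List[Route]:
    """Routes reached through something other than our own address or loopback.

    On the single dial-up link the post assumes, every gateway is either the
    ISP-assigned address itself or 127.0.0.1; anything else deserves a look."""
    own = assigned_ip(routes)
    return [r for r in routes if r.gateway not in (own, "127.0.0.1")]


def parse_tracert_hops(text: str) -> List[str]:
    return [m.group(1) for m in map(HOP_RE.match, text.splitlines()) if m]


def same_net24(a: str, b: str) -> bool:
    """The post's rule of thumb: the first three dotted notations must match."""
    return a.split(".")[:3] == b.split(".")[:3]


def leading_hops_on_isp_net(hops: List[str], own_ip: str) -> int:
    """Count the initial hops that share our /24 before the trace leaves the ISP."""
    count = 0
    for hop in hops:
        if not same_net24(hop, own_ip):
            break
        count += 1
    return count


GOOD_ROUTES = """\
Active Routes:

Network Address Netmask Gateway Address Interface Metric
0.0.0.0 0.0.0.0 216.1.104.70 216.1.104.70 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
216.1.104.0 255.255.255.0 216.1.104.70 216.1.104.70 1
216.1.104.70 255.255.255.255 127.0.0.1 127.0.0.1 1
216.1.104.255 255.255.255.255 216.1.104.70 216.1.104.70 1
224.0.0.0 224.0.0.0 216.1.104.70 216.1.104.70 1
255.255.255.255 255.255.255.255 216.1.104.70 216.1.104.70 1

Route Table

Active Connections

Proto Local Address Foreign Address State
TCP 216.1.104.70:139 0.0.0.0:0 LISTENING
"""
# Constructed: same table plus a route through a gateway the ISP never gave us.
BAD_ROUTES = GOOD_ROUTES + "10.0.0.0 255.0.0.0 192.0.2.1 216.1.104.70 1\n"

SAMPLE_TRACERT = """\
Tracing route to www.motion.net [207.239.117.112] over a maximum of 30 hops:
1 128 ms 2084 ms 102 ms chat-port.motion.net [216.1.104.4]
2 115 ms 188 ms 117 ms chat-core.motion.net [216.1.104.1]
3 108 ms 116 ms 119 ms www.motion.net [207.239.117.112]
Trace complete.
"""

if __name__ == "__main__":
    routes = parse_routes(GOOD_ROUTES)
    own = assigned_ip(routes)
    print("assigned:", own, "| unexpected routes:", unexpected_routes(routes))
    print("suspect:", unexpected_routes(parse_routes(BAD_ROUTES)))
    hops = parse_tracert_hops(SAMPLE_TRACERT)
    print("hops on ISP net:", leading_hops_on_isp_net(hops, own), "of", len(hops))
```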

If everything matches like above, you can almost breathe easier. Another thing
you should check is programs launched during startup. To find
these, click Start/Programs/Startup and look at what shows up. You should be
able to recognize everything there; if not, once again more investigation is
needed.

-------------------------------------------------------------------------------------------

Now just because everything reported out like we expected (and demonstrated
above) we still are not out of the woods. How is this so, you ask? Do you use
Netmeeting? Do you get on IRC (Internet Relay Chat)? Or any other program
that makes use of the Internet. Have you ever received an email with an
attachment that ended in .exe? The list goes on and on, basically anything
that you run could have become infected with a trojan. What this means, is
the program appears to do what you expect, but also does just a little more.
This little more could be blasting ebay.com or one of the other sites that
CNNlive was talking about.

What can you do? Well some anti-virus software will detect some trojans.
Another (tedious) thing is to start each of these "extra" Internet programs
one at a time and go through the last two steps above, looking at the routes
and connection the program uses. However, the tricky part will be figuring
out where to tracert to in order to find out if the addresses you see in
step 2 are "safe" or not. I should forewarn you, that running tracert after
tracert, after tracert might be considered "improper" by your ISP. The steps
outlined above may not work exactly as I have stated depending upon your ISP,
but with a true ISP it should work. Finally, this advice comes with NO
warranty and by following my "hints" you implicitly release me from ANY and
ALL liability which you may incur.


Other options

Display protocol statistics and current TCP/IP network connections.
Netstat [-a] [-e] [-n] [-s] [-p proto] [-r] [interval]

-a.. Display all connections and listening ports.
-e.. Display Ethernet statistics. This may be combined with the -s option.
-n.. Display addresses and port numbers in numerical form.
-p proto.. Show connections for the protocol specified by proto; proto may be
TCP or UDP. If used with the -s option to display per-protocol statistics,
proto may be TCP, UDP, or IP.
-r.. Display the routing table.
-s.. Display per-protocol statistics. By default, statistics are shown for TCP,
UDP and IP; the -p option may be used to specify a subset of the default.
interval.. Redisplay selected statistics, pausing interval seconds between each
display. If omitted, netstat will print the current configuration information
once.

Again a tutorial from me to explain the stuff! Cheers!!!!
-futurbillgate


WHAT MAKES A SYSTEM SECURE?


"The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then I wouldn't stake my life on it."


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT WOULD BE IDEAL PROTECTION OF A SYSTEM?

Password Access- Get rid of simple passwords; routinely change all passwords; regular review/monitoring of password files.

Physical Access- Lock up terminals, personal computers, disks when not in use; eliminate unnecessary access lines; disconnect modems when not in use.

Other measures- Know who you are talking to; shred all documents; avoid public domain software; report suspicious activity (especially non-working hours access)

What this all means is that hackers must now rely on the ineptitude and laziness of the users of the system rather than the ignorance of SysOps. The SysOps and SecMans (Security Managers) are getting smarter and keeping up to date. Not only that, but they are monitoring the hack/phreak BBSes and publications. So the bottom line is reveal nothing to overinquisitive newbies...they may be working for the wrong side.


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT IS A FIREWALL?

A (Internet) firewall is a machine which is attached (usually) between your site and a Wide Area Network (WAN). It provides
controllable filtering of network traffic, allowing restricted access to certain Internet port numbers and blocks access to pretty well everything else.


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW TO HACK WITHOUT GETTING INTO TROUBLE AND DAMAGING COMPUTERS?

1. Don't do damage intentionally.
2. Don't alter files other than to hide your presence or to remove traces of your intrusion.
3. Don't leave any real name, handle, or phone number on any system.
4. Be careful who you share info with.
5. Don't leave your phone number with anyone you don't know.
6. Do NOT hack government computers.
7. Don't use codes unless you HAVE to.
8. Be paranoid!
9. Watch what you post on boards, be as general as possible.
10. Ask questions...but do it politely and don't expect to have everything handed to you.


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT DO I DO IF I AM GETTING NOWHERE?

1. Change parity, data length, and stop bits. The system may not respond to 8N1 (the most common setting) but may respond to 7E1, 8E2, 7S2, etc.
2. Change baud rates.
3. Send a series of carriage returns.
4. Send a hard break followed by a carriage return.
5. Send control characters. Work from ^a to ^z.
6. Change terminal emulation.
7. Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, GO, LOGON, JOIN, HELP, or anything else you can think of.


=====================================================================


WHAT ARE COMMON DEFAULT ACCOUNTS ON UNIX?

Common default accounts are root, admin, sysadmin, unix, uucp, rje, guest, demo, daemon, sysbin. These accounts may be unpassworded, or the password may possibly be the same as the username (e.g. the user uucp has uucp as the password).

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW IS THE UNIX PASSWORD FILE SETUP?

The password file is usually called /etc/passwd. Each line of the passwd file on a UNIX system has the following format:


userid:password:userid#:groupid#:GECOS field:home dir:shell


What each of these fields means/does:

userid -=> the login name, entered at login; it is what the login program searches the file for. Can be a name or a number.

password -=> the password is written here in encrypted form. The encryption is one-way only. When a login occurs, the password entered is run through the encryption algorithm (along with a salt) and then compared to the version in the passwd file for the login name entered. If they match, the login is allowed. If not, the password is declared invalid.

userid# -=> a unique number assigned to each user, used for permissions.

groupid# -=> similar to userid#, but controls the group the user belongs to. To see the names of the various groups, check /etc/group.

GECOS field -=> this field is where information about the user is stored, usually in the format: full name, office number, phone number, home phone. Also a good source of information for trying to crack a password.

home dir -=> the directory the user is placed in when entering the system (and usually the one a bare cd returns to).

shell -=> the name of the shell which is automatically started for the login.

Note that all the fields are separated by colons in the passwd file.


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT DO THOSE *s, !s, AND OTHER SYMBOLS MEAN IN THE PASSWD FILE?

Those mean that the password is shadowed in another file. You have to find out what file, where it is and so on. Ask somebody on your system about the specifics of the Yellow Pages system, but discreetly!
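As an added illustration (not part of the original FAQ), the Python below parses passwd lines in the seven-field format described above and reports what a sysadmin would want to act on: empty password fields, DES hashes still readable in the file itself, and any of the default accounts listed earlier that remain usable. The sample file is constructed, and the 13-character hash pattern is an assumption based on the traditional crypt(3) output format.

```python
import re
# Default account names from the FAQ above; the audit reports them separately.
DEFAULT_ACCOUNTS = {"root", "admin", "sysadmin", "unix", "uucp", "rje",
                    "guest", "demo", "daemon", "sysbin"}
# Assumed traditional crypt(3) output: 2 salt chars + 11 hash chars, all drawn
# from the 64-character alphabet A-Z a-z 0-9 . /
DES_HASH = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed sample passwd file (not taken from any real system).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1::/:/sbin/nologin
uucp::5:5:uucp admin,Rm 12,555-0100:/var/spool/uucp:/bin/sh
guest:ab1xyz./QRS9Z:100:100:Guest:/home/guest:/bin/sh
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
"""

def parse_passwd_line(line):
    """Split one line into the seven fields the FAQ lists; uid/gid become ints."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError("expected 7 colon-separated fields: %r" % line)
    user, pw, uid, gid, gecos, home, shell = fields
    return {"user": user, "password": pw, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell}

def classify_password(field):
    if field == "":
        return "empty"               # login succeeds with no password at all
    if field in ("x", "*") or field.startswith("!"):
        return "shadowed-or-locked"  # real hash lives elsewhere, or login locked
    if DES_HASH.match(field):
        return "des-hash"            # crackable hash exposed in the passwd file
    return "other"

def audit_passwd(text):
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        e = parse_passwd_line(line)
        kind = classify_password(e["password"])
        if kind == "empty":
            findings.append((e["user"], "no password set"))
        elif kind == "des-hash":
            findings.append((e["user"], "DES hash readable in passwd file"))
        if e["user"] in DEFAULT_ACCOUNTS and kind in ("empty", "des-hash"):
            findings.append((e["user"], "default account still usable"))
    return findings
```

Run audit_passwd(SAMPLE_PASSWD) and only uucp (no password) and guest (readable DES hash) are reported; root and daemon pass because their hashes are shadowed or the account is locked.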

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

WHAT IS A UNIX TRIPWIRE?

Tripwire is a tool for Unix admins to detect password-cracker activity by checking for changed files, permissions, etc. It is good for finding trojan horses such as password-stealing versions of telnet/rlogin/ypcat/uucp/etc., hidden setuid files, and the like.
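As an added example (not Tripwire's own code), a minimal Tripwire-style check in Python: take a baseline of content hashes and permission bits for a tree, then report files that were added, removed, changed, or that carry set-uid/set-gid bits. demo_scenario() builds a constructed tree in a temporary directory and tampers with it in the ways the paragraph above describes.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

def file_record(path):
    st = os.lstat(path)
    data = Path(path).read_bytes() if stat.S_ISREG(st.st_mode) else b""
    return {"sha256": hashlib.sha256(data).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "suid": bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))}

def take_baseline(root):
    """Record every file under root, like Tripwire's initial database."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            baseline[os.path.relpath(path, root)] = file_record(path)
    return baseline

def compare(baseline, root):
    """Return (finding, relative path) pairs for everything that differs."""
    current, findings = take_baseline(root), []
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None:
            findings.append(("ADDED SETUID" if new["suid"] else "ADDED", rel))
        elif new is None:
            findings.append(("REMOVED", rel))
        else:
            if old["sha256"] != new["sha256"]:
                findings.append(("CONTENT CHANGED", rel))  # e.g. trojaned binary
            if old["mode"] != new["mode"]:
                findings.append(("PERMS CHANGED", rel))
    return findings

def demo_scenario():
    # Constructed scenario in a temp dir: baseline, tamper, then compare.
    with tempfile.TemporaryDirectory() as root:
        tree = Path(root)
        (tree / "telnet").write_bytes(b"original telnet binary")
        (tree / "ypcat").write_bytes(b"original ypcat binary")
        baseline = take_baseline(root)
        # Simulated intrusion: trojaned telnet, ypcat removed, hidden setuid file.
        (tree / "telnet").write_bytes(b"telnet with password logger")
        (tree / "ypcat").unlink()
        (tree / ".debug").write_bytes(b"shell")
        os.chmod(tree / ".debug", 0o4755)
        return compare(baseline, root)
```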

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

USING SUID/GUID PROGS TO FULL ADVANTAGE.

A SUID program is a program that, when executed, has the privileges of its owner.
A GUID program has the privileges of its group when executed.

Now imagine a few things (which happen often in reality):

1. Someone has a SUID program on their account, and it happens to allow a shell escape (like @ or a jump to a shell). If it does, then after you execute that file and spawn a shell from it, everything you do in that shell has the privileges of the owner.
2. If there is no way to get a shell, BUT they leave the file writable, just write over it with a script that spawns a shell, and you've got their privileges again.


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I HACK INTO AN AIX MACHINE?

If you can get access to the 'console', AIX machines have a security hole where you can kill the X server and get a shell with ctrl-alt-bkspce. Also, an xterm started from there is not logged in utmp for that session, because xterms don't do utmp logging by default in AIX. Or try the usual UNIX tricks:

ftping /etc/passwd, tftping /etc/passwd, or doing a finger and then trying each of the usernames with that username as the password.


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I INCREASE MY DISK QUOTA ON UNIX?

A UNIX disk quota may be increased by finding a directory on another partition and using that. Find another user who wants more quota and create a directory for the other to use, one that is world writable. Once they've put their subdirectory in it, change the perms on the directory to read-execute only. The reason this works is that accounts are usually distributed across a couple of filesystems, and admins are usually too lazy to give users the same quotas on each filesystem. If the users are all on one filesystem, you may be able to snag some space from one of the /usr/spool directories by creating a 'hidden' subdirectory like .debug there, and using that.


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I FOOL AROUND ON XTERM / XWINDOWS?

Most X commands have a -display option which allows you to pick a display to send to. So if you use bitmap to create a bitmap, or download one, etc., then:

xsetroot -bitmap bitmapname
[display the bitmap on your screen]

xsetroot -bitmap bitmapname -display xt2500:0
[display the bitmap on another xterm]

Other uses: xterm -display xt??:0 will give someone else one of your login windows to play with. They are then logged in as you, though, and can erase your filespace, etc. Beware!

Slightly irritating:
xclock -geom 1200x1200 -display xt??:0
[fills the entire screen with a clock]

Slightly more irritating:
Use a shell script with xsetroot to flash people's screens different colors.

On the nastier side:
Use a shell script with xsetroot to kill a person's window manager.

Downright nasty:
Consult the man pages on xkill. It is possible to kill windows on any display. So to log someone off an xterm you merely have to xkill their login window.

Protect yourself:
If you run xhost - it will stop other people from being able to log you out or generally access your terminal.


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I TAKE ADVANTAGE OF THE DECODE DAEMON?

First, you need to make sure that the decode daemon is active. Check this by telnetting to the SMTP port (usually port 25) and expanding user decode. If it gives you something, you can use it. If it tells you that the user doesn't exist, or whatever, you can't.


If the daemon is active, this is how to exploit the decode daemon:
1) uuencode an echo to .rhosts
2) pipe that into mail, to be sent to the decode daemon. (What happens: the decode daemon (1st) decodes the message but leaves the bin privileges resident; (2nd) the echo command is executed, because now the decoded message assumes the bin privileges [which are *still* active, even though the daemon didn't issue the command].)
3) If this is done right, you will be able to rlogin to the system.


^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW CAN I GET THE PASSWORD FILE IF IT IS SHADOWED?

If your system has Yellow Pages file management:

ypcat /etc/passwd > whatever.filename

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

HOW IS A PASSWORD ENCRYPTED IN UNIX?

Password encryption on UNIX is based on a modified version of the DES (Data Encryption Standard). Contrary to popular belief, the typed password is not encrypted. Rather, the password is used as the key to encrypt a block of zero-valued bytes.

To begin the encryption, the first seven bits of each character in the password are extracted to form the 56-bit key. This implies that no more than eight characters are significant in a password.

Next, the E table is modified using the salt, which is the first two characters of the encrypted password (stored in the passwd file). The purpose of the salt is to make it difficult to use hardware DES chips or a precomputed list of encrypted passwords to attack the algorithm. The DES algorithm (with the modified E table) is then invoked for 25 iterations on the block of zeros. The output of this encryption, which is 64 bits long, is then coerced into a 64-character alphabet (A-Z, a-z, 0-9, "." and "/"). Because this coercion involves translations in which several different values are represented by the same character, password encryption is essentially one-way; the result cannot be decrypted.

- futurbillgate
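An added example (not from the FAQ) that works through two steps of the password scheme described above in Python: forming the 56-bit key from the low 7 bits of the first eight characters, and decoding the two salt characters into the 12-bit value that swaps entries of the DES E table (the classic crypt(3) rule: salt bit i set swaps E[i] with E[i+24]). Full DES is deliberately left out; the point is to show why only eight characters matter and how the salt alters the algorithm.

```python
# Standard DES E (expansion) table: selects 48 of the 32 input bits, numbered 1..32.
E_TABLE = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9, 8, 9, 10, 11, 12, 13,
           12, 13, 14, 15, 16, 17, 16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
           24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]

# The 64-character alphabet the FAQ mentions, in the order crypt(3) uses.
ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def des_crypt_key(password):
    """Build the 56-bit key: low 7 bits of each of the first 8 characters."""
    key = 0
    for ch in password[:8].ljust(8, "\0"):  # NUL-padded; characters past 8 ignored
        key = (key << 7) | (ord(ch) & 0x7F)   # only 7 bits per character survive
    return key

def salt_value(salt):
    """Decode two salt characters into the 12-bit value that perturbs E."""
    if len(salt) != 2 or any(c not in ALPHABET for c in salt):
        raise ValueError("salt must be two characters from the crypt alphabet")
    return ALPHABET.index(salt[0]) | (ALPHABET.index(salt[1]) << 6)

def salted_e_table(salt):
    """Classic crypt(3) perturbation: for each set salt bit i, swap E[i] and E[i+24]."""
    table = list(E_TABLE)
    bits = salt_value(salt)
    for i in range(12):
        if bits & (1 << i):
            table[i], table[i + 24] = table[i + 24], table[i]
    return table

def same_key(p1, p2):
    """True when two passwords would be hashed under an identical DES key."""
    return des_crypt_key(p1) == des_crypt_key(p2)
```

same_key("password1", "password2") is True: the ninth character never reaches the key, which is exactly the eight-character limit the text describes.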

Linux/Unix FAQ

Posted by test1

This tutorial is only a composition of various sites... I just compiled that stuff!

1. What is Linux/Unix?
2. Where can I get Linux?
3. I'm new to all this, what is an easy distro to learn on?
4. I've heard of Linux distros that just run off a CD, where can I get one of those?
5. What are some basic Linux commands to get me going?
6. Where can I get more software for Linux?
7. How can I dual-boot Linux and Windows?
8. I'm lost. What are some other resources to help me out?


- - - - - - - - - - - - - - - - - - - - - - - - -


1. What is Linux/Unix?

Unix was an OS (Operating System) that was developed in the 1960s by Bell Labs (http://www.belllabs.com/history/unix), specifically by Ken Thompson and Dennis Ritchie. Two major variants of Unix evolved throughout the decades; Bell Labs had given Unix away to MIT and Berkeley -- each of them spawning dozens of their own variants.

Linux is the kernel for an operating system that was written in the early 1990s by Linus Torvalds (Linus + Unix = Linux) as a 'Unix work-alike'. It looks like Unix, it acts like Unix, it can run most Unix software - but it's not Unix.

Linus posted his Linux kernel source on the Internet and people from all over the world started developing for it -- all under the GNU Public License (http://www.gnu.org/gpl). Groups of these developers eventually began creating their own distributions or 'distros', like Slackware, Gentoo, and Debian -- which are technically referred to as GNU/Linux operating systems.


2. Where can I get Linux?

The best way to get Linux is to download an 'ISO'. Most distros offer an ISO image of their CDs for download on their web sites or you can go to http://www.linuxiso.org, which has a pretty good variety of distros.

Additionally, you could always pay a few bucks and buy a CD either from an online vendor (usually about 5 bucks) or at a local book or computer store (usually around 25 - 50 bucks... but you also get documentation with the extra cost).


3. I'm new to all this, what's an easy distro to learn on?

For Linux newbies, Mandrake, SuSe, or Redhat are usually the recommended distros; they're easy to install and do a pretty good job of detecting and setting up your hardware.

Once you grow more comfortable with Linux and are looking for something a little more 'hands-on', try Slackware or Debian.


4. I've heard of Linux distros that just run off a CD, where can I get one of those?

These are called 'Live-CDs', with Knoppix (http://www.knoppix.org) being the most common. Basically it works like this: you boot off the Live-CD and it creates a virtual drive out of your computer's RAM and loads itself into it. From there you have a fully functional Linux distribution. When you're done, just pop out the CD and reboot -- everything will be back to normal.

These are good for the Linux-curious who aren't ready to make any permanent changes to their computer... they also make useful recovery CDs ;)

Besides Knoppix, there's also:

Slax - http://slax.linux-live.org/
Morphix - http://www.morphix.org/modules/news/
LNX-BBC - http://www.lnx-bbc.org/
Aurox - http://www.aurox.org/en/
Damn Small Linux - http://www.damnsmalllinux.org/
Gnoppix - http://www.gnoppix.org/

For a more complete list: http://www.frozentech.com/content/livecd.php


5. What are some basic Linux commands to get me going?

There are well over 1000 commands in Linux/Unix -- starting out, you'll probably only be using the more common ones. Here are a few to get you going:

Directories and Files

ls ................. Show directory, in alphabetical order (use with -a to list hidden files)
mkdir .............. Make a directory
rmdir .............. Remove directory (rm -r to delete folders with files)
rm ................. Remove files
cd ................. Change current directory
more ............... Views a file, pausing every screenful
chmod .............. Changes permissions on a file
pwd ................ Prints your current directory path

Getting System Information

who ................ Shows who is logged into the local system
df ................. Shows disk space available on the system
du ................. Shows how much disk space is being used up by folders
free ............... Shows RAM/Swap usage

User Information

talk (user) ........ Pages a user for chat - (user) is an email address
write (user) ....... Write to a user on the local system (control-c to end)
passwd ............. Change your password
logout ............. Logs off of the system

Misc

man ................ Shows help on a specific command

6. Where can I get more software for Linux?

7. How can I dual-boot Linux and Windows?

8. I'm lost. What are some other resources that can help me out?

You could post your question here! If not, the Linux Documentation Project (http://www.tldp.org) has a wealth of information - How-Tos, FAQs, Guides, etc... and of course, there's always google.com.

Here are some links:

- http://www.ee.surrey.ac.uk/Teaching/Unix/
- http://www.linux.org/docs/index.html
- http://www.tldp.org
