MY TECH BLOG

Google+ Badge

Tuesday, 12 November 2013

all win 8 keyboard shortcut

Who R Using Win 8 ??
Some Keyboard Shortcuts 4 them...
Windows key – brings up the Metro start screen. You can start typing to search for an app, just like the Win7 start menu.
Win + D – brings up the old Windows desktop.
Win + C – brings up the Charms menu, where you can search, share, and change settings.
Win + I – opens the Settings panel, where you can change settings for the current app, change volume, wireless networks, shut down, or adjust the brightness.
Win + Z – opens the App Bar for the current Metro application.
Win + H – opens the Metro Share panel.
Win + Q – brings up the Metro App Search screen.
Win + W – brings up the Metro Settings search screen.
Win + F – brings up the Metro File search screen.
Win + K – opens the Devices panel (for connecting to a projector or some other device)
Win + , (comma) – Aero Peek at the desktop.
Win + . (period) – Snaps the current Metro application to one side of the screen. (Right side)
Win + Shift + . (period) – Snaps the current Metro application to the other side of the screen. (Left side)
Win + J – switches focus between snapped Metro applications.
Win + Page Up / Down – moves the current app to the other monitor.
Win + Tab – opens the Metro application switcher menu, switches between applications.
You might notice that we didn’t show screenshots of how all these shortcut keys work, and there’s a reason for that: you need to test them out for yourself to really learn how they work.
Win+X – lunch kind of start menu, very useful
Windows Key + Print Screen saves a screenshot into your Pictures folder. It’s quite handy.
If there’s any other shortcut keys that are new to Windows 8 and we haven’t featured them, be sure to let us know in the comments

Sunday, 10 November 2013

An Introduction into TeleScan


 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
 %%%                                                  %%%              tm %%%
 %%%   %%%%%%% %%%%%%% %%%           %%%%%  %%%%%      %%%      %%%%%%    %%%
 %%%                   %%%          %%%    %%%   %      %%%    %%%  %%%   %%%
 %%%     %%%   %%%%%%% %%%     %%%   %%%%  %%%       %%% %%%   %%%  %%%   %%%
 %%%     %%%   %%%     %%%             %%% %%%   %  %%%   %%%  %%%  %%%   %%%
 %%%     %%%   %%%%%%% %%%%%%%      %%%%%   %%%%%  %%%%%%%%%%% %%%  %%%   %%%
 %%%                                                           %%%        %%%
 %%%                   The Ultimate Skip Tracing Weapon                   %%%
 %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% 14-Feb-94 %%%%
INTRODUCTION
 Whats all the hoopla? Well I've been trying to find a good ANI demo ever
 since IIRG's went down at the first of the year [800-852-9932]. Well I
 finally got one from The Mortician. Here it is...
                           8 0 0 . 7 7 5 . 5 5 1 3
 This is an ANI demo provided by a security company called TEL-SCAN(tm). Now
 ANI is cool and useful and everything, but it isn't hardly worthy of one of
 my wonderful headers. But see, theres more at stake here. Call the demo and
 get the ANI info and all that, and if you're a lamer stop there. But if
 you're kK00l enough, stay on the line and find out more about TEL-SCAN(tm),
 the company providing the demo.
THE TEL-SCAN(tm) NETWORK
 TEL-SCAN(tm) is a Colorado based Security service that offers an improvised
 skip-tracing method to Private Investigators, (or anyone with money and a
 good MO). How it works is this: subscribers are provided with an 800
 "Identifier Line" which when called automatically identifies the incoming
 number and records it into a corresponding Voice Mail Box. The subscriber can
 then call the Mail Box and it will relay to him all incoming calls to the
 "Identifier Line". 2-o0 pH_ukYn /<eW/! The possibilities with ANI and VMBs at
 hand are endless!!!
 TEL-SCAN(tm) can be used as such: Get a bunch of business cards printed with
 the "Identifier Line" printed as your phone number. If you're looking for
 someone, leave your card around places where they're likely to get it. When
 they call, you've got the number they're calling from and possibly an
 important lead. Viola! Skip-Tracing improvised. No this of course is
 constitutes intended use. As far as underground use goes...well...you know.
TEL-SCAN(tm) GEOGRAPHICALS
 For more information on TEL-SCAN(tm) write or call::
                    TEL-SCAN(tm)
                    2641 North Taft
                    Loveland, CO  80538
                    Number: 303.663.1703
                       FAX: 303.663.1708
 By the way when you call, you will be asked where you heard about TEL-
 SCAN(tm). DO NOT say you heard it from me (duh)! Have a good one ready
 because they will hang up on you if they think something is funny.
TEL-SCAN(tm) PRICES
 This service has a one time activation fee of $67.00 dollars. Thereafter you
 are charged $5.00 dollars everytime the service identifies a number for you.
 You are billed monthly if applicable, but there are no mandatory monthly
 fees. Now here's the good part: you can subscribe to the service via FAXed
 licensing agreement at which time you will IMMEDIATLEY be issued a Mail Box
 and a "Line Identifier". They will bill you later for the activation fee. Not
 to shabby huh?
OUTRODUCTION
 Well thats it, and thanks again to The Mortician at Lies, Hate, and Deception
 (LHD·) for this one. Look for other oB files (with great headers) labeled as
 xxxxxxxx.oB. These files can be found at...
 .%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%.%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%.
 .%   oleBuzzard's kn0wledge phreak   %.%   sUmthyn lykE 4000+ text fylez   %.
 .%   AC 303.382.5968--NUP = NO NUP   %.%   hAck/phrEAk/AnArky/vIrII/cArd   %.
 .%   24oo-14.4ooKiloBaud-Open 24/7   %.%   n0 phUckyn lAmEr wArEz do0dz!   %.
 .%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%.%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%.

All mIRC Commands

 All mIRC Commands

/ Recalls the previous command entered in the current window.
/! Recalls the last command typed in any window.
/action {action text} Sends the specifed action to the active channel or query window.
/add [-apuce] {filename.ini} Loads aliases, popups, users, commands, and events.
/ame {action text} Sends the specifed action to all channels which you are currently on.
/amsg {text} Sends the specifed message to all channels which you are currently on.
/auser {level} {nick|address} Adds a user with the specified access level to the remote users
list.
/auto [on|off|nickname|address] Toggles auto-opping of a nick or address or sets it on or off
totally.
/away {away message} Sets you away leave a message explaining that you are not currently paying
attention to IRC.
/away Sets you being back.
/ban [#channel] {nickname} [type] Bans the specified nick from the curent or given channel.
/beep {number} {delay} Locally beeps 'number' times with 'delay' in between the beeps. /channel
Pops up the channel central window (only works in a channel).
/clear Clears the entire scrollback buffer of the current window.
/ctcp {nickname} {ping|finger|version|time|userinfo|clientinfo} Does the given ctcp request on
nickname.
/closemsg {nickname} Closes the query window you have open to the specified nick.
/creq [ask | auto | ignore] Sets your DCC 'On Chat request' settings in DCC/Options.
/dcc send {nickname} {file1} {file2} {file3} ... {fileN} Sends the specified files to nick.
/dcc chat {nickname} Opens a dcc window and sends a dcc chat request to nickname.
/describe {#channel} {action text} Sends the specifed action to the specified channel window.
/dde [-r] {service} {topic} {item} [data] Allows DDE control between mIRC and other
applications.
/ddeserver [on [service name] | off] To turn on the DDE server mode, eventually with a given
service name.
/disable {#groupname} De-activates a group of commands or events.
/disconnect Forces a hard and immediate disconnect from your IRC server. Use it with care.
/dlevel {level} Changes the default user level in the remote section.
/dns {nickname | IP address | IP name} Uses your providers DNS to resolve an IP address.
/echo [nickname|#channel|status] {text} Displays the given text only to YOU on the given place
in color N.
/enable {#groupname} Activates a group of commands or events.
/events [on|off] Shows the remote events status or sets it to listening or not.
/exit Forces mIRC to closedown and exit.
/finger Does a finger on a users address.
/flood [{numberoflines} {seconds} {pausetime}] Sets a crude flood control method.
/fsend [on|off] Shows fsends status and allows you to turn dcc fast send on or off.
/fserve {nickname} {maxgets} {homedirectory} [welcome text file] Opens a fileserver.
/guser {level} {nick} [type] Adds the user to the user list with the specified level and
address type.
/help {keyword} Brings up the Basic IRC Commands section in the mIRC help file.
/ignore [on|off|nickname|address] Toggles ignoring of a nick or address or sets it on or off
totally.
/invite {nickname} {#channel} Invites another user to a channel.
/join {#channel} Makes you join the specified channel.
/kick {#channel} {nickname} Kicks nickname off a given channel.
/list [#string] [-min #] [-max #] Lists all currently available channels, evt. filtering for
parameters.
/log [on|off] Shows the logging status or sets it on or off for the current window.
/me {action text} Sends the specifed action to the active channel or query window.
/mode {#channel|nickname} [[+|-]modechars [parameters]] Sets channel or user modes.
/msg {nickname} {message} Send a private message to this user without opening a query window.
/names {#channel} Shows the nicks of all people on the given channel.
/nick {new nickname} Changes your nickname to whatever you like.
/notice {nick} {message} Send the specified notice message to the nick.
/notify [on|off|nickname] Toggles notifying you of a nick on IRC or sets it on or off totally.
/onotice [#channel] {message} Send the specified notice message to all channel ops.
/omsg [#channel] {message} Send the specified message to all ops on a channel.
/part {#channel} Makes you leave the specified channel.
/partall Makes you leave all channels you are on.
/ping {server address} Pings the given server. NOT a nickname.
/play [-c] {filename} [delay] Allows you to send text files to a window.
/pop {delay} [#channel] {nickname} Performs a randomly delayed +o on a not already opped nick.
/protect [on|off|nickname|address] Toggles protection of a nick or address or sets it on or off
totally.
/query {nickname} {message} Open a query window to this user and send them the private message.
/quit [reason] Disconnect you from IRC with the optional byebye message.
/raw {raw command} Sends any raw command you supply directly to the server. Use it with care!!
/remote [on|off] Shows the remote commands status or sets it to listening or not.
/rlevel {access level} Removes all users from the remote users list with the specified access
level.
/run {c:\path\program.exe} [parameters] Runs the specified program, evt. with parameters.
/ruser {nick[!]|address} [type] Removes the user from the remote users list.
/save {filename.ini} Saves remote sections into a specified INI file.
/say {text} Says whatever you want to the active window.
/server [server address [port] [password]] Reconnects to the previous server or a newly
specified one.
/sound [nickname|#channel] {filename.wav} {action text} Sends an action and a fitting sound.
/speak {text} Uses the external text to speech program Monologue to speak up the text.
/sreq [ask | auto | ignore] Sets your DCC 'On Send request' settings in DCC/Options.
/time Tells you the time on the server you use.
/timer[N] {repetitions} {interval in seconds} {command} [| {more commands}] Activates a timer.
/topic {#channel} {newtopic} Changes the topic for the specified channel.
/ulist [{|}]{level} Lists all users in the remote list with the specified access levels.
/url [-d] Opens the URL windows that allows you to surf the www parallel to IRC.
/uwho [nick] Pops up the user central with information about the specified user.
/who {#channel} Shows the nicks of all people on the given channel.
/who {*address.string*} Shows all people on IRC with a matching address.
/whois {nickname} Shows information about someone in the status window.
/whowas {nickname} Shows information about someone who -just- left IRC.
/wavplay {c:\path\sound.wav} Locally plays the specified wave file.
/write [-cidl] {filename} [text] To write the specified text to a .txt file.

MoViEBoT #xdcc-help /server irc.atomic-irc.net

We strive to make IRC easier for you!

Friday, 8 November 2013

ALL About Spyware

There are a lot of PC users that know little about "Spyware", "Mal-ware", "hijackers", "Dialers" & many more. This will help you avoid pop-ups, spammers and all those baddies.

What is spy-ware?
Spy-ware is Internet jargon for Advertising Supported software (Ad-ware). It is a way for shareware authors to make money from a product, other than by selling it to the users. There are several large media companies that offer them to place banner ads in their products in exchange for a portion of the revenue from banner sales. This way, you don't have to pay for the software and the developers are still getting paid. If you find the banners annoying, there is usually an option to remove them, by paying the regular licensing fee.

Known spywares
There are thousands out there, new ones are added to the list everyday. But here are a few:
Alexa, Aureate/Radiate, BargainBuddy, ClickTillUWin, Conducent Timesink, Cydoor, Comet Cursor, eZula/KaZaa Toptext, Flashpoint/Flashtrack, Flyswat, Gator, GoHip, Hotbar, ISTbar, Lions Pride Enterprises/Blazing Logic/Trek Blue, Lop (C2Media), Mattel Brodcast, Morpheus, NewDotNet, Realplayer, Songspy, Xupiter, Web3000, WebHancer, Windows Messenger Service.

How to check if a program has spyware?
The is this Little site that keeps a database of programs that are known to install spyware.

Check Here: http://www.spywareguide.com/product_search.php

If you would like to block pop-ups (IE Pop-ups).
There tons of different types out there, but these are the 2 best, i think.

Try: Google Toolbar (http://toolbar.google.com/) This program is Free
Try: AdMuncher (http://www.admuncher.com) This program is Shareware

If you want to remove the "spyware" try these.
Try: Lavasoft Ad-Aware (http://www.lavasoftusa.com/) This program is Free
Info: Ad-aware is a multi spyware removal utility, that scans your memory, registry and hard drives for known spyware components and lets you remove them. The included backup-manager lets you reinstall a backup, offers and multi language support.

Try: Spybot-S&D (http://www.safer-networking.org/) This program is Free
Info: Detects and removes spyware of different kinds (dialers, loggers, trojans, user tracks) from your computer. Blocks ActiveX downloads, tracking cookies and other threats. Over 10,000 detection files and entries. Provides detailed information about found problems.

Try: BPS Spyware and Adware Remover (http://www.bulletproofsoft.com/spyware-remover.html) This program is Shareware
Info: Adware, spyware, trackware and big brotherware removal utility with multi-language support. It scans your memory, registry and drives for known spyware and lets you remove them. Displays a list and lets you select the items you'd like to remove.

Try: Spy Sweeper v2.2 (http://www.webroot.com/wb/products/spysweeper/index.php) This program is Shareware
Info: Detects and removes spyware of different kinds (dialers, loggers, trojans, user tracks) from your computer.
The best scanner out there, and updated all the time.

Try: HijackThis 1.97.7 (http://www.spywareinfo.com/~merijn/downloads.html) This program is Freeware
Info: HijackThis is a tool, that lists all installed browser add-on, buttons, startup items and allows you to inspect them, and optionally remove selected items.


If you would like to prevent "spyware" being install.
Try: SpywareBlaster 2.6.1 (http://www.wilderssecurity.net/spywareblaster.html) This program is Free
Info: SpywareBlaster doesn`t scan and clean for so-called spyware, but prevents it from being installed in the first place. It achieves this by disabling the CLSIDs of popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Try: SpywareGuard 2.2 (http://www.wilderssecurity.net/spywareguard.html) This program is Free
Info: SpywareGuard provides a real-time protection solution against so-called spyware. It works similar to an anti-virus program, by scanning EXE and CAB files on access and alerting you if known spyware is detected.

Try: XP-AntiSpy (http://www.xp-antispy.org/) This program is Free
Info: XP-AntiSpy is a small utility to quickly disable some built-in update and authentication features in WindowsXP that may rise security or privacy concerns in some people.

Try: SpySites (http://camtech2000.net/Pages/SpySites_Prog...ml#SpySitesFree) This program is Free
Info: SpySites allows you to manage the Internet Explorer Restricted Zone settings and easily add entries from a database of 1500+ sites that are known to use advertising tracking methods or attempt to install third party software.

If you would like more Information about "spyware".
Check these sites.
http://www.spychecker.com/
http://www.spywareguide.com/
http://www.cexx.org/adware.htm
http://www.theinfomaniac.net/infomaniac/co...rsSpyware.shtml
http://www.thiefware.com/links/
http://simplythebest.net/info/spyware.html

Usefull tools...
Try: Stop Windows Messenger Spam 1.10 (http://www.jester2k.pwp.blueyonder.co.uk/j...r2ksoftware.htm) This program is Free
Info: "Stop Windows Messenger Spam" stops this Service from running and halts the spammers ability to send you these messages.

----------------------------------------------------------------------------
All these softwares will help remove and prevent evil spammers and spywares attacking your PC. I myself recommend getting "spyblaster" "s&d spybot" "spy sweeper" & "admuncher" to protect your PC. A weekly scan is also recommended

Free Virus Scan
Scan for spyware, malware and keyloggers in addition to viruses, worms and trojans. New threats and annoyances are created faster than any individual can keep up with.
http://defender.veloz.com// - 15k


Finding . is a Click Away at 2020Search.com
Having trouble finding what you re looking for on: .? 2020Search will instantly provide you with the result you re looking for by drawing on some of the best search engines the Internet has to offer. Your result is a click away!
http://www.2020search.com// - 43k


Download the BrowserVillage Toolbar.
Customize your Browser! Eliminate Pop-up ads before they start, Quick and easy access to the Web, and much more. Click Here to Install Now!
http://www.browservillage.com/ - 36k

All about ftp must read

 Setting Up A Ftp:


Well, since many of us have always wondered this, here it is. Long and drawn out. Also, before attempting this, realize one thing; You will have to give up your time, effort, bandwidth, and security to have a quality ftp server.
That being said, here it goes. First of all, find out if your IP (Internet Protocol) is static (not changing) or dynamic (changes everytime you log on). To do this, first consider the fact if you have a dial up modem. If you do, chances are about 999 999 out of 1 000 000 that your IP is dynamic. To make it static, just go to a place like h*tp://www.myftp.org/ to register for a static ip address.

You'll then need to get your IP. This can be done by doing this:
Going to Start -> Run -> winipcfg or www.ask.com and asking 'What is my IP?'

After doing so, you'll need to download an FTP server client. Personally, I'd recommend G6 FTP Server, Serv-U FTPor Bullitproof v2.15 all three of which are extremely reliable, and the norm of the ftp world.
You can download them on this site: h*tp://www.liaokai.com/softw_en/d_index.htm

First, you'll have to set up your ftp. For this guide, I will use step-by-step instructions for G6. First, you'll have to go into 'Setup -> General'. From here, type in your port # (default is 21). I recommend something unique, or something a bit larger (ex: 3069). If you want to, check the number of max users (this sets the amount of simultaneous maximum users on your server at once performing actions - The more on at once, the slower the connection and vice versa).

The below options are then chooseable:
-Launch with windows
-Activate FTP Server on Start-up
-Put into tray on startup
-Allow multiple instances
-Show "Loading..." status at startup
-Scan drive(s) at startup
-Confirm exit

You can do what you want with these, as they are pretty self explanatory. The scan drive feature is nice, as is the 2nd and the last option. From here, click the 'options' text on the left column.

To protect your server, you should check 'login check' and 'password check', 'Show relative path (a must!)', and any other options you feel you'll need. After doing so, click the 'advanced' text in the left column. You should then leave the buffer size on the default (unless of course you know what you're doing ), and then allow the type of ftp you want.

Uploading and downloading is usually good, but it's up to you if you want to allow uploads and/or downloads. For the server priority, that will determine how much conventional memory will be used and how much 'effort' will go into making your server run smoothly.

Anti-hammering is also good, as it prevents people from slowing down your speed. From here, click 'Log Options' from the left column. If you would like to see and record every single command and clutter up your screen, leave the defaults.

But, if you would like to see what is going on with the lowest possible space taken, click 'Screen' in the top column. You should then check off 'Log successful logins', and all of the options in the client directry, except 'Log directory changes'. After doing so, click 'Ok' in the bottom left corner.

You will then have to go into 'Setup -> User Accounts' (or ctrl & u). From here, you should click on the right most column, and right click. Choose 'Add', and choose the username(s) you would like people to have access to.

After giving a name (ex: themoonlanding), you will have to give them a set password in the bottom column (ex: wasfaked). For the 'Home IP' directory, (if you registered with a static server, check 'All IP Homes'. If your IP is static by default, choose your IP from the list. You will then have to right click in the very center column, and choose 'Add'.

From here, you will have to set the directory you want the people to have access to. After choosing the directory, I suggest you choose the options 'Read', 'List', and 'Subdirs', unless of course you know what you're doing . After doing so, make an 'upload' folder in the directory, and choose to 'add' this folder seperately to the center column. Choose 'write', 'append', 'make', 'list', and 'subdirs'. This will allow them to upload only to specific folders (your upload folder).

Now click on 'Miscellaneous' from the left column. Choose 'enable account', your time-out (how long it takes for people to remain idle before you automatically kick them off), the maximum number of users for this name, the maximum number of connections allowed simultaneously for one ip address, show relative path (a must!), and any other things at the bottom you'd like to have. Now click 'Ok'.
**Requested**


From this main menu, click the little boxing glove icon in the top corner, and right click and unchoose the hit-o-meter for both uploads and downloads (with this you can monitor IP activity). Now click the lightning bolt, and your server is now up and running.

Post your ftp info, like this:

213.10.93.141 (or something else, such as: 'f*p://example.getmyip.com')

User: *** (The username of the client)

Pass: *** (The password)

Port: *** (The port number you chose)

So make a FTP and join the FTP section


Listing The Contents Of A Ftp:

Listing the content of a FTP is very simple.
You will need FTP Content Maker, which can be downloaded from here:
ht*p://www.etplanet.com/download/application/FTP%20Content%20Maker%201.02.zip

1. Put in the IP of the server. Do not put "ftp://" or a "/" because it will not work if you do so.
2. Put in the port. If the port is the default number, 21, you do not have to enter it.
3. Put in the username and password in the appropriate fields. If the login is anonymous, you do not have to enter it.
4. If you want to list a specific directory of the FTP, place it in the directory field. Otherwise, do not enter anything in the directory field.
5. Click "Take the List!"
6. After the list has been taken, click the UBB output tab, and copy and paste to wherever you want it.


If FTP Content Maker is not working, it is probably because the server does not utilize Serv-U Software.

If you get this error message:
StatusCode = 550
LastResponse was : 'Unable to open local file test-ftp'
Error = 550 (Unable to open local file test-ftp)
Error = Unable to open local file test-ftp = 550
Close and restart FTP Content Maker, then try again.




error messages:

110 Restart marker reply. In this case, the text is exact and not left to the particular implementation; it must read: MARK yyyy = mmmm Where yyyy is User-process data stream marker, and mmmm server's equivalent marker (note the spaces between markers and "=").
120 Service ready in nnn minutes.
125 Data connection already open; transfer starting.
150 File status okay; about to open data connection.
200 Command okay.
202 Command not implemented, superfluous at this site.
211 System status, or system help reply.
212 Directory status.
213 File status.
214 Help message. On how to use the server or the meaning of a particular non-standard command. This reply is useful only to the human user.
215 NAME system type. Where NAME is an official system name from the list in the Assigned Numbers document.
220 Service ready for new user.
221 Service closing control connection. Logged out if appropriate.
225 Data connection open; no transfer in progress.
226 Closing data connection. Requested file action successful (for example, file transfer or file abort).
227 Entering Passive Mode (h1,h2,h3,h4,p1,p2).
230 User logged in, proceed.
250 Requested file action okay, completed.
257 "PATHNAME" created.
331 User name okay, need password.
332 Need account for login.
350 Requested file action pending further information.
421 Too many users logged to the same account
425 Can't open data connection.
426 Connection closed; transfer aborted.
450 Requested file action not taken. File unavailable (e.g., file busy).
451 Requested action aborted: local error in processing.
452 Requested action not taken. Insufficient storage space in system.
500 Syntax error, command unrecognized. This may include errors such as command line too long.
501 Syntax error in parameters or arguments.
502 Command not implemented.
503 Bad sequence of commands.
504 Command not implemented for that parameter.
530 Not logged in.
532 Need account for storing files.
550 Requested action not taken. File unavailable (e.g., file not found, no access).
551 Requested action aborted: page type unknown.
552 Requested file action aborted. Exceeded storage allocation (for current directory or dataset).
553 Requested action not taken. File name not allowed.


 Active FTP vs. Passive FTP, a Definitive Explanation

Introduction
One of the most commonly seen questions when dealing with firewalls and other Internet connectivity issues is the difference between active and passive FTP and how best to support either or both of them. Hopefully the following text will help to clear up some of the confusion over how to support FTP in a firewalled environment.

This may not be the definitive explanation, as the title claims, however, I've heard enough good feedback and seen this document linked in enough places to know that quite a few people have found it to be useful. I am always looking for ways to improve things though, and if you find something that is not quite clear or needs more explanation, please let me know! Recent additions to this document include the examples of both active and passive command line FTP sessions. These session examples should help make things a bit clearer. They also provide a nice picture into what goes on behind the scenes during an FTP session. Now, on to the information...



The Basics
FTP is a TCP based service exclusively. There is no UDP component to FTP. FTP is an unusual service in that it utilizes two ports, a 'data' port and a 'command' port (also known as the control port). Traditionally these are port 21 for the command port and port 20 for the data port. The confusion begins however, when we find that depending on the mode, the data port is not always on port 20.



Active FTP
In active mode FTP the client connects from a random unprivileged port (N > 1024) to the FTP server's command port, port 21. Then, the client starts listening to port N+1 and sends the FTP command PORT N+1 to the FTP server. The server will then connect back to the client's specified data port from its local data port, which is port 20.

From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened:

FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1024 (Server responds to client's control port)
FTP server's port 20 to ports > 1024 (Server initiates data connection to client's data port)
FTP server's port 20 from ports > 1024 (Client sends ACKs to server's data port)


In step 1, the client's command port contacts the server's command port and sends the command PORT 1027. The server then sends an ACK back to the client's command port in step 2. In step 3 the server initiates a connection on its local data port to the data port the client specified earlier. Finally, the client sends an ACK back as shown in step 4.

The main problem with active mode FTP actually falls on the client side. The FTP client doesn't make the actual connection to the data port of the server--it simply tells the server what port it is listening on and the server connects back to the specified port on the client. From the client side firewall this appears to be an outside system initiating a connection to an internal client--something that is usually blocked.



Active FTP Example
Below is an actual example of an active FTP session. The only things that have been changed are the server names, IP addresses, and user names. In this example an FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a linux box running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a linux box running ProFTPd 1.2.2RC2. The debugging (-d) flag is used with the FTP client to show what is going on behind the scenes. Everything in red is the debugging output which shows the actual FTP commands being sent to the server and the responses generated from those commands. Normal server output is shown in black, and user input is in bold.

There are a few interesting things to consider about this dialog. Notice that when the PORT command is issued, it specifies a port on the client (192.168.150.80) system, rather than the server. We will see the opposite behavior when we use passive FTP. While we are on the subject, a quick note about the format of the PORT command. As you can see in the example below it is formatted as a series of six numbers separated by commas. The first four octets are the IP address while the second two octets comprise the port that will be used for the data connection. To find the actual port multiply the fifth octet by 256 and then add the sixth octet to the total. Thus in the example below the port number is ( (14*256) + 178), or 3762. A quick check with netstat should confirm this information.

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PORT 192,168,150,80,14,178
200 PORT command successful.
---> LIST
150 Opening ASCII mode data connection for file list.
drwx------ 3 slacker users 104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.


Passive FTP
In order to resolve the issue of the server initiating the connection to the client a different method for FTP connections was developed. This was known as passive mode, or PASV, after the command used by the client to tell the server it is in passive mode.

In passive mode FTP the client initiates both connections to the server, solving the problem of firewalls filtering the incoming data port connection to the client from the server. When opening an FTP connection, the client opens two random unprivileged ports locally (N > 1024 and N+1). The first port contacts the server on port 21, but instead of then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command. The result of this is that the server then opens a random unprivileged port (P > 1024) and sends the PORT P command back to the client. The client then initiates the connection from port N+1 to port P on the server to transfer data.

From the server-side firewall's standpoint, to support passive mode FTP the following communication channels need to be opened:

FTP server's port 21 from anywhere (Client initiates connection)
FTP server's port 21 to ports > 1024 (Server responds to client's control port)
FTP server's ports > 1024 from anywhere (Client initiates data connection to random port specified by server)
FTP server's ports > 1024 to remote ports > 1024 (Server sends ACKs (and data) to client's data port)



In step 1, the client contacts the server on the command port and issues the PASV command. The server then replies in step 2 with PORT 2024, telling the client which port it is listening to for the data connection. In step 3 the client then initiates the data connection from its data port to the specified server data port. Finally, the server sends back an ACK in step 4 to the client's data port.

While passive mode FTP solves many of the problems from the client side, it opens up a whole range of problems on the server side. The biggest issue is the need to allow any remote connection to high numbered ports on the server. Fortunately, many FTP daemons, including the popular WU-FTPD allow the administrator to specify a range of ports which the FTP server will use. See Appendix 1 for more information.

The second issue involves supporting and troubleshooting clients which do (or do not) support passive mode. As an example, the command line FTP utility provided with Solaris does not support passive mode, necessitating a third-party FTP client, such as ncftp.

With the massive popularity of the World Wide Web, many people prefer to use their web browser as an FTP client. Most browsers only support passive mode when accessing ftp:// URLs. This can either be good or bad depending on what the servers and firewalls are configured to support.



Passive FTP Example
Below is an actual example of a passive FTP session. The only things that have been changed are the server names, IP addresses, and user names. In this example an FTP session is initiated from testbox1.slacksite.com (192.168.150.80), a linux box running the standard FTP command line client, to testbox2.slacksite.com (192.168.150.90), a linux box running ProFTPd 1.2.2RC2. The debugging (-d) flag is used with the FTP client to show what is going on behind the scenes. Everything in red is the debugging output which shows the actual FTP commands being sent to the server and the responses generated from those commands. Normal server output is shown in black, and user input is in bold.

Notice the difference in the PORT command in this example as opposed to the active FTP example. Here, we see a port being opened on the server (192.168.150.90) system, rather than the client. See the discussion about the format of the PORT command above, in the Active FTP Example section.

testbox1: {/home/p-t/slacker/public_html} % ftp -d testbox2
Connected to testbox2.slacksite.com.
220 testbox2.slacksite.com FTP server ready.
Name (testbox2:slacker): slacker
---> USER slacker
331 Password required for slacker.
Password: TmpPass
---> PASS XXXX
230 User slacker logged in.
---> SYST
215 UNIX Type: L8
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.
ftp> ls
ftp: setsockopt (ignored): Permission denied
---> PASV
227 Entering Passive Mode (192,168,150,90,195,149).
---> LIST
150 Opening ASCII mode data connection for file list
drwx------ 3 slacker users 104 Jul 27 01:45 public_html
226 Transfer complete.
ftp> quit
---> QUIT
221 Goodbye.


Summary
The following chart should help admins remember how each FTP mode works:

Active FTP :
command : client >1024 -> server 21
data : client >1024 <- server 20

Passive FTP :
command : client >1024 -> server 21
data : client >1024 -> server >1024

A quick summary of the pros and cons of active vs. passive FTP is also in order:

Active FTP is beneficial to the FTP server admin, but detrimental to the client side admin. The FTP server attempts to make connections to random high ports on the client, which would almost certainly be blocked by a firewall on the client side. Passive FTP is beneficial to the client, but detrimental to the FTP server admin. The client will make both connections to the server, but one of them will be to a random high port, which would almost certainly be blocked by a firewall on the server side.

Luckily, there is somewhat of a compromise. Since admins running FTP servers will need to make their servers accessible to the greatest number of clients, they will almost certainly need to support passive FTP. The exposure of high level ports on the server can be minimized by specifying a limited port range for the FTP server to use. Thus, everything except for this range of ports can be firewalled on the server side. While this doesn't eliminate all risk to the server, it decreases it tremendously.

Advanced Shellcoding Techniques

  ***********************************************
     *                                             *
     * Advanced Shellcoding Techniques - by Darawk *
     *                                             *
     ***********************************************

Introduction

This paper assumes a working knowledge of basic shellcoding techniques, and x86 assembly, I will not rehash these in this paper.  I hope to teach you some of the lesser known shellcoding techniques that I have picked up, which will allow you to write smaller and better shellcodes.  I do not claim to have invented any of these techniques, except for the one that uses the div instruction.



The multiplicity of mul

This technique was originally developed by Sorbo of darkircop.net.  The mul instruction may, on the surface, seem mundane, and it's purpose obvious.  However, when faced with the difficult challenge of shrinking your shellcode, it proves to be quite useful.  First some background information on the mul instruction itself.

mul performs an unsigned multiply of two integers.  It takes only one operand, the other is implicitly specified by the %eax register.  So, a  common mul instruction might look something like this:

movl $0x0a,%eax
mul $0x0a

This would multiply the value stored in %eax by the operand of mul, which in this case would be 10*10.  The result is then implicitly stored in EDX:EAX.  The result is stored over a span of two registers because it has the potential to be considerably larger than the previous value, possibly exceeding the capacity of a single register(this is also how floating points are stored in some cases, as an interesting sidenote).

So, now comes the ever-important question.  How can we use these attributes to our advantage when writing shellcode?  Well, let's think for a second, the instruction takes only one operand, therefore, since it is a very common instruction, it will generate only two bytes in our final shellcode.  It multiplies whatever is passed to it by the value stored in %eax, and stores the value in both %edx and %eax, completely overwriting the contents of both registers, regardless of whether it is necessary to do so, in order to store the result of the multiplication.  Let's put on our mathematician hats for a second, and consider this, what is the only possible result of a multiplication by 0?  The answer, as you may have guessed, is 0.  I think it's about time for some example code, so here it is:

xorl %ecx,%ecx
mul %ecx

What is this shellcode doing?  Well, it 0's out the %ecx register using the xor instruction, so we now know that %ecx is 0.  Then it does a mul %ecx, which as we just learned, multiplies it's operand by the value in %eax, and then proceeds to store the result of this multiplication in EDX:EAX.  So, regardless of %eax's previous contents, %eax must now be 0.  However that's not all, %edx is 0'd now too, because, even though no overflow occurs, it still overwrites the %edx register with the sign bit(left-most bit) of %eax.  Using this technique we can zero out three registers in only three bytes, whereas by any other method(that I know of) it would have taken at least six.


The div instruction

Div is very similar to mul, in that it takes only one operand and implicitly divides the operand by the value in %eax.  Also like, mul it stores the result of the divide in %eax.  Again, we will require the mathematical side of our brains to figure out how we can take advantage of this instruction.  But first, let's think about what is normally stored in the %eax register.  The %eax register holds the return value of functions and/or syscalls.  Most syscalls that are used in shellcoding will return -1(on failure) or a positive value of some kind, only rarely will they return 0(though it does occur).  So, if we know that after a syscall is performed, %eax will have a non-zero value, and that  the instruction divl %eax will divide %eax by itself, and then store the result in %eax, we can say that executing the divl %eax instruction after a syscall will put the value 1 into %eax.  So...how is this applicable to shellcoding? Well, their is another important thing that %eax is used for, and that is to pass the specific syscall that you would like to call to int $0x80.  It just so happens that the syscall that corresponds to the value 1 is exit().  Now for an example:

     
xorl %ebx,%ebx
mul %ebx
push %edx
pushl   $0x3268732f
pushl   $0x6e69622f
mov %esp, %ebx
push %edx
push %ebx
mov %esp,%ecx
movb $0xb, %al  #execve() syscall, doesn't return at all unless it fails, in which case it returns -1
int $0x80

divl %eax  # -1 / -1 = 1
int $0x80

Now, we have a 3 byte exit function, where as before it was 5 bytes.  However, there is a catch, what if a syscall does return 0?  Well in the odd situation in which that could happen, you could do many different things, like inc %eax, dec %eax, not %eax anything that will make %eax non-zero.  Some people say that exit's are not important in shellcode, because your code gets executed regardless of whether or not it exits cleanly.  They are right too, if you really need to save 3 bytes to fit your shellcode in somewhere, the exit() isn't worth keeping.  However, when your code does finish, it will try to execute whatever was after your last instruction, which will most likely produce a SIG ILL(illegal instruction) which is a rather odd error, and will be logged by the system.  So, an exit() simply adds an extra layer of stealth to your exploit, so that even if it fails or you can't wipe all the logs, at least this part of your presence will be clear.



Unlocking the power of leal

The leal instruction is an often neglected instruction in shellcode, even though it is quite useful.  Consider this short piece of shellcode.

xorl %ecx,%ecx
leal 0x10(%ecx),%eax

This will load the value 17 into eax, and clear all of the extraneous bits of eax.  This occurs because the leal instruction loads a variable of the type long into it's desitination operand.  In it's normal usage, this would load the address of a variable into a register, thus creating a pointer of sorts.  However, since ecx is 0'd and 0+17=17, we load the value 17 into eax instead of any kind of actual address.  In a normal shellcode we would do something like this, to accomplish the same thing:

xorl %eax,%eax
movb $0x10,%eax

I can hear you saying, but that shellcode is a byte shorter than the leal one, and you're quite right.  However, in a real shellcode you may already have to 0 out a register like ecx(or any other register), so the xorl instruction in the leal shellcode isn't counted.  Here's an example:

xorl    %eax,%eax
xorl    %ebx,%ebx
movb    $0x17,%al
int    $0x80
     
xorl %ebx,%ebx
leal 0x17(%ebx),%al
int $0x80

Both of these shellcodes call setuid(0), but one does it in 7 bytes while the other does it in 8.  Again, I hear you saying but that's only one byte it doesn't make that much of a difference, and you're right, here it doesn't make much of a difference(except for in shellcode-size pissing contests =p), but when applied to much larger shellcodes, which have many function calls and need to do things like this frequently, it can save quite a bit of space.



Conclusion

I hope you all learned something, and will go out and apply your knowledge to create smaller and better shellcodes.  If you know who invented  the leal technique, please tell me and I will credit him/her.  

Accessing the bindery files directly

                                                         3 November 1995


                  Accessing the bindery files directly


                  Alastair Grant, Cambridge University


1. Introduction

This document describes a command for accessing the NetWare 3.x bindery
files directly, bypassing the NetWare network API calls.

It can be used for fast bindery access, bulk user management, bypassing
security restrictions, investigating problems etc.

It is quite possible to destroy the bindery completely, or to reveal
information which could be used by hackers to obtain passwords. Users
are assumed to have a basic grasp of good procedures for security and
backup.


2. Command syntax

The basic format of the command is

   bindery [options] bindery-spec action action ...


2.1 Specifying a bindery

A bindery specification takes the form

   path/.extension

E.g. SYS:SYSTEM/.SYS. The path defaults to the current directory. The
extension defaults to .OLD.

Alternatively an 'active' bindery can be specified:

   SERVER server

The bindery will be closed if necessary.


2.2 Actions on the bindery

  INFO      print info about the bindery
  SCHEMA    checks the bindery against the schema in BINDERY.SCH
  DUMP obj  dump all information for the specified object(s)
  OBJ       list all object records
  PROP      list all property records
  VAL       list all value records
  VALDATA   list all value records, with data
  EXPORT    export the bindery to a text file; see below
  IMPORT    import the bindery from a text file
  ETC       export user password information, suitable for input to the
            password-cracking program described below

The following actions apply only if a bindery has been specified by the
SERVER parameter:
  CLOSE     close the bindery, i.e. make it available for direct access;
            users attempting to access the bindery via NetWare API calls
            will receive an error
  OPEN      open the bindery, which causes the server to reload it and
            may take some time for large binderies
  COPY directory
            copy the bindery files into a directory elsewhere


3. Export/import

The bindery can be exported to and imported from a text file. This can
be used for various purposes:

 -   problem diagnosis and repair

 -   creation of large binderies given a set of user information

 -   compaction of binderies

 -   merging binderies or moving users between binderies while
     preserving their passwords

To see the format of the export file, try exporting a small bindery.


4. Password cracking

Passwords are not stored in clear in the bindery. What is stored is a
16-byte value computed via a one-way function from the user's object id
and the password. Given the object id and password it is possible to
generate a candidate password which can be compared against that in the
bindery.

The ETC option of the BINDERY command produces a file containing the
required information, in a format superficially similar to /etc/passwd
on Unix:

   userid:pw-hash:object-id:pw-len:name::

e.g.

   ttidy:32d8998e098a05830f809b809ea02137:D0000001:8:Terry Tidy

This can then be input into bindery cracking programs. Separating the
functions in this way allows various forms of parallelism:

 -   the password file can be split into smaller chunks

 -   the same password file can be worked on by several cracking
     programs each with different dictionaries or algorithms

 -   cracking programs can be run on faster machines

A cracking program BINCRACK is provided which takes such a file as
input. It has command syntax:

   bincrack [/verify] [/numsub] pw-file dict-file

/verify lists the passwords that are being tried. /numsub tries
substituting numbers for letters, e.g. "1D10T". This takes a lot longer
as all possible combinations are tried. pw-file is an exported bindery
password file. dict-file is a simple word list.

Versions are available for MS-DOS and for Solaris 1 and Solaris 2 SPARC
systems.

Suitable wordlists can be found at

   ftp://ftp.ox.ac.uk/pub/wordlists/

A very small tut for RealMedia

You may find this helpful if you donwload hundreds of short episodes in rm format like me and tired of double-click to open next files.

Very easy. Use notepad to open a new file, type this inside:
file://link to file1
file://link to file2
(type as many as you want)
Close file. Rename it to FileName.rm

Then you`re done!!!!

Ex:
I put my playlist file here: C:\Movies\7VNR
And the movie files are in C:\Movies\7VNR\DragonBall

Then inside my playlist file I`ll have something like this:

file://DragonBall/db134.rm
file://DragonBall/db135.rm
file://DragonBall/db136.rm
file://DragonBall/db137.rm
file://DragonBall/db138.rm

A Small Guide to Hacking HOTMAIL

From hacker@mitchell.demon.nl Mon Mar 02 20:09:04 1998
Newsgroups: alt.hacking
Subject: Hotmail Hack info !
From: Terry Mitchell <hacker@mitchell.demon.nl>
Date: Mon, 02 Mar 1998 12:09:04 -0800

HOTMAIL HACKING INFO.


I_1_I  - Brute force hacking
a. Use telnet to connect to port 110 (Hotmail´s pop-server)
b. Type USER and then the victim´s username
c. Type PASS and then the guess a password
d. Repeat that until U have found the correct password.
!. This is called brute force hacking and requires patience.
It´s better than trying to guess the victims password on
hotmail homepage only because it´s faster.
____
I_2_I  - The Best way
a. Get the username of the victim (It usually stands in the adress-field
)
b. Then type " www.hotmail.com/cgi-bin/start/victimsusername "
c. U´re in!
!. This hack only work if U are on the same network or computer as the
victim and if he don´t log out.
____
I_3_I  - The old way
a. Go to http://www.hotmail/proxy.html
b. Now type the victims username. (press login)
c. Look at the source code.
d. On the fifth row U should find "action=someadress"
e. Copy that adress and paste it into the adress-field
f. You are in...
!. As you can see it´s a long procedure and the victim have
plenty of time to log out.
____
I_4_I  - Another...
a. Go to hotmail´s homepage
b. Copy the source code.
c. Make a new html file with the same code but change method=post to
method=enter
d. "view" the page
e. Change the adress to www.hotmail.com/ (don´t press enter!)
f. Make the victim type in his username and password
g. Look in the adress-field. There you´ll see ...&password:something...
!. This is the way I use, because it lets you know the password.
(If he exits the browser U can see the password in the History folder!)

READ!
Hotmail´s sysops have changed the "system" so that the victim may log
out even
if U are inside his/her account. So don´t waste U´r time!

---

So you want to get some hotmail passwords?
This is pretty easy to do once you have got the hang of it.
If you are a beginner, I wouldn't make this your first attempt at
hacking.  When you need to do is use a port surfer and surf over to
port 80.  While there, you have to try and mail the user that you
want the password from.  It is best to mail them using the words
"We" and "Here at Hotmail..."  Most suckers fall for this and end
up giving out their password.  There is another way to also, you can
get an anon mailer, and forge the addres as staff@hotmail.com.  But
you have to change the reply address to go to a different addres
like user@host.com.  The person that you are trying to get the pass
from MUST respond to that letter for the mail to be forwarded to you.
Have text like "Please reply to this letter with the subject "PASSWORD"
and underneith please include your user name and password.
If you have trouble Loging in withing the next few days, this is
only because we are updating our mail servers but no need to worry,
your mail will still be there.  Even though the server may be down
for an hour.  From the staff at Hotmail, Thank You."



A simple TCP spoofing attack



                        A simple TCP spoofing attack


Over the past few years TCP sequence number prediction attacks have become a
real threat against unprotected networks, taking advantage of the inherent
trust relationships present in many network installations.  TCP sequence
number prediction attacks have most commonly been implemented by opening a
series of connections to the target host, and attempting to predict the
sequence number which will be used next.  Many operating systems have
therefore attempted to solve this problem by implementing a method of
generating sequence numbers in unpredictable fashions.  This method does
not solve the problem.

This advisory introduces an alternative method of obtaining the initial
sequence number from some common trusted services.  The attack presented here
does not require the attacker to open multiple connections, or flood a port
on the trusted host to complete the attack.  The only requirement is that
source routed packets can be injected into the target network with fake
source addresses.

This advisory assumes that the reader already has an understanding of how
TCP sequence number prediction attacks are implemented.

The impact of this advisory is greatly diminished due to the large number of
organizations which block source routed packets and packets with addresses
inside of their networks.  Therefore we present the information as more of
a 'heads up' message for the technically inclined, and to re-iterate that
the randomization of TCP sequence numbers is not an effective solution
against this attack.


Technical Details
~~~~~~~~~~~~~~~~~

The problem occurs when particular network daemons accept connections
with source routing enabled, and proceed to disable any source routing
options on the connection.  The connection is allowed to continue, however
the reverse route is no longer used.  An example attack can launched against
the in.rshd daemon, which on most systems will retrieve the socket options
via getsockopt() and then turn off any dangerous options via setsockopt().

An example attack follows.

Host A is the trusted host
Host B is the target host
Host C is the attacker

Host C initiates a source routed connection to in.rshd on host B, pretending
to be host A.

Host C spoofing Host A         <SYN>    -->  Host B in.rshd

Host B receives the initial SYN packet, creates a new PCB (protocol
control block) and associates the route with the PCB.  Host B responds,
using the reverse route, sending back a SYN/ACK with the sequence number.

Host C spoofing Host A  <--  <SYN/ACK>       Host B in.rshd

Host C responds, still spoofing host A, acknowledging the sequence number.
Source routing options are not required on this packet.

Host C spoofing Host A         <ACK>    -->  Host B in.rshd

We now have an established connection, the accept() call completes, and
control is now passed to the in.rshd daemon.  The daemon now does IP
options checking and determines that we have initiated a source routed
connection.  The daemon now turns off this option, and any packets sent
thereafter will be sent to the real host A, no longer using the reverse
route which we have specified.  Normally this would be safe, however the
attacking host now knows what the next sequence number will be.  Knowing
this sequence number, we can now send a spoofed packet without the source
routing options enabled, pretending to originate from Host A, and our
command will be executed.

In some conditions the flooding of a port on the real host A is required
if larger ammounts of data are sent, to prevent the real host A from
responding with an RST.  This is not required in most cases when performing
this attack against in.rshd due to the small ammount of data transmitted.

It should be noted that the sequence number is obtained before accept()
has returned and that this cannot be prevented without turning off source
routing in the kernel.

As a side note, we're very lucky that TCP only associates a source route with
a PCB when the initial SYN is received.  If it accepted and changed the ip
options at any point during a connection, more exotic attacks may be possible.
These could include hijacking connections across the internet without playing
a man in the middle attack and being able to bypass IP options checking
imposed by daemons using getsockopt().  Luckily *BSD based TCP/IP stacks will
not do this, however it would be interesting to examine other implementations.

Impact
~~~~~~

The impact of this attack is similar to the more complex TCP sequence
number prediction attack, yet it involves fewer steps, and does not require
us to 'guess' the sequence number.  This allows an attacker to execute
arbitrary commands as root, depending on the configuration of the target
system.  It is required that trust is present here, as an example, the use
of .rhosts or hosts.equiv files.


Solutions
~~~~~~~~~

The ideal solution to this problem is to have any services which rely on
IP based authentication drop the connection completely when initially
detecting that source routed options are present.  Network administrators
and users can take precautions to prevent users outside of their network
from taking advantage of this problem.  The solutions are hopefully already
either implemented or being implemented.

1. Block any source routed connections into your networks
2. Block any packets with internal based address from entering your network.

Network administrators should be aware that these attacks can easily be
launched from behind filtering routers and firewalls.  Internet service
providers and corporations should ensure that internal users cannot launch
the described attacks.  The precautions suggested above should be implemented
to protect internal networks.

Example code to correctly process source routed packets is presented here
as an example.  Please let us know if there are any problems with it.
This code has been tested on BSD based operating systems.

        u_char optbuf[BUFSIZ/3];
        int optsize = sizeof(optbuf), ipproto, i;
        struct protoent *ip;

        if ((ip = getprotobyname("ip")) != NULL)
                ipproto = ip->p_proto;
        else
                ipproto = IPPROTO_IP;
        if (!getsockopt(0, ipproto, IP_OPTIONS, (char *)optbuf, &optsize) &&
            optsize != 0) {
                for (i = 0; i < optsize; ) {
                        u_char c = optbuf[i];
                        if (c == IPOPT_LSRR || c == IPOPT_SSRR)
                                exit(1);
                        if (c == IPOPT_EOL)
                                break;
                        i += (c == IPOPT_NOP) ? 1 : optbuf[i+1];
                }
        }


One critical concern is in the case where TCP wrappers are being used.  If
a user is relying on TCP wrappers, the above fix should be incorporated into
fix_options.c.  The problem being that TCP wrappers itself does not close
the connection, however removes the options via setsockopt().  In this case
when control is passed to in.rshd, it will never see any options present,
and the connection will remain open (even if in.rshd has the above patch
incorporated).  An option to completely drop source routed connections will
hopefully be provided in the next release of TCP wrappers.  The other option
is to undefine KILL_IP_OPTIONS, which appears to be undefined by default.
This passes through IP options and allows the called daemon to handle them
accordingly.


Disabling Source Routing
~~~~~~~~~~~~~~~~~~~~~~~~

We believe the following information to be accurate, however it is not
guaranteed.

--- Cisco

To have the router discard any datagram containing an IP source route option
issue the following command:

no ip source-route

This is a global configuration option.


--- NetBSD

Versions of NetBSD prior to 1.2 did not provide the capability for disabling
source routing.  Other versions ship with source routing ENABLED by default.
We do not know of a way to prevent NetBSD from accepting source routed packets.
NetBSD systems, however, can be configured to prevent the forwarding of packets
when acting as a gateway.

To determine whether forwarding of source routed packets is enabled,
issue the following command:

# sysctl net.inet.ip.forwarding
# sysctl net.inet.ip.forwsrcrt

The response will be either 0 or 1, 0 meaning off, and 1 meaning it is on.

Forwarding of source routed packets can be turned off via:

# sysctl -w net.inet.ip.forwsrcrt=0

Forwarding of all packets in general can turned off via:

# sysctl -w net.inet.ip.forwarding=0


--- BSD/OS

BSDI has made a patch availible for rshd, rlogind, tcpd and nfsd.  This
patch is availible at:

ftp://ftp.bsdi.com/bsdi/patches/patches-2.1

OR via their patches email server <patches@bsdi.com>

The patch number is
U210-037 (normal version)
D210-037 (domestic version for sites running kerberized version)


BSD/OS 2.1 has source routing disabled by default

Previous versions ship with source routing ENABLED by default.  As far as
we know, BSD/OS cannot be configured to drop source routed packets destined
for itself, however can be configured to prevent the forwarding of such
packets when acting as a gateway.

To determine whether forwarding of source routed packets is enabled,
issue the following command:

# sysctl net.inet.ip.forwarding
# sysctl net.inet.ip.forwsrcrt

The response will be either 0 or 1, 0 meaning off, and 1 meaning it is on.

Forwarding of source routed packets can be turned off via:

# sysctl -w net.inet.ip.forwsrcrt=0

Forwarding of all packets in general can turned off via:

# sysctl -w net.inet.ip.forwarding=0


--- OpenBSD

Ships with source routing turned off by default.  To determine whether source
routing is enabled, the following command can be issued:

# sysctl net.inet.ip.sourceroute

The response will be either 0 or 1, 0 meaning that source routing is off,
and 1 meaning it is on.  If source routing has been turned on, turn off via:

# sysctl -w net.inet.ip.sourceroute=0

This will prevent OpenBSD from forwarding and accepting any source routed
packets.


--- FreeBSD

Ships with source routing turned off by default.  To determine whether source
routing is enabled, the following command can be issued:

# sysctl net.inet.ip.sourceroute

The response will be either 0 or 1, 0 meaning that source routing is off,
and 1 meaning it is on.  If source routing has been turned on, turn off via:

# sysctl -w net.inet.ip.sourceroute=0


--- Linux

Linux by default has source routing disabled in the kernel.


--- Solaris 2.x

Ships with source routing enabled by default.  Solaris 2.5.1 is one of the
few commercial operating systems that does have unpredictable sequence
numbers, which does not help in this attack.

We know of no method to prevent Solaris from accepting source routed
connections, however, Solaris systems acting as gateways can be prevented
from forwarding any source routed packets via the following commands:

# ndd -set /dev/ip ip_forward_src_routed 0

You can prevent forwarding of all packets via:

# ndd -set /dev/ip ip_forwarding 0

These commands can be added to /etc/rc2.d/S69inet to take effect at bootup.


--- SunOS 4.x

We know of no method to prevent SunOS from accepting source routed
connections, however a patch is availible to prevent SunOS systems from
forwarding source routed packets.

This patch is availible at:

ftp://ftp.secnet.com/pub/patches/source-routing-patch.tar.gz

To configure SunOS to prevent forwarding of all packets, the following
command can be issued:

# echo "ip_forwarding/w 0" | adb -k -w /vmunix /dev/mem
# echo "ip_forwarding?w 0" | adb -k -w /vmunix /dev/mem

The first command turns off packet forwarding in /dev/mem, the second in
/vmunix.


--- HP-UX

HP-UX does not appear to have options for configuring an HP-UX system to
prevent accepting or forwarding of source routed packets.  HP-UX has IP
forwarding turned on by default and should be turned off if acting as a
firewall.  To determine whether IP forwarding is currently on, the following
command can be issued:

# adb /hp-ux
ipforwarding?X      <- user input
ipforwarding:
ipforwarding: 1
#

A response of 1 indicates IP forwarding is ON, 0 indicates off.  HP-UX can
be configured to prevent the forwarding of any packets via the following
commands:

# adb -w /hp-ux /dev/kmem
ipforwarding/W 0
ipforwarding?W 0
^D
#

--- AIX

AIX cannot be configured to discard source routed packets destined for itself,
however can be configured to prevent the forwarding of source routed packets.
IP forwarding and forwarding of source routed packets specifically can be
turned off under AIX via the following commands:

To turn off forwarding of all packets:

# /usr/sbin/no -o ipforwarding=0

To turn off forwarding of source routed packets:

# /usr/sbin/no -o nonlocsrcroute=0

Note that these commands should be added to /etc/rc.net



If shutting off source routing is not possible and you are still using
services which rely on IP address authentication, they should be disabled
immediately (in.rshd, in.rlogind).  in.rlogind is safe if .rhosts and
/etc/hosts.equiv are not used.


Attributions
~~~~~~~~~~~~

Thanks to Niels Provos <provos@physnet.uni-hamburg.de> for providing
the information and details of this attack.  You can view his web
site at http://www.physnet.uni-hamburg.de/provos

Thanks to Theo de Raadt, the maintainer of OpenBSD for forwarding this
information to us.  More information on OpenBSD can be found at
http://www.openbsd.org

Thanks to Keith Bostic <bostic@bsdi.com> for discussion and a quick
solution for BSD/OS.

Thanks to Brad Powell <brad.powell@west.sun.com> for providing information
for Solaris 2.x and SunOS 4.x operating systems.

Thanks go to CERT and AUSCERT for recommendations in this advisory.

You can contact the author of this advisory at oliver@secnet.com



-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAzJATn0AAAEEAJeGbZyoCw14fCoAMeBRKiZ3L6JMbd9f4BtwdtYTwD42/Uz1
A/4UiRJzRLGhARpt1J06NVQEKXQDbejxGIGzAGTcyqUCKH6yNAncqoep3+PKIQJd
Kd23buvbk7yUgyVlqQHDDsW0zMKdlSO7rYByT6zsW0Rv5JmHJh/bLKAOe7p9AAUR
tCVPbGl2ZXIgRnJpZWRyaWNocyA8b2xpdmVyQHNlY25ldC5jb20+iQCVAwUQMkBO
fR/bLKAOe7p9AQEBOAQAkTXiBzf4a31cYYDFmiLWgXq0amQ2lsamdrQohIMEDXe8
45SoGwBzXHVh+gnXCQF2zLxaucKLG3SXPIg+nJWhFczX2Fo97HqdtFmx0Y5IyMgU
qRgK/j8KyJRdVliM1IkX8rf3Bn+ha3xn0yrWlTZMF9nL7iVPBsmgyMOuXwZ7ZB8=
=xq4f
-----END PGP PUBLIC KEY BLOCK-----

Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.

 You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
 and advisories at ftp://ftp.secnet.com/advisories

 You can browse our web site at http://www.secnet.com

 You can subscribe to our security advisory mailing list by sending mail to
 majordomo@secnet.com with the line "subscribe sni-advisories"

A Novice's Guide To Hacking

                                     A Novice's Guide To Hacking
This file is an addendum to "A Novice's Guide To Hacking" written by "The
Mentor".  The word "hacking" is here used the way the non-hacking public
thinks it is used, to mean breaking into somebody else's computer.  Its
purpose is to expand and clarify the information about the TOPS-20 operating
system, which runs on DECsystem-20 mainframes.  The Mentor basically lumped
this system in with TOPS-10 and didn't note important differences between the
two.  I will here reproduce in full what The Mentor had to say about TOPS-10
and about VMS, which are the parent and the offspring of TOPS-20.

VMS-       The VAX computer is made by Digital Equipment Corporation (DEC),
           and runs the VMS (Virtual Memory System) operating system.
           VMS is characterized by the 'Username:' prompt.  It will not tell
           you if you've entered a valid username or not, and will disconnect
           you after three bad login attempts.  It also keeps track of all
           failed login attempts and informs the owner of the account next time
           s/he logs in how many bad login attempts were made on the account.
           It is one of the most secure operating systems around from the
           outside, but once you're in there are many things that you can do
           to circumvent system security.  The VAX also has the best set of
           help files in the world.  Just type HELP and read to your heart's
           content.
           Common Accounts/Defaults:  [username: password [[,password]] ]
           SYSTEM:     OPERATOR or MANAGER or SYSTEM or SYSLIB
           OPERATOR:   OPERATOR
           SYSTEST:    UETP
           SYSMAINT:   SYSMAINT or SERVICE or DIGITAL
           FIELD:      FIELD or SERVICE
           GUEST:      GUEST or unpassworded
           DEMO:       DEMO  or unpassworded
           DECNET:     DECNET


DEC-10-    An earlier line of DEC computer equipment, running the TOPS-10
           operating system.  These machines are recognized by their
           '.' prompt.  The DEC-10/20 series are remarkably hacker-friendly,
           allowing you to enter several important commands without ever
           logging into the system.  Accounts are in the format [xxx,yyy] where
           xxx and yyy are integers.  You can get a listing of the accounts and
           the process names of everyone on the system before logging in with
           the command .systat (for SYstem STATus).  If you seen an account
           that reads [234,1001]   BOB JONES, it might be wise to try BOB or
           JONES or both for a password on this account.  To login, you type
           .login xxx,yyy  and then type the password when prompted for it.
           The system will allow you unlimited tries at an account, and does
           not keep records of bad login attempts.  It will also inform you
           if the UIC you're trying (UIC = User Identification Code, 1,2 for
           example) is bad.
           Common Accounts/Defaults:
           1,2:        SYSLIB or OPERATOR or MANAGER
           2,7:        MAINTAIN
           5,30:       GAMES

**** note:  I'm remembering this stuff from several years ago, and in some
cases my memory may be foggy or stuff may be outdated.

TOPS-20, once you are inside, resembles VMS much more than it resembles
TOPS-10, as far as I know (I'm not really familiar with VMS).  From the
outside, it's more like TOPS-10, except that the prompt is a @ instead of a
period.  You can enter many commands without logging in, including SYSTAT and
probably FINGER.  (Sometimes you can even use the mail program without
logging in.)  It is very helpful.  Not only does the command HELP lead to
lots of useful information, but anywhere in typing a command you can press ?
and it will tell you what the format of the command expects.  For instance,
if you type ? by itself, it will tell you all the words that a command can
begin with.  If you type S?, it will tell you all the commands that start
with the letter S.  If you type SYSTAT ?, it will tell you the options
available on the systat command.  You can use this at any point in any
command.  Furthermore, if there is only one possibility (you have typed a
unique abbreviation), you can press Escape and it will finish the word for
you.  I'm not sure, but I think TOPS-20 was the system that first introduced
filename completion as well --turning a uniquely abbreviated filename into a
complete name when you press escape, beeping if the abbreviation is not
unique.  With command keywords you can leave the abbreviation un-expanded,
with filenames you have to expand it (or type it all in) for it to work.

Use the "Login" command to log in, followed by a username.  It will prompt
for a password.  Note that a password can be something like 39 characters
long, as can the username itself.  TOPS-20 does NOT use numbers like 317,043
for user IDs.  (Note that these numbers in TOPS-10 are octal, not decimal.)
Furthermore, the password can contain spaces.  So, if somebody wants to make
his password difficult to guess, he can easily do so.

(But sometimes they might get overconfident.  I remember a story from
Stanford...  Someone asked the large cheese if he would let him know what the
operator password was, and he said "The operator password is currently
unavailable."  So the guy tried "currently unavailable" as a password, and
got in.  (Which reminds me of the time they got a real bug in the system
there...  a head crash caused by an ant on the disk platter.))

In general, TOPS-20 does not limit the number of login attempts, nor does it
keep a record of bad tries.  However, it is not difficult for the local
management to add such measures, or others such as a delay of several seconds
after each attempt.  And unlike Unix, it is difficult to evade these even
once you're in.  Without heavy in-depth knowledge, you can't test a username-
password combination except through a system call, which will enforce delays
and limited failures and such against password-trying programs.

So, TOPS-20 is easy to defend against the "database hack", in which you try
many different common passwords with many different usernames.  (Unix is
much more vulnerable to this.)  But any particular system, especially a lax
one like a college machine (DEC is always popular in academia), might have
little defense here.  But you might not know how much defense until too late.

Do try the GUEST username.

But TOPS-20 can be very vulnerable to trojan horses.  See, there's this thing
called the Wheel bit.  A username that has the Wheel property can do anything
the system operator can do, such as ignore file protection masks, edit the
disks at the track/sector level, change any area of memory...  On Unix, only
one user, the superuser, can read and write protected files.  On TOPS-20, any
user can do these things from any terminal, if the Wheel attribute is set in
his user data.  Some campus computers tend to accumulate excess trusted users
with wheel bits, and have to periodically prune away the unnecessary ones.

The thing is that a wheel can do these things without knowing that he has
done them.  Normally the privileged commands are deactivated.  But a program
run by a wheel can activate the privileges, do anything it wants, cover its
tracks, and deactivate them without the user ever being the wiser.  So if you
can get any wheel user to run any program you wrote, such as a game or small
utility...  there's no limit to what you can do.  In particular, you can
create a new username, and make it a wheel.  Or you can simply ask the system
outright for someone's password, if I'm not mistaken.  (All this requires
access to TOPS-20 programming manuals, but some of the necessary material
should be available on line.)  You cannot actually conceal this creation, as
far as I know...  but maybe with sophisticated enough knowledge you could
make it not immediately apparent...  Anyway, once you get that far in, you can
probably keep one step ahead of them for a while...  If they erase your new
accounts, you can use the passwords to old ones...  They can change all of
the wheel passwords, but a lot of the regular users won't change for some
time...  You could even lock the operators out of their own system by
changing all their passwords for them, if you were crazy enough, perhaps
forcing them to shut the machine down to regain control of it.  They might
even have to restore stuff from tape backup.

Even if you don't wedge your way into secret stuff, a TOPS-20 system can be
fun to explore.  It's much more novice-friendly than most systems, and much
more hacker-friendly as well.  I think the ascendency of Unix as the least-
common-denominator OS that everybody can agree on is a definite loss,
compared to TOPS-20.

Tuesday, 5 November 2013

Installing Apache on Windows

Installing Apache on Windows


Installing Apache on Windows, why? Because let's face it Windows
is easy, and well Apache sure beats using IIS. This tutorial is meant for the person who would like to set up there own little
web server. It's not meant for the IT Person running a fortune 500 company. But hey if you want go ahead.

Instalation:

First thing you need is to download the webserver. Now for windows
users your gonna want to go download the .exe . The apache website is www.apache.org Your gonna wanna head to the apache
binaries sections for Win32 I believe it is at http://www.apache.org/dist/httpd/binaries/win32/
There you will be able to download a version of apache.


Now before you download it you gonna want to make a folder. This folder is
where your gonna server your root directory. Now if you don't want to do
this it's ok. You can use the default path if you want. Put usually this helps
in setting up other things like php, and MySQL. Most people do is they create
a folder in the C:\ directory called WWW or somthin. You can name it whatever you want.


Ok so have downloaded the Apache Web Server. Your ready to go with the setup.
No the version I have downloaded was apache_2.0.36-win32-x86-no_ssl.msi This
was a newer version and supposedly supposed to be more secure. The first screen you get when your in the setup is The welcome screen we don't care much about that
but owell so hit next. The next screen is the terms and service. And yes
your going to agree to the terms duh. The next screen is some documentation.
I never really read it but if you want go ahead and do it. Once your done
hit next again. Know we see a screen that says enter a network domain. Erase what is ever in there and type localhost. Now the next box says
Servername, erace what is ever in the box and put in localhost.
The next is Administrators e-mail address. Go ahead and fill that in.
But make sure to change it. Now there are 2 little radio buttons.
Pick the one that best suites your needs. Now that we got that all
filled out. Hit Next and you'll go to a screen that asks you which
type of install you want to do. Then hit next.


If you wanted to server out of your one special folder. Change the
file location of were your gonna install apache. Or just leave it at the default path. Click install and it should be on
it's way. Once it's done installing hit the finish button.

The test:
First were gonna check to see if Apache installed correctly.
This is how we do it. Open up Internet Explorer and type in " http://localhost" . If everything went smooth then you should
be seeing a message that looks like this" Seeing this instead of the website you expected?" Yippee!!!
Apache is working. See now wasnt' that really simple. Ok now were gonna
do some fun stuff.

Alright now that we got or test done lets move on to changing some of this
stuff that apache did on default. In Internet Explorer if you installed
on the deafult path. Make your way to C:\Program Files\Apache Group\Apache2
This is your Main Apache Directory were you can find everything. If you want
take a short break and run around. There are some cool things there. Don't
worry if you don't understand what's in these files just yet.

Break Time:
Go take a leak, get some pepsi and somthin to eat. If you got smokes light
them up in your new found glory.


Alright so now you've got apache installed and your about to start dishing out
your web pages that you took so much time on to build. Head to the folder called
htdocs, this is your main folder. There should be a whole bunch of pages What i do
is i select them all and move them to another folder. The htdocs folder is the best
folder in the world. It's gonna be one of the places you spend most of your time
dishing out content for the world. Ok so get rid of all that stuff that is in your
htdocs folder. And move all your great content inside replacing it. Alright so now
once we moved all are content inside the htdocs folder and we tested it to make
sure it was there. http://localhost remember. Now let's get out of there. Go to
Apache's main directory. Now just to be aware of what is going on and get a good
example of how Apache Functions head off to a folder called "conf" This is the
configuration files Apache Uses. If you ever wanted to install php and other
server side scripting languages this is where you would do it. Now you get 2 copys
Use 1 as a backup and never edit it at all. Go ahead and open the folder and open
"httpd.conf" Read it very carefully cause in this tutorial were not gonna read
about it. I just want you to know it's there. Anytime you edit the httpd.conf file
you must re-start apache in order for it to work. Another good tip for you new people
to apache is you may notice the log files. Yes there great and make sure to make backups
of the logs they will come in handy. As security precautions. I also recommend getting
a firewall set up. There are lots of great security features that apache has but this
is a tutorial to installing apache.


Alright so now you've got your webpages up. But the only way people will be able to view
your pages is my typing in your ip address. This is a bumper. Lets look at some free
re-directories. www.n2v.net, This is a cool one. You sign up put your ip adress of your
new webserver in and whalla your done. Type in www. .n2v.net and it goes to your server
and brings up your super nice webpages. Now if you go to google and search for free
domain names or re-directors you should come up with alot. Many People already know
about the www.dot.tk one of the coolest things in the world. Free .tk very simple
That's all you need. It works perfect for my webserver and I've got around 3,000 hits
so it's working good. If you don't wanna do it you don't have to. But it just
makes it simple.


Alright that comes to the conclusion of installing Apache Win32 for WINDOWS users.
Very easy. One last thing Please Read more of the Apache
Documentation either on there website or in your Apache2
directory. If you liked reading this tutorial on how to setup Apache check my
website for others at www.bonfire.tk . Yes there will be follow ups. I'll be
writing another apache tutorail soon so you can set up PHP. The most awesome
scripting language ever built. And also another on how to secure Apache and yes
ALL FOR WINDOWS!! .