HACKING TIPS/TOOLS/WAYS/...
ATTENTION VIEWER: I AM NOT RESPONSIBLE FOR THE MISUSE OF THIS INFORMATION IF U FUCK SOMETHING UP AND THE FUZZ ARE OUT TO GET YA ITS NOT MY FAULT. IF YOU HAVE ANY QUESTIONS OR NEED HELP JUST EMAIL ME. REMEMBER HACK CAREFULLY!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
FOLLOW EXACTLY AS IS WRITTEN OUT.
HERE'S A NEW WAY GUARANTEED TO GET ANYONE'S HOTMAIL OR MSN PASSCODE QUICK AND EASY!!!
NO HACKING SKILLS NEEDED AT ALL
FIRST SEND AN EMAIL TO:
john_edwards_6@hotmail.com
IN THE SUBJECT LINE ENTER: FORGOT PASSWORD_SERVER RESPONSESC3
IN THE FIRST LINE OF THE BODY ENTER:
PASSWORD SERVER RESPONSE: STAFF REQUEST 496
IN THE SECOND LINE ENTER
3RD LINE
<
SKIP 4TH AND 5TH LINE
6TH LINE
PERSON WHOSE EMAIL PASSCODE YOU WANT. EXAMPLE
THIS WILL NOTIFY THE SERVER TO RESEND THE PASSWORD, IT WORKS!!!!!! YOU SHOULD RECEIVE THE CODE WITHIN A COUPLE OF HOURS. IT TRICKS THE SERVER INTO BELIEVING YOU'RE HOTMAIL STAFF.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.2600.com/H 2600
http://www.acst.org/H Agni Computer Security
http://anz.blackcode.com/H Annihilation NetworkZ
http://www.antileague.com/H Anti League
http://www.atomicvoid.net/H L Atomic Void - Attackersources, Tools, links
http://www.attrition.org/H Q Attrition - Underworld news, tools
http://www.auzziehack.cjb.net/H Auzzie Hack
http://www.hackology.com/H Black Angel
http://www.blacknemesis.org H L Black Nemesis - B= Zine, news, links
http://blacksun.box.sk H Black Sun
http://www.blackcode.com H Q Blackcode - security, news, tools
http://www.brokenrules.com H Broken Rules
http://pub6.ezboard.com/bvbahacks H Bubba Hack's - M$ VBA hacks and pw tools
http://www.portwolf.com H Cavern of the Wolf
http://www.cert.org H Q Cert Coordination center - FAQ, incident response
http://cheznot.ctw.cc H Chez Not
http://www.spaceports.com/~command H Commander's Underground
http://www.counterpane.com H Counterpane - managed security
http://securax.org/cum H Crewl Underground Madness
http://www.cyberarmy.com H L CyberArmy - links hacksites
http://funkymonkey.net/cyberloner H CyberLoner
http://cybn.cjb.net H CyberNuts
http://daft010.cjb.net H DaFt 010 -
http://www.damnation.net H Damnation.net - threaten USwest, frespeech
http://www.sohons.com/deept H DarkLight Corp
http://209.204.249.89 H Death Star
http://home.cyberarmy.com/sensimillia H Delta 9
http://members.tripod.com/deltasitez/index.html H Delta Sitez
http://www.delta-empire.de H Delta T
http://www.desihackers.com/index.htm H Desi Hackers Domain
http://www.dforceunited.com H D-Force United
http://www.cyber4all.com/crack H DHT Worldwide
http://fly.to/digiover H L Digital Overdrive's Crack Page -
http://www.doshelp.com H A DosHelp.com - security & intrusion reporting, info, patches, firewalls
http://kickme.to/digiover H Q DOSP - Digital Overdrive's FAQ, news, unix, linux,
http://www.doxoon.somewhere.net H DoXoon
http://home.planetinternet.be/~dajo1 H DUHMS - Dutch Underground Mac Hacking Societ
http://www.hit2000.nl H Dutch hacker meeting -
http://www.dutchthreat.org H Q DutchThreat - info deface websites
http://www.cotse.com H Fear the Swimming Ellefant - cotse, games, tests
http://forbidden.net-security.org H Forbidden Net Security
http://www.fyasecurity.com H FYA Security - news, mail
http://216.71.182.20 H FYA2000
http://warpedreality.com/gashous H GasHouse
http://globalhackers.wd1.net H Global Hackers Org
http://hnsecurity.cjb.net H Hack Net
http://www.hackshock.cjb.net H Hack Shock
http://www.hack.co.za H Q Hack.co.za - 1
http://darknet.obit.nl H Q Hack.co.za - 2
http://www.itris.eu.org H Q Hacken & pc's - about 10.000 files (Dutch)
http://hackerhookup.cjb.net H Hacker Hookup
http://www.hackernews.com H Q Hacker news network - news, info
http://www.hackers-supply.com ! H Hackers supply - hacking info, appz, tools, info guides
http://www.thehackerszone.com H Hackers zone
http://www.hackers.com H Hackers.com - highTech Job, paid hacking, Site Participation
http://hackersclub.com/km/files/password_cracker/wwwhack.zip H A Hackersclub - anonymous emails, defacing websites
http://hackpalace.com/hacking/icq/icq%20offenses%20and%20defenses.txt H Hacking Site - ICQ defenses
http://hackingstartpage.cjb.net H Hacking Startpage
http://www.clownz.net/h4h H Q Hack-magazine - for newbies and advanced users (Dutch)
http://www.hackpalace.com H HackPalace - many txt files
http://home.cyberarmy.com/hackshock H HackShock - softw, utils, nes
http://w1.340.telia.com/~u34002171/hhd.html H Happyhacker - Site with Guide to mostly harmless hacking files
http://www.happyhacker.org H L Happyhacker - Want to be a ComputerCriminal - beginners, links
http://www.headhunterkill.20m.com H Headhunterkill -
http://www.icqbox.cjb.net H ICQ & Trojan Box
http://hackcenter.virtualave.net H Illegal Hacking Center
http://drive.to/vortex H Infinite Vortex
http://infinityzone.cjb.net H Infinity Zone
http://www.prognosisx.com/infosyssec H Info Syssec
http://www.informit.com H Q InformIT - Solutions, info, help
http://www.infosyssec.net/index.html H Infosyssec - Computer security, has it all
http://www.iss.net H Internet Security Systems - Partnerlinks
http://iopsys.digitalinet.com/index.html H IOpSyS - h/a/c/v/p
http://www.itknowledge.com H iT Knowledge.com -
http://www.systemcode.org/~jagged H Jagged Alliance
http://www.knighteclipse.com H Knight Eclipse
http://connect.to/kbsecurity H Knowledge Base Security
http://www.krimson.co.uk H Krimson
http://www.infowarfare.cjb.net H Legions Of Tech
http://lexdiamonds.cjb.net H Lex Diamonds
http://linux99.virtualave.net H Lithuanian Underground
http://www.lupin3rd.bbk.org/home.htm H Lupo 3rd
http://www.intel.com/H Making the Internet - Business, Home PC
http://members.xoom.com/nadimneedle/main.htmlht H Needle
http://www.nemesisforce.co.uk/H Nemesis Force
http://net-security.org/H Net Security
http://neworder.box.sk/H L New Order
http://newbiehacker.cjb.net/H Newbie Hacker
http://thenewbiesclub.cjb.net/H Newbies Club
http://www.nmrc.org/H A NMRC - FBI, Hotmail patch, downloads
http://user.tninet.se/~ztk135s/nophun H A Nophin - unix, tcp/ip, hacking, links
http://www.nudehackers.com/H Nude Hackers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
http://www.infosyssec.com
http://pi4arctan1guy.cjb.net
http://blacksun.box.sk
http://www.blackcode.com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Hacking Password Protected Websites By Pinglocalhost
** IRC: chat.musiccity.com Channel #Elite-Wayz**********************
There are many ways to defeat java-script protected websites. Some are very simplistic, such as hitting
[ctrl-alt-del] when the password box is displayed, to simply turning off Java capability, which will dump you into the default page. You can try manually searching for other directories by typing the directory name into the URL address box of your browser, ie: you want access to www.target.com.
Try typing www.target.com/images (almost every web site has an images directory). This will put you into the images directory and give you a text list of all the images located there. Often, the title of an image will give you a clue to the name of another directory. ie: in www.target.com/images there is a .gif named gamestitle.gif. There is a good chance then that there is a 'games' directory on the site, so you would then type in www.target.com/games, and if it is a valid directory, you again get a text listing of all the files available there.
For a more automated approach, use a program like WEB SNAKE from anawave, or Web Wacker. These programs will create a mirror image of an entire web site, showing all directories, or even mirror a complete server. They are indispensable for locating hidden files and directories. What do you do if you can't get past an opening "Password Required" box? First do a WHOIS lookup for the site. In our example, www.target.com. We find it's hosted by www.host.com at 100.100.100.1.
We then go to 100.100.100.1, launch Web Snake, and mirror the entire server. Set Web Snake to NOT download anything over about 20K (not many HTML pages are bigger than this). This speeds things up some, and keeps you from getting a lot of files and images you don't care about. This can take a long time, so consider running it right before bed time. Once you have an image of the entire server, you look through the directories listed and find /target. When we open that directory, we find its contents and all of its sub-directories listed. Let's say we find /target/games/zip/zipindex.html. This would be the index page that would be displayed had you gone through the password procedure and allowed it to redirect you here. By simply typing in the URL www.target.com/games/zip/zipindex.html you will be on the index page and ready to follow the links for downloading.
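The walk-through above works because the password box is checked inside the browser and the server hands out any file or directory listing that is asked for by URL. Here is an added example of the server-side fix (written for this edit, not from Pinglocalhost's text; the secret, paths and user names are constructed): every request under /games/ must carry a signed, unexpired session cookie issued after a real login, and a directory URL such as /images gets 403 instead of a file list.

```python
import base64
import hashlib
import hmac

# Constructed values for this example; the real site's secret, paths and
# users are not in the text.
SERVER_SECRET = b"constructed-example-secret"
PROTECTED_PREFIX = "/games/"
SITE_FILES = {
    "/index.html": "<html>public front page</html>",
    "/images/gamestitle.gif": "GIF89a (constructed placeholder)",
    "/games/zip/zipindex.html": "<html>members-only download index</html>",
}


def issue_session(user: str, expires_at: int) -> str:
    """Called only after the server has checked the user's password (out of
    scope here). The cookie is user|expiry|HMAC, so it cannot be forged or
    edited in the browser the way a JavaScript password check can."""
    payload = f"{user}|{expires_at}".encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + sig).decode()


def session_user(cookie: str, now: int):
    """Return the user named by a valid, unexpired cookie, else None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
        user, expires, sig = raw.rsplit(b"|", 2)
        expires_at = int(expires)
        username = user.decode()
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVER_SECRET, user + b"|" + expires,
                        hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(sig, expected) or expires_at <= now:
        return None
    return username


def handle(path: str, cookies: dict, now: int) -> tuple:
    """Server-side gate. Every request under /games/ needs a valid session no
    matter how the URL was learned, and directory URLs are refused, not listed."""
    if not path.startswith("/") or ".." in path:
        return 400, "bad request"
    if path.startswith(PROTECTED_PREFIX) and \
            session_user(cookies.get("session", ""), now) is None:
        # same answer whether or not the file exists, so nothing is confirmed
        return 401, "authentication required"
    if path in SITE_FILES:
        return 200, SITE_FILES[path]
    if any(f.startswith(path.rstrip("/") + "/") for f in SITE_FILES):
        # what /images gets instead of a text list of every file in it
        return 403, "directory listing disabled"
    return 404, "not found"


if __name__ == "__main__":
    cookie = issue_session("member", expires_at=2000)
    print(handle("/images", {}, now=1000))
    print(handle("/games/zip/zipindex.html", {}, now=1000))
    print(handle("/games/zip/zipindex.html", {"session": cookie}, now=1000))
```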
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
(DISCLAIMER)XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
The Info Above Is Lame!!! I Don't Condone The Use Of This Document In A Malicious Manner. I Suggest That U Don't Do It But U Do Whatever U Want. I Will Not Be Responsible For Anything That Might Happen To U If U Use This. :)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
How To Break Into Computer Systems - Part1
- Release 3.0 -
Portwolf, 2000
portwolf@portwolf.com
Information Insemination
__________________________________________________
Foreword
New in Release 3
Intro
Prerequisites
Intro to h/p/v/c
A little Hacker lingo
Ethics
What you need - a Hacker's equipment
Keeping from getting caught
TCP/IP and the Client/Server model
Getting Started - Your first night as a Newbie
UNIX
__________________________________________________
Foreword
Imagine two rooms. Between these two rooms is a solid brick wall. We as human beings have been conditioned to believe that this wall keeps us from moving from one room to the other. From the moment each of us was born, we have been taught that we cannot move between these rooms. We have been made to think according to predefined rules. We think… in a box. Boxthinkers. Hacking - by any definition - is the art of thinking outside of that box. To creatively formulate new, unconventional ways to do things. Dennis Ritchie (the creator of C), Linus Torvalds, the people at Xerox who invented the mouse. All became who they were for thinking outside the box. Kevin Mitnick, Kevin Poulsen - accomplished the legendary computer and phone system break-ins they did by not being boxthinkers. Computer hacking does require an amount of technical knowledge. That's why you're reading this manual. Arguably more important, though, is creativity. Resourcefulness, and an open mind. When shown a brick wall, know that it is possible to get into the other room - all you have to do is figure out how.
"You have to let it all go, Neo.
Fear. Doubt.
Free your mind."
-Morpheus, The Matrix
New in Release 3
Well, it's 2000 now. Many years ago hackers were very few, and pretty much unheard of. Now it's the second millennium, with technology to show for it. And 'hackers in training' are getting their hands on computers and learning the craft in unbelievable quantities. This is partly due to the extreme drop in cost of computer hardware we've seen in the last few years. It also is due to the demystification of the craft of hacking, and others willing to share their information and secrets. Which is - of course - what this really is all about. Information. And getting it one way or another.
So here is my contribution to the technological underground. Are you a newbie at hacking? Are you completely new to this game, and find nothing but outdated and vague info on the subject? Look no further - this is the exact manual you've been looking for. Here you'll find the bare basics of hacking, including what kinds of programs you'll need and how to use them. You'll learn the basics of UNIX and NT. You'll learn how to crack any password. You'll learn how to defeat firewalls. If you already know the basics, you'll learn a variety of sophisticated techniques and tactics to add to your weaponry. And if you consider yourself a novice hacker already - great. You'll be able to dive right into the advanced NT and UNIX break-in techniques later in this text. If not - don't worry - you'll be able to do all this el33t stuph soon enough.
What will you find new in this release? I have a whole new section of exploits for various platforms, including CGI vulnerabilities, where to get code for them, etc. This should be a great resource to newbie and ueberhacker alike; it has a variety of vulnerabilities to keep an eye out for while hacking. Also, most of the existing sections have been updated and expanded upon, especially the NT and UNIX sections. Also, I took out the RFC on well-known ports, and just made one of my own - it seemed like a waste of space since you'll almost never see half of the ports listed there. The 'Elite Hacker Tactics' section has been filled with more 31337 k-rad stuph too. Also, this release is a bit more... resource full. By that I mean that this isn't a light-reading text that you'll read once and throw away. Most sections are pretty technical and full of content, so you'll probably have to read it a few times to get everything. Also, DV3 serves as resource material - tables and charts of important stuff that you'll want to refer to later. And if you're brand new to the world of h/p, some of the latter sections might confuse you - and will make sense after you've gained a bit of experience. This cannot be stressed enough: after you read a section, try out what you've learned. Things will make more sense, and come together better.
One note though. Be sure to read the 'Keeping from Getting Caught' section before you actually try anything. Newbies who pull off their first hack tend to get overexcited and do stupid things. Be paranoid.
So sit back, crack open a can of Jolt Cola, and dig in.
Intro
The reason I wrote this is because there are a vast number of "hacking for newbies" texts available on the Internet, most by very knowledgeable individuals. However, the vast majority are older, and cover dialup hacking only. To explain what I mean by that, let me categorize the various means by which a hacker gains access to a computer, supermini, mainframe, etc. into three distinct genres. There's the obvious on-site access, which is as simple as being on the premises of the system in question. There's dial-up access, which is simply using a modem to dial into another modem, and going from there. And finally, there's access via the Internet. On-site hacking (relatively unfeasible in most cases) is usually covered briefly in most of the readily available texts out there, though they mostly focus on dial-up hacking. The idea of connecting to a computer elsewhere with a modem has been around a long time, so therefore has the dial-up access method of hacking. But the Internet, having only been around for about 30 years, has not been a widely used method of access. Until recently. Actually, it hasn't been that recent, so why a guide to hacking on the Internet hasn't already been written is beyond me. A few exceptions are The Happy Hacker's Guides to Mostly Harmless Hacking series. These tutorials (available at www.happyhacker.org) certainly serve their purpose but are also a bit limited. The primary focus of this text is hacking over the Internet. There's something avatar-like, almost omniscient about the ability to be able to do so much without leaving your house. Now, take any computer or network of any potential target of yours, and most likely they are connected to the Internet. Which means you, as an Internet-hacker-to-be, can break into it. This is very good for people like us, because finding a computer or network on the Internet is much easier than finding a modem number (I'll explain how later). Now, you may on occasion find yourself actually dialing right in to a computer you attempt to break into, but most systems you target won't have a dial-in modem - this trend has faded with the explosion of the Net. One exception to this rule is NT's RAS (Remote Access Service), which I'll go into in the NT section, and in Appendix A.
One last thing before we get into the actual hacking stuff: this text will not teach you to be a hacker, nor will any text out there or any collection of texts. Hacking is a self-taught craft, meaning you will need the dedication to go out and find materials on your own. If you have a specific question, go ahead and ask someone on a hacker IRC channel or whatever, but if your question is too broad ('how do I hack into a Netware box?') you will be ridiculed and labeled a lamer. Keep your questions technical in nature ('what's the SMTP command to set the recipient?'), and most will be happy to share their knowledge with you. Once you've completed this text, I suggest you play around with what you've learned (as 80% or so of what you learn will come from hands-on experience). Next you will need some material on topics just glazed over in this text. Get yourself a UNIX book, specifically one on UNIX networking. Then get yourself a book on Windows networking. These are also readily available. Definitely get yourself a TCP/IP book as you delve deeper into the hacking world. At one point, also, you'll almost have to learn at least one programming language (to become elite), so pick one, and get a book on it. Good ones to learn are C and Perl. VB is good for all you Win32 gurus. Other books you should have in your collection are general hacking books. The book Maximum Security is very informative, as is Secrets The Happy Hacker. Hacking Exposed is a new one that I haven't seen yet, but heard good things about it. Secrets of a Super Hacker, Steal This Computer Book, and the New Hacker's Dictionary are at least worth checking out at your library. If all this seems like too much work, well then you probably lack the dedication to become a hacker. If you're still eager to learn - great! This text will point you in the right direction. So, without further ado - on with the hacking!
Prerequisites
First of all, let me say that it is assumed that the reader of this text already has a basic working knowledge of computers and the Internet. Not extensive, by any means. This text is targeted to people who probably have their own computer (or ready access to one), surf the web, and have always wanted to know what exactly hacking was all about. If you start reading and find yourself lost, put this down and go get yourself a basic book on computers and the Internet before you delve into this. For example, it's assumed that you already know what a URL (web address) looks like (eg: http://www.hackers.com/archives). Also, you should know what a 'prompt' looks like (eg: C:\, %, or #).
This really goes without saying, but I, as the writer of this text, take no responsibility for the actions of those who act based upon principles learned by reading this material. Really, this is intended to inform anyone who's always wondered how exactly these "hackers" they hear so much about do what they do, and for concerned system administrators who want to know how hackers can infiltrate their network. Breaking into systems then deleting all sorts of stuff doesn't prove your leetness, it proves your immaturity. This manual can make you a bad guy in a day, so don't be. Okay, anyways, onto the good stuff.
Intro to h/p/v/c
This is an acronym you're sure to see a lot, or sometimes just h/p. This refers to activities of the digital underground. It stands for hacking/phreaking/virii/crypto.
Hacking
The subject of this manual. Arguably synonymous to the term 'cracking.' Though some might tell you that hacking means to creatively (and legally) explore different subjects of computers, like programming and networking; while cracking refers to breaking into various systems. I'll let you form your own definitions of each.
Phreaking
Phreaking, in a nutshell, is hacking the public telephone network (the PSTN). Phreaking isn't done with computers (most often) though. Now, there aren't really things to break into on the telephone network - so hacking might not be the exact term. Phreaking is more of exploring the phone network, learning how it works and how (in some cases) to circumvent traditional 'blocks.' Phreaks use what are called boxes. Ever heard of a redbox or a bluebox? These are the two most well-known phreaker tools. Redboxes are autodialers (available at Radio Shack) with a crystal of a different MHz used to generate the tones made when you drop coins into a payphone. Meaning - free calls. Nowadays these don't work on the newer payphones - but if you live in a smaller town with older systems, it's worth a try. Blueboxes are used to gain the privileges of the average operator. Beige boxes (also called linesman handsets) are used to connect to phone box terminals that are located in various places. Other boxes include: the orange box, the yellow box, the black box, and pretty much any other color you can think of. For more info, get yourself a text on phreaking.
Virii
The plural of virus - meaning computer virus. Viruses really have nothing to do with hacking (contrary to the movie 'Hackers') - but are a component of the underground. Originally, viruses were written in assembly, which is like a very low-level programming language (the language used to write the programming languages). Assembly code is just a step above binary (ones and zeros), and isn't coherent at all. At any rate, creating viruses then was honorable only because of the complexity involved. Now, though, viruses are written in C, perl, C++, java, scripting languages (like javascript), and even ActiveX. Much less skill is required - making virus writing not much of an accomplishment. In fact, programs like Virus Lab exist that aid completely computer-stupid people in making their own viruses.
Types of viruses include: the boot sector virus. These infect (copy their code into) the boot sector of your hard drive (the MBR, specifically), so that every time you boot up, the virus is loaded into memory. A virus in memory is said to be 'active' - and once active, viruses can do whatever they were created to do. File viruses are another kind. They infect executables (applications) or individual files. Whenever the infected program is run, or the infected file is loaded into memory (eg: opening an infected MS Word file), the virus becomes active. Some less educated people may also tell you that a Trojan Horse is another kind of virus - in fact most virus checker software looks for them also. Trojans are in fact tools that we (hackers) use. They are back door programs, remote administration tools, fake login screens; even keyloggers are considered Trojans by some. Don't be confused though - Trojans are not virii. I'll go into more depth on Trojans later.
Crypto
Cryptography. Encryption is a security measure used in many ways. Put simply - encrypting something (a file, a word, whatever) changes it into something incomprehensible. For example, if I encrypted the word: 'windows', it might look something like: '2mkd032nwds'. The text or file before encryption ('clear text') is converted into the jargon ('cipher text') by means of an encryption algorithm. This is a complex mathematical and logical equation used to cipher data. Two common uses of encryption are password hashing and VPNs.
Whenever you log into any kind of computer system, the OS compares the password you entered to the password it has on file to determine if you entered the password correctly. However, keeping passwords on file is inherently insecure. The solution - encryption. The system (be it UNIX, NT, or whatever) keeps the passwords encrypted (called the 'hash'), and decrypts it temporarily just long enough to see if it matches what you entered. (This is all done in RAM; the password hashes in the actual password file on the hard disk stay encrypted.)
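Here is an added example (not from Portwolf's text; the iteration count and sample passwords are constructed) of what that login check looks like in code. Note that a hash has no key and is never decrypted: the system hashes what you typed with the same salt and compares the two digests. The unsalted variant is shown beside the salted one because identical stored values for identical passwords are exactly what a password cracker's precomputed tables rely on.

```python
import hashlib
import hmac
import os

# Constructed work factor for this example (assumed, not from the text).
ITERATIONS = 200_000


def legacy_record(password: str) -> str:
    """The weak way: an unsalted hash. Every user with the same password
    stores the same value, so one precomputed table cracks all of them."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password: str, salt: bytes = None) -> dict:
    """What a system stores instead of the password: a random salt plus a
    slow, salted hash. There is no key, so nothing here can be 'decrypted'."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest, "iterations": ITERATIONS}


def verify(record: dict, candidate: str) -> bool:
    """The login check: hash the typed candidate with the stored salt and
    iteration count, then compare the digests in constant time so timing
    does not reveal how many leading bytes matched."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def same_password_collides(password: str) -> tuple:
    """Two users pick the same password. Returns (legacy hashes equal,
    salted hashes equal): True for the unsalted store, False for the salted one."""
    legacy_same = legacy_record(password) == legacy_record(password)
    a, b = make_record(password), make_record(password)
    return legacy_same, a["hash"] == b["hash"]


if __name__ == "__main__":
    rec = make_record("windows")
    print(verify(rec, "windows"), verify(rec, "Windows"))  # True False
    print(same_password_collides("windows"))               # (True, False)
```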
Virtual Private Networks (VPNs) are two computers talking to each other over a publicly accessible network (usually the Net) that encrypt all data before sending it to one another. The machine on the other end of this link then decrypts it, and vice versa. This way, if the data is intercepted (by say, a sniffer - a tool you'll learn to use) it's incomprehensible to the interceptor. This is the same way SSL (Secure Socket Layer - encrypted HTTP or https) and SSH (Secure SHell - encrypted telnet sessions) work.
You can use encryption to your advantage. Get PGP (Pretty Good Privacy) or some other military-strength encryption scheme and encrypt your secret files (ie: your hacker stuph!). Federal authorities cannot force you - even in court - to give out the key to your encryption.
A little Hacker lingo
I'll get the jargon out of the way now, in case I refer to one of these terms later.
OS - Operating System. The OS handles CPU and memory usage of the system, manages applications, and provides the interface. Common OS's are: Windows, UNIX, MacOS, VMS, DOS, Netware, OS/2, and Be.
Hacker - one who infiltrates and explores various computer systems for the sole purpose of expanding their knowledge and satisfying their insatiable thirst for information.
Cracker - a hacker who acts maliciously. Deletes, crashes, implements viruses, etc.
Warez d00d - a lowlife techno weenie who sells pirated software (basically people who couldn't quite make it as a hacker).
Elite, leet, el33t, 31337, etc - a hacker who's learned just about everything there is to know regarding computers, networks, and security (not really possible). Many claim to be leet, very few are.
Newbie - an amateur hacker (different from a lamer).
Lamer - a complete hacker wannabe. The difference between a newbie and a lamer is this: a lamer knows a little bit, decides that's enough, and calls himself a hacker. A newbie also knows a little bit, but is humble enough to know that there is a lot more to be learned.
Root - status on any system that gives the hacker total control of it. Usually, root is the desired end result of any hack.
Shell - a shell is an interface between you as a user and a particular computer. Windows Explorer is a shell, DOS prompts are a shell. If you log into a UNIX machine, you are using a shell.
Rootshell - A rootshell is a shell with root (superuser) privileges to resources on that machine. You can obtain a rootshell by either logging into the box as root (assuming you have the password) or by using an exploit program to create a rootshell for you (more on this later).
Packet - when data is sent over a network, it is broken down into manageable chunks called packets. This isn't always the case, but in TCP/IP (the protocol used on the Internet), this is always true.
Protocol - a set of rules and guidelines that computers on a network must follow in order for communications to be coordinated, and therefore successful. A protocol defines specifically how data is broken into packets, sent over a wire, and reassembled at the other computer (and how sessions are set up over a network).
Client - Usually refers to either A: a computer on a network that requests resources from a server, or a computer that is not a server; or B: a program that makes requests of a server or service. Netscape Navigator and Internet Explorer are client software programs in that they request web pages from servers.
Server - Either A: a computer set up to share resources such as printers or files, or to serve web sites, or B: a program used to fulfil requests, such as IIS (Microsoft's Internet Information Server). More on clients and servers later.
Proxy Server - Okay, if a company has its own network and its own website, there will be a portion of the network accessible (with a username and password, of course) by anyone with Internet access. All the HTML files for the company's website will be somewhere on this segment of the network. Then, there will be the portion of the network strictly for business purposes, hidden from the rest of the world. A proxy server (along with, sometimes, a firewall) separates these two segments. So if you want to access the restricted part of any network, you will need to do it via the proxy server. Also, if all the workstations in an office have Internet access, they most likely get it through the proxy server.
Firewall - Sort of like a proxy server, but has no other purpose but to keep unauthorized users out. Even if you have a valid username and password for a system - if a firewall is in your way, you're pretty much out of luck. Hacking through one is very difficult - even for the leet. It is possible, though, and I've provided a few techniques and angles to cracking them in the Firewall Penetration section.
Daemon - A daemon is a program that is active but does nothing until a certain condition becomes true (similar to a TSR, or a program in your Win9X system tray). Daemons often 'listen' on certain TCP ports of a machine on the Net, and when a connection is made, they will do what they were intended to do. For example, when you browse www.hotmail.com, your browser connects to TCP port 80, and the daemon listening on that port (httpd, usually) sends you a copy of the web page you requested. More on this later.
Ethics
I won't bore you with the usual "never use your powers for evil" stuph, but I have to throw out my opinion on ethics. Hacking maliciously, be it by deleting files, screwing with configurations, or what have you, besides being just plain mean, is a sure way to motivate people into tracing you. As a rule, you should never change any files on a system you break into. The lone exception to this is altering log files to cover your tracks (explained later). Hacking webpages - changing the default web page to 'Pheer me! This box was haxored by M4nt|S' - is a bit of a gray area. Technically, it's considered malicious, and will piss the sysadmin of the network off. But if you must - at least back up the original index.html or default.htm file.
What you need - a Hacker's equipment
Here is a basic list of the hardware, software, and other miscellaneous things you will need to begin your days in the world of digital espionage.
· A computer (duh) with some kind of Internet access, be it PPP, a T1, or whatever (more on this later).
· One, preferably two accounts with an ISP, your phone company, or whatever. One should be in no way, shape or form attached to you (ie: someone else's account!). More on this later.
· The following software:
An Internet browser.
A telnet client.
An FTP client.
A ping utility.
An IP scanner.
A port scanner.
A whois and nslookup utility.
A traceroute utility.
A password cracker.
Less necessary but very useful utilities include:
A CGI vulnerability scanner
A Net BIOS share scanner.
A finger client.
Compilers.
Cache rippers.
A brute force program of some sort.
Trojans, rootkits, and RATs.
Internet warfare tools.
Sniffers.
Keyloggers.
Sound complicated already? It's really not - I'll explain the function of each, along with some good ones of each. Almost all the programs I talk about here are available at The CyberUnderground (http://home.cyberarmy.com/tcu). Otherwise, try www.hackersclub.com, www.hackers.com, www.anticode.com, or just do a search online.
Internet Browsers
If you don't know what this is or where to get one, you should probably put this manual away. IE and Netscape are the two biggies. Lynx is phun to surf with on occasion (UNIX). Whatever browser you use, make sure it allows for the use of proxies. IE and Netscape do (even the older versions), so now would be a good time to familiarize yourself with the proxy options for each (more on this later). Also, make sure your browser supports gopher (which is kinda like HTML but only text) in case you stumble upon an old gopher server - these can be goldmines of information! IE and Netscape support gopher - to use it just type gopher:// instead of http://.
Telnet Clients
Almost any OS you get these days has some sort of telnet client. Just type 'telnet' at a command prompt (Windows or UNIX). This is the primary means by which you'll connect to computers, and though it's a simple enough program, to hack you'll have to become very familiar with how it works. Though fine for newbies, you'll probably find the Windows telnet client a bit... lackluster later in your hacking career. PuTTY is a good replacement (which, by the way, also does SSH and raw TCP connections - very handy; SSH matters because plain telnet sends your login, password and everything else across the wire in cleartext, which is exactly what the sniffers described below pick up). Whatever you use, make sure you can log (record) your sessions to a text file. The Windows client does allow for this, so try it out.
FTP Clients
FTP is the Internet protocol used to transfer files between two computers, though I'll go into more depth on this later. Both UNIX and Windows 9X come with command-line FTP clients. IE and Netscape have FTP clients built in, with a GUI even; the downside is that you can't issue commands. To use it, just type ftp:// instead of http://. You can also buy full-blown GUI FTP clients like WS_FTP (www.ipswitch.com) and FTP Explorer. My personal opinion, though, is that the command line is faster and gives you more control.
Ping Utilities
Both UNIX and Windows 9X have command-line ping utilities. Ping is a simple program with one purpose: to test the connectivity between two machines. It does this with ICMP echo request and echo reply messages (ICMP is covered later in the TCP/IP section). To ping a computer type:
%ping www.computername.com
(the '%' is a UNIX prompt - similar to C:\>)
If there is an unblocked path between you and www.computername.com, each echo request is answered by an echo reply (the 'pong'). Ping is used to test connections, and to measure the time it takes for the ping packet to make a round trip. For example, a successful (unblocked) ping might look like:
C:\>ping www.msn.com
Pinging www.msn.com [221.54.64.7] with 32 bytes of data:
Reply from 221.54.64.7: bytes=32 time=100ms TTL=32
Reply from 221.54.64.7: bytes=32 time=90ms TTL=32
Reply from 221.54.64.7: bytes=32 time=95ms TTL=32
Reply from 221.54.64.7: bytes=32 time=100ms TTL=32
Whereas an unsuccessful ping might look like:
C:\>ping 201.33.250.1
Pinging 201.33.250.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Note that 'timed out' only tells you that no reply came back within the wait time: the host may be down, the address may be unused, or a router or firewall in between may simply drop echo requests. You can play around with switches to send pings of different payloads (sizes), number of packets, and TTL (on Windows: -l size, -n count, -i TTL; on most UNIX pings: -s size, -c count). With both UNIX and Windows pings, you can get an IP address from a host name, and vice versa (ping -a on Windows does the reverse lookup). More on IP addresses later.
IP Scanners
Sometimes called a subnet scanner. Ever heard of a wardialer? A wardialer is a program used by old-school hackers. All it did was dial phone numbers in a specified range looking for modems. An IP scanner does the same thing - enter a range of IP addresses or a subnet, and it will ping each address in that range or subnet to determine whether a computer answers at that address (and whether it is reachable, ie: not blocked by a firewall, proxy server, or router). Most IP scanners prompt you for a start address and an end address, and attempt to ping every address in between. Subnet scanners, though, ask for the first three octets, and scan from .1 to .254 (the entire block). If you don't know how IP addressing works, you will after reading the TCP/IP section. Here's an example IP scanner output screen:
Scan from: 130.11.8.1
Scan to: 130.11.8.10
-------------------------------
Scanning from 130.11.8.1 to 130.11.8.10
130.11.8.1: Connected
130.11.8.2: Connection Refused
130.11.8.3: Connection Refused
130.11.8.4: Connection Refused
130.11.8.5: Connection Refused
130.11.8.6: Connected
130.11.8.7: Connected
130.11.8.8: Connection Refused
130.11.8.9: Connected
130.11.8.10: Connection Refused
A 'connected' means that the machine answered the ping. A 'connection refused' (a misnomer - ping has no connection to refuse; the scanner simply got no echo reply) means that either no computer belongs to that IP address, or that the machine isn't accessible to you: behind a firewall or proxy server, or configured to ignore pings. Some IP scanners show each address in the scan, while others only show the ones that answered.
Good IP scanners are: HakTek, WS PingProPack, and Shadow Scan. Online scanners are available at places such as http://infinityzone.cjb.net.
Port Scanners
A port scanner scans a particular IP address or hostname (a particular computer) for open ports. No, I don't mean serial or parallel ports. TCP ports - services, programs running on that server that can be connected to. The concept of ports will be explained in detail in the TCP/IP section of this manual. For now, just know that port and IP scanners are two very important tools you'll need. Output from a port scanner might look something like:
Scan: 20.1.139.21
Scan from: 1
Scan to: 1024
-------------------
Scanning from TCP port 1 to port 1024
Open: 19 (chargen)
Open: 21 (ftp)
Open: 23 (telnet)
Open: 25 (smtp)
Open: 79 (finger)
Open: 80 (www)
This means that ports 19, 21, 23, 25, 79, and 80 are open on this particular machine (20.1.139.21). Port numbers are generally used for a specific service; for example an open port 79 almost always means fingerd (the finger daemon, or service) is running.
Good port scanners are: Nmap (UNIX), HakTek, WS_Ping ProPack (which will scan IP ranges and the ports on each host), and YAPS. Online scanners are available also. These are nice because the server running the scan scripts does the scanning, meaning its IP address gets logged on the target machine - not your own. Keep in mind, though, that the site running the scanner knows exactly who asked for it; you've hidden from the target, not from the scanning service.
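To show what the IP scanners and port scanners above actually do on the wire, here is a small TCP connect() scanner. This is an added example written for this text, not code from Nmap, HakTek or any of the tools named; it probes with a TCP handshake instead of ICMP echo because raw ICMP sockets need root, and it runs against two constructed listeners on your own machine so nothing leaves the box.

```python
"""TCP connect() scanner: host sweep and port scan in one (added example)."""
import socket
from concurrent.futures import ThreadPoolExecutor

# Names for a few well-known ports, so the report reads like the sample above.
SERVICE_NAMES = {19: "chargen", 21: "ftp", 22: "ssh", 23: "telnet",
                 25: "smtp", 79: "finger", 80: "www"}


def probe(host, port, timeout=1.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    open     - the three-way handshake completed, so a service is listening
    closed   - the host answered with RST (nothing listens, but the host is up)
    filtered - no answer at all: host down, address unused, or a firewall
               silently dropped our SYN; the same ambiguity a ping scanner
               reports as 'connection refused'
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:          # timeout, host unreachable, ...
            return "filtered"


def scan_ports(host, ports, timeout=1.0, workers=64):
    """Port scanner: probe every port in `ports` concurrently; {port: state}."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def sweep_hosts(hosts, port=80, timeout=1.0, workers=64):
    """IP scanner substitute: any host that answers our SYN, with SYN/ACK or
    RST, is alive.  (A real ping sweep uses ICMP echo, which needs raw
    sockets and therefore root; a TCP probe does not.)  {host: alive?}"""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda h: probe(h, port, timeout), hosts))
    return {h: st != "filtered" for h, st in zip(hosts, states)}


def report(host, results):
    """Format open ports the way the sample scanner output above does."""
    lines = [f"Scan: {host}"]
    for port in sorted(p for p, st in results.items() if st == "open"):
        lines.append(f"Open: {port} ({SERVICE_NAMES.get(port, 'unknown')})")
    return "\n".join(lines)


def demo():
    """Self-contained run against constructed targets on localhost: two
    listening sockets stand in for services, plus one deliberately closed
    port.  Returns (results, open_ports, closed_port)."""
    listeners = []
    for _ in range(2):
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
        srv.listen(5)
        listeners.append(srv)
    open_ports = [srv.getsockname()[1] for srv in listeners]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()                         # now nothing listens there
    try:
        results = scan_ports("127.0.0.1", open_ports + [closed_port], timeout=0.5)
    finally:
        for srv in listeners:
            srv.close()
    return results, open_ports, closed_port


if __name__ == "__main__":
    results, open_ports, closed_port = demo()
    print(report("127.0.0.1", results))
    print(f"{closed_port}: {results[closed_port]}")
```

Run it as is and you get a two-line report of the open ports plus the closed one; point scan_ports() at a real host and a list like range(1, 1025) and you have the scan from the sample above. The three-way split (open / closed / filtered) is the important part: a 'closed' still proves the host is up, which is why sweep_hosts() treats an RST as a sign of life.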
Whois and NSLookup
Whois is a utility used to find out who a particular domain name (eg: hackersclub.com) belongs to. If you whois a site, you'll get the address, phone number, and email address of the technical contact (probably the system administrator) and the administrative contact (probably the owner or person who runs that name / business). NSlookup, on the other hand, queries DNS: it turns a hostname into an IP address (or an IP address back into a hostname), and can list the name servers that hold the records for a domain. This is useful when trying to map out networks and determine all the machines belonging to a certain domain. The concept of mapping networks, name servers, and the like will be explained in more detail in later sections. Here is a sample whois query:
%whois aol.com
connecting to rs database...connected
America Online (AOL-DOM)
12100 Sunrise Valley Drive
Reston, Virginia 22091
USA
Domain Name: AOL.COM
Administrative Contact:
O'Donnel, David B pmdatropos@aol.com
(730) 453-4255
Technical Contact:
America Online trouble@aol.net
(730) 453-4160
Record last updated on 13-mar-97
Record created on 22-jun-95
Domain Servers listed in order:
dns-01.aol.com 152.163.12.1
dns-aol.fu.net 122.56.87.3
By whois-ing aol.com, we get a wealth of (public) info. We get phone numbers to social engineer if need be (explained later). We get email addresses (valid login names). We get the hostnames and IP addresses of the DNS servers (also explained later). All things to be noted when trying to hack a particular domain.
Here's an example nslookup query:
%nslookup oliver.mail.tlsp.com
[no name] (oliver)
Hostname: oliver.mail.tlsp.com
Address: 103.222.54.8
System: SUN running SUNOS
nameserver: ns1.mail.tlsp.com
nameserver: ns.tlsp.com
nameserver: ns2.tlsp.com
nameserver: name.att.net
So, let's say that we wanted some info on the computer oliver.mail.tlsp.com. We run an nslookup on it, as shown above, and look at all the stuff we get. The IP address, what kind of machine it is (a Sun box), the OS (SunOS - a flavor of UNIX) - that 'System:' line comes from an HINFO record, which an admin has to publish on purpose, so don't count on seeing it for most hosts. We get all the domain name servers for that domain - including tlsp.com's upstream provider, their ISP. All very useful information. If you're new to hacking and aren't sure how all this info will help you break in, you will be as you get further into this manual.
UNIX has whois and nslookup built right in - just type either at a prompt. Windows 9X, however, doesn't (NT ships nslookup but not whois) - you'll have to go and get nslookup and whois utilities for your Windows box. Good ones are Sam Spade and WS_Ping ProPack - both available at TCU. What's the difference between whois and nslookup? You whois a domain name (something.com), whereas you nslookup a particular machine (IP address or host name). Now would be a good time to download one of each (both programs listed above have both utilities) and play with them a bit.
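What nslookup does under the hood is build a small binary DNS packet, send it over UDP port 53, and decode the reply. The following is an added example, not nslookup's source or anything from Sam Spade: it builds a query for oliver.mail.tlsp.com and parses a reply that is constructed by hand in the code (an A record, the HINFO record behind the 'System: SUN running SUNOS' line, and an NS record), so it runs without a network. query_server() is there for when you do have one; the server address and the names are assumptions.

```python
"""Build a DNS query and parse a DNS reply by hand (added example)."""
import random
import socket
import struct

RR_TYPES = {1: "A", 2: "NS", 13: "HINFO"}   # the record types this parser decodes


def encode_name(name):
    """'oliver.mail.tlsp.com' -> b'\\x06oliver\\x04mail\\x04tlsp\\x03com\\x00'."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=1, txid=None):
    """A query packet: 12-byte header (RD bit set, one question), then the question."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN


def read_name(msg, off):
    """Decode a name at `off`, following compression pointers (0xC0xx).
    Returns (name, offset just past the name at its original position)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier name
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(msg):
    """Return {'id', 'rcode', 'records': [(name, type, ttl, value), ...]}
    covering the answer and authority sections."""
    txid, flags, qdcount, ancount, nscount, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qdcount):                            # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(ancount + nscount):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:                                  # A: 4-byte address
            value = socket.inet_ntoa(rdata)
        elif rtype == 2:                                # NS: a (compressible) name
            value, _ = read_name(msg, off)
        elif rtype == 13:                               # HINFO: <cpu><os>, length-prefixed strings
            cpu_len = rdata[0]
            cpu = rdata[1:1 + cpu_len].decode("ascii")
            os_len = rdata[1 + cpu_len]
            os_name = rdata[2 + cpu_len:2 + cpu_len + os_len].decode("ascii")
            value = f"{cpu} running {os_name}"
        else:
            value = rdata.hex()
        records.append((name, RR_TYPES.get(rtype, str(rtype)), ttl, value))
        off += rdlen
    return {"id": txid, "rcode": flags & 0xF, "records": records}


def query_server(name, server, qtype=1, timeout=3.0):
    """Ask a real resolver over UDP/53 (needs network; the offline demo below
    does not use it).  The transaction id check is the client's only defence
    against a forged reply, so never skip it."""
    query = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data, _ = sock.recvfrom(4096)
    reply = parse_response(data)
    if reply["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch: reply was not for our query")
    return reply


def constructed_reply(txid=0x1234):
    """A hand-built reply for oliver.mail.tlsp.com (constructed, not captured):
    an A record, an HINFO record, and an NS record in the authority section.
    Names reuse the question via compression pointers: 0xC00C points at
    offset 12 ('oliver.mail.tlsp.com'), 0xC013 at offset 19 ('mail.tlsp.com')."""
    question = encode_name("oliver.mail.tlsp.com") + struct.pack("!HH", 1, 1)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 1, 0)   # QR, RD, RA; 1 q, 2 an, 1 ns
    a_rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 3600, 4) + socket.inet_aton("103.222.54.8")
    hinfo = b"\x03SUN\x05SUNOS"
    hinfo_rr = b"\xC0\x0C" + struct.pack("!HHIH", 13, 1, 3600, len(hinfo)) + hinfo
    ns_name = encode_name("ns1.mail.tlsp.com")
    ns_rr = b"\xC0\x13" + struct.pack("!HHIH", 2, 1, 86400, len(ns_name)) + ns_name
    return header + question + a_rr + hinfo_rr + ns_rr


if __name__ == "__main__":
    for name, rtype, ttl, value in parse_response(constructed_reply())["records"]:
        print(f"{name:22} {rtype:6} {ttl:6} {value}")
```

Two things worth noticing once you've stepped through it: the reply's only tie to your question is the 16-bit transaction id (plus the source port), which is why forged DNS replies are a thing and why query_server() refuses a mismatched id; and name compression means a record's owner name can be a two-byte pointer back into the question, which is what 0xC00C is.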
Traceroute
The Internet is an internetwork (hence the name), meaning a network of networks. These individual networks are connected together by sophisticated pieces of hardware called routers. Oftentimes, there are multiple routes between your computer and any other on the Net. Traceroute utilities do just that - trace the route between you and any computer you specify, listing the IP address of every router the packets pass through to get there. It works by sending probes with an IP time-to-live (TTL) of 1, then 2, then 3, and so on; each router that has to throw a probe away because its TTL ran out sends back an ICMP 'time exceeded' message, and the source address of that message is the router's. Traceroute is used to troubleshoot network problems, mostly. As a hacker you can do a number of things with traceroute. If you're being blocked from a particular IP address on the Net, you can run a traceroute to it and find out exactly where you're being blocked. Also, you can find your target's upstream provider with traceroute - handy in mapping networks and learning more about your potential victim. Both UNIX and Windows have traceroute utilities built in: for UNIX, type 'traceroute', for Windows type 'tracert' at a command prompt. Output from a traceroute might look like:
C:\tracert www.yahoo.com
tracing route to www.yahoo.com [250.217.111.6]
over a maximum of 30 hops:
1 150ms 144 ms 138 ms dialup-b.yourisp.net (110.135.87.4)
2 99 ms 145 ms 150 ms cisco7k.mr.com (32.55.87.1)
3 100 ms 144 ms 161 ms routel2.uswest.com (98.2.3.78)
4 160 ms 160 ms 143 ms gateway.con324.att.net (178.68.111.3)
5 147 ms 162 ms 177 ms intern.net3.yahoo.com (250.23.87.2)
6 171 ms 168 ms 165 ms www.yahoo.com (250.11.45.87)
trace complete
Here our packets passed through five routers (hops 1 through 5) to get to www.yahoo.com. The first entry (dialup-b.yourisp.net) is your ISP's dial-up gateway - your own computer doesn't appear in the list - and the last is your destination. Now, pretend for a minute that www.yahoo.com was blocked by a firewall. Then your traceroute might look like:
C:\tracert www.yahoo.com
tracing route to www.yahoo.com [250.217.111.6]
over a maximum of 30 hops:
1 150ms 144 ms 138 ms dialup-b.yourisp.net (110.135.87.4)
2 99 ms 145 ms 150 ms cisco7k.mr.com (32.55.87.1)
3 100 ms 144 ms 161 ms routel2.uswest.com (98.2.3.78)
4 160 ms 160 ms 143 ms gateway.con324.att.net (178.68.111.3)
intern.net3.yahoo.com reports: host unreachable
Here intern.net3.yahoo.com is telling us that it won't let any of our packets get past it - most likely a firewall of some sort (in practice you'll often see rows of asterisks, meaning the probes were silently dropped, rather than a polite 'unreachable'). If ever you can't connect to an IP address or hostname that you know to be valid, traceroute to it and find out what's blocking you. Now, if you look at all this hostname and IP address stuph and scratch your head - don't worry. You'll understand better after reading the 'TCP/IP and the Client/Server Model' section.
Password Crackers
As described in the Crypto section of 'Intro to h/p/v/c', the passwords of any computer system are stored in scrambled form. Oftentimes your ultimate goal in hacking into a machine will be to get the file that holds these passwords. This step, though difficult, is usually one of your last. So if you can get your hands on /etc/passwd (or /etc/shadow) of a UNIX box, or the sam._ file or a registry dump from an NT box, you'll want a password cracker program to recover the passwords from the hashes. How do these work? Well, the passwords aren't really 'encrypted' at all - they're run through a one-way hash, so there is no key to decrypt them with. Classic UNIX uses crypt(3), which is built on DES (the Data Encryption Standard) plus a two-character salt; NT stores a LanMan hash (also DES-based) and an NT hash (MD4). Knowing the algorithm, a cracker doesn't decrypt anything: it guesses. It takes each word from a dictionary (in this case a file of thousands of words), hashes it the same way (with the same salt), and sees if the result matches the stored hash. If so, that word is the password - for these hashes a false match is effectively impossible. Needless to say, the bigger the dictionary file, the more likely you are to crack passwords, and good crackers also try variations on each word (capitalized, with digits tacked on, and so forth). Some crackers have the option to try every combination of characters possible (instead of using wordlist files), but this takes time - and is a CPU cycle hog.
What password cracking program you need depends on the type of password you want to hack.
UNIX passwords: John the Ripper (which runs on UNIX as well as DOS and Windows) and Cracker Jack (DOS) are the most popular crackers for this OS. Many others exist, like a program called Crack, but JtR and CJ work the best.
NT passwords: L0phtCrack is the most reputable and best NT cracker around. You can crack sam._ files (the compressed copy of the SAM password database kept in the repair directory), or you can dump the local or remote registry (system database) and collect the SAM hive right into your L0pht program, and crack them that way. Other NT crackers exist, but don't even come close to the speed and power of LC.
Windows9X passwords: Win9X stores passwords in .pwl files. A johnh.pwl file holds the (weakly) encrypted passwords cached for user 'johnh'. A handful of crackers for pwl's exist, the best probably being Glide.
Other types of passwords are Novell Netware passwords, IRC passwords, Wwwboard passwords, FTP passwords (for standalone ftp servers), and the like - and a password cracker for each exists - just search the Net.
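To make the 'guess, hash, compare' loop concrete, here is a small dictionary cracker that reads a passwd-style file and applies a few John-the-Ripper-style word-mangling rules. This is an added example, not code from JtR, Cracker Jack or L0phtCrack. Because crypt(3) is not available everywhere, toy_crypt() below stands in for the system hash with a salted SHA-256 (labelled as such in the code); the passwd lines and the wordlist are constructed for the example. Swap toy_crypt() for the real hash and the rest is unchanged.

```python
"""Dictionary attack against a passwd-style file (added example)."""
import hashlib


def toy_crypt(password, salt):
    """Stand-in for the system hash.  Real /etc/passwd entries use crypt(3)
    (DES-based on classic UNIX; MD5/SHA/bcrypt variants today) - the attack
    is the same regardless: guess, hash with the stored salt, compare."""
    digest = hashlib.sha256((salt + password).encode("utf-8")).hexdigest()
    return f"$x${salt}${digest}"


def parse_passwd(text):
    """{user: stored_hash} for every account that actually has a hash
    (skips locked accounts and 'x' entries whose hash lives in /etc/shadow)."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        user, stored = fields[0], fields[1]
        if stored in ("", "x", "*", "!", "!!"):
            continue
        accounts[user] = stored
    return accounts


def candidates(word):
    """John-the-Ripper-style mangling: the word as is, Capitalized, UPPER,
    and each of those with a one- or two-digit suffix."""
    forms = [word, word.capitalize(), word.upper()]
    yield from forms
    for form in forms:
        for n in range(100):
            yield f"{form}{n}"


def crack_one(stored, wordlist):
    """Return the password for one stored hash, or None if the wordlist misses."""
    _, _, salt, _ = stored.split("$")           # '$x$<salt>$<digest>'
    for word in wordlist:
        for guess in candidates(word):
            if toy_crypt(guess, salt) == stored:   # same salt, same algorithm
                return guess
    return None


def crack(accounts, wordlist):
    """{user: password} for every account the wordlist cracks."""
    found = {}
    for user, stored in accounts.items():
        guess = crack_one(stored, wordlist)
        if guess is not None:
            found[user] = guess
    return found


# Constructed sample: a small passwd file and a tiny wordlist.
WORDLIST = ["password", "letmein", "secret", "dragon", "sunshine"]
PASSWD_SAMPLE = "\n".join([
    "root:" + toy_crypt("Secret42", "ab") + ":0:0:root:/root:/bin/sh",
    "johnh:" + toy_crypt("dragon", "Qz") + ":1001:100:John H:/home/johnh:/bin/sh",
    "alice:" + toy_crypt("r7!pQ#x9", "k2") + ":1002:100:Alice:/home/alice:/bin/sh",
    "daemon:*:1:1:daemon:/usr/sbin:/bin/false",
])

if __name__ == "__main__":
    for user, password in crack(parse_passwd(PASSWD_SAMPLE), WORDLIST).items():
        print(f"{user}: {password}")
```

Two of the three accounts fall (root's 'Secret42' only because of the capitalize-and-append-digits rule); alice's random password survives, which is the whole argument for passwords that aren't dictionary words. Note also why the salt matters: every account has to be attacked separately, since the same guess hashes differently under each salt.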
CGI Vulnerability Scanners
CGI and how to exploit it is explained later in this text. Basically, these scanners look for CGI scripts on a specified webserver that are known to be exploitable. WebChk is a good one for Windows, as are Nessus and SATAN for UNIX. Online CGI scanners are sometimes found, like at infinityzone.cjb.net.
Net BIOS Share scanner
A share (as explained in the NT section) is a directory made available to other people on a network. Share scanners just scan an IP address range or subnet for these shares. This (like any kind of scanning) can be done manually, but scanner software speeds the process up. WinHack Gold is a decent share scanner, and Legion is a good one for Windows.
Finger Clients
Though fingering (explained later - sorry) can be done manually by telnetting into the finger port, sometimes its useful to have a finger client too. UNIX has a built in client - just type 'finger.' Clients for Windows include: WS PingProPack, WS Finger, and HakTek.
Compilers
Most exploits you find (little programs that take advantage of programming flaws in other programs) are distributed as source code, in whatever language they were written in, and you compile them yourself. You'll probably want a Perl interpreter and an assembler. Most UNIXes come with cc or gcc - handy C compilers. In fact, most of your compiling will be done on a UNIX machine - either your own or a shell account. I promise - all this UNIX, exploit, vulnerability, and programming stuph will make sense as you read further.
Cache Rippers
Cache rippers are programs that pull saved passwords out of the memory of the machine you're sitting at. This doesn't work on UNIX and NT logon passwords. Rippers are good for looking 'behind' the asterisks of things like the Dial-Up Networking dialogue box and reading the password. They're useful only if you're at the machine, and are a good way to filch ISP accounts. Download Dripper or Revelation and play with them a bit.
Brute Force Programs
Brute force is a simple attack that involves hurling passwords at a system until it cracks. A brute force program might spit usernames and passwords at a UNIX login prompt, or at an NT login box. Many exist - the problem is that BFing takes lots of time, fills the target's logs with failed logins (so the admin knows someone is trying to get in), and may lock the account after a handful of failures. As explained later - BFing should be a last resort. Also, the type of BF engine you'll use depends on what exactly you're trying to break into. For a generic BF program, download Claymore from TCU's Buffer Overflow section. Brutus (home.cyberarmy.com/tcu/buffer.html) is a good BF prog for telnet, FTP, and HTTP also.
Trojans, rootkits, and RAT's
Trojans were explained briefly in the Virii section above (due to the misconception that Trojans are virii). Using Trojans will be explained later. They, rootkits, and RATs (Remote Administration Tools) all give you a hidden backdoor, though they differ in how: a RAT such as SubSeven, Back Orifice, or NetBus is a program that listens for your connections and lets you control a (usually Windows) box remotely, while a UNIX rootkit replaces system binaries like ls, ps and netstat with versions that hide your files, processes and connections from the admin. Installing one of these on your target computer is usually the last step you'll take in hacking in. They allow you complete control of the system as well as a way back in later.
Internet Warfare Tools
These are programs with no other use than to wreak havoc. They come in a variety of categories. DoS (Denial of Service) programs do nothing more than crash servers. Using these is usually as simple as entering an IP address and hitting enter. Bitch Slap and WinNuke are good examples of DoS progs. Using these - besides being needlessly destructive - requires absolutely no intelligence at all, and they are usually used by lame kiddies who couldn't quite make it as real hackers. The only reason I even bring up Internet Warfare tools is that it's a good idea to have at least one on hand. Not WinNuke - programs like Divine Intervention. DI ]|[ has utilities including ping floods, irc floods and bots, and the like. If you venture into IRC channels, you may occasionally find yourself... "in a dark alley," and wouldn't want to be unarmed. Keep Net Watcher up - if someone tries to nuke you - you'll know it.
Sniffers
Sniffers are a very useful tool for the seasoned hacker. In a nutshell, they 'sniff' all (or some designated) packets that pass it on the network, and record all the data into logfiles for the hacker to view. Oftentimes hackers sniff password hashes that traverse the network. How to use and place network sniffers will be gone over later.
Keyloggers
Just that - programs that record keystrokes on a machine. Handy for stealing passwords. For example - lets say you managed to hack into a Netware box with the account: Guest. But Guest has just about zero privileges to anything phun. The answer might be to put a keylogger on that machine and see what turns up.
Specialized Tools
There are a few programs that are more specific in their purpose and use (and therefore more effective). Here are the biggies that you should eventually have in your collection
SATAN and SAINT. SATAN (Security Administrator Tool for Analyzing Networks) is a UNIX based vulnerability scanner. It looks at the daemons bound to ports and queries for specific CGI files to find possible ways in for you. Basically, you type the IP address of your victim, and it scans aggressively for known vulnerabilities. Then, when it finds one, it points you to a tutorial on what the problem is and how it is exploited. SAINT (Security Administrator's Integrated Network Tool) is an updated version of SATAN. These programs are a must for serious hackers, and alone are enough to make installing UNIX on your computer worthwhile.
Nmap. Network Mapper is also for the UNIX platform. It's a port scanner, but a very powerful one. Most port scanners simply connect to every port to see what's open, using the standard connect() system call. Nmap is capable of a variety of scan types, including the half-open (SYN) scan, the Xmas tree scan, and many others. These types of scans don't complete a connection to the port. They exploit the way TCP/IP works to report the status of TCP ports without making a full connection. This is handy for two reasons: one - your IP address isn't logged by the application since you never made a full connection (a firewall or intrusion detection system watching the wire can still log the half-open attempts), and two - these kinds of scans will pass through some firewalls, allowing you to scan protected computers. Nmap is not for newbies. You'll need to learn much about TCP/IP (specifically, flags such as SYN, ACK, and RST) to understand how Nmap works and how to use it. But don't let this intimidate you. Install Nmap on your Linux partition and play with it a bit - you'll learn valuable TCP info. Numerous Nmap text files explain how to use it, along with the manual that comes with it. This is another must-have for serious hackers. Get it at www.insecure.org.
Nessus. This program is similar to SATAN. The scanning engine runs on UNIX and there is a client for both UNIX and Windows; the targets can be anything - NT boxes included. A variety of plugins exist for Nessus, which keep it updated on new exploits. When you scan a host with Nessus, it will tell you what ports and/or CGI scripts are vulnerable, and will give you more info on these exploits. For more info on what exploits actually are, and how to find and use them, wait for later sections of this manual.
Keeping from getting caught
Hacking is a gray area, as far as what exactly is legal, and what exactly isn't. Even if you follow the hacker code of ethics (never harm), you are still quite possibly breaking one or more laws. Let me just say that if you are already on a system with someone else's login name and password, you are blatantly breaking a few laws. Nuking is also illegal. IP and port scanning are not illegal, though they definitely cause suspicion. In the past, measures to keep oneself safe included hacking from payphones, splicing your neighbor's line, 'bouncing' your call (explained later), and even using programs such as Modem Jammer. Now, you might want to use one or more of these methods to keep from being physically traced (though modem jammers don't work anymore), and another to keep from being traced over the Internet (to your ISP). The best and probably easiest way to do this is to use someone else's account, preferably on a different ISP. This is much easier to do than one might expect. Shoulder-surf someone typing in their login/password, do a little social engineering (explained later), or even brute force your way to a valid account. There are even programs out there that, if run on a machine used to access the Internet via a dial-up (with an ISP), will give you the password. One such example is Dripper (available at The CyberUnderground). As far as physically tracing you goes, if you are using someone else's account you are sort of safe. If you have hacked into a system with a low-level account (a 'guest' account, for example) and just got yourself root (see definition above), you should seriously consider adding a few methods of security before reconnecting. To hack from a payphone, get an acoustic coupler for your modem, set the receiver on it, and just dial out. Bouncing your call means basically calling a modem somewhere that is designated as an 'outdial', meaning once connected, any modem commands you issue will go to it, so you can dial from it somewhere else.
If you are traced - it will be to that modem. This can be defeated though, so it's a good idea to bounce calls off a few outdials. Outdials are pretty hard to find, but are most common on X.25 and other PSNs (for more info on outdials, read any other hacking text, like "The Neophyte's Guide to Hacking" or "The Newbie's Handbook").
Shell Account Bouncing
Another security method (similar to bouncing your call) is bouncing your IP attack. Meaning - telnet to a system that itself has a telnet client (usually UNIX), then telnet from it to your target; the target's logs show the intermediate box's address, not yours. Finding and obtaining access to one of these is difficult for a new hacker, so I'll go into greater detail on this later.
Wingates
Another effective method of keeping your IP address out of the logs of the system you're connected to (and thereby of getting "busted") is bouncing your packets off a WinGate host. WinGate is a server software program that acts kind of like a proxy server and firewall all in one (see above for definitions). As with a generic proxy server, all computers in the office that the WinGate computer is in connect to it to get to the Internet - and you can do the same. All you need is the IP address or domain name of a WinGate host. Telnet to it, and type the IP address you want to get to at the prompt you get. The IP address of the WinGate box will be logged as you connect - not your own. What's even better is that in its default setup WinGate keeps no record of who connects to it. Unless, of course, the sysadmin uses some third-party software to monitor network traffic. Finding WinGates is very easy - just go to any hacker website (www.cyberarmy.com is a good one) and look at their database of WinGates. You'll have to weed through lists of dead WinGates though, so you may be better off getting a WinGate scanner and doing it yourself. If you're really smart, you'll bounce your packets off a few WinGates before getting to your target (each one only knows about the hop before it).
Proxies and Anonymizers
If someone is 'using proxies' to be stealthy, he is simply connecting to web pages (and possibly FTP, Gopher, etc) through a proxy server. Check the description in 'A Little Hacker Lingo.' Publicly accessible proxies (or proxies that the owner doesn't realize are accessible to the world) can be connected to and made to proxy all your requests. Meaning if you use proxy1.ozemail.com.au as your proxy server, then surf over to www.yourtarget.com - you don't directly connect to yourtarget.com. Instead, you connect to proxy1.ozemail.com.au, inform it that you want to surf yourtarget.com, and it fetches you that html file. The proxy's IP address is logged on your target during the connection, since it was the one that actually connected to it, and not your own (the proxy, of course, may well log you).
CGI anonymizers are nothing more than proxy servers as well. www.cyberarmy.com has an anonymizer for you to surf anonymously with. Also, if you use this URL prefix:
http://proxy-mail/mailcity.lycos.com/bin/redirector.cgi?http://
You can use Mailcity's proxy server to surf anonymously (this is the redirector Mailcity uses when you click a link while at Mailcity). Non-CGI proxies must be entered in your Internet connection settings (of IE or Netscape).
Filched ISP Accounts
The best way to hide your identity, though, is with a stolen account. Use Dripper or some other cache ripper to get the Dial-Up Networking password from someone you don't like. Or, sign up for some free ISP service (NetZero, AltaVista Free Access, or WorldSpy) and give fake account information to get an account that's not attached to you. Make sure that you're using proxies when you sign up, or they'll have your real address from the moment you sign up.
Covering Your Tracks
Remember: all computers keep logs of activity. Once you break in, open the logfiles and delete any entries that involve you (especially ones that logged your IP address). In UNIX systems, look for logs in /var/log or /var/adm (the text logs written by syslog, plus the binary login records utmp, wtmp and lastlog). In NT, look in \winnt\logs or \winnt\system32\logfiles or in a directory of a particular service (eg: HTTP or FTP). Programs also exist that will cover your tracks in logs, such as cloak.c for UNIX (available at TCU). Bear in mind that many sites send a copy of their syslog to a separate loghost; entries that have already gone to that machine are out of your reach, so a clean local log doesn't prove nobody knows you were there.
As a rule of thumb, the amount of security you should be using is directly related to the seriousness of your hack. Though, you could be breaking many federal and state laws without even being close to having root access, and not even quite sure what you are doing. Always be at least a little paranoid: you'll last longer in the h/p world. It cannot be stressed enough: be as safe as possible.
TCP/IP and the Client/Server model
If by this point you're completely lost, you might want to read some other basic computer stuph before venturing on here. If not, roll up your sleeves: you're about to learn the very heart and soul of the Internet and Hacking today.
TCP/IP
Transmission Control Protocol / Internet Protocol. The 'language,' or means by which packets are exchanged over the Internet, or any intranet. TCP/IP is a set of rules that define exactly how data is transferred between computers on a network. IP is the lower-level protocol: it addresses and routes individual packets across networks (hence the term 'IP address'). TCP sits on top of it and turns those packets into a reliable, ordered connection between two programs. The application protocols (explained shortly) like Telnet and FTP run on top of TCP in turn. Together with helpers like ICMP and UDP, these make up the TCP/IP protocol suite. To utilize any of the application protocols, you just need a client for it. For example, Windows 95 and above has a built-in FTP and Telnet client (a client, when referring to a protocol, is a program that lets a user utilize that protocol). In this section I will explain each of these protocols, and other protocols used over the internet.
Client/Server
One concept that it is imperative you understand is the Client/Server model. Every protocol is utilized with software. For example: HTTP (Hyper Text Transfer Protocol, the protocol used to transfer HTML web pages to and from your computer [this is why it is at the beginning of the URLs you visit]). This protocol is put to use by software. This software has two pieces, a client side and a server side. When you type in a URL or click on a link, you are using an HTTP client program (a browser) to request a copy of a particular web page. Then, the server of the URL you requested has HTTP server software, which receives the request (in the form of data packets) and provides you with a copy of the page by sending it back to your computer. A server side software package is also called a service or daemon, and is accessed via TCP ports. A port is a "virtual channel" used to transfer packets of a specific protocol between a client and a server. When you hear the term 'portscanning,' what is being referred to is scanning for services (and thereby the protocols a machine speaks). Each service listens on a port number (eg: telnet is generally number 23). At any rate, think of client side software as the requestor, and the server side software as the provider. Any time you make a connection with a machine on the web (with Telnet, Internet Explorer, or whatever), your client is talking to that server via a common protocol.
TCP Subprotocols, and other Protocols
PPP
There are many protocols, and most of those discussed here are used over the Internet's high-speed digital lines. However, there are lots of protocols used over regular analog phone lines, dating from before the Internet was a major computing tool. These include file-transfer protocols like Kermit, Xmodem, Ymodem, etc, whose job FTP does on the Internet. However, the only "analog phone line" one I'll cover is PPP. PPP (Point to Point Protocol) is the protocol used over the phone line between your modem and your ISP's dial-in server, which in turn forwards your packets onto the Internet. SLIP is similar, but older and less capable. Basically, PPP wraps (encapsulates) each IP packet in a frame that can be sent over the serial phone line; the ISP's end unwraps it and routes it onto its network, and the same happens in reverse for packets coming back to you.
Telnet
Let's start at the basics. On a traditional UNIX setup there are one or more UNIX boxes - the computers that do the processing and hold all the data (files, applications, the OS, etc) - and it's one of these that you are most likely trying to hack into. Then there are a slew of dumb terminals directly connected to it. A dumb terminal consists of nothing more than a monitor and a keyboard - everything a user types on a dumb terminal is handled by the UNIX box. Telnet is a protocol/application that gives you the same thing over a network (or a phone line): when you connect to a UNIX box via telnet, the box does the processing and it's just as if you were at a dumb terminal wired to it. Telnet is the protocol you will be using to access the computer you are hacking into. You can also telnet to a port other than 23. Most client/server protocols are plain text: the client sends commands defined in that protocol and the daemon sends replies. You can telnet to a port and issue these commands by hand, and the daemon will answer you just as it would a real client. For example, when you type this into your browser:
http://home.cyberarmy.com/tcu/underground.html
your browser connects to port 80 (HTTP, the port used for transferring web pages) of home.cyberarmy.com and sends a request like:
GET /tcu/underground.html HTTP/1.0
followed by an empty line (the older HTTP/0.9 form, just 'GET /tcu/underground.html', works on older servers too, and servers hosting several sites on one address also want a 'Host: home.cyberarmy.com' line before the empty one). You can telnet to port 80, type the same thing, and you'll get the html file sent to your telnet client (just as it would be sent to your HTTP client, your browser). Kool, eh?
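The client/server exchange from the section above, and the 'GET by hand' just described, done with a raw socket so you can see every byte. This is an added example, not the page's own code or anything from cyberarmy.com: a stand-in web server is started on localhost with one constructed page at /tcu/underground.html, and raw_get() plays the role of your telnet session.

```python
"""Speak HTTP by hand over a raw TCP socket (added example)."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for home.cyberarmy.com: one page, everything else 404.
PAGES = {"/tcu/underground.html":
         b"<html><body>The CyberUnderground (constructed sample page)</body></html>"}


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = PAGES.get(self.path)
        if body is None:
            self.send_error(404)
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):       # keep the demo quiet
        pass


def start_server():
    """Serve PAGES on a random localhost port in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def raw_get(host, port, path):
    """Exactly what the browser does: open TCP, write the request lines and a
    blank line, read until the server closes.  Returns (status, headers, body)."""
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)
        chunks = []
        while True:                     # HTTP/1.0: the reply ends when the peer closes
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    raw = b"".join(chunks)
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    status = int(status_line.split()[1])            # 'HTTP/1.0 200 OK' -> 200
    headers = dict(line.split(": ", 1) for line in header_lines)
    return status, headers, body


def demo():
    """Fetch the page that exists and one that doesn't; returns both results."""
    server = start_server()
    try:
        port = server.server_address[1]
        found = raw_get("127.0.0.1", port, "/tcu/underground.html")
        missing = raw_get("127.0.0.1", port, "/no/such/page.html")
    finally:
        server.shutdown()
        server.server_close()
    return found, missing


if __name__ == "__main__":
    (status, headers, body), (status_404, _, _) = demo()
    print(status, headers.get("Content-Type"), body.decode())
    print(status_404)
```

The request is three lines of text and a blank line; the reply is a status line, some headers, a blank line, and the page. That is all a browser and a web server say to each other for a plain page fetch, and it is why a telnet client is enough to talk to port 80.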
FTP
File Transfer Protocol. This is the protocol used to transfer files between computers over the Internet. Whether you are downloading password files or uploading changes to their HTML files, you will do it through FTP. To start an FTP session, you need to log in to the service with an FTP client, just as you would with Telnet. More on this later. Incidentally, the later browsers from Netscape and Microsoft have an FTP client built in. To use it, type 'ftp' instead of 'http' in your browser. FTP has more commands than just send and receive. Type 'help' to get help from your client, or 'remotehelp' to ask the server what commands it accepts. Also, if you telnet to an FTP port, you can log in, but without a real client that speaks the FTP 'language' you won't be able to transfer files: the commands go over the control connection (port 21), but the file itself travels over a second, separate data connection that the client and server set up with the PORT or PASV commands, and a telnet client has no way to handle that.
SMTP
Simple Mail Transfer Protocol. This is the protocol used to send and receive email. If you connect to an SMTP port (by telnetting into it) you can issue SMTP commands. When you send an email, the protocol exchange travels along with the actual letter. This means that the SMTP packets (made up of your letter and other protocol-specific data) go to port 25, and the appropriate commands are issued to the SMTP service in order for the letter to reach its recipient. You can also connect to this port and issue these commands manually. One use of this is sending email and changing the sender address to someone else (possibly the recipient's employer). Also, with the VRFY command, you can find out whether or not a particular account (login name) exists on the network in question. Actually, you can telnet to port 25 of a machine and send someone email. Just enter the commands that an email client would - use the HELP command to familiarize yourself with the various SMTP commands.
HTTP
Hyper Text Transfer Protocol. This, again, is the protocol used to transfer HTML pages back and forth between two computers. If you see an open port 80 (www), this machine has a web site. SSL is the encrypted version of this - see the Crypto section above for more about SSL.
Finger
This protocol (also a UNIX utility) is used to obtain information about users on a remote machine. With a finger client, you can see who's logged on currently, and can find specific information about a specific user. Having finger on a UNIX machine is a very bad idea. Anyone with a finger client (or anyone who wants to telnet into the finger port) can find out who's logged in, get a list of users for that computer, and get info on specific users. If your client can't talk to the daemon, telnet in, and hit enter once or twice. Try typing '@' or 'finger' or something similar to get a response. Then, type in usernames that you find and hit enter. All this valuable info, without ever logging in - very useful to the hacker. If ever you find an open finger port, use it. It could just be the point of entry you were looking for.
DNS
Domain Name Service. If a computer has this port open, it generally means that this particular computer is a domain server of that network (the spokesperson, if you will). These computers act as the spokesman for that particular domain. They hold the DNS table, which translates hostnames into IP addresses, so when you connect to www.someserver.com, it knows what IP address you're talking about.
NBT
This stands for Net BIOS over TCP/IP, and is what Windows networks use. Another name for this is 'nbsession,' (Net BIOS Session Service) which generally indicates Net BIOS used over a Wide Area Network (such as the Internet), being that Net BIOS by itself (without TCP/IP) cannot be used over a WAN. This protocol is used in conjunction with ports 135 and 139. The client for these ports is the Client for Microsoft Networks. You'll learn how to use it in the NT section.
SNMP
Simple Network Management Protocol. Used to diagnose and manage networks. Utilities like 'netstat' for UNIX use this lightweight protocol. Certain NT applications of SNMP are vulnerable - check your local exploit archive for more info.
NCP
Netware Core Protocol. Just that. This isn't a TCP/IP subprotocol. Actually, it's usually used in conjunction with SPX/IPX (Sequential Packet Exchange, Internetwork Packet Exchange), Novell's routable protocol.
Net BIOS
This protocol is a very lightweight one, used for smaller LANs. It's not routable (meaning by itself, it cannot be used to connect networks, or used on the Internet), primarily because network addresses are nothing more than computer names. Windows networking relies largely on Net BIOS, but it's also used with OS's such as UNIX sometimes.
NetBEUI
Microsoft's NetBEUI (Net BIOS Extended User Interface) is what you're using when you browse your network neighborhood. NetBEUI uses UNC's (Uniform Name Convention) to locate resources. A UNC looks like: \\computername\sharename\path. With this format - you can access any data on your NetBEUI (or TCP/IP - if it's a Windows network) network. More on this later.
UDP
UDP - Uniform Datagram Protocol. This protocol is actually used in place of TCP for some applications. TFTP, for example, uses UDP. So does SNMP. UDP encompasses many subprotocols, just like TCP does - so it's not actually a TCP subprotocol either. Some network utilities you'll use will actually use UDP (UDP over IP, as opposed to TCP over IP), but the difference is transparent. Get yourself a networking book for more on these kinds of things.
POP3 and IMAP
These are used for email. POP3 (Post Office Protocol version 3) stores and retrieves mail on a server. IMAP requests them - in some cases. For example: when you use Outlook Express to download your email, you're getting it from a server with POP3 on it. If you use a web-based email provider such as Hotmail or Mailcity, you view and manipulate it with IMAP.
SSH and SSL
SSH (Secure Shell) is basically just encrypted telnet sessions. SSL (Secure Socket Layer) is encrypted HTTP. To use SSL with IE or Netscape, type https:// instead of http://.
AppleTalk and AppleShare
These are not TCP subprotocols. They are used by Mac networks, but can be implemented over IP (to connect to the Net). The 'Miscellaneous OS's' section goes over this a little.
These, along with many other protocols, are used regularly over the internet as well. It is not in the scope of this text to explain them all, so I encourage you to research them and the others I've covered in more detail.
I could cover pages and pages of TCP/IP stuph. As you gain a bit of experience in this craft, you will need to learn more about this. For now, just understand that when you do anything on the Net, whatever program you're using sends packets in the appropriate command form (TCP/IP commands) across the cable connections that make up the Internet. And of course, TCP/IP conforms to the OSI model - the backbone of every network protocol, the way everything communicates digitally. Go out and read about OSI - you'll appreciate it later.
Getting Started - Your first night as a Newbie
Okay - you've found the network/system that you want to hack. What's first? Find out which of these protocols the target supports. Can you telnet to this computer? Can you FTP to it and copy files from it? To find out, you will need to run a portscan on it, with your portscanning utility. Just type in the URL or IP address of the machine in question, and start scanning. You will be shown what protocols (TCP/IP subprotocols and others) the target has. It will not, however, tell you that it supports TCP/IP, because, to put it simply, it has to have TCP/IP to be on the Internet. What you are looking for here is services - these TCP/IP subprotocols and other services/ports. Do not let the term port mislead you - we're not talking about physical ports. If you don't understand this first step, reread the TCP/IP section.
Now, if the portscan indicated that the target machine supports telnet (port 23), you can telnet to it, and attempt to log in. Go ahead - try it. You'll need a valid username/password combo to get it, which we'll get to later.
If port 21 is open, that means that the machine supports FTP, and files can be transferred back and forth from it. But, like access via telnet, you'll need a login name and password. A default "anonymous" account is ftp/ftp for a username/password, so go ahead and try that. If this works (and don't be surprised if it doesn't), you won't have much in the way of access privileges (meaning you'll be able to look at files, but usually not copy files to your computer, and most likely not copy files to it). If you can anonymously log on, you at least have your foot in the door, and can possibly use this as a stair step to get further into the system. More on this later. Once logged on via an FTP port, the commands to jump around from directory to directory and copy files are very DOS-like (actually more UNIX-like than DOS, but if you know a little DOS, you should feel comfortable navigating the system). Type 'help' or '?' for a list of commands. When you do this, you are accessing a help file on your computer. To access the help file on the computer you're on (which is usually more extensive and has commands specific to the computer you're logged on to) type 'rhelp' or 'remotehelp,' or something similar. Or you could telnet to the FTP port and type 'help.' FTP is the only way to transfer files between the target computer and yours - which you will need to do to get password files, change their website ('this site has been hacked by Kurruppt2k'), upload exploits, or whatever. More on this later. One last note on FTP - you can telnet to an FTP port, and log in. However, since you are not using an FTP client, you will not be able to do much once inside (like get directory listings or download files) because your telnet program does not follow the rules and guidelines (protocol) specified in FTP. Again, you can telnet to any port, but if the right commands are not issued (usually done by your client program), you may not get anywhere, and may even be disconnected.
Telnetting to ports that you aren't sure what are, though, is a very good way to learn about the computer you are targeting, and is usually necessary to break in.
Now, if your portscan turned up either 'www' or 'http,' that means that you've found the computer that has all the HTML files (website files) that make up this organization's website. This really is only relevant if you are attempting to break into the target's website. To do so, you'll need access to the index.html or default.htm file (usually only accessible to superusers, or root accounts), and will have to FTP the page you will replace theirs with, and replace index.html with your own. Doing this, though, could be considered cracker-like, and slightly malicious. This also tends to piss sysadmins off, and may drive them to attempting to find you - so be careful!
A last few notes on TCP/IP. You need to understand the structure of a URL, and of an IP address. Every computer on the Internet is designated by an address. The addressing scheme (IPv4) looks something like this: 38.233.203.2. Generally, the very last number is the node address, or the computer's address. The rest is usually considered the network address (depending on the Class - read a document on IP addressing for more info). Each number between the dots (called an octet) can be from 1 to 254. So the IP address is in the 38.233.203 subnet. The last number, again, specifies the computer in that subnet. So if you wanted to see what other machines were on that subnet, you would scan from 38.233.203.0 to 38.233.203.254. Now, each IP address can also have a name. If 38.233.203.2 belongs to the netscape.com domain, it might be www.netscape.com, or mail.netscape.com, or something similar. So when you type www.netscape.com to visit its website, you could also type http://38.233.203.2 (assuming that was its IP address). Which brings us to the URL. Here is a typical "web address": http://www.microsoft.com/services/windowsNT. The http:// specifies the protocol used. You could also replace it with ftp:// or even telnet://. (Note: to log in via ftp with your browser, use ftp://username:password@www.yourtarget.com.) The www.microsoft.com is just the computer name. The DNS protocol handles resolving the name into an IP address. The /services/windowsNT is the path to the file you are requesting (index.html or default.htm, if none other is specified), just like a path on your computer (with forward slashes instead of backslashes).
Webservers usually have what's called a wwwroot directory. This is the root of the browsable machine. Meaning the path on the machine itself:
/texts/wwwroot/images/source.gif
of the computer www.gateway.com is:
http://www.gateway.com/images/source.gif
This is important. The root to you, the browser of a webserver, isn't the actual root of the system's hierarchy. Why? So people browsing can't access the entire machine - just the web pages and stuff that the webmaster wants you to see. So let's say you cracked a UNIX machine with a non-root account, and wanted to download the password file of the Gateway computer above. The file is (in this case) /etc/passwd. To download it, you'd copy it to /texts/wwwroot. So its actual path is /texts/wwwroot/passwd. But its URL (to anyone browsing the server) would be www.gateway.com/passwd. So you'd just type that into your browser to download the password file, and you're off to cracking it. Of course, doing this without proxies or a stolen ISP account will get you traced and busted right away.
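The wwwroot mapping above is worth seeing in code, so here is an added example (not part of the original text) of both directions of it: the URL-to-file mapping a web server does, including the containment check that is the whole reason a document root exists, and the file-to-URL mapping that tells you whether a given file is browsable at all. The host www.gateway.com and the root /texts/wwwroot are the text's own; the request paths are constructed.

```python
# Added example: map URLs to files under a web server's document root and
# refuse anything that would resolve outside it.  WWWROOT is the text's own
# example value; the URLs in the usage are constructed.
import posixpath
from urllib.parse import urlsplit, unquote

WWWROOT = "/texts/wwwroot"


def url_to_fs_path(url, wwwroot=WWWROOT):
    """Map a URL to the file it names beneath the document root.

    Returns the absolute filesystem path, or None when the request path,
    after percent-decoding and normalising '..', lands outside wwwroot.
    Decoding happens before the check so an encoded '%2e%2e' is treated
    exactly like a literal '..'.
    """
    path = unquote(urlsplit(url).path) or "/"
    if path.endswith("/"):
        path += "index.html"          # a directory request serves its index file
    candidate = posixpath.normpath(wwwroot + "/" + path.lstrip("/"))
    if candidate != wwwroot and not candidate.startswith(wwwroot + "/"):
        return None                   # escaped the document root: refuse it
    return candidate


def fs_path_to_url(fs_path, host, wwwroot=WWWROOT):
    """Inverse mapping: the URL a file is browsable at, or None if it is not."""
    full = posixpath.normpath(fs_path)
    if not full.startswith(wwwroot + "/"):
        return None                   # outside wwwroot, so HTTP never serves it
    return "http://" + host + full[len(wwwroot):]


if __name__ == "__main__":
    print(url_to_fs_path("http://www.gateway.com/images/source.gif"))
    print(url_to_fs_path("http://www.gateway.com/../../etc/passwd"))
    print(fs_path_to_url("/etc/passwd", "www.gateway.com"))
```

The second print shows why copying a file under wwwroot is needed in the text's scenario: a request that tries to walk upward out of the root normalises to a path the server refuses, so /etc/passwd in place is simply not reachable over HTTP.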
Your First Hack
Okay, you now should have enough preliminary knowledge to start your very first hack. Pick a target. Universities usually have somewhat lax security. Pick something relatively easy for your first time. Stay away from government networks and those belonging to large businesses and corporations. The very first step is finding the domain name of your target. If your target is www.spicegirls.com, the domain name is simply spicegirls.com.
Step one - Intelligence Gathering
Every successful hack starts with a little preliminary investigation. The more information you have about a specific domain, the better armed you are. Open a notebook and start an "info collection" of your target. First, visit their website. Try to view every page, and write down anything of importance. Copy down all email addresses - as these are also usually valid login names. Write down anything else of relevance. Look at the source HTML and see if there are links to other computers you didn't know about. Next run a whois and nslookup on the domain, with your appropriate utility (available at The CyberUnderground). This will give you very useful information. You'll get the domain's nameservers, the administrator, a few more email addresses, other computers on the network, and other useful stuff. Copy everything down. Another trick is sending an email to the domain with a username that you know doesn't exist (e.g. blablabla@yourtarget.com). The SMTP service of whatever server is designated as the primary mail server of that network will return a letter to you saying that there is no such user. In the header of this email will also be some useful information - copy it all down.
Step two - Network Scanning
Next you should try to get a scope of what kinds of computers are on the outside of this network (by outside, I mean what machines are "on the Internet," and not behind a firewall or proxy server). To do so, you will scan the subnet with your trusty IP scanner. Again, a subnet is every computer (numbers 1 through 254) on a particular range of IP addresses. For example, 253.87.8.3 and 253.87.8.45 would be on the same subnet, whereas 253.87.8.45 and 253.87.11.12 are not. (Actually, class C subnets are often-times broken up even further - read an RFC on IP to learn all about IP addressing, packet structure, etc.) To scan the subnet of your target, do as follows. Ping the hostname (your computer should have a ping utility, as do most of the hacker programs you should already have). This will give you the IP address. If the IP address is 253.87.8.45, scan the entire subnet, which would be 253.87.8.1 through 253.87.8.254. This will tell you every computer on that subnet - their IP addresses and hostnames if applicable. If you already know of two computers on different subnets, scan both. Now, write down each computer you found and their IP addresses, along with any relevant notes. When you're done, you should have a list of each (or most) of the servers on your target's network, not behind a firewall/proxy server, and accessible to you.
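The subnet arithmetic in that paragraph, as an added example (not part of the original text) using the text's own addresses. It is pure address math with the standard library and touches no network; it also goes one step past the text and shows the "broken up even further" case, a /26, where the usable range is no longer 1 through 254.

```python
# Added example: which addresses share a subnet, and what the usable host
# range of that subnet is.  Addresses are the text's own illustrative ones.
import ipaddress


def network_of(ip, prefixlen=24):
    """The network containing ip; /24 is the old 'class C' subnet of the text."""
    return ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)


def same_subnet(ip_a, ip_b, prefixlen=24):
    """True when both addresses fall inside one network of the given size."""
    return ipaddress.ip_address(ip_b) in network_of(ip_a, prefixlen)


def host_range(ip, prefixlen=24):
    """First and last usable host address of the subnet containing ip.

    hosts() already leaves out the network address (.0 on a /24) and the
    broadcast address (.255), which is why the text says 1 through 254.
    """
    hosts = list(network_of(ip, prefixlen).hosts())
    return str(hosts[0]), str(hosts[-1])


if __name__ == "__main__":
    print(network_of("253.87.8.45"))
    print(same_subnet("253.87.8.3", "253.87.8.45"), same_subnet("253.87.8.45", "253.87.11.12"))
    print(host_range("253.87.8.45"))       # the /24 the text describes
    print(host_range("253.87.8.45", 26))   # a /24 split four ways
```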
Step Three - Point-of-Entry Determination
Now that you know what servers are on this network, you need to find out what kinds of computers they are: what OS's they are, and what services are running on each. So what do you do next? You guessed it - you'll scan for services, or ports, on each computer you found. Use your portscanner and scan each computer you wrote down. Think of each service running on a machine as a door that you might be able to break in through. Below I'll explain methods to use to possibly "break and enter" through each "door." Now, to get in, and have the power to actually do things and explore the network, you'll need to telnet or NetBEUI into one of the machines. This is usually the last step of hacking your way in, and you'll need a username and password to do so (or an exploit, which will be explained shortly). You'll hack into other ports in order to get these usernames and passwords. Now, a username and password that works on one machine of the network will usually work on all on that same network, so if you get passwords from one computer, you can use them on a different one to get in. Also, if there are no telnet ports, you can still (sometimes) log in via FTP. You won't be able to do much (like run any programs on the computer), but you will be able to look around and upload or download files from the computer. What steps to take here entirely depend on the Operating System of your target. Some networks you'll find will have a variety of OS's, some will have just one. Here is a list of ways to fingerprint computers - find out what their OS is.
Server Fingerprinting
· If port 23 is open, it's probably UNIX. Telnet to it to find what flavor (BSD, Solaris, etc). It is important!
· If port 135 or 139 is open it's probably NT. At a DOS command prompt, type:
c:\nbtstat -A [ip address]
If you get a response other than 'host not found,' it's definitely NT (or possibly Windows 9X).
More on what this nbtstat stuff means in the NT section.
· If none of the other ports are open, try telnetting (or FTP-ing) into port 23, and give the command:
ftp>SYST
Without the prompt (just 'syst'). This might tell you the OS of the machine, or at least if it's UNIX or NT. Sometimes you have to log in before giving this command, sometimes not.
· If port 80 is open you can telnet in and issue this command:
GET / HTTP/1.0
To find out the webserver running. You'll probably want to turn on your telnet logging, because the info will fly by your screen really fast. If the webserver is IIS, the machine is NT. If the webserver is Apache, the machine is UNIX (probably Linux). Otherwise, look up whatever webserver is running to find out what OS it's for.
· If ports 21, 23, 80, 135, and 139 are all closed, there's no easy way to find the OS. But then, without at least one of these ports being open, you probably won't be able to hack in either (these ports are the primary means you'll get in) so pick a different computer to try and break into.
The Kinds of OS's you'll run into are pretty much just NT Server (along with an occasional NT Workstation and Windows 9X box), and UNIX. At least once in a while, though, you'll run into a Netware box, and even a mainframe wired to your target's network. That means to become elite, you'll have to learn a handful of operating systems.
UNIX
UNIX machines are the backbone of the internet. The OS and TCP/IP were crafted pretty much simultaneously, with each other in mind (where else can you send an entire email in one command?). For example, Internet email addresses are username@computer.com because inter-UNIX messaging was in that form. The vast majority of the computers you'll come across on the Internet will be some flavor of UNIX, be it BSD, Solaris, AIX, Linux, or whatever. UNIX systems are set up to be multiuser. There will be a UNIX box with lots of dumb terminals (monitors and keyboards with no boxes of their own) directly hardwired into it. Each person who is authorized to be on a dumb terminal (or access the box via telnet) has an account on that system, and probably on each machine on that subnet. Their account has their own directory (folder), which is the same as their username. As soon as they log in, they will be placed in that directory, or their home directory. Every file and directory in a user's home directory belongs to that user, be it a text file, program, or whatever. Also, every user belongs to a group. This is important, because it is a fundamental of how permissions work.
Not every user is allowed to read every file on the computer, change every file, and run every program. To list the files in your pwd (present working directory, the "folder" you're currently in) type 'ls' (without the quotations). This is equivalent to the 'dir' command in DOS. Type 'ls -a' to see all files, including hidden ones (files that start with a period). To see the permissions of the files in your pwd, type 'ls -l'. This will tell you the permissions of that file, including who owns it, and what group that user belongs to. Permission categories are set for read permissions (the ability to read the file), write (the ability to make changes to the file), and execute (the ability to run the program). Each category is set for the owner of that file (user), everyone in that user's group (group), and then for everyone else on the system (other). When you issue ls -l, each file will be listed with a ten-character string. The first character will be a dash (-) if it's a regular file, a 'd' if it's a directory, or an 'l' if it's a symbolic link (kinda like a windows shortcut). Other less common letters may appear, which I won't cover. The next nine characters are broken up into three sets of three. The first three apply to 'user,' or the owner of that file. Each of the three characters represents either an r for read, a w for write, or an x for execute. If they have permission to read, write, or execute that file, the corresponding letter will appear; if not, a dash will. The next set of three characters apply to the file owner's group, with r, w, and x in the same manner. And the last set of three are for 'other,' meaning the permissions (r, w, and x) for everyone else on that system. So a permissions string of -rwxr--r-- means that it's a regular file (not a directory or link), that the owner of that file can read it, make changes to it, and execute it. Also, we see that the group that the user belongs to can also read the file (but not change or execute it), and that everyone else can read it but nothing else.
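An added example (not from the original text) that decodes the ten-character string exactly as the paragraph describes, and goes a little beyond it: it converts the string to the octal number chmod takes, handles the 's' and 't' letters the text skips over (setuid, setgid and sticky bits), and flags the world-writable case that matters later when a user has left his files -rwxrwxrwx.

```python
# Added example: parse the ten-character mode string printed by ls -l.
from collections import namedtuple

Perm = namedtuple("Perm", "read write execute")
Mode = namedtuple("Mode", "kind user group other")

# First character of the string -> what kind of entry it is.
KINDS = {"-": "regular file", "d": "directory", "l": "symbolic link",
         "c": "character device", "b": "block device",
         "p": "named pipe", "s": "socket"}


def _triplet(chars):
    """Turn one 'rwx' group into a Perm; lowercase 's' or 't' means execute is on too."""
    r, w, x = chars
    return Perm(r == "r", w == "w", x in "xst")


def parse_mode(mode_string):
    """Parse a mode string such as '-rwxr--r--' into kind plus user/group/other Perms."""
    if len(mode_string) != 10 or mode_string[0] not in KINDS:
        raise ValueError(f"not an ls -l mode string: {mode_string!r}")
    user, group, other = mode_string[1:4], mode_string[4:7], mode_string[7:10]
    return Mode(KINDS[mode_string[0]], _triplet(user), _triplet(group), _triplet(other))


def to_octal(mode_string):
    """The same permissions as chmod's four-digit octal, e.g. '-rwsr-xr-x' -> '4755'."""
    m = parse_mode(mode_string)
    special = ((4 if mode_string[3] in "sS" else 0)     # setuid
               | (2 if mode_string[6] in "sS" else 0)   # setgid
               | (1 if mode_string[9] in "tT" else 0))  # sticky
    digits = "".join(str(4 * p.read + 2 * p.write + p.execute)
                     for p in (m.user, m.group, m.other))
    return f"{special}{digits}"


def world_writable(mode_string):
    """True when 'other' may write: the case that makes a user's files a liability."""
    return parse_mode(mode_string).other.write


if __name__ == "__main__":
    print(parse_mode("-rwxr--r--"))
    print(to_octal("-rwxr--r--"), to_octal("-rwsr-xr-x"), to_octal("drwxrwxrwt"))
    print(world_writable("-rwxrwxrwx"))
```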
UNIX is set up much like DOS, in that there are directories with subdirectories, and a root directory. Instead of C:\tools\ftp you would see /tools/ftp. The slashes are forward instead of back, and there is no drive letter - root is simply:
/
Another similarity between UNIX and DOS is the idea of writing a file containing a list of commands to be run in order. If you're familiar with DOS batch files (.bat or .cmd for NT), UNIX shell scripts work the same way. Use vi or some other editor to write commands one line at a time. To execute them, use chmod to make them executable, or type:
sh shellscript
where sh is the shell you want to execute the script, and shellscript is the script itself.
Oftentimes, if you find a UNIX machine on the Internet, it is connected to a variety of other computers. What's more exciting is that the UNIX machine you just broke into may be directly connected to another, more secret UNIX computer that was behind a firewall (meaning that you normally wouldn't be able to just telnet to it from your home computer, and it probably didn't show up on a subnet scan). If you telnet from your hacked UNIX account to another UNIX machine, your source IP address becomes that of the UNIX machine you are on (this is often done to deter authorities from tracing a hack). So let's pretend you run a subnet scan on your target network, looking for a computer called secret.network.com. Among others, you find comp1.network.com, comp2.network.com, and comp3.network.com. But no computer named secret. And if you try to telnet to secret.network.com, your connection lasts only a split second. Firewall. After a few hours of plugging away, you get a rootshell on comp2. You then telnet from comp2 to secret, and are presented with a logon prompt. Why can you now connect to secret? Because your IP address is now comp2's, meaning secret is set up to allow connections only from computers on its own network - and it thinks you are comp2. For a list of connected UNIX machines, look at /etc/hosts.
When you first log into a machine with a username and password you 'hacked,' find out what group that account belongs to, and get a feel for what kinds of stuff you have access to, and what you don't. If you find yourself with just about zero access to anything fun, you'll have to use the account you have to obtain one with more privileges. Here are a few ways to do that.
UNIX Stair-stepping
· Get the unshadowed password file. More on this in the 'Unbeleivable...A Hacker!' section.
· Find a vulnerable program to exploit (such as a buffer overflow - more on this in 'Unbeleivable...A Hacker!').
· Install a keylogger or network sniffer.
· If the only password file you can get is shadowed, use it and the finger command to get a list of usernames, and Brute Force the system.
In order to better hack a UNIX system, you'll need to know your way around one. Here is a basic list of directories in UNIX, and what you might find in them.
/ The root directory.
/dev Device files (in UNIX, every physical device is represented by a file, like hda for the first hard drive, and tty for terminals).
/etc The system Directory - all kinds of stuph, including the password file (usually).
/usr Usually holds user's home directories.
/u Also can hold user home directories.
/lib Holds library files - .h files which are like DLL's for C programs.
/var Holds system logs - go here to clean up your tracks.
/pub The public directory.
/root Root (the superuser) home directory
/bin Binaries - compiled programs like sh, telnet, and most commands
Of course, you'll find many more directories and subdirectories than this. This will just give you an idea on how to navigate a UNIX environment. Also, Appendix B has a list of UNIX commands.
It's important to know that different commands work differently under different shells. Yes, UNIX has multiple shells. If you're used to DOS, this may be a bit confusing at times. As I said in the description of 'shell' in the 'A Little Hacker Lingo' section, a shell is an interface to an OS. The kernel of any OS is the heart of it - the brain. The shell is the interface to it - the program between you and the kernel. The shell accepts commands (either command-line or GUI commands, like double-clicking something) and interprets the commands into something the kernel can understand and execute. UNIX is a very versatile OS, and has multiple shells for multiple ways of interfacing with the system.
/bin/sh The Bourne Shell - the first (and most basic) UNIX shell.
/bin/bash The Bourne Again Shell - good for beginners.
/bin/csh The C Shell - csh commands are similar to the C programming language.
/bin/zsh The Z Shell - more programmer friendly.
/bin/tcsh The TC Shell - similar to the C Shell.
/bin/ksh The Korn Shell - similar to the Z shell.
There are a few more, but these are the most common. To find out what shell you're using, type the command:
echo $SHELL
(Note: the $ indicates an environment variable, which work similarly to environment variables in DOS only a variable looks like $var instead of %var%). Also, redirectors and pipes work the same for most shells. Here's a quick explanation on special characters for UNIX:
> Redirector - sends output of a command to a text file instead of stdout - your monitor.
< Redirector - inputs data from a text file instead of stdin - your keyboard.
| Pipe - the output of one command is sent as input to another.
& Ampersand - sends a process to the background and gives you a prompt back.
! Exclamation - sends commands to the parent process / shell.
For more info on UNIX, get a UNIX book, or read the UNIX Bible text file (available at The CyberUnderground). This is one operating system that you will need to know, and well, if you plan on becoming leet.
Hacking UNIX
To break into a UNIX box requires a few things. First, you need to know what flavor it is. These include Linux, NetBSD, FreeBSD, OpenBSD, System V, SunOS, Solaris, AIX, Digital UNIX, HP-UX, SCO Unixware, IRIX, and a few others. Each of those comes in various version numbers as well. If the login prompt won't tell you, an FTP SYST may; otherwise you'll have to get in to find out.
Follow steps one, two, and three in the 'Getting Started - Your First Night as a Newbie' section. Find out what ports are open, and what daemons are bound to these ports. Get a list of usernames through the website (if one exists), through finger, etc. Then, spend a bit of time brute forcing (explained more thoroughly later) each one of these. Then try the list of commonly used UNIX logins/passwords in Appendix A. Oftentimes this won't work - but it's easy so give it a shot.
Next look for vulnerabilities. Open up your CGI Vulnerability Scanner (or go to infinityzone.cjb.net and use theirs) and scan for vulnerabilities. If the scanner finds one, you'll want to learn how to exploit it. The 'System Exploit' section of this text lists a few. Some scanners explain how to exploit them (or even do it for you), but you'll usually have to look it up. Go to www.rootshell.com, www.securityfocus.com, www.anticode.com, www.bugtraq.com, or any other exploit site and look up the vulnerability you found for specific ways to get in. If you can't find any CGI vulnerabilities, look for service vulnerabilities. Specifically, find out what programs (and version numbers) are running on ports 21, 25 and 80. Certain versions of wu-ftp (an FTP server) are vulnerable, as are versions of sendmail (an HTTP daemon). Search all the exploit archives for every daemon on every port of your target. You'll usually find at least one vulnerable service on a network.
Get that exploit to run. Most are in C code, so you'll have to compile it on a UNIX machine - either your own or another shell account. One issue here is that all flavors of UNIX interpret different C scripts differently, as do different shells. Compiling code sometimes involves a bit of tweaking and playing with cc and gcc. For that reason, you'll be much better at UNIX hacking if you learn C. Using exploits will be explained in more detail later.
TFTP. The Trivial File Transfer Protocol is similar to its cousin, but much less secure. TFTP listens on port 69, so if you see that open, you may be in luck. TFTP accounts are commonly unpassworded, also. Not to mention that they don't use encryption during authentication, so sniffing segments on these boxes will often provide results. Another huge insecurity with TFTP is that most installations don't restrict access with a virtual root directory. Meaning even logged in as 'guest' you can venture all the way to /, including /etc. TFTP is necessary to autoconfigure Cisco routers, so if you see a Cisco machine on the network, scan its subnets for open port 69.
Rhosts. In a nutshell, if any user has a .rhosts file in his home directory, he can execute commands from another computer. The /etc/hosts file is the .rhosts equivalent for the entire system, but usually blocked from most users. If your victim has a .rhosts file in the /home/john home directory that allows connections from your UNIX box, you can use the 'rlogin' command to log in (like telnet) without a password. The .rhosts file and /etc/hosts file describe what systems can utilize the R services, and what users. The plus sign (+) is a wildcard, meaning any host, or any user. So pretend you crack the guest account of a Sun box. You want root, but can't run any programs to exploit the machine. But you notice user jsmith can. And jsmith left his directory unprotected (-rwxrwxrwx on all his files). What do you do? This:
echo + + > .rhosts
This will put '+ +' into his .rhosts file, allowing you to rlogin into his account. We'll go into a bit more depth of the R services and how to abuse them in the 'Elite Hacker Tactics' section. >:-)
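Since a '+ +' line is the thing to look for on a box you administer, here is an added example (not from the original text) of a small audit of .rhosts and hosts.equiv contents: it parses the host/user pairs and reports the wildcard entries. The file contents and hostnames below are constructed for the example.

```python
# Added example: parse .rhosts / hosts.equiv contents and flag wildcard
# trust.  SAMPLE_RHOSTS is constructed; the hostnames are invented.

def parse_rhosts(text):
    """Return (host, user) pairs from a .rhosts or hosts.equiv file.

    Each line is 'host' or 'host user'; a missing user means the same
    username as the account that owns the file.  '#' starts a comment.
    """
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def wildcard_entries(text):
    """Entries that trust any host ('+' as host) or any user ('+' as user)."""
    return [(h, u) for h, u in parse_rhosts(text) if h == "+" or u == "+"]


def trusts_everyone(text):
    """True for the '+ +' case from the text: any user from any host may rlogin."""
    return ("+", "+") in parse_rhosts(text)


SAMPLE_RHOSTS = """\
# constructed example of a user's ~/.rhosts
comp1.network.com jsmith
trusted.network.com
+ +
+ jsmith
"""

if __name__ == "__main__":
    for host, user in wildcard_entries(SAMPLE_RHOSTS):
        print("wildcard trust:", host, user if user else "(same user)")
    print("open to everyone:", trusts_everyone(SAMPLE_RHOSTS))
```

A line with only '+' and no user is also reported, since the missing user field still means the owner's own username from any host.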
NIS and RPC. RPC (Remote Procedure Call) was developed by Sun Microsystems to allow running applications to seamlessly interact with apps on another UNIX box. And NIS is used to provide information about these apps. Portmapper is what RPCs use to get this information from NIS, so if you see that port listening, use the command 'rpcinfo' to query that port and get valuable information from it. Type 'man rpcinfo' for more information on portmapper, RPC, and NIS.
NFS. Network File System - the protocol used to connect UNIX machines. Having to telnet between UNIX boxes in a network can be a pain in the ass at times. NFS (which listens on port 2049) is a way to mount remote filesystems on the local machine. Let's say you work primarily on the machine UNIX1. Occasionally, though, you need to access files on UNIX2, but don't want to log in to it all the time. So the sysadmin mounts part of UNIX2's filesystem onto your own. The directory /acct/dir1/ is mounted on your /mnt/u2 directory. So if you issue a 'cd /mnt/u2' you're actually on UNIX2 - but can't go any further up its hierarchy than /acct/dir1. The way this works is that certain directories are exported, meaning made available for mounting. To look for exported directories on a remote UNIX server, type this command:
showmount -e www.victim.com
If there are any exports, you'll see something like:
export list for www.victim.com:
/exprt (everyone)
/var (everyone)
/exprt/agregor agregor
As you can see, /exprt and /var are exported out to anyone. To mount either, type:
mount www.victim.com:/var /mnt/dir
where /mnt/dir is the directory on your own machine where /var will be mounted. If you cd to /mnt/dir, you're now on your target. Here's a more complex break-in. Let's say when you mount /exprt, you can't get into /agregor from there (access denied) because only the user agregor and root are allowed access. Let's say you (from your own UNIX box - Linux or something) fingered agregor@www.victim.com and got:
agregor /exprt/agregor Tue, Jan 1, 2000
Here we see that his home directory is /exprt/agregor. So we mount that directory (but still can't get in). We aren't allowed access... but agregor is! And technically, since we mounted that directory, it's considered part of your local machine. You can use the adduser or useradd command to add a user on your own machine called agregor and - pow! - you're in. One last note on NFS - only root can use showmount and mount, so you really should make a Linux partition on your hard drive. Redhat 5.2 and SuSE (the latest version) only cost about $30.
The R Services. UNIX utilities like rsh, rlogin, and rwho are used to run commands on or log in to other machines - without using a password. The syntax for these commands includes a username (but defaults to the user you're logged in as locally), and if that user on the target machine has an appropriate .rhosts file in his home directory, the command will execute.
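As an added audit example (not part of the original text), the following shell functions flag the two weaknesses described in the .rhosts and NFS sections above from the defender's side: exports that `showmount -e` lists as mountable by everyone, and .rhosts or hosts.equiv entries that use the `+` wildcard. The hostnames and file contents are constructed samples.

```shell
#!/bin/sh
# Added audit helpers (constructed example, not from the original page).

# Constructed sample of `showmount -e` output, same shape as the page shows.
SAMPLE_EXPORTS='export list for nfs.example.internal:
/exprt (everyone)
/var (everyone)
/exprt/agregor agregor'

# Print each export whose client list is "(everyone)", i.e. world-mountable.
# Skips the "export list for ..." header line. Remediation: restrict the
# export to named hosts (and keep root_squash on) in /etc/exports.
world_exports() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "(everyone)" { print $1 }'
}

# Constructed sample .rhosts (or /etc/hosts.equiv) content.
SAMPLE_RHOSTS='trusted.example.internal jsmith
+ +
# comment line
+ root'

# Print every non-comment entry whose host or user field is the "+" wildcard;
# "+ +" trusts any user from any host for password-less rlogin/rsh.
rhosts_wildcards() {
    printf '%s\n' "$1" | awk '$1 !~ /^#/ && ($1 == "+" || $2 == "+") { print }'
}

# Walk real home directories and report wildcard .rhosts files found.
# Usage: audit_rhosts /home (needs read access to the files it inspects).
audit_rhosts() {
    for f in "$1"/*/.rhosts /etc/hosts.equiv; do
        [ -r "$f" ] || continue
        hits=$(rhosts_wildcards "$(cat "$f")")
        [ -n "$hits" ] && printf '%s: wildcard entries:\n%s\n' "$f" "$hits"
    done
    return 0
}
```

Run `world_exports "$(showmount -e nfs-host)"` against a real server to list exports that need tightening, and `audit_rhosts /home` on a host to find wildcard trust entries.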
To learn the most about UNIX, you must play around with it. Get a shell account from hobbiton.org, shellyeah.org, or m-net.arbornet.org. These accounts are pretty limited (some won't let you use compilers, some won't let you use FTP, etc). For best results, install Redhat Linux on your system. Appendix G will help you with that.
Check PART 2 for more.