Monday, December 17, 2007

Exposing Scams

Methods of Cracking Email Passwords


One of the most successful methods uses keyloggers and spy software. There are lots of spyware and logging tools available today, such as 007, RemoteSpy, Netvizor, Email Spy, Chat Spy, Spector Pro, eBlaster and Invisible Keylogger, to name a few. This software creates a self-extracting or installation file, which you can then run on the computer for surveillance, or email to your target. The only question is, how can you convince the recipient to open it?

Most hackers do not really HACK passwords by penetrating Yahoo, Hotmail, Gmail and AOL servers; instead they go for the easy way - the end user, that's you. It's not what you see in movies like "Hackers," "SwordFish," and so on. Too good to be true! They don't actually hack, but log every stroke on your keyboard, including the passwords you have typed.
Keep in mind that computer surveillance programs should be used only if necessary; they were not created to invade someone's privacy. If you are going to use one, be a responsible user.



Warning

I am not at all endorsing hacking or spying; this article was written to expose the scam behind the Email Hacking Business.

Novell security hacking

Shared from www

1. Introduction (PLEASE READ)
2. Novell - What You Need to Know
3. The Basics of Novell Hacking
i. Navigating the Network
ii. Command Prompt
iii. Floppy / CD
iv. Gaining Admin
v. Other stuff...
4. Advanced Novell Hacking
i. Tools
ii. File / Print Sharing
iii. SAM
iv. Access the Server
v. Viewing "restricted" drives

========================================================================
INTRODUCTION
========================================================================

Before we get started, let me get a couple of things straight. First of all, I hate it when I
surf the web and can't ever access any site without having shit like "This site is for
educational purposes only" pop up. For you people who are like me, I'll do you all a favour.

Which brings me to my next point. Admins. Most schools across the world have admins that think
they're the smartest things on two legs because they got some diploma that says they know how to
turn on a computer. Well, for any admins that think this way and are reading this tutorial, let
me say this: your diploma or certificate or whatever doesn't mean shit. Sure, it makes you look
smart on paper, but in the real world, if you're lazy or just plain stupid, you will get 0wned
by a person that you think is too young or too stupid to do any real damage to your network.
Make no mistake: if you stop learning, if you stop surfing the web to sharpen your skills, if
you stop caring about your network, sooner or later, some punk who's gonna try and have some
fun's gonna make your life really shit really fast when you find out that you are way out of
your depth real quick. Enough said. Always keep up with what's happening on the web, no matter
how much time you have to put into it.

Moving on. Now I would like to get some things straight about myself. Although I have made this
tutorial for people wishing to gain privileges in Novell, this tutorial isn't for everybody.
Although I like to think I'm a nice guy, there are certain people I dislike. These are the
people who always want you to do things for them. They never want to learn because they "can't
be bothered" so they always come to you for help. This tutorial is not for people who want the
easy way out. If the only reason you want to know how to do this is so you can impress your
friends, close this tutorial and click on its icon. Now press Shift+DEL. There we go. That
probably got rid of some of them. Anyway, this tutorial is being written for serious people who
have little or no knowledge of Novell simply because they haven't come across it. No problem.
Enjoy.

========================================================================
Novell - What You Need To Know
========================================================================

Let's start off with the question "What is Novell?" Novell is basically a program that you
install over Windows that works over a network to give users appropriate access. For example,
many schools use Novell because it allows them to give students limited rights so they can only
do what the admin allows them to (erhem). There is always at least one administrator to
supervise the network and manage student accounts.

Novell is a respected company that has been making security related programs for a long time.
Unfortunately, in recent years, Novell has been slipping up when it comes to the integrity of
their programs. Not surprisingly, many security holes have been found and many more are on their
way.

========================================================================
The Basics of Novell Hacking
========================================================================

As with any hack, we must first decide on the objective, i.e. what do we want to achieve? Well,
let's go through it. Since you have physical access to the network, chances are you use it quite
often. Therefore you probably wouldn't want to install a virus as you would only be doing
yourself a bad favour. In places like schools, it is very common for admins to restrict access
to the floppy or cd drives as they don't want people bringing in stuff like viruses, corrupt
files or even games. We will soon see how to access these files anyway. Maybe you want admin
rights? If the admin is stupid, even this is possible. Do you want to install a game? Do you
want to look at other users files? All these things and more are possible on some Novell
networks. What you have to understand as either a user or an admin is that networks will always
have flaws. I have classified Novell networks into three basic categories:

* shit security
* ok security
* perfect flawless security

In my experience, I have come across two of the above mentioned types of networks. Guess which
two. Note that many systems start off in the "shit security" category but move up into the "ok
security" category. When this happens, a hacker that had gotten used to a certain system may be
depressed for a while. Until he or she finds new holes. There is only so much an admin can
disable on your computer before it becomes a vegetable and of absolutely no use to anyone.
That's why we use whatever programs we have left to our advantage. If you are a student then you
will undoubtedly have programs that aid in study, such as Notepad, MS Word, you may have
Powerpoint etc. All these programs can be used to our advantage.

First of all, let me cover the "shit" network class. In this network class, you should be able
to do anything. If something you do comes up with the message "This operation has been cancelled
by the Administrator" or "You have insufficient rights to execute this command" or something to
that effect, then the network falls into the "ok" class. Anyway, if your network falls into the
"shit" class, you should be able to open Internet Explorer then go File > Open then Browse...
When you do this, you will be able to see the entire C: drive of the computer, though you may
not necessarily be able to open any of the files.

***Note: This tutorial assumes that the Desktop has been stripped of all icons and the start
menu is almost bare if not completely removed.

OK. Now that we can see the path of all the files, we click Browse... again and attempt to open
a file using IE. Pick a useful file like "command.com" if you are using winnt. When you find the
file, click ok and you will have a little box with the full pathname of the file. You can either
OK, Cancel or Browse... Do neither. Copy the pathname. Now open MS Word. Go to View > Toolbars
then go to Visual Basic. A toolbox will pop up. Click "Design Mode". A new toolbox should pop up
again. This time click the "Command Button" which just looks like a small rectangle. When the
button pops up, double click it. You should be taken to a VB screen with the following in the
middle:

Private Sub CommandButton1_Click()

End Sub

Now type in...
SHELL("C:\winnt\system32\command.com")
...and hit F5 (Debug), so your screen looks like

Private Sub CommandButton1_Click()
SHELL("C:\winnt\system32\command.com")
End Sub

Hopefully, a minimized command screen will come up. If it doesn't, try this:

Private Sub CommandButton1_Click()
a = SHELL("C:\winnt\system32\command.com",vbNormalFocus)
End Sub

Hit F5 again. If this doesn't work there could be a number of things wrong. If a screen comes up
saying macros have been disabled, go back to your first Visual Basic toolbar. One of the buttons
says "Security...". Click it, then select the option that says "Low". Try again. If this was the
problem, you are lucky. If it still doesn't work, read on. If it says "Run-time error:'53'---
File not found" you are in trouble. It means you either fucked up the pathname or it isn't
there. Of course, if your computer is running win2k or xp you will have to slightly adjust your
pathname to the one above.

***Note: I recommend you use command.com as opposed to cmd.exe. The main reason is that cmd.exe
can be blocked off by your administrator, so as soon as you open it you will get something that
says "CMD has been restricted by your administrator. Press any key to continue...". If this
happens, cmd is useless.

Now we move on to Powerpoint. This is a very simple way of opening files. You create any slide,
then right click and go "Hyperlink" or whatever it says. From there you are able to link it to
any file on the computer. When you view the slide show, click on the hyperlink and you will open
the file.

Now we move on to Notepad. Notepad is one of those things that I would kill for. It is just so
versatile that it can be used for anything and everybody has it, so there are never any problems
with compatibility. That's part of the reason most tutorials, including this one, are written in
Notepad. The way we will use Notepad in this example is by creating an HTML hyperlink to a file,
much like what we did with Powerpoint. So we open Notepad then type (using the same command.com
path as before):

<a href="C:\winnt\system32\command.com">click</a>

We then go to File > Save as... then we type in "link.html" in our private drive (the drive the
admin has allocated to each user for storage of personal files, sometimes also called My
Documents). When we refresh the drive, we should be able to see an IE icon called "link.html".
Double click it, then click the hyperlink. Hope it works!

Now we will try creating shortcuts. This is probably the easiest method to use to get into DOS
(strictly speaking this is not true DOS, but for the purpose of this tutorial I will refer to it as such).
That's the reason I saved it for last. The earlier methods allow you to fish around inside the
network and get to know how it works, what makes it tick. Not to mention that the previous
methods were not limited to accessing command, but allowed us to open ANYTHING. Now let's take a
look at how shortcuts work. Open your local drive, then right click and go to New > Shortcut
(if you have right click disabled go to File > New > Shortcut). In the space provided type
"command" and hit next. Now click finish. You should have a shortcut placed on your drive that
takes you to DOS.

Now let's take a look at QBasic. QBasic is a primitive sequential programming language used to
create really crappy programs. Luckily, most schools have QBasic in their syllabus, so you
should have the icon. If you do, you are lucky. Open QBasic, then when you get to the main
screen, type...

SHELL

...and Hit F5

This will immediately open up DOS for you. Cool huh? So, what can we do with DOS? If you need to
be asking that question then you shouldn't be reading this tutorial, but briefly I will tell you
that DOS is very helpful when accessing anything, whether it be on a hard drive, floppy, cd or
anywhere else.

Speaking of floppy, you may be wondering how to access it or cds on a network that appears to be
completely locked down. There are a couple of ways. First of all, if you can see any drives as
icons, try right clicking on them. You might have an option that says "Map Network Drive" and
"Disconnect Network Drive". If this is the case, find out which one is the floppy drive (try a:
or b: first) and disconnect it. Now, in the address bar in any window, type "a:" and you should
be taken to the floppy.

If this doesn't work, then don't worry. Heaps of things definitely will. Of course it depends
greatly on the network, but generally the principle is the same. In a network where you don't
have the luxury of being able to freely browse everything, you have to be shifty. In your
private drive, try creating a shortcut to a:. This will almost definitely not work but is worth
a try. Also, try going to File > Winzip > Zip to file. This will allow you to transfer files
to your floppy.

Lastly, we can use DOS. This is my favourite method because it's hell hard to disable shit in
DOS, at least, effectively, so there aren't heaps of ways around it. In DOS type:

C:\>a:
A:\>dir

Volume in A has no label
Volume Serial Number is 0001-0AA0
Directory of A:

BO2k.zip 111,111 1/1/04
Netbus.zip 111,111 1/1/04

A:\>

So now we can see what's on the disk. If you wanna run it you can type:

A:\>Netbus.zip

However, a more efficient way of opening it would be to first copy it to your private drive. We
do this by typing:

A:\>copy a:\*.zip h:

Assuming h: is your private drive. The wildcard will copy all files with the extension ".zip".
The same way, we can open cds. Exactly the same. Sometimes when we copy it to our drives we get
the message that "This operation has been cancelled by your administrator". In this case, we go
back to MS Word and open a VB macro. Type in the path and you open it. No questions asked and no
crappy prompts. By the way, you can also use a macro to open files directly from the floppy or
cd. I just prefer not to. I think it's easier to just copy them directly. Also you don't have to
check the pathname every time you want to open a new file. But whatever. Do what you feel
comfortable with. There is another way of getting access to the a: drive using the "net use"
command, but more about that later.

Another extremely useful thing you can do with DOS access is type something like:

C:\>copy c:\winnt\*.pwl a:

This command copies all the .pwl (password) files that are stored in the winnt directory. We can
now take the disk home and crack the password files in our own time at our own leisure. This
only works on crappy networks though. Most reasonably secure or just new networks no longer
store their passwords in .pwl files. In win2k, there's a new thing called SAM (Security Accounts
Manager). This is much harder to break, so more on that later.

Now for a quick lesson on network file sharing. In some networks, the admin allows you access to
all drives. If this is the case, there should be a drive which contains the files of all people
who have access to the network. Once you find the drive, simply scroll down to the folder with
the same name as the target's login name and you can browse their personal files. It should be
noted, however, that this kind of file sharing is only allowed on the shittiest of crappy
networks. I have come across it only once in my life =)

Now let's move on to something that may seem obvious, yet many people don't even consider.
Downloading off the web. As an admin, it is really very simple to turn off downloads. However,
you would be surprised how many admins forget about it and leave the web open to all their users
for all intents and purposes. I think the usefulness of being able to download files off the
internet is quite obvious, so I won't go on for long. In case you have absolutely no
imagination, the internet could be used for downloading backdoor programs, viruses (again,
what's the point?), password crackers or even just simple things like DOS =)

On a slightly different topic, DOS has many features that the common happy internet user doesn't
know, or doesn't need to know about. The most interesting one of these is Netstat. Netstat is a
time honoured command that allows the user to see all the inbound and outbound connections his
computer is engaged in. Netstat has many uses, but we will only quickly look at the most useful.
For the common internet user, Netstat can be used to find out, for example, whether or not they
have a trojan installed on their computer. For example, if they type in Netstat and see that
some computer has established a connection with them on a high numbered port such as 12345, they
know they're in trouble. Although by this time it may be too late, the person could then
terminate his internet connection and run down to the store to buy the latest anti-virus. Just
an example. For people who have malicious intentions, Netstat is an invaluable tool for quickly
and easily finding out someone's IP address or hostname. The trick is to send them a file and
execute the command. This file can be sent using anything; IRC, MSN etc.

***Note: Netstat usually shows only the hostname of the target. For an actual IP, type
Netstat -n.
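From the defender's side, the check the text describes (is some remote host holding an established connection to a high-numbered port on my machine?) is easy to automate. The script below is an added example, not part of the original tutorial: it parses Windows "netstat -n" output, here a constructed sample rather than a real capture, and flags established TCP connections where neither end is an expected service port. The EXPECTED_PORTS set, the addresses and the 1024 boundary are assumptions made for the example.

```python
# Added example (not from the original tutorial): turn "netstat -n" output
# into records and flag established connections a defender would look at.
import re

# Constructed sample of Windows "netstat -n" output; not a real capture.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.15.196.40:1034      10.15.196.26:139       ESTABLISHED
  TCP    10.15.196.40:1041      10.15.196.26:80        ESTABLISHED
  TCP    10.15.196.40:12345     203.0.113.7:1172       ESTABLISHED
  TCP    10.15.196.40:1050      203.0.113.9:6667       ESTABLISHED
  TCP    10.15.196.40:1052      10.15.196.30:445       TIME_WAIT
  UDP    10.15.196.40:137       *:*
"""

# Service ports this (assumed) network legitimately uses: web, NetBIOS, SMB.
EXPECTED_PORTS = {80, 139, 445}

LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")


def _port(text):
    """'139' -> 139; '*' (the unbound side of a UDP socket) -> None."""
    return int(text) if text.isdigit() else None


def parse_netstat(text):
    """Return one dict per connection line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        conns.append({
            "proto": proto,
            "local_ip": laddr, "local_port": _port(lport),
            "foreign_ip": faddr, "foreign_port": _port(fport),
            "state": state or "",
        })
    return conns


def suspicious_connections(conns, expected=EXPECTED_PORTS, ephemeral=1024):
    """Flag ESTABLISHED TCP connections on which neither end is an expected
    service port and both ends sit above the well-known range.  A backdoor
    listening on a high port (the 12345 case in the text) shows up here, and
    so does an outbound connection to an unexpected high port."""
    flagged = []
    for c in conns:
        if c["proto"] != "TCP" or c["state"] != "ESTABLISHED":
            continue
        if c["local_port"] in expected or c["foreign_port"] in expected:
            continue
        if c["local_port"] >= ephemeral and c["foreign_port"] >= ephemeral:
            flagged.append(c)
    return flagged


if __name__ == "__main__":
    for c in suspicious_connections(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{c['local_ip']}:{c['local_port']} <-> "
              f"{c['foreign_ip']}:{c['foreign_port']}  investigate")
```

A flagged line is a starting point for finding out which program owns that port, not proof of a trojan by itself; feed the script a saved netstat capture from the machine in question rather than the sample.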

At this point, you may be wondering why I'm wasting time in showing off my DOS skills. The
reason is that if you're connected to a network, Netstat can show you the IP of the server, i.e.
the "big daddy" computer which runs and maintains the network. In theory, if you wanted to and
you knew the IP of the server, you could create a DoS (Denial of Service) attack on the server.
In the old days this could be achieved by pinging the server with large packets in an infinite loop.
You might be less lucky these days... but hey, it's worth a shot.

Something really cool with DOS is that you can create batch files that execute commands in DOS.
Batch files are basically little programs that you can get to fire off commands. For example, I
can create a batch file that pings the server until I turn off the file. I can, of course, use
all the same commands that I could in an actual DOS window. Thus I can specify how many packets
I send, the timeout, packet size etc.

Creating batch files is incredibly simple. Open up Notepad, then type:

@echo on
REM This is the command you want to run
ping 10.15.196.26 -t -l 1000
@echo off
REM Running the batch file by name at the end creates a loop that repeats the command forever
ping.bat

Now save this file as ping.bat, or anything you want it to be called but make sure you change
the filename at the bottom of the bat file to ensure a loop. The cool thing about this is that
it doesn't wait for the command to be completed. It immediately starts the next command
regardless of the result of the previous one. This method can, of course, be used to execute any
command, and the loop can be stopped by removing the "ping.bat" at the end of the file. If you
wanna have some fun, try typing in "net send [username] [message]" in the command prompt. If the
user is currently logged on, a message will appear on his screen. It's really funny if you can
see their monitor from where you are sitting if you type a crazy message like "You have just
been owned!!!". Be aware however that the person receiving the message will know what computer
the message has come from. Your computer name will be something crazy like LIB00123. Although
the user may not be able to tell exactly who sent the message (then again, if he's smart he
will), he can type in the computer name instead of the username and create a .bat file to spam
you to hell.

Let's get back on track. It's time to show you how to create admin accounts in Novell if the OS
is winnt, assuming the Control Panel is disabled. Note however that this is easy to disable, but
most admins forget about it. Go into any folder and go to the Help menu, then Help Topics.
Search anything related to users, passwords etc. You will then find a topic that contains a hyperlink
to "Users and Passwords". Click it. The crappy thing about winnt security is that when changing
a password, you don't have to know the old one! Anyway, once you either create a new account
or change the password on an existing account, restart the computer. When the logon screen
appears, type your login name and password. Now look around for a checkbox that says
"Workstation". Check it and press OK.

***Note: you will only have admin access on that particular computer. "Workstation" means that
you log onto an account on that workstation. If the checkbox isn't on the login screen, then you
cannot create admin accounts in this way. You will have to try certain programs described later
in the "Advanced Novell Hacking" section.

Lastly, I will show you how to access telnet. As you may have seen, most of my methods involve
DOS. Telnet is no different. In a DOS screen, type "telnet" and you will be taken to the Telnet
screen. From here try telnetting to the server and punch in a few commands to see what you can
do. Find out as much info as you can about what programs he's using and go online to look for
some tutorials.

========================================================================
Advanced Novell Hacking
========================================================================

This short section will discuss various advanced Novell hacking techniques. These involve using
programs such as port scanners, keyloggers, trojans and password crackers. I will also be looking
at File and Print Sharing (Legion V2.1, Sid2User - User2Sid, DumpSec), as well as some tips and
tricks with navigating around the network, including the "net use" command.

Firstly, let's look at various methods of hacking the network using specific programs. Although
this section may offend some people, it is nevertheless an essential part of Novell security. It
is an unfortunate fact that many people these days want to hack someone to be "cool" in the eyes
of their friends. These people have little or no morals, and almost always possess absolutely no
skill whatsoever. All they care about is getting what they want, and they don't care how they
get it. Because of their lack of skill, these people usually rely solely on programs to do their
dirty work (if they don't have a friend who does it for them). If anybody like this is reading
this, I spit on you.

On the other hand, there are many skilled hackers out there who also turn to programs which
automate the process for a variety of reasons, usually because it is easier and usually more
effective to use programs.

As with any hack, there is one tool that you simply cannot live without. A port scanner. There
has been much debate over which port scanner is the best, what the pros and cons of each
scanner are etc. Many say Nmap, but I often think there's no need to waste time with such an advanced
scanner. The problem with Nmap is that it is too complicated for quick and easy use. Nmap is
good for home use, when you have a lot of time on your hands to try out various scans. In my
humble opinion, the best scanner for a Novell network is Angry IP Scanner by Angryziber
(angryziber@angryziber.com). Angry IP allows for lightning fast port scans on huge networks,
with great accuracy. It has some built in features like being able to establish connections over
HTTP, FTP and Telnet, as well as being able to Traceroute. It also has cool things like
"favourites" and being able to tell you many things about the target, such as Hostname, Comp.
Name, Group Name, User Name, MAC address and TTL. On top of all this, it can be used from the
command line! Anyway, it has many more features that you need to explore yourself. For now, all
we really need to be focussing on is its efficient simple port scanning features.

First of all, you will need to get the IP of some computers on your network. If you have been
reading this tutorial carefully instead of just skipping to this section, you will remember that this
can be done using the netstat command in DOS (btw, if you still can't get DOS then you are really
dumb - no offence). You really only need one IP, because most, if not all of the IP's on the
network will have the same Network Number and Host Number. So, if you can see that your IP is
123.123.12.123, you should only scan IP's that have the same Network Number and Host Number. In
the case of the example, you would enter the start IP as 123.123.12.1 and the end IP as
123.123.12.255. First you should scan using only one port because you want to know exactly how
many computers you are potentially dealing with. If you put too many ports, you will be waiting
ages for your results if there are heaps of computers on the network. An alternative to this
would be to use the "net view" command.

C:\>net view

This displays all the computers connected to the network that you are currently on. This command
can be used to get further information about an individual machine by typing:

C:\>net view \\SOMECOMPUTER
==============================
Disk | share name

C:\>net view \\workgroup:TARGETWG (gives all computers in workgroup)
C:\>net view \\domain:TARGETD (gives all computers in domain)

Anyway, it would be best to specify the port as TCP 139, which you should all know as NetBIOS.
If this is open on any computers (and it damn well should be, you are on a network), you may be
able to get access to that computers hard drive. Go into DOS, and type in:

C:\>net use \\ADMINCOMPUTER\IPC$ "" /u:""

If you have even the slightest experience in hacking, you would have seen this command a
thousand times before. For those who haven't, all you are doing is attempting to connect to computer
"ADMINCOMPUTER" using the inbuilt IPC$ share with a null password "" and an anonymous user
/u:"". If this doesn't work, you can try substituting the password for a wildcard * or even the
account, so you can have:

C:\>NET USE \\ADMINCOMPUTER\IPC$ "" /u:""
C:\>NET USE \\ADMINCOMPUTER\IPC$ * /USER:""
C:\>NET USE \\ADMINCOMPUTER\IPC$ * /USER:

They all do the same thing, but sometimes only certain ones will work on certain machines. If
you are unlucky, you could try to substitute the IPC$ for ADMIN$ or C$. These are just
additional default shares. The difference between ADMIN$, C$ and IPC$ is that IPC$ cannot be
removed. This means that you should always be able to establish a connection. Of course, the
admin may want to create additional shares such as A$ (remote floppy drive), E$ (remote
CD drive) and really anything he wants. An admin can quite easily create and delete shares using
the "net share" command:

C:\>net share ADMIN$ /delete
Command completed successfully

This command deletes the remote administrator ADMIN$ share. Shares can be added by typing:

C:\>net share A$ a:
Command completed successfully.

This tells the computer to create a share A$ with the target to the a: drive.
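The same share listing the text says an admin uses to add and remove shares is also what a defender should be reviewing. As an added example, not from the original tutorial, the script below parses "net share" output, built here from a constructed table so the columns line up exactly, and reports shares that are not the built-in administrative ones, that expose a drive root, or that point at removable media like the A$ share just described. The names ADMIN$, C$, IPC$ and A$ come from the text; the PUBLIC and STUDENTS shares, the resources and the remarks are made up for the example.

```python
# Added example (not from the original tutorial): review "net share" output
# for shares that deserve a second look.
import re


def _row(name, resource, remark=""):
    """Lay out one line of the fixed-width table "net share" prints."""
    return f"{name:<13}{resource:<22}{remark}"


# Constructed sample of "net share" output.  ADMIN$, C$, IPC$ and A$ follow the
# text; the PUBLIC and STUDENTS shares and all remarks are made up.
SAMPLE_NET_SHARE = "\n".join([
    _row("Share name", "Resource", "Remark"),
    "",
    "-" * 79,
    _row("ADMIN$", "C:\\WINNT", "Remote Admin"),
    _row("C$", "C:\\", "Default share"),
    _row("IPC$", "", "Remote IPC"),
    _row("A$", "A:\\"),
    _row("PUBLIC", "D:\\", "Everyone full control"),
    _row("STUDENTS", "D:\\Students", "Student home dirs"),
    "The command completed successfully.",
])

DEFAULT_SHARES = {"ADMIN$", "C$", "IPC$"}   # created by Windows, admin-only
REMOVABLE_DRIVES = {"A:", "B:"}            # floppy letters, as in the text
DRIVE_ROOT = re.compile(r"^[A-Z]:\\$")


def parse_net_share(text):
    """Split the table on the column offsets taken from its header line."""
    lines = text.splitlines()
    header = next(l for l in lines if l.startswith("Share name"))
    res_col, rem_col = header.index("Resource"), header.index("Remark")
    shares, in_table = [], False
    for line in lines:
        if line.startswith("----"):
            in_table = True
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        shares.append({
            "name": line[:res_col].strip(),
            "resource": line[res_col:rem_col].strip(),
            "remark": line[rem_col:].strip(),
        })
    return shares


def audit_shares(shares):
    """Return (share name, reason) pairs; built-in admin shares are skipped."""
    findings = []
    for s in shares:
        name, res = s["name"], s["resource"].upper()
        if name in DEFAULT_SHARES:
            continue
        findings.append((name, "not a built-in administrative share"))
        if res[:2] in REMOVABLE_DRIVES:
            findings.append((name, "exposes removable media over the network"))
        elif DRIVE_ROOT.match(res):
            findings.append((name, "exposes an entire drive root"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_shares(parse_net_share(SAMPLE_NET_SHARE)):
        print(f"{name:<10} {reason}")
```

Parsing on the header's column offsets rather than on runs of spaces is what keeps the IPC$ line (empty Resource column) from being misread; the same approach works for the output of `net view \\SOMECOMPUTER`.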

I said earlier that it is possible to disconnect the a: drive from the network, thus enabling it
for our own usage. This can be done using the command:

C:\>net use a: /delete

Unfortunately, this command can be restricted by the administrator. Once it is, no command with
the prefix "net" will work. On the bright side, it is rare for an admin to realise that anybody
has been fucking with net use commands and establishing connections, let alone disable the
command. If the command does get disabled, we are forced to turn to programs to do our dirty
work.
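Seen from the machine being connected to, each of the net use variants above is a network logon by the anonymous account, so the Security log is where a defender catches them. The script below is an added example, not from the original tutorial: it reads a constructed CSV export of Security log records (on current Windows a successful logon is event 4624 and a failed one 4625; a null session shows up as logon type 3, network, by "ANONYMOUS LOGON") and lists the client machines that racked up several anonymous logons. The column names, machine names, addresses and the threshold are assumptions made for the example.

```python
# Added example (not from the original tutorial): find null-session style
# anonymous network logons in Windows Security log records.
import csv
import io
from collections import Counter

# Constructed CSV export of Security log records; not a real log.
SAMPLE_EVENTS = """\
EventID,LogonType,AccountName,Domain,Workstation,SourceIP
4624,3,ANONYMOUS LOGON,NT AUTHORITY,LIB00123,10.15.196.40
4624,3,jsmith,SCHOOL,LIB00124,10.15.196.41
4624,3,ANONYMOUS LOGON,NT AUTHORITY,LIB00123,10.15.196.40
4624,2,admin,SCHOOL,ADMINCOMPUTER,-
4624,3,ANONYMOUS LOGON,NT AUTHORITY,LIB00123,10.15.196.40
4624,3,ANONYMOUS LOGON,NT AUTHORITY,LIB00130,10.15.196.55
4625,3,ANONYMOUS LOGON,NT AUTHORITY,LIB00130,10.15.196.55
"""


def parse_events(text):
    """One dict per record, keyed by the CSV header names."""
    return list(csv.DictReader(io.StringIO(text)))


def _is_anonymous_network(e):
    return e["LogonType"] == "3" and e["AccountName"].upper() == "ANONYMOUS LOGON"


def anonymous_network_logons(events):
    """Successful network logons (4624) by the anonymous account."""
    return [e for e in events if e["EventID"] == "4624" and _is_anonymous_network(e)]


def failed_anonymous_logons(events):
    """Failed network logons (4625) by the anonymous account."""
    return [e for e in events if e["EventID"] == "4625" and _is_anonymous_network(e)]


def noisy_sources(events, threshold=3):
    """(workstation, source IP) pairs with at least `threshold` anonymous
    logons, the pattern left by someone trying the net use variants in turn."""
    counts = Counter((e["Workstation"], e["SourceIP"])
                     for e in anonymous_network_logons(events))
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print(len(anonymous_network_logons(evts)), "anonymous network logons,",
          len(failed_anonymous_logons(evts)), "failed")
    for ws, ip in noisy_sources(evts):
        print(f"review {ws} ({ip})")
```

On the hardening side, the RestrictAnonymous value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa limits what an anonymous IPC$ connection may enumerate; raising it is the usual answer to the share and user enumeration this section relies on.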

Although there are a number of Netbios scanners, most of them are rather dated as these days few
hackers seriously rely on Netbios as their main weapon. Sure, it can be fun and rewarding, but
most computers these days have patches to guard against unauthorised access, or simply block
access to TCP 139 through their firewall or router. As a result, most people have stopped making
new Netbios programs. Because of this, most of the programs for Netbios are old. REALLY old.
We're talking old as in 1999 old. Sure, doesn't seem like that long ago, but in the computer
world, that is an eternity. Luckily for us, this is slightly different for networks. Because a
network has to be tied together very closely, it usually depends on port 139 to handle all the
traffic. As a result, most old programs will work like a charm. Although there are many, many
different programs you can use to try and get the shares, I recommend you use Legion V2.1 from
the now dead Rhino9 Security Group. It generally floats among internet sites.

Now let's take a quick look at the Security Accounts Manager (SAM). SAM is a way of storing
users details on the computer. It has usernames and password hashes inside, so it is very
important to keep safe from prying eyes. If you're the one with those eyes, SAM may just be your
goal. To cut the long story short, SAM cannot be accessed while anyone is logged onto that
computer. So what you have to do is restart it in DOS and try and copy it from there onto
floppy. The only problem with this is that sometimes SAM can be very big - a couple of MB even -
so a floppy disk is an unlikely alternative. If the computer doesn't have a burner then it is
unlikely that you will be able to extract the hashes, so try and make the best of it any way you
can. Sometimes it's even possible to rename the SAM file by restarting in DOS and typing:

ren C:\winnt\repair\sam wateva

This will make the SAM file unreadable, so if the passwords are stored on the computer rather
than the server, they will all be useless. If this works, you will be able to log on without a
username or password. If you are able to extract the SAM file, there are many different password
crackers that you can use to take a peek at what's inside. L0pht, Cain and Abel and many more
do a splendid job. Try them out and see what works for you.

Finally, I'll just show you one last thing that will freak the hell out of your admin if he ever
sees it. It is ridiculously easy to access the server on most networks and nobody even considers
this method. Simply create a shortcut to it!!! If you can find a way to find the hostname of
your server, all you have to do is right click, select New then click on Shortcut. In the space
provided, type the hostname of the server. For example, if the server is called "server-1" then
in the shortcut type:

\\server-1

Then click next and that's it! You can double click on the shortcut and you will have access to
all the files on the server!!! As I said before, this will scare the hell out of any admin
because he wouldn't have thought of it himself and has definitely not seen this before.
As for how much you can actually do - that depends entirely on the server. Most times
you will just browse but sometimes, who knows?

Lastly, we will take a quick look at the SUBST command. The SUBST command associates
a path with a drive letter. This means it creates a virtual drive on top of an actual one. This can
be extremely handy when the administrator has blocked off, say, the C: drive from being viewed.
Often the admin simply restricts access to the C: drive by not showing the icon for the drive. If this
is the case simply open up a command prompt and type:

explorer c:

This will open explorer to the C: drive. Generally one will not be so lucky. The C: drive itself is
often restricted and trying to open explorer through command will tell us we don't have permission.
SUBST allows us to get past this. Open up a command prompt and type in:

subst z: C:\

where z: is the virtual drive you wish to create and C:\ is the path of the drive you wish to view.
Now all you have to do is type...

explorer z:

...and an explorer window will pop up showing you the contents of C: but in the z: drive. You may
navigate this at will just as you would normally on an unrestricted computer. Although
useful, SUBST really only gives you a graphical interface, since we can already view the entire
contents of a drive through command.

***Note: SUBST will also add the virtual drive to My Computer. If you have access to My Computer
you will see z: as well.

If you are having trouble with command because you cannot scroll up
whilst trying to use dir, try using dir /w or /p instead. Otherwise...

dir >> H:\dir.txt

...will send the results of the dir to a file called dir.txt (or will create the file if it does not already
exist) on the H: drive. Also note that on large networks net view can also be a pain, but using

net view >> H:\net.txt

we can see all the computers in a text file!

Social Engineering

A Hot Term in Terms of "Ethical Hacking"
I thought it may be beneficial for you.

Social engineering is quite possibly the least popular means of attacking a network currently employed in penetration testing. It certainly receives the least media attention.

These attacks, however, can prove quite costly and should be guarded against. This sort of attack can allow the attacker to bypass the security mechanisms of a network without using any script or hacking tool and without even executing a single piece of code.

Social engineering involves getting employees at target companies to voluntarily surrender their personal or corporate information. This is usually accomplished through nothing more than conversation, often over a telephone and without any direct contact at all. It is essentially a confidence game. It is a good idea to incorporate such an exploit into your penetration testing, since social engineering can circumvent any logical security measures in place. It relies on exploiting employees who either do not place a high value on information security or do not understand that the information they hold (such as the IP address of their firewall or default gateway, or even their own password) can be misused to compromise the network if disclosed to malicious individuals.

There are various methods of social engineering. I would like to discuss three in this article and give examples we are familiar with that are known to produce positive results. Among these are making apparently harmless telephone calls to employees of the target company, searching through the company's office trash, and casually looking at an employee's workspace to directly obtain or deduce confidential information.

1. Using the Telephone

The telephone is the primary tool for social engineering. A talented social hacker can steal more critical information from and cause greater compromise to a target network with a telephone than a team of script kiddies armed with the latest exploit downloaded from the Internet.


This practice is very common in the US, UK and other regions. It is not much practised in India yet, but this is what is happening around the world and you need to be aware of it. Hence I am uploading this article.


Before calling, try to get as much specific information on the target network as possible to help you impersonate an informed caller. Using the discovery tools (such as WS_Ping ProPack and Nmap), it is possible to obtain a great deal of information on the target network (such as its IP address ranges, zone transfers, names of mail servers, firewalls, and so on) that may be useful during the telephone conversation. It is not strictly necessary to have any information at all, since an obliging target of the attack can be talked into supplying all the information you need. Keep in mind, however, that the less information you have prior to the calls, the more difficult your attempt at social engineering will be. I do recommend that you script out what you are going to say, and the company information you are putting forth, prior to calling.

Among the most common phone techniques are
(1) posing as a member of an organization's technical support division, and
(2) playing the role of a disgruntled user seeking a password change.
A third approach is to call the technical support department of a company and enlist their aid in getting a machine connected to their network. While the nuances of these attacks are performed differently by different hackers, the process is largely similar to what is described below.

A better trick!
Beware!! Hutch is being bought over by (Vodafone/Hinduja/Reliance/others) in India; this could happen to you.

Here's another technique that has worked in the past. When two companies merge, especially those with subscribers or paying customers, you can call customers of either company and pose as an employee of the newly formed company, claiming to be verifying user records. In this process, ask the target for his or her account status (such as account history, number, and so on).

For example, suppose two telecommunications companies merge. You can pose as an employee of the merged company, call a customer of the company (any firm within the regions of those phone companies), and ask for their telephone number range(s). This information can then be used to perform war dialing (which I will explain in upcoming articles), which can, among other things, identify desktops with unauthorized modems, one of the most significant security holes throughout America.

Major Tricks: Technical Support

The goal is to contact a user of the target network and simply keep him or her talking long enough to develop a rapport before asking for his or her password. The general approach is to select a number of employees, say 30, ideally representing varying levels of access to the target network. Employees can be selected at random from a company directory if you have no prior information on the firm.

In this approach, you masquerade as a member of technical support and call unsuspecting employees, claiming to be investigating reports of network congestion in the employees' LAN or subnet and requesting their password in order to conduct tests on the network.

The first step is to call the technical support (or help desk) office and get names of a few people there (or use common names, such as Mike and Chris) and the format of a trouble ticket number. This works best if the technical support functions have been outsourced because company employees will not likely know anyone in technical support.

With this trouble ticket information and a good technical support name, call a target company employee and claim to be investigating reports of network congestion. Hopefully the target is not technically savvy and you can use technical phrases, such as “investigating congestion between the hub and the gateway router for your LAN,” to help convince the target that you are indeed who you say you are. Telling him or her that you are trying to fix the current problem so the target's network connection can be faster may help win the employee over.
Next, engage the employee in running simple “tests” that can be done from the user's desktop.

A popular test is to have the target run ping localhost and ask them to see if the TTL field is greater than 64 (it is usually 128 or 256). You then inform the target that a TTL greater than 64 is indeed indicative of network congestion. A ping of the default gateway is also commonly used, which avoids getting caught by employees knowledgeable enough to know that localhost is their own machine. At this time, you can obtain the user's IP address and subnet mask as well as the IP address of the default gateway from the target by asking them to run ipconfig (for a Windows host) or ifconfig -a (for a UNIX machine) and read the results to you. You can justify this by stating you need to see if their IP information corresponds to yours. Running arp -a or the netstat command are other good "tests".

The idea is to keep the user talking, making it just slightly inconvenient for him or her, before finally asking for the password so that you can continue running these "tests" without taking up any more of the employee's time. At any time, if the employee is getting suspicious, politely end the conversation by stating the last test indicated the problem may not be on their end. Give them the trouble ticket number (make one up following the format received from technical support) and end the conversation. Then you can begin again by calling another employee.
If you happen to reach staff members who have been trained in resisting such attacks, or the target happens to be technically proficient, these techniques will be more difficult.

However, in a staff of a large enough size, there are sure to be a few individuals who do not hold to such high standards. In the process of finding them, you may encounter several failed attempts. In that case, it is good to space out the telephone calls between days or, preferably, weeks. This is to avoid raising the suspicions of the target firm. When we were engaged to perform a social engineering attack for a company with over 10,000 employees, from a random sample of 30 employees, 17 offered their passwords under such an attack.

2. Dissatisfied Customer to Customer Care


Do you know Yahoo has a customer support desk to help users who have trouble logging in?

Well, don't try to trick them, as they are good at their job!

What I present below is again a serious measure of social engineering.
Beware!

The goal of the second common social engineering attack is to get customer service to change a user's password. Specifically, have the password changed to one you know so that you can access that user's account. This can be done by posing as a dissatisfied (or disgruntled) customer and requesting a change of password to either a user-supplied password or a generic default, such as the ever-popular “password.” If you can obtain information on what the organization uses for default passwords, this technique will be even more effective.

Through this approach, you call a customer support center and pose as a user who is having trouble logging into a paid service, such as an online trading account. You then explain to the customer service operator that you have been having problems logging into your account for some time now. You have sent e-mail detailing the problem to the appropriate address (for example, support@whatever.com) and have received an e-mail reply from someone in customer support saying that by calling in, you could get your password reset and that this should begin to address the problem. (The name of a person in customer service can generally be obtained from the corporate Web page. The head of customer service will suffice, since most e-mails from anyone in customer support carry a footer from the department head.) The customer service agent will reply that the account seems to be fine; however, this will not satisfy you.

In this exchange, you will have to convince the customer service representative that you are actually the user in question. However, you will not have to know the user's password, and if asked for it, you can respond by saying that it is insecure to give out your password to anyone. If this is done properly, the customer support representative may not even ask you to prove you are who you say you are. Remember, you are not saying you forgot your password and therefore need a new one (which generally requires you to prove your identity); you are saying that you are having trouble with the account and have been told by customer service through e-mail that resetting the password may solve the problem. A slightly disgruntled tone also helps legitimize the difficulty you say you're experiencing. The customer support representative may simply reset the password, since taking this step allows him or her to show that the situation has been successfully resolved to the customer's satisfaction without having to escalate it to the next level.


If the help desk does not verify callers' identities, the job becomes easier. I found that often companies do not ask for user authentication if the call is coming from a phone number internal to the company. This lends itself to internal testing. During internal testing you can call from a company phone.

You can hopefully identify user IDs and associate them with actual names. You can then call the help desk toward the end of the day, representing yourself as one of these users. You indicate you have locked out your account after having changed your password and you cannot remember what you changed the password to. If the help desk does not make you verify your identity beyond checking to see that the call came from the desk phone of the person you say you are, you will be successful. Once you have obtained the new password you can log in and move on. This, however, can be easily detected, since the real user will eventually return to the computer and be unable to log in (because you just had the password changed). He or she will call in to have their password reset, and this should alert the help desk that something is amiss. But by then the damage has been done; you have gained access to the system. Along with current user accounts, accounts that have not been used in some time are good targets, especially since no one is routinely checking these accounts. Hopefully you will have some time to use these accounts to try to elevate your privileges before someone realizes your actions.


As a countermeasure, technical support should verify the identity of any caller regardless of what they are asking or where they are calling from. It may, however, be possible to fake the authentication mechanism. The tried-and-true mother's maiden name check is too guessable (and can be discovered over the Internet through various family history Web sites). A company-supplied question-and-answer challenge, where the company asks users at sign-up to select one of three questions and its corresponding answer, also out of a selected group (for example, "What is my favorite color?" "Red"), is more difficult but still susceptible to brute force attacks over time, since there are a finite number of possible combinations. With time and a bit of luck, the correct combination may well be discovered. Additionally, it is easy for a technical support operator to fail or merely forget to verify identity before issuing a password change. Therefore, establishing a separate queue for issuing password changes and training the customer support representatives who answer these calls to specifically identify unauthorized password change attempts can help reduce the risk of this occurring. This will cause legitimate users some additional delay; however, it can reduce the risk from this type of attack.

3. Trick an Ex-Employee (Good)


A nice trick I would like to share with you guys!!

This approach involves a few more steps than the previous two. In this case, you call an employee who is working off-site at his or her normal office number. It may take a few calls before finding an employee who is not working at the office. Once you do find one and voicemail answers, hit “0” for the call to be forwarded to the administrative assistant.

When the administrative assistant answers, say that you are calling from an insurance company and the employee's policy is being cancelled unless the employee addresses these issues immediately. Then request a phone number where the employee can be reached (either his or her cell phone or a number at the client location).

At this stage, you can use any cover story that will convey to the receptionist that you must speak to the employee immediately. We have seen hackers call as debt collectors or banks, saying that the employee's assets would be seized immediately by the Reserve Bank unless the employee did something.


In either case, with the employee's number, you next call the employee, posing as a member of the human resources department of the company. Apologetically inform the employee that his or her files and paperwork have been misplaced and you need some information in order to try to track down and correct the issue. Ask the employee for his or her full name, home address, home phone number, office address, office phone number, employee number (if appropriate), and so on. At this stage, no passwords are being requested.

Then, with this information, call the technical support division of the employee's company, pretending to be that employee. State that you're at a client site without your own machine (or say it's not working) and that you need help getting a machine logged into the network. Use the information just gathered to help prove your assumed identity. Then say that you will hand the phone to someone in technical support for the client firm where you are currently working. Now, with the aid of the representative from technical support (at the target company), you can configure a machine that can log into their network.

For this to work, it is not strictly necessary to involve someone posing as a member of the client firm's technical support. Doing so adds some legitimacy, at the cost of some additional complications.

4. Trash Collection

Beware! Giving out trash may prove a gold mine to hackers.


During Microsoft's landmark antitrust trial in the final years of the twentieth century, fellow software giant Oracle hired detectives to dig up dirt on Microsoft's activities. One of the techniques the detectives attempted was to purchase Microsoft's trash. Though this may not seem a sanitary activity, it can potentially offer an amazing wealth of information.


Almost every office with a common printer prints out separator sheets with a user's name and the file name of the printed document. A healthy percentage of these sheets wind up in the trash, allowing the brave trash diver to identify at least a partial user list and a list of documents associated with those users. Since people generally give descriptive names to their files, this can also offer many suggestive hints as to what projects the company employees may be working on. Additionally, it may reveal the format of the user names. This format, along with a company directory, could give the hacker a sample user list for the target network.


Further, as employees work on documents, even of a critical nature, they print multiple copies to proofread and make changes. This iterative cycle may yield several printed versions that often do not reach the paper shredder and are instead left in the normal trash. These older versions can still contain a great deal of sensitive information. This is especially true if the final revision was merely for running the spell checker.

Sticky notes often contain a wealth of information. These notes (in yellow and other colors) stand out just as well in trash as they do on a crowded desktop and are a great source of information. On such slips of paper are scribbled names, telephone numbers, and addresses; gift ideas for special occasions; notes from meetings and telephone conversations; and various user passwords. Often valid user names and passwords to printers, remote servers, file shares, guest accounts, and so on are clearly and neatly written on sticky notes and thrown away when either memorized or no longer needed. However, the accounts and access privileges are often still valid.

We strongly recommend using caution when going through the trash. Trash can contain sharp objects, caustic chemicals, rotten food, and other unhealthy and potentially dangerous items. If you are going to perform dumpster diving, wear proper protective equipment; latex surgical gloves underneath thick, heavy-duty work gloves are recommended. However, even these two layers of protection may not be enough to guard against a hypodermic needle. Use caution.

If the organization recycles office paper, you will often find the most useful information there and can avoid the unsanitary conditions of general trash. As for where to dump the trash, please do not dump the contents of the trash receptacle onto your own or a colleague's desktop. Instead, spread a sheet of plastic on a flat surface, dump the trash on the plastic, conduct your examination, and when finished, wrap up the plastic and discard it again. Going through the trash can be done on a user-by-user basis by collecting individual trash receptacles, or on a far larger scale by attacking dumpsters and recycle bins that serve entire divisions or even whole companies.

Top Hacking Tools



Top 10 Linux Tools

1. nmap - Nmap ("Network Mapper") is a free open source utility for network exploration or security auditing. It was designed to rapidly scan large networks, although it works fine against single hosts. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. Nmap runs on most types of computers and both console and graphical versions are available.

2. Nikto - Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 3200 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers. Scan items and plugins are frequently updated and can be automatically updated (if desired).

3. THC-Amap - Amap is a next-generation tool for assisting network penetration testing. It performs fast and reliable application protocol detection, independent of the TCP/UDP port the service is bound to.

4. Ethereal - Ethereal is used by network professionals around the world for troubleshooting, analysis, software and protocol development, and education. It has all of the standard features you would expect in a protocol analyzer, and several features not seen in any other product.

5. THC-Hydra - Passwords are one of the biggest security holes, as every password security study shows. Hydra is a parallelized login cracker which supports numerous protocols to attack. New modules are easy to add; besides that, it is flexible and very fast.

6. Metasploit Framework - The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. This project initially started off as a portable network game and has evolved into a powerful tool for penetration testing, exploit development, and vulnerability research.

7. John the Ripper - John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are officially supported, not counting different architectures), DOS, Win32, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix flavors, supported out of the box are Kerberos AFS and Windows NT/2000/XP/2003 LM hashes, plus several more with contributed patches.

8. Nessus - Nessus is the world's most popular vulnerability scanner used in over 75,000 organisations world-wide. Many of the world's largest organisations are realising significant cost savings by using Nessus to audit business-critical enterprise devices and applications.

9. IRPAS - Internetwork Routing Protocol Attack Suite - Routing protocols are by definition protocols, which are used by routers to communicate with each other about ways to deliver routed protocols, such as IP. While many improvements have been done to the host security since the early days of the Internet, the core of this network still uses unauthenticated services for critical communication.

10. RainbowCrack - RainbowCrack is a general purpose implementation of Philippe Oechslin's faster time-memory trade-off technique. In short, the RainbowCrack tool is a hash cracker. A traditional brute force cracker tries all possible plaintexts one by one at cracking time. It is time consuming to break complex passwords in this way. The idea of the time-memory trade-off is to do all the cracking-time computation in advance and store the results in files, the so-called "rainbow tables".


Top 10 Windows Tools

1. Cain & Abel - Cain & Abel is a password recovery tool for the Microsoft Windows operating system. It allows easy recovery of various kinds of passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols.

2. SuperScan - SuperScan is a powerful TCP port scanner, pinger and resolver. SuperScan 4 (the current version) is a completely rewritten update of the highly popular Windows port scanning tool, SuperScan.

3. GFI LANguard Network Security Scanner - GFI LANguard N.S.S. is a network vulnerability management solution that scans your network and performs over 15,000 vulnerability assessments. It identifies all possible security threats and provides you with tools to patch and secure your network. GFI LANguard N.S.S. was voted Favorite Commercial Security Tool by NMAP users for 2 years running and has been sold over 200,000 times!

4. Retina - Retina Network Security Scanner, recognised as the industry standard for vulnerability assessment, identifies known security vulnerabilities and assists in prioritising threats for remediation. Featuring fast, accurate, and non-intrusive scanning, users are able to secure their networks against even the most recent of discovered vulnerabilities.

5. SamSpade - SamSpade provides a consistent GUI and implementation for many handy network query tasks. It was designed with tracking down spammers in mind, but can be useful for many other network exploration, administration, and security tasks. It includes tools such as ping, nslookup, whois, dig, traceroute, finger, raw HTTP web browser, DNS zone transfer, SMTP relay check, website search, and more.

6. N-Stealth - N-Stealth is a commercial web server security scanner. It is generally updated more frequently than free web scanners such as whisker and nikto, but you have to pay for the privilege.

7. Solarwinds - Solarwinds contains many network monitoring, discovery and attack tools. The advanced security tools not only test Internet security with the SNMP Brute Force Attack and Dictionary Attack utilities but also validate the security on Cisco routers with the Router Security Check. The Remote TCP Reset remotely displays all active sessions on a device, and the Password Decryption can decrypt Type 7 Cisco passwords. The Port Scanner allows testing for open TCP ports across IP address and port ranges or a selection of specific machines and ports.

8. Achilles - The first publicly released general-purpose web application security assessment tool. Achilles acts as an HTTP/HTTPS proxy that allows a user to intercept, log, and modify web traffic on the fly. Due to a cyber squatter, Achilles is no longer online at its original home of www.Digizen-Security.com... OOPS!

9. CookieDigger - CookieDigger helps identify weak cookie generation and insecure implementations of session management by web applications. The tool works by collecting and analyzing cookies issued by a web application for multiple users. The tool reports on the predictability and entropy of the cookie and whether critical information, such as user name and password, is included in the cookie values.

10. Netcat (The Network SwissArmy Knife) - Netcat was originally a Unix utility which reads and writes data across network connections, using TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

Port names

Ports are divided into three ranges: the Common Ports, the Registered Ports, and the Private Ports.

The Common Ports are those from 0 through 1023.
The Registered Ports are those from 1024 through 49151.
The Private Ports are those from 49152 through 65535.

Common Ports
The Common Ports are assigned by the IANA and on most systems can only be used by system (or root) processes or by programs executed by privileged users.
Ports are used in the TCP [RFC793] to name the ends of logical connections which carry long term conversations. For the purpose of providing services to unknown callers, a service contact port is defined. This list specifies the port used by the server process as its contact port.


Port Assignments for Common Ports:

Port UDP TCP Definition
7 x x echo
9 x x discard
11 x x systat
13 x x daytime
17 x x quote of the day
19 x character generator
20 x ftp - data
21 x ftp - control
23 x telnet
25 x smtp mail transfer
37 x x timeserver
39 x rlp resource location
42 x x nameserver
43 x nicname whois
53 x x domain name server
67 x bootps bootstrap protocol (server)
68 x bootpc bootstrap protocol (client)
69 x tftp trivial file transfer
70 x gopher
79 x finger
80 x http
88 x x kerberos
101 x hostname nic
102 x iso-tsap class 0
107 x rtelnet
109 x pop2
110 x pop3
111 x x sunrpc
113 x identification protocol
117 x uucp
119 x nntp
123 x ntp
135 x x epmap
137 x x netbios - name service
138 x netbios - dgm
139 x netbios - ssn
143 x imap
158 x pcmail - srv
161 x snmp
162 x snmptrap
170 x print - srv
179 x border gateway protocol
194 x irc internet relay chat
213 x ipx
389 x ldap
443 x x https (ssl)
445 x x microsoft - ds
464 x x kpasswd
500 x isakmp key exchange
512 x x remote execute
513 x x login / who
514 x x shell cmd / syslog
515 x printer spooler
517 x talk
518 x ntalk
520 x x router / efs
525 x timeserver
526 x tempo
530 x rpc
531 x conference chat
532 x netnews newsreader
533 x netwall
540 x uucp
543 x klogin
544 x kshell
550 x new - rwho
556 x remotefs
560 x rmonitor
561 x monitor
636 x ldaps over tls/ssl
666 x x doom id software
749 x x kerberos administration
750 x kerberos version iv
1109 x kpop
1167 x phone
1433 x x ms - sql - server
1434 x x ms - sql - monitor
1512 x x wins
1524 x ingreslock
1701 x l2tp
1723 x pptp point to point
1812 x radius authentication
1813 x radius accounting
2049 x nfs server
2053 x kerberos de - multiplexor
9535 x man remote server