Happy Hacker Digest April 10-11, 1997
This is a moderated list for discussions
of *legal* hacking.
Moderator: Carolyn Meinel
Please don't send us anything you wouldn't
email to your friendly neighborhood narc, OK?
To subscribe or
unsubscribe, use the
subscribe boxes on the menu bars, please.. If you
decide you just want to use the forum and not get
we promise our feelings won't get hurt if you unsubscribe
from this list.
H a p p y h a c k i n g !
`O the Day: http://www.sun.rhbnc.ac.uk/~phac107/c50a-nt-0.10.tgz
to download Crack 5.0 for Windows NT
Table of Contents
· Legal Opportunity to Fight Hacker War
· Windoze Hacking
· Hacking Port 110
· Mapping the Internet
· HH Archive URLS
· Port 25 Stuph
· More on Social Engineering
· Linux Woes
· Shell Account Stuph
· Port 19 Woes
· IRC Question
· Guilty of Using Jargon
· Looking for Jakarta Hackers
*** Legal Opportunity to Fight Hacker War!!!!!
From: Warpy <email@example.com>
This might be the opportunity to redeem yourself Carolyn..
out the attached file..
Mail Me to Join We Will update Results every week through
Now this will Be like a Hacker Internet which will make hacking
these servers legal We will have competition
- 6 or less hackers per team.
- Each team has 1 or more system.
- The system must run Linux/BSD/SunOS, and be up at least
till 11:30 pm. - The game is played for on week then expires
- On systems owned by the team, each user may have one
account, with any systems privileges.
- Each team has 1 account on each enemy system
- 2.5mb quota per account
- must be a normal user
-must be a file saying "you got me"
file must be called victory.yes
-victory.yes can be chomoded to any user even root
but the uid or gid must exist
-victory.yes can be in any dir
-any find utility must must be only allowed
-to win u must change the motd to say the this
"takeover by <your team name>
the victory.yes location is <the location here>"
then you must contact a judge to see the MOTD
-victory.yes location has to be submitted to a judge before
begin. You must let the judge login to make sure its there.
the judge must have a login so he can frequently check
and make sure victory.yes is still there and to see if anyone
- super users on opposing teams are NOT allowed to
intervene with other hackers, this includes killing,
writing to their terminals, or disturbing them in
any way shape or form, however, super users are
allowed to use snoop and other programs to monitor
opposing team members, but they cannot DIRECTLY
step in and kill the user. super users CANNOT delete
files created by the opposing team members.
if you shut a system down
: 100 points
if your system gets shut down
: -50 points
On Sunday midnight, all points are worked out, and
the league positions are calculated.
Users will be kicked from hacknet and team will loose 50
1.denial of service attacks
2.removing system files
3.rebooting a machine
4.e mail bombing
5.Killing Opponent's Connection at any time.
6.Echoing to opponent's tty and distracting or screwing up the
opponent 7.Moving Victory.yes 8.Killing judges 9.Echoing to judges
and distracting or screwing up the judge.
============================================== U MAY NOT INTERACT
OPPONENTS ON A SYSTEM IN ANY WAY!!!! EXCEPT FOR SPYING!!!
Carolyn: Warpy, I consider it a badge of honor that a group
who hide behind their hacker handles flame me. Especially when
flaming me they are making truly egregious technical errors!
don't feel much need to "redeem" myself.
Latest thing is that jericho is claiming in his dc-stuff flames
keyboards are not ports! Sheesh. The *only* thing a keyboard
create an input interface with the user. If that isn't a port,
baked potato. Hmmm, I wonder, will this incite yet another flame
over my definition of a keyboard as an "interface"?;^)
At least he did
admit that I was right that you can hack some kinds of printers.
For those of you who were on when some d00dz were flaming
Infowar IRC for saying Robert Morris Sr. invented hacking --
the straight stuff. Guess who invented the game Core War (in
no less)? It was Morris. Guess what he must have been doing that
inspired him to figure out a legal way to do it instead:)
Note on flame policy: I only will respond to correct extreme
errors! Don't believe more than 10% of what you read on the dc-stuff
list. The OK to believe rate on this HH list, however, probably
over 50%, so don't take what we say here as gospel truth either:)
Again, remember, we have designated the dc-stuff list to carry
flame wars. Email firstname.lastname@example.org with message "subscribe
*** Windoze Hacking
Carolyn: Security alert! If you are using Norton Utilities
Windows 95 and get on the World Wide Web through Microsoft Corp.'s
Internet Explorer, you have a problem. Check with either McAfee
Associates or Norton to get the patch.
Anonymous reply to Imagekiwi@hotmail.com
I've got port scanners , perl 5, telnet, tracert, ftp, visual
what else to you need to hack properly.
These programs are all in windows 95, what else does Unix have
windows 95 doesn't in the above list.
Continuing in my efforts to make a stable hacking envoroment
windows 95. That has all the fetures of unix.
Carolyn: Folks, reply to this one without flaming if you want
posted in the Digest. Also, I'm writing a GTMHH right now that
answer that question. IMNSHO: Unix rules!
From: dAVe burlingame <email@example.com>
> From: Erica Douglass <firstname.lastname@example.org>
> Hi! I was reading some time ago in the HH Digest that there
> book called _Secrets of Windows 95_ that tells how to edit
Try _Windows 95 Secrets Gold_ by Brian Livingston, a staffer
InfoWorld, an industry bible...
From: D-LUX <email@example.com>
>From: Erica Douglass <firstname.lastname@example.org>
>Hi! I was reading some time ago in the HH Digest that there
is a book
>called _Secrets of Windows 95_ that tells how to edit the
You can get all this information for free by downloading the
95 resource kit from Microsoft's web site. (www.microsoft.com).
help file and provides an incredible amount of information regarding
Win95, including the registry. I've seen better, but this one
*** Hacking Port 110
From: "Johnny Johansson" <email@example.com>
U forgot a very important command in your list....
LIST = list number of mail you have... :)
*** Mapping the Internet
I do tracert on a remote computer. It works and gives me the
details etc., including the IP No. of the remote computer I am
at. I go to whois.internic.net and enter the IP No. of that remote
computer. I get the following message: No match found for ..........(
IP No.). Can you please tell me what is happening here?
Carolyn: There are several possibilities. Your best bet is
either the commands dig or nslookup instead. You can find those
commands on most Unix boxes. For details see GTMHH Vol.3 #2,
the Internet." Note that this whois
trick doesn't work any more, but there is another way to do it.
Click here to find out how.
*** HH Archive URLS
From: k1neTiK <samk5@IDT.NET>
Announcement: I have registered http://base.kinetik.org
as my web
page. It will bring you to my regular site, and is just
typing in my entire address. For those who don't know,
I archive all
the GTMHHs and Happy Hacker Digests on my site since October.
you for not booing.
Carolyn: Other archive sites include:
http://infowar.com (click "new" button)
From: "NK" <firstname.lastname@example.org>
More on the old old phf exploit - Theoretically one should
be able to
execute a shell using phf , and if very lucky the web daemon
owned by root so a root shell might be obtained. I decided to
out a while back - however for a shell to operate , a silly web
browser obviously isn't the solution.
I went to http://target.server/cgi-bin/phf?Qalias=x%0a/bin/sh%20/
a web browser to check (I already knew that this server isn't
for phf use). And got no error.
Next I telnetted to port 80 of the target.server and first
sent a few
random chars to see if I got an error and that it was working
time I telnetted I used the command GET
/cgi-bin/phf?Qalias=x%0a/bin/sh%20/ Nothing happened. However
checking all the open connections I found that there was still
connection to the target.server open. Normally the connection
closed after an error , or after the operation completes.
Am I to assume that a shell was actually started on the targer.server
, if so how would I access it. The telnet session stays open
Carolyn: Thank you for fubaring the URL of your target. Your
as borderline as I ever want to run on this list. Unless you
permission to hack, you need to back off NOW. Honest, guys, it
that hard to get permission to hack somewhere. How about trying
Corewars competition instead?
From: Iggy Drougge <email@example.com>
> Please make
> When you make
a phf query, what do the different parts of the
>response mean. For example, when you try to get the password
>(/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd), you get
>at the top:
-m alias=x /bin/cat /etc/passwd
> What does this mean?
On some systems with the bug present, the
>file follows, while on others, it doesn't. On one system
I was on, I
>used ls to see the etc directory. Since the password file
>shadowed, I tried /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/shadow,
>which I had just proved was present. However, all I got was
>/usr/local/bin/ph -m alias=x /bin/cat /etc/shadow and nothing
>Why is this? Is it hidden or something?
It's probably because the web server is run as a user with
privileges, such as nobody. Nobody doesn't have the rights to
files readable only to superusers, such as /etc/shadow, nor should
have writing privileges or a homec directory.
> I know that
only some UNIX commands work like this. Does rm
>(I'm curious; I would have just tried if I wanted to delete
>something)? What kind of commands don't work? By the way,
>anybody know of any good web sites/text files on this kind
>that they could post? Thanks.
Rm would probably work if you have high enough privileges.
depends on your privileges.
>From: "Macey's" <firstname.lastname@example.org>
>Me again, I scanned some ports with a win 95 port scanner
>188.8.131.52 port 21
>184.108.40.206 port 23
>now what do I do. Can I get into any of these computers,
how? ( I'm
>a newbie remember)
Try to get some info in their HINFO records, by looking at
records. That could tell the system type. Port 23 is telnet,
prompt should also tell you the system type. Also, some things
Sendmail (25) might tell you the system type.
*** Port 25 Stuph
From: "Michael Paul" <email@example.com>
I think someone asked this a while ago, but Carolyn misunderstood
question. When I send mail from a program such as Eudora,
contains a sender's name and address, subject, and a from: line.
I telnet to port 25 and send mail, the header contains a sender's
e-mail address but NO name, NO subject, and an APPARENTLY-from:
What does Eudora do differently? Does anyone know of a
program to log
data transferred, so I can find out what it's sending to the
Also, the header contains a line called X-TCP-IDENTITY that
my username on my ISP. Is there a way to change this?
Carolyn: When forging email, after the "data" command,
you can insert
that name, subject and any other headers by typing in like this:
subject: Whee, I'm forging email!
favorite-color: polka dot
X-comment: go soak your head
Received: from ender (slip2.worldaxes.com [220.127.116.11]) by
locke.ccil.org (8.8.5/8.7.3) with ESMTP id RAA16791 for
<> ; Wed, 9 Apr 1997 17:46:08 -0400
The basic trick is to either use only one word or else link
hyphens, followed by a colon, for each entry in your forged header.
As for X-TCP-IDENTITY, I don't know of any way to change it
having root. Anyone have ideas?
Before you get worried about me wanted some major secret Hacking
Let me explain. I am a network engineer who hacks to 1)learn
about the systems I work with and 2) find potential problems
systems and my customer's systems. I have a question.
What are the
potential methods someone would use to hack port 25. Is
escape character that will drop them out of s-mail and into a
Or is it a more involved process?
Carolyn: It's more involved. It depends on what program is
25. While new flaws in sendmail are found with alarming frequency,
have heard that smail and qmail are secure (as of today). Does
on the list know of exploits for them?
*** More on Social Engineering
From: "Stainless Steel Rat" <firstname.lastname@example.org>
>I have some comments on social engineering.
>It seems that a lot of misconceptions about social engineering.
>sound as if people want to believe that social engineering
>learned like a new programming language or by simply reading
>kind of "Beginners Guide to Social Engineering".
I never tried to imply that social engineering was easy or
that it can
be done by reading my FAQ. It requires a talent for people, pure
simple. Those talents CAN be improved by practice and learning
in the way people operate. That's why I always suggest the book,
"Interpersonal Communication" by Joseph Devitto. It
just lists the
trends in the way people speak and says, in no clear terms, how
manipulate them. Any hacker who tries to social engineer the
sysadmin is a moron anyhow. It really cannot be done. If it can
done, fire the sysadmin. You social engineer the little people
and then use exploits and real hacking to get root or whatever
you're trying to grab. It is a skill to be used with hacking,
instead of it. I suggest people read the stuff that is written
it simply as an intro. It is not meant to be a guide. the only
are psychology books and practice.
From: John Doe <email@example.com>
I love this word -- I'm 30 now and never was a particularly
hacker. But I could charm the passwords off any
old ditty that
haplessly answered the phone. I never spoke to the
managers -- what
I found useful was to find companies that used a lot of
service' employees -- the end result, after talking to
newbies of the temp kind, was enough passwords/ID's that
'us' (hint) to figure out the best way to have access.
The previous posts said knowing something about psychology,
is good, but I think a better aptitude would be SALES!
Yes, that and
a little acting skill. We always had a dopey friend that
than all of us and had a deep voice that the old ladies trusted.
You aren't going to social engineer anything if you're constantly
behind the screen. If anything, with the people that I
deal/hire on a
professional level, social interaction is just as important as
Try doing it from a pay phone, i.e., a service rep. in the
and don't screw up anything, case in point being whenever I need
learn about new software, I call the very same business we hacked
years ago. It's not that way because we vandalized anything.
Great list, and kudos from Tokyo!
From: "Stainless Steel Rat" <firstname.lastname@example.org>
>You have to give up a little bit of that anonymity which
>Hackers/Phreakers/Crackers cherish so much. On top
of that, a lot of
I would disagree here. Most of the SEing I have done in the
completely anonymous to some degree or another. Sure I say I
in network support" or whatever, but I never give up anything
would compromise my identity. I would consider that fairly anonymous.
If you are doing the SEing in person though, you are dead on.
to resign to the fact that you will be seen, may have to fork
some kind of ID, or whatever else.
>Carolyn: I agree heartily with this post. As a matter
of fact, I make
>much of my living from social engineering. This Happy Hacker
>social engineering, a technique to discover and publicize
>knowledge floating around the hacker world.
Lay off the crack Carolyn. Social Engineering is roughly defined
obtaining information from someone by tricking them into thinking
are someone else.
>Guess what: the best social engineers never lie. We use
So you think. I am not the "best" by any means,
but I rarely fail when
I set my mind to it, and I never tell them my real name.
>But trust me, it is easier to get information by being
>through deceit. That's because it is really, really hard
to lie in a
It is obvious you have never had to try to social engineer
information out of someone then. If you call up and say "Hey,
Jason and I am just some random citizen, can I please have your
dialin?", you will get laughed at. Any serious or proprietary
information will not be handed out THAT easy.
Carolyn: Funny thing, I have found that if I really, really
play with someone else's computer, all I have to do is ask politely
and honestly and they will let me on it. In fact, people will
give me permission to try to crack into root! That's the best
engineering of all. Of course I go to some effort to make friends
them first. It takes more time, but it's legal and no one gets
The first account that Keith and I honestly social engineered
not always perfect like I am now:):) was by putting our home
collateral for the purchase of a PDP 11/23. The owner, John Kaur,
responded by letting us keep a terminal in our home -- with 150
modem -- on which the whole family played Adventure, Zork and
Trek. It cost us no money, slight risk, and kept us in computers
much of the 70s, back when computers were rare and expensive.
got our own, an Intel microprocessor programmer, in 1975, but
box had all the games:)
The problem of the dishonest social engineer is you start
that to get information you have to trick someone. The easiest
get information, however, is to be totally honest. How do you
I have managed to make a living at gathering information? Lying
gets you so far.
Besides, it's hard to keep your stories straight when you
Can you believe this, I actually know a guy who told me his *only*
communications with johnny xchaotic -- the nationally infamous
bomber/spammer -- were jx's unsolicited calls from a cloned cell
phone. Then later this guy told me his *only* contacts with jx
via email. Tsk, tsk.
*** Linux Woes
I recently installed Linux (Slackware 3.1). I was all geared
up for it
to be a very difficult task, but it was actually not too difficult
get everything up and running (after digging up all the docs
with my PC). Anyway, I used umsdos. I do not recommend
it. True, you
do not have to repartition, but it has caused me problems. I
reports of lost clusters (from Norton Disk Doctor) frequently,
have not contained anything important as of yet, and I do not
taking too many chances :P another reason I do not recommend
umsdos is linux takes up a lot more space than it would if it
its own partition... I think this has something to do with all
tiny files associated with a linux system and the FAT on an msdos
partition... to just give linux a try, umsdos is fine, but it
seem to be a good 'way around' repartitioning or getting another
BTW, if anyone knows why I get the lost clusters, I would much
appreciate it if they would post an answer. one more thing...
out there live in Gippsland?
*** Shell Account Stuph
From: Warpy <email@example.com>
On whenever some dude said this...
>when I use uname, it says SunOS, but when I telnet to localhost,
>is SystemV. What is this?
The answer to that guys question is very simple. Versions
above 4.1.3 are System V Release 4 (SVR4 for short). If he were
a uname -a he would find out what version of SunOS is running,
would see that it is one higher than 4.1.3.
Versions up to 4.1.3 are Berkeley Standard Derivative (BSD)
some spack reason Sun decided to hop onto the SVR4 wagon after
If he came up with something like SunOS 5.5.x, that means
system is running Solaris 5.5.x (which is what Sun prefers to
sunos's 4.1.4 upwards). He might also like to know that a Solaris
buffer overflow came out a while back. If he were to do sum searching
around in back issues of BUGTRAQ, or any of the other security
lists he might find it.
*** Port 19 Woes
From: neMEsis <firstname.lastname@example.org>
I was wondering what I had to change to keep from getting
people use the write command or the msg command. I also wondered
there was a way to close out peoples access to the sh >/dev/ttyp
command without keeping me from using it. One of my friends
of this trick and has been telnetting me to port 19 on our server
(which they say they have no reason to close even when I pointed
the simple denial of service attacks that can be made from them).
particular acct. is a university acct. Any help is appreciated.
Carolyn: All you sysadmins out there -- CLOSE PORT 19! CLOSE
*** IRC Question
From: playa <zeigler@ucsub.Colorado.EDU>
I run an ftp on a Mac (supplied by school) and the ftp program
not have a way to distinguish users, since they all log on as
login/pass. But, it does show their IP. The only
time that my ftp is
up is when I am on IRC. So everyone on is on IRC as well.
there a command that will give me a nick from an IP address?
would be appreciated.
*** Guilty of Using Jargon
From: email@example.com (Shun Chit [John] Sik)
I just want to begin by saying that I really like Happy
but since I an a newbie, I don't understand some of the terms
have come across. Like spammers, cookie killer and IRC. I guess
is it for now. Can you please explain this to me please. Thanks.
Carolyn: Oops, sorry for using so much jargon.
1) A spammer is someone who sends out lots of unsolicited
Usenet posts. A spammer could send thousands of posts to one
group, or one post each to thousands of news groups. A spammer
send one email each to thousands or millions of email addresses,
might send thousands or even millions of emails to one email
The most infamous Usenet spammers is the Phoenix AZ law firm
and Siegal. The most infamous email spammer who sends only a
emails each to millions of people is Cyberpromo. The most infamous
email bomber -- a guy who sends zillions of emails to each of
people he likes to bomb -- is johnny xchaotic. What every spammer
in common is that they have to find ways to forge email. This
because most people hate spammers, so spammers are always hiding.
2) "Cookie killer" refers to keeping out the stuff
that Web sites put
on your disk when you visit them. The people who put up Web sites
oftentimes like to store information on your disk about what
doing when you visited them. Then the next time you surf in,
what's on your cookies file and put more stuff there. They generally
do this to collect market research information on you. Since
us think it is none of their darn business and resent them putting
stuff on our disks, we keep them from doing this.
3) IRC stands for Internet Relay Chat. It's a wonderful way
time, make friends, and conduct flame wars.
*** Looking for Jakarta Hackers
Please reply to firstname.lastname@example.org
any hackers in the Jakarta Indonesia area, any level, especially
you go to J.I.S ( Jakarta international school ). Email the address
above if so.
*** That's all, folks. Happy Hacking!