Happy Hacker Digest April 19-20, 1997
This is a moderated list for discussions
of *legal* hacking.
Moderator: Matt Hinze
Send posts to: email@example.com (Matt Hinze)
[if you can, include a "HH"
in the subject header]
Please don't send us anything you wouldn't
email to your friendly neighborhood narc, OK?
To subscribe or
unsubscribe, use the subscribe boxes on the menu bars, please..
If you decide you just want to use the forum and not get these
mailings, we promise our feelings won't get hurt if you unsubscribe
from this list.
H a p p y H
a c k i n g !
URL of the day: http://main.succeed.net/~coder/
Packet sniffing and IP Spoofing by Brecht Claerhout (thanks for the
heads-up, Bronc Buster!)
Table of Contents:
* Happy Hacker Digest Webpage
* [NTSEC] ALERT - NT security flaw announcement (with fix ;>)
* Disconnecting From Telnet
* SMTP COmmands for Cisco Multinet 4.0
* PGP Question
* Do I Need a Domain Name?
* More Windows 95 Net Utils (What are the for?)
* Beta Testers Wanted
* Sometimes it is just that easy.
* Linux & Netscape
* Note From Matt
*** Happy Hacker Digest Website
Ok, ok, I messed up. The correct URL for the Happy Hacker Digest
Website is: http://www.cs.utexas.edu/users/matt/hh.html
This will not be my last mistake. :)
*** [NTSEC] ALERT - NT security flaw announcement
From: Aleph One <aleph1@DFW.NET> [As seen on the BUGTRAQ mailing
To subscribe to Bugtraq, send an email message to
firstname.lastname@example.org with "subscribe bugtraq" in the message body.]
April 18, 1997
MWC, Inc.- NTsecurity.com would like to inform Internet
that MWC, Inc. has discovered a security flaw ("RedButton Bug") in
Microsoft Windows NT v 3.5x, 4.0. The security problem affects the
majority of NT based networks.
The "RedButton Bug" enables a remote user to get
access to a part of the NT system including registry and file system.
The "RedButton" utility, which is available for download at
http://www.NTsecurity.com/RedButton/ demonstrates the possibility of
such an access:
* It logs on remotely on a Target computer without presenting
User Name and Password
* gains access to some of the resources available to Everyone
* determines the current name of Built-in Administrator
(thus demonstrating that it is useless to
* reads several registry entries (i.e. displays the name
* lists all shares (including the hidden ones)
Microsoft has already been notified about this flaw.
MWC, Inc - NTsecurity.com
Network Security Team
From: Russ <Russ.Cooper@RC.ON.CA>
Here's more on how to fix (hopefully) the Red Button problem.
First of all, some important notes;
1. YOU CAN COMPLETELY STOP THE RED BUTTON PROGRAM by stopping or
unbinding the Server service. Andy points this out in his help file
(together with other useful security suggestions). Clearly this is
very difficult for many, but in an Internet situation it is something
you should be doing already. Of course unbinding the Server service
means that no shares will be available from that box. This IS
effective for Workstations, however, and is something that should be
(or AutoShareWks for workstations) will disable the default hidden
administrative shares in NT 4.0 (i.e. c$, admin$), however, this does
not prevent Red Button from getting other information as it accesses
is enabled by default, but does not restrict Red Button at all. I am
still working through the combinations in NullSessionPipes to see if
something there can prevent access.
I have set up two methods to retrieve David's program,
1. Go to http://ntbugtraq.rc.on.ca/david.htm
2. Send an email to mailto:Everyone2user@rc.on.ca and the program will
be emailed back to you in UUEncode format. Most MIME capable email
clients will automatically convert this to an executable for you.
Please note, I personally have tested David's program on my own NT 4.0
machines. It did not adversely affect my ability to use any of the
machines. HOWEVER, despite the wide variety of applications which I
use on these machines, its not possible for me to test it with all
applications that run on NT. It is EXTREMELY possible that there may
be applications in use on your machine which DEMAND that the group
Everyone has access. Should you be using such a program (and no, I
not know of any programs that do this today but that doesn't mean they
do not exist), then using David's program on your machine WILL STOP
THAT APPLICATION FROM WORKING.
I give you this strong caution because neither David nor I have any
desire to have any of you find yourselves in the unenviable position
of not being able to use one, or more, of your currently running
Therefore, before you run this program make sure that you do a
complete backup of your Registry. Update your Emergency Repair
Diskette by using RDISK /S, or better still, use a backup program
capable of backing up the registry to tape. Make sure that you test
this on a NON-PRODUCTION system first if at all possible.
You have been warned, so please be smart and use caution BEFORE you
use this program (or any program for that matter). If you are at all
unsure about whether or not you have received the real program, then
retrieve the program using BOTH methods above, and then compare them.
They should both be the same size and show the same modified date of
Friday, April 18th, 1997 at 11:21:22pm, yet they will each have
different creation dates.
To my knowledge, this program has yet to be tested on an NT 3.51
system, and the NT 4.0 systems it has been tested on may not have the
same combination of Service Packs and Hotfixes as yours. Feedback
would be appreciated from those of you who decide to run this program,
stating your system configuration (OS version, Service Packs, and
Hotfixes installed) as well as indicating which applications you have
verified work properly after running this program. Send these messages
to mailto:Russ.Cooper@rc.on.ca and I will make sure David gets the
BE CAREFUL! Despite its lack of thorough testing, I still recommend
you back up your registries and run it, as its benefits extend beyond
just what Red Button can do.
It would seem that my bold statement about being able to stop Red
Button by just getting rid of Everyone access is not true, as Andy
pointed out. To use a Mudge-like phrase, I have strong suspicions that
I know how to prevent this program from getting anything but further
testing and discussion is required.
For those that have asked, "network access" as used by Andy, means
access to TCP139 the NBSessions port. No existing authentication is
required to exploit this information from a server, and nothing short
of disabling the SERVER service will prevent it from retrieving at
least the Administrator name and available shares. The risk is that
you have not enabled account lockout for your Administrator account
(whatever it is called), someone could attempt to brute force their
way into that account by connecting to the well-known share c$, or
of the shares that it can enumerate (hidden or otherwise).
R.C. Consulting, Inc. - NT/Internet Security
owner of the NTBugTraq mailing list:
From: David LeBlanc <dleblanc@ISS.NET>
>MWC, Inc.- NTsecurity.com would like to inform Internet Community
>that MWC, Inc. has discovered a security flaw ("RedButton Bug") in
>MWC states on their web page that they have currently not found any
>method that will 100% prevent these exploits. IMO, the common suggestion
>to remove Everyone access from everywhere and replace it with Domain
>Users should definitely do the trick. Guess their either saying this
>too difficult or that they don't know how to do it.
The problem appears to be in the well-known user of ANONYMOUS.
problem I cannot overcome at the moment is the ability of this user
attach and gather Lan Manager information which includes shares and
user names. Note that the user information does include such
as comments and whether the user is the admin, guest, and which
well-known groups they belong to.
Alas, a fix for this one will have to come from Microsoft. However,
do have code here to read and set registry permissions. Once
this app later this evening, I will post it for FREE, instead of
trying to extort $95 as MWC is doing.
The source code for this app is based on code contained within the ISS
scanner, belongs to ISS, and unless someone gives me permission, I
can't post it. At any rate, once a fix is tested, it will be
| Voice: (770)395-0150 x138
Internet Security Systems, Inc. | Fax: (404)395-1972
41 Perimeter Center East
| E-Mail: email@example.com
| www: http://www.iss.net/
Atlanta, GA 30328
[Matt: Well, well; it looks like WindowsNT has another flaw. Don't be
suprised if another one pops up in the next weeks. All of you running
NT: follow the advice of the preceding posts to make sure that, even
though still vulnerable, your machine is as secure as you can get it.]
*** Disconnecting From Telnet
From: Elizabeth Genco <firstname.lastname@example.org>
Since I'm in such a good mood (doing the Linux happy dance because I
just got PPP configured and up and running), I'll be brave and post
probably obvious question. Say you're happily port surfing, be
from a shell account or a Linux box of your very own, and all of a
sudden you forget the port number. You could very well end up
front of a login prompt, and -- oh no! -- it expects you to login.
Since I'm not in the business of trying to crack passwords, I'd love
to know how to lose the login prompt of the telnetted computer and
back to my own shell prompt! Anyone know how to do this?
I'm at it, I'll ask this: what's the deal with the "Escape Character
is '^]'" ?? How do I use that? It certainly doesn't get me out of the
login screen predicament! Point, please?
[Matt: To end a telnet session type '^]', or more simply, hold the
'Ctrl' button down while hitting the ']' key. You'll then get a
"telnet>" prompt, or something similar. You can connect to another
host or just exit the telnet program at this point.]
Thanks all -- since this is my first post, I'll mention how much I
love this list and love reading all of your informative posts.
especially to people like Bronc Buster who put up oodles of fun
information on the web for the rest of us....
.....to know, to will,
to dare, and to keep silent.....
*** SMTP Commands for Cisco Multinet 4.0
I was wondering if anybody knows the SMTP commands for CISCO Multinet
v4.0? I tried looking all over for them, and I can't seem to
It doesn't work like normal SMTP, and it doens't support help
*** PGP Question
From: "John Doe" <email@example.com>
I kept seeing the public pgp keys on the posts to the dc-stuff list,
and it finally piqued my curiosity. So, I downloaded the program
of the MIT site and installed it and started fooling around.
all of the .txt files and faq's and I figured out how to make a key
and encrypt and decrypt messages, amd I think I understand the basic
principles of encryption. What I don't understand, is how do
integrate the encrypted file into my e-mail and then how does the
receiver of my e-mail decrypt the file out of the e-mail body.
I am a
definite newbie, and I would appreciate it if someone could explain
this to me as the text files and faq's are a little hard to
[Matt: Well, there are several programs to do just this, depending on
what OS you use. So my advice is this: go to Yahoo
(http://www.yahoo.com) and do a search for "PGP". You can narrow the
search and use "PGP shell". Of course, if you want to do all this
manually, you can save your email message as a file, use PGP
(command-line-like) and cut-and-paste it back into your email program.
What you'll find yourself doing the most is signing plaintext files
(email messages) and having them readable to others (everyone on the
list). This ensures that you are the author of the message. If you
want to practice sending PGP signed/encrypted messages, send them to
me, at firstname.lastname@example.org. My public PGP key is:
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
*** Do I Need a Domain Name?
From: deviant <email@example.com>
I have a computer that I want my friends to be able to telnet into
from other places. It has an ip address, but no domain name. Do I have
to register a domain name in order for others to access it? Any help
would be appreciated. Thanks.
[Matt: Nope. The can just telnet to the IP, like:
$ telnet 220.127.116.11
*** More Windows 95 Net Utils (What are the for?)
'More Win95 internet commands found in MS-DOS mode'
YO! Happy Hackers ;)
We all know about d ping, tracert, netstat, etc. commands from d GTmHH
beginners series. I found other commands for d 'net in my windows dir
that were not mentioned in the GTmHH's I have read. These r run in
MS-DOS mode. I don't know what exactly they do but here they r:
1. Arp.exe - Displays and modifies the IP-to-Physical address
translation tables used by address resolution protocol (ARP).
2. Net.exe - This is not probably 4 'net but 4 windows 4
3. Netdde.exe - ?
4. Route.exe - Manipulates network routing tables.
Ex. route -f print (IMHO - ur 'net connection screws up
Network Address Netmask Gateway Address
18.104.22.168 22.214.171.124 1
126.96.36.199 255.255.255.255 127.0.0.1
188.8.131.52 255.255.255.255 184.108.40.206
220.127.116.11 18.104.22.168 1
255.255.255.255 255.255.255.255 22.214.171.124 126.96.36.199
If somebody knows about these commands please post ur explainations.
*** Beta Testers Wanted
From: Alfred Huger <ahuger@SECNET.COM>
For those of you who are interested in network security auditing
tools, SNI (Secure Networks Inc.) is making an open call for Beta
testers. The software we are offering for Beta is our upcoming network
auditing tool Ballista.
Interested parties should view :
or FTP to :
Secure Networks Inc.
*** Sometimes it is just that easy.
PLEASE KEEP THIS ANONYMOUS!!!
This is just to give hope to any luckless
newbies out there like
myself. I do not advocate breaking into
other peoples systems
unless it serves some purpose - mainly to
find security flaws or
holes in the setup. The only problem was I
hadn't yet succeeded
in finding one. The other day however I actually
was able to get
in and copy the password file of a unix host.
And the way I did
it couldn't have been any simpler. I
merely used the tftp client
to go retrieve /etc/passwd. I thought
"you have got to be
kidding me, it can't be that easy" I
ran the file through
crackerjack and called the guy with his passwords
- no I did not
use them. This is what hacking is about,
not deleting files or
making sysop's lives miserable. Where
would they be without us?
*** Linux & Netscape
From: John Beal <firstname.lastname@example.org>
Netscape And Linux,
Here is something of a oddity that I have been dealing with concerning
running Netscape For linux version 3.01.Also I am running the
Slackware 2.0.27 kernel that I custom compiled for my system. For some
odd reason when I get to large of a bookmark file or something ???
I attempt to run netscape it Just locks up. I get this in my ps -a:
1235 netstat (Zombie)
So then I type Kill -9 1234 and Boom netscape and the netstat zombie
disappear it happens every time too. So then I started looking around
to see what is causing it and I noticed that I had a modified
bookmarks file so when I rm bookmarks.html and then restart netscape
bingo it loads up and runs perfectly. Any one have any ideas about
whats happening? Cause I like having a bookmark file and the only way
I can now is to bookmark things and then rename them to something else
and then use my web browser to view the bookmarked file and then can
choose the URL from there. Kinda a the hard way around it but it
works. Was mainly wondering if anyone else had the same problem and
rm'ing the bookmark file in their home dir fixed it too??
A ever curious Fox searching Learning Yearning and Hacking his way
thru the Internet One Exploit at a time.
** Note From Matt
Whew! What a day, security-wise. The digest, though, is shorter than
usual. This is common in the newsmedia when there is a big breaking
story. For example, In the days up to a Presidential election, that's
basically all you hear about, even though there is other news. I guess
it has to do with what has priority with your audience. Also, I've
been busy offline. My parents are in town and, well, I'm exhausted
from keeping them busy here in Austin.
By the way, expect the HHDigest Webpage to be fully updated the day
after you get the digest.
Matt Hinze <email@example.com>