Happy Hacker Digest Feb. 20, 1997
This is a moderated list for discussions of *legal* hacking.
Carolyn Meinel. Please don't send us anything you wouldn't email
friendly neighborhood narc, OK? Send posts to .
To subscribe or unsubscribe,
use the subscribe boxes on the menubar. If you decide you
just want to
use the forum and not get these mailings, I promise my feelings
hurt if you unsubscribe from this list.
Happy hacking! "Nature has buried truth at the bottom of
the sea" -- Democritus
URL 'O the Day: http://www.dgl.com/docs/antispam.html
Table of Contents
IRC GTMHH Update
Urgent Active Server Pages Security Alert!
Social Engineering Dissed
IRC 7th Sphere Question
Hints for Crackers
More on Mac
IRC GTMHH UPDATE
Moderator: We have gotten some really great additional information
as corrections (and flames) on the GTMHH on IRC. Hang on, I'm
asbestos and trying to verify and sort out the conflicting information.
Since so many people contributed to the writing of that Guide,
to print the
flames would violate our rules for no flaming unless people consent.
when we have agreed upon the improved version, we'll send it
out again. We
also have two Beginner Series Guides in the works on how to get
using a shell account and how to hack from Windows. If
I could only figure
out how to get along without sleep we'll get soem more advanced
too. Remember, any one who wants to write tutorials of their
own is welcome
to submit them to this list, or to collaborate with me.
MICROSOFT IIS AND ACTIVE SERVER ADVISORY
Security Hole in ASP Discovered in Microsoft ASP
February 20, 1997
A serious security hole was found in Microsoft's Active Server
by Juan T. Llibre <email@example.com>. This hole
allows Web clients to
download unprocessed ASP files potentially exposing user ids
ASP files are the common file type used by Microsoft's IIS and
to perform server-side processing.
How it works:
To download an unprocessed ASP file, simply append a period
to the asp URL.
For example: http://www.domain1.com/default.asp becomes
http://www.domain1.com/default.asp. With the period appendage,
Information Server (IIS) will send the unprocessed ASP file to
client, wherein the source to the file can be examined at will.
source includes any security parameter designed to allow access
system processes, such as an SQL database, they will be
There are two known ways to stop this behavior:
1.Turn read permissions off of the ASP directory in the Internet
Manager. This may not be a practical solution since many sites
mix ASP and
HTML files. If your site mixes these files together in the same
you may want to segregate them immediately. Now and in the future,
your ASP files like any other Web based executable, and keep
separate directories wherein permissions can be adjusted accordingly.
2.Download this filter written by Christoph Wille
Christoph.Wille@unileoben.ac.at which can be located at
http://www.ntshop.net/security/tools/sechole.zip or from
(Taken from http://www.ca-probate.com/faxlaw.htm)
Broadcast Fax and Junk Email Illegal
Under United States law, it is unlawful "to use any telephone
machine, computer, or other
device to send an unsolicited advertisement" to any "equipment
which has the
capacity (A) to
transcribe text or images (or both) from an electronic signal
a regular telephone line
onto paper." The law allows individuals to sue the sender
of such illegal
"junk mail" for $500 per
copy. Most states will permit such actions to be filed in Small
Here is the text of the federal law:
>From the U.S. Code Online via GPO Access [wais.access.gpo.gov]
effect as of January
24, 1994] [Document affected by Public Law 103-414 Section 303(a)(11)]
TELEPHONES, AND RADIOTELEGRAPHS
CHAPTER 5--WIRE OR RADIO COMMUNICATION
SUBCHAPTER II--COMMON CARRIERS
Sec. 227. Restrictions on use of telephone equipment
As used in this section-- * * *
term ``telephone facsimile machine'' means equipment which
has the capacity
transcribe text or images, or both, from paper into an
electronic signal and to
that signal over a regular telephone line, or (B) to
transcribe text or images (or
from an electronic signal received over a regular telephone
line onto paper. * * *
term ``unsolicited advertisement'' means any material
availability or quality of any property, goods, or
services which is
to any person without that person's prior express
invitation or permission.
(b) Restrictions on use of automated
be unlawful for any person within the United States -- to
use any telephone
machine, computer, or other device to send an
unsolicited advertisement to a
facsimile machine; * * *
(c) to use any telephone facsimile machine,
computer, or other device
to send an unsolicited
advertisement to a telephone facsimile
machine; * * *
right of action
or entity may, if otherwise permitted by the laws or
rules of court of a State,
in an appropriate court of that State--
(A) an action based on a violation of this subsection or the
prescribed under this subsection to enjoin such violation,
(B) an action to recover for actual monetary loss from such a
violation, or to
receive $500 in damages for each such violation, whichever is
(C) both such actions.
court finds that the defendant willfully or knowingly
violated this subsection or the
prescribed under this subsection, the court may, in
its discretion, increase
of the award to an amount equal to not more than 3
times the amount
under subparagraph (B) of this paragraph. * * *
(e) Effect on State law
law not preempted
for the standards prescribed under subsection (d) of this
section and subject to
(2) of this subsection, nothing in this section or in
the regulations prescribed
this section shall preempt any State law that imposes more
or regulations on, or which prohibits--
(A) the use of telephone facsimile machines or other
electronic devices to send
unsolicited advertisements; * * *
[ Amended 1992: Subsec. (b)(2)(C). Pub. L. 102-556 added subpar.
SOCIAL ENGINEERING DISSED
> From: Bernz <firstname.lastname@example.org>
> Maybe it's just me. It probably is. Remote exploits (unless
> them yourself) aren't a really good way of getting into
a system. They
> are fixed damn quick. I'm relatively experienced at this
and I have to
I would dare say you aren't relatively experienced. Right
now I can tell
you of a certain college system that has just over a dozen machines
vulnerable to 'froot'. Some systems keep up to date with advisory
patch those holes. More often than not, they go untouched.
> say that social engineering is the only way to absolutely
get into a
> remote system. I always see that people have questions about
how to get
What?! Fine. Call me up and social engineer your way into
my system since
it is "the only way to absolutely get into a remote system".
When you are
banging your head against the wall in frustration because I won't
what you want, then reconsider your thoughts.
> into systems and this aspect is continually overlooked.
> through a dumb security guard is just as good as sneaking
in through a
> sendmail bug. People should realize that. There's a world
No it isn't. Physical trespassing is a world apart from a
piece of email
exploiting a weak sendmail.
> scamming/hacking that's hardly been explored.
Hardly been explored?! Come on! I haven't run into a hacker
know the value of SE attacks. And I think you will find that
Teams not only do it, but push it as an essential part of security
testing. I know my team does.
> it is running. It may say something like 8.6.4, or 8.7.5..
Those two versions
> mentioned are both well known for bugs/exploits which are
commonly used to
> illicit access to system.. Do another web search for "hacking
> similar, and check whether the system is running an exploitable
> so you should,
> as always, let your sysadmin know..
You really should mention that with sendmail, versions like
8.7.5 are good
as a LOCAL way of getting increased access. Remote 8.7.5 vulnerabilities
are basically unheard of to the 'underground' as well as security
IRC 7th SPHERE QUESTION
From: Redington <email@example.com>
I went to 7th sphere the other day a downloaded their sphere.zip
I unzipped it and tried to open in and to install it inside of
app, but it keeps giving me error messages like "Setup is
find_SETUP.DLL, which is needed to complete the installation,
103." What is that? The thing is that the SETUP.DLL
file is right
there. If anyone can help me out on how to set that up
it is very much
HINTS FOR CRACKERS
From: Tim Cilibrasi <firstname.lastname@example.org>
>From: k1neTiK <email@example.com>
>Subject: RE: passswd file question
>>I've found a server that allows for it's passwd file
>>read/downloaded with an anon. ftp connection. Is
this unusual, or
>>standard? Is it illegal for me to download the
file to my home computer?
>> What would one do with the passwd file?
>It is not unusual for a server to allow it's passwd file
to be downloaded,
>but you will find that 99 times out of a 100, it will be
shadowed. Open it
>with a text file, and if you see something like this:
>Then it is shadowed. Normally you would see encrypted
characters where the
>* was. Oh yeah, and after running it through a passwd
>hopefully would get some valid passwords and then you could
use them to login.
The passed file is NOT shadowed. The * in the password field
login has been disabled for that account. Have you noticed that
view a password file on some systems (not through ftp), some
have * and others have jumbled text? And in the case that you
the file, it is useless. You can not "decrypt" the
passwords, nor can
you log into the accounts.
From: " Intergalactic <--" <firstname.lastname@example.org>
>From: Bernz <email@example.com>
>Maybe it's just me. It probably is. Remote exploits (unless
you >discover them
yourself) aren't a really good way of getting into a >system.
They are fixed
damn quick. I'm relatively experienced at this >and I have
to say that social
engineering is the only way to >absolutely get into a remote
system. I always
see that people have >questions about how to get into systems
and this aspect
is >continually overlooked. Sneaking in through a dumb security
guard is >just
as good as sneaking in through a sendmail bug. People should
There's a world of scamming/hacking that's hardly been >explored.
It's not just you. I find that social engineering and "physical"
the best ways in. Without a doubt, the human interface is the
weakest link in
almost all systems I have ever seen. We recently had a friendly
the CIS department at my school (professor approved) to see if
any one could
gain root access to our experimental server. Being quite green
in the area of
exploits, I opted for a "physical" hack. I "found"
my professor's briefcase and
after sifting thru loads of junk, found scribbled on a post-it
pass 68 81 85 77 65 88 73 70
...gee I wonder. Well, no one else was able to gain access,
but everyone said I
cheated. Is there a moral? Sysadmins, sometimes hackers cheat,
Moderator: I decided to approve the following post because
Rogue Agent gives
better hints for people who need to secure their systems than
he does for
those who want to break in. A big plus with RA is that he encourages
readers to think and learn for themselves -- just enough to tantalize,
not so much that you could immediately land in jail trying this
And, for those of you new to the list, when you see the flames
worry. We only allow flames against people who *like* to get
flamed on this
From: Rogue Agent <firstname.lastname@example.org>
I'm taking a whack at several posts here; see if you can detect
| From: k1neTiK <email@example.com>
| Subject: RE: passswd file question
| p.s.s Are there any known bugs/vulnerabilities in Identd?
I did a websearch at www.excite.com with "identd AND
security AND hole"
and came up with 469 hits. There's some overlap, duplicates
positives, but still more than enough valid hits to satisfy you.
| Moderator: I made this one anonymous. Sheesh, guys, please
remember what I
| have in the header of every digest: "Please don't send
us anything you
| wouldn't email to your friendly neighborhood narc, OK?"
Sure, this guy has
| an explanation for why he is trying to crack into this box,
but if he is
| fibbing, anyone who helps him would be in danger of being charged
| accessory to crime.
Oh please. They would not, any more than you would if
a bank robber asked
you for the fastest way to the next town because his wife had
there, and you gave him directions.
To answer his question, here's hints on some potential holes
| echo on port 7
| discard on port 9
echo kicks out a constant stream of characters. discard
takes in any
characters you feed it. Figure out how to hook one into
the other, and
you've got an excellent denial of service attack as his machine
network overload on feeding stuff to itself.
| exec on port 512
| login on port 513
| shell on port 514
exec is for rexec, login is for rlogin, shell is for rsh.
All 3 have
abusable trust relationship problems ("+ +" in .rhosts
and anyone anywhere on the Net can do anything they want on the
All 3 also have other problems, including hostname spoofing,
overflows, inherited environment variables. Don't forget
rlogin -froot linux/AIX hole.
There's a world of possibility here, if you know how to exploit
| finger on port 79
Hey, now you know some usernames for use with the last 3.
Always a bonus.
| ftp on port 21
wu-ftpd has had several problems, for instance the infamous
| smtp on port 25
sendmail -is- a hole. It gets a security upgrade once
a month, on
| sunrpc on port 111
RPC stands for Remote Procedure Call. It's a way to
run part of a command
on a remote machine. NFS and NIS are the two best-known
services that use
RPC. Both have holes you can drive a truck through.
| telnet on port 23
telnet's had a few problems too; accepting environment variables,
| uucp on port 540--
What with all the increase in speed and connections all over,
of a dinosaur. But it's got its share of holes too.
Lots of way old ones
written up years ago in g-philes and Phrack, and probably some
of the same
newer ones every other service is prone to (overflows, env vars,
| What direction should I head in next?
First off I'd stop listening to Carolyn's blather about how
are, and start looking at the services behind them. She's
given the false
impression that finding a port that accepts connections is central
breaking security on a machine. "Hey, you've got ftp
open. ftp has
holes. I can break into your machine!", "Hey,
you've got ssh open. ssh
has holes. I can break into your machine!", "Hey,
you've got finger open.
finger has holes. I can break into your machine!".
Do you notice that she never says -how- to exploit ftp, ssh
or finger to
break into machines? She says it's an ethics thing, that
would be irresponsible. But what she doesn't tell you is
that SHE DOESN'T
KNOW HOW. Carolyn Meinel is a clueless newbie of the first
If you want to learn security (defensive or offensive), stop
about with "ports" and start learning services; how
they work, what they
do, what resources they use, what the known problems with each
most effective way to do that is to play with the program itself,
client and server, on a machine you have full (root) access to.
Then do a
websearch for security FAQs and mailing list archives (bugtraq,
linux-security, best-of-security, etc.) and read up on the security
problems it has, taking note of what versions are vulnerable
in what OS.
Finally start building a collection of exploits, from those same
If you've done all that, you can start calling yourself a
studied the thing, played with it, understand how it works &
how to break
| Moderator: Here's another one I figured I'd better make anonymous:
| I got into a system running Unix System V.The victims password
was the same
| as his username, is this stupid or what? So I went to the /etc
| tried the "cat" command:
| cat - views the inside of a file.
| But I was given a message something like "Permission Denied"
| Could this be that the victim's password is just a user right?
| What command do I give to know my rights in Unix? (in novel
| "rights"maybe, if my memory serves me right) What
tricks do I do so that I
| can manipulated the passwd file?
Hacking isn't "tricks". I know Carolyn's given
you that impression, but
she's wrong. Hacking is knowing, because you looked at
played with it yourself, studied it yourself. Buy a book
on Unix, get it
from the library or do a websearch for online tutorials (there's
out there, some of them quite good).
DIY. You can if you want to.
| From: Bernz <firstname.lastname@example.org>
| Maybe it's just me. It probably is. Remote exploits (unless
| them yourself) aren't a really good way of getting into a system.
| are fixed damn quick.
Depends on where you look. Some places have old versions
services and even OSes that are literally years out of date.
There is a
definite trend towards increased security awareness on the part
but it's by no means universal.
| I'm relatively experienced at this and I have to
| say that social engineering is the only way to absolutely get
| remote system. I always see that people have questions about
how to get
| into systems and this aspect is continually overlooked. Sneaking
| through a dumb security guard is just as good as sneaking in
| sendmail bug. People should realize that. There's a world of
| scamming/hacking that's hardly been explored.
SEing takes b****, imagination and quick thinking. Not
think on their feet fast enough to do it effectively. But
if you can
muster up the guts to give it a go, it'll amaze you how much
do for you if you just ask them.
email@example.com (Rogue Agent - r00t/attb) - pgp key on request
The NSA is now funding research not only in cryptography, but
in all areas
of advanced mathematics. If you'd like a circular describing
research opportunities, just pick up your phone, call your mother,
ask for one.
What does the program modem jammer do exactly does anybody
I ran it then called my friend with caller I.D. He knew
who I was when I
called so it don't work against ESS or caller ID. It's
supposed to prevent
your call from being traced. But I have not observed this
could mail you a copy but it's all over the place on hack pages
so being conspiracy minded......I was just wondereing.....need
I say more?
MORE ON MAC
From: Strider <Strider@baka.com>
>I heard somewhere that Macs make up 20% of the servers
on the Internet,
>which is quite large considering that they have such a small
>I think that Macs may be hackable in the ways that NT is,
>denial-of-service attacks, freezing the machine, etc. Unlike
Unix, the Mac
>OS is not a group-oriented OS. It is a personal setup, where
>in, you're in, but it is much harder to GET in. You can't
>loopholes like finding unshadowed passwords from a password
file you get
>off FTP. Macs don't have password files to check groups and
such. So, in
>this way, the Mac is a tougher nut to crack.
True. Although Macs are as easy to DS as others, they also
conventions of not having been hacked much, and not having conventional
interfaces, conventional meaning UNIX. =) Lots of people spend
on UNIX or DOS based systems- the Mac file system and file sharing
are VERY different from them, no matter how it might seem. The
way to hack a Mac is FROM a Mac.
>> Without trying to start any
OS wars, I think it is safe to claim that
>> most technical people move on to other OSes rather than
stick with MacOS
>> and due to this there is a lack of real Mac hackers.
Give people a few
>> months, when the become bored with Unix, WinNT and Novell
>> start hearing about some more Mac exploits.
>I don't think that anyone will get bored with Unix, but I
>point. If Apple launched a major "secure server"
publicity campaign, there
>might be a lot of interest from hackers who want to prove
>Although Apple has a disproportionate "server share,"
Macs are so low
>profile that they haven't brought any major hacking attention.
>after NT gets picked over...
Think, though, how long NT has been out compared to the Mac.
selling Mac server solutions years ago... and it's still doing
the new system, I could see sales going even higher. All apple
do now is buy Quarterdeck, and make webstar part of the OS...
"A mighty storm is rising,
a darkness in the land,
but surely this must be a light,
to those who understand..."
M/B Research -- The Technology Brokers