What's New!

Chat with

How to Defend
Your Computer 

The Guides
to (mostly) 
Harmless Hacking

Happy Hacker 
Digests (old stuff) 

Hacker Links 


Meet the 
Happy Hacksters 

Help for 



It Sucks 
to Be Me!

How to Commit
Computer Crime (not)! 

What Is a 
Hacker, Anyhow? 

Have a 
Great Life! 

News from the 
Hacker War Front

Carolyn's most
popular book,
in 4th edition now!

For advanced
hacker studies,
read Carolyn's
Google Groups
Subscribe to Happy Hacker
Visit this group

Happy Hacker Digest, March 30, 1999

Visit the Happy Hacker site at http://www.happyhacker.org

Opening Comments
Reader Submissions
I want my PGP!
SamSpade Update
NT Commands (Unix-like and networking)
Win9x shares on the Internet
NT Tools You Can Use
Perl Corner
Editor's Comments

Opening Comments

I guess you could say that this edition of the HHD is sort ofthe NT
sysadmins' edition.  Yes, most of what's in this edition seems to be
directed toward NT sysadmins...but hopefully this sort of thing will open up
opportunities for our readers...as NT sysadmins.  After all, isn't that the
only 100%, guaranteed method of 'getting root'?


Project Independence - Linux with the newbie in mind...
Having trouble with nbtstat?  Can't get it to work? Packet
<scottn@iodine.ucia.gov> suggests you try Essential Net Tools:
Want to see what mobile code can do?  Want to see Java applets that can
write to your hard drive?  Be lucky none of these pages include an ActiveX
component that turns the security of your IE browser off: http://www.signal7.com

An analysis of web-page hacking (URL wraps):

Remove GUIDs from MS Office files: http://www.vecdev.com/guideon.html

Common System Intrusion Methods (URL wraps):

Using IE5?  One of many things to be aware of (URL wraps):

Articles on all sorts of web-based programming:

Reader Submissions

From: kliber@eldish.net
Subj: netcat

Hi Happy Hackers! :) in the feb. 14 HH Windows edition our editor put
something about Netcat, an Interesting and Obscure Network Tool; this tool
like Hobbit say in his .txt, had many uses (1001) heh! well i found this
tiny sotfware very interesting, and I had made many experiments with it.
Waiting for the promised "Innovative ways to use" i put here some of the
uses i had discovered for NetCat:

C:\nc11nt>nc -v -v -L -p 23

DNS fwd/rev mismatch: localhost != darkstar listening on [any] 23 ...
DNS fwd/rev mismatch: localhost != darkstar connect to [] from
localhost [] 1131
login: sniff password: Hehe!!

Well, what we have here? it looks like a sniffer!!! :) the option -v
(verbose) in combination with the option -L (listen and listen again) Let
netcat listen in any ports for conections , then if i do telnet to localhost
( from another window, netcat let me see what its happening in
this port. B-]

         A quick one:

C:\nc11nt>nc -v -v -z 53 25 21

DNS fwd/rev mismatch: localhost != darkstar
localhost [] 53 (domain): connection refused
localhost [] 25 (smtp): connection refused
localhost [] 21 (ftp): connection refused
sent 0, rcvd 0: NOTSOCK

Hmmm... A little Port scanner!. Yes, you can scan any port you want, or you
can do a simple scan-range of ports like in this example:

C:\nc11nt>nc -v -v -z 1-53

DNS fwd/rev mismatch: localhost != darkstar
localhost [] 53 (domain): connection refused
localhost [] 52 (?): connection refused
localhost [] 51 (?): connection refused
localhost [] 50 (?): connection refused
localhost [] 49 (?): connection refused

Also, you can use netcat as a "Doctor_X Scanner Detector" (tm), let him
listen in any port and redirect the input to a file:

C:\nc11nt>nc -v -L  hostname  -p 54 > intrudres.txt

Yes, if someone is scanning your Box, netcat capture his IP address and put
it in a file called "intruders.txt" Hehe!! then you can use your favorite
LART againts the little one who spy you... B-]

There are many others uses for this proggie, any one with others "Innovative
Ways"?? :)

===========================          \   \   \   \    \
  \    /   /
         Kliber                       \  \    \  \    
\  \   /  /
         Hackers Venezuela             \  =====\  \    
\  \ /  /
         members.xoom.com/kliber/hack   \  \=====  \   
 \  x  /
         El Conocimiento es Poder!!!     \  \    \  \  
  \   /
___________________________               \   \   \   \
   \  /

From: kazantsev@mail.primorye.ru
Sugj: Boot execute program potential vulnerability


that's me again. I think you have a lot of post from the list subscribers,
so it's a good idea to not bother you without a reason. I've been studying
some books on Windows programming, but I still can't get the things
together. Maybe I am too dumb for that.  However, I noticed something that
had attracted my attention. There is a kind of NT programs, called "Boot
execute" 'cause they run at the system sturtup, like CheckDisk does. Since
the LSA subsistem hasn't started yet, the processes run by those programs
can bypass security restrictions. Now the hard part. For a boot execute
program to be executed, it must have a matching string in the registry, but
Write access to that part of the  registry is restricted to the privilegied
users. However, there  is a possibility (at least, theoretically) to
exchange chkdsk.exe  with a Trojan due to defaul permissions to this file.
Hence, an attacker writes a Trojan which is intended to copy  contents of
SAM file to a file with Full Control for Everyone,  compiles it as Boot
execute, calls it chkdsk.exe and overwrite  the original chkdsk.exe file
with it.  When the system is rebooted,  the trojan is being executed. Since
SAM file is not locked yet (I suppose so), it contents can be easily copied.

Unfortunately, I don't have enough programmer's skills to prove or refute
this. Would it be a good idea to ask the list for help in  this matter?


[Editor:  Sure, there are lots of ways to 'trojan' NT, even if you are just
a user.  Changing the Aedebug Registry key, etc. I haven't seen this
one...maybe you could send an email to L0pht and see if they've done any
work in this area.  Of course, there are other things you can do...run rdisk
to get the latest SAM file, etc.]

I want my PGP!

Having trouble finding the freeware PGP at the NAI site?  Yeah, me too.
Thanks to NAI, no less.  No roads lead to PGP.  But try checking out:

http://www.pgp.com/products/pgpfreeware.cgi (ver 5.5)
http://web.mit.edu/network/pgp.html (ver. 5.0 and

SamSpade Update

SamSpade, a great tool for Windows users, has moved from the  Blighty site
to http://www.samspade.org.  If you check out the site, you can d/l the
latest version of SamSpade or use any of the online tools that the author
has provided...tools such as an online ping, traceroute, and even a DNS
query tool.  Check it out, and d/l the latest version of SamSpade.

NT Commands (Unix-like and networking)

Let's continue our look at NT commands - and in doing so, I want to briefly
mention some Unix-like commands that you can get  from the NT Resource Kit.
Now, these aren't the same as those you can find at NT-Unix web sites...but
if you do a lot of Unix  administration, pull these programs off of the RK,
and it might make you life a little easier:

>From the Resource Kit, native Win32 commands (have POSIX  versions):
cat.exe, cp.exe, ls.exe, mv.exe, touch.exe, wc.exe, vi.exe

>From the Resource Kit, as POSIX: chmod.exe, chown.exe, find.exe, grep.exe,
ln.exe mkdir.exe, rm.exe, rmdir.exe, sh.exe

As long as we're on the subject of RK commands, you might want to check out
the following Microsoft KnowledgeBase articles:

Q171591:  Syntax Examples of WinNT Server Registry Resource Kit Utilities 
Q158388:  Useful Resource Kit Utilities for Domain Administrators

Also, check out utilities such as NewSID.exe from Systems Internals at
http://www.sysinternals.com, and DumpACL, DumpReg, and DumpEvt from
Somarsoft, Inc, at http://www.somarsoft.com.

NOTE:  For a pretty good list of programs in general, check out:

Networking commands nbtstat.exe, net.exe, ping.exe, tracert.exe, nslookup.exe

The online help with NT does a pretty fair job of providing a  look at what
all of these commands do.  In the past, we have  looked at Perl scripts that
made use of nbtstat.exe, and you  can also use Perl to tie net.exe into
scripts as well.  Net.exe has several configuration options which can be
found in the  online help, or by simply typing 'net /?' at the command
prompt. Getting further information on the various configuration options is
just as easy...simply type 'net view /?' or 'net use /?', or whichever
option you choose.

The command that deserves a good review is nslookup.exe.  This  command is
used to submit DNS queries, and troubleshoot DNS problems.

Here is the text of the Guide To (mostly) Harmless Hacking on  DNS regarding

----- begin -----

Nslookup is a great little tool for making DNS queries that comes with NT,
Linux, etc.  The easiest way to use nslookup is in non- interactive mode.
This means that you submit a request at the command line, and you get a
response back with no other input. For example, from the command prompt, type:

$nslookup foobar.edu

Server:  localhost

Name:    foobar.edu

The Server and Address response you see above will vary depending upon your
operating system, and how it's set up.  But you can see that this is a quick
and easy way to look up the IP address of  a host given the name...we have
performed a query for the "A"  resource record.  We can do a "reverse
lookup" by entering the  IP address at the command prompt, rather than the
host name:


Server:  localhost

Name:     www.foobar.edu

Wait a minute!  What's this "www.foobar.edu" stuff?  Well,  what we've found
is an alias for the host "foobar.edu".  A  single host can have multiple
host names that all point to  the same IP address. 

The other way to play with nslookup is to enter interactive mode  by typing
"nslookup" (with no arguments) at the command prompt, and then hitting
<Enter>.  You will get a prompt back that looks 


>From here you can enter commands.  For example, type:


Wow!  We get the same information back as we did for the non- interactive
mode query.  To look up specific resource records  for the foobar.edu
domain, all we need to do is tell nslookup which RR type we want:

>set type=<RR>

where <RR> refers to the resource record type, as we saw listed above (A,
PTR, MX, CNAME, etc).  This way you can look up just those records you are
interested in.  Note:  If you enter "ANY" in place of "<RR>", you will be
doing a lookup in the domain for all resource records...mail exchangers
(email servers), name servers, etc.

Now, let's try one more little trick.  This involves listing hosts  within
the domain we are interested in...it doesn't mean _all_ of  the hosts,
though.  We already know the names and IP addresses of the nameservers that
point to foobar.edu, so start nslookup in  interactive mode.  Then change
the nameserver used to resolve  queries to the nameserver that points to the
foobar.edu domain:


Once you're in interactive mode, change the default nameserver that is used
to resolve your queries to a nameserver that points to the foobar.edu
domain...this information was retrieved using the whois query above:


Now we want to list the hosts in the domain that have records available, so

>ls foobar.edu

You will see something similar to:

foobar.edu.           server = ns.nameserver.org       
foobar.edu.           server = ns2.nameserver.org     
foobar.edu.           server = ns3.nameserver.org

In the real world (vice the "example" world) you will likely get a lot more
hosts back than this...in fact, you may get  upwards to 500 or more hosts!
However, what this tells us is that the host "foobar.edu" has the same IP
address as the hosts listed as "ftp", "smtp", and "www".  This means that
these are services aliased to the host...performing a lookup on
"ftp.foobar.edu" or trying to connect to "ftp.foobar.edu" will
point or connect you to the host "foobar.edu".

If you do list the hosts in the domain, you may want to use  redirection to
save this information in a file, so that you can read over it:

>ls foobar.edu > foobar.txt
----- end -----

This is a very basic overview of how to use nslookup.  The  NT online help
has a some further information, specifically on how to configure specific
queries from the command line. For example, to lookup information on a
particular computer in another domain, type in something similar to:

nslookup -querytype=any domain server

where 'domain' is the domain you are interested in, and 'server'  is the
name server to be queried for the information.  If this is  left blank, the
default name server will be used.  This makes  the nslookup tool great for
scripting and using with Perl...

Win9x shares on the Internet

A while ago, I wrote an updated Guide To (mostly) Harmless Hacking that
addressed accessing 9x shares over the Internet while using  9x.  It seems
that the first edition of the Guide, which was  written for NT, was spread
wide and far, and almost no one has  seen the updated, 9x version.  That
version is at:




Now, I want to point out that much of the research for the second version
was done via the Microsoft KnowledgeBase at:


Specifically, the following articles were used:

Q178729:  How to configure Win95 to dial into a RAS/RRAS  server (pay
particular attention to steps 1 and 3a.)
Q145843:  How to connect to a remote server

Q183368:  Requirements to browse network with dial-up  networking
Other articles of interest include:

Q180099:  Troubleshooting LMHOSTS Name Resolution Issues
Q156323:  Error 3787: You Must Log on Before Performing this Operation
(applies to Win95)
Q141229:  How to use the Net View command to view shared resources

If you are having trouble accessing shares over the Internet, whether
sharing files or 'wargaming' with your friends, take a look at these articles.  

Anyone running 'nbtstat -A a.b.c.d' has likely been frustrated  with the
'host not found' response.  This can be caused by  several things...the
target host isn't connected to the Internet, a firewall is blocking the UDP
queries, etc.  However, doing a  search on the Micrsoft KnowledgeBase
(http://support.microsoft.com) leads to article Q175935 'NBTSTAT -A May
Return Host not Found Error Message'.  This article applies to NT only...and
the stated cause is that 'the NetBIOS Interface device on the target
computer is not started'.  The solution is to set the Messenger Service to
automatic, and set the NetBIOS Interface device in the Devices icon in the
Control Panel to either automatic or manual.  

I have yet to find anything similar in Win9x.

NT Tools You Can Use

NTObjective's Forensic Toolkit http://www.ntobjectives.com/
Great set of tools...especially 'hunt', which replaces RedButton.

Mnemonix's ntis.exe
(the last time I checked, the default page returned the error message
'forbidden'...) Command line tool that attempts null connection to a machine
and enumerates share and user info into an HTML file.  Replaces RedButton.

NAT (NetBIOS Audit Tool)
Brute force tool for null connections to NT boxes. Originally produced by
Secure Networks as freeware,  before they were bought by NAI.  The
functionality is now part of CyberCop Scanner (ie, Ballista).

Port scanner and more.

Scripting language that can be used to  automate almost any sysadmin funtion
on NT, or in NT domains. 

GNU C compiler and utilities
Free C compiler and tools.  Several of the utilities are already compiled.

DumpACL, DumpReg, DumpEVT
Use the tools to dump the ACLs, Registry, and Event Log (respectively) from
NT boxes across your domain.

TCP/IP swiss army knife from Weld Pond of L0pht

File wipe utility

Allow DOS access to NTFS partitions...great tool if you want to use a
bootdisk to boot to DOS, and then read the NT swap file.  Lots of other
extremely useful (and free) tools at this site.

Password cracker from L0pht

Service pack and hotfix scanner from Rhino9.  This tool  is best used by
domain admins, but if remote access to the Registry is NOT disabled, anyone
can use it.  Also check out the other tools by Rhino9, such as the UI for
NAT (see NAT above).

Other must-haves:

http://www.pgp.com/products/pgpfreeware.cgi (ver 5.5)
http://web.mit.edu/network/pgp.html (ver. 5.0 and pgpfone)  

Compression/decompression utility.

Adobe Acrobat Reader
Read PDF files.

For Win9x-specific tools, check out software sites such as  TUCOWS

Perl Corner

In this Perl Corner I'll go ahead and introduce some of the Win32  modules.
We've already looked at Win32 functions, so this time  we'll look at modules
that have been written for NT and '9x.   Now, a word of warning...most of
these modules only work on NT.  

Perl for Win32
This site has a very comprehensive list of Win32 modules.  Check it out
before writing a script of your own...there may be a  module available that
will make your life easier.

Perlwin32 Modules
Check these modules out!  PortIO, IPHelp, DES, and more!

Phillip LeBerre's site
Links to download and docs for Registry, EventLog, and  Services modules.

Dave Roth's site (Roth Consulting)
Home of the AdminMisc module, as well as Win32::ODBC and Win32::Perms...all
three of which are MUST HAVES! Also, I've been working through Dave's book,
"Windows NT Win32 Perl Programming"...it's a gold mine for NT admins!!

For any of these modules, simply follow the installation  instructions
provided by the author.  Dave Roth has set up (at least some of) his modules
to be installed via the PPM script that ships with ActivePerl (see

That being said...

If you want to see what services are running on your NT box, run the
following script:

----- begin svcs.pl -----
#! c:\perl\bin\perl.exe

use Win32::Service;
my ($key, %service, %status, $part);

foreach $key (sort keys %services) {
   print "Display Name\t: $key, $services{$key}\n";

   Win32::Service::GetStatus( '',$services{$key},

   foreach $part (keys %status) {
     print "\t$part : $status{$part}\n" if ($part eq
----- end svcs.pl -----

Notice that we only look at the current state of the service. If we remove
'if ($part eq "CurrentState")' from the 13th line of the file, we'll see all
of the information that the module provides.  Also, in line 5, we see the
call to enumerate the services:


The first argument to the function is null, represented by ''.   This tells
the function to obtain the services from the local machine...we could easily
have checked other machines in the domain by providing their names via an
array or having them read from a file.

Would you like to take a look at some Registry data?  Okay, I'll use a
simple example from pg. 173 of 'Learning Perl on Win32 Systems' from
O'Reilly and Assoc:

-----  begin reg.pl  -----
#! c:\perl\bin\perl.exe

use Win32::Registry;

# If you are using Win9x, change 'Windows NT' in
# the line below to 'Windows'

$p = "SOFTWARE\\Microsoft\\Windows
$main::HKEY_LOCAL_MACHINE->Open($p, $CurrVer) || 
  die "Open:  $!\n";
foreach $k (keys %vals) {
  $key = $vals{$k};
  print "$$key[0] = $$key[2]\n";
-----  end reg.pl  -----

Dave Roth's Win32::AdminMisc module has a variety of methods that allow you
to do all sorts of things on your NT box, or within your NT domain.  You can
get drive and volume data, manage user accounts, even check to see if user's
password is in a dictionary file.  

Dave Roth's book, mentioned above, has a great little example in which he
demonstrates the use of several modules to gather errors in EventLogs on
several machines.  The script makes use of Win32::OLE to put the gathered
data into an Excel  spreadsheet.  Such a script can be set to run each
morning prior to the sysadmin's arrival, and can show such things as failed
logins, etc, from across several machines.  It's not real-time, but if you
want a simple intrusion detection tool, such a script would work.  Also,
Dave Roth wrote the Win32:: ODBC module, so you could have the data dumped
to a database instead of a spreadsheet...whatever you choose.

As I stated in the 1 Feb '99 edition of the HHD in the Perl  Corner, you can
also use Perl modules to generate information or warning events into the
Event Log on NT.   

Editor's Comments:  Over the past several weeks, there haven't been any
particularly interesting submissions from readers.  A couple of 'how do I
change my Active Desktops', and one or two 'hey, I got this new virus called
Happy99.exe' (hate to tell you this, but it isn't new, and it isn't a
virus...).  Other than  that, not too much...just what you see here in the
Reader Submissions section.  Well, 'til next time... 



This is a list devoted to *legal* hacking! If you plan to use any
information in this Digest or at our Web site to commit crime, go away!
Foo on you! Don't email us bragging about any crimes you may have committed.
We mean it. 

For Windows questions, email keydet89@yahoo.com or editor@cmeinel.com
For Unix questions, contact unixeditor@cmeinel.com.
For Macs, email Strider <s.corinth@iname.com> 

Happy Hacker staff: Unix editor, <unixeditor@cmeinel.com>;
Windows editor, Keydet89 <editor@cmeinel.com>; postmasters Jonathan D.
Zerulik and William Lewis <>; Hacker Wargame Director,
Vincent Larsen <vincent@sage-inc.com>; Wargame Sysadmin, Satori
<Satori@rt66.com>; Webmaster, Diode <webmaster@happyhacker.org>; Clown
Princess: Carolyn Meinel <>

Happy Hacker is a 501 (c) (3) tax deductible organization 
in the United States operating under Shepherd's Fold Ministries. Yes! 
This is all a plot to save your immortal souls!

 © 2013 Happy Hacker All rights reserved.