[for better viewing use Word Wrap]


            001101101         101    110      001101010         0101010101
            01      01        010    010      10      10        101    101
            10       10       101    001      01       10       101    001
             01        01      0110110101      01        01      001    110
              10       10       1001001010      11       10       010    111   
              01      01        101    010      10      10        010    101
              10011011          010    001      10011010          1011011001

+-----------------------------------------------------------------------------------------------+            
                                   
                                     DIGITAL HACK DOT ORG 
 
                                           PRESENTS
   
                             *AUTOPSY OF A SHORT & REMOTE ATTACK*
                                              
                                              BY

                                   THE AMADEUS PROJECT TEAM 
                                           
                                              AND
      
                                          THE H SQUAD

                            "knowledge is power, in ze right hands!"

+-----------------------------------------------------------------------------------------------+

                                         DISCLAIMER
                                         ----------
THE INFORMATION PROVIDED HEREIN IS FOR EDUCATIONAL PURPOSES ONLY.  THE MAIN OBJECTIVE OF THIS TEXT IS TO PROMOTE NET SECURITY AWARENESS.  THE AUTHORS OF THIS TEXT CANNOT BE HELD RESPONSIBLE FOR ILLEGAL ACTIONS ARISING FROM THE MISUSE OF THE MENTIONED TEXT.  SHOULD YOU DISAGREE, COMPLETELY OR PARTIALLY, WITH WHAT YOU HAVE JUST READ, LEAVE IMMEDIATELY AND STOP READING NOW.


     CONTENTS
     ~~~~~~~~ 
1. --Autopsy of a remote & short attack--
1.1 Introduction
1.2 Explanation
1.3 Ethics
1.4 Tools
1.5 Procedure
1.6 Gaining access
1.7 Web links
1.8 Books
1.9 Conclusion
2.0 About the group...


   1.1 Introduction
   ****************

How do hackers hack?  The answer is found in only a handful of texts and documents, and most of the time these texts are not comprehensible to newbiez and average users.  What we have written here is a classic remote and short penetration perpetrated from one of our computers here at the DHD0 Research centre.
Of course, we are simply trying to demonstrate to system administrators and security analysts how hackers break into a system, bypassing numerous security checks.

   1.2 Explanation
   ***************

The main purpose of this hack is to retrieve the file which contains the password of the victim.
For this experiment we used two computers, a Pentium II running Windows 95 and a Pentium III running Windows 98.  The Pentium II was used for monitoring the activity of the Pentium III while the latter attempted to retrieve the password file.  To be able to monitor the PIII a Trojan Horse was used, in this case a BackOrifice 2000 server was executed on that machine.  Note that only the PIII had an internet connection, a 56K dialup, while the other one was connected using ISDN (64K).
Also note that the two computers were separated by a distance of over 1000 kilometres and that this hack took about four hours to perform.
Note that since BackOrifice 2000 was used, there was little monitoring that the Pentium II could do.  Nevertheless, it was sufficient to guide us to success in this hack.
At first we thought of using an ip and port scanner but instead preferred an old wardialer for this classic 'break in'.
[Note: if you know other ways to break inside a computer, e.g. by using a hammer!, then email us]


   1.3 Ethics
   **********

We hence proceeded by the following commandments when performing this experiment:

  > YOU SHALL NOT INTENTIONALLY DAMAGE ANY SYSTEM THAT YOU HACK

  > YOU SHALL NOT ALTER ANY SYSTEM FILES EXCEPT ONLY FOR ENSURING YOUR ESCAPE FROM DETECTION AND FUTURE ACCESS

  > YOU SHALL NOT LEAVE ANY INTERESTING NAMES AND PHONE NUMBERS IN YOUR ILLEGALLY ACCESSED SYSTEM AS YOU WILL CERTAINLY BE TRACKED DOWN

  > YOU SHALL NOT HACK GOVERNMENT COMPUTERS AS THE GOVERNMENT HAS MORE TIME AND RESOURCES TO TRACK YOU DOWN, AND WILL TRACK YOU DOWN

  > YOU SHALL BE PARANOID: TRUST NO ONE, TALK TO NO ONE, LISTEN TO NO ONE AND BELIEVE NO ONE UNLESS YOU REALLY KNOW THEM


   1.4 Tools
   *********

The following tools were used when performing this experiment, all of them on the Pentium III computer:

 /*/ a wardialer - like Phonetag

 /*/ a terminal - like Hyperterminal in Windows

 /*/ a password cracker - like Cracker Jack or Cain

 /*/ an ip scanner - like UltrScan [optional]

 /*/ a foreign ip address

 /*/ a proxy server

 /*/ a modem - most important of all


   1.5 Procedure
   *************

 /-/ First of all, an internet connection was opened and the wardialer was executed.  A wardialer is a program that dials a range of phone numbers in search of 'carrier' tones.  A 'carrier' tone is a series of beeps and tones which indicates that a phone number connected to a computer has been found.  A prefix range of numbers was entered in the wardialer's range box and we started dialing.  About one hour and a half later we got a 'carrier' tone.

 /-/ We noted down the phone number, exited the wardialer and ended the internet connection.

 /-/ Through social engineering, or otherwise, we managed to obtain someone's ip address and, knowing that this person was not online, we used his ip address for our Pentium III machine.  This technique is called 'ip hijacking'; note that when the said person is online we will not be able to use his ip address.  So we modified our ip address in the Internet Explorer option box to his.

 /-/ Then we opened an internet connection using the 'hijacked' ip and used a proxy server to hide our Pentium III's ip.  A proxy server is a server which makes a connection to a net location on your behalf, instead of you making a direct connection.  Proxy servers are most of the time used for hiding ip and MAC addresses [MAC does not refer to the Mac computer].

 /-/ Then we minimized our default internet browser, closed the internet connection and ran Hyperterminal.  We typed in the phone number the wardialer had found and tried to connect to the machine.  A series of beeps was heard; it was our modem trying to connect to the victim's computer.

 /-/ After a short while some crap appeared in the Hyperterminal window and suddenly there was something like this:
     
     login:_
     password: 

 
 /-/ We immediately realized that we were up against a computer running Unix as its operating system.
     When encountering a Unix system it will always ask you for a login name, whereas if it asks you for a username then you have met a VAX/VMS system.


   1.6 Gaining access
   ******************

We had to find a way to access the Unix system and this was what we did:
      
 // We knew that most Unix systems automatically record the ip addresses of people trying to access the system once they have entered a login name more than three times in one session.  In other words, if we enter a different login name and password more than three times, the system records our ip address.  Therefore, using a Unix password cracker would be of no immediate avail.  Nevertheless, we typed in 'root' as login and 'root' also as password.  Access was denied.  Two chances remained.

 // Then, we tried our best shot and typed 'sysadmin' as login and 'sys' as password.
     Access was denied.  Only a unique chance was left now.

 // Before we tried anything else, a tube of aspirin was put forward and each of us took two of the damn pills.

 // Suddenly a bright idea occurred to us.  We typed in 'finger' and pressed enter.  A list of all the users who were using this Unix system appeared, well not really as only one appeared.  It was someone with username John.

 // So we returned to the login prompt and typed in 'John' as login and also 'John' as password.
     By now all of us at the DHD0 Research centre were in a sweat as this was our last chance.
     Note that most of the time, the usernames are the same as the passwords and logins.

 // Access was granted.

 // We then typed '/etc/passwd' and pressed enter.  Some more crap appeared in the Hyperterminal window.  This means that we had access to the password file.  We immediately copied the file to our hard disk, some knowledge of MS DOS required.  Finally, we logged off the now hacked Unix system by typing 'exit' and closing the internet connection.

 // We opened the MS DOS editor and opened the password file.
     Note that to open the DOS editor, open an MS DOS window and type 'edit' at the command prompt.

 // While reading the file we came across the following line:
     'john: 142uyfj: 6457: 18: john wayne: /home/dir/john: /bin/john'

 // Breaking this line down into its fields, the following was obtained.

     Username: john
     Encrypted Password: 142uyfj
     User Number: 6457
     Group Number: 18
     Other Info: john wayne
     Home Directory: /home/dir/john
     Shell:  /bin/john

 // So here we are, we have finally obtained the username and password.  Another reason to return to the Unix system, but that's another story.

[Note: the definition of 'crap' here means a bunch of numbers and/or letters of no significance to the user]
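As an added example that is not part of the zine, here is a small Python parser for passwd lines like the 'john' line above, plus the check an administrator would run to catch the weakness this story depends on: the password hash sitting in the world-readable /etc/passwd instead of a root-only shadow file.  The sample lines other than the zine's own 'john' entry are constructed.

```python
# Added example, not part of the zine. Parses /etc/passwd-style lines into
# their seven fields and audits them for the weakness the story relies on:
# a password hash kept in the world-readable passwd file instead of a
# root-only shadow file (marked there by 'x'), plus two related checks.
from typing import Dict, List, Tuple

FIELDS = ("username", "password", "uid", "gid", "gecos", "home", "shell")

# Constructed sample: the zine's own 'john' line (spaces after the colons
# kept as printed) plus three invented entries.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
john: 142uyfj: 6457: 18: john wayne: /home/dir/john: /bin/john
guest::1001:1001:Guest account:/home/guest:/bin/sh
backup:x:0:18:Nightly dump:/var/backup:/bin/sh
"""


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split each non-empty, non-comment line into the seven passwd fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(":")]  # tolerate stray spaces
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected 7 fields, got {len(parts)}: {raw!r}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def audit_passwd(entries: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (username, problem) pairs an administrator should fix."""
    findings = []
    for e in entries:
        pw = e["password"]
        if pw == "":
            findings.append((e["username"], "empty password field"))
        elif not (pw in ("x", "*") or pw.startswith("!")):
            # Anything else is a hash: every local user can copy and crack it.
            findings.append((e["username"], "hash exposed in passwd, not shadowed"))
        if e["uid"] == "0" and e["username"] != "root":
            findings.append((e["username"], "extra uid 0 account"))
    return findings


if __name__ == "__main__":
    for user, problem in audit_passwd(parse_passwd(SAMPLE_PASSWD)):
        print(f"{user}: {problem}")
```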


   1.7 Web links
   *************

Check out these cool web links that we discovered when surfing the net.

www.unixhideout.com           - group resulting from the merging of other hacking sites
www.madsite.org               - new net security site
www.wiredlab.com              - great books available [highly recommended]
www.metatrox.com              - cool graphics that you can play with
www.hack.org                  - an old site!

www.symantec.com              - get to know the new viruses emerging everyday

www.astalavista.net           - another affiliate of the Astalavista Group
 
www.legions.org               - site of the Legions of the Underground    
www.cultdeadcow.com           - Cult of the Dead Cow's site
www.l0pht.com                 - L0pht Heavy Industries business site


   1.8 Books
   *********

The following books are recommended if you have found this text interesting.

+Practical Unix Security
 Author: Simson Garfinkel and Gene Spafford

+Unix System Security: A Guide for Users and Systems Administrators
 Author: David A. Curry

+Modern Methods for Computer Security
 Author: Lance Hoffman


   1.9 Conclusion
   **************

No system administrator or ISP has found out what we did on that day.  This is because we respected the ethics of hacking and did 'everything by the book'.  It was only after our Pentium III was turned off that our heartbeats slowed down.  Furthermore, the Pentium II machine's report was that it noticed a great influx of data towards the PIII.
It is interesting to note that 'John Wayne' is a friend of ours and made his computer available to the DHD0 Research centre for this experiment.  We were to hack into his system, of which we had little knowledge, and steal his password.  Guess he won't be able to view his porno pics tomorrow!
Hope that you have enjoyed this text as much as we have enjoyed writing it.  As usual, the editor is SID vicious and the writers include all the DHD0 members, that is deEp c0ma, zana tas, vector12 and digital flu and of course the editor!
 

   2.0 About the group...
   **********************

Digital Hack Dot Org is a newly-born group of computer loving individuals who are trying to earn a modest place in the vast world of the hacker underground.  DHD0 comprises only 5 members, namely: sid vici0us (commander in chief), zana tas (secretary), deEp coma (corporal) and digital flu (soldier), plus vector12 (shoe-polisher!).  Actually, we were here a long time ago but we have decided to make our presence felt just recently.  The obvious reason for this was that we were all newbies and that we were learning (we still are).  Keep watching as more tutorials are on their way.
Also, do not forget that real hackers drink milk!!!
  
*************************************************************************************************

             D   I   G   I   T   A   L     H   A   C   K     D   O   T     O   R   G

               k n o w l e d g e  i s  p o w e r, i n  z e  r i g h t  h a n d s !
      
            ==========================HACKERS WITH GRAMMAR===========================
          
                             contact us at amateur@fuckMicrosoft.com
                         
       
                        autopsy of a classic remote and short attack v1.0
                                           17/02/2002

       PERMISSION TO DISTRIBUTE & COPY FREELY GIVEN, BUT IT MUST BE SHOWN THAT THE ORIGINAL             
                                AUTHORS ARE DIGITAL HACK DOT ORG
