Originally an email to me.
This one is on hacking web pages, and I included a lot more information on other
methods than the traditional passwd file method, which most of the web page
texts are on in the library right now. I fixed this one so it
doesn't scroll on and on like my text on passwd files.
Hacking Web Pages By Goat
Introduction
Please know that hacking webpages is considered lame in many people's opinion,
and it will most likely not give you a good reputation. People can always check
logs once notified of hacking, and most likely your address will come up; then
at worst they will press charges under some elaborate computer crimes law and
you will go to prison for up to 10 years and owe a lot of $. So please attempt
to refrain from abusing your knowledge on this subject. This is for
informational purposes only.
"Free" Web Pages
Free webpages are web page hosting companies like Tripod and Geocities that host
people's web pages for free and make money off advertising. There are ways to
hack these companies and have access to all users, but it would be too complex
for most people. This way is simply social engineering, which is not very hard
to do, so don't proclaim yourself an Uberhacker because you vandalised a poor
guy's webpage, who just happened to have his information on his site. All you
have to do is set up an account with a free email service like hotmail and find
your target. On your target's page you need to have the date of birth, name, and
their old email, or instead of the DOB their address (I have lost my pass to a
smaller company, and they needed the address I had registered with). All these
free web page companies have their "verification" for people who have lost their
password to their page. All there is to it, once you have this information, is
that you email the company telling them you changed your email address, and once
that is done wait about 2 weeks and then email them again saying that you lost
your password. Most will email you telling you that you need some sort of
verification, like the DOB or address, in which case you email them back and
tell them and get a new password. On the other hand, companies like Geocities
are too busy for email, so they have set up a web site where members can get
their password back (http://www.oocities.org/help/pass_form.html).
User's Pages
There are many different methods of hacking users' web pages on a server. I will
attempt to list as many ways as possible, but don't expect very much in-depth
information.
Getting Passwords
Okay, suppose you found a page you want to hack that is on someone else's
server, and that's a basic server, light security. Okay, very light security. I
will be truthful. This pretty much works on servers with no security [=.
Getting a passwd file is pretty easy. Simply telnet into the server's FTP
anonymously and look in the ETC directory and get the file called Passwd.
Another way to get them is to find your target and in a WWW browser type
cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd after the server's name. For
example, the name may be http://www.hackme.com/; you would go to
http://www.hackme.com/cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd
except instead of www.hackme.com you would use your target's URL.
You may get a passwd file that has no user accounts, but only defaults, where a
* sits in the place where the encrypted password should be. On certain servers
with this you may have a shadowed passwd, but in all passwd files I have come
across there are some user names like FTP and NEWS that have no encrypted
passwords, which are replaced with *. If you find only this and no encrypted
passwds you have probably found a fixed passwd file and you must try another
method of hacking the server. You need to examine this file and look for a line
in the text that looks like this:
rrc:uXDg04UkZgWOQ:201:4:Richard Clark:/export/home/rrc:/bin/ksh
It does not need to look exactly like that; the only important parts it needs
are the uXDg04UkZgWOQ and rrc, which is the login part. Get a program called
John the Ripper, which can be found on any hacking site on the web. If you are
too lazy, or stupid, to find one on the web, here's a good place to go for
newbies: http://www.hackersclub.com/km/
I will not go in depth right here on passwd files, but I have written a text on
passwd's going well into the subject, which can be found at
http://www.xtalwind.net/~lmclaulin/ugpasswd.txt.
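For a server operator, the phf request described above is easy to spot in the web server's access log, because the query string carries a percent-encoded newline. The following detection sketch is an added example, not part of the original text; it assumes Common Log Format, and the log lines and addresses in it are constructed.

```python
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/1998:04:11:02 -0500] "GET /index.html HTTP/1.0" 200 2048',
    '198.51.100.7 - - [12/Mar/1998:04:12:40 -0500] '
    '"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 1519',
    '203.0.113.5 - - [12/Mar/1998:04:15:09 -0500] '
    '"GET /cgi-bin/phf?Qalias=x%250A/bin/cat%2520/etc/passwd HTTP/1.0" 404 207',
    '192.0.2.10 - - [12/Mar/1998:04:16:30 -0500] '
    '"GET /cgi-bin/search.cgi?q=weather%20today HTTP/1.0" 200 812',
]

def fully_unquote(value, rounds=3):
    """Percent-decode several times so double-encoded newlines (%250a) are still seen."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def find_cgi_newline_injection(lines):
    """Flag CGI requests whose query string decodes to text containing a line break."""
    findings = []
    for line in lines:
        match = CLF.match(line)
        if not match:
            continue  # not a request line we understand
        host, when, method, target, status = match.groups()
        path, _, query = target.partition("?")
        decoded = fully_unquote(query)
        if "/cgi-bin/" not in path or not re.search(r"[\r\n]", decoded):
            continue
        findings.append({
            "host": host,
            "time": when,
            "script": path.rsplit("/", 1)[-1],
            "reads_passwd": "/etc/passwd" in decoded,
            # 200: the script exists and answered (incident); 404: probe only.
            "served": status == "200",
        })
    return findings

if __name__ == "__main__":
    for finding in find_cgi_newline_injection(SAMPLE_LOG):
        print(finding)
```

A finding with "served" set means the script answered, so the passwd file should be treated as disclosed and the script removed from cgi-bin.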
Anyway, using John the Ripper is easy; if you want to quickly hack something
give the command (in DOS prompt) "john passwd -single". Replace "passwd" in
there with the name of the passwd file; you may have saved it as passwd.txt or
something. An important thing to remember is that the passwd file needs to be in
the same directory as John. To see a list of other methods for cracking a passwd
file, just type John and it will give you a list of commands. I have found john
won't work for me with wordlists, but other people say that it works fine for
them. You can use incremental mode (to use that the command is
"John passwd -incremental"). It takes like a few days to finish, so I wouldn't
really want to let it go on forever and ever if it was just some normal passwd
file. Unless it's like NASA's passwd file (keep dreaming, they probably change
passwords every day and that file is very outdated) I wouldn't want to use that
too much. To see a complete list of John's cracking capabilities, just type john
and it will give you a list of commands that you may use.
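Offline cracking as described above only works when the readable passwd file still carries real hashes, so an administrator can check a file for exactly that. The audit below is an added example, not part of the original text; the rrc line is the one quoted in the text, the other sample lines and the status names are constructed.

```python
import re

# Password-field markers that mean "no usable hash is stored in this file".
PLACEHOLDERS = {"*", "x", "!", "!!", "*LK*", "NP"}
# Traditional DES crypt(3): 2 salt characters followed by 11 hash characters.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# Sample file: the rrc line is quoted from the text; the rest is constructed.
SAMPLE_PASSWD = """\
root:x:0:1:Super-User:/:/sbin/sh
ftp:*:30:30:Anonymous FTP:/export/ftp:/bin/false
news:*:6:6:News:/var/spool/news:/bin/false
rrc:uXDg04UkZgWOQ:201:4:Richard Clark:/export/home/rrc:/bin/ksh
guest::500:100:Guest:/export/home/guest:/bin/sh
broken line without enough fields
"""

def classify_field(pw):
    """Classify the second field of a passwd entry."""
    if pw == "":
        return "empty-password"      # account can log in without a password
    if pw in PLACEHOLDERS or pw[0] in "!*":
        return "no-hash"             # shadowed, locked or service account
    if DES_CRYPT.match(pw):
        return "exposed-des-crypt"   # world-readable and cheap to brute-force
    return "exposed-hash"            # some other hash format, still readable

def audit_passwd(text):
    """Return (line number, login, status) for every line of a passwd file."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            report.append((lineno, fields[0], "malformed"))
            continue
        report.append((lineno, fields[0], classify_field(fields[1])))
    return report

def accounts_needing_action(report):
    """Logins whose entry should be moved to a shadow file or given a password."""
    bad = ("empty-password", "exposed-des-crypt", "exposed-hash")
    return [login for _, login, status in report if status in bad]

if __name__ == "__main__":
    rows = audit_passwd(SAMPLE_PASSWD)
    for row in rows:
        print(row)
    print("fix:", accounts_needing_action(rows))
```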
If You Have an Account with the User's Server
The next section is on how you can hack a webpage if you already have an account
with the server. This was taken from a text by Lord Somer, and since I don't
want to butcher something important out of it I will just keep the text in its
whole form.
Exploiting Net Administration CGI (taken from a text by Lord Somer)
#######################################
# Exploiting Net Administration Cgi's #
# like nethosting.com                 #
# Written by: Lord Somer              #
# Date: 5/23/97                       #
#######################################
Well since nethosting.com either shut down or whatever I figured what the
hell, before I forget how I did the more recent hacks etc... I'd tell you how so
maybe you'll find the same sys elsewhere or be able to use it for ideas.
Basically Nethosting.com did all its administration via cgi's at
net-admin.nethosting.com, well you need an account, card it if necessary, log in
to net-administration, you'll see crap like ftp administration, email, etc...
who really cares about e-mail so we'll go to ftp. Click on ftp administration.
Let's say you were logged in as 7thsphere.com, your url would be something like:
http://net-admin.nethosting.com/cgi-bin/add_ftp.cgi?7thsphere.com+ljad32432jl
Just change the 7thsphere.com to any domain on the sys or if in the chmod cgi
just del that part but keep the + sign and you edit the /usr/home dir. In the
ftp administration make a backdoor account to that domain by creating
an ftp whose dir is / since multiple /// still means /.
Once you have your backdoor have fun. Oh yeah and in the email you can add
aliases like I did to rhad's e-mail account at 7thsphere, why the hell is he on
that winsock2.2 mailing list?
Well the basic theory of this type of exploitation is that:
- the cgi is passed a parameter which we change to something else to edit its
info
- since it uses the stuff after the + to check that it's a valid logged
in account (like hotmail does), it doesn't check the password again.
- multiple ///'s in unix just mean a /, thus we can get access to people's dir
or the entire /usr/home dir
I used this method for hacking a few well known places:
7thsphere.com
sinnerz.com
hawkee.com
warez950.org
lgn.com
and several other unknown sites.
Please remember
if you ever use a method of mine please credit me and link to my site thanks.
########################################
# Contact Info:                        #
# E-mail: webmaster@lordsomer.com      #
# ICQ: 1182699                         #
# Site: The Hackers Layer              #
#       http://www.lordsomer.com       #
# Other Sites:                         #
#       Hackers Club                   #
#       http://www.hackersclub.com/km  #
########################################
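The three flaws listed in the quoted text (a caller-controlled domain parameter, a session token that is not tied to that domain, and unchecked directory paths) all have the same fix: take the account from the server-side session and confine paths to that account's home. The sketch below is an added example and not Nethosting's or Lord Somer's code; the function names, the session table and the example domains are hypothetical, and the vulnerable function is only a model of the behaviour the text describes.

```python
import posixpath

HOME_ROOT = "/usr/home"
# Server-side session table: token -> domain that authenticated (constructed values).
SESSIONS = {"tok-a-constructed": "customer-a.example"}

class Denied(Exception):
    """Raised when a request must not be served."""

def vulnerable_ftp_dir(query):
    """Model of the flaw: the token proves *a* login, the URL chooses the domain."""
    domain, _, token = query.partition("+")
    if token not in SESSIONS:
        raise Denied("unknown session")
    return HOME_ROOT + "/" + domain   # an empty domain yields /usr/home/ itself

def hardened_ftp_dir(query, subdir=""):
    """Bind the domain to the session and confine the directory to its home."""
    domain, _, token = query.partition("+")
    owner = SESSIONS.get(token)
    if owner is None:
        raise Denied("unknown session")
    if domain != owner:               # also rejects the empty-domain case
        raise Denied("domain does not belong to this session")
    home = posixpath.join(HOME_ROOT, owner)
    # Treat the requested directory as relative to home, then collapse //, . and ..
    candidate = posixpath.normpath(posixpath.join(home, subdir.lstrip("/")))
    if candidate != home and not candidate.startswith(home + "/"):
        raise Denied("directory escapes the account's home")
    return candidate

def is_denied(func, *args):
    """Helper: True when func(*args) raises Denied."""
    try:
        func(*args)
    except Denied:
        return True
    return False

if __name__ == "__main__":
    tampered = "customer-b.example+tok-a-constructed"
    own = "customer-a.example+tok-a-constructed"
    print("vulnerable serves:", vulnerable_ftp_dir(tampered))
    print("hardened denies tampered URL:", is_denied(hardened_ftp_dir, tampered))
    print("hardened denies ../ escape:", is_denied(hardened_ftp_dir, own, "../x"))
    print("own directory:", hardened_ftp_dir(own, "///"))
```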
Other Ways Of Hacking User Pages
Another method that may work with really stupid admins is that sometimes, when
you FTP to a server, you can leave your home directory and go back a few
directories and find your target's directory. Once you have done that, you may
be able to access the HTML files, save them to disk and then "edit them". The
HTML files may or may not be stored on FTP, but with smarter admins they are not
accessible by other users.
Things that Don't Fit In Other Categories
There are many more ways of hacking web pages. People's stupidity is a good way.
Many passwords are guessable if they are not hackable. It's not hacking but
simply using a person's stupidity. If you were to get root on a server you could
have access to everything on the server, so if you wanted to hack a server's
webpage (or access anything else you want on the server) you would probably have
to get an account and you could run an exploit on the server, but that is
something newbies should probably not try until they know more about what they
are doing.
Why Hacking Web Pages (and other things) is a Bad Idea...
Hacking web pages is an obvious signal that someone has hacked your server,
which can be a reminder to forgetful admins to check their logs and immediately
call your ISP to cancel your account, along with the FBI to come bust you on
some elaborate computer crime law. Hacking school grades is another stupid thing
you should never do. I know it's off topic but it's important to remember,
because they are two things that both get people busted a lot. Don't believe me?
Let me show you a few pieces of articles from news at the hackersclub. The
entire article (instead of the parts where the hacker got busted) may be read
from the address beneath each section.
"Kubojima is accused of taking over seven web pages of the Osaka-based
television network Asahi Broadcasting Company on May 18 and replacing five of
the seven weather charts on the pages with pornographic pictures. He also faces
charges under Japan's anti-obscenity laws. If convicted, Kubojima faces a fine
of one million yen ($8,600) and a prison term of up to five years under tough
penalties against hackers adopted in 1992."
http://web5.hackersclub.com/km/news/1997/may/news4.txt
"He is 18, and may be looking at up to 10 years in prison. He hasn't stolen
anything, he hasn't hurt anybody and many familiar with the crime that he is
accused of committing say the possible punishment borders on the absurd.
The 18-year-old and a 17-year-old friend, police say, broke into a computer
network.
They added some funny pictures to a World Wide Web site run by the network
operator, a Texas Internet service provider called FlashNet, police say. The two
figured out some of the user names and passwords used by FlashNet customers.
Then they left.
The 18-year-old was arrested on suspicion of third-degree felonies that carry a
sentence of two to 10 years in prison and a fine of up to $10,000. His friend,
who was arrested on suspicion of a less severe misdemeanor, faces up to a year
in jail and a $4,000 fine."
http://web6.hackersclub.com/km/news/1997/august/news3.txt
"Student faces felony for hacking grades
From NewsTalk 750 WSB
A 15-year-old Florida High School student faces felony charges for allegedly
hacking his way into the school computer to change "F's" into "A's." Jason
Westerman claims it was only a joke, but he faces felony charges for offenses
against intellectual property and computer users. He's been suspended for ten
days. Westwood high school administrators want to expel him."
http://web6.hackersclub.com/km/news/1997/june/news4.txt
Getting busted hacking will not be a fun process unless you like paying $10,000
and having a date with someone named Spike in the prison's cafeteria for the
next 3 years. Be wise about what you leave behind, because soon you may be
surprised by a knock at the door by your neighborly FBI agent.
- = - = - = - = - = - = - = - =
- = - = - = - = - = - = -
StopWar
Contact information:
Email - MohamadAzmie@Hotmail.Com
Http:// - MasterZCrew.Cjb.Net & HackerMasterZ.Cjb.Net
- = - = - = - = - = - = - = - = - = - == - = - = - = - = -
Copy Rights by StopWar
MasterZCrew, Inc.