GUIDE TO HARMLESS HACKING
Vol. 1 Number 1
written by outburn
Hacking tip of this column: how to finger a user via telnet.
_______________________________________________________
Hacking. The word conjures up evil computer geniuses plotting the downfall of civilization while squirreling away billions in electronically stolen funds in an Antigua bank.
But I define hacking as taking a playful, adventurous approach to computers. Hackers don't go by the book. We fool around and try odd things, and when we stumble across something entertaining we tell our friends about it. Some of us may be crooks, but more often we are good guys, or at least harmless.
Furthermore, hacking is surprisingly easy. I'll give you a chance to prove it to yourself, today!
But regardless of why you want to be a hacker, it is definitely a way to have fun, impress your buddies, and get dates. If you are a female hacker you become totally irresistible to all men. Take my word for it!;^D
This column can become your gateway into this world. In fact, after reading just this first Guide to (mostly) Harmless Hacking, you will be able to pull off a stunt that will impress the average guy or gal unlucky^H^H^H^H^H^H^H fortunate enough to get collared by you at a party.
So what do you need to become a hacker? Before I tell you, however, I am going to subject you to a rant.
Have you ever posted a message to a news group or email list devoted to hacking? You said something like "What do I need to become a hacker?" right? Betcha you won't try *that* again!
It gives you an education in what flame means, right?
Yes, some of these 3l1te types like to flame the newbies. They act like they were born clutching a Unix manual in one hand and a TCP/IP specification document in the other and anyone who knows less is scum.
*********************
Newbie note: 3l1t3, 31337, etc. all mean elite. The idea is to
take either the word elite or eleet and substitute
numbers for some or all the letters. We also like zs. Hacker d00dz do this
sor7 of th1ng l0tz.
********************
Now maybe you were making a sincere call for help. But there is a reason many hackers are quick to flame strangers who ask for help.
What we worry about is the kind of guy who says, "I want to become a hacker. But I *don't* want to learn programming and operating systems. Gimme some passwords, d00dz! Yeah, and credit card numbers!!!"
Honest, I have seen this sort of post in hacker groups. Post something like this and you are likely to wake up the next morning to discover your email box filled with 3,000 messages from email discussion groups on agricultural irrigation, proctology, collectors of Franklin Mint doo-dads, etc. Etc., etc., etc....arrrgghhhh!
The reason we worry about wannabe hackers is that it is possible to break into other people's computers and do serious damage even if you are almost totally ignorant.
How can a clueless newbie trash other people's computers? Easy. There are public FTP and Web sites on the Internet that offer canned hacking programs.
Thanks to these canned tools, many of the hackers you read about getting busted are in fact clueless newbies.
This column will teach you how to do real, yet legal and harmless hacking, without resorting to these hacking tools. But I won't teach you how to harm other people's computers. Or even how to break in where you don't belong.
******************************
You can go to jail tip: Even if you do no harm, if you break into a portion
of a computer that is not open to the public, you have committed a crime.
If you telnet across a state line to break in, you have committed a federal
felony.
*************************************
I will focus on hacking the Internet. The reason is that each computer on the Internet has some sort of public connections with the rest of the Net. What this means is that if you use the right commands, you can *legally* access these computers.
That, of course, is what you already do when you visit a Web site. But I will show you how to access and use Internet host computers in ways that most people didn't know were possible. Furthermore, these are *fun* hacks.
In fact, soon you will be learning hacks that shed light on how other people (Not you, right? Promise?) may crack into the non-public parts of hosts. And -- these are hacks that anyone can do.
But, there is one thing you really need to get. It will make hacking infinitely easier:
A SHELL ACCOUNT!!!!
A shell account is an Internet account in which your computer becomes a terminal of one of your ISP's host computers. Once you are in the shell you can give commands to the Unix operating system just like you were sitting there in front of one of your ISP's hosts.
Warning: the tech support person at your ISP may tell you that you have a shell account when you really don't. Many ISPs don't really like shell accounts, either. Guess why? If you don't have a shell account, you can't hack!
But you can easily tell if it is a real shell account. First, you should use a terminal emulation program to log on. You will need a program that allows you to imitate a VT100 terminal. If you have Windows 3.1 or Windows 95, a VT100 terminal program is included as one of your accessory programs.
Any good ISP will allow you to try it out for a few days with a guest account. Get one and then try out a few Unix commands to make sure it is really a shell account.
You don't know Unix? If you are serious about understanding hacking, you'll need some good reference books. No, I don't mean the kind with breathless titles like "Secrets of Super Hacker." I've bought too many of that kind of book. They are full of hot air and thin on how-to. Serious hackers study books on:
a) Unix. I like "The Unix Companion" by Harley Hahn.
b) Shells. I like "Learning the Bash Shell" by Cameron Newham and Bill Rosenblatt. A shell is the command interface between you and the Unix operating system.
c) TCP/IP, which is the set of protocols that make the Internet work. I like "TCP/IP for Dummies" by Marshall Wilensky and Candace Leiden.
OK, rant is over. Time to hack!
How would you like to start your hacking career with one of the simplest, yet potentially hairy, hacks of the Internet? Here it comes: telnet to a finger port.
Have you ever used the finger command before? Finger will sometimes tell you a bunch of stuff about other people on the Internet. Normally you would just enter the command:
finger [email protected]
But instead of Joe Schmoe, you put in the email address of someone you would like to check out. For example, my email address is [email protected]. So to finger me, give the command:
finger [email protected]
Now this command may tell you something, or it may fail with a message such as "access denied."
But there is a more elite way to finger people. You can give the command:
telnet llama.swcp.com 79
What this command has just done is let you get on a computer with an Internet address of llama.swcp.com through its port 79 -- without giving it a password.
But the program that llama and many other Internet hosts are running will usually allow you to give only ONE command before automatically closing the connection. Make that command:
cmeinel
This will tell you a hacker secret about why port 79 and its finger programs are way more significant than you might think. Or, heck, maybe something else if the friendly neighborhood hacker is still planting insulting messages in my files.
Now, for an extra hacking bonus, try telnetting to some other ports. For example:
telnet kitsune.swcp.com 13
That will give you the time and date here in New Mexico, and:
telnet slug.swcp.com 19
Will show you a good time!
OK, I'm signing off for this column. And I promise to tell you more about what the big deal is over telnetting to finger -- but later. Happy hacking!
*******************************************************
Want to share some kewl hacker stuph? Tell me I'm terrific? Flame me?
For the first two, I'm at [email protected]. Please direct flames
to dev/[email protected]. Happy hacking!
_______________________________________________________
Copyright 1996 Carolyn P. Meinel. You may forward the GUIDE TO (mostly) HARMLESS
HACKING Ezine as long as you leave this notice at the end. To subscribe,
email [email protected] with message "subscribe hacker
<[email protected]>" substituting your real email address for Joe
Blow's.
________________________________________________________
_____________________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 1 Number 2
Written by outburn
In this issue we learn how to forge email -- and how to spot forgeries. I promise, this hack is spectacularly easy!
______________________________________________________________
Heroic Hacking in Half an Hour
How would you like to totally blow away your friends? OK, what is the hairiest thing you hear that super hackers do?
It's gaining unauthorized access to a computer, right?
So how would you like to be able to gain access and run a program on almost any of the millions of computers hooked up to the Internet? How would you like to access these Internet computers in the same way as the most notorious hacker in history: Robert Morris!
It was his Morris Worm which took down the Internet in 1990. Of course, the flaw he exploited to fill up 10% of the computers on the Internet with his self-mailing virus has been fixed now -- on most Internet hosts.
But that same feature of the Internet still has lots of fun and games and bugs left in it. In fact, what we are about to learn is the first step of several of the most common ways that hackers break into private areas of unsuspecting computers.
But I'm not going to teach you to break into private parts of computers. It sounds too sleazy. Besides, I am allergic to jail.
So what you are about to learn is legal, harmless, yet still lots of fun. No pulling the blinds and swearing blood oaths among your buddies who will witness you doing this hack.
But -- to do this hack, you need an on-line service which allows you to telnet to a specific port on an Internet host. Netcom, for example, will let you get away with this.
But Compuserve, America Online and many other Internet Service Providers (ISPs) are such good nannies that they will shelter you from this temptation.
But your best way to do this stuph is with a SHELL ACCOUNT! If you don't have one yet, get it now!
***********************************
Newbie note #1: A shell account is an Internet account that lets you give
Unix commands. Unix is a lot like DOS. You get a prompt on your screen and
type out commands. Unix is the language of the Internet. If you want to be
a serious hacker, you have to learn Unix.
****************************
Even if you have never telnetted before, this hack is super simple. In fact, even though what you are about to learn will look like hacking of the most heroic sort, you can master it in half an hour -- or less. And you only need to memorize *two* commands.
To find out whether your Internet service provider will let you do this stuph, try this command:
telnet callisto.unm.edu 25
This is a computer at the University of New Mexico. My Compuserve account gets the vapors when I try this. It simply crashes out of telnet without so much as a "tsk, tsk."
But at least today Netcom will let me do this command. And just about any cheap "shell account" offered by a fly-by-night Internet service provider will let you do this. Many college accounts will let you get away with this, too.
******************************
Newbie note #2: How to Get Shell Accounts
Try your yellow pages phone book. Look under Internet. Call and ask for a shell account.
They'll usually say, "Sure, can do." But lots of times they are lying. They think you are too dumb to know what a real shell account is. Or the underpaid person you talk with doesn't have a clue.
The way around this is to ask for a free temporary guest account. Any worthwhile ISP will give you a test drive. Then try out today's hack.
*******************************
OK, let's assume that you have an account that lets you telnet someplace serious. So let's get back to this command:
telnet callisto.unm.edu 25
If you have ever done telnet before, you probably just put in the name of the computer you planned to visit, but didn't add in any numbers afterward. But those numbers afterward are what makes the first distinction between the good, boring Internet citizen and someone slaloming down the slippery slope of hackerdom.
What that 25 means is that you are commanding telnet to take you to a specific port on your intended victim, er, computer.
***********************************
Newbie note #3: Ports
A computer port is a place where information goes in or out of it. On your
home computer, examples of ports are your monitor, which sends information
out, your keyboard and mouse, which send information in, and your modem,
which sends information both out and in.
But an Internet host computer such as callisto.unm.edu
has many more ports than a typical home computer. These ports are identified
by numbers. Now these are not all physical ports, like a keyboard or RS232
serial port (for your modem). They are virtual (software) ports.
***********************************
But there is phun in that port 25. Incredible phun. You see, whenever you telnet to a computer's port 25, you will get one of two results: once in awhile, a message saying "access denied" as you hit a firewall. But, more often than not, you get something like this:
Trying 129.24.96.10...
Connected to callisto.unm.edu.
Escape character is '^]'.
220 callisto.unm.edu Smail3.1.28.1 #41 ready at Fri, 12 Jul 96 12:17 MDT
Hey, get a look at this! It didn't ask us to log in. It just says...ready!
Notice it is running Smail3.1.28.1, a program used to compose and send email.
Ohmigosh, what do we do now? Well, if you really want to look sophisticated, the next thing you do is ask callisto.unm.edu to tell you what commands you can use. In general, when you get on a strange computer, at least one of three commands will get you information: "help," "?", or "man." In this case I type in:
help
... and this is what I get
250 The following SMTP commands are recognized:
250
250    HELO hostname                   startup and give your hostname
250    MAIL FROM:<sender address>      start transaction from sender
250    RCPT TO:<recipient address>     name recipient for message
250    VRFY <address>                  verify deliverability of address
250    EXPN <address>                  expand mailing list address
250    DATA                            start text of mail message
250    RSET                            reset state, drop transaction
250    NOOP                            do nothing
250    DEBUG [level]                   set debugging level, default 1
250    HELP                            produce this help message
250    QUIT                            close SMTP connection
250
250 The normal sequence of events in sending a message is to state the
250 sender address with a MAIL FROM command, give the recipients with
250 as many RCPT TO commands as are required (one address per command)
250 and then to specify the mail message text after the DATA command.
250 Multiple messages may be specified. End the last one with a QUIT.
Getting this list of commands is pretty nifty. It makes you look really kewl because you know how to get the computer to tell you how to hack it. And it means that all you have to memorize is the "telnet <hostname> 25 " and "help" commands. For the rest, you can simply check up on the commands while on-line. So even if your memory is as bad as mine, you really can learn and memorize this hack in only half an hour. Heck, maybe half a minute.
OK, so what do we do with these commands? Yup, you figured it out, this is a very, very primitive email program. And guess why you can get on it without logging in? Guess why it was the point of vulnerability that allowed Robert Morris to crash the Internet?
Port 25 moves email from one node to the next across the Internet. It automatically takes incoming email and if the email doesn't belong to someone with an email address on that computer, it sends it on to the next computer on the net, eventually to wend its way to the person to whom this email belongs.
Sometimes email will go directly from sender to recipient, but if you email to someone far away, email may go through several computers.
There are millions of computers on the Internet that forward email. And you can get access to almost any one of these computers without a password! Furthermore, as you will soon learn, it is easy to get the Internet addresses of these millions of computers.
Some of these computers have very good security, making it hard to have serious fun with them. But others have very little security. One of the joys of hacking is exploring these computers to find ones that suit one's fancy.
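The command sequence the HELP text lays out (HELO, MAIL FROM, RCPT TO, DATA, QUIT) is easy to follow in a toy receiver. What follows is an added example, not code from this column and not smail or sendmail: a small Python state machine that accepts that sequence, takes the envelope sender on faith exactly as the real daemons above do, and stamps a Received: header with the address the connection actually came from. The host names and the IP address in run_forged_session are ones this column uses; the sender and recipient addresses, the pairing of that IP with plato.nmia.com, and the timestamp are constructed for the example.

```python
import re

# Fixed timestamp so the example is reproducible (a real MTA reads the clock).
STAMP = "Fri, 12 Jul 1996 12:18:00 +0000"


class SmtpSession:
    """One inbound SMTP connection.  peer_ip and peer_name are what the socket
    layer and reverse DNS report; the client cannot change them, whatever its
    HELO and MAIL FROM lines claim."""

    def __init__(self, hostname, peer_ip, peer_name="unknown"):
        self.hostname = hostname
        self.peer_ip = peer_ip
        self.peer_name = peer_name
        self.helo = None
        self.sender = None
        self.recipients = []
        self.in_data = False
        self.body = []
        self.delivered = []   # messages accepted on this connection
        self.closed = False

    def greeting(self):
        return f"220 {self.hostname} SMTP ready at {STAMP}"

    def feed(self, line):
        """Handle one client line; return the reply (None while inside DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self._deliver()
                return "250 Message accepted for delivery"
            # Dot-stuffing: a body line that starts with "." arrives as "..".
            self.body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.strip().partition(" ")
        verb, arg = verb.upper(), arg.strip()
        if verb == "HELO":
            if not arg:
                return "501 HELO requires domain name"
            self.helo = arg          # recorded, never verified
            return f"250 {self.hostname} Hello {arg} [{self.peer_ip}], pleased to meet you"
        if verb == "MAIL":
            m = re.match(r"FROM:\s*<?([^<>\s]*)>?$", arg, re.I)
            if not m:
                return "501 Syntax: MAIL FROM:<address>"
            self.sender, self.recipients = m.group(1), []   # taken on faith
            return f"250 {self.sender}... Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command"
            m = re.match(r"TO:\s*<?([^<>\s]+)>?$", arg, re.I)
            if not m:
                return "501 Syntax: RCPT TO:<address>"
            self.recipients.append(m.group(1))
            return f"250 {m.group(1)}... Recipient ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT (recipient)"
            self.in_data, self.body = True, []
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "RSET":
            self.sender, self.recipients = None, []
            return "250 Reset state"
        if verb == "NOOP":
            return "250 OK"
        if verb == "HELP":
            return "214 Commands: HELO MAIL RCPT DATA RSET NOOP HELP QUIT"
        if verb == "QUIT":
            self.closed = True
            return f"221 {self.hostname} closing connection"
        return "500 Command unrecognized"

    def _deliver(self):
        # The trace header puts the claimed HELO name next to the observed
        # peer; that pairing is what a reader of the headers checks later.
        received = (f"Received: from {self.helo or 'unknown'} "
                    f"({self.peer_name} [{self.peer_ip}]) by {self.hostname} "
                    f"with SMTP; {STAMP}")
        self.delivered.append({
            "envelope_from": self.sender,
            "recipients": list(self.recipients),
            "headers": [f"Return-Path: <{self.sender}>", received],
            "body": "\n".join(self.body),
        })
        self.sender, self.recipients = None, []


def run_forged_session():
    """Replay a session like the ones in the column: the client claims to be
    Santa, the server records where the connection really came from.
    Addresses and the IP/host pairing are constructed for the example."""
    s = SmtpSession("callisto.unm.edu", "198.59.166.165", "plato.nmia.com")
    transcript = [("", s.greeting())]
    for line in ["helo north.pole.org", "mail from:<santa@north.pole.org>",
                 "rcpt to:<recipient@example.net>", "data", "It works!!!",
                 ".", "quit"]:
        transcript.append((line, s.feed(line)))
    return transcript, s.delivered[0]


if __name__ == "__main__":
    transcript, message = run_forged_session()
    for sent, reply in transcript:
        print(f"> {sent}" if sent else "", reply or "", sep="\n" if sent else "")
    print("\n".join(message["headers"]))
```

Everything the client typed is accepted, which is the point of the column; but the second header line shows the daemon's own view of the connection, and that is what the later sections on reading headers rely on.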
OK, so now that we are in Morris Worm country, what can we do with it?
********************************
Evil Genius note: Morris used the DEBUG command. Don't try
this at home. Nowadays if you find a program running on port 25 with the
DEBUG command, it is probably a trap. Trust me.
********************************
Well, here's what I did. (My commands have no number in front of them, whereas the computers responses are prefixed by numbers.)
helo [email protected]
250 callisto.unm.edu Hello [email protected]
mail from:[email protected]
250 <[email protected]> ... Sender Okay
rcpt to:[email protected]
250 <[email protected]> ... Recipient Okay
data
354 Enter mail, end with "." on a line by itself
It works!!!
.
250 Mail accepted
What happened here is that I sent some fake email to myself. Now let's take a look at what I got in my mailbox, showing the complete header:
Here's what I saw using the free version of Eudora:
X-POP3-Rcpt: cmeinel@socrates
This line tells us that X-POP3 is the program of my ISP that received my email, and that my incoming email is handled by the computer Socrates.
*****************************
Evil Genius Tip: email which comes into your email reading program is handled
by port 110. Try telnetting there someday. But usually POP, the program running
on 110, won't give you help with its commands and boots you off the
minute you make a misstep.
*****************************
Return-Path: <[email protected]>
This line above is my fake email address.
Apparently-From: [email protected]
Date: Fri, 12 Jul 96 12:18 MDT
But note that the header lines above say "Apparently-From." This is important because it alerts me to the fact that this is fake mail.
Apparently-To: [email protected]
X-Status:
It works!!!
Now here is an interesting fact. Different email reading programs show different headers. So how good your fake email is depends in part on what email program is used to read it. Here's what Pine, an email program that runs on Unix systems, shows with this same email:
Return-Path: <[email protected]>
Received: from callisto.unm.edu by nmia.com with smtp (Linux Smail3.1.28.1 #4) id m0uemp4-000LFGC; Fri, 12 Jul 96 12:20 MDT
This identifies the computer on which I ran the smail program. It also tells what version of the smail program was running.
Apparently-From: [email protected]
And here is the "apparently-from" message again. So both Pine and Eudora show this is fake mail.
Received: from [email protected] by callisto.unm.edu with smtp (Smail3.1.28.1 #41) id m0uemnL-0000HFC; Fri, 12 Jul 96 12:18 MDT
Message-Id: <m0uemnL-[email protected]>
Oh, oh! Not only does it show that it may be fake mail -- it has a message ID! This means that somewhere on Callisto there will be a log of message IDs telling who has used port 25 and the smail program. You see, every time someone logs on to port 25 on that computer, their email address is left behind on the log along with that message ID.
Date: Fri, 12 Jul 96 12:18 MDT
Apparently-From: [email protected]
Apparently-To: [email protected]
It works!!!
If someone were to use this email program to do a dastardly deed, that message ID is what will put the narcs on his or her tail. So if you want to fake email, it is harder to get away with it if you send it to someone using Pine than if they use the free version of Eudora. (You can tell what email program a person uses by looking at the header of their email.)
But -- the email programs on port 25 of many Internet hosts are not as well defended as callisto.unm.edu. Some are better defended, and some are not defended at all. In fact, it is possible that some may not even keep a log of users of port 25, making them perfect for criminal email forgery.
So just because you get email with perfect-looking headers doesn't mean it is genuine. You need some sort of encrypted verification scheme to be almost certain email is genuine.
******************************************
You can go to jail note: If you are contemplating using fake email to commit
a crime, think again. If you are reading this you don't know enough
to forge email well enough to elude arrest.
*******************************************
Here is an example of a different email program, sendmail. This will give you an idea of the small variations you'll run into with this hack.
Here's my command:
telnet ns.Interlink.Net 25
The computer answers:
Trying 198.168.73.8...
Connected to NS.INTERLINK.NET.
Escape character is '^]'.
220 InterLink.NET Sendmail AIX 3.2/UCB 5.64/4.03 ready at Fri, 12 Jul 1996 15:45
T>
@north.pole.org
And it responds:
250 InterLink.NET Hello [email protected] (plato.nmia.com)
Oh, oh! This sendmail version isn't fooled at all! See how it puts "(plato.nmia.com)" -- the computer I was using for this hack -- in there just to let me know it knows from what computer I've telnetted? But what the heck, all Internet hosts know that kind of info. I'll just bull ahead and send fake mail anyhow. Again, my input has no numbers in front, while the responses of the computer are prefaced by the number 250:
mail from:[email protected]
250 [email protected]... Sender is valid.
rcpt to:[email protected]
250 [email protected]... Recipient is valid.
data
354 Enter mail. End with the . character on a line by itself.
It works!
.
250 Ok
quit
221 InterLink.NET: closing the connection.
OK, what kind of email did that computer generate? Here's what I saw using Pine:
Return-Path: <[email protected]>
Received: from InterLink.NET by nmia.com with smtp (Linux Smail3.1.28.1 #4) id m0ueo7t-000LEKC; Fri, 12 Jul 96 13:43 MDT
Received: from plato.nmia.com by InterLink.NET (AIX 3.2/UCB 5.64/4.03) id AA23900; Fri, 12 Jul 1996 15:43:20 -0400
Oops. Here the InterLink.NET computer has revealed the computer I was on when I telnetted to its port 25. However, many people use that Internet host computer.
Date: Fri, 12 Jul 1996 15:43:20 -0400
From: [email protected]
Message-Id: <[email protected]>
Apparently-To: [email protected]
It worked!
OK, here it doesn't say "Apparently-From," so now I know the computer ns.Interlink.Net is a pretty good one to send fake mail from. An experienced email aficionado would know from the Received: line that this is fake mail. But its phoniness doesn't just jump out at you.
I'm going to try another computer. Hmmm, the University of California at Berkeley is renowned for its computer sciences research. I wonder what their hosts are like? Having first looked up the numerical Internet address of one of their machines, I give the command:
telnet 128.32.152.164 25
It responds with:
Trying 128.32.152.164...
Connected to 128.32.152.164.
Escape character is '^]'.
220 remarque.berkeley.edu ESMTP Sendmail 8.7.3/1.31 ready at Thu, 11 Jul 1996 12
help
214 This is Sendmail version 8.7.3
214 Commands:
214     HELO    EHLO    MAIL    RCPT    DATA
214     RSET    NOOP    QUIT    HELP    VRFY
214     EXPN    VERB
214 For more info use "HELP <topic>".
214 To report bugs in the implementation send email to
214 [email protected].
214 For local information send email to Postmaster at your site.
214 End of HELP info
Oh, boy, a slightly different sendmail program! I wonder what more it will tell me about these commands?
HELP mail
214 MAIL FROM: <sender>
214 Specifies the sender.
214 End of HELP info
Big f***ing deal! Oh, well, let's see what this computer (which we now know is named remarque) will do to fake mail.
MAIL FROM:[email protected]
250 [email protected]... Sender ok
Heyyy... this is interesting ... I didn't say "helo" and this sendmail program didn't slap me on the wrist! Wonder what that means...
RCPT TO:[email protected]
250 Recipient ok
DATA
354 Enter mail, end with "." on a line by itself
This is fake mail on a Berkeley computer for which I do not have a password.
.
250 MAA23472 Message accepted for delivery
quit
221 remarque.berkeley.edu closing connection
Now we go to Pine and see what the header looks like:
Return-Path: <[email protected]>
Received: from nmia.com by nmia.com with smtp (Linux Smail3.1.28.1 #4) id m0ueRnW-000LGiC; Thu, 11 Jul 96 13:53 MDT
Received: from remarque.berkeley.edu by nmia.com with smtp (Linux Smail3.1.28.1 #4) id m0ueRnV-000LGhC; Thu, 11 Jul 96 13:53 MDT
Apparently-To: <[email protected]>
Received: from merde.dis.org by remarque.berkeley.edu (8.7.3/1.31) id MAA23472; Thu, 11 Jul 1996 12:49:56 -0700 (PDT)
Look at the three Received: lines. My ISP's computer received this email not directly from remarque.berkeley.edu but from merde.dis.org, which in turn got the email from remarque.
Hey, I know who owns merde.dis.org! So the Berkeley computer forwarded this fake mail through famed computer security expert Pete Shipley's Internet host computer! Hint: the name "merde" is a joke. So is dis.org.
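To make the header reading of the last few pages repeatable, here is an added example (not the column's code, and not Pine or Eudora): a Python analyser that unfolds a raw header block, reads the Received: chain bottom-up to recover the path a message took, and reports the signs of forgery shown above: an Apparently-From line, a HELO name that differs from the host the receiving daemon actually saw, and a From: domain that never appears in the first hop. The three sample header blocks are constructed in the shapes of the callisto delivery, the atropos delivery and a genuine one; the sender, recipient and user names in them are placeholders, while the host names, IP addresses and mailer versions are the ones the column shows.

```python
import re

# Constructed header blocks in the shapes the column shows.  Addresses are
# placeholders; host names, IPs and mailer versions come from the column.
FORGED_VIA_SMAIL = """\
Return-Path: <santa@north.pole.org>
Received: from callisto.unm.edu by nmia.com with smtp
    (Linux Smail3.1.28.1 #4) id m0uemp4-000LFGC; Fri, 12 Jul 96 12:20 MDT
Apparently-From: santa@north.pole.org
Received: from santa@north.pole.org by callisto.unm.edu with smtp
    (Smail3.1.28.1 #41) id m0uemnL-0000HFC; Fri, 12 Jul 96 12:18 MDT
Date: Fri, 12 Jul 96 12:18 MDT
Apparently-To: recipient@nmia.com
"""
FORGED_VIA_SENDMAIL = """\
Return-Path: <santa@north.pole.org>
Received: from atropos.c2.org by nmia.com with smtp
    (Linux Smail3.1.28.1 #4) id m0ueqxh-000LD9C; Fri, 12 Jul 96 16:45 MDT
Apparently-To: <recipient@nmia.com>
Received: from north.pole.org (user@satan.unm.edu [198.59.166.165])
    by atropos.c2.org (8.7.4/CSUA) with SMTP id PAA13437; Fri, 12 Jul 1996 15:44:37 -0700 (PDT)
Date: Fri, 12 Jul 1996 15:44:37 -0700 (PDT)
From: santa@north.pole.org
"""
GENUINE = """\
Return-Path: <alice@unm.edu>
Received: from callisto.unm.edu (alice@callisto.unm.edu [129.24.96.10])
    by nmia.com with SMTP id m0ueq00-000LD0C; Fri, 12 Jul 96 17:02 MDT
Date: Fri, 12 Jul 96 17:01 MDT
From: alice@unm.edu
To: recipient@nmia.com
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<claimed>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>[\w.-]+)", re.I)
PEER_RE = re.compile(r"(?:[\w.-]+@)?(?P<rdns>[\w.-]+)\s*\[(?P<ip>[\d.]+)\]")


def unfold(raw):
    """Turn a raw header block into (name, value) pairs, joining folded lines."""
    headers = []
    for line in raw.splitlines():
        if not line.strip():
            break                      # blank line ends the headers
        if line[0] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip(), value.strip()))
    return headers


def parse_received(value):
    """Pull the claimed HELO name, the observed peer and the receiving host."""
    m = RECEIVED_RE.search(value)
    if not m:
        return None
    hop = {"claimed": m.group("claimed"), "by": m.group("by"),
           "actual": None, "ip": None}
    paren = (m.group("paren") or "").strip()
    pm = PEER_RE.search(paren)
    if pm:
        hop["actual"], hop["ip"] = pm.group("rdns"), pm.group("ip")
    elif re.fullmatch(r"[\w.-]+", paren):
        hop["actual"] = paren          # older sendmail: just "(plato.nmia.com)"
    return hop


def trace(raw):
    """Received: hops in transit order; the bottom line is the first hop."""
    hops = [parse_received(v) for n, v in unfold(raw) if n.lower() == "received"]
    return [h for h in reversed(hops) if h]


def _host_of(addr):
    return addr.strip("<> ").rsplit("@", 1)[-1].lower()


def _in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def forgery_indicators(raw):
    """Return the reasons a header block looks forged (empty list if none)."""
    names = {n.lower(): v for n, v in unfold(raw)}
    hits = []
    if "apparently-from" in names:
        hits.append("Apparently-From: the MTA could not verify the sender")
    hops = trace(raw)
    if not hops:
        return hits + ["no Received: trace at all"]
    first = hops[0]
    if first["actual"] and _host_of(first["claimed"]) != first["actual"].lower():
        hits.append(f"HELO name {first['claimed']} does not match connecting "
                    f"host {first['actual']} [{first['ip']}]")
    sender = names.get("from") or names.get("apparently-from")
    if sender:
        domain = _host_of(sender)
        origin = (first["actual"] or _host_of(first["claimed"])).lower()
        if not _in_domain(origin, domain):
            hits.append(f"From: domain {domain} does not match first hop {origin}")
    return hits


if __name__ == "__main__":
    for label, block in [("smail", FORGED_VIA_SMAIL), ("sendmail", FORGED_VIA_SENDMAIL),
                         ("genuine", GENUINE)]:
        path = " -> ".join(h["actual"] or h["claimed"] for h in trace(block))
        print(label, "|", path, "|", forgery_indicators(block) or "clean")
```

The smail block is caught only by its Apparently-From line, because smail did not record the peer; the sendmail block has no such line but records the real host and IP, so the HELO mismatch and the From: domain mismatch both show. Real mail adds Received: lines on top, so reading the chain from the bottom is what recovers the first hop.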
Now let's see what email from remarque looks like. Let's use Pine again:
Date: Thu, 11 Jul 1996 12:49:56 -0700 (PDT)
From: [email protected]
Message-Id: <[email protected]>
This is fake mail on a Berkeley computer for which I do not have a password.
Hey, this is pretty kewl. It doesn't warn that the Santa address is phony! Even better, it keeps secret the name of the originating computer: plato.nmia.com. Thus remarque.berkeley.edu was a really good computer from which to send fake mail. (Note: last time I checked, they had fixed remarque, so don't bother telnetting there.)
But not all sendmail programs are so friendly to fake mail. Check out the email I created from atropos.c2.org!
telnet atropos.c2.org 25
Trying 140.174.185.14...
Connected to atropos.c2.org.
Escape character is '^]'.
220 atropos.c2.org ESMTP Sendmail 8.7.4/CSUA ready at Fri, 12 Jul 1996 15:41:33
help
502 Sendmail 8.7.4 HELP not implemented
Gee, you're pretty snippy today, aren't you... What the heck, let's plow ahead anyhow...
helo [email protected]
501 Invalid domain name
Hey, what's it to you, buddy? Other sendmail programs don't give a darn what name I use with "helo." OK, OK, I'll give you a valid domain name. But not a valid user name!
helo [email protected]
250 atropos.c2.org Hello [email protected] [198.59.166.165],
pleased to meet you
Verrrry funny, pal. I'll just bet you're pleased to meet me. Why the #%&@ did you demand a valid domain name when you knew who I was all along?
mail from:[email protected]
250 [email protected]... Sender ok
rcpt to: [email protected]
250 Recipient ok
data
354 Enter mail, end with "." on a line by itself
Oh, crap!
.
250 PAA13437 Message accepted for delivery
quit
221 atropos.c2.org closing connection
OK, what kind of email did that obnoxious little sendmail program generate? I rush over to Pine and take a look:
Return-Path: <[email protected]>
Well, how very nice to allow me to use my fake address.
Received: from atropos.c2.org by nmia.com with smtp (Linux Smail3.1.28.1 #4) id m0ueqxh-000LD9C; Fri, 12 Jul 96 16:45 MDT
Apparently-To: <[email protected]>
Received: from satan.unm.edu ([email protected] [198.59.166.165])
Oh, how truly special! Not only did the computer atropos.c2.org blab out my true identity, it also revealed that satan.unm.edu thing. Grump... that will teach me.
by atropos.c2.org (8.7.4/CSUA) with SMTP id PAA13437 for [email protected]; Fri, 12 Jul 1996 15:44:37 -0700 (PDT)
Date: Fri, 12 Jul 1996 15:44:37 -0700 (PDT)
From: [email protected]
Message-Id: <[email protected]>
Oh, crap!
So, the moral of that little hack is that there are lots of different email programs floating around on port 25 of Internet hosts. So if you want to have fun with them, it's a good idea to check them out first before you use them to show off with.
_________________________________________________________
Want to share some kewl stuph? Tell me I'm terrific? Correct errors
in this tutorial? Flame me? For the first three, you may email me at
[email protected]. Please direct flames to dev/[email protected].
Happy hacking! Copyright 1997 Carolyn P. Meinel. You may forward the GUIDE
TO (mostly) HARMLESS HACKING as long as you leave this notice at the end.
To subscribe, email [email protected] with message "subscribe hacker
<[email protected]>" substituting your real email address for
Joe Blow's.
________________________________________________________
_______________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 1 Number 3
Written by outburn
How finger can be used to crack into an Internet host.
_______________________________________________________
Before you get too excited over learning how finger can be used to crack an Internet host, will all you law enforcement folks out there please relax. I'm not giving step-by-step instructions. I'm certainly not handing out code from those publicly available canned cracking tools that any newbie could use to gain illegal access to some hosts.
What you are about to read are some basic principles and techniques behind cracking with finger. In fact, some of these techniques are fun and legal as long as they aren't taken too far. And they might tell you a thing or two about how to make your Internet hosts more secure.
You could also use this information to become a cracker. Your choice. Just keep in mind what it would be like to be the girlfriend of a cell mate named Spike.
*********************************
Newbie note #1: Many people assume hacking and cracking
are synonymous. But cracking is gaining illegal entry into a
computer. Hacking is the entire universe of kewl stuff one can
do with computers, often without breaking the law or causing harm.
*********************************
What is finger? It is a program which runs on port 79 of many Internet host computers. It is normally used to provide information on people who are users of a given computer.
For review, let's consider the virtuous but boring way to give your host computer the finger command:
finger [email protected]
This causes your computer to telnet to port 79 on the host boring.ISP.net. It gets whatever is in the .plan and .project files for Joe Blow and displays them on your computer screen.
But the Happy Hacker way is to first telnet to boring.ISP.net port 79, from which we can then run its finger program:
telnet boring.ISP.net 79
If you are a good Internet citizen you would then give the command:
Joe_Blow
or maybe the command:
finger Joe_Blow
This should give you the same results as just staying on your own computer and giving the command finger [email protected].
But for a cracker, there are lots and lots of other things to try after gaining control of the finger program of boring.ISP.net by telnetting to port 79.
Ah, but I don't teach how to do felonies. So we will just cover general principles of how finger is commonly used to crack into boring.ISP.net. You will also learn some perfectly legal things you can try to get finger to do.
For example, some finger programs will respond to the command:
finger @boring.ISP.net
If you should happen to find a finger program old enough or trusting enough to accept this command, you might get something back like:
[boring.ISP.net]
Login     Name            TTY  Idle  When       Where
happy     Prof. Foobar    co   1d    Wed 08:00  boring.ISP.net
This tells you that only one guy is logged on, and he's doing nothing. This means that if someone should manage to break in, no one is likely to notice -- at least not right away.
Another command to which a finger port might respond is simply:
finger
On a BSD-style daemon that is really a lookup of a user named finger; what produces the list of users is an empty line, i.e. just pressing enter. If this works, it lists the users who are logged in at that moment (not every account on the host; there is no finger request for that). These user names can then be used to crack a password or two.
Sometimes a system will have no restrictions on how lame a password can be. Common lame password habits are to use no password at all, the same password as the user name, the user's first or last name, and guest. If these don't work for the cracker, there are widely circulated programs (dictionary crackers) which try every word of the dictionary and every name in the typical phone book.
********************************
Newbie Note #2: Is your password easy to crack? If you have a shell account,
you may change it with the command:
passwd
Choose a password that isn't in the dictionary or phone book, is at least 6 characters long, and includes some characters that are not letters of the alphabet. A password that is found in the dictionary but has one extra character is *not* a good password.
********************************
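To make the cracker's checklist concrete, here is an added example (mine, not from the column) that tests a candidate password against exactly the guesses listed above: the empty password, the user name, the user's own name, guest, dictionary words and names, and a word with one character bolted on. The word and name lists are constructed stand-ins; for real use load /usr/share/dict/words and a names file.

```python
"""Flag the password habits the column calls lame (added example).

weak_reasons() runs the cracker's cheap guesses against a candidate:
no password, the user name, the user's own name, "guest", every
dictionary word and name, and those words with one extra character
at either end. It also applies the column's two rules of thumb (at
least six characters, not letters only). guess_order() is the same
list as a cracker would walk it, cheapest guesses first.
"""
# Constructed stand-ins for a dictionary and a phone book.
WORDS = {"secret", "password", "welcome", "hacker", "finger", "telnet",
         "boring", "happy", "computer", "login"}
NAMES = {"joe", "blow", "carolyn", "fred", "anne"}


def weak_reasons(password: str, username: str = "", realname: str = "",
                 words=WORDS, names=NAMES) -> list:
    """Every reason the password would fall to the guesses above; [] means it survived them."""
    if not password:
        return ["no password at all"]
    pw = password.lower()
    reasons = []
    if len(password) < 6:
        reasons.append("shorter than 6 characters")
    if password.isalpha():
        reasons.append("letters only")
    if username and pw == username.lower():
        reasons.append("same as user name")
    if pw in (part.lower() for part in realname.split()):
        reasons.append("user's own name")
    if pw == "guest":
        reasons.append("the word guest")
    lists = words | names
    if pw in lists:
        reasons.append("dictionary word or name")
    elif pw[:-1] in lists or pw[1:] in lists:
        # the column's warning case: a known word with one character bolted on
        reasons.append("dictionary word or name plus one character")
    return reasons


def guess_order(username: str, realname: str, words=WORDS, names=NAMES):
    """The order a dictionary cracker tries guesses in, cheapest first (a generator)."""
    yield ""
    yield username
    for part in realname.split():
        yield part.lower()
    yield "guest"
    for word in sorted(words | names):
        yield word
    for word in sorted(words | names):
        for extra in "0123456789":
            yield word + extra
```

weak_reasons("secret1", "jblow", "Joe Blow") comes back with the plus-one-character reason even though "secret1" is seven characters and mixes letters and digits, which is the point of the note above: the rules of thumb are necessary, not sufficient, and the test that matters is whether the password sits anywhere in guess_order().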
Other commands which may sometimes get a response out of finger include:
finger @
finger 0
finger root
finger bin
finger ftp
finger system
finger guest
finger demo
finger manager
Or, even just hitting <enter> once you are into port 79 may give you something interesting (that empty line is the request for the list of logged-in users).
There are plenty of other commands that may or may not work. But most commands on most finger programs will give you nothing, because most system administrators don't want to ladle out lots of information to the casual visitor. In fact, a really cautious sysadmin will disable finger entirely, so a connection to port 79 of such a computer is simply refused.
However, none of these commands I have shown you will give you root access. They provide information only.
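Here is what that exchange looks like in code, as an added example written for this edition rather than anything from the original column: a model of the daemon's side of the finger protocol (RFC 1288) and a small client for the other side. The user table, login list and plan texts are constructed sample data, and the way a multi-word line is split into several lookups follows BSD fingerd, which hands the request line to finger(1) as arguments; daemons differ, so treat that as an assumption.

```python
"""Minimal RFC 1288 finger handling, client and server side (added example).

handle_request() models what a finger daemon does with the one line a
client sends to TCP port 79: an empty line lists who is logged in,
"name" looks a user up, "/W name" asks for the long form, and a target
containing "@" is a forwarding request, which a cautious daemon
refuses. finger_query() is the client side and needs a network; the
user table and login list are constructed sample data.
"""
import socket

MAX_LINE = 512          # RFC 1288 sets no limit; a daemon must pick one and enforce it

# Constructed stand-ins for /etc/passwd, utmp and ~/.plan
USERS = {
    "happy":    {"name": "Prof. Foobar", "plan": "Grading papers."},
    "Joe_Blow": {"name": "Joe Blow",     "plan": "Out to lunch."},
}
LOGGED_IN = [           # (login, tty, idle, when, where)
    ("happy", "co", "1d", "Wed 08:00", "boring.ISP.net"),
]


def parse_request(raw: bytes):
    """Split one request line into (verbose, target); raises ValueError on junk.

    Overlong lines and control characters are rejected before anything is
    copied anywhere, which is the check the historical daemons lacked."""
    if len(raw) > MAX_LINE:
        raise ValueError("request line too long")
    line = raw.rstrip(b"\r\n")
    if any(b < 0x20 or b == 0x7F for b in line):
        raise ValueError("control character in request")
    text = line.decode("ascii")          # UnicodeDecodeError is a ValueError
    verbose = text.startswith("/W")
    if verbose:
        text = text[2:]
    return verbose, text.strip()


def format_listing(entries) -> str:
    """Reply to the empty query: who is logged in *now*, not every account."""
    lines = [f"{'Login':<10}{'Name':<16}{'TTY':<5}{'Idle':<6}{'When':<11}Where"]
    for login, tty, idle, when, where in entries:
        name = USERS.get(login, {}).get("name", "")
        lines.append(f"{login:<10}{name:<16}{tty:<5}{idle:<6}{when:<11}{where}")
    return "\r\n".join(lines) + "\r\n"


def format_user(login: str, verbose: bool) -> str:
    """One user's entry; the long form (/W) adds the .plan."""
    info = USERS.get(login)
    if info is None:
        return f"finger: {login}: no such user.\r\n"
    out = f"Login: {login:<24}Name: {info['name']}\r\n"
    if verbose:
        out += "Plan:\r\n" + info["plan"] + "\r\n"
    return out


def handle_request(raw: bytes, forward=None) -> str:
    """Server side: one request line in, the text the client would see out."""
    try:
        verbose, target = parse_request(raw)
    except ValueError:
        return "Bad request.\r\n"
    if "@" in target:
        # "user@host" or "@host": forward the query to host on the client's
        # behalf. Refused unless the caller supplies a forwarder; an open
        # forwarder hands out other sites' login lists to anyone who asks.
        if forward is None:
            return "finger: forwarding service denied\r\n"
        user, _, host = target.rpartition("@")
        return forward(host, user)
    if target == "":
        return format_listing(LOGGED_IN)
    # BSD fingerd passes the line to finger(1) as arguments, so a client that
    # types "finger Joe_Blow" asks about two names, "finger" and "Joe_Blow".
    return "".join(format_user(name, verbose) for name in target.split())


def finger_query(host: str, query: str = "", port: int = 79, timeout: float = 10.0) -> str:
    """Client side: send query ("", "Joe_Blow", "/W Joe_Blow", ...) and return the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("latin-1")
```

handle_request() can be exercised offline with the request lines from the text (an empty line, Joe_Blow, /W Joe_Blow, @boring.ISP.net, ///*^S); finger_query("boring.ISP.net", "Joe_Blow") is the telnet session above done in one call. The daemon side never copies the request line into a fixed buffer: anything over MAX_LINE or containing a control character is refused before any lookup happens, which is the whole difference between a crash and a Bad request reply.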
************************
Newbie note #3: Root! It is the Valhalla of the hard-core cracker.
Root is the account on a multi-user computer which allows you
to play god. It is the account from which you can enter and use any other
account, read and modify any file, run any program. With root access, you
can completely destroy all data on boring.ISP.net. (I am *not* suggesting
that you do so!)
*************************
It is legal to ask the finger program of boring.ISP.net just about anything you want. The worst that can happen is that the program will crash.
Crash... what happens if finger crashes?
Let's think about what finger actually does. It's the first program you meet when you telnet to boring.ISP.net's port 79, and to answer you it has to read files (.plan, .project) out of any user's home directory you care to name, so on most systems the daemon runs as root.
That means finger can look in any account.
That means that if a malformed request makes it crash, the bug that crashed it may also let a carefully built request run the attacker's code with root privileges. (The classic case, an unchecked copy of the request line into a fixed-size buffer in fingerd, is the hole the 1988 Internet worm used.)
Please, if you should happen to gain root access to someone else's host, leave that computer immediately! You'd better also have a good excuse for your systems administrator and the cops if you should get caught!
If you were to make finger crash by giving it some command like ///*^S, you might have a hard time claiming that you were innocently seeking publicly available information.
*****************
YOU CAN GO TO JAIL TIP #1: Getting into a part of a computer that is not
open to the public is illegal. In addition, if you use the phone lines or
Internet across a US state line to break into a non-public part of a computer,
you have committed a Federal felony. You dont have to cause any harm
at all -- its still illegal. Even if you just gain root access and
immediately break off your connection -- its still illegal.
***************
Truly elite types will crack into a root account from finger and just leave immediately. They say the real rush of cracking comes from being *able* to do anything to boring.ISP.net -- but refusing the temptation.
The elite of the elite do more than just refrain from taking advantage of the systems they penetrate. They inform the systems administrator that they have cracked his or her computer, and leave an explanation of how to fix the security hole.
************************************
YOU CAN GO TO JAIL TIP #2: When you break into a computer, the headers on
the packets that carry your commands tell the sysadmin of your target who
you are. If you are reading this column you don't know enough to cover
your tracks. Tell temptation to take a hike!
************************************
Ah, but what are your chances of gaining root through finger? Haven't zillions of hackers found all the crashable stuph? Doesn't that suggest that finger programs running on the Internet today are all fixed so you can't get root access through them any more?
No.
The bottom line is that any systems administrator who leaves the finger service running on his/her system is taking a major risk. If you are the user of an ISP that allows finger, ask yourself this question: is using it to advertise your existence across the Internet worth the risk?
OK, I'm signing off for this column. I look forward to your contributions to this list. Happy hacking -- and don't get busted!
__________________________________________________________________
Want to share some kewl stuph? Tell me I'm terrific? Flame me? For the first two, I'm at [email protected]. Please direct flames to dev/[email protected]. Happy hacking!
_______________________________________________________
Copyright 1996 Carolyn P. Meinel. You may forward the GUIDE TO (mostly) HARMLESS
HACKING as long as you leave this notice at the end. To subscribe, email
[email protected] with message "subscribe hacker
<[email protected]>" substituting your real email address for
Joe Blow's.
___________________________________________________________________
_______________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 1 Number 4
Written by outburn
It's vigilante phun day! How to get Usenet spammers kicked off their ISPs.
_______________________________________________________
How do you like it when your sober news groups get hit with 900 number sex ads and Make Money Fast pyramid schemes? If no one ever made those guys pay for their effrontery, soon Usenet would be inundated with crud.
It's really tempting, isn't it, to use our hacking knowledge to blow these guys to kingdom come. But many times that's like using an atomic bomb to kill an ant. Why risk going to jail when there are legal ways to keep these vermin of the Internet on the run?
This issue of Happy Hacker will show you some ways to fight Usenet spam.
Spammers rely on forged email and Usenet posts. As we learned in the second Guide to (mostly) Harmless Hacking, it is easy to fake email. Well, it's also easy to fake Usenet posts.
*****************
Newbie Note #1: Usenet is a part of the Internet consisting of the system
of on-line discussion groups called "news groups." Examples of news groups
are rec.humor, comp.misc, news.announce.newusers, sci.space.policy, and alt.sex.
There are well over 10,000 news groups. Usenet started out in 1980 as a Unix
network linking people who wanted -- you guessed it -- to talk about Unix.
Then some of the people wanted to talk about stuff like physics, space flight,
barroom humor, and sex. The rest is history.
*****************
Here's a quick summary of how Usenet posts get forged. Once again, we use the technique of telnetting to a specific port. The NNTP port is usually open only to connections from the ISP's own customers. So you will need to telnet from your ISP shell account back into your own ISP's news server as follows:
telnet news.myISP.com nntp
where you substitute the part of your email address that follows the @ for myISP.com. You also have the choice of using 119 instead of nntp.
With my ISP I get this result:
Trying 198.59.115.25 ...
Connected to sloth.swcp.com.
Escape character is '^]'.
200 sloth.swcp.com InterNetNews NNRP server INN 1.4unoff4 05-Mar-96 ready (posting)
Now when we are suddenly in a program that we dont know too well, we ask for:
help
And we get:
100 Legal commands
authinfo user Name|pass Password|generic <prog> <args>
article [MessageID|Number]
body [MessageID|Number]
date
group newsgroup
head [MessageID|Number]
help
ihave
last
list [active|newsgroups|distributions|schema]
listgroup newsgroup
mode reader
newgroups yymmdd hhmmss ["GMT"] [<distributions>]
newnews newsgroups yymmdd hhmmss ["GMT"] [<distributions>]
next
post
slave
stat [MessageID|Number]
xgtitle [group_pattern]
xhdr header [range|MessageID]
xover [range]
xpat header range|MessageID pat [morepat...]
xpath MessageID
Report problems to <[email protected]>
Use your imagination with these commands. Also, if you want to forge posts from an ISP other than your own, keep in mind that some Internet hosts have an nntp port that requires either no password or an easily guessed one such as post. But it can be quite an effort to find an undefended nntp port. So, because you usually have to do this on your own ISP, this is much harder than email forging.
Just remember when forging Usenet posts that both faked email and faked Usenet posts can be easily detected if you know what to look for, and it is possible to tell where they were forged. Once you identify where spam really comes from, you can use the message ID to show the sysadmin whom to kick out.
Normally you wont be able to learn the identity of the culprit yourself. But you can get their ISPs to cancel their accounts!
Sure, these Spam King types often resurface with yet another gullible ISP. But they are always on the run. And, hey, when was the last time you got a Crazy Kevin Amazing Free Offer? If it weren't for us Net vigilantes, your email boxes and news groups would be constantly spambombed to kingdom come.
And -- the counter-spam technique I am about to teach you is perfectly legal! Do it and you are a certifiable Good Guy. Do it at a party and teach your friends to do it, too. We can't get too many spam vigilantes out there!
The first thing we have to do is review how to read headers of Usenet posts and email.
The header records the route that an email message or Usenet post took to reach your computer. It gives the names of the Internet hosts that were involved in the creation and transmission of the message. For a Usenet post that is the Path: line, to which every news server prepends its own name as it relays the article, so the leftmost name is your own server and the rightmost names were written by the site that accepted the post. When something has been forged, the computer names may be fake. Alternatively, the skilled forger may use the names of real hosts. But the skilled hacker can tell whether a host listed in the header was really used.
First well try an example of forged Usenet spam. A really good place to spot spam is in alt.personals. It is not nearly as well policed by anti-spam vigilantes as, say, rec.aviation.military. (People spam fighter pilots at their own risk!)
So here is a ripe example of scam spam, as shown with the Unix-based Usenet reader, tin.
Thu, 22 Aug 1996 23:01:56   alt.personals   Thread 134 of 450
Lines 110   >>>>FREE INSTANT COMPATIBILITY CHECK FOR SEL   No responses
[email protected]   glennys e clarke at OzEmail Pty Ltd - Australia
CLICK HERE FOR YOUR FREE INSTANT COMPATIBILITY CHECK!
http://www.perfect-partners.com.au
WHY SELECTIVE SINGLES CHOOSE US
At Perfect Partners (Newcastle) International we are private and
confidential. We introduce ladies and gentlemen for friendship
and marriage. With over 15 years experience, Perfect Partners is one
of the Internet's largest, most successful relationship consultants.
Of course the first thing that jumps out is their return email address. We net vigilantes used to always send a copy back to the spammer's email address.
On a well-read group like alt.personals, if only one in a hundred readers throws the spam back into the posters face, thats an avalanche of mail bombing. This avalanche immediately alerts the sysadmins of the ISP to the presence of a spammer, and good-bye spam account.
So in order to delay the inevitable vigilante response, today most spammers use fake email addresses.
But just to be sure the email address is phony, I exit tin and at the Unix prompt give the command:
whois ozemail.com.au
We get the answer:
No match for "OZEMAIL.COM.AU"
That doesn't prove anything, however, because the au at the end of the email address means it is an Australian address. The InterNIC whois server only holds the generic domains (.com, .net, .org and so on); country domains such as .com.au are registered separately, and you would have to ask that registry's own whois server.
The next step is to email something annoying to this address. A copy of the offending spam is usually annoying enough. But of course it bounces back with a no such address message.
Next I go to the advertised Web page. Lo and behold, it has an email address for this outfit, [email protected]. Why am I not surprised that it is different from the address in the alt.personals spam?
We could stop right here and spend an hour or two emailing stuff with 5 MB attachments to [email protected]. Hmmm, maybe gifs of mating hippopotami?
***************************
You can go to jail note! Mailbombing is a way to get into big trouble. According
to computer security expert Ira Winkler, "It is illegal to mail bomb
a spam. If it can be shown that you maliciously caused a financial
loss, which would include causing hours of work to recover from a spamming,
you are criminally liable. If a system is not configured properly,
and has the mail directory on the system drive, you can take out the whole
system. That makes it even more criminal."
***************************
Sigh. Since intentional mailbombing is illegal, I can't send that gif of mating hippopotami. So what I did was email one copy of that spam back to perfect.partners. Now this might seem like a wimpy retaliation. And we will shortly learn how to do much more. But even just sending one email message to these guys may become part of a tidal wave of protest that knocks them off the Internet. If only one in a thousand people who see their spam go to their Web site and email a protest, they still may get thousands of protests from every post. This high volume of email may be enough to alert their ISP's sysadmin to spamming, and good-bye spam account.
Look at what ISP owner/operator Dale Amon has to say about the power of email protest:
One doesn't have to call for a mail bomb. It just happens. Whenever I see spam, I automatically send one copy of their message back to them. I figure that thousands of others are doing the same. If they (the spammers) hide their return address, I find it and post it if I have time. I have no compunctions and no guilt over it.
Now Dale is also the owner and technical director of the largest and oldest ISP in Northern Ireland, so he knows some good ways to ferret out what ISP is harboring a spammer. And we are about to learn one of them.
Our objective is to find out who connects this outfit to the Internet, and take out that connection! Believe me, when the people who run an ISP find out one of their customers is a spammer, they usually waste no time kicking him or her out.
Our first step will be to dissect the header of this post to see how it was forged and where.
Since my newsreader (tin) doesn't have a way to show headers, I use the m command to email a copy of this post to my shell account.
It arrives a few minutes later. I open it in the email program Pine and get a richly detailed header:
Path:
sloth.swcp.com!news.ironhorse.com!news.uoregon.edu!vixen.cso.uiuc.edu!news.stealth.net!nntp04.primenet.com!nntp.primenet.com!gatech!nntp0.mindspring.com!news.mindspring.com!uunet!in2.uu.net!OzEmail!OzEmail-In!news
From: glennys e clarke <[email protected]>
NNTP-Posting-Host: 203.15.166.46
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 1.22 (Windows; I; 16bit)
The first item in this header is definitely genuine: sloth.swcp.com. It's the computer my ISP uses to host the news groups. It was the last link in the chain of computers that have passed this spam around the world.
*******************
Newbie Note #2: Internet host computers all have names which double as their
Net addresses. Sloth is the name of one of the computers owned
by the company which has the domain name swcp.com. So
sloth is kind of like the news server computers first name,
and swcp.com the second name. Sloth is also kind
of like the street address, and swcp.com kind of like the city,
state and zip code. Swcp.com is the domain name owned by Southwest
Cyberport. All host computers also have a numerical address (an IP address),
e.g. 203.15.166.46, and a single name can stand for several addresses.
*******************
Let's next do the obvious. The NNTP-Posting-Host line is written by the news server that accepted the post and records the address of the client that connected to it, so the header says this post was composed on 203.15.166.46. Let's see whether it answers on the nntp port (119):
telnet 203.15.166.46 119
We get back:
Trying 203.15.166.46 ...
telnet: connect: Connection refused
That is actually the expected result. NNTP-Posting-Host names the poster's client, typically a dial-up or desktop machine rather than a news server, so nothing need be listening on its port 119 at all. A refused connection here tells us neither that the entry is phony nor that it is genuine; what it does rule out is the idea that this address is itself a news relay.
A firewall that rejects packets from anyone but authorized users produces the same symptom. That is not common for an ISP's dial-up customers; this kind of firewall is more typically used where an internal company network meets the Internet.
Next I try to email [email protected] with a copy of the spam. But I get back:
Date: Wed, 28 Aug 1996 21:58:13 -0600
From: Mail Delivery Subsystem <[email protected]>
To: [email protected]
Subject: Returned mail: Host unknown (Name server: 203.15.166.46: host not found)
The original message was received at Wed, 28 Aug 1996 21:58:06 -0600
from cmeinel@localhost
----- The following addresses had delivery problems -----
[email protected] (unrecoverable error)
----- Transcript of session follows -----
501 [email protected]... 550 Host unknown (Name server: 203.15.166.46: host not found)
----- Original message follows -----
Return-Path: cmeinel
Received: (from cmeinel@localhost) by kitsune.swcp.com (8.6.9/8.6.9) id
So no mail can be delivered to that address either. Note what the bounce actually says, though: sendmail apparently treated the bare dotted quad as a host name and looked it up in DNS, and 203.15.166.46 is not a name. The bounce tells us nothing about whether the posting host entry is forged; it only confirms that the machine is not a mail host.
Next we check the second from the top item on the header. Because it starts with the word news, I figure it must be a computer that hosts news groups, too. So I check out its nntp port:
telnet news.ironhorse.com nntp
And the result is:
Trying 204.145.167.4 ...
Connected to boxcar.ironhorse.com.
Escape character is '^]'.
502 You have no permission to talk. Goodbye.
Connection closed by foreign host
OK, we now know that this part of the header references a real news server. Oh, yes, we have also just learned the name/address of the computer ironhorse.com uses to handle the news groups: boxcar.
I try the next item in the path:
telnet news.uoregon.edu nntp
And get:
Trying 128.223.220.25 ...
Connected to pith.uoregon.edu.
Escape character is '^]'.
502 You have no permission to talk. Goodbye.
Connection closed by foreign host.
OK, this one is a valid news server, too. Now let's jump to a hop near the far end of the Path: line, in2.uu.net. (The three entries after it, OzEmail!OzEmail-In!news, are the oldest in the Path: and were written by the site that accepted the post.)
telnet in2.uu.net nntp
We get the answer:
in2.uu.net: unknown host
There is something fishy here, or so it seems: this name does not resolve in DNS. But a Path: entry is a label each relay puts in from its own configuration, not necessarily a host name (gatech, uunet and OzEmail in this same Path: are not host names either), so a name that does not resolve is no proof of forgery. Let's check the domain name next:
whois uu.net
The result is:
UUNET Technologies, Inc. (UU-DOM)
3060 Williams Drive Ste 601
Fairfax, VA 22031
USA
Domain Name: UU.NET
Administrative Contact, Technical Contact, Zone Contact:
UUNET, AlterNet [Technical Support]
(OA12) [email protected]
+1 (800) 900-0241
Billing Contact:
Payable, Accounts (PA10-ORG) [email protected]
(703) 206-5600
Fax: (703) 641-7702
Record last updated on 23-Jul-96.
Record created on 20-May-87.
Domain servers in listed order:
NS.UU.NET
137.39.1.3
UUCP-GW-1.PA.DEC.COM 16.1.0.18
204.123.2.18
UUCP-GW-2.PA.DEC.COM 16.1.0.19
NS.EU.NET
192.16.202.11
The InterNIC Registration Services Host contains ONLY Internet Information
(Networks, ASN's, Domains, and POC's).
Please use the whois server at nic.ddn.mil for MILNET Information.
So uu.net is a real domain. Since the name in2.uu.net in the Path: does not resolve, we cannot confirm it from here; but because a Path: entry only has to be a label the relay chose for itself, that is not evidence of forgery, and uunet on the other side of it is the same network's label.
Working back up the header, then, we next try:
telnet news.mindspring.com nntp
I get:
Trying 204.180.128.185 ...
Connected to news.mindspring.com.
Escape character is '^]'.
502 You are not in my access file. Goodbye.
Connection closed by foreign host.
Interesting. I don't get a specific host name for the nntp port. What does this mean? Well, there's a way to try. Let's telnet to the port that gives the login sequence. That's port 23, but telnet automatically goes to 23 unless we tell it otherwise:
telnet news.mindspring.com
Now this is phun!
Trying 204.180.128.166 ...
telnet: connect to address 204.180.128.166: Connection refused
Trying 204.180.128.167 ...
telnet: connect to address 204.180.128.167: Connection refused
Trying 204.180.128.168 ...
telnet: connect to address 204.180.128.168: Connection refused
Trying 204.180.128.182 ...
telnet: connect to address 204.180.128.182: Connection refused
Trying 204.180.128.185 ...
telnet: connect: Connection refused
Notice how many addresses telnet tried on this command! The name news.mindspring.com stands for five hosts, and none of them takes telnet logins: a pool of machines dedicated to serving news.
That makes Mindspring a sizeable relay on this article's route, not necessarily its origin. A name that fronts five news servers is what you expect of a large ISP's feed, and the Path: shows the article passing through Mindspring on its way from uunet, not starting there. Let's do a whois command on the domain name next:
whois mindspring.com
We get:
MindSpring Enterprises, Inc. (MINDSPRING-DOM)
1430 West Peachtree Street NE
Suite 400
Atlanta, GA 30309
USA
Domain Name: MINDSPRING.COM
Administrative Contact:
Nixon, J. Fred (JFN)
[email protected]
404-815-0770
Technical Contact, Zone Contact:
Ahola, Esa (EA55)
[email protected]
(404)815-0770
Billing Contact:
Peavler, K. Anne (KAP4)
[email protected]
404-815-0770 (FAX) 404-815-8805
Record last updated on 27-Mar-96.
Record created on 21-Apr-94.
Domain servers in listed order:
CARNAC.MINDSPRING.COM 204.180.128.95
HENRI.MINDSPRING.COM
204.180.128.3
*********************
Newbie Note #3: The whois command can tell you who owns a domain name. The
domain name is the last two parts separated by a period that comes after
the @ in an email address, or the last two parts separated by
a period in a computer's name (three parts for country domains like ozemail.com.au).
*********************
So where did this post enter Usenet? Read the Path: from right to left. The oldest entries, OzEmail!OzEmail-In!news, were written by the site that accepted the post; that matches the ozemail.com.au address in the From: line and the NNTP-Posting-Host the same server recorded. Mindspring, uunet and the rest are relays that passed the article on, and a relay that looks genuine is exactly that. So the letter with a copy of this post, headers intact, should go to OzEmail's postmaster first. A copy to the technical contact that Mindspring's whois record lists is still worthwhile, because a relay can confirm from its own logs which feed handed it the article.
But personally, I would simply go to their Web site and email them a protest from there. Hmmm, maybe a 5 MB gif of mating hippos? Even if it is illegal?
But systems administrator Terry McIntyre cautions me:
One needn't toss megabyte files back ( unless, of course, one is helpfully mailing a copy of the offending piece back, just so that the poster knows what the trouble was. )
The Law of Large Numbers of Offendees works to your advantage. Spammer sends one post to reach out and touch thousands of potential customers.
Thousands of Spammees send back oh-so-polite notes about the improper behavior of the Spammer. Most Spammers get the point fairly quickly.
One note - one _wrong_ thing to do is to post to the newsgroup or list about the inappropriateness of any previous post. Always, always, use private email to make such complaints. Otherwise, the newbie inadvertently amplifies the noise level for the readers of the newsgroup or email list.
Well, the bottom line is that if I really want to pull the plug on this spammer, I would send a polite note including the Usenet post with headers intact to the postmaster at the site that accepted the post (the rightmost entries in the Path:, OzEmail here) and to the technical contact and/or postmaster at each of the valid relays I found in the header. Chances are that they will thank you for your sleuthing.
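The probing done by hand above can be automated. The following is an added example written for this edition, not a tool from the column: it parses the Path: and NNTP-Posting-Host: headers of an article, lists the relays oldest-first, and checks each dotted name on TCP port 119 the same way the telnet sessions above did. The sample article is the header quoted above (From: omitted, since its address is not recoverable from this copy); the canned probe results reproduce what the telnet sessions observed so the sample runs without a network, and the poster tags news and not-for-mail that INN appends to a Path: are an assumption about that server.

```python
"""Trace a Usenet article back along its Path: header (added example).

Each news server prepends its own name to Path: as it relays an
article, so the leftmost entry is the reader's own server and the
rightmost ones were written by the site that accepted the post.
NNTP-Posting-Host: is the address of the *client* that injected it,
recorded by that site. trace() lists the relays oldest-first and
probes the dotted names on TCP 119; pass probe= to use the offline fake.
"""
import socket

# INN ends a Path: with a tag for the poster rather than a host; these
# two are the usual ones (an assumption about that server).
POSTER_TAGS = {"news", "not-for-mail"}


def parse_headers(article: str) -> dict:
    """Header block as {lower-cased name: value}; folded continuation lines are joined."""
    headers, last = {}, None
    for line in article.splitlines():
        if not line.strip():
            break                                 # blank line ends the headers
        if line[0] in " \t" and last:
            headers[last] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers


def path_hops(path: str) -> list:
    """Path: entries oldest-first: [poster tag, injecting site, ..., my own server]."""
    return [hop for hop in reversed(path.split("!")) if hop]


def is_hostname(hop: str) -> bool:
    """Relays put a label of their own choosing in Path:; only dotted ones are worth a probe."""
    return "." in hop


def classify_greeting(banner: str) -> str:
    """What an NNTP banner says about the host (502 'no permission' still means a real server)."""
    code = banner[:3]
    if code in ("200", "201"):
        return "nntp server, posting " + ("allowed" if code == "200" else "not allowed")
    if code in ("400", "502"):
        return "nntp server, access denied to us"
    return "answered on 119 but not as NNTP"


def probe_nntp(host: str, port: int = 119, timeout: float = 5.0) -> str:
    """Connect to host:119, read the banner, hang up. Needs the network."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            banner = sock.recv(512).decode("latin-1", "replace").strip()
    except socket.gaierror:
        return "unknown host"
    except ConnectionRefusedError:
        return "connection refused"
    except OSError:
        return "no answer"
    return classify_greeting(banner)


def trace(article: str, probe=probe_nntp) -> dict:
    """Relays oldest-first with a probe result each, plus the injecting site and posting host."""
    h = parse_headers(article)
    hops = path_hops(h.get("path", ""))
    posting_host = h.get("nntp-posting-host")
    return {
        "posting_host": posting_host,
        # the poster's own machine, so "connection refused" here is the normal result
        "posting_host_probe": probe(posting_host) if posting_host else None,
        "injecting_site": next((hop for hop in hops if hop.lower() not in POSTER_TAGS), None),
        "hops": [(hop, probe(hop) if is_hostname(hop) else "label, not probed") for hop in hops],
    }


# The header quoted in the column (From: left out; its address is not
# recoverable from this copy).
SAMPLE_ARTICLE = """\
Path: sloth.swcp.com!news.ironhorse.com!news.uoregon.edu!vixen.cso.uiuc.edu!news.stealth.net!nntp04.primenet.com!nntp.primenet.com!gatech!nntp0.mindspring.com!news.mindspring.com!uunet!in2.uu.net!OzEmail!OzEmail-In!news
NNTP-Posting-Host: 203.15.166.46
Mime-Version: 1.0
Content-Type: text/plain
X-Mailer: Mozilla 1.22 (Windows; I; 16bit)

(body)
"""

# What the column's own telnet probes observed, canned so the sample runs offline.
OBSERVED = {
    "203.15.166.46":       "connection refused",
    "news.ironhorse.com":  "502 You have no permission to talk. Goodbye.",
    "news.uoregon.edu":    "502 You have no permission to talk. Goodbye.",
    "news.mindspring.com": "502 You are not in my access file. Goodbye.",
    "in2.uu.net":          "unknown host",
}


def fake_probe(host: str) -> str:
    """Offline stand-in for probe_nntp(): replay what the column saw."""
    seen = OBSERVED.get(host)
    if seen is None:
        return "not probed (no data)"
    return classify_greeting(seen) if seen[:1].isdigit() else seen
```

trace(SAMPLE_ARTICLE, probe=fake_probe) reports the injecting site as OzEmail-In and the posting host as 203.15.166.46 with a refused connection, and marks gatech, uunet, OzEmail and news as labels rather than hosts; with the default probe it does the same against live servers, which is the whole telnet session above in one run. The one result it deliberately does not draw is "forged" from "unknown host": a relay's label need not resolve.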
Heres an example of an email I got from Netcom about a spammer I helped them to track down.
From: Netcom Abuse Department <[email protected]>
Reply-To: <[email protected]>
Subject: Thank you for your report
Thank you for your report. We have informed this user of our policies, and have taken appropriate action, up to, and including cancellation of the account, depending on the particular incident. If they continue to break Netcom policies we will take further action.
The following issues have been dealt with:
[email protected] (38 addresses in the original list, all obscured in this copy)
Sorry for the length of the list.
Spencer
Abuse Investigator
___________________________________________________________________
NETCOM Online Communication Services
Abuse Issues
24-hour Support Line: 408-983-5970
[email protected]
**************
OK, I'm signing off for this column. I look forward to your contributions to this list. Happy hacking -- and don't get busted!
_______________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 1 Number 5
Written by outburn
It's vigilante phun day again! How to get email spammers kicked off their ISPs.
_______________________________________________________
So, have you been out on Usenet blasting spammers? It's phun, right?
But if you have ever done much posting to Usenet news groups, you will notice that soon after you post, you will often get spam email. This is mostly thanks to Lightning Bolt, a program written by Jeff Slayton to strip huge volumes of email addresses from Usenet posts.
Here's one I recently got:
Received: from mail.gnn.com (70.los-angeles-3.ca.dial-access.att.net [165.238.38.70]) by mail-e2b-service.gnn.com (8.7.1/8.6.9) with SMTP id BAA14636; Sat, 17 Aug 1996 01:55:06 -0400 (EDT)
Date: Sat, 17 Aug 1996 01:55:06 -0400 (EDT)
Message-Id: <[email protected]>
To:
Subject: Forever
From: [email protected]
"FREE" House and lot in "HEAVEN"
Reserve yours now, do it today,
do not wait. It is FREE
just for the asking. You receive a Personalized Deed and detailed Map to
your home in HEAVEN. Send your name and address along with a one time minimum
donation of $1.98 cash, check, or money order to
help cover s/h cost
TO: Saint
Peter's Estates
P.O. Box 9864
Bakersfield,CA
93389-9864
This is a gated community and it is "FREE".
Total satisfaction for 2 thousand years to date.
From the Gate Keeper. (PS. See you at the Pearly Gates)
GOD will Bless you.
Now it is a pretty good guess that this spam has a forged header. To identify the culprit, we employ the same command that we used with Usenet spam:
whois heaven.com
We get the answer:
Time Warner Cable Broadband Applications (HEAVEN-DOM)
2210 W. Olive Avenue
Burbank, CA 91506
Domain Name: HEAVEN.COM
Administrative Contact, Technical Contact, Zone Contact, Billing Contact:
Melo, Michael (MM428) [email protected]
(818) 295-6671
Record last updated on 02-Apr-96.
Record created on 17-Jun-93.
Domain servers in listed order:
CHEX.HEAVEN.COM 206.17.180.2
NOC.CERF.NET 192.153.156.22
From this we conclude that this is either genuine (fat chance) or a better forgery than most. So let's try to finger [email protected].
First, let's check out the return email address:
finger [email protected]
We get:
[heaven.com]
finger: heaven.com: Connection timed out
There are several possible reasons for this. One is that the systems administrator for heaven.com has disabled the finger port, or a firewall silently drops the packets (a port that was merely closed would have answered connection refused rather than timing out). Another is that heaven.com is inactive. It could be on a host computer that is turned off, or maybe just an orphan.
*********************
Newbie note: You can register domain names without setting them up on a
computer anywhere. You just pay your money and Internic, which registers
domain names, will put it aside for your use. However, if you don't get it
hosted by a computer on the Internet within a few weeks, you may lose your
registration.
*********************
We can test these hypotheses with the ping command. It sends the target an ICMP echo request and reports whether a reply comes back and how long it took, which tells you whether the computer is reachable right now and how good its connection is. (No reply does not prove the host is down: the echo packets may simply be filtered.)
Now ping, like most kewl hacker tools, can be used for either information or as a means of attack. But I am going to make you wait in dire suspense for a later Guide to (mostly) Harmless Hacking to tell you how some people use ping. Besides, yes, it would be *illegal* to use ping as a weapon.
Because of ping's potential for mayhem, your shell account may have disabled the use of ping for the casual user. For example, with my ISP I have to go to the right directory to use it. So I give the command:
/usr/etc/ping heaven.com
The result is:
heaven.com is alive
***********************
Technical Tip: On some versions of Unix,giving the command "ping" will start
your computer pinging the target over and over again without stopping. To
get out of the ping command, hold down the control key and type "c". And
be patient, next Guide to (mostly) Harmless Hacking will tell you more about
the serious hacking uses of ping.
***********************
Well, this answer means heaven.com is hooked up to the Internet right now. Does it allow logins? We test this with:
telnet heaven.com
This should get us to a screen that would ask us to give user name and password. The result is:
Trying 198.182.200.1 ...
telnet: connect: Connection timed out
OK, so nobody can reach a login prompt on heaven.com from the Internet, at least not on port 23 (a timeout, again, means nothing answered, whether because the host is down or because something drops the packets). Either way it looks an unlikely place for the author of this spam to have really sent this email from.
How about chex.heaven.com? Maybe it is the place where spam originated? I type in:
telnet chex.heaven.com 79
This is the finger port. I get:
Trying 206.17.180.2 ...
telnet: connect: Connection timed out
I then try to get a screen that would ask me to login with user name, but once again get "Connection timed out."
This strongly suggests that neither heaven.com nor chex.heaven.com is a machine people use to send email. Note, too, what the Received: line says: heaven.com appears nowhere in it, only in the From: line, which the sender types in himself. So heaven.com is not a link in the delivery chain at all; it is simply a forged From: address.
Let's look at another link on the header:
whois gnn.com
The answer is:
America Online (GNN2-DOM)
8619 Westwood Center Drive
Vienna, VA 22182
USA
Domain Name: GNN.COM
Administrative Contact:
Colella, Richard (RC1504)
[email protected]
703-453-4427
Technical Contact, Zone Contact:
Runge, Michael (MR1268) [email protected]
703-453-4420
Billing Contact:
Lyons, Marty (ML45) [email protected]
703-453-4411
Record last updated on 07-May-96.
Record created on 22-Jun-93.
Domain servers in listed order:
DNS-01.GNN.COM
204.148.98.241
DNS-AOL.ANS.NET
198.83.210.28
Whoa! GNN.com is owned by America Online. Now America Online, like Compuserve, is a computer network of its own that has gateways into the Internet. So it isn't real likely that heaven.com would be routing email through AOL, is it? It would be almost like finding a header that claims its email was routed through the wide area network of some Fortune 500 corporation. So this gives yet more evidence that heaven.com, the domain in the From: line, was forged.
What the Received: line records is more telling than who owns the domain. That line was written by gnn.com's own mail server, mail-e2b-service.gnn.com, and it says the connection came from 165.238.38.70, an address whose reverse DNS name, 70.los-angeles-3.ca.dial-access.att.net, marks it as an AT&T dial-up port; the client merely announced itself as mail.gnn.com.
In fact, it's starting to look like a good bet that our spammer is some newbie who just graduated from AOL training wheels. Having decided there is money in forging spam, he or she may have gotten a shell account offered by the AOL subsidiary, GNN. Then with a shell account he or she could get seriously into forging email.
Sounds logical, huh? Ah, but let's not jump to conclusions. This is just a hypothesis and it may be wrong. So let's check out the remaining link in this header:
whois att.net
The answer is:
AT&T EasyLink Services (ATT2-DOM)
400 Interpace Pkwy
Room B3C25
Parsippany, NJ 07054-1113
US
Domain Name: ATT.NET
Administrative Contact, Technical Contact, Zone Contact:
DNS Technical Support (DTS-ORG)
[email protected]
314-519-5708
Billing Contact:
Gardner, Pat (PG756)
[email protected]
201-331-4453
Record last updated on 27-Jun-96.
Record created on 13-Dec-93.
Domain servers in listed order:
ORCU.OR.BR.NP.ELS-GMS.ATT.NET 199.191.129.139
WYCU.WY.BR.NP.ELS-GMS.ATT.NET 199.191.128.43
OHCU.OH.MT.NP.ELS-GMS.ATT.NET 199.191.144.75
MACU.MA.MT.NP.ELS-GMS.ATT.NET 199.191.145.136
Another valid domain! So this is a reasonably ingenious forgery. The culprit could have sent email from any of heaven.com, gnn.com or att.net. We know heaven.com is highly unlikely because we can't get even the login port to work. But we still have gnn.com and att.net as suspected homes for this spammer.
The next step is to email a copy of this spam *including headers* to both [email protected] (usually a good guess for the email address of the person who takes complaints) and [email protected], who is listed by whois as the technical contact. We should also email either [email protected] (the good guess) or [email protected] (technical contact). Also email [email protected], [email protected] and [email protected] to let them know how their domain name is being used.
Presumably one of the people reading email sent to these addresses will use the email message id number to look up who forged this email. Once the culprit is discovered, he or she usually is kicked out of the ISP.
But here is a shortcut. If you have been spammed by this guy, lots of other people probably have been, too. There's a news group on the Usenet where people can exchange information on both email and Usenet spammers, news.admin.net-abuse.misc. Let's pay it a visit and see what people may have dug up on [email protected]. Sure enough, I find a post on this heaven scam:
From: [email protected] (Matt Bartley)
Newsgroups: news.admin.net-abuse.misc
Subject: junk email - Free B 4 U - [email protected]
Supersedes: <[email protected]>
Date: 15 Aug 1996 14:08:47 -0700
Organization: Interstate Electronics Corporation
Lines: 87
Message-ID: <[email protected]>
NNTP-Posting-Host: helium.iecorp.com
(snip)
No doubt a made-up From: header which happened to hit a real domain name.
Postmasters at att.net, gnn.com and heaven.com notified. gnn.com has already stated that it came from att.net, forged to look like it came from gnn. Clearly the first Received: header is inconsistent.
Now we know that if you want to complain about this spam, the best place to send a complaint is [email protected].
But how well does writing a letter of complaint actually work? I asked ISP owner Dale Amon. He replied, "From the small number of spam messages I have been seeing - given the number of generations of exponential net growth I have seen in 20 years - the system appears to be *strongly* self regulating. Government and legal systems don't work nearly so well.
"I applaud Carolyn's efforts in this area. She is absolutely right. Spammers are controlled by the market. If enough people are annoyed, they respond. If that action causes problems for an ISP it puts it in their economic interest to drop customers who cause such harm, ie the spammers. Economic interest is often a far stronger and much more effective incentive than legal requirement.
"And remember that I say this as the Technical Director of the largest ISP in Northern Ireland."
How about suing spammers? Perhaps a bunch of us could get together a class action suit and drive these guys into bankruptcy?
Systems administrator Terry McIntyre argues, "I am opposed to attempts to sue spammers. We already have a fairly decent self-policing mechanism in place.
"Considering that half of everybody on the internet are newbies (due to the 100% growth rate), I'd say that self-policing is marvelously effective.
"Invite the gov't to do our work for us, and some damn bureaucrats will write up Rules and Regulations and Penalties and all of that nonsense. We have enough of that in the world outside the 'net; let's not invite any of it to follow us onto the 'net."
So it looks like Internet professionals prefer to control spam by having net vigilantes like us track down spammers and report them to their ISPs. Sounds like phun to me! In fact, it would be fair to say that without us net vigilantes, the Internet would probably grind to a halt from the load these spammers would place on it.
OK, I'm signing off for this column. I look forward to your contributions to this list. Have some vigilante phun -- and don't get busted!
_______________________________________________________
GUIDE TO (mostly) HARMLESS HACKING
Vol. 1 Number 6
Written by outburn
It's vigilante phun day one more time! How to nuke offensive Web sites.
_______________________________________________________
How do we deal with offensive Web sites?
Remember that the Internet is voluntary. There is no law that forces an ISP to serve people they don't like. As the spam kings Jeff Slayton, Crazy Kevin, and, oh, yes, the original spam artists Cantor and Siegal have learned, life as a spammer is life on the run. The same holds for Web sites that go over the edge.
The reason I bring this up is that a Happy Hacker list member has told me he would like to vandalize kiddie porn sites. I think that is a really, really kewl idea -- except for one problem. You can get thrown in jail! I don't want the hacker tools you can pick up from public Web and ftp sites to lure anyone into getting busted. It is easy to use them to vandalize Web sites. But it is hard to use them without getting caught!
*****************
YOU CAN GO TO JAIL NOTE: Getting into a part of a computer that is not open to the public is illegal. In addition, if you use the phone lines or Internet across a US state line to break into a non-public part of a computer, you have committed a Federal felony. You don't have to cause any harm at all -- it's still illegal. Even if you just gain root access and immediately break off your connection -- it's still illegal. Even if you are doing what you see as your civic duty by vandalizing kiddie porn -- it's still illegal.
***************
Here's another problem. It took just two grouchy hacker guys to get the DC-stuff list turned off. Yes, it *will* be back, eventually. But what if the Internet were limited to carrying only stuff that was totally inoffensive to everyone? That's why it is against the law to just nuke ISPs and Web servers you don't like. Believe me, as you will soon find out, it is really easy to blow an Internet host off the Internet. It is *so* easy that doing this kind of stuph is NOT elite!
So what's the legal alternative to fighting kiddie porn? Trying to throw Web kiddie porn guys in jail doesn't always work. While there are laws against it in the US, the problem is that the Internet is global. Many countries have no laws against kiddie porn on the Internet. Even if it were illegal everywhere, in lots of countries the police only bust people in exchange for you paying a bigger bribe than the criminal pays.
*******************
They can go to jail note: In the US and many other countries, kiddie porn is illegal. If the imagery is hosted on a physical storage device within the jurisdiction of a country with laws against it, the person who puts this imagery on the storage device can go to jail. So if you know enough to help the authorities get a search warrant, by all means contact them. In the US, this would be the FBI.
*******************
But the kind of mass outrage that keeps spammers on the run can also drive kiddie porn off the Web. *We* have the power.
The key is that no one can force an ISP to carry kiddie porn -- or anything else. In fact, most human beings are so disgusted at kiddie porn that they will jump at the chance to shut it down. If the ISP is run by some pervert who wants to make money by offering kiddie porn, then you go to the next level up, to the ISP that provides connectivity for the kiddie porn ISP. There someone will be delighted to cut off the b*****ds.
So, how do you find the people who can put a Web site on the run? We start with the URL.
I am going to use a real URL. But please keep in mind that I am not saying this actually is a web address with kiddie porn. This is being used for purposes of illustration only because this URL is carried by a host with so many hackable features. It also, by at least some standards, carries X-rated material. So visit it at your own risk.
http://www.phreak.org
Now lets say someone just told you this was a kiddie porn site. Do you just launch an attack? No.
This is how hacker wars start. What if phreak.org is actually a nice guy place? Even if they did once display kiddie porn, perhaps they have repented. Not wanting to get caught acting on a stupid rumor, I go to the Web and find the message "no DNS entry". So this Web site doesn't look like it's there just now.
But it could just be that the machine that runs the disk that holds this Web site is temporarily down. There is a way to tell whether the computer that serves a domain name is running: the ping command:
/usr/etc/ping phreak.org
The answer is:
/usr/etc/ping: unknown host phreak.org
Now if this Web site had been up, it would have responded like my Web site does:
/usr/etc/ping techbroker.com
This gives the answer:
techbroker.com is alive
*************************
Evil Genius Note: Ping is a powerful network diagnostic tool. This example is from BSD Unix. Quarterdeck Internet Suite and many other software packages also offer this wimpy version of the ping command. But in its most powerful form -- which you can get by installing Linux on your computer -- the ping -f command will send out packets as fast as the target host can respond for an indefinite length of time. This can keep the target extremely busy and may be enough to put the computer out of action. If several people do this simultaneously, the target host will almost certainly be unable to maintain its network connection. So -- *now* do you want to install Linux?
*************************
*************************
Netiquette warning: Pinging down a host is incredibly easy. It's way too easy to be regarded as elite, so don't do it to impress your friends. If you do it anyhow, be ready to be sued by the owner of your target and kicked off your ISP -- or much worse! If you should accidentally get the ping command running in assault mode, you can quickly turn it off by holding down the control key while pressing the c key.
*************************
*************************
You can go to jail warning: If it can be shown that you ran the ping -f command on purpose to take out the host computer you targeted, this is a denial of service attack and hence illegal.
************************
OK, now we have established that at least right now, http://www.phreak.org either does not exist, or else the computer hosting it is not connected to the Internet.
But is this temporary or is it gone, gone, gone? We can get some idea whether it has been up and around and widely read from the search engine at http://altavista.digital.com. It is able to search for links embedded in Web pages. Are there many Web sites with links to phreak.org? I put in the search commands:
link: http://www.phreak.org
host: http://www.phreak.org
But they turn up nothing. So it looks like the phreak.org site is not real popular.
Well, does phreak.org have a record at Internic? Let's try whois:
whois phreak.org
Phreaks, Inc. (PHREAK-DOM)
Phreaks, Inc.
1313 Mockingbird Lane
San Jose, CA 95132 US
Domain Name: PHREAK.ORG
Administrative Contact, Billing Contact:
Connor, Patrick (PC61) [email protected]
(408) 262-4142
Technical Contact, Zone Contact:
Hall, Barbara (BH340) [email protected]
408.262.4142
Record last updated on 06-Feb-96.
Record created on 30-Apr-95.
Domain servers in listed order:
PC.PPP.ABLECOM.NET
204.75.33.33
ASYLUM.ASYLUM.ORG
205.217.4.17
NS.NEXCHI.NET
204.95.8.2
Next I wait a few hours and ping phreak.org again. I discover it is now alive. So now we have learned that the computer hosting phreak.org is sometimes connected to the Internet and sometimes not. (In fact, later probing shows that it is often down.)
I try telnetting to their login sequence:
telnet phreak.org
Trying 204.75.33.33 ...
Connected to phreak.org.
Escape character is '^]'.
______________ _______________________________ __
___ __ \__ / / /__ __ \__ ____/__
|__ //_/____________________ _
__ /_/ /_ /_/ /__ /_/ /_ __/ __ /| |_
,< _ __ \_ ___/_ __ `/
_ ____/_ __ / _ _, _/_ /___ _ ___
| /| |__/ /_/ / / _ /_/ /
/_/ /_/ /_/ /_/ |_| /_____/ /_/
|_/_/ |_|(_)____//_/ _\__, /
/____/
;
Connection closed by foreign host.
Aha! Someone has connected the computer hosting phreak.org to the Internet!
The fact that this gives just ASCII art and no login prompt suggests that this host computer does not exactly welcome the casual visitor. It may well have a firewall that rejects attempted logins from anyone who telnets in from a host that is not on its approved list.
Next I finger their technical contact:
finger [email protected]
Its response is:
[phreak.org]
It then scrolled out some embarrassing ASCII art. Finger it yourself if you really want to see it. I'd only rate it PG-13, however.
The fact that phreak.org runs a finger service is interesting. Since finger is one of the best ways to crack into a system, we can conclude that either:
1) The phreak.org sysadmin is not very security-conscious,
or
2) It is so important to phreak.org to send out insulting messages that the sysadmin doesn't care about the security risk of running finger.
Since we have seen evidence of a firewall, case 2 is probably true.
One of the Happy Hacker list members who helped me by reviewing this Guide, William Ryan, decided to further probe phreak.org's finger port:
I have been paying close attention to all of the "happy hacker" things that you have posted. When I tried using the port 79 method on phreak.org, it connects and then displays a hand with its middle finger raised and the comment "UP YOURS." When I tried using finger, I get logged on and a message is displayed shortly thereafter "In real life???"
Oh, this is just *too* tempting...ah, but let's keep out of trouble and just leave that port 79 alone, OK?
Now how about their HTML port, which would provide access to any Web sites hosted by phreak.org? We could just bring up a Web surfing program and take a look. But we are hackers and hackers never do stuph the ordinary way. Besides, I don't want to view dirty pictures and naughty words. So we check to see if it is active with, you guessed it, a little port surfing:
telnet phreak.org 80
Here's what I get:
Trying 204.75.33.33 ...
Connected to phreak.org.
Escape character is '^]'.
HTTP/1.0 400 Bad Request
Server: thttpd/1.00
Content-type: text/html
Last-modified: Thu, 22-Aug-96 18:54:20 GMT
<HTML><HEAD><TITLE>400 Bad Request</TITLE></HEAD>
<BODY><H2>400 Bad Request</H2>
Your request '' has bad syntax or is inherently impossible to
satisfy.
<HR>
<ADDRESS><A HREF="http://www.acme.org/software/thttpd/">thttpd/1.00</A></ADDRESS
</BODY></HTML>
Connection closed by foreign host.
Now we know that phreak.org does have a web server on its host computer. This server is called thttpd, version 1.0. We also may suspect that it is a bit buggy!
What makes me think it is buggy? Look at the version number: 1.0. Also, that's a pretty weird error message.
If I were the technical administrator for phreak.org, I would get a better program running on port 80 before someone figures out how to break into root with it. The problem is that buggy code is often a symptom of code that takes the lazy approach of using calls to root. In the case of a Web server, you want to give read-only access to remote users in any users' directories of html files. So there is a huge temptation to use calls to root.
And a program with calls to root just might crash and dump you out into root.
************************
Newbie note: Root! It is the Valhalla of the hard-core cracker. Root is the account on a multi-user computer which allows you to play god. You become the superuser! It is the account from which you can enter and use any other account, read and modify any file, run any program. With root access, you can completely destroy all data on boring.ISP.net or any other host on which you gain root. (I am *not* suggesting that you do so!)
*************************
Oh, this is just too tempting. I do one little experiment:
telnet phreak.org 80
This gives:
Trying 204.75.33.33 ...
Connected to phreak.org.
Escape character is '^]'.
Because the program on port 80 times out on commands in a second or less, I was set up ready to do a paste to host command, which quickly inserted the following command:
<ADDRESS><A HREF="http://www.phreak.org/thttpd/">thttpd/1.00</A></ADDRESS</BODY></HTML>
This gives information on phreak.org's port 80 program:
HTTP/1.0 501 Not Implemented
Server: thttpd/1.00
Content-type: text/html
Last-modified: Thu, 22-Aug-96 19:45:15 GMT
<HTML><HEAD><TITLE>501 Not Implemented</TITLE></HEAD>
<BODY><H2>501 Not Implemented</H2>
The requested method '<ADDRESS><A' is not implemented by this server.
<HR>
<ADDRESS><A HREF="http://www.acme.org/software/thttpd/">thttpd/1.00</A></ADDRESS
</BODY></HTML>
Connection closed by foreign host.
All right, what is thttpd? I do a quick search on Altavista and get the answer:
A small, portable, fast, and secure HTTP server. The tiny/turbo/throttling HTTP server does not fork and is very careful about memory...
But did the programmer figure out how to do all this without calls to root? Just for kicks I try to access the acme.org URL and get the message "does not have a DNS entry". So it's off-line, too. But whois tells me it is registered with Internic. Hmm, this sounds even more like brand X software. And it's running on a port. Break-in city! What a temptation...arghhh...
Also, once again we see an interesting split personality. The phreak.org sysadmin cares enough about security to get a Web server advertised as secure. But that software shows major symptoms of being a security risk!
So what may we conclude? It looks like phreak.org does have a Web site. But it is only sporadically connected to the Internet.
Now suppose that we did find something seriously bad news at phreak.org. Suppose someone wanted to shut it down. Ah-ah-ah, don't touch that buggy port 80! Or that tempting port 79! Ping in moderation, only!
********************************
You can go to jail note: Are you as tempted as I am? These guys have notorious cracker highway port 79 open, AND a buggy port 80! But, once again, I'm telling you, it is against the law to break into non-public parts of a computer. If you telnet over US state lines, it is a federal felony. Even if you think there is something illegal on that thttpd server, only someone armed with a search warrant has the right to look it over from the root account.
********************************
First, if in fact there were a problem with phreak.org (remember, this is just being used as an illustration) I would email a complaint to the technical and administrative contacts of the ISPs that provide phreak.org's connection to the Internet. So I look to see who they are:
whois PC.PPP.ABLECOM.NET
I get the response:
[No name] (PC12-HST)
Hostname: PC.PPP.ABLECOM.NET
Address: 204.75.33.33
System: Sun 4/110 running SunOS 4.1.3
Record last updated on 30-Apr-95
In this case, since there are no listed contacts, I would email [email protected].
I check out the next ISP:
whois ASYLUM.ASYLUM.ORG
And get:
[No name] (ASYLUM4-HST)
Hostname: ASYLUM.ASYLUM.ORG
Address: 205.217.4.17
System: ? running ?
Record last updated on 30-Apr-96.
Again, I would email [email protected]
I check out the last ISP:
whois NS.NEXCHI.NET
And get:
NEXUS-Chicago (BUDDH-HST)
1223 W North Shore, Suite 1E
Chicago, IL 60626
Hostname: NS.NEXCHI.NET
Address: 204.95.8.2
System: Sun running Unix
Coordinator:
Torres, Walter (WT51) [email protected]
312-352-1200
Record last updated on 31-Dec-95.
So in this case I would email [email protected] with evidence of the offending material. I would also email complaints to [email protected] and postmaster@ASYLUM.ASYLUM.ORG.
That's it. Instead of waging escalating hacker wars that can end up getting people thrown in jail, document your problem with a Web site and ask those who have the power to cut these guys off to do something. Remember, you can help fight the bad guys of cyberspace much better from your computer than you can from a jail cell.
*************************
Netiquette alert: If you are just burning with curiosity about whether thttpd can be made to crash to root, *DON'T* run experiments on phreak.org's computer. The sysadmin will probably notice all those weird accesses to port 80 in the shell log file. He or she will presume you are trying to break in, and will complain to your ISP. You will probably lose your account.
*************************
*************************
Evil Genius note: The symptoms of being hackable that we see in thttpd are the kind of intellectual challenge that calls for installing Linux on your PC. Once you get Linux up you could install thttpd. Then you may experiment with total impunity.
If you should find a bug in thttpd that seriously compromises the security of any computer running it, then what do you do? Wipe the html files of phreak.org? NO! You contact the Computer Emergency Response Team (CERT) at http://cert.org with this information. They will send out an alert. You will become a hero and be able to charge big bucks as a computer security consultant. This is much more phun than going to jail. Trust me.
************************
OK, I'm signing off for this column. I look forward to your contributions to this list. Happy hacking -- and don't get busted!
Guide to (mostly) Harmless Hacking
Vol. 1 No. 7
Written by outburn
How to Forge Email Using Eudora Pro
_________________________________________________________
One of the most popular hacking tricks is forging email. People love to fake out their friends by sending them email that looks like it is from [email protected], [email protected], or [email protected]. Unfortunately, spammers and other undesirables also love to fake email, so it's easy for them to get away with flooding our email accounts with junk.
Thanks to these problems, most email programs are good Internet citizens. Pegasus, which runs on Windows, and Pine, which runs on Unix, are fastidious in keeping people from misusing them. Have you ever tried to forge email using Compuserve or AOL? I'm afraid to ever say something is impossible to hack, but those email programs have all resisted my attempts.
I will admit that the screen name feature of America OnLine allows one to hide behind all sorts of handles. But for industrial strength email forging there is Eudora Pro for Windows 95, Qualcomm's gift to the Internet and the meanest, baddest email program around.
*******************************************************
In this Guide you will learn how to use Eudora Pro to fake email. This will include how to forge:
· Who sent the mail
· Extra headers to fake the route it took through the Internet
· Even the message ID!
· And anything else you can imagine
· Plus, how to use Eudora for sending your email from other people's computers -- whether they like it or not.
· Plus -- is it possible to use Eudora for mail bombing?
*****************************************************************
Some Super Duper haxors will see this chapter and immediately start making fun of it. They will assume I am just going to teach the obvious stuff, like how to put a fake sender on your email.
No way. This is serious stuff. For example, check out the full headers of this email:
Return-Path: <[email protected]>
Received: from kizmiaz.fu.org ([email protected] [206.14.78.160])
by Foo66.com (8.8.6/8.8.6) with ESMTP id VAA09915
for <[email protected]>; Sat, 13 Sep 1997 21:54:34 -0600 (MDT)
Received: from Anteros (pmd08.foo66.com [198.59.176.41])
by kizmiaz.fu.org (8.8.5/8.8.5) with SMTP id UAA29704
for <[email protected]>; Sat, 13 Sep 1997 20:54:20 -0700 (PDT)
Date: Sat, 13 Sep 1997 20:54:20 -0700 (PDT)
Message-Id: <[email protected]>
received: from emout09.mail.ayatollah.ir (emout09.mx.aol.com [198.81.11.24])by
Foo66.com (8.8.6/8.8.6) with ESMTP id MAA29967 for <[email protected]>;
Mon, 8 Sep 1997 12:06:09 -0600 (MDT)
Favorite-color:turquoise
X-Sender: [email protected] (Unverified)
X-Mailer: Windows Eudora Pro Version 2.2 (16)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: [email protected]
From: Carolyn Meinel <[email protected]>
Subject: Test of forged everything
I actually sent this email through a PPP connection with my account [email protected] to myself at that same address. Yes, this email began and ended up at the same computer. However, if you read the headers, this email looks like it was sent by a computer named Anteros, then went to kizmiaz.fu.org, then ayatollah.ir. Sender, it reports, is unverified but appears to be [email protected].
What is of particular interest is the message ID. Many people, even experienced sysadmins and hackers, assume that even with forged email, the computer name at the end of the message ID is the computer on which the email was written, and the computer that holds the record of who the guy was who forged it.
But you can quickly prove with Eudora Pro that you can forge a message ID that references almost any computer, including nonexistent computers.
Some of this Guide is clearly amateurish. For hundreds of dollars you can buy an email program from a spammer company that will forge email better and pump it out faster. Still, learning to forge email with Eudora illustrates many basic principles of email forgery.
Let's start with the sender's email address. I managed to give myself three different fake addresses in this email:
[email protected]
[email protected]
[email protected]
Only the last of these, [email protected], was real. The other two I inserted myself.
There is a legitimate use for this power. In my case, I have several ISPs but like to have everything returned to my email address at my own domain, techbroker.com. But that ayatollah address is purely a joke. Here's how I put in those names.
1) In Eudora, click tools then options. This will pull down a menu.
2) Click Personal Information. For forging email, you can make every one of these entries fake.
3) The address you put under Pop account is where you tell Eudora where to look to pick up your email. But guess what? When you send email you can put a phony host in there. I put ayatollah.ir. This generated the line in the header, Message-Id: <[email protected]>. Some people think the message ID is the best way to track down forged email. Just mail the sysadmin at ayatollah.ir, right? Wrong!
4) Real name and Return address are what showed up in the header lines From: Carolyn Meinel <[email protected]> and Return-Path: <[email protected]>. I could have made them fake. If they are fake, people can't reply to you by giving the reply command in their email program.
5) Next, while still on the options pulldown, scroll down to sending mail. Guess what, under SMTP Server, you don't have to put in the one your ISP offers you to send your email out on. With a little experimentation you can find hundreds -- thousands -- millions -- of other computers that you can use to send email on. However, this must be a real computer that will really send out your email. I picked kizmiaz.fu.org for this one. That accounts for the header lines:
Received: from kizmiaz.fu.org ([email protected] [206.14.78.160])
by Foo66.com (8.8.6/8.8.6) with ESMTP id VAA09915
for <[email protected]>; Sat, 13 Sep 1997 21:54:34 -0600 (MDT)
Received: from Anteros (pmd08.foo66.com [198.59.176.41])
by kizmiaz.fu.org (8.8.5/8.8.5) with SMTP id UAA29704
for <[email protected]>; Sat, 13 Sep 1997 20:54:20 -0700 (PDT)
How to Make Extra Headers and Fake the Path through the Internet
But maybe this doesn't make a weird enough header for you. Want to make your email even phonier? Even really experienced Eudora users rarely know how to make extra headers, so it's a great way to show off.
1) Open Windows Explorer by clicking start, then programs, then Windows Explorer.
2) On the left hand side is a list of directories. Click on Eudora.
3) On the right hand side will be all the directories and files in Eudora. Scroll down them to the files. Click on eudora.ini.
4) Eudora.ini is now in Notepad and ready to edit.
5) Fix it up by going to the line entitled extraheaders= under [Dialup]. After the = type in something like this:
extraheaders=received:from emout09.mail.ayatollah.ir (emout09.mx.aol.com
[198.81.11.24])by Foo66.com (8.8.6/8.8.6) with ESMTP id MAA29967 for
<[email protected]>; Mon, 8 Sep 1997 12:06:09 -0600 (MDT)
With this set up, all your email going out from Eudora will include that line in the headers. You can add as many extra headers to your email as you want by adding new lines that also start with extraheaders=. For example, in this case I also added Favorite-color:turquoise.
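As an added example (not the Guide's own code, nor Eudora's), here is a Python script that reads a header block like the one above and walks the Received: chain the way the spam-tracing column earlier did, flagging what gives the forgery away: the out-of-place lowercase received: line, the hop whose "by" host never hands off to the next hop's "from", the Message-Id host that never relayed the mail, and the unverified X-Sender. It also lists the postmaster@ addresses of the hosts that actually relayed the message, which is where the earlier column says a complaint belongs. The sample is the page's own header block with its redacted addresses replaced by the placeholder recipient@example.invalid; the last-two-labels domain rule is a simplification.

```python
"""Walk an e-mail's Received: chain and flag the forgery symptoms this Guide describes."""
import re
from email.utils import parsedate_to_datetime

# Constructed sample: the Guide's "Test of forged everything" header block. The page
# redacts every mailbox address, so recipient@example.invalid stands in for each one
# (and placeholder-id for the Message-Id local part); hosts and timestamps are the page's.
SAMPLE_HEADERS = """\
Return-Path: <recipient@example.invalid>
Received: from kizmiaz.fu.org (recipient@example.invalid [206.14.78.160])
\tby Foo66.com (8.8.6/8.8.6) with ESMTP id VAA09915
\tfor <recipient@example.invalid>; Sat, 13 Sep 1997 21:54:34 -0600 (MDT)
Received: from Anteros (pmd08.foo66.com [198.59.176.41])
\tby kizmiaz.fu.org (8.8.5/8.8.5) with SMTP id UAA29704
\tfor <recipient@example.invalid>; Sat, 13 Sep 1997 20:54:20 -0700 (PDT)
Date: Sat, 13 Sep 1997 20:54:20 -0700 (PDT)
Message-Id: <placeholder-id@ayatollah.ir>
received: from emout09.mail.ayatollah.ir (emout09.mx.aol.com [198.81.11.24])by
\tFoo66.com (8.8.6/8.8.6) with ESMTP id MAA29967 for <recipient@example.invalid>;
\tMon, 8 Sep 1997 12:06:09 -0600 (MDT)
Favorite-color:turquoise
X-Sender: recipient@example.invalid (Unverified)
X-Mailer: Windows Eudora Pro Version 2.2 (16)
To: recipient@example.invalid
From: Carolyn Meinel <recipient@example.invalid>
Subject: Test of forged everything
"""

FROM_RE = re.compile(r"\bfrom\s+([A-Za-z0-9.-]+)", re.I)
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)

def unfold_headers(raw):
    """Return (name, value) pairs in on-the-wire order, joining folded lines."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()  # continuation of the previous header
        elif line.strip():
            lines.append(line)
    return [(n.strip(), v.strip()) for n, _, v in (ln.partition(":") for ln in lines)]

def registrable_domain(host):
    """Last-two-labels heuristic: fine for .com/.org/.net, wrong for co.uk-style TLDs."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def parse_received(value):
    """Extract from-host, by-host and timestamp from one Received: value."""
    from_m, by_m, when = FROM_RE.search(value), BY_RE.search(value), None
    if ";" in value:
        try:
            when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            when = None  # unparsable date: treat as unknown rather than crash
    return {"from": from_m.group(1).lower() if from_m else "",
            "by": by_m.group(1).lower() if by_m else "", "when": when}

def analyze(raw):
    """Return findings, the relays worth complaining to, and domains merely named."""
    findings, hops, msgid_host, past_trace = [], [], "", False
    for name, value in unfold_headers(raw):
        lname = name.lower()
        if lname == "received":
            hop = parse_received(value)
            hop["out_of_place"] = past_trace
            if name != "Received":
                findings.append(f"ODD_HEADER_NAME: {name!r} is not how sendmail spells Received")
            if past_trace:  # real MTAs prepend; a hop below Date/Message-Id was typed in
                findings.append(f"OUT_OF_PLACE: hop 'by {hop['by']}' sits below originator headers")
            hops.append(hop)
            continue
        if lname == "message-id":
            msgid_host = value.strip("<> ").rsplit("@", 1)[-1].lower()
        elif lname == "x-sender" and "(unverified)" in value.lower():
            findings.append("UNVERIFIED_SENDER: X-Sender was never checked against a login")
        if lname != "return-path":  # Return-Path is also prepended on delivery
            past_trace = True
    chain = list(reversed(hops))  # chronological order, earliest hop first
    for earlier, later in zip(chain, chain[1:]):
        if earlier["by"] != later["from"]:
            findings.append(f"CHAIN_BREAK: 'by {earlier['by']}' is not the next hop's from ({later['from']!r})")
        if earlier["when"] and later["when"] and later["when"] < earlier["when"]:
            findings.append(f"DATE_BACKWARDS: {later['by']} stamped earlier than {earlier['by']}")
    genuine_by = {h["by"] for h in hops if not h["out_of_place"] and h["by"]}
    relays = {registrable_domain(h) for h in genuine_by}
    named = {registrable_domain(h["from"]) for h in hops if h["out_of_place"] and h["from"]}
    if msgid_host:
        named.add(registrable_domain(msgid_host))
        if msgid_host not in genuine_by:
            findings.append(f"MSGID_HOST: {msgid_host} in Message-Id never relayed the mail; the client chose it")
    return {"findings": findings, "chain": chain,
            "complaint_targets": sorted(f"postmaster@{d}" for d in relays),
            "impersonated": sorted(named - relays)}

if __name__ == "__main__":
    report = analyze(SAMPLE_HEADERS)
    print("\n".join(report["findings"]))
    print("complain to:", ", ".join(report["complaint_targets"]))
    print("named but never relayed:", ", ".join(report["impersonated"]))
```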
******************************************************
You can go to jail warning: There still are ways for experts to tell where
you sent this email from. So if someone were to use forged email to defraud,
threaten or mail bomb people, watch out for that cellmate named Spike.
*****************************************************************
Is it Possible to Mail Bomb Using Eudora?
The obvious way to mail bomb with Eudora doesn't work. The obvious way is to put the address of your victim into the address list a few thousand times and then attach a really big file. But the result will be only one message going to that address. This is no thanks to Eudora itself. The mail daemons in common use on the Internet such as sendmail, smail and qmail only allow one message to be sent to each address per email.
Of course there are better ways to forge email with Eudora. Also, there is a totally trivial way to use Eudora to send hundreds of gigantic attached files to one recipient, crashing the mail server of the victim's ISP. But I'm not telling you how because this is, after all, a Guide to (mostly) Harmless Hacking.
But next time those Global kOS dudes try to snooker you into using one of their mail bomber programs (they claim these programs will keep you safely anonymous but in fact you will get caught) just remember all they are doing is packaging up stuff that anyone who knows two simple tricks could do much better with Eudora. (If you are a legitimate computer security professional, and you want to join us at Infowar in solving the problem, contact me for details and we'll think about whether to trust you.)
************************************************
Evil Genius Tip: This deadly mailbomber thingy is a feature, yes, honest-to-gosh
intended FEATURE, of sendmail. Get out your manuals and study.
************************************************
The ease with which one may forge perfect mail and commit mail bombings which crash entire ISP mail servers and even shut down Internet backbone providers such as has recently happened to AGIS may well be the greatest threat the Internet faces today. I'm not happy about revealing this much. Unfortunately, the mail forgery problem is a deeply ingrained flaw in the Internet's basic structure. So it is almost impossible to explain the basics of hacking without revealing the pieces to the puzzle of the perfect forgery and perfect mailbombing.
If you figure it out, be a good guy and don't abuse it, OK? Become one of us insiders who see the problem -- and want to fix it rather than exploit it for greed or hatred.