Copy Link
Add to Bookmark
Report
Antidote Vol. 01 Issue 01
ÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜ
ÛÛ²ÜܲÜܲÜܲÜܲÜܲÜܲܰTHE°Ü²ÜܲÜܲÜܲÜܲÜܲÜܲÜܲÜܲÜܲÜܲÜܲÜܲÛÛ
ÛÛ²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²°²ÛÛ
ÛÛ²° ÜÜÜ ÜÜÜ Ü ÜÜÜÜÜÜ ÜÜÜÜ ÜÜÜÜ ÜÜÜ ÜÜÜÜÜÜ ÜÜÜÜÜÜ °²ÛÛ
ÛÛ²° ÛÛ ÛÛ Û ÛÜ Û Û ÛÛ Û ÛÛ Û ÛÛ ÛÛ ÛÛ Û ÛÛ Û ÛÛ °²ÛÛ
ÛÛ²° ÜÛÛÜÛÛÜ Û ÛÜÛ ÛÛ ÛÛ Û ÛÛ ÛÛ ÛÛ ÛÛ ÛÛÜÜ °²ÛÛ
ÛÛ²° ÛÛ ÛÛ Û ÛÛ ÛÛ ÛÛ Û ÛÛ ÛÛ ÛÛ ÛÛ ÛÛ °²ÛÛ
ÛÛ²° ÛÛ ÛÛ Û Û ÛÛ ÛÛÛÛ ÛÛÛÛ ÛÛÛ ÛÛ ÛÛÛÛÛÛ °²ÛÛ
ÛÛÛÛ ÛÛÛÛ
ÛÜÛÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛÛÜÛ
Û -|The Antidote|- Û
ÛÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÜÛ
|===================| *Issue: 1*
|=The Antidote======|
|===================|
|=Founded By:=======|
|=LoRD OaK & Duece==|
|===================|
Contents-
Introduction
Writing Antidote
Current News
Chinese hackers sentenced to death- Skaman
Remote Explorer III- LoRD OaK
Cyber War- LoRD OaK
Submittings
Windows NT security Tips- z0mbie
Assebly in a NuTSHeLL- skatebs
A legal hack with Remote Wall- PBBSER
|*******************|
|*Introduction******|
|*******************|
This ezine is made in .txt and .bat files. If you wish to get one or the other instead of
the one you are using now, please visit www.thepoison.org/antidote and click on issues.
I am first going to thank Macro Imperatore for making the ASCII art above. He does a nice
job and thanx! You can e-mail him at: spaggy64@hotmail.com His webpage is located at:
http://www.micwarez.cjb.net so please go check it out!
Please feel free to submit your articals to the Antidote. You can send your articals to:
lordoak@thepoison.org or duece@thepoison.org . If we see that the artical will fit in our
magazine, we will post it and give you full credit. You can write news stories to us, or
like z0mbie did this "NT security Tips", you can write us with questions, news, comments,
or even hacking/phreaking stories. You will get fill credit or you can stay anonymous
(please specify the information on what you want to be listed as in your e-mail).
|*******************|
|*Current News******|
|*******************|
Chinese Hackers Sentenced To Death
Two brothers from Yangzhou City China are the first, in an expected coming wave of high tech criminals, to be handed down a
stiff sentence from the Chinese courts.
Hao Jingrong connected a homemade modem to the Industrial and Commercial bank where he was employed. Then his
brother Hao Jingwen used a personal computer from a remote location to hack into the banks computer system and transfer a
total amount of 720,000 yuan, which is equivalent to 86,700 US dollars into several banks accounts which they had set up
using false names. They were able to withdraw 260,000 yaun before being apprehended by police. This type of bank robbery
has been the first of its type in china. The courts fined the brothers 40,000 yuan and sentenced them to Death although all
the stolen money was recovered
Skaman (skaman1@hotmail.com)
Remote Explorer III
Remote Explorer III can be used as a worm or a virus if run/ran by a Windows NT user. it will locate executable files,
insert a compressed copy of the original executable into a copy of itself as a resource, then replace the original
(including file attributes and access times). If a server admin runs this worm/virus, it will install itself as a service
and when it runs as a service, it is operating under System user context, and so will then open the shell process
(typically explorer) and copy the process taken, which it then uses to duplicate a new copy of itself running under the
context of the logged in user. Then it will duplicate itself and try to run itself again whether it is installing itself as
a service remotely or is merely corrupting files isn't known. It could be doing either or both. If it achieves running as
a service, it qualifies as a worm (actively spreads itself, rather than passively).
In a addition to infecting exe files, it can also and will encrpt data files. It normally shows up as "Remote
Explorer", and can be located using sc from the Resource Kit, Server Manager (point and click, so not practical for lots of
machines), and the ISS scanner will also find it (see the 'Unknown Services' check). Once you locate a copy of it running
as a service, either use sc or Server Manager to stop the service and set it to disabled. Do not log on locally on a
machine with an active Remote Explorer service. The various anti-virus people are now coming up with disinfectors.
LoRD OaK [lordoak@thepoison.org]
War declared on China and Iraq
contributed by Legion of the Underground
In a very heated and emotional discussion Legion of the Underground declared cyber-war on the information infrastructure of
China and Iraq Monday night. They cited severe civil rites abuses by the governments of both countries as well as the recent
sentencing to death of two bank robbers in China and the production of weapons of mass destruction by Iraq as the reasons
for their outrage. Quoting from the Declaration of Independence about the right of the people to govern themselves and
stating that the US government will probably stand idly by while these atrocities happen in other countries the Legion of
the Underground called for the complete destruction of all computer systems in China and Iraq.
"The Government controls what goes into our mouths lets not let them do the same with what comes out!" said one LoU member
during a press conference held on IRC Monday night.
LoU mentioned that they may seek out assistance in their war from the Hong Kong Blondes. The HKBs are a well known group
attempting to cause mayhem on China's internetworks from within the Iron Curtain. The HKBs where trained and assisted, until
recently, by the infamous Cult of the Dead Cow hacking group.
LoRD OaK [lordoak@thepoison.org]
|*******************|
|*Submittings*******|
|*******************|
Windows NT Security Tips!
=============================================
Written by: z0mbie (z0mbie@thepoison.org)
Copyrighted by: Security Warfare
=============================================
This is just a list of all the security hazards that are located
within the NT Security and how to secure those problems.
I. Information on Security Hazards.
II. Securing the Security problem
III. Some cool tips on Windows NT
Information on Security Hazards
As you all know that Windows NT is most used for hacking into and destroying the machine
you can do allot of remote exploits within Windows NT for ( example ) rollback, getadmin, IIS 3.0 ( GET ../..)
etc. etc.
RollBack : Is a program for windows NT for deleting the registry. This can be used remotely with access to the remote machine.
GetAdmin: Getadmin is a nice little tool for getting administrator passwords from the remote machine.
RedButton : Logs on remotely to a Target computer without presenting any User Name and Password
Shows that unauthorized access to sensitive information stored in file system and registry available to Every one group can be obtained. Determines the current name of Built -in Administrator account (thus demonstrating that it is useless to rename it). Read several registry entries (i.e. it displays the name of Registered Owner) Lists all shares (including the hidden ones) Shows that identifier Everyone includes not only legitimate users of the network but everyone.
Sechole: Sechole.exe allows a non-administrative user to gain debug-level access on a system process. Using this utility, the non-administrative user is able to run some code in the system security context and thereby grant himself or herself local administrative privileges on the system. Sechole.exe locates the memory address of a particular API function (OpenProcess) and modifies the instructions at that address in a running image of the exploit program on the local system. Sechole.exe requests debug rights that give it elevated privileges. The request is successful because the access check for this right is expected to be done in the API that was successfully modified by the exploit program. Sechole.exe can now add the user who invoked Sechole.exe to the local Administrators group.
Qtip: Logs on remotely to a Target computer and then gives your all the user names from the remote computer.
L0phtCrack: Cracks the administrator passwords from the .sam file from the remote computer. You can also do this remotely if you have the Administrator user name and Password
C2MYAZZ SMB Downgrade: When a Microsoft networking client creates a new connection to an NT Server, it is possible for another computer on the same physical network to `spoof' the Microsoft client into sending a clear-text password to the NT Server. It Bypasses all password encryption and allowing the client's clear-text password to be discovered by any other device on the same physical network. his
program actually runs on a Windows based system loaded with Novell ODI style drivers running in promiscuous mode. Once active, the software listens for SMB negotiations, and upon detecting one, the software sends a single packet to the client instructing it to downgrade its connection attempt to a clear text level - at which point the client silently obeys by sending its password in clear readable text. Once this happens this little piece of software actually grabs the password as it travels over the wire and displays it on the screen. The client is successfully connected to the NT Server, and the user remains none-the-wiser that its password has just been grabbed
netmonex : Breaks the NT password scheme for Microsoft's Network Monito
IIS 3.0 ( Internet Information Server ) : You can shutdown a HTTP Server by doing this command
GET ../.. ) by doing this telnet to the host on port 80 ( They half to be running IIS ) then once connected type ( GET ../.. )
Crashing IIS 3.0 & 4.0 ( Internet Information Server ) : Specially-malformed GET requests can create a Denial of Service situation in the W3 server and use all available memory on the Web server which
causes IIS to appear to hang or generate an access violation error message.
Lets you browse and download files : A URL such as 'http://www.whatever.com/..\..' allows you to browse and download files outside of the web server content root directory. A URL such http://www.whatever.com/scripts..\..\scriptname' allows you to execute a target script.
NAT ( Network Auditing Tool ) : Nat is another little nice program which brute forces the remote machine
which trys every password / login attempt until it finds the patch this can be done by doing
( C:\z0mbie\NAT> C:\nat -o z0mbie.txt -u userlist.txt -p passlist.txt 10.10.10.10-10.10.10.30)
nbtstat : Is a way to see if there running NetBios Over TCP/IP and to see what services they are running.
net view : Is a way to view the shares on the remote machine!
net use : Is a way to use a shared resource.
The way to view a list of shares on the remote machine you would type this following.
C:\>net view \\127.0.0.1
System error 5 has occurred.
Access is denied.
C:\>net use \\127.0.0.1\ipc$ "" /user:""
The command completed successfully.
C:\>net view \\127.0.0.1
Shared resources at \\127.0.0.1
That will view the shares on the machine and give a list like
Share name Type Used as Comment
-------------------------------------------------------------------------------
Accelerator Disk Agent Accelerator share for Seagate backup
Inetpub Disk
IRC Disk
NETLOG Disk Log on server share
www_root Disk
The command completed successfully.
CMD (Command Prompt) : You can stick this in the /cgi-bin/scripts of there server and then open up your web browser and execute the program by doing ( http:\\<ip_number\cgi-bin\scripts\cmd.exe )
NetBus : Is a cool little program which you can get access to anyones system by uploading or giving them the patch.exe program so when they run the program it will open a few backdoors so you can get access to anything you want. From Redirting ports, Opening CDROM, Deleting , Uploading, Downloading Files. etc.
Securing The Problem
By securing the problem in Windows NT is quite simple. I will go about telling you how to add a word string to your registry which will basically secure up your Windows NT system pretty tight.
NT Service Pack 4 : has been released. This release of Microsoft Windows NT 4.0 Service Pack 4 (SP4) is easy to apply while Windows NT is running and updates all files that are older than those included in this Windows NT Service Pack. Service Pack releases are cumulative and contain all previous Service Pack fixes and any new fixes created after Service Pack 3.
Removing Administrative shares : By default, if you delete the C$, D$, etc.. Administrative shares, they will be recreated when you reboot. To disable this feature, edit the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Paramaters
Double click on AutoShareServer and set it to 0 to disable it for a server.
Double click on AutoShareWks and set it to 0 to disable it for a workstation.
If the entries are not present, Add Value of type REG_DWORD. The Range is 0 (disable) or 1 (enable - the default).
Go to ( www.microsoft.com ) to get the latest updates and patches for your Windows NT System. This is the best I can do for you right now.
Soom Cool Windows NT Tips
Quick Setup
If you need to reinstall windows NT you can use the previous installtion's settings and let setup run unattended. To do this, type WINNT32 /U on the command line:
Ready for Rollout
If you need to deploy NT on several desktops use the windows NT 4.0 Resource Kit. This tool saves time by performing un attended NT installations.
Explore an Alternative
When you adjust Desktop properties such as screen resolution or font size, you can usually avoid rebooting by using the Task Manager to stop and restart Windows Explorer. Select EXPLORER.EXE under the Processes tab and clicking End Process. Then choose Task Manager's File/New Task (RUN) menu and enter explorer to restart your desktop
Sizing Up The Page File
For best performance, set the initial page file size to 12MB more than the physical RAM in your system. Set the maximum page file size to double the installed RAM. TO set the page file size, right click on My Computer and select Properties/Performance. Click on the Change button in the Virtual Memory section. Adjust Initial and Maximum sized, click on Set.
Commandeer Command
Create a shortcut for fast access to a command prompt by modifying the Command Prompt icon on the Start Menu. Open WINNT\USERNAME\START MENU\PROGRAMS and select the command promp icon. Under Properties, place your cursor in the Shortcut key box and press Ctrl+Shift+D to have Windows NT make the entries for you. Click on Ok
De-Automate Log-Ons
If you've enabled automatic log-ons on your NT system, you might need to override the default user occasionally. To get the default log-on prompt, simply choose "Close all programs and log on as a different user" and hold down the shift key when NT restarts
IDE Idea
NT 4.0 controls all Integrated Device Electronics (IDE) devices using the ATAPI.SYS driver. If a driver fails to start on a system upgraded from NT 3.5 or 3.51, its probably using ATDISK.SYS. Check in Event Viewer, and if ATDISK>SYS is on your system disable it in Control Panel's Device item.
Recover from Registry Blunders
Before you delve into the NT Registry, make sure you set up a safety net. NT's backups program (NTBackup) and repair disk utilities (Rdisk) can help you recover if you make a serious error, but only if you use them beforehand.
Lose the Last User
If you don't like having the last user's log-on name shown in the log-on dialog, you can blank out the User name space. Edit: KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\wWinlogon. Change the DontDisplayLastUserName (REG_SZ) to 1.
The Key to NumLock
Windows NT lets you decide if you want NumLock on or off whenever you log-on. Find the key HKCU\Control Panel\KeyBoard and change the value for InitialKeyboardIndicators. Set the value to 0 to turn NumLock off; make the value 2 if you want the NumLock on
Change the Message
You can change the text display on the NT Log-on screen above the user name and password. Set a String value at HKLN\Software\Microsoft\WindowsNT\Current Version\WinLogon\LogonPrompt to the message you want to display
Nuke NIC Error
If you add a second network interface card (NIC) into your server and get an "Error 20101" in the log, don't panic. This doesn't prevent Remote Access Service (RAS) from working, and you can eliminate the error by editing the Registry. Go to the KEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Router\Interfaces\(X) key (X varies depending on the number of NICs installed). Look for the enabled value name of each key, a type REG_DWORD value. The valid entries are 0 for disabled and 4 for enabled. When you find the Enabled value name that is not set to 0 or 1, set it to 1
Logon Welcome/Legal Notice : The Registry value entries that control the log on sequence for starting Windows NT are found under the following Registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
LegalNoticeCaption REG_SZ
Default: (none)
Specifies a caption for a message to appear when the user presses CTRL+ALT+DEL during log on. Add this value entry if you
want to add a warning to be displayed when a user attempts to log on to a Windows NT system. The user cannot proceed with
logging on without acknowledging this message. To specify text for the message, you must also specify a value for Legal
Notice Text.
Note: You can use the System Policy Editor to change this value.
LegalNoticeText REG_SZ
Default: (none)
How to alter the time it takes Windows NT to shutdown :
Edit: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WaitToKillServiceTimeout (or add it as a REG_SZ) This key tells
the service control manager how long to wait for services to complete the shut-down request. The deault is 20000
milliseconds. You must wait long enough for the services to complete an orderly shutdown.
Keep your RAS connection when you logoff Windows NT :
Edit: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Add value Keep Ras Connections as a type REG_SZ. Set it to 1.
Assembly in A Nutshell
Okay Assembly is probably the most feared language out there. I mean if you think about it that's reasonable.
Every beginners programming book or 'tute says that you don't have to be a math genius or super elite genius or whatever,
because the new languages are easy/easier. Well Assembly IS hard to learn and it does involve a lot more math than a
language like BASIC. Then again after writing 1000's of lines of ASM code you can laugh at BASIC programmers. You'll even
be above the best C programmers... well maybe not, that'll take a few million lines of assembly code but you get the idea.
Here are a few definitions:
mov = mov es, ax... whatever is in ax is now in es
int = int 21h, checks what is in something and executes usually... compicated
; = a semicolon starts a comment
AX, BX, CX, DX = general purpose registers
CS = Code Segment Register
DS = Data Segment Register
ES = Extra Segment Register
SS = Stack Segment Register
Okay now for a program with many comments:
;************************START CUT HERE************************
DOSSEG ; come on figure this out for yourself...
.Model Small ; Model of the program... this is for an exe
.Stack ; Stack isn't really used here
.Data ; Starts data segment
.Code ; Starts code segment
Msg db "Hello World!$" ; Msg equals 'Hello World!$" a dollar sign ends it
START: ; take a guess
mov ax, cs ; ax now equals the code segment which is Msg
mov ds, ax ; makes the data segment equal to ax which is equal to the code segment which is Msg
mov dx, offset Msg ; okay offset is like a pointer in C
mov ah, 9 ; okay ah is the top 2 bytes of ax (al are lower 2)... 9 in ah makes the dos interrupt print a string
int 21h ; dos interrupt, since ah = 9 then it prints the string
mov ax, 4c00h ; puts 4ch in ah , that makes the dos interrupt (21h) print a string
int 21h ; call the interrupt
END START ; figure this out yourself
************************END CUT HERE************************
Now put this in a text editor, save it with an .asm extension and compile it. What you can't compile it! Okay you are
going to need an assembler and a linker. I use Tasm and Tlink cause they came with my Borland C++ compiler. For Tasm you
would do this and its fairly similar to any others:
C:\unzipped\asm> tasm helloworld.asm
some stuff...
C:\unzipped\asm> tlink helloworld.obj
some stuff...
C:\unzipped\asm> helloworld.exe
Hello World!
C:\unzipped\asm>
Have fun? Okay here are some more explanations of what you did. '.model small' makes the program an exe file when
compiled&linked. '.model tiny' is for a com file but exe is best for this. '.stack' is equal to saying '.stack 100h'
because 100h is the default. We don't really need any stack in this program HOWEVER when this is assembled it will avoid a
'No Stack' warning. The '.data' starts the data segment and in many cases you would put the defined strings there. In fact
it probably would have been more correct to put the 'Msg db "...' in there but the code is slightly more complicated.
'.code' starts the code segment and basically the actual code that makes the program do what it does. That's enough for
this tutorial, check the Legion of Outlawed Tech's website @ http://legionoot.hypermart.net for more tutorials.
By: Post BBS Era Representative (PBBSER)
Email: skatebs@cyberspace.org
Webpages: http://legionoot.hypermart.net, http://www.angelfire.com/pa/skatebs
What's the deal with web design t hese days?
The Internet: a bustling network of information, hackers, IP addresses and servers. New web pages spring up every day,
taking up the space of the previous tenant in web space. From these pages, we see new, creative ideas, layouts, and images. Wait a second!! Creative? New? Sure, we see new things every day...or so we think. Chances are that the cool new layout you're seeing right now is just a rip-off of another site or image. It happens more than you think.
The question you may be asking right now is: yeah, so, who cares? If it looks good, then why not use it? Well, here's my
answer. If everyone on the Internet keeps this up, we're not going to see the eye-candy that we have come to love that much
longer. Challenging as it may be, why not think of an innovative layout or image yourself? You'll get much more praise if
you do. Take my word for it. OK, so you're still not convinced. Try this: takes a look at all of the Quake II pages that
have sprung up. Start at www.planetquake.com, then click on any user-made page from there. Notice anything? They ALL have
the same backgrounds, same basic layout, and same general idea. The only page that differs is the ACE bot page, going with
a white background and a white-and-blue color scheme. Does it really take THAT long to do something different? The answer
is no. Web page design and graphic layout are two of the key factors that draw traffic. The same with content, but we won't
go there. If your page is well designed, nice to look at, and original, people are going to love to visit your page. I
admire the people and companies who always are changing their designs it brings something new every time you see it, and a
reason to come back.
SCoRPyaN [scropyan@thepoison.org]
A legal hack with Remote Wall
All of us are paranoid to some level of getting caught hacking. However there are some legal ways to hack too. Now, I am
not saying don't ever to illegal things I am just saying you can do stuff legally that has cool results. I had known about
the wall command and as you probably know it can issue a message to all the people on your system. Now rwall or remote wall
does it on a remote system. I tested it on a system without having root privaleges and it worked. I used a library computer
with the necessary port open. First you make a text file in which you include all the text you want to post on the remote
system. Now open a window and telnet to the system if you want proof that rwall is going to actually do what i say it will.
Now type: rwall [host] ./file.txt. The ./file.txt isn't your average execute so watch what happens in the other system.
It will say broadcast message from remote: [stuff], with a lot of other junk added in. Now that isn't going to be much of a
hack but say you know some lamer who cracks servers and pulls the dreaded rm -rf / a lot and you want him to stop. In that
case change your hostname to fbi.gov or something like that and have the message be: Failure to stop will cause in
appropriate legal actions. Won't hurt him, just scare him. Or to a library computer (this is what I did) send some message
like "pornography books are not to be searched for on this system". And think about what your teachers will think when "the
principal" tells them they are fired... The list goes on and on. Please no flaming if you knew about this, it's a little
idea for newbies.
Greets to: Duece, The Loot, Antidote, Tainted Angel, aL, r8ven, Loki, Kheops, Tatiana, Tag, Trunks_x99 for convincing me to
start assembly and not getting mad that I am 10 times better at it than him :~), #linux on dalnet - malloc is the man, Zafar,
Tatiana, and everyone else that I forgot.
http://legionoot.hypermart.net
By: Post BBS Era Representative
aka
PBBSER
