HACKING BLUEPRINT FOR n00b

I keep seeing the n00bs ask "How to hack" -- The folks who've been into this scene for awhile get tired of these questions. So what's a n00b to do?

Well I'm here to help.
While this short tut will not give you a step-by-step, hold-your-hand solution ( such a solution is impossible for reasons you'll find out in this text. ) This text will give you a serious guideline to developing your own techniques and methodologies for hacking.

Next I must tell you the following: With penalties for hacking going up and up all over the world, in every nation (almost) doing a sloppy hack can get you from 20 years to LIFE IMPRISONMENT. The ball game has changed since I first got into it. Security is harder and tighter, penalties are going sky high. I'm reminded of the bad-old-days of the '60's in the USA when posession of a marijuana *seed* could get you life in prison. Those days have changed for you tokers, but the 'bad old days' are right now for hackers. It's easier than ever to get caught and you'll seriously screw up your life if you do get caught.





Tell me -- is doing that DDOS or crashing some SOB who 'wronged' you or publishing those warez to be leet -- is that worth the prison time? How much reward or inducement would someone have to give you before you'd agree to rob a bank at gunpoint and risk 20 years to life in jail? Don't laugh, The penalties for armed robbery of a federal depository such as a bank and hacking your neighbor's PC are the same - 20 to life!!!

The only difference is that you stand a better chance of a reduced sentence for robbing a bank. Therefore I do not advocate you doing any exploits until and unless you really know what you are doing and are willing to take total responsibility for your actions. Bottom line -- do whatever the heck you want -- I'll not really change your mind because you won't/don't believe me and you 'know better' than I. I'll just leave you with this -- I've been hacking for 30 years now and I've never been caught nor charged - because I'm careful - I would never do any exploit without a proper investigation of the target - it's suicide.

So now I'll give you an outline of the do's and don't's as well as a little advice... Doing a real exploit involves much, much more than finding a vulnerable system and running a script to root it. Before you even consider using an exploit you must do the following MINIMUM:

1) Ensure that you are as hidden as possible, Chain of proxies; hidden cutouts; work thru a rhost or shell on a previously rooted machine; spoofed the hell out of everything; and last but definately not least -- NEVER EVER UNDER ANY CIRCUMSTANCES RUN AN EXPLOIT FROM YOUR HOME, SCHOOL OR OFFICE. In fact never run one from an inet cafe for obvious reasons. This is because you can and will be traced if your hack is noticed. This is because, no matter what you do, no matter how well you try to hide, in order to enter and snoop around in someone's PC you *must* establish a connection from you to them. Even if you work through a chain of proxies you can be traced. Those machines have logs, the machines they connect to have logs and so on and so on. which brings us to point 2.....

2) Clean up after yourself. This involves some very delicate surgery on the target. You should try to remove any log entries that pertain to you out of ALL logs. This is almost impossible without root access to the target. So if you got in, but didn't get root -- you could be screwed big time. Don't just erase the logs, that's way to crass. Edit the logs to remove your entries. Very time consuming, but very much worth it. Next clean up is your proxies/cut-outs, etc. Well you probably don't have root access on each machine in your chain of proxies. this is a problem because anyone who finds the first link of a back trace to one of the proxies will track you. If you can you must break the chain by destroying one or more of the proxies. This is not easy in and of itself as it involves compromising the proxy and wiping the HDD. However, even doing this you're not totally in the clear as recovery of the HDD may be possible or logs may be kept on external devices/media for that proxy. So even if you do crash it -- you're still screwed (potentially). Now to the 3rd point, how to find a suitable target...

3) Find a vulnerable system by UNOBTRUSIVE scanning techniques. Most of the regular scanners use very blatant scanning techniques that would wake the dead. They do this because they're made for security admins to test their networks, not for hackers to be sneaky. To scan a target use a scanner that allows very fine grain control of the scanning techniques and has several different techniques. Scanners like Xscan, GFI LanGuard and the like are totally unsuited for hacking. Be sure you really know HOW to use the scanner, all it's options and how it works. Select the most delicate of scans first and go from there after analyzing the results. You may want to do several types of scans, I know I do. 4th point -- Watch your back...

4) Get a GOOD packet sniffer. Use it to see if you're being backtraced. Set it up to watch for incomming packets not only from the target, but from at least his whole class-C subnet. In fact to be really safe, you may want to watch his class-B instead. I set my sniffer tolook at ALL incomming packets and filter to a seperate point the ones from the target and then all other incomming. I also set it to alert on any 'suspicious' packets that are common to a backtrace. In this fashion I can see if a backtrace has hit me from anywhere. If your sniffer doesn't have all these bells and whistles then do as I did and write your own. Now we start to get into the meat of hacking...

5) Education. You could be considered an idiot if you attempt a live exploit without knowing the following:
5-A) TCP/IP: how it works; packet layout; OSI model; everything. How do expect to interpret a sniffer to see if you've been backtraced if you can't read a TCP/IP packet?
5-B] Programming: You need to be able to compile the exploit yourself; you may need to do some surgery once in the target.
5-C) Assembly Language: Since most exploits rely on shell code you must know assembly to be able to handle and fix any exploits; Assembly allows you fine-grain control of the target. If you are in a chroot jail a small assembly program can bust you out and potentially give you root.
5-D) Be an EXPERT on the target's OS: How can you be expected to do all the things needed to perform a successful exploit if you can't do simple OS functions once you get in?
5-E) Be an EXPERT with all the tools you use. Know them inside out, understand how they work and what they do. Next item....

6) UNOBTRUSIVELY sniff AROUND the target. Look at machines potentially on the same subnet that may be monitoring the target extenally. Also examine for any firewall, routers or other network infrastructure that could potentially aid or hinder your exploit. Sniff the target for signs of an IDS (intrusion detection system). Insure the potential target is not a honeypot. Failure to examine the machines/network AROUND the target is a deadly sin. More n00bs get caught by honeypots and IDS's because they fail to take the time to properly investigate their target. investigation must not be limited to the target and its immediate surroundings either.....

                                                                7) Examine whois and other relevant records to determine the owners of the target. You might undercover a very well placed law-enforcement  
honeypot this way. LE *sometimes* doesn't set up their domains and such well ahead of time and so you might uncover a trail to point to the *real* owner or a lack of trail indicating you should be cautious. Additionally examining the whole 'paper trail' may lead you to other networks the target is affiliated with. Some of those may have an easier way in and a route to a backdoor on your original target. Mandmins feel a false sense of security behind their own firewalls and leave open access between various subnets inside. This is a weapon to exploit whenever possible. However without proper safety procedures you can be nailed very easily as you may be logged from many different directions behind the firewall.

8) Hardware...What do you need? My recommendation is to get the smallest, lightest, tiniest laptop avalable. Sony had a tiny one that ran Win/ME, JVC has a couple small ones that they just released recently. Also you'll need various cords: phone, ethernet, USB, etc. You'll also need a phone cord for your modem that terminates in tiny alligator clips. This is to use a junction box directly to get phone service in a quiet place. The PC should have the following ports: ethernet, wireless, bluetooth, 56kb modem and USB. The idea is that everything fits into oversized coat pockets or a ditty bag under your co

at. Right now carrying a tiny computer is still not a crime ( like burglar tools), but give the feds a chance. Carry a computer - go to jail.                                                                                                                                                  

9) Software ...What do you need? My recommendation is Linux with a hand-picked assortment of tools: scanners, sniffers, assembler, compilers and reference data on HDD. I won't go into much detail as the choice of tools is a very personal thing. Over the last 10 years or so I've been unhappy with the readily available tools and have used the available source of several to create my own versions. As you progress and are more concerned with doing an 'invisible' hack and not being noticed, you'll undoubtedly do the same. I also hesitate to recommend any of the readily bavailable tools just because of my dissatisfaction with them. While some are quite good, many do not lend themselves to stealth techniques. And last....

                                                                             

10) Ethics...Ah DAMN! The old fart is getting on his soapbox again. Well perhaps, but you'd do well to at least read what I have to say and *consider* my words. After all I've done more exploits than most of you put together and I still have my freedom. I must be doing something right.


   
10-A ) Don't do the crime if you can't do the time. By this I mean for you to understand that if you attempt an exploit against a machine that you do not have rights to -- you are breaking the law. Be a man (or woman) and be prepared to accept your punishment. Nobody told you to go out and hack, in fact I tell you not to do it. Most of you are just not capable of the attention to detail, nor do most of you posess the requisite knowledge at this time. Yes, there are exceptions to what I'm saying, however I'm writing this for n00bs, not the experienced/educated.

10-B ) The benefit of your actions must outweigh the risk. -- By this I mean to take a good, hard look at REALITY. What is the punishment if you get caught? Is it worth getting caught and suffering the punishment for what I get out of doing the deed? If you're stealing millions of dollars online -- well 20 to life is about the standard risk for grand theft. But if you're just screwing with your buddy...is that worth getting caught and convicted of a felony? Remember if you are a convicted felon - no guns - no voting - no *many* things.

10-C ) Knowledge is Power and Information is Wealth. If I have to explain this one - you're pretty dense.

10-D ) TANSTAAFL -- This is an anagram -- There Ain't No Such Thing As A Free Lunch. This basically means that you don't get something for nothing. The hacker's version of Newton's law of conservation of energy. If that target seems too good to be true - it's probably a trap. Watch you back, examine everyone's motives. You're wandering into the hacker community, keep your wits about you, not everyone nor everything is what it seems. After you've done all this then it MIGHT be safe to run that exploit. But it might not -- there are other checks that I go through, but I'm sure you get the idea. If all this seems like too much trouble and there must be an easier way -- you're right. Just log on from home, crank up xscan and find a vulnerable PC and perform that exploit. But have some snacks and drinks ready, sooner or later you'll get some visitors.

--- A reply by a member

1.what flavor of linux do you prefer for the tasks you presented us in your article ? There are LOTS and LOTS of linux distro's. Though, they all work the same, so the one you use to preform the task is up to you. Some distro's are easy to setup and use (like mandrake, www.mandrake.org), others are really customisable and/or faster but they are a lot harder to install (like gentoo, www.gentoo.org). Personally I prefer gentoo. Though, for the real experts, to have FULL control on your computer, LFS (LinuxFromScratch, www.linuxfromscratch.org) is probably best. As you may have noticed, almost every distro's have www.theirname.org as website. though some sites will link to the real sites (like mandrake). One exception is redhat, which is .com. So just try www.thedistroname.org or if it doesnt exist www.thedistroname.com. Otherwise try google.
2. the proggys for the newbies. is very important to start playing with the tools of the trade, and as easy as it seems for the people here that knows how to hack it would be nice to post at least the names of the prefered software a hakcer must use, so we the nbies can google it, or even better post (again) the link. Like Daremo said specifically, you should NEVER use a tool before you have enough knowledge. I don't have enough knowledge to use tools but I do. This highly increases my chances on getting caught. And like Daremo said, if you really want to hack you should program your own tools. Then you exactly know how they work and you can make it as obsecure as possible. Most of these tools wont be released, so there are only few. An example of a tool which can do a bit unobtrusive scanning is nmap (dont know the website), but still its not unobtrusive enough. And, why the hell would you want to port scan if you do not have enough knowledge to know what to do after the portscan?
3.when are you gonna write a tutorial for C the way you did for assemble? There are lots of tutorials for C. And good ones, too. Just look around here (ebooks, programming) and read them. And he isnt done yet with the assembler one.... is he?
4. now how you delete your tracks? where are the logs in the operating systems? Most targets for a hacker a linux boxes. Linux is -- unlike windows -- customisable. You can set the places of the logs yourself. I think even windows can do it. Though most of the times the logs will be in /var/log/. In windows I don't remember where they are. I believe somewhere like "%WINDOWSDIR%/system32/logfiles/" or "%WINDOWSDIR%/system/logfiles/" or so. Im not sure. But again, I think this can, even in windows, be changed.

YOUR COMMENTS IS LOT TO MEAN FOR ME...

Posted in: Security,Tips n Tricks