June 12, 2008

XP Hacking With Windows XP

So you have the newest, glitziest, "Fisher Price" version of Windows: XP. How can you use XP in a way that sets you apart from the boring millions of ordinary users?

The key to doing amazing things with XP is as simple as D O S. Yes, that's right, DOS as in MS-DOS, as in Microsoft Disk Operating System. Windows XP (as well as NT and 2000) comes with two versions of DOS. Command.com is an old DOS version. Various versions of command.com come with Windows 95, 98, SE, ME, Windows 3 and DOS-only operating systems. The other DOS, which comes only with XP, 2000 and NT, is cmd.exe. Usually cmd.exe is better than command.com because it is easier to use, has more commands, and in some ways resembles the bash shell in Linux and other Unix-type operating systems. For example, you can repeat a command by using the up arrow until you back up to the desired command. Unlike bash, however, your DOS command history is erased whenever you shut down cmd.exe. The reason XP has both versions of DOS is that sometimes a program that won't run right in cmd.exe will work in command.com.

Note: I'm not comparing bash to DOS.

DOS is your number one Windows gateway to the Internet, and the open sesame to local area networks. From DOS, without needing to download a single hacker program, you can do amazingly sophisticated explorations and even break into poorly defended computers.

****************
You can go to jail warning: Breaking into computers is against the law if you do not have permission to do so from the owner of that computer. For example, if your friend gives you permission to break into her Hotmail account, that won't protect you because Microsoft owns Hotmail and they will never give you permission.
****************

****************
You can get expelled warning: Some kids have been kicked out of school just for bringing up a DOS prompt on a computer. Be sure to get a teacher's WRITTEN permission before demonstrating that you can hack on a school computer.
****************

So how do you turn on DOS? Click All Programs -> Accessories -> Command Prompt. That runs cmd.exe. You should see a black screen with white text on it, saying something like this:

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\>

Your first step is to find out what commands you can run in DOS. If you type "help" at the DOS prompt, it gives you a long list of commands. However, this list leaves out all the commands hackers love to use. Here are some of those left-out hacker commands.

TCP/IP commands:
telnet
netstat
nslookup
tracert
ping
ftp

NetBIOS commands (just some examples):
nbtstat
net use
net view
net localgroup

TCP/IP stands for Transmission Control Protocol/Internet Protocol. As you can guess by the name, TCP/IP is the protocol suite the Internet runs on, along with the User Datagram Protocol (UDP). So when you are connected to the Internet, you can try these commands against other Internet computers. Most local area networks also use TCP/IP.

NetBIOS (Network Basic Input/Output System) is another way to communicate between computers. It is often used by Windows computers, and by Unix/Linux-type computers running Samba. You can often use NetBIOS commands over the Internet (carried inside TCP/IP, so to speak). In many cases, however, NetBIOS commands will be blocked by firewalls. Also, not many Internet computers run NetBIOS because it is so easy to break in using it. I will cover NetBIOS commands in the next article on XP hacking.

The queen of hacker commands is telnet. To get Windows help for telnet, in the cmd.exe window give the command:

C:\>telnet /?

Here's what you will get:

telnet [-a][-e escape char][-f log file][-l user][-t term][host [port]]

-a Attempt automatic logon. Same as the -l option except it uses the currently logged-on user's name.
-e Escape character to enter telnet client prompt.
-f File name for client-side logging.
-l Specifies the user name to log in with on the remote system. Requires that the remote system support the TELNET ENVIRON option.
-t Specifies terminal type. Supported term types are vt100, vt52, ansi and vtnt only.
host Specifies the hostname or IP address of the remote computer to connect to.
port Specifies a port number or service name.

****************
Newbie note: what is a port on a computer? A computer port is sort of like a seaport. It's where things can go in and/or out of a computer. Some ports are easy to understand, like keyboard, monitor, printer and modem. Other ports are virtual, meaning that they are created by software. When that modem port of yours (or LAN or ISDN or DSL) is connected to the Internet, your computer has the ability to open or close any of over 65,000 different virtual ports (TCP and UDP each number them 1 to 65535), and has the ability to connect to any of these on another computer - if it is running a service on that port, and if a firewall doesn't block it.
****************

****************
Newbie note: How do you address a computer over the Internet? There are two ways: by number (its IP address, like 206.61.52.33) or by name (its host name, like techbroker.com, which DNS translates into the number).
****************

The simplest use of telnet is to log into a remote computer. Give the command:

C:\>telnet targetcomputer.com

(substituting the name of the computer you want to telnet into for targetcomputer.com). If this computer is set up to let people log into accounts, you may get the message:

login:

Type your user name here, making sure to be exact. You can't swap between lower case and capital letters. For example, user name Guest is not the same as guest.

****************
Newbie note: Lots of people email me asking how to learn what their user name and password are. Stop laughing, darn it, they really do. If you don't know your user name and password, that means whoever runs that computer didn't give you an account and doesn't want you to log on.
****************

Then comes the message:

Password:

Again, be exact in typing in your password.

What if this doesn't work? Every day people write to me complaining they can't telnet. That is usually because they try to telnet into a computer, or a port on a computer, that is set up to refuse telnet connections. Here's what it might look like when a computer refuses a telnet connection:

C:\>telnet 10.0.0.3
Connecting To 10.0.0.3...Could not open connection to the host, on port 23. A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

Or you might see:

C:\>telnet hotmail.com
Connecting To hotmail.com...Could not open connection to the host, on port 23. No connection could be made because the target machine actively refused it.

If you just give the telnet command without giving a port number, it will automatically try to connect on port 23, which sometimes runs a telnet server. The two error messages mean different things: the first (timed out) usually means the host is down or a firewall silently dropped your packets; the second (actively refused) means the host is up and answered, but nothing is listening on that port.

****************
Newbie note: your Windows computer has a telnet client program, meaning it will let you telnet out of it. However you have to install a telnet server before anyone can telnet into port 23 on your computer.
****************

If telnet failed to connect, possibly the computer you were trying to telnet into was down or just plain no longer in existence. Maybe the people who run that computer don't want you to telnet into it.

Even though you can't telnet into an account inside some computer, often you can get some information back or get that computer to do something interesting for you. Yes, you can get a telnet connection to succeed - without doing anything illegal - against almost any computer, even if you don't have permission to log in. There are many legal things you can do to many randomly chosen computers with telnet.
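The three outcomes just described (the service speaks first and you see a banner, "actively refused", and a silent timeout) are easy to tell apart programmatically. The following is an added example of mine, not code from the article: it connects the way "telnet host port" does, classifies what happened, and parses an SSH identification line like the one the article shows next. serve_banner_once() is a constructed local stand-in for a real service so the demo runs offline; the banner string it sends is assumed to be what a real SSH server would send.

```python
import socket
import threading


def grab_banner(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect like `telnet host port` and classify the result.

    status is one of:
      "banner"  - connected and the service spoke first (first line returned)
      "silent"  - connected, but nothing arrived within the timeout
      "closed"  - connected, then the far end hung up without a word
      "refused" - the host answered with a reset: it is up, nothing listens there
      "timeout" - no answer at all: host down or a firewall dropping packets
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                data = sock.recv(256)
            except socket.timeout:
                return {"status": "silent", "banner": ""}
    except ConnectionRefusedError:
        return {"status": "refused", "banner": ""}
    except socket.timeout:
        return {"status": "timeout", "banner": ""}
    except OSError as exc:
        return {"status": "error", "banner": str(exc)}
    if not data:
        return {"status": "closed", "banner": ""}
    first = data.split(b"\n", 1)[0].rstrip(b"\r")
    return {"status": "banner", "banner": first.decode("ascii", errors="replace")}


def ssh_version(banner: str):
    """Split an SSH identification line (RFC 4253: SSH-protoversion-softwareversion)
    such as SSH-1.99-OpenSSH_3.4p1 into protocol and software; None if not SSH."""
    if not banner.startswith("SSH-"):
        return None
    parts = banner.split("-", 2)
    if len(parts) < 3:
        return None
    return {"protocol": parts[1], "software": parts[2].split(" ", 1)[0]}


def serve_banner_once(banner: bytes) -> int:
    """Constructed stand-in for a remote service: listen on a free local port,
    send `banner` to the first client, close. Returns the port to connect to."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        conn.sendall(banner)
        conn.close()
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = serve_banner_once(b"SSH-1.99-OpenSSH_3.4p1\r\n")
    result = grab_banner("127.0.0.1", port)
    print(result, ssh_version(result["banner"]))
```

Against a real host, a "banner" result on port 22 or 25 tells you what software is listening without logging in, which is exactly the kind of legal probe the article means; a "timeout" against an address that otherwise answers is the signature of a firewall.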
For example, here is what you get by telnetting to port 22 of freeshell.org:

C:\>telnet freeshell.org 22
SSH-1.99-OpenSSH_3.4p1

That tells us the target computer is running an SSH server, which enables encrypted connections between computers. If you want to SSH into an account there, you can get a shell account for free at http://freeshell.org . You can get a free SSH client program from http://winfiles.com .

****************
You can get punched in the nose warning: Your online provider might kick you off for making telnet probes of other computers. The solution is to get a local online provider and make friends with the people who run it, and convince them you are just doing harmless, legal explorations.
****************

Sometimes a port is running an interesting program, but a firewall won't let you in. For example, 10.0.0.3, a computer on my local area network, runs an email sending program (sendmail working together with Postfix, and using KMail to compose emails). I can use it from an account inside 10.0.0.3 to send emails with headers that hide from where I send things. If I try to telnet to this email program from outside this computer, here's what happens:

C:\>telnet 10.0.0.3 25
Connecting To 10.0.0.3...Could not open connection to the host, on port 25. No connection could be made because the target machine actively refused it.

However, if I log into an account on 10.0.0.3 and then telnet from inside to port 25, here's what I get:

Last login: Fri Oct 18 13:56:58 2002 from 10.0.0.1
Have a lot of fun...
cmeinel@test-box:~> telnet localhost 25
Trying ::1...
telnet: connect to address ::1: Connection refused
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 test-box.local ESMTP Postfix

[Carolyn's note: 127.0.0.1 is the numerical address meaning localhost, the same computer you are logged into.] (The "::1" line is telnet first trying the IPv6 loopback address, where nothing was listening, before falling back to IPv4.)

The reason I keep this port 25 hidden behind a firewall is to keep people from using it to try to break in or to forge email. Now the ubergeniuses reading this will start to make fun of me because no Internet address that begins with 10. is reachable from the Internet. However, sometimes I place this "test-box" computer online with a static Internet address, meaning whenever it is on the Internet, it always has the same numerical address. I'm not going to tell you what its Internet address is because I don't want anyone messing with it. I just want to mess with other people's computers with it, muhahaha. That's also why I always keep my Internet address from showing up in the headers of my emails.

****************
Newbie note: What is all this about headers? It's stuff at the beginning of an email that may - or may not - tell you a lot about where it came from and when. To see full headers, in Outlook click view -> full headers. In Eudora, click the "Blah blah blah" icon.
****************

Want a computer you can telnet into and mess around with, and not get into trouble no matter what you do to it? I've set up my techbroker.com (206.61.52.33) with user xyz, password guest for you to play with. Here's how to forge email to xyz@techbroker.com using telnet. Start with the command:

C:\>telnet techbroker.com 25
Connecting To Techbroker.com
220 Service ready

Now you identify yourself to the server (HELO properly takes your host name, but this server accepts an address too):

helo santa@techbroker.com

Techbroker.com will answer:

250 host ready

Next type in your mail from address:

mail from:santa@techbroker.com
250 Requested mail action okay, completed

Your next command:

rcpt to:xyz@techbroker.com
250 Requested mail action okay, completed

Your next command:

data
354 Start mail input; end with <CRLF>.<CRLF>

<CRLF> just means hit return. In case you can't see that little period between the <CRLF>s, what you do to end composing your email is to hit enter, type a period, then hit enter again. Anyhow, try typing:

This is a test.
.
250 Requested mail action okay, completed
quit
221 Service closing transmission channel
Connection to host lost.

Using techbroker's mail server, even if you enable full headers, the message we just composed looks like:

Status: R
X-status: N

This is a test.

That's a pretty pathetic forged email, huh? No "from", no date. However, you can make your headers better by using a trick with the data command. After you give it, you can insert as many headers as you choose. The trick is easier to show than explain:

220 Service ready
helo santa@northpole.org
250 host ready
mail from:santa@northpole.com
250 Requested mail action okay, completed
rcpt to:cmeinel@techbroker.com
250 Requested mail action okay, completed
data
354 Start mail input; end with <CRLF>.<CRLF>
from:santa@deer.northpole.org
Date: Mon, 21 Oct 2002 10:09:16 -0500
Subject: Rudolf

This is a Santa test.
.
250 Requested mail action okay, completed
quit
221 Service closing transmission channel
Connection to host lost.

The message then looks like:

from:santa@deer.northpole.org
Date: Mon, 21 Oct 2002 10:09:16 -0500
Subject: Rudolf

This is a Santa test.

The trick is to start each line you want in the headers with one word followed by a colon, then the rest of the line, then hit return. Strictly, the headers are supposed to end with one blank line and the body follows; in practice, as soon as you write a line that doesn't begin this way, the rest of what you type goes into the body of the email.

Notice that the santa@northpole.com from the "mail from:" command (the envelope sender) didn't show up in the header. Some mail servers would show both "from" addresses, usually by adding a Return-Path: header carrying the envelope sender; that is the header to compare against From: when you suspect a forgery.

You can forge email on techbroker.com within one strict limitation. Your email has to go to someone at techbroker.com. If you can find any way to send email to someone outside techbroker, let us know, because you will have broken our security, muhahaha! Don't worry, you have my permission.

Next, you can read the email you forge on techbroker.com via telnet:

C:\>telnet techbroker.com 110
+OK <30961.5910984301@techbroker.com> service ready

Give this command:

user xyz
+OK user is known

Then type in this:

pass test
+OK mail drop has 2 message(s)
retr 1
+OK message follows
This is a test.

If you want to know all possible commands, give this command:

help
+OK help list follows
USER user
PASS password
STAT
LIST [message]
RETR message
DELE message
NOOP
RSET
QUIT
APOP user md5
TOP message lines
UIDL [message]
HELP

Note that USER and PASS send your password across the network in clear text; APOP, in the list above, sends an MD5 digest of it instead.

Unless you use a weird online provider like AOL, you can use these same tricks to send and receive your own email. Or you can forge email to a friend by telnetting to his or her online provider's email sending computer(s). With most online providers you need to get the exact name of their email computer(s). Often it is simply mail.targetcomputer.com (substitute the name of the online provider for targetcomputer). If this doesn't work, you can find out the name of their email server with the DOS nslookup program, which only runs from cmd.exe.
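The SMTP exchange typed by hand above, with both sides' messages, as an added example of mine (not the article's code, and not techbroker.com's server). ToySMTPServer is a constructed stand-in for the port 25 server that also does what a receiving MTA does: it records the envelope sender from "mail from:" and stamps it into a Return-Path: header, so the recipient can see both "from" addresses. forge() drives the HELO / MAIL FROM / RCPT TO / DATA sequence, including the header trick and the dot terminator, and envelope_vs_header() is the check a recipient (or a spam filter) would run. The addresses are the ones from the Santa session; the hostname test-box.local is assumed.

```python
import email
import email.utils
import socket
import threading

CRLF = "\r\n"


class ToySMTPServer(threading.Thread):
    """Constructed receiving MTA: one session, records the envelope, stamps the
    stored message with Return-Path (envelope sender) and Received headers."""

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.messages = []

    def run(self):
        conn, peer = self.sock.accept()
        f = conn.makefile("rwb")

        def reply(text):
            f.write((text + CRLF).encode())
            f.flush()

        reply("220 test-box.local ESMTP toy")
        envelope_from, rcpts = None, []
        while True:
            raw = f.readline()
            if not raw:
                break
            verb, _, arg = raw.decode().rstrip(CRLF).partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                reply("250 test-box.local")
            elif verb == "MAIL":
                envelope_from = arg.split(":", 1)[1].strip("<> ")
                reply("250 Requested mail action okay, completed")
            elif verb == "RCPT":
                rcpts.append(arg.split(":", 1)[1].strip("<> "))
                reply("250 Requested mail action okay, completed")
            elif verb == "DATA":
                reply("354 Start mail input; end with <CRLF>.<CRLF>")
                lines = []
                while True:
                    line = f.readline().decode().rstrip(CRLF)
                    if line == ".":
                        break
                    lines.append(line[1:] if line.startswith("..") else line)  # undo dot-stuffing
                self.messages.append(f"Return-Path: <{envelope_from}>\n"
                                     f"Received: from {peer[0]} by test-box.local for <{rcpts[-1]}>\n"
                                     + "\n".join(lines))
                reply("250 Requested mail action okay, completed")
            elif verb == "QUIT":
                reply("221 Service closing transmission channel")
                break
            else:
                reply("500 Syntax error, command unrecognized")
        conn.close()
        self.sock.close()


def forge(host, port, helo, envelope_from, rcpt, headers, body):
    """The hand-typed session automated; returns the transcript as (sent, reply) pairs."""
    transcript = []
    with socket.create_connection((host, port)) as sock:
        f = sock.makefile("rwb")

        def exchange(line):
            if line is not None:
                f.write((line + CRLF).encode())
                f.flush()
            answer = f.readline().decode().rstrip(CRLF)
            transcript.append((line, answer))
            return answer

        exchange(None)  # server banner
        exchange(f"HELO {helo}")
        exchange(f"MAIL FROM:<{envelope_from}>")
        exchange(f"RCPT TO:<{rcpt}>")
        exchange("DATA")
        # headers, one blank line, body; a line starting with "." is dot-stuffed
        # so the server cannot mistake it for the end-of-data marker
        for line in headers + [""] + body:
            f.write(((("." + line) if line.startswith(".") else line) + CRLF).encode())
        exchange(".")
        exchange("QUIT")
    return transcript


def envelope_vs_header(stored):
    """Recipient-side check: envelope sender (Return-Path) versus the From: header."""
    msg = email.message_from_string(stored)
    return (email.utils.parseaddr(msg.get("Return-Path", ""))[1],
            email.utils.parseaddr(msg.get("From", ""))[1])


def demo():
    srv = ToySMTPServer()
    srv.start()
    transcript = forge("127.0.0.1", srv.port, helo="santa@northpole.org",
                       envelope_from="santa@northpole.com", rcpt="cmeinel@techbroker.com",
                       headers=["from:santa@deer.northpole.org",
                                "Date: Mon, 21 Oct 2002 10:09:16 -0500", "Subject: Rudolf"],
                       body=["This is a Santa test."])
    srv.join(5)
    return transcript, srv.messages[0]


if __name__ == "__main__":
    transcript, stored = demo()
    for sent, answer in transcript:
        print(f"C: {sent}" if sent is not None else "C: (connect)", f"S: {answer}", sep="\n")
    print(stored, envelope_vs_header(stored), sep="\n")
```

The two addresses envelope_vs_header() returns differ, which is the whole forgery: the sender controls both, but only the From: header is shown by mail clients, while Return-Path records what the server was actually told at "mail from:".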
Here's an nslookup example:

C:\>nslookup
Default Server: DNS1.wurld.net
Address: 206.61.52.11

> set q=mx
> dimensional.com
Server: DNS1.wurld.net
Address: 206.61.52.11

dimensional.com MX preference = 5, mail exchanger = mail.dimensional.com
dimensional.com MX preference = 10, mail exchanger = mx2.dimensional.com
dimensional.com MX preference = 20, mail exchanger = mx3.dimensional.com
dimensional.com nameserver = ns.dimensional.com
dimensional.com nameserver = ns-1.dimensional.com
dimensional.com nameserver = ns-2.dimensional.com
dimensional.com nameserver = ns-3.dimensional.com
dimensional.com nameserver = ns-4.dimensional.com
mail.dimensional.com internet address = 206.124.0.11
mx2.dimensional.com internet address = 206.124.0.30
mx3.dimensional.com internet address = 209.98.32.54
ns.dimensional.com internet address = 206.124.0.10
ns.dimensional.com internet address = 206.124.26.254
ns.dimensional.com internet address = 206.124.0.254
ns.dimensional.com internet address = 206.124.1.254
ns.dimensional.com internet address = 209.98.32.54
ns.dimensional.com internet address = 206.124.0.32
ns.dimensional.com internet address = 206.124.0.30
ns.dimensional.com internet address = 206.124.0.25
ns.dimensional.com internet address = 206.124.0.15
ns.dimensional.com internet address = 206.124.0.21
ns.dimensional.com internet address = 206.124.0.9
ns-1.dimensional.com internet address = 206.124.26.254
ns-2.dimensional.com internet address = 209.98.32.54
ns-3.dimensional.com internet address = 206.124.1.254
ns-4.dimensional.com internet address = 206.124.0.254
>

The lines that tell you which computers accept email for people with @dimensional.com addresses are:

dimensional.com MX preference = 5, mail exchanger = mail.dimensional.com
dimensional.com MX preference = 10, mail exchanger = mx2.dimensional.com
dimensional.com MX preference = 20, mail exchanger = mx3.dimensional.com

MX stands for mail exchange. The lower the preference number, the more they would like you to use that address for email. If that lowest-numbered server is too busy, then try another server.

Sometimes when you ask about a mail server, nslookup will give you this kind of error message:

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to [207.217.120.202] timed-out

To get around this problem, you need to find out what the domain servers for your target online provider are. A good place to start looking is http://netsol.com/cgi-bin/whois/whois . If this doesn't work, see http://happyhacker.org/HHA/fightback.shtml for how to find the domain servers for any Internet address.

****************
Newbie note: A domain name server provides information on the names and numbers assigned to computers on the Internet. For example, dns1.wurld.net and dns2.wurld.net contain information on happyhacker.org, techbroker.com, securitynewsportal.com, thirdpig.com and sage-inc.com. When you query dns1.wurld.net about other computers, it might have to go hunting for that information from other name servers. That's why you might get a timed-out failure.
****************

Once you know the domain servers for an online service, set one of them as the server for your nslookup program.
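What nslookup does for "set q=mx" is send a DNS question of type MX to UDP port 53 and print the answer records. The following is an added example of mine, not code from the article: it builds that query, parses the reply (including the name compression pointers real servers use), sorts the exchangers by preference the way nslookup lists them, and automates the "server" switch by trying each name server in turn with a two-second timeout, which is the "DNS request timed out" situation above. The host names in the test data are the dimensional.com exchangers from the article's output; the response bytes are constructed here, not captured from a server.

```python
import socket
import struct

MX, IN = 15, 1
TXID = 0x1234  # fixed transaction id; a real client picks a random one


def encode_name(name: str) -> bytes:
    """Wire format: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode()
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_mx_query(name: str, txid: int = TXID) -> bytes:
    """Header with RD (recursion desired) set, one question, QTYPE=MX, QCLASS=IN."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", MX, IN)


def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name at off; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier copy of the name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_mx_answer(msg: bytes, txid: int = TXID):
    """Return [(preference, exchanger), ...], lowest preference first."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0xF}")
    off = 12
    for _ in range(qd):                           # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    found = []
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == MX:
            pref = struct.unpack("!H", msg[off:off + 2])[0]
            host, _ = read_name(msg, off + 2)
            found.append((pref, host))
        off += rdlen
    return sorted(found)


def query_mx(name: str, servers, timeout: float = 2.0):
    """Ask each name server in turn (the manual 'server <ip>' step automated);
    a server that does not answer within `timeout` seconds is skipped."""
    query = build_mx_query(name)
    for server in servers:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(query, (server, 53))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue                          # "DNS request timed out": next server
        return server, parse_mx_answer(data)
    raise TimeoutError("no name server answered")


def constructed_answer(name: str, records, txid: int = TXID) -> bytes:
    """Constructed test data: the reply a server would send, with each answer's
    owner name compressed to a pointer at the question name (offset 12)."""
    msg = bytearray(struct.pack("!HHHHHH", txid, 0x8180, 1, len(records), 0, 0))
    msg += encode_name(name) + struct.pack("!HH", MX, IN)
    for pref, host in records:
        rdata = struct.pack("!H", pref) + encode_name(host)
        msg += struct.pack("!HHHIH", 0xC00C, MX, IN, 300, len(rdata)) + rdata
    return bytes(msg)


if __name__ == "__main__":
    reply = constructed_answer("dimensional.com", [(10, "mx2.dimensional.com"),
                                                   (5, "mail.dimensional.com"),
                                                   (20, "mx3.dimensional.com")])
    for pref, host in parse_mx_answer(reply):
        print(f"dimensional.com MX preference = {pref}, mail exchanger = {host}")
```

To run it against a real domain, call query_mx("example.org", ["207.217.126.41", "206.61.52.11"]) with the authoritative servers found via whois, in the order you want them tried; the parser rejects replies whose transaction id does not match, which is the minimum check against a spoofed answer.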
Here's how you do that in nslookup:

C:\>nslookup
Default Server: DNS1.wurld.net
Address: 206.61.52.11

Now give the command:

> server 207.217.126.41
Default Server: ns1.earthlink.net
Address: 207.217.126.41

Next command should be:

> set q=mx
> earthlink.net
Server: ns1.earthlink.net
Address: 207.217.126.41

earthlink.net MX preference = 5, mail exchanger = mx04.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx05.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx06.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx00.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx01.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx02.earthlink.net
earthlink.net MX preference = 5, mail exchanger = mx03.earthlink.net
earthlink.net nameserver = ns3.earthlink.net
earthlink.net nameserver = ns1.earthlink.net
earthlink.net nameserver = ns2.earthlink.net
mx00.earthlink.net internet address = 207.217.120.28
mx01.earthlink.net internet address = 207.217.120.29
mx02.earthlink.net internet address = 207.217.120.79
mx03.earthlink.net internet address = 207.217.120.78
mx04.earthlink.net internet address = 207.217.120.249
mx05.earthlink.net internet address = 207.217.120.31
mx06.earthlink.net internet address = 207.217.120.23
ns1.earthlink.net internet address = 207.217.126.41
ns2.earthlink.net internet address = 207.217.77.42
ns3.earthlink.net internet address = 207.217.120.43
>

Your own online service will usually not mind and may even be glad if you use telnet to read your email. Sometimes a malicious person or faulty email program will send you a message that is so screwed up that your email program can't download it. With telnet you can manually delete the bad email (LIST to find its message number, DELE that number, then QUIT, since deletions only take effect when you quit). Otherwise tech support has to do it for you.

If you think about it, this ability to forge email is a huge temptation to spammers. How can your online provider keep the bad guys from filling up a victim's email box with garbage? The first time a bad guy tries this, probably nothing will stop him or her. The second time the online provider might block the bad guy at the firewall, maybe call the bad guy's online provider and get him or her kicked off, and maybe get the bad guy busted or sued.

****************
You can go to jail warning: Sending hundreds or thousands of junk emails to bomb someone's email account is a felony in the US.
****************

****************
You can get sued warning: Spamming, where you send only one email to each person, but send thousands or millions of emails, is borderline legal. However, spammers have been successfully sued when they forge the email addresses of innocent people as senders of their spam.
****************

Now that you know how to read and write email with telnet, you definitely have something you can use to show off with. Happy hacking!

Oh, here's one last goodie for advanced users. Get netcat for Windows. It's a free program written by Weld Pond and Hobbit, and available from many sites, for example http://www.atstake.com/research/tools/#network_utilities . It is basically telnet on steroids. For example, using netcat, you can set up a port on your Windows computer to allow people to telnet into a DOS shell by using this command:

C:\>nc -L -p 5000 -t -e cmd.exe

(-L keeps listening after each connection closes, -p picks the port, -t answers the telnet client's option negotiation so it behaves, and -e hands the connection to cmd.exe.) You can specify a different port number than 5000. Just make sure it doesn't conflict with another port by checking with the netstat command (netstat -an lists the ports already in use). Then you and your friends, enemies and random losers can either telnet in or netcat in with the command:

C:\>nc -v [ipaddress of target] [port]

Of course you will probably get hacked for setting up this port: anyone who can reach it gets a command shell with whatever privileges you started nc with, and nothing asks for a password. However, if you set up a sniffer to keep track of the action, you can turn this scary back door into a fascinating honeypot. For example, you could run it on port 23 and watch all the hackers who attack with telnet hoping to log in. With some programming you could even fake a Unix-like login sequence and play some tricks on your attackers.
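The "fake a Unix-like login sequence" idea, done safely: instead of exposing cmd.exe, listen on the port, show a login: / Password: dialogue, reject every attempt, and log what was tried. This is an added example of mine, not code from the article or from netcat. It also strips the telnet option-negotiation bytes a real telnet client sends on connect (the job netcat's -t flag does), assuming each negotiation sequence arrives whole in one read. probe() is a constructed attacker so the demo runs offline; the host name test-box and the 30 second idle timeout are assumptions.

```python
import json
import socket
import threading
import time

IAC = 0xFF


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC command sequences (WILL/WONT/DO/DONT <option> and two-byte
    commands) a telnet client sends, keeping only what the visitor typed."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 1 < len(data):
            cmd = data[i + 1]
            if cmd == IAC:
                out.append(IAC)          # IAC IAC is an escaped literal 0xFF
                i += 2
            elif 0xFB <= cmd <= 0xFE:
                i += 3                   # WILL / WONT / DO / DONT <option>
            else:
                i += 2
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


class FakeLoginHoneypot(threading.Thread):
    """Fakes the Unix login dialogue, rejects everything, records every attempt.
    Nothing the visitor types is ever executed."""

    def __init__(self, host="127.0.0.1", port=0, max_attempts=3, hostname="test-box"):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.max_attempts, self.hostname = max_attempts, hostname
        self.attempts, self.lock = [], threading.Lock()

    def run(self):
        while True:
            try:
                conn, peer = self.sock.accept()
            except OSError:
                return                   # listening socket closed by stop()
            threading.Thread(target=self.handle, args=(conn, peer), daemon=True).start()

    def handle(self, conn, peer):
        conn.settimeout(30)
        try:
            for _ in range(self.max_attempts):
                conn.sendall(f"\r\n{self.hostname} login: ".encode())
                user = self.readline(conn)
                conn.sendall(b"Password: ")
                password = self.readline(conn)
                self.record(peer, user, password)
                time.sleep(0.2)          # a real login pauses before rejecting
                conn.sendall(b"\r\nLogin incorrect\r\n")
        except OSError:
            pass                         # timeout or visitor went away
        finally:
            conn.close()

    @staticmethod
    def readline(conn):
        buf = b""
        while not buf.endswith(b"\n"):
            chunk = conn.recv(256)
            if not chunk:
                raise ConnectionError("client disconnected")
            buf += strip_telnet_negotiation(chunk)
        return buf.decode("utf-8", errors="replace").rstrip("\r\n")

    def record(self, peer, user, password):
        entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%S"), "src": peer[0],
                 "user": user, "password": password}
        with self.lock:
            self.attempts.append(entry)
        print(json.dumps(entry))         # one JSON line per attempt: grep it or ship it

    def stop(self):
        self.sock.close()


def probe(host, port, credentials):
    """Constructed attacker: connect like `telnet host port`, try each (user, password)."""
    buf, replies = b"", []

    def wait_for(sock, marker):
        nonlocal buf
        while marker not in buf:
            chunk = sock.recv(256)
            if not chunk:
                raise ConnectionError("server closed")
            buf += chunk
        head, buf = buf.split(marker, 1)
        return head + marker

    with socket.create_connection((host, port), timeout=5) as sock:
        for user, password in credentials:
            wait_for(sock, b"login: ")
            sock.sendall(b"\xff\xfd\x18" + user.encode() + b"\r\n")  # IAC DO TERMINAL-TYPE, as a telnet client might
            wait_for(sock, b"Password: ")
            sock.sendall(password.encode() + b"\r\n")
            replies.append(wait_for(sock, b"incorrect\r\n").decode().strip())
    return replies


if __name__ == "__main__":
    hp = FakeLoginHoneypot()
    hp.start()
    print(probe("127.0.0.1", hp.port, [("root", "toor"), ("admin", "admin")]))
    hp.stop()
```

Run it with port=23 (as Administrator) to catch telnet login attempts; the JSON lines give you source address, user name and password for every try, which is the "sniffer" the article suggests without ever handing anyone a shell.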
