Originally written by Raven
Edited and updated by Cyberwolf
Converted to HTML by Penguin

Note: whenever you see something like this: blah(1), it means that if you don't understand the meaning of the word blah there's an explanation for it just for you, located at the newbies corner in section 1.

Author's notes
Visit http://blacksun.box.sk for more tutorials, free hacking/programming/unix books to download and much more.

Disclaimer
We do not encourage any kind of illegal activity. If you believe that breaking the law is a good way to impress someone, please stop reading now and grow up. There is nothing impressive or cool about being a criminal; besides, ending up in a small room with a cellmate named Bubba who hasn't had any fun in a couple of months isn't cool at all.

Contents
Sendmail? Huh?
What is Sendmail? What is it used for? Why would I want to learn about Sendmail?
How do I create authentically-looking fake mails?
You mean I can send Emails from bgates@microsoft.com or president@whitehouse.gov?!
Relaying Denied
What did the person I sent the email to get?
How can I learn raw Sendmail commands by myself?
But what if I'm lazy? Can you pleeease teach me?
How do I track down carelessly-made fake mails?
How do I track down more sophisticated fake mails?
Newbies corner
  What is a daemon?
  What is a port?
  What is a service?
  What is a daemon banner?
  What is a timeout (in computer terms)?
  What is TCP and how does it work?
  What is UDP and how does it work?
  What is ICMP and how does it work?
  What is an IP address?
  What is a hostname?
  How to find out what your ISP's mail servers are?
  What is a portscanner?
  What is a services scanner?
  What/who is root?
  What is bandwidth?
  What is a client program?
  What is a DNS server?
  What is Telnet (the Telnet daemon and the Telnet program)?
  What is a command interpreter?
  What is a shell account?
  Who is a sysadmin?
  What is hyper text?
  What is an RFC?
  What is InterNIC?
  What is a sub domain (and how much does a domain really cost?)?
  What is SSH?
  What is a moderated mailing list / message board?
  What is a DoS attack?
  What is DUN?
  What is a dial-up account?
  What is a Unix password file?
  What is a thread?
Appendix A: Fake Daemons
  Fake Sendmail daemon
  Fake Telnet daemon
Appendix B: Routing Mail
  How can I route my mail? How would that help me?
Appendix C: Faking the sender's IP
  How can I fake my IP on the Email's header? Where can I read more about this kind of stuff?
Appendix D: Reply-to
  What does the Reply-to option do? How do I use it?
Appendix E: CC and BCC
  What do these commands do? How do I use them?
References
  RFC 821
Bibliography
  Sam Spade's Library
  Various online magazines
  Packet Storm Security

Sendmail? Huh?
Sendmail is a daemon(1) which waits for connections on port(2) 25. It is used to send outgoing mail; the language it speaks on that port is SMTP, the Simple Mail Transfer Protocol. For example: your Email provider (probably your ISP (Internet Service Provider)) probably uses two servers (unless it's a web-based mail account such as Hotmail.com):
1) pop.boring-ISP.net (probably port 110): for incoming mail (POP service).
2) mail.boring-ISP.net (port 25): for outgoing mail (SMTP service).
Most of the time mail servers look pretty much like this, but the names vary between ISPs. pop.boring-ISP.net requires a username and a password so other people won't be able to read your emails, so let's skip this one. mail.boring-ISP.net is used for outgoing mail and usually doesn't require a username and password for sending email. I say usually because some mailservers (e.g. mail.yahoo.com) want to know whether you have the right to use their service for sending mail. One way to achieve this (it's called "POP before SMTP") is to make you log in to your account on the incoming mail server first, because that service requires a valid username / password combination. If the username / password combination is correct, the incoming mailserver tells the outgoing mailserver that your IP address is allowed to send mail for a while.
Usually your email client takes care of this authentication process.

How can I create authentically-looking fake mails?
All you need to know is the IP address(9) / hostname(10) of the mail server and the Sendmail commands. So far we assume that you know the IP/hostname of your target. If you still don't know this important detail, please find it out(11). Now, let's get on with it. This time, unlike previous tutorials, I will "learn" all over again how to do everything I describe here and walk you through the entire process of learning and using what you have learnt.

Alright, let's begin. Our target outgoing mail server for today is mail.someone.com on port 25. First, let's telnet into that port by either typing 'telnet mail.someone.com 25' (without the quotes) on a standard Unix text-based system, running C:\Windows\telnet.exe or your favorite telnet application and typing mail.someone.com in the host field and 25 in the port field, or executing your favorite telnet application from X Windows (a graphical interface for Unix. If you're smart enough to be running some version of Unix you shouldn't have a hard time finding one. If you don't like the default telnet programs you could always go to http://www.linuxberg.com and grab one) and typing in the correct details (host and port).

Note about VT: you might be asked to choose a terminal type during the connection process. Something with VT and a number in it... hmm... VT stands for Video Terminal, the name of DEC's family of terminals. Since there are several types of terminals (all sorts of monitors, old printer terminals etc.) you are asked to choose a terminal type (compatibility issues). VT100 should suit most people just fine.

Note about shell accounts(21): if you're not running Unix and you wish to use Unix tools on Unix systems while you work, telnet to nether.net on port 23, login as newuser and get yourself a free shell account.
If you'd rather use Windows tools (I use Windows stuff when I work from Windows, except in certain conditions when I really NEED Unix and I don't want to reboot into it. In that case, I get myself a shell account so I am able to use Unix stuff while working from Windows) go ahead (things will work faster since the tools are actually located on your machine, not on some distant computer which runs a shell account), but I still recommend that you get a shell account at nether.net (in fact they teach you a lot of great Unix-newbie stuff when you sign up).

Note about telneting from Macintosh: Macintosh does not come with a Telnet program. However, you can download one from: http://www.ncsa.uiuc.edu/SDG/Software/MacTelnet/ (thanks to little_v for this one!).

Now, let's see what we get after we telnet(19) to mail.someone.com:25 (in this case, the character : stands for 'on port', so mail.someone.com:25 means mail.someone.com on port 25).

220 alpha.someone.com ESMTP Sendmail 8.9.3/8.8.6; Thu, 8 Jul 1999 21:46:04 +0000 (GMT)

AHA! This is... this is... ugh... WHAT THE HELL IS THIS THING?! This, my friends, is a daemon banner(4), and it just gave us tons of valuable pieces of information! Normally, this info is intended for a client program(16) to determine what version of Sendmail the target is running and how to communicate with it (imagine, as a made-up example, that every Sendmail version below 7.0.0 used the command 'halb' instead of the command 'blah'; a client would need to know that). This daemon banner thing is also great for hackers and crackers, since they can determine what version the server is running and look up which bugs that version has.

Okay, let's analyze what we've got... 220... we don't know what this is right now... alpha.someone.com... that's the name the server calls itself. Notice it isn't mail.someone.com, the name we connected to: the name people are told to use is often just an alias for the real machine... ESMTP... hmm... SMTP stands for Simple Mail Transfer Protocol. It is the protocol(18) used by email clients (and by other mail servers) to talk to Sendmail daemons, and this is what we're trying to learn right now. Sendmail 8.9.3/8.8.6 is the version of the Sendmail program followed by the version of its configuration file, and the rest is the server's idea of the current date and time.
ESMTP is Extended SMTP. It's the same as SMTP, only it contains some more commands. Let's leave this alone for the time being. Okay, so let's move on... umm... how do I communicate with this thing? Er... let's try typing 'help' (without the quotes). Oh, by the way, it is normal not to see what you type when you talk to Sendmail since it won't send back your keystrokes. You have to turn on "local echo" in your telnet program in order to see what you type. (Some mailservers have the help command disabled for security reasons.)

214-This is Sendmail version 8.9.3
214-Topics:
214-    HELO    EHLO    MAIL    RCPT    DATA
214-    RSET    NOOP    QUIT    HELP    VRFY
214-    EXPN    VERB    ETRN    DSN
214-For more info use "HELP <topic>".
214-To report bugs in the implementation send email to
214-    sendmail-bugs@sendmail.org.
214-For local information send email to Postmaster at your site.
214 End of HELP info

Wee! This is cool!! By this time you should have guessed that this number (the 220 in the daemon banner and the 214 here) is actually a reply code. It states the type of the reply you got. Each kind of reply (error because of this, error because of that, help page for this, confirmation message for that etc.) has its own three-digit number, and the first digit tells you the most: 2xx means OK, 3xx means "go on, I need more input", 4xx means a temporary failure and 5xx means a permanent failure (all of this is defined in RFC 821). A dash right after the number (214-) means more lines of the same reply are coming; a space (214 ) means this is the last line. Okay, let's move on. Let's try typing 'help helo'.

214-HELO
214-    Introduce yourself.
214 End of HELP info

See? I told you so. 214 is the reply code for help messages. Okay, so that way you can practically teach yourself what every Sendmail command does. Stop right now, read all the help pages and then continue. It is important that you learn how to learn things by yourself. You might see some notes concerning the word RFC(24) and some numbers. You can find RFCs at http://www.rfc-editor.org

Note about ESMTP: remember that ESMTP thing we came across? You'll be able to get a good clue on what ESMTP is by reading the help pages. Yes, I am trying to force you to read them... so please do. They contain tons of great information for newbies as well as pros.
Okay, I'm assuming you've finished reading all those help pages. Now let's move on. It's important that you don't make spelling mistakes at this point, because you can't use the Backspace key to undo your mistakes. In your telnet client you will see that you erased the character, but the daemon doesn't recognize the Backspace and things will screw up.

First we need to enter a sender. We do this by typing 'MAIL FROM: <fake Email address>' (remove the quotes and replace "fake Email address" with the fake Email address of your choice, say... bgates@microsoft.com (but leave the < and the >)). The mail server should reply with this message:

250 bgates@microsoft.com... Sender ok

Next we type 'RCPT TO: <recipient>'. Replace recipient with the target, say victim@victim.com. We should get

250 victim@victim.com... Recipient ok

You can add recipients by simply doing this command several times, only with different recipients. Now, let's move on to the actual message body. Type 'data' to start writing the body of the message.

354 Enter mail, end with "." on a line by itself

Now let's type in some stuff...

Subject: fake message
(note about this line: in this line you get to determine what subject you want to give to your message. Header lines like Subject: come first, then an empty line, then the text of the message)

Hello. This is a fake Email message. I'm bored. Gimme something to hack!!
.

Now we get this

250 CAA15313 Message accepted for delivery

You must be wondering right now what the heck that number after the 250 is. This is Sendmail's queue ID for your message (this tutorial also calls it the message ID, or MID, because Sendmail puts the same ID into the Message-ID header it generates for you). It's just a number to you, but the server writes it into its log next to the IP address it came from, and we'll use it later... don't you worry your pretty head about this.

RELAYING DENIED
This sucks. If you get this (or a similar message) when you type the RCPT TO command, then it means that the mailserver is on to you and that it won't relay / send the email you're writing to your victim. Why does it give you that message?
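Here is the whole exchange from the walk-through in one runnable piece, as an added example that is not part of the original tutorial. It runs a throwaway Sendmail look-alike on a loopback port and a client that speaks the same commands we just typed by hand, so you can watch the reply codes go by. The server accepts mail only for the made-up domain someone.com and only relays for clients whose address starts with a made-up trusted prefix, so the RCPT TO for blah.com gets the "Relaying denied" reply that the next paragraphs explain. The hostnames, addresses, queue ID and the trusted prefix are assumptions for illustration; only Python's standard socket and socketserver modules are used.

```python
import socket
import socketserver
import threading

# Assumptions for the demo (not from the original tutorial):
LOCAL_DOMAINS = {"someone.com"}   # domains this server accepts mail FOR, from anybody
RELAY_PREFIX = "10.0.0."          # only clients from this made-up network may relay elsewhere
MY_NAME = "alpha.someone.com"     # what the daemon calls itself in its banner


class FakeSendmailHandler(socketserver.StreamRequestHandler):
    """One SMTP conversation; replies mimic Sendmail 8.9's wording, one line per reply."""

    def reply(self, text):
        self.wfile.write((text + "\r\n").encode())

    def handle(self):
        self.reply(f"220 {MY_NAME} ESMTP fake-sendmail ready")      # the daemon banner
        client_ip = self.client_address[0]
        rcpts = []
        while True:
            raw = self.rfile.readline()
            if not raw:                                             # client hung up
                return
            line = raw.decode(errors="replace").rstrip("\r\n")
            verb, _, arg = line.partition(" ")
            verb = verb.upper()
            if verb in ("HELO", "EHLO"):
                # Sendmail greets you with the address IT sees, whatever name you claimed
                self.reply(f"250 {MY_NAME} Hello {arg.strip()} [{client_ip}], pleased to meet you")
            elif verb == "MAIL":
                sender = arg.partition(":")[2].strip().strip("<>")
                self.reply(f"250 {sender}... Sender ok")            # the address is taken on faith
            elif verb == "RCPT":
                rcpt = arg.partition(":")[2].strip().strip("<>")
                domain = rcpt.rpartition("@")[2].lower()
                if domain in LOCAL_DOMAINS or client_ip.startswith(RELAY_PREFIX):
                    rcpts.append(rcpt)
                    self.reply(f"250 {rcpt}... Recipient ok")
                else:
                    self.reply(f"550 {rcpt}... Relaying denied")    # not our domain, not our client
            elif verb == "DATA":
                if not rcpts:
                    self.reply("503 Need RCPT (recipient)")
                    continue
                self.reply('354 Enter mail, end with "." on a line by itself')
                while True:                                         # swallow the body up to the lone dot
                    body_line = self.rfile.readline()
                    if not body_line or body_line.rstrip(b"\r\n") == b".":
                        break
                queue_id = f"CAA{15313 + self.server.accepted:05d}" # Sendmail-style queue ID (made up)
                self.server.accepted += 1
                self.reply(f"250 {queue_id} Message accepted for delivery")
            elif verb == "QUIT":
                self.reply(f"221 {MY_NAME} closing connection")
                return
            else:
                self.reply(f'500 Command unrecognized: "{line}"')


def start_fake_server():
    """Bind a loopback port (0 lets the kernel pick a free one) and serve in the background."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeSendmailHandler)
    server.accepted = 0
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def smtp_session(host, port, helo, sender, recipients, body_lines):
    """Drive the session exactly as typed by hand; return [(what we sent, what came back), ...]."""
    with socket.create_connection((host, port), timeout=5) as sock:
        rfile = sock.makefile("rb")
        transcript = [("", rfile.readline().decode().rstrip("\r\n"))]   # banner arrives unasked

        def cmd(line):
            sock.sendall((line + "\r\n").encode())
            answer = rfile.readline().decode().rstrip("\r\n")
            transcript.append((line, answer))
            return answer

        cmd(f"HELO {helo}")
        cmd(f"MAIL FROM: <{sender}>")
        accepted = [r for r in recipients if cmd(f"RCPT TO: <{r}>").startswith("250")]
        if accepted and cmd("DATA").startswith("354"):
            for text in body_lines:
                # RFC 821 dot-stuffing: a body line starting with "." gets an extra "." so the
                # server can't mistake it for the end-of-message marker
                stuffed = "." + text if text.startswith(".") else text
                sock.sendall((stuffed + "\r\n").encode())
            cmd(".")
        cmd("QUIT")
        return transcript


def demo():
    """Forge the tutorial's message to one local and one foreign recipient; return the transcript."""
    server = start_fake_server()
    try:
        return smtp_session("127.0.0.1", server.server_address[1], "microsoft.com",
                            "bgates@microsoft.com",
                            ["victim@someone.com", "turtle@blah.com"],        # constructed recipients
                            ["Subject: fake message", "", "Hello. This is a fake Email message."])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for sent, got in demo():
        label = ">>> " + sent if sent else "(banner)"
        print(f"{label:<40} {got}")
```

Run it and compare the transcript with the telnet session above: the first RCPT TO gets 250 because someone.com is one of the server's own domains, the second gets 550 because blah.com isn't and 127.0.0.1 isn't inside the trusted prefix. Change RELAY_PREFIX to "127." and the same server becomes an open relay.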
Well, if the mailserver you are trying to use is mail.example.com and the email address you are writing the message to is turtle@blah.com, then blah.com is not one of the domains that mailserver accepts mail for, and you aren't one of its own customers either (it decides that by looking at your IP address), so it refuses to forward the message for you. A server that forwards mail from anyone to anyone is called an open relay; most of them have been closed because spammers abuse them.

One thing you could do is to find an open relay. Most emailbombers ship with a list of open mailservers; the problem is that most of these programs are outdated and the mailservers on the list have been fixed, but you could always give it a go. Only download a mailbomber in order to obtain the list of mailservers, DON'T use the mailbomber itself, it's just as lame as using trojans.

Option two in your quest for finding open mailservers: Linux is becoming more and more popular these days and lots of people are experimenting with it. Some distributions install Sendmail by default and newbies to Linux are not aware of this; if they have installed an older version of Linux then they've probably installed an old version of Sendmail as well (versions before 8.9 relayed for anyone by default). Then how do I get their IPs in order to use their mailserver? This is where your social engineering skills come in: go on IRC and talk to people, ask them what OS they are running and which version, and if the person suits your needs convince them to accept a file (picture, sound, text file, doesn't matter) from you through DCC. If they accept it, use the netstat command (netstat -a -n) to see what IP they have, since DCC is a direct connection between the two of you.

Option 3: there are programs that scan ranges of IPs for open mailservers; do a search on http://www.packetstormsecurity.com. Remember that while portscanning or service-scanning isn't necessarily illegal, it's considered to be rude, and if your ISP is strict in its policy they might terminate your account!

Option 4: use the mailserver of the ISP of your victim. This actually works most of the time, because that server has to accept mail addressed to its own users from anywhere.
Have a look at the victim's email address and try to determine what the SMTP server of that ISP is. Most ISPs use the prefixes mail and smtp (mail.ISP.com or smtp.ISP.com), or go to the website of the ISP and see if there is a help file that tells you the name of the mailserver. Or, if the person has sent you an email, you can determine the mailserver by reading the headers of the email message; read on for more info on how to read email headers.

However, from now on we assume that everything went well and that the mailserver has sent the message... Let's take a look at what the recipient would get... Hmm... welp, looks like an ordinary message to me. At least it does to the ordinary user. Now let's look at the headers.

Headers are a bunch of lines which come with every Email message. Most of today's Email clients show only the simpler parts of the header (sender, subject, date and time etc.), but right now we need the full header. In Netscape Messenger displaying the full headers is done by going to View ==> Headers ==> All. In Eudora this is done by clicking on the button which displays the "blah blah blah" caption when you put your mouse cursor above it for a second or two. Compuserve automatically displays the full header. In Outlook, right click the message in your inbox, choose Properties and choose Details. In pine, you should have an option somewhere in the configuration screens that lets you choose what kind of header you want to view (full or brief). In web-based email accounts, search for a link that says "Options"; this is usually the place where you can alter the settings for the appearance of your received emails. By default the setting for headers will be "Basic"; you want to switch it to "Full" or "Advanced". Note that this will differ based on what web-based email service you are using, but it should be something similar. Now let's take a look at the full header, shall we?
Received: from alpha.someone.com (alpha.someone.com [194.90.1.13])
    by cmx.someone.com (8.9.3/8.9.3) with ESMTP id CAA16970
    for <victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0000 (GMT)
Received: from some.hostname.crap.com (some.hostname.crap.com [62.0.146.225])
    by alpha.someone.com (8.9.3/8.8.6) with SMTP id CAA15313
    for <victim@victim.com>; Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
From: bgates@microsoft.com
Date: Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Message-ID: <199907092355.CAA15313@alpha.someone.com>
X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com [62.0.146.225] didn't use HELO protocol
Subject: Fake mail
Status:
X-Mozilla-Status: 8001
X-Mozilla-Status2: 00000000
X-UIDL: 3752da3b000002ff

Yeehaw! Look at all those numbers and letters and shiny things! Let's start from the top, shall we? One thing to keep in mind: every mail server the message passes through adds its own Received: line at the TOP of the headers, so the top Received: line is the last hop and the bottom one is the first hop, the one closest to the sender.

Received: from alpha.someone.com (alpha.someone.com [194.90.1.13])
    by cmx.someone.com (8.9.3/8.9.3) with ESMTP id CAA16970
    for <victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0000 (GMT)

Okay, so the mail was received from alpha.someone.com (alpha.someone.com [194.90.1.13]). What does that mean? A quick checkup on InterNIC(25)'s databases (type 'whois someone.com' without the quotes on a Unix system or download SamSpade for Windows at http://www.samspade.org) reveals who owns the someone.com domain. alpha.someone.com is probably some kind of a sub-server they use to send mail. Let's leave it alone, it's not important to us right now. The (alpha.someone.com [194.90.1.13]) part shows you the hostname(10) and the IP address(9) of the server the Email was received from, as seen by cmx.someone.com: the name right after "from" is what the sending machine called itself, and the part in parentheses is what cmx.someone.com found out on its own by looking at the connection and doing a reverse DNS lookup of the IP address. Ooh, ooh, wait! Wasn't the mail supposed to be sent from microsoft.com? I mean, the sender is bgates@microsoft.com! If we did the mail forging thing on Microsoft's own mail server instead of on someone.com's this wouldn't have happened, now would it? It would have seemed like an ordinary Email... from Bill Gates... well, at least so far.
Anyway, the rest is just the queue ID (which we will get to later) and the date of the message according to the clock of the server that received it. The +0000 (GMT) part is the time zone offset of that server's clock: +0000 means it's running on Greenwich time (GMT/UTC). If the line said, for example, +0200 it would mean that server's local time is Greenwich time plus 2 hours, so you'd subtract two hours to get the GMT time. Find out your own time zone first so you'll be able to convert and work out when the message was sent in your local time. Now, on to more important things.

From: bgates@microsoft.com

Well, I guess this line is obvious... it's whatever we typed in the MAIL FROM command, and the server simply believed us. Let's move on.

Received: from some.hostname.crap.com (some.hostname.crap.com [62.0.146.225])
    by alpha.someone.com (8.9.3/8.8.6) with SMTP id CAA15313
    for <victim@victim.com>; Sat, 10 Jul 1999 02:55:46 +0300 (IDT)

Okay, now this is really interesting. This is the first hop, so now we get the sender's hostname and IP address, which alpha.someone.com worked out by itself from the connection (nothing we typed can change the part in parentheses).

Note about the hostname: a dial-up(31) user will have a long and twisted hostname. For example: my hostname right now (at least when I was writing these lines) is RAS4-p97.hfa.netvision.net.il. Netvision.net.il is my ISP, and the rest is mostly crap (pay close attention to the hfa thing. Hfa stands for Haifa, which is my home town. It means that I'm connected through Netvision's Haifa server. See? Hostnames can be interesting).

You must have noticed by now that the hostname we got is certainly not from microsoft.com, and that the mail server which handled this isn't exactly microsoft.com or a Microsoft sub-domain(26) either, which clearly shows that this Email never went anywhere near Microsoft: it was typed in from a crap.com dial-up and handed straight to someone.com's server.

Another note about the hostname: sometimes you might not get a hostname (the IP has no reverse DNS entry), but you will always get an IP address. You can find the IP's hostname (most IP addresses do have one) by doing 'nslookup ip-address' without the quotes on a Unix system or going to http://www.samspade.org and using their DNS(17) Lookup Tool. If you still can't get it, try doing a whois on the IP address to see which ISP owns that block of addresses.
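The header reading we just did by hand, as an added example that is not part of the original tutorial: a small Python script that takes a raw header block, walks the Received: lines from the first hop up, and writes down what an abuse desk would want (the originating IP and hostname, which server logged which queue ID, and the host in the Message-ID), then lists the tell-tale signs of a forgery (From: domain not matching the first hop, HELO name not matching reverse DNS, an X-Authentication-Warning). The sample headers are constructed from the tutorial's made-up example above; the second sample goes one step further than the text and shows the same message sent after a HELO microsoft.com, so you can see what Sendmail's Received: line looks like in that case. Only the standard email and re modules are used.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the headers from the walk-through, with the hostnames and IPs the
# tutorial made up (someone.com, crap.com, 194.90.1.13, 62.0.146.225). Not a real message.
RAW_HEADERS = """\
Received: from alpha.someone.com (alpha.someone.com [194.90.1.13])
    by cmx.someone.com (8.9.3/8.9.3) with ESMTP id CAA16970
    for <victim@victim.com>; Sat, 10 Jul 1999 02:49:59 +0000 (GMT)
Received: from some.hostname.crap.com (some.hostname.crap.com [62.0.146.225])
    by alpha.someone.com (8.9.3/8.8.6) with SMTP id CAA15313
    for <victim@victim.com>; Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
From: bgates@microsoft.com
Date: Sat, 10 Jul 1999 02:55:46 +0300 (IDT)
Message-ID: <199907092355.CAA15313@alpha.someone.com>
X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com [62.0.146.225] didn't use HELO protocol
Subject: Fake mail
"""

# Same message sent after "HELO microsoft.com" (also constructed): the warning is gone, but
# Sendmail still writes the name it resolved and the IP in parentheses after the claimed name.
RAW_HEADERS_FAKE_HELO = re.sub(
    r"X-Authentication-Warning:.*\n", "",
    RAW_HEADERS.replace("from some.hostname.crap.com (", "from microsoft.com ("))

# Sendmail's Received: layout:
#   from <HELO name> (<reverse DNS name> [<IP>]) by <server> ... id <queue ID> ...; <date>
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)\s+by\s+(?P<by>\S+)"
    r".*?\bid\s+(?P<id>\S+).*?;\s*(?P<date>.+)$", re.S)


def parse_hops(msg):
    """Return the hops in transit order, first hop (closest to the sender) first."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(value)
        if m:
            hop = m.groupdict()
            hop["date"] = " ".join(hop["date"].split())   # unfold continuation whitespace
            hops.append(hop)
    hops.reverse()       # each server prepends its line, so the bottom one is the first hop
    return hops


def analyze_headers(raw):
    """Pull out what an abuse desk needs and list the signs that the From: line is forged."""
    msg = email.message_from_string(raw)
    hops = parse_hops(msg)
    origin = hops[0]
    from_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    rdns = origin["rdns"].lower()
    findings = []
    if not (rdns == from_domain or rdns.endswith("." + from_domain)):
        findings.append(f"From: claims {from_domain} but the first hop came from "
                        f"{origin['rdns']} [{origin['ip']}]")
    if origin["helo"].lower() != rdns:
        findings.append(f"HELO name {origin['helo']} does not match reverse DNS {origin['rdns']}")
    if msg["X-Authentication-Warning"]:
        findings.append("receiving server complained: " + msg["X-Authentication-Warning"])
    # the host after the @ in Message-ID is where the queue ID was assigned: that's whose log to ask for
    mid_host = (msg["Message-ID"] or "").strip().strip("<>").rpartition("@")[2]
    return {
        "origin_ip": origin["ip"],
        "origin_host": origin["rdns"],
        "queue_ids": [(h["by"], h["id"]) for h in hops],   # (server that logged it, queue ID)
        "message_id_host": mid_host,
        "findings": findings,
    }


if __name__ == "__main__":
    for raw in (RAW_HEADERS, RAW_HEADERS_FAKE_HELO):
        report = analyze_headers(raw)
        print(f"origin {report['origin_host']} [{report['origin_ip']}], "
              f"queue IDs {report['queue_ids']}, Message-ID host {report['message_id_host']}")
        for finding in report["findings"]:
            print("  -", finding)
```

Both samples point at the same dial-up host and IP; the second one loses the X-Authentication-Warning but gains a HELO name that doesn't match the reverse DNS, which is just as suspicious to anyone who reads the full header.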
To overcome this problem, you'd need to do two things: 1) Send this mail through Microsoft's own Sendmail server. 2) Send this mail from a machine that is connected to the Internet through Microsoft, so that its hostname and IP address belong to Microsoft. If you can't get both, it will clearly show in the headers that the mail wasn't sent from Microsoft.

Note: nice trick to pull on someone: if your ISP is blah.com, you can send your friends an Email from admin@blah.com which will look 100% authentic! (Your dial-up hostname will still show up in the Received: line, but since it belongs to blah.com as well, everything fits.)

Anyway, the next few characters give us the queue ID, as well as other pieces of info. I promised we'll get to the ID, didn't I? If you think someone is trying to trick you into thinking he's somebody else, send an Email to abuse@your.ISP.com or abuse@the.ISP.where.the.message.came.from.com (that's the ISP of the machine in the first Received: line, NOT microsoft.com, which only appears in the forged From: line) or abuse@the.domain.of.the.server.that.logged.the.ID.com. To know which server logged the ID, we'll need to skip a few lines (two lines actually - time and date) and get straight to this:

Message-ID: <199907092355.CAA15313@alpha.someone.com>

Aha! Look at these interesting numbers! And check this out: CAA15313@alpha.someone.com! This means the message got its ID at alpha.someone.com, so alpha's mail log has an entry for CAA15313 right next to the IP address it came from. Let's send an Email to abuse@someone.com (the abuse mailbox normally lives at the domain, not at the individual host) and tell them that we think we received a fake mail, and include the entire header. Next we'll do the same with the ISP of the sender (in our case, the sender is some.hostname.crap.com [62.0.146.225], meaning his ISP is probably crap.com).

Now, on to the next line:

X-Authentication-Warning: alpha.someone.com: some.hostname.crap.com [62.0.146.225] didn't use HELO protocol

Damn! I knew we forgot something! Sendmail adds this header when a client starts sending commands without introducing itself first. Now let's do it all over again, but this time we'll type HELO microsoft.com at the beginning.

HELO microsoft.com

We get this:

250 alpha.someone.com Hello some.hostname.crap.com [62.0.146.225], pleased to meet you

Notice that the server greets us by the name and address it found out by itself, not by the name we gave it. The rest is exactly like the last time (sender, rcpt to, etc. etc.). Now let's see what victim@victim.com would have gotten. Aha!
No X-Authentication-Warning! But don't celebrate too much: Sendmail writes both names into the Received: line, so it now reads "Received: from microsoft.com (some.hostname.crap.com [62.0.146.225]) by alpha.someone.com ...". The HELO name only changes what comes before the parentheses; the real hostname and IP are still there for anyone who reads the full header, and a HELO name that doesn't match the reverse DNS is a giveaway all by itself.

Final notes
I hope you enjoyed this tutorial. Now you've learnt how to play harmless and legal tricks on your friends, how to track down fake mails and how easy it is to catch you if you're trying to do illegal stuff.

A good way to see a real-life example of the use of the SMTP protocol, or any other protocol for that matter, is by using a packet sniffer. A packet sniffer shows all data traffic that goes out from a computer to the network (or the Big Network commonly known as the Internet) and everything that comes in. A good packet sniffer for *nix is "Ethereal" (these days called Wireshark) and Windows users can use "SpyNet"; both programs can be found at http://www.packetstormsecurity.com. Download the sniffer of your choice, install it and launch it, then open up your favourite email client and send an email to someone, and observe what valuable information the sniffer gives you about the protocol that's being used. You might want to alter the settings of the sniffer so that it will show you only the traffic from and to port 25. Read this text for more information about sniffers: http://blacksun.box.sk/sniffer.txt

Newbies corner
1. Daemon - a program that listens for incoming connections on a specific port(2). Some daemons may receive commands from you and interact with you, others may simply spew out some text/binary and quit.

2. Port - (for the more technical explanation of what ports are, see the end of this explanation) ports are like holes that enable things (data, in this case) to come into them. There are physical ports and software ports on your computer. Physical ports are those slots on the back of your computer, your monitor etc. Now, software ports are used when connecting to other computers.
For example: I just bought a new computer and I want to turn it into a webserver (I want to enable people to access selected web pages, pictures, CGI and Java scripts or applets, programs etc. that are located on my computer (MY computer, not on some cheesy free webhost such as Geocities), and I want those people to be able to do that using nothing but a browser). In order for that to happen, I need to install a webserver program. The webserver program opens a port on my computer called port 80 (this number can be changed, but this is the default number). Then it listens for incoming connections on that port. When someone starts his Internet browser (Netscape, Lynx, Microsoft Internet Explorer etc.) and surfs to my website, his browser connects to my computer on port 80 and sends HTTP commands that my webserver program can understand. My webserver program quickly picks up the incoming data and then sends the answer back over the same connection: when the browser connected, it took a port of its own on the surfer's computer (a high-numbered one picked by his operating system), and the data (the HTML page, the picture, the program etc.) comes back to that port.

Note about non-default ports: if you decide to put, say, a webserver on a non-default port, it'll be harder for people to find it. If you decided to put it on port... umm... 8000 instead of 80, people will have to type in your IP address(9) or your hostname(10) if you have one and add :8000 at the end. For example: 142.30.5.79:8000. Simply typing 142.30.5.79 in your browser's URL field is the same as typing 142.30.5.79:80, so it's best to put a webserver on port 80 (unless you only want a specific group of people who will be given that number to access your webserver, but such a blockage can be easily cracked using a portscanner(12)). There are different ports for different services(3) so data won't get mixed up. Imagine your browser getting data your FTP client was supposed to get. I hope you got the main idea of what a port is.
Now, there are three kinds of ports: well-known ports, registered ports and dynamic/private ports. The well-known ports are those from 0 through 1023. These are the default ports for several services. For example: the default port for webservers is 80. Else, how would your browser know which port it has to access? Now, the registered ports are those from 1024 through 49151. These ports are reserved for several programs. For example: ICQ (www.icq.com) reserves several ports for listening to various incoming events (messages, file transfers etc.). The dynamic and/or private ports are those from 49152 through 65535, and can be used by anyone for any given purpose. Important note about well-known ports: on Unix, services(3) on these ports (anything below 1024) can only be started by root(14), so ordinary users won't start messing with important ports.

3. Service - a daemon(1) that allows everyone who connects to it (or a specific group of people. For example: anyone from this IP(9) range, everyone who knows the secret password etc.) to use some kind of service. For example: a webserver such as the one described in the explanation of what a port is, is a service because it allows people to come in and ask for certain pieces of data. The simplest example of a service I can think of is "daytime". Daytime waits for incoming connections on port(2) 13 and when someone connects it immediately announces the current time on the computer that runs it (with no need for you to type in any commands or passwords or anything) and closes the connection. Simple.

4. Daemon banner - most daemons(1) give away some technical info to anyone who connects to them at some point. This information can be used by anyone who connects to that daemon simply in order to know how to interact with the daemon best (which daemon is it, what version, etc.), but it can also be used by hackers, since a version number tells them which known bugs are worth trying.
Let's try connecting to port(2) 23 on someone.com (note: I've made up this hostname(10) and all the details regarding it simply to teach you about daemon banners. I really don't know whether there is such a hostname and whether the details I'm about to give you are correct). On port 23 you would usually find Telnet(19). Telnet is a service which in most cases first asks you for a username and a password (unless you typed in an "unpassworded" username. In that case it will simply log you in as that user without asking for a password) and then runs a program specified by the sysadmin(22) and lets you work with it. In most cases you will get into a text-based shell (a command interpreter(20)). The problem is: you cannot necessarily do ANYTHING. It all depends on what kinds of permissions the user that you are logged in as has. The user root(14) has all permissions (read everything, write (and delete) everything, execute everything and change other people's permissions). As for the banner: a Telnet daemon usually prints something like the operating system's name and version right before the login: prompt, which is exactly the kind of information a daemon banner gives away.

Note about the word server: a computer that offers services is called a server. Any computer on the network, whether it offers services or not, is a host, so every server is a host but not every host is a server.

5. Timeout - okay, so I've got a daemon(1) waiting on port(2) 23 for incoming connections. Now, what happens if someone connects to it and does absolutely nothing? He would simply remain connected to that daemon until one of us either reboots or closes the connection. You don't want anyone connecting to some port on your computer and just hanging there, do you? This would only waste resources (memory, a process, and in some cases bandwidth(15))! Most people will not want to monitor their network status 24 hours a day and disconnect everyone who decides to hang around for a while (especially on large networks). This is why timeouts were invented. By setting a timeout value on a daemon (this can be done during the setup process or by running a setup program or entering some sort of options box) you can make it close the connection on anyone who connects to it and does nothing for longer than the timeout value.
For example: you put a daemon on port 17 and tell it to time out after 2.5 seconds. If someone connects to your daemon and does not type anything for over 2.5 seconds the daemon will close down the connection, and that person will have to reconnect and start typing something before the daemon times out and throws him out again. This is why webservers can afford short timeouts of a few seconds on idle connections: most people connect to webservers using client programs(16), and these programs "type" really fast, so nobody is expected to sit there and think.

6. TCP - stands for Transmission Control Protocol. TCP is a protocol that is used for transferring data through networks (the Internet, local networks etc.). TCP is much more reliable than UDP since it takes several precautions, such as sequence numbers, acknowledgements, retransmission of lost packets and all sorts of nifty header flags (see the excellent article called 'IP Spoofing Demystified' in the Books Section at http://blacksun.box.sk for lots of info regarding TCP (a real MUST READ!!)). TCP's only disadvantage is that it is a bit slower than UDP because of all that bookkeeping, but it is more reliable, hence it is used to transfer sensitive files (such as programs - if you lose a single bit of the file, the whole thing is useless).

7. UDP - stands for User Datagram Protocol. UDP is a protocol that is used for transferring data through networks (the Internet, local networks etc.). UDP is less reliable than TCP: there are no sequence numbers and no acknowledgements, so a lost packet is simply lost (see the excellent article called 'IP Spoofing Demystified' in the Books Section at http://blacksun.box.sk for lots of info regarding UDP (a real MUST READ!!)), but it is also a little faster, hence programs such as Real Player (see http://www.real.com) use it for streaming video and more, where losing a single packet(32) or two is not such a big deal.

8. ICMP - stands for Internet Control Message Protocol. A protocol used for transferring error and diagnostic messages over a network (the Internet, local networks etc.). Ping, for example, works by sending ICMP echo requests and waiting for the echo replies.

9. IP address - every computer connected to the Internet has an IP address.
If another computer wants to interact with your computer it will need your IP, just like you need another person's phone number to call him. IP addresses (IPv4 ones, the kind this tutorial talks about) look like this: x.x.x.x, where each x is a number between 0 and 255. Note: there are "special" IP addresses which aren't used to connect to other computers. For example: 127.0.0.1 means localhost, which means you (your computer). Connecting to a certain port(2) on the IP 127.0.0.1 will connect to that port on your computer. Oh, by the way, IP stands for Internet Protocol(18).

10. Hostname - hey, guess what! I just found this really cool site! But I can't remember its IP address, and even when I do, I hate typing in these long IP addresses(9). Sure, I can bookmark it, but what if I want to tell my friends about it? Or what if I'm surfing from my friend's house or from a public place and I don't have my bookmarks? The answer to all of these questions is hostnames. Hostnames are aliases for IP addresses. InterNIC(25) registers the domain names, but the records saying which name belongs to which IP address are spread over many DNS servers(17) rather than kept in one central database. When you type in a hostname, your computer will look up that hostname, find the appropriate IP address and then connect to it. Imagine instead that the entire world had to query one central database at InterNIC: this would surely overload their servers, they would have to spend money on constant upgrades and backups, and think what would happen if something bad happened to their database... The solution to this problem is the network of DNS servers(17) described below.

11. Finding out what your ISP's mail servers are - there are several ways to do this:
1) Call your ISP and ask them what the IP address(9) or the hostname(10) of your outgoing mail server is (this is the IP/hostname you will need to perform all the tricks in this tutorial). If you want to know a different ISP's mail server, call their tech support phone number.
But what if they're on the other side of the world and you don't feel like spending tons of cash simply for calling them and being put on hold? In this case, try method 3.

2) Start up your mail client, go to your preferences page and find what it says in the 'outgoing mail' field or in the 'SMTP server' field (both are the same. SMTP stands for Simple Mail Transfer Protocol, which is a protocol(18) that is used to send Emails over the Internet).

3) Guessing. If your target server is someone.com, their mail server should either be mailgw.someone.com:25 (mailgw.someone.com on port(2) 25. Note: mailgw stands for mail gateway) or someone.com:25. If not, send an Email to admin@someone.com or support@someone.com and ask them what their mail server is (they should be happy to answer you, unless you tell them that you're an evil hacker or something. In that case they'll call the cops on you). Note: not every server on the planet has an outgoing mail server.

12. Portscanner - a program that scans a target for open ports(2) by trying to connect to it on various ports. The simplest portscanner starts at port 1 and climbs up, but you can tell more advanced portscanners to scan a specific range, give you some info on the open ports they find etc.

13. Services scanner - a services scanner is much more sophisticated than a portscanner(12) since it tries to connect on predefined ports which should have the service(3) you're looking for on them.

14. Root - an account on Unix computers which has maximum privileges (read any file, write to (and delete) any file, execute any file and change other users' permissions). Note: other accounts may have root access, and the root account may not always have root access, depending on the sysadmin(22) (but root is the default account for root access).

15. Bandwidth - the total amount of speed a network connection device (a modem, a network card, a mail pigeon etc.) can get to. For example: I just bought a new modem.
It has a bandwidth of 100Ks per second, meaning it can transfer up to 100Ks per second. When you use your network device to do something, that operation drains some of the bandwidth.

16. Client program - a program that connects to a certain service(3). Most client programs know how to communicate with that service with or without the information they receive from the daemon banner(4). Example: an Internet browser (such as Netscape) is a client program because it connects to port(2) 80, where the webserver daemon(1) is waiting for connections, and interacts with it in order to retrieve the file you're looking for. A browser has to know how to communicate with the webserver daemon (also referred to as HTTPD, HTTP Daemon. HTTP stands for Hyper Text(23) Transfer Protocol) in order to fulfill your requests.

17. DNS server - a server that stores hostnames(10) and their IP addresses(9). Instead of having InterNIC's servers handle the entire planet, every ISP has a DNS server. When you type in a hostname and tell your modem to connect to it, your computer performs an action called 'DNS Lookup'. In other words, it asks your ISP's DNS server what the appropriate IP address for the hostname you've typed in is. If your ISP's DNS server does not know the answer, it asks a higher-level DNS server. If the higher-level DNS server does not know the answer, it asks an even higher-level DNS server, etc. etc. etc. The highest level is InterNIC itself. If the DNS server knew the IP in the first place it gives it to you. If it didn't (and it only found it out after querying other servers), it first adds it to its own database and then gives it to you.

18. Protocol - a set of rules used for computers to interact with each other over a network of some sort (such as the Internet or some kind of local network). For two computers to talk, they need to know a common protocol, and each computer has to assume that the other one knows this protocol and uses it.
19. Telnet - a program that, at its simplest, allows you to form a text-based connection between your computer and another computer over a network of some sort. You choose the IP address(9) or hostname(10) and the port(2) you wish to contact, and Telnet establishes a TCP(6) connection between both machines. Note about the Telnet daemon(1): the Telnet daemon is completely different. It waits for incoming TCP(6) or UDP(7) connections on port 23 and then asks the user for a login (often called a username) and a password (unless the user typed in an unpassworded username. In that case, he gets in without entering a password. Unpassworded accounts are often VERY limited), and then proceeds to execute a program (usually a command interpreter(20)) and give you some permissions, all depending on the username and the password you have entered (unless you gave the wrong details. In that case, you will be told that either the username or the password is wrong and be given another try. Most systems give you three tries and then quit).

20. Command interpreter - a program that accepts commands from the user and turns them into real commands your computer understands. For example: if your command interpreter contains a command called, say, display, which accepts a single parameter which should be a filename, and you type in 'display somefile' (without the quotes, and replacing somefile with a real filename), then it translates this command into 'okay mr. computer, find the hard drive by doing this and this, go to the FAT (File Allocation Table) and find out in which sector/sectors this file is located, grab the file and send it to the terminal device (the specified output device, usually your monitor)'. Get the main idea?

21. Shell account - an account on a remote computer (a username and a password and a bunch of personal configuration files and stuff).
Having a shell account on a remote computer means having the ability to telnet(19) into that computer on port 23, type in your account's login (also referred to as a username) and password and get a command interpreter(20) with some permissions (depending on the sysadmin(22)).

22. Sysadmin / admin - the man/woman/furry creature who is in charge of a system.

23. Hyper Text - if you've ever seen an HTML document you should know what hyper text is, but you might not be aware of it. HTML stands for Hyper Text Markup Language. Hyper text is considered "enhanced text", since you can add pictures, colors, links etc. to it. Compare that to the regular and dull text format which this tutorial uses... :D

24. RFC - stands for Request For Comments. These are draft papers by the IETF (Internet Engineering Task Force - those guys who set all those Internet standards and stuff). They contain suggestions for Internet standards. You can search for RFCs at http://www.rfc-editor.org

25. InterNIC - the domain registration database and the highest DNS(17) server on the planet (now maintained by Network Solutions, www.networksolutions.com).

26. Sub domain - first class domains look like this: something.com (or other extensions, such as org, net, cc, co.uk etc.). It costs $70 to register one (see http://www.networksolutions.com). Second class domains look like this: someone.something.com and they cost $0 to register, if you already have something.com registered to you, of course (although you can get those for free on websites such as www.anrki.com). Third class domains look like this: blah.someone.something.com and they don't cost any money either, etc. etc. etc. Note about the price of a first-class domain: this price does not include web hosting (someone who will host your website or whatever you want to put up on his server).

27. SSH - stands for Secure Shell. This daemon(1) waits for incoming TCP(6) or UDP(7) connections on port 22.
Once you connect to it, you will be asked for a Login and a Password, just like the Telnet daemon(19) does, only SSH encrypts everything for increased security.

28. Moderated mailing list / message board - I'll explain this by giving you an example. BugTraq (see http://www.securityfocus.com) is one of the best security-related mailing lists. Although people can "send things to the list" (meaning send an Email message and have it sent to all the members of the mailing list), you can't just send anything. Aleph1, the moderator, goes through all incoming messages and posts only the good ones. The same goes for moderated message boards, etc.

29. DoS attack - DoS stands for Denial of Service (also referred to as a "nuke" or a "newk"). A DoS attack is some kind of attack that causes the target computer to deny some/all kinds of services to the users of that computer (local and/or remote users). For example: Winnuke (also known as OOB), the simplest DoS in the world.

(Taken from Spikeman's DoS site)

This denial of service program affects Windows clients by sending an "Out of Band" exception message to port 139, which does not know how to handle it. This is a standard listening port on Windows operating systems. Users of Win 3.11, Win95, and Win NT are vulnerable to this attack. This program is basically a nuisance program, but it is being widely circulated over the internet now. It has become a bother in chatrooms and on IRC. By using your IP# and sending OOB data to port 139, malicious users can disconnect you from the net, often leaving you with low resources and the blue tinted screen. Some of you may have been victims already. If this happens to you on Win 95, you will see a Windows fatal error message similar to the following:

Fatal exception 0E at 0028: in VxD MSTCP(01) + 000041AE. This was called from 0028: in VxD NDIS(01) + 00000D7C.

Rebooting the comp should return it to normal state.
Patches ("fixes") for WinNuke (OOB)

Additional information on WinNuke:
http://support.microsoft.com/support/kb/articles/Q168/7/47.asp

Windows 95 patches:
http://support.microsoft.com/download/support/mslfiles/Vipup11.exe
http://support.microsoft.com/download/support/mslfiles/Vipup20.exe (for Winsock 2.0*)
http://www.theargon.com/defense/nuke/index.html
Please read the notes referring to 95 patches before installing.

Which version of Winsock do you have on your Windows 95 PC?
http://premium.microsoft.com/support/kb/articles/Q177/7/19.asp
http://www.theargon.com/defense/nuke/index.html

Windows NT 4.0 patch:
http://support.microsoft.com/support/kb/articles/Q143/4/78.asp
http://www.theargon.com/defense/nuke/index.html
Please read the notes referring to Windows NT patches before installing.

Windows 98 and up are not vulnerable to this attack.

* I really don't know if this patch will work on newer versions of Winsock. Therefore I'd like to recommend that you first downgrade to Winsock 1.1 (the one that comes with Windows 95) by going to Control Panel, Network and removing TCP/IP and Dial Up Adapter(30), and then re-adding them by clicking Add, choosing Protocol and, in the company frame, choosing Microsoft. Then look for an option called TCP/IP and double-click it. As for DUN (Dial Up Networking), do the same but choose Adapter instead of Protocol. After you finish downgrading, re-upgrade to Winsock 2.0, apply the patch (Vipup20.exe) and then upgrade to newer versions of Winsock.

30. DUN - stands for Dial Up Networking. DUN is the program that comes with Windows and dials to your ISP in case you have a dial-up account(31).

31. Dial-Up account - a dial-up account at an ISP means that your modem has to dial some phone number before you can get on the net.
Unlike other ISP accounts (direct cables which keep you online 24 hours a day), you get a dynamic IP address(9) (and not a static one like on direct cable connections) since you have to connect and disconnect instead of just staying online all the time. Every time you re-connect you are assigned a different IP address.

32. Packet - a piece of data that travels over a network (such as the Internet or local/wide area networks). A packet consists of two main parts: the header and the data itself. The header contains all sorts of nifty values such as the TTL (Time To Live) and more (you can read about those in the Modem Speedup section at http://blacksun.box.sk). The data part contains the actual data that the packet is carrying. On a regular dial-up account(31), the size of a packet should be 576 bytes (including the header), but on direct cable connections a packet would be much bigger (again, see the Modem Speedup section at blacksun.box.sk).

33. Unix password files - every Unix system has a password file. It contains a list of users, their passwords and some important information about them. The password file is located at /etc/passwd. Each line represents a user. Each line consists of 7 fields, separated by colons (:). A line in a password file looks like this:

Username:encrypted password:UID:GID:short description:home directory:shell

Username - the user's username.
Encrypted password - the user's password (encrypted for higher security). An encrypted password is always 13 characters long.
UID - User ID. Each user has an ID number. If your UID is 0 it means you have root access(14).
GID - Group ID. You can set groups (for example: all the workers in the accounting division) and set special permissions for that entire group. Root has GID 0.
Short description - a short description in human language.
Home directory - the directory where all of the user's personal configuration files are held.
Shell - a program that is executed once the user logs in.
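The field layout just described can be parsed and audited mechanically, which is what a sysadmin(22) checking a password file would do. The Python script below is an added example (it is not from the tutorial); the /etc/passwd contents it reads are constructed, and it applies the rules given in the notes that follow: an empty password field lets the user in with just a username, a field containing characters outside './0-9a-zA-Z' disables the account, and UID 0 means root access. The 'x' marker for a password kept in /etc/shadow is a modern-system detail the tutorial does not cover.

```python
# Constructed /etc/passwd contents for the demonstration; not from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
toor::0:0:second superuser:/root:/bin/sh
guest::1001:1001:no password set:/home/guest:/bin/sh
alice:*:1002:1002:Alice:/home/alice:/bin/bash
bob:!x:1003:1003:Bob:/home/bob:/bin/bash
broken:x:1004:1004:missing field:/home/broken
"""

# The only characters a valid encrypted password may contain (Note 3 above).
VALID_PW_CHARS = set("./0123456789"
                     "abcdefghijklmnopqrstuvwxyz"
                     "ABCDEFGHIJKLMNOPQRSTUVWXYZ")

FIELDS = ("name", "password", "uid", "gid", "description", "home", "shell")


def parse_passwd_line(line):
    """Split one passwd line into its seven colon-separated fields.

    Returns a dict keyed by FIELDS (uid and gid as ints), or None when the
    line does not have exactly seven fields or the ids are not numeric.
    """
    parts = line.rstrip("\n").split(":")
    if len(parts) != len(FIELDS):
        return None
    entry = dict(zip(FIELDS, parts))
    try:
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
    except ValueError:
        return None
    return entry


def classify_password_field(pw):
    """Classify the encrypted-password field the way login treats it."""
    if pw == "":
        return "no-password"      # login succeeds with just the username
    if pw == "x":
        return "shadowed"         # hash lives in /etc/shadow (modern systems)
    if not set(pw) <= VALID_PW_CHARS:
        return "disabled"         # e.g. "*" or "!": no hash can ever match
    return "hashed"               # a crypt(3) hash, 13 characters on old Unix


def audit_passwd(text):
    """Return (line number, user, problem) tuples a sysadmin should look at."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        entry = parse_passwd_line(line)
        if entry is None:
            findings.append((lineno, "?", "malformed line"))
            continue
        if classify_password_field(entry["password"]) == "no-password":
            findings.append((lineno, entry["name"], "logs in without a password"))
        if entry["uid"] == 0 and entry["name"] != "root":
            findings.append((lineno, entry["name"], "extra UID 0 (root) account"))
    return findings


if __name__ == "__main__":
    for lineno, user, problem in audit_passwd(SAMPLE_PASSWD):
        print("line %d: %s: %s" % (lineno, user, problem))
```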
In most cases (and in this case too) the shell is a command interpreter(20). In our case, the encrypted password field is empty, which means that the user gets to log in by simply giving a username. This can be changed after we log in by typing passwd at the command interpreter. You will then be asked for a password to be set for your account. Note: on some systems, you have to type passwd your-username instead of simply typing passwd. Note 2: root can do passwd your-username and change your-username's password, no matter who your-username is. Note 3: if you put in any characters that are not in the following sets: '. / 0-9 a-z A-Z' (without the quotes), or if you don't put anything in, the account is disabled so that the user cannot log in. This is used when you know you might want to enable this account in the future.

34. Thread - right now I'm talking about threads in discussion lists and message boards, not in computer programs. We'll discuss those at a later time (maybe). A thread is a series of posts which started out from a single one. Let me demonstrate: a person starts a thread by stating a fact or giving an opinion. Then, another person comes into the discussion list or into the message board and states his opinion on the subject. Then another person joins in and replies to the replier's opinion. Then another one comes, but chooses to reply to the original message instead since he has nothing to say regarding the other messages (if he does, he can post two messages). You get the picture...

Appendix A: Fake Daemons(1)

I found these two fake daemons (Sendmail and Telnet(19)) at http://www.packetstormsecurity.com once. They're great to fool attackers and to play tricks on your friends. These are Perl (a programming language) programs. To execute them (no, executing a file doesn't have anything to do with killing it...) on Unix, simply type ./filename and replace filename with the name of the file you wish to execute.
Every Unix "flavor", "distribution" or whatever you want to call it, comes with Perl (I think. Correct me if I'm wrong: barakirs@netvision.net.il). To execute them under DOS/Windows, you have to download Active Perl from www.activeperl.com and then simply double-click them. I don't know how to execute them under Mac. I guess Active Perl supports Macs, but I'm not sure. Now, on to the fake daemons. These two daemons came in a single package together with a readme file. Following are all three files. I did not alter any of those files, it's up to you to do so. Play with them and learn. Oh, by the way, if you wish to learn Perl (or any other programming language), head off to http://blacksun.box.sk and find the books section. Enjoy!

== Readme ==

heh.. this piece is no way serious, but if anyone thinks it would be cool to keep working on the piece, drop a line with your ideas. We may develop it further. ;-). I basically coded it just for fun, when I had a few spare minutes. The piece is supposed to be a `want-to-be-Windog-Deception-toolkit' which contains sample sendmail.pl and telnetd.pl which are supposed to be fake sendmail and telnet daemons. To run this code you will need to download and install perl for windoze. (I used active perl from www.activeware.com to test it). Hope you will have fun with it

C.P. fygrave@tigerteam.net
Sun May 23 17:12:51 KGST 1999

== End of Readme ==

Editor's note: SendmailD stands for Sendmail Daemon(1), just like TelnetD stands for Telnet Daemon etc.

-- [ SendmailD ] --
#!/usr/bin/perl
use Socket;
$port=25;
$hostname="booga.com"; # does windog have gethostbyname?
$banner="220 boogaa.com ESMTP Sendmail 8.6.1/8.5.0\n\r"; # date should be also here
$fail="500 Command unrecognized:";
# $protocol is never set, so socket() gets 0 (let the system pick the protocol)
socket(S,AF_INET,SOCK_STREAM,$protocol) || die "socket: $!";
$sockaddr='S n a4 x8';                       # layout of a sockaddr_in
$this=pack($sockaddr,AF_INET,$port,"\0\0\0\0"); # listen on all addresses
bind(S,$this) || die "bind: $!";
listen(S,10) || die "listen: $!";
select(S); $|=1; select(STDOUT);             # unbuffered output on the socket
while(1) {
  ($addr= accept(NS,S)) || die "accept: $!";
  select(NS); $|=1; select(STDOUT);
  #
  #here we should fork. but damn windog doesn't support this. crap.
  # Any ideas?
  ($af,$port,$inetaddr)=unpack($sockaddr,$addr);
  @inetaddr=unpack('C4',$inetaddr);
  ($i1,$i2,$i3,$i4)=@inetaddr;
  $ipaddr="$i1.$i2.$i3.$i4";
  print "connected from $ipaddr\n";
  print NS $banner;
  while(<NS>) {                              # one line per command from the client
    if (/EHLO/i) {
      print NS "Hello $ipaddr. nice to meet you\n\r";
    } else {
      print NS "$fail $_\r";                 # every other command is "unrecognized"
      print "tried $_";                      # ...and logged on the console
    }
  }
  print "$ipaddr disconnected\n";
  close(NS);
}
-- [ End of SendmailD ] --

-- [ TelnetD ] --
#!/usr/bin/perl
use Socket;
$port=23;
$login="\n\rlogin:";
$password="password:";
$banner="\n\r\n\rUnix(r) System V Release 4.0 (brooder)\n\r";
$fail="login incorrect.\n\r";
# $protocol is never set, so socket() gets 0 (let the system pick the protocol)
socket(S,AF_INET,SOCK_STREAM,$protocol) || die "socket: $!";
$sockaddr='S n a4 x8';
$this=pack($sockaddr,AF_INET,$port,"\0\0\0\0");
bind(S,$this) || die "bind: $!";
listen(S,10) || die "listen: $!";
select(S); $|=1; select(STDOUT);
while(1) {
  ($addr= accept(NS,S)) || die "accept: $!";
  select(NS); $|=1; select(STDOUT);
  #
  #here we should fork. but damn windog doesn't support this. crap.
  # Any ideas?
  ($af,$port,$inetaddr)=unpack($sockaddr,$addr);
  @inetaddr=unpack('C4',$inetaddr);
  ($i1,$i2,$i3,$i4)=@inetaddr;
  $ipaddr="$i1.$i2.$i3.$i4";
  print "connected from $ipaddr\n";
  print NS $banner;
  print NS $login;
  while(<NS>) {                              # each line the client sends is a login name
    print "attempt to log in as $_\n";
    print NS "$password";
    $ll=<NS> || last;                        # read the password attempt, quit on disconnect
    sleep 5;                                 # stall, then refuse every attempt
    print "tried password $ll. Login incorrect is given\n";
    print NS $fail;
    print NS $login;
  }
  print "$ipaddr disconnected\n";
  close(NS);
}
-- [ End of TelnetD ] --

Appendix B: Routing Mail

You can make your mail go through many different servers in order to make the header longer and confuse people who would try to track it down. Example: if you want to send the fake mail to blah@blah.com, and route it through blaha.com, blahb.com and blahc.com, then in the 'rcpt to:' part, simply do this:

@blaha.com,@blahb.com,@blahc.com:blah@blah.com

Note: this will not work on every Sendmail daemon. Thanks to Magnus Kristiansen for this one! ;-)

Appendix C: Faking your IP

So you don't want people to find your IP and your hostname when they look at the full header? Then simply fake your IP! You can do this by using Wingates or SOCKS firewalls, or by telnetting to the Sendmail daemon from a shell account. If you use either one of those, the full header will show the Wingate's/SOCKS firewall's/shell provider's IP address. If you find a shell account that allows you to telnet out of it, you can use it to fake your IP. Otherwise, use Wingates or SOCKS firewalls. To learn more about them, read our Proxy/Wingate/SOCKS tutorial and our anonymity tutorial at blacksun.box.sk. Also, we recommend going to the books section on our website and downloading the excellent item called "IP Spoofing Demystified". The stuff written in there may not be so practical, but it is very important reading (you will learn a lot of important stuff that you could use later).

Appendix D: Reply-to

The Reply-to option does the following: when a person receives an Email with a reply-to address and sends a reply, the reply is sent to the address specified in the Reply-to line (this does not work on really really old Email clients). To use it, simply insert this line:

Reply-to: some-user@some-server.net

and replace some-user and some-server.net with the appropriate user and server.
You have to include this line before or after the "Subject:" part.

Appendix E: CC and BCC

CC is used to send a message to other people who are not the recipients of the message, but might need the information in it. BCC is used the same way, only people can only see the recipient. The B in BCC stands for Blind, while the CC stands for Carbon Copy (like when you copy a page using... nevermind). So BCC stands for Blind Carbon Copy while CC stands for Carbon Copy. Exciting, isn't it? Thanks to i2tb for this information. Want to use CCs and BCCs within your fake Emails? No problem! They work exactly the same as the Reply-to command in Appendix D. Simply put CC: or BCC: lines in your fake mail (inside the body of the message), and then insert the appropriate Email addresses.

References

RFC 821 - the SMTP RFC. Take a look at www.rfc-editor.org

Bibliography

1) Sam Spade's library - http://www.samspade.org
2) Various online magazines.
3) Packet Storm Security - http://www.packetstormsecurity.com
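Seen from the receiving mail server's side, the source-routed 'rcpt to:' path of Appendix B and the Reply-to line of Appendix D can both be checked. The Python script below is an added example, not part of the tutorial or of any Sendmail release: it parses an RFC 821 path, answers RCPT TO the way a daemon that gives "Relaying denied" would (ignoring any source route rather than following it, as RFC 1123 tells receivers to do), and flags a message whose Reply-to domain differs from its From domain. The local-domain list and the sample message are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Simplified RFC 821 path: "<" [ "@" domain *("," "@" domain) ":" ] local "@" domain ">"
# The angle brackets are optional here because the tutorial writes the path without them.
PATH_RE = re.compile(
    r"^<?(?:(?P<route>@[^:<>]+):)?(?P<local>[^@<>:]+)@(?P<domain>[^<>:]+)>?$"
)

# Constructed: the domains this (hypothetical) server accepts mail for.
LOCAL_DOMAINS = {"blah.com"}


def parse_rcpt_path(path):
    """Split an RCPT TO argument into (route_hops, final_mailbox).

    route_hops lists the relay domains of an explicit source route such as
    "@blaha.com,@blahb.com,@blahc.com:blah@blah.com" (empty when none).
    Raises ValueError when the path does not match the grammar.
    """
    m = PATH_RE.match(path.strip())
    if m is None:
        raise ValueError("malformed path: %r" % path)
    hops = []
    if m.group("route") is not None:
        for hop in m.group("route").split(","):
            hop = hop.strip()
            if len(hop) < 2 or not hop.startswith("@"):
                raise ValueError("malformed source route: %r" % path)
            hops.append(hop[1:].lower())
    return hops, "%s@%s" % (m.group("local"), m.group("domain").lower())


def rcpt_decision(path, local_domains=LOCAL_DOMAINS):
    """Answer an RCPT TO the way a non-relaying daemon should: (code, text).

    The source route is dropped and only the final mailbox decides, so the
    server never becomes the first link of a routed fake mail.
    """
    try:
        hops, mailbox = parse_rcpt_path(path)
    except ValueError:
        return 501, "Syntax error in parameters or arguments"
    if mailbox.rsplit("@", 1)[1] not in local_domains:
        return 550, "Relaying denied"
    text = "Recipient ok"
    if hops:
        text += " (source route via %s ignored)" % ",".join(hops)
    return 250, text


def _domain(header_value):
    addr = parseaddr(header_value)[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def reply_to_mismatch(raw_message):
    """True when Reply-to would send answers to a domain other than From's."""
    msg = message_from_string(raw_message)
    reply_to = msg.get("Reply-To")
    if not reply_to:
        return False
    return _domain(reply_to) != _domain(msg.get("From", ""))


if __name__ == "__main__":
    for p in ("<blah@blah.com>",
              "@blaha.com,@blahb.com,@blahc.com:blah@blah.com",
              "<someone@other.org>", "<no-at-sign>"):
        print("RCPT TO:%s -> %s %s" % ((p,) + rcpt_decision(p)))
    # Constructed sample message in the form Appendix D describes.
    sample = ("From: Bill <bgates@microsoft.com>\nReply-to: some-user@some-server.net\n"
              "Subject: hi\n\nbody\n")
    print("Reply-to mismatch:", reply_to_mismatch(sample))
```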