############################################################################
############################## LEGIONS OF THE UNDERGROUND ##################

(http://www.hackersclub.com/lou/)

by: PLaZma

Utilizing the NNTP port. Forging/reading/posting.

NNTP = Network News Transfer Protocol
Port 119

This assumes you have internet access, a telnet client, and about 2 ½ brain cells!

---------------------------------------------------------------------------
Newbie Note~
NNTP specifies a protocol for the distribution, inquiry, retrieval, and posting of news articles using a reliable stream-based transmission of news among the Internet community. NNTP is designed so that news articles are stored in a central database, allowing a subscriber to select only those items he wishes to read.
---------------------------------------------------------------------------

There are two forms of NNTP: one is mailing lists, and the other is Usenet. We will focus on USENET since forging to a mailing list can be done via port 25. Unlike its mailing list companion, Usenet is an efficient means of distributing information quickly and reliably. Users view documents that have been categorized / cross-referenced / sorted.
This allows the user to quickly find the information they are looking for, rather than going through hundreds of emails sent directly to them, searching for the one that pertains to them. This ends my brainless comparison since I don't really care if it is efficient or not.

The good stuff! ~~

First off, commands are not case sensitive, so you don't have to worry about it. There are two types of responses: Text and Status.

Text responses are preceded by a numeric status response line (we will get into that soon). Simply put, text is sent as a series of textual lines. The text input will be terminated with a "." on a line by itself. To those who don't use their brain.... it's much like the hack we did on port 25, the SMTP port.

Now the Status response: Status response lines begin with a 3 digit numeric code which is sufficient to distinguish all responses. Some of these may also respond with a textual message. The first digit of the response broadly indicates the success, failure, or progress of the previous command.

    1xx - Informative message
    2xx - Command ok
    3xx - Command ok so far, send the rest of it.
    4xx - Command was correct, but couldn't be performed for some reason.
    5xx - Command unimplemented, or incorrect, or a serious program error occurred.

The next digit in the code indicates the function response category.

    x0x - Connection, setup, and miscellaneous messages
    x1x - Newsgroup selection
    x2x - Article selection
    x3x - Distribution functions
    x4x - Posting
    x8x - Nonstandard (private implementation) extensions
    x9x - Debugging output

In general, 1xx codes may be ignored or displayed as desired; code 200 or 201 is sent upon initial connection to the NNTP server depending upon posting permission; code 400 will be sent when the NNTP server discontinues service (by operator request, for example); and 5xx codes indicate that the command could not be performed for some unusual reason.

Now, this is how you get to this.
You can use some sort of windoze or linux or whatever program that is designed to be a usenet reader, and read articles with a simple point & click interface. That is nice and easy, but not a good way for hacking or a good way of learning about NNTP.

Now, the way to really "Get a feel" of the NNTP daemon is to use your favorite Telnet program and Telnet to your news server (e.g. Telnet News.Pacbell.Net). This will connect you to the pacbell news server. Basically, take your email address and chop off the front, leaving the last two parts: Joyschmoe@foobar.com is chopped to foobar.com. Then you just add the News, so we have news.foobar.com.

Now upon connect you should have an idea of which group you would like to post to. If you don't.... simply give the LIST command and hold on to your hat for a LONG list of groups. If you already have a group in mind, such as alt.warez or alt.2600, you would enter the command:

    Group

The response should be something like this:

    211 n f l s group selected
        (n = estimated number of articles in group,
         f = first article number in the group,
         l = last article number in the group,
         s = name of the group.)
    411 no such news group

If successful, this switches your "current article pointer", which is internally maintained, to the first article in the designated news group. It will also return the article numbers of the first and last articles in the group, as well as an estimate of the number of articles in that group. (Note: These estimates are not always correct; the estimate only has to be the exact number or greater than the number of articles in the group.)

Now we can do two things: read or write an article. To read, if you know the article number, enter this command:

    ARTICLE [xxxxxx]

Where xxxxxx is the number of the article you would like to peruse. Or you can use the message id in this fashion:

    ARTICLE <aaaaa>

Where aaaaa is the message id number. Both of these will display the header, a blank line, followed by the body of the message.
If you have any trouble with the commands, simply do a HELP command and the news server will give you a list of implemented commands.

When reading, I prefer to give a NEXT command, which will set my current article pointer to the next article and give me a text reply which usually contains a SIX digit message number. Then I simply give the command:

    Body xxxxxx

Where the x's are the article number given by the NEXT command.

The LAST command will set your internally maintained "current article pointer" to the last article in the mailing group.

Use this command to have the server give you all the news it has obtained since your designated date and time…

    NEWNEWS newsgroups date time [GMT] []

Here are two examples of server client conversations:

Example 1 - relative access with NEXT

    S: (listens at TCP port 119)
    C: (requests connection on TCP port 119)
    S: 200 wombatvax news server ready - posting ok

    (client asks for a current newsgroup list)

    C: LIST
    S: 215 list of newsgroups follows
    S: net.wombats 00543 00501 y
    S: net.unix-wizards 10125 10011 y
       (more information here)
    S: net.idiots 00100 00001 n
    S: .

    (client selects a newsgroup)

    C: GROUP net.unix-wizards
    S: 211 104 10011 10125 net.unix-wizards group selected
       (there are 104 articles on file, from 10011 to 10125)

    (client selects an article to read)

    C: STAT 10110
    S: 223 10110 <23445@sdcsvax.ARPA> article retrieved - statistics only
       (article 10110 selected, its message-id is <23445@sdcsvax.ARPA>)

    (client examines the header)

    C: HEAD
    S: 221 10110 <23445@sdcsvax.ARPA> article retrieved - head follows
       (text of the header appears here)
    S: .

    (client wants to see the text body of the article)

    C: BODY
    S: 222 10110 <23445@sdcsvax.ARPA> article retrieved - body follows
       (body text here)
    S: .

    (client selects next article in group)

    C: NEXT
    S: 223 10113 <21495@nudebch.uucp> article retrieved - statistics only
       (article 10113 was next in group)

    (client finishes session)

    C: QUIT
    S: 205 goodbye.
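
The server side of Example 1 run through the two digit tables given earlier, as an added example that is not part of the original article: it classifies each reply and collects the "."-terminated text that follows some of them. The set of codes that carry text and the doubled-dot unescaping come from RFC 977; the function names are this example's own.

```python
# Added example (not from the original article): parse an NNTP server stream.
FIRST = {"1": "informative", "2": "command ok", "3": "ok so far, send the rest",
         "4": "correct but not performed", "5": "unimplemented, incorrect or error"}
SECOND = {"0": "connection/setup/misc", "1": "newsgroup selection",
          "2": "article selection", "3": "distribution", "4": "posting",
          "8": "nonstandard extension", "9": "debugging"}
# RFC 977 codes whose status line is followed by "."-terminated text.
TEXT_FOLLOWS = {"100", "215", "220", "221", "222", "230", "231"}

def classify(status_line):
    code = status_line[:3]
    if len(code) != 3 or not code.isdigit():
        raise ValueError("not an NNTP status line: %r" % status_line)
    return {"code": code, "outcome": FIRST.get(code[0], "unknown"),
            "category": SECOND.get(code[1], "unknown"),
            "message": status_line[3:].strip(), "text": []}

def parse_replies(lines):
    """Group raw server lines into replies, collecting any text block."""
    replies, stream = [], iter(lines)
    for line in stream:
        reply = classify(line)
        if reply["code"] in TEXT_FOLLOWS:
            for text_line in stream:
                if text_line == ".":               # lone dot ends the text
                    break
                if text_line.startswith(".."):     # undo RFC 977 dot doubling
                    text_line = text_line[1:]
                reply["text"].append(text_line)
            else:
                raise ValueError("text after %s never terminated" % reply["code"])
        replies.append(reply)
    return replies

def posting_allowed(greeting):
    code = classify(greeting)["code"]
    if code not in ("200", "201"):
        raise ValueError("not a connection greeting: %r" % greeting)
    return code == "200"                           # 201 means no posting

# Server lines from Example 1; the dot-doubled body line is constructed.
SAMPLE = ["200 wombatvax news server ready - posting ok",
          "215 list of newsgroups follows", "net.wombats 00543 00501 y",
          "net.unix-wizards 10125 10011 y", "net.idiots 00100 00001 n", ".",
          "211 104 10011 10125 net.unix-wizards group selected",
          "223 10110 <23445@sdcsvax.ARPA> article retrieved - statistics only",
          "222 10110 <23445@sdcsvax.ARPA> article retrieved - body follows",
          "..a body line that began with a dot", ".",
          "205 goodbye."]
```
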
Example 2 - absolute article access with ARTICLE

    S: (listens at TCP port 119)
    C: (requests connection on TCP port 119)
    S: 201 UCB-VAX netnews server ready -- no posting allowed
    C: GROUP msgs
    S: 211 103 402 504 msgs Your new group is msgs
       (there are 103 articles, from 402 to 504)
    C: ARTICLE 401
    S: 423 No such article in this newsgroup
    C: ARTICLE 402
    S: 220 402 <4105@ucbvax.ARPA> Article retrieved, text follows
    S: (article header and body follow)
    S: .
    C: HEAD 403
    S: 221 403 <3108@mcvax.UUCP> Article retrieved, header follows
    S: (article header follows)
    S: .
    C: QUIT
    S: 205 UCB-VAX news server closing connection. Goodbye.

Now the POST command.

The POST command is subject to some scrutiny in my opinion. The RFC says that there are headers that are essential and headers that are voluntary. However, upon experimentation I have found that some of the ones they say are ESSENTIAL really aren't. I got away with posting a message with only a from/subject/news-group/body line! Anyway, that's no big deal. I logged on to my news server and gave the POST command. I will show you our conversation.

    S: 200 NNTP blah blah blah ready
    C: post
    S: post OK!
    C: From: plahzma@geocities.com
       Subject: This is kewl.
       NewsGroups: alt.cracks, alt.2600.warez

       This is a test to see if I can negotiate a deal with my news server through telnet!
       .
    S: Article Posted.
    C: Quit
    S: Connection closed by host. Goodbye!

Okay, that was easy now, wasn't it!? Notice how the server responded with a 200 stat response. If this had been a 201, that would mean that I could not post! So pay attention to the stat responses! The "From:" line can be whatever email address you want! That makes it a lot better for us, since a lot of times when you post to a news-group and ask a stupid question you get flamed, email bombed, spammed…. And this way any direct replies are sent to that great big trash bin in the sky!
Also notice that on the Newsgroups: line I have put the cracks news-group followed by the 2600 warez news-group, separated by a comma. This tells the daemon to post your message to cracks AND warez. Notice that the HEADER section has been separated from the BODY section by a blank line. Now, also when I read the RFC it did not mention anything about a "." at the end to send the post. But if there's something else we're supposed to do then oh well, because the "." at the end worked.

Now I will get into more advanced features!

The preceding text was how to post with the BARE minimum! There are all sorts of other headers to fool around with. Actually, anything you put in the header section will be transferred unchanged to the next server/client unless it contains a KEYWORD; the keywords are immediately used by the news host.

The following is a list of HEADER keywords, and the format in which you should use them. I have omitted the boring ones; these are just extras for you.

Relay-Version
This header line shows the version of the program responsible for the transmission of this article over the immediate link. For example, the header line might contain:

    Relay-Version: version B 2.10 2/13/83; site cbosgd.UUCP

Posting-Version
This header identifies the software responsible for entering this message into the network. It has the same format as Relay-Version.

From
The From line will be an internet address, optionally followed by a full name contained in parentheses. For example, the header line might contain:

    From: JoeBlow@Boringisp.com (JoeBlow)

The date will be given by using this line:

    Date: Weekday, DD-Mon-YY HH:MM:SS TIMEZONE

American timezones are PST, PDT, MST, MDT, CST, CDT, EST, EDT (e.g.
Fri, 19-Jul-97 05:36:04 PST)

The Subject line should be some sort of suggestion of the contained text, but if it is in reply to something, the subject line should be "Re: (Reference)", where reference is the article subject you are replying to, aduhhhh.

Path
The Path line specifies where the article has been. When the HOST computer receives the message, it will add its name to it, and then send it to another host/slave, which adds its name to the path, and the next and the next and the next… The names in the path are separated by punctuation marks. For example:

    cbosgd!mhuxj!mhuxt

means the letter has gone from mhuxt, then to mhuxj, then to cbosgd, where it now stays. However, this is not always true; the rightmost name could also be the NAME of the sender.

Reply-To
This line is in the same form as the From line. All letters replied to this post will be sent to this address, not to the specified FROM address.

Publication by: PlaZma
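
For a news administrator reading a received article, the header behaviour described above can be checked mechanically; this is an added example, not code from the original article. It reports which headers are absent, lists the Path hosts in travel order, and notes when Reply-To diverts replies away from From. The required-header set is taken from RFC 1036 (the article does not list it), the function names are this example's own, and both sample articles are constructed.

```python
# Added example (not from the original article): audit the headers of a
# received Usenet article. All sample data below is constructed.
REQUIRED = ("From", "Date", "Newsgroups", "Subject", "Message-ID", "Path")  # RFC 1036

def parse_article(raw):
    """Split at the first blank line; header names are case-insensitive."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers, last = {}, None
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and last:       # folded continuation line
            headers[last] += " " + line.strip()
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        last = name.strip().lower()
        headers[last] = value.strip()
    return headers, body

def address(value):
    """'user@host (Full Name)' -> 'user@host', the From format shown above."""
    return value.split("(")[0].strip().lower()

def audit(raw):
    headers, _ = parse_article(raw)
    # The article's Path example uses "!" between names; leftmost is newest.
    hops = [h for h in headers.get("path", "").split("!") if h]
    sender = address(headers.get("from", ""))
    reply_to = address(headers.get("reply-to", ""))
    return {
        "missing": [h for h in REQUIRED if h.lower() not in headers],
        "route": hops[::-1],                       # travel order, origin first
        "reply_redirected": bool(reply_to) and reply_to != sender,
        # From is supplied by the poster; Path is appended by relaying hosts,
        # so a From host that never appears in Path is only a weak hint.
        "from_host_in_path": sender.rpartition("@")[2] in [h.lower() for h in hops],
    }

MINIMAL = ("From: someone@example.invalid\nSubject: test\n"
           "NewsGroups: alt.test\n\nbody text\n")
RELAYED = ("Path: cbosgd!mhuxj!mhuxt\nFrom: JoeBlow@Boringisp.com (JoeBlow)\n"
           "Reply-To: other@example.invalid\nNewsgroups: alt.test\n"
           "Subject: Re: test\nDate: Fri, 19-Jul-97 05:36:04 PST\n"
           "Message-ID: <1@mhuxt.example>\n\nbody text\n")
```
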