What a hacker needs to know. ][-guide: choose the best programming language for your tasks

This tutorial will cover the following two topics: introduction and hacker tools.

Introduction
Hello, reader. A year ago I came to HZ and really wanted to become a hacker. Nobody could explain many simple things to me; I met many experienced people, but only a few actually helped me onto the hacker's path. I can name them: PinkPanther, DrWeb, R_a_ID_e_R. I taught myself, without relying on anyone's help, and tried to write down what I learned in articles for beginners. Time went on, generations changed... I don't want to make life harder for the newbies; I've always been good to them, and I think newbies have a right to know. Anyone who says I'm wrong, who says "let them figure it out themselves, that's the only way they'll grow", is both right and wrong. Yes, the stubborn will reach their goal, but a person who doesn't need this simply won't read this article. For those who still torment search engines with questions like "how to become a hacker", I decided to dedicate a series of lessons, and maybe a book. You will go from a lamer to a hacker, learn programming technologies, hacking and much, much more. Follow this path through my lessons and everything will be fine. This is the first lesson on the basics of hacking, and it is more of a teaser. Remember, these are all just toys; the real hacking comes later. At this stage you have to decide whether you need it or not. Gradually we will study network technologies, and you will learn how the Internet works, what interesting things can be found in it, what is possible and what is not. Welcome to our world!
Hacker tools
In this section I will describe the hacker's gentleman's kit. We will use these tools from time to time in what follows.

- Brute force
- Port scanner
- Security scanner
- Joiner
- Mail bomber
- Windows password cracking
- Password viewing
- Trojan
- Keylogger
- IP hider (proxy/socks)
- HTTP request spoofing

Let's start in order:

[Brute force]. Brute force (from the English "brute force") is used to guess passwords for e-mail and FTP servers. There are many brute-force programs, but their capabilities are similar. On dial-up connections, where the speed does not exceed 56 Kbps, guessing can be long and tedious; on high-speed Internet (ADSL, fibre, satellite, etc.) the guessing speed goes up, but it consumes a lot of traffic. The best option is dictionary guessing: the cracker builds a text file of the victim's probable passwords, the program connects to the server specified for it and tries the passwords from the file one by one. If passwords are being guessed for a mailbox, you have to give the brute-forcer the victim's incoming mail server; for example, if we are breaking into e-mail ("soap"), the server will most often be pop.pupkin.ru. If we are breaking not e-mail but the site pupkin.ru, then we need to specify an FTP server, which will be ftp.pupkin.ru. Brute-forcers have many useful settings; for example, if you spotted that your friend enters a 5-character password whose first character is L, you need to use mask guessing. The mask will look like this: L####. I have given only a general description; for closer acquaintance I advise you to download wwwHack.

[Port scanner]
Since this lesson is an introduction, I will torment you with network technologies another time, but you still need to know this. Port scanners check a given range of IP addresses for a given open port. If the port is open, that IP is added to the list. Where is this used? The creators of so-called "trojans" sometimes build a port scanner into their creations. The point is that when the server part of a Trojan gets onto a machine, it opens a port in the system through which it receives commands from the client. For those who have not yet guessed, I will explain: knowing what port our trojan opens, we "ask each computer in the range" whether this port is open, and if it is, then our trojan is sitting on that machine and you can safely connect and control that computer. I recommend Essential Net Tools, as it is a good scanner with an additional set of functions. Keep in mind that it is not just a scanner. Over its existence it has become legendary, and it still has not lost its relevance. It is a paid product. My brother bought it and gave me a serial from version 1.1:
Name: Jan Klaassen
S/N: 2957888021

[Security scanner]
There are two types of pages on the Internet: static (HTML) and dynamic (PHP, ASP, CGI). If the page extension is htm or html, the content of the page does not depend on the user and is always the same: "static". Dynamic pages process data received from the user; roughly speaking, they know how to think. Naturally, there can be no talk of holes in HTML pages; holes exist only in the scripts of dynamic pages. The most common vulnerabilities are XSS. DrWeb described them well in the article "XSS for beginners", so I will not explain their essence. To automate the search for XSS vulnerabilities (and not only those), hackers use security scanners. I recommend XSpider.

[Joiner] (from the English "join": connect, unite).
A joiner is a program that combines several files into one, with the option of attaching an arbitrary icon to the resulting file. Thus, using a joiner, a hacker can glue a Trojan horse to some useful utility and slip it to the victim. The victim, in turn, opening the file, believes they are launching their own program, while in fact two (three, four, etc.) are launched; the Trojan simply does not give itself away. The downside of this approach is that most joiners are detected by antiviruses.


[Mail bomber]
This type of program is designed to "bomb" e-mail, i.e. to bombard it with a huge number of letters. Mail bombers are widely used by spammers. Personally, I am not a spammer, but I use Ganja Spammer to spoof the sender's address. Very handy for phishing. What that is, I'll tell you later.

[Windows passwords]
I respect InsidePro products and advise you to download them: PasswordsPro, MD5Inside, PWLInside, SAMInside. The purpose of each program is already in its name, but I will talk about each separately.
SAMInside is a program for cracking the SAM file. In Windows 2k/XP, user passwords are stored in the windows\system32\config directory, in files called SAM and SYSTEM respectively, without extension. To copy them for cracking you will have to use DOS or an alternative OS such as Windows PE. So, passwords are stored in encrypted form, and to recover them you must have copies of these files. You load them into SAMInside, choose the enumeration method, and wait.
PWLInside is similar, but for the now dead Windows 95/98, where passwords (including Internet passwords) are stored in the Windows directory in files with the *.PWL extension.
MD5Inside cracks the MD5 hash used in many authorization systems; once the hash is cracked, you have the password. By the way, on IPB forums roughly this hash is stored in cookies.
PasswordsPro is a powerful tool for working with passwords: it has all the functions of MD5Inside plus hash generation, and it can also show passwords hidden behind asterisks; for this you enable the corresponding mode and hover over the password box.

[View passwords]
If you want to know what a friend writes to your fiancée by e-mail, just go to his place and send him to make coffee, and meanwhile take out a floppy disk and launch a program that shows all his passwords, including e-mail. Magic? No! The thing is that, for convenience, to spare you the hassle of typing a password every time you log in to a site, into ICQ, etc., browsers, ICQ and mail clients remember it. That is what they pay for. There are many programs that show all kinds of saved passwords. To see what IE and Outlook Express have saved, you can use the PSPV program. For TheBat, TheBatPasswordViewer; for ICQ/Trillian/Miranda etc., Advanced Instant Messenger Password Recovery, AIMPR for short.

[Trojan horse]
So we got to the most interesting part :). This breed of animal is so named because it acts like the famous Trojan horse. Penetrating the user's system, it settles in and works for its owner. What do I mean? Unlike a virus, a Trojan is harmless while you are offline. It is activated when its creator sends commands to it over the LAN or the Internet; for example, on command it can send your passwords to the owner, and do many other interesting things; it also lets the cracker rummage through your files and registry. In general, you get the idea, but the capabilities of each one differ. The most popular Trojans are ALB, NetBus and LamerDeath, but all of them have long been detected by antiviruses. My own is called LamerHack; you can find it on my site. It is not detected, but for now only a weak beta version is available, and besides, the undetectability is paid for by the size of the server.


[Keylogger]
A keylogger, in plain words, is a "keyboard spy". It captures all your keystrokes and writes them to a file, after which it can send them to its creator or save them to the hard disk. It is useful to plant on a girlfriend's machine: it will record everything she writes and to whom on ICQ.


[IP hider (proxy/socks)]
If you are doing something not entirely legal, you are unlikely to be happy that your IP address remains on the server you hacked, by which you can be traced. What then? There is such a thing as a proxy server, or a socks server. I will not go into detail about how they differ; at this stage it does not matter to you. The essence is the same: your IP address is replaced by the address of the proxy server. This is used when there are restrictions on your IP, for example the amount of music you may download, or a limited number of attempts to register an ICQ number. For the very first case, you need anonymous or elite proxies. Their disadvantage is inconstancy: they change every n hours. A fresh list of proxies can always be found at . As a program for using a proxy, I recommend .

[HTTP packet spoofing]
I will also describe this in more detail in future lessons. All information on the Web is transferred in so-called "packets". Like secret dispatches in wartime, HTTP packets have contents and an inscription: from where, to where, etc., with the only difference that THIS information is not considered particularly secret, but is of interest. The packet header contains information about the browser, where we came from, and what data is passed to which scripts. As you understand, we will be talking about substituting this data. The question arises: "Why?" Here is why. Let's look at an example. We have a very popular Internet provider, "Alkar Teleport", in Dnepropetrovsk. It hosts several sites with interesting resources that are available only to its users. If you come from another provider, they turn you away. But how do these sites check where I came from? By IP. If, say, the IP is something like 212.15.x.x, then access is allowed. And if we replace the referer (where I came from) with the address of the server itself, then most likely it will not forbid us anything. The program InetCrack is used; download it.
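The section above rests on the difference between a header the client types in (Referer) and the source address the server's socket sees. The following Python is an added example, not code from the original lesson, written from the server side: it parses a raw request, evaluates it under a Referer-based check and a peer-address check, and flags requests where the two disagree. The provider block 212.15.0.0/16 is taken from the text; the host name members.provider.test and the two sample requests are constructed for the example.

```python
import ipaddress
from typing import Dict, Tuple

# Address block the page gives for the provider's own subscribers (212.15.x.x).
PROVIDER_NET = ipaddress.ip_network("212.15.0.0/16")
# Constructed placeholder for the restricted site's own origin (not a real host).
SITE_ORIGIN = "http://members.provider.test"


def parse_request(raw: str) -> Tuple[str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (request line, header dict).

    Header names are case-insensitive in HTTP, so they are lowercased here.
    Anything after the blank line (the body) is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # malformed header line: skip rather than crash
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def allowed_by_referer(headers: Dict[str, str]) -> bool:
    """Weak check: trusts the client-supplied Referer header.

    Every header is typed by the client, so a Referer set to the site's own
    address passes regardless of where the request really came from."""
    return headers.get("referer", "").startswith(SITE_ORIGIN)


def allowed_by_peer_address(remote_addr: str) -> bool:
    """Stronger check: uses the source address of the TCP connection as the
    server's socket reports it, which editing a header cannot change.

    Caveat: behind a reverse proxy remote_addr is the proxy itself, and an
    X-Forwarded-For header is again client-controlled unless the proxy
    overwrites it."""
    return ipaddress.ip_address(remote_addr) in PROVIDER_NET


def referer_mismatch(remote_addr: str, headers: Dict[str, str]) -> bool:
    """Detection: a Referer claiming the site's own origin while the
    connection comes from outside the provider's block is worth logging."""
    return allowed_by_referer(headers) and not allowed_by_peer_address(remote_addr)


def decide(remote_addr: str, raw_request: str) -> Dict[str, bool]:
    """Evaluate one request under both checks plus the mismatch detector."""
    _, headers = parse_request(raw_request)
    return {
        "referer_check": allowed_by_referer(headers),
        "peer_check": allowed_by_peer_address(remote_addr),
        "suspicious": referer_mismatch(remote_addr, headers),
    }


# Constructed sample requests: one from a subscriber, one from an outside
# address (203.0.113.5 is a documentation address) carrying a Referer that
# names the site itself.
SUBSCRIBER_REQUEST = (
    "GET /music/ HTTP/1.1\r\n"
    "Host: members.provider.test\r\n"
    "Referer: http://members.provider.test/index.html\r\n"
    "\r\n"
)
OUTSIDE_REQUEST = (
    "GET /music/ HTTP/1.1\r\n"
    "Host: members.provider.test\r\n"
    "Referer: http://members.provider.test/\r\n"
    "User-Agent: Mozilla/4.0\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(decide("212.15.7.8", SUBSCRIBER_REQUEST))
    print(decide("203.0.113.5", OUTSIDE_REQUEST))
```

The outside request passes the Referer check and fails the peer-address check, which is exactly the mismatch a server log should record; an access rule that keys on the peer address (or better, on an authenticated session) is not affected by a rewritten header.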

Of course, not all programs were described in this section, but the main ones.

Vladislav Novik aka VladUha::HackZona.Ru

Programming is the main tool of a hacker. If you do not yet know any computer language, I recommend starting with Python. It is cleanly designed, thoroughly documented and relatively kind to beginners. Despite its friendliness to beginners, it is not just a toy but a very powerful and flexible language, excellent for large projects. I have already written a more detailed evaluation of Python in . There is a good beginner's guide and an official tutorial on the Python website, and you can also find excellent tutorials elsewhere; one of them is Computer Science Circles.

I used to recommend Java as an early learning language, but changed my mind in response to these criticisms (see also "The Pitfalls of Java as a First Programming Language"). A hacker cannot approach a problem the way a plumber in a hardware store does; he must know exactly what every component does. Therefore I now lean towards the view that it is better to learn C and Lisp first, and Java after them.

There is perhaps a more general point here: when there is a good tool for creating something, but the language behind it is too big and learning it causes difficulties, not only programming languages can do the job. Various web frameworks such as RubyOnRails, CakePHP and Django can solve the problem easily, but they leave you with superficial knowledge, and you will not be able to solve a more complex problem, or work out what is wrong when the quick and easy solution does not work correctly.

If you decide to dive into serious programming, you should learn the core language of the Unix OS, C (pronounced "see"). C++ (pronounced "C plus plus") is very closely related to C; if you know one, learning the other will not be difficult. They are not languages for beginners, though. And, in fact, the more you can avoid programming in C, the more productive you will be.

C is very efficient and very frugal with machine resources. However, C is only worth using where manual management of low-level resources, such as memory, is required. All this low-level code is complex and error-prone, and it also eats a huge amount of your debugging time (finding and fixing errors). Given the power of modern computers, you can make a compromise: the smarter thing is to choose a language that uses computer resources less efficiently but makes more effective use of your implementation time. That compromise is Python.

Other languages of paramount importance to hackers are Perl and LISP. Perl is worth learning for practical reasons: it is very widely used for active web pages and system administration, so even if you never have to write Perl, you should learn to read it. Many people use Perl in the capacity in which I advise you to use Python, avoiding C unless the task requires economical use of machine resources. You need to be able to understand such code.

LISP is valuable to learn for another reason: you will gain a deep insight when you finally learn this language to the end. This knowledge will make you a better programmer for the rest of your life, even if you never really use LISP itself. (Basic LISP programming skills can be acquired fairly easily by creating and modifying extensions for the Emacs text editor, or by creating Script-Fu plugins for GIMP.)

In fact, it's best to learn all five: Python, C/C++, Java, Perl, and LISP. In addition to being the most important hacker languages, they exhibit very different approaches to programming, and each will teach you something valuable.

But keep in mind that you won't reach the level of a hacker, or even of an ordinary programmer, just by collecting languages; you must learn to think about programming in a general way, independent of any language. To be a real hacker, you have to get to the point where you can learn a new language in a matter of days simply by reading its manual and relating it to what you already know. And to get there, you need to know several very different languages in their essence.

I can't give full instructions here on how to learn programming; it's a complex art. But I can tell you that books and courses won't do it either; many, perhaps most, of the best hackers are self-taught. You can learn the features of languages (a small part of the knowledge) from books, but the kind of thinking that makes this knowledge applicable in practice can only be gained through practice and a certain period of study. What actually teaches programming is (a) reading source code and (b) writing source code.

Peter Norvig, one of Google's top hackers and co-author of the popular AI (Artificial Intelligence) textbook, wrote a great article called Teach Yourself Programming in Ten Years. It is worth paying special attention to his "recipe for successful programming".

Learning to program is like learning to write good natural language. The best way to do this is to read something written by recognized masters of literature, then write some yourself; read more, write a little more; read more - write more... And repeat until your programs look like a powerful and organized model.

I covered more about this process in How To Learn Hacking. This is a simple set of instructions that is not very easy to follow.

Finding good source code to study used to be difficult because there were very few large programs available in source code that young hackers could study and experiment with. Now the situation has changed dramatically: programs in source code, development tools and entire operating systems (all created by hackers) are now widely available. Which brings me straight to the next section...

In this chapter, I will try to outline very briefly what a hacker and a competent system administrator, who has the task of securing a network, needs to know. It is impossible to describe all these things in full within the scope of this manual.


3.1. Programming languages


The basis of hacking is not the ability to sit picturesquely in front of the monitor, recklessly hammering the keyboard, but knowledge of programming languages. Which ones? Let's talk briefly about the languages that are used for hacking.

The year ARPANET was born was also the year a Bell Labs hacker named Ken Thompson created Unix. Thompson had been involved in the development of an operating system called Multics. Multics was supposed to make computers easier to use and program, in order to increase productivity. The project was offered for sale, but never enjoyed the same success as the operating system that followed it. Thompson abandoned the Multics environment and began to play with a mixture of Multics ideas and his own.

Another hacker named Dennis Ritchie came up with a new language called "C" for use under Thompson's "original" Unix. Like Unix, "C" was designed to be natural and flexible. Interest in these tools spread within Bell Labs, and they gained popularity in 1971 when Thompson and Ritchie won a tender for what we would now call a business-to-business office automation system.

Traditionally, operating systems were written in assembly language to extract the highest possible efficiency from the host machines. Thompson and Ritchie were among the first to realize that hardware and compiler technology had become good enough for an entire operating system to be written in C, and by 1974 the entire environment had been successfully ported to several different types of machines.

This has never happened before and the results have been impressive. Since Unix could present the same interface, the same capabilities on many different types of machines, it could become the standard software environment for all of them. Users didn't have to pay more to develop new software whenever machines became obsolete.

In addition to portability, Unix and "C" had another important strength. They were built around a "keep it simple, stupid" philosophy. A programmer could easily keep the full logical structure of "C" in his head (unlike most other languages) instead of constantly consulting reference books, and Unix was structured as a flexible toolkit of simple programs designed to be combined with each other in whatever way was needed.

At the beginning of 1996 a new programming language appeared: "Java". On the Consortium's home page, Java was included in the list of so-called Mobile Codes, one of the promising directions for the development of World Wide Web technology. By the end of 1996 the Java boom had begun in the West, and it had reached our country by the time the Unix-Expo-96 exhibition was held. According to the history, Java (coffee) technology was born from the Oak project, whose main goal was the development of object-oriented tools for describing and communicating with various kinds of electronic devices. After Oak failed in 1994, it was decided to apply the experience gained from it to products focused on the Internet. Since April 1995, HotJava, the World Wide Web browsing interface for Sun platforms, has been freely distributed over the web.

Literally a month later, Netscape Communications, then the trendsetter in Internet programming interfaces, bought a licence for Java. From that moment the golden age of this technology began. Currently HotJava is implemented not only for SunOS and Solaris, but also for many other platforms, including Windows.

The Java programming system allows you to compile programs for the platform on which it runs, in the same way as any other system such as C or C++. The main difference of Java programs, which are called Java applications, is the use of the Java class library, which enables the development of secure, distributed systems. It is also argued that the language lets you make far fewer mistakes when developing programs; the main point is that Java has no address arithmetic at all. Much more interesting is the development of mobile Java bytecodes, which in Java terminology are called applets.

The programming language Modula-2, well known in its time, was created by N. Wirth in 1979 and was first implemented on a PDP-11 minicomputer. In the 1970s Pascal was widely accepted by computer users and teachers, but it had originally been developed for teaching programming and, as a software development language, had many drawbacks. In Modula-2 these shortcomings were eliminated while the logical structure and characteristics of its predecessor were preserved. In addition, powerful new language features were introduced in Modula-2.

The Modula-2 programming language belongs to the so-called machine-independent languages. N. Wirth applied Modula-2 in writing a complete operating system for the Lilith mini-computer. A characteristic feature of Modula-2 is separate compilation, which allows you to develop and store programs in libraries that can be reused.

The first versions of the C++ programming language (then called C with Classes) were developed in the early 1980s by Bjarne Stroustrup, an employee of the famous AT&T Bell Labs, where the Unix operating system and the C programming language had previously been developed. According to the author of the language himself, C++ was never designed on paper: the design, implementation and documentation of new features happened virtually simultaneously. The sole purpose of the development was to create a language in which the author and his friends would find it convenient to program. The C programming language, popular among professional developers, was taken as the basis. The first extensions to C were the means to support data abstraction and object-oriented programming. As is customary at AT&T, a description of the new language was not published immediately; its first users were the employees of Bell Labs themselves.

Perl. When it comes to writing system-level applications, in particular web server scripts, the Perl programming language comes to the fore, primarily because of its proven and rich features. Perl (Practical Extraction and Reporting Language, or, as the name is sometimes deciphered by the creator of Perl and his other fanatical adherents, Pathologically Eclectic Rubbish Lister) is one of the most powerful and popular programming languages.

The history of Perl began in 1987, when a man named Larry Wall began developing the language he needed to solve the system programming problems he faced as a Unix system administrator. Despite such humble beginnings, Perl has grown into a full-featured, complex language. It is attractive because it bridges the gap between Unix shell programming methods and C applications, with the simplicity of the former and the functionality of the latter. Wall describes it this way: “Perl is an interpreted language optimized for scanning arbitrary text files, extracting information from those files, and printing reports based on that information. It can also be used to solve many system management tasks. In designing this language, the goal was not so much beauty (small volume, elegance and optimality) as practicality (ease of use, efficiency and completeness)." Wall also points out that Perl's expression syntax is exactly like C's expression syntax; Perl does not arbitrarily limit the amount of your data - "if you have memory, Perl can load your entire file into it as a single line"; recursion can be of unlimited depth, and in addition, the language uses sophisticated pattern matching techniques to quickly scan large amounts of data.


3.2. Why break networks?


The strengths of Russian crackers are still collectivism and mutual assistance, as well as a powerful flight of imagination, which in most cases their Western counterparts lack. They act as a friendly crowd (a herd) that can even gang up on a big shot. Protection systems, designed for the most part to rather infantile Western standards, are usually powerless against the dashing and incredibly resourceful Russians. A guard with a rubber baton cannot stop a gang armed with tire irons and nail pullers. So far only a few are involved in stealing money from accounts, and then only from case to case. But in a couple of years, with the expansion of computer communications in Russia, such things could be put on stream. Anticipating such a turn of events, the leaders of the FBI and others like them are already making a fuss and, accordingly, demanding additional appropriations. And, oddly enough, our hackers act here as voluntary and very effective assistants.

A few years ago, word passed through the Fidonet network that one of its members had got into the computer managing the Inmarsat network of international satellites (which serves navigation, space, communications, SOS signals, etc.). Not only did he "walk around" there himself, he also posted all the instructions and passwords for entering the database to the network. What this could mean for the satellite network is still unclear.

The impudence of our computer hooligans is not least due to the fact that nobody fights them at home. Still, it cannot be said that nothing is being done at all. In 2001 a special presidential decree was issued on the protection of information. Russia has pledged to cooperate with Interpol in this area. At the beginning of 1995 a special unit to combat hackers, consisting of eight people, was created under the Ministry of Internal Affairs. There was even a special meeting of the Security Council on this issue. A good illustration of the effectiveness of such measures is that, when asked by a correspondent about the results of catching the villains, the responsible officer of the Ministry of Internal Affairs answered directly: "Young man, we arrest and try people according to laws, not decrees."

In 1997 the FBI approached Russia's law enforcement agencies. The fact is that American global commercial information networks, such as America Online and the Microsoft Network, suffered significant losses in four months of 1996 from hackers using fake credit cards to enter the network. After tracing the links, the security services of these networks passed all the information to the FBI, since it turned out that most of the illegal connections were made from Russia. To be honest, it is quite simple to determine the source of a connection on the Internet, but it is expensive (you have to keep additional staff). In AOL and MSN such units exist. So what? The first step is to check all official points of entry to the network; i.e., if a city has an official representative of the network with its own phone number for connecting to that network, all connections begin to be controlled automatically. At the same time caller ID (CID) works (if dialling is tone). If the subscriber is officially connected to the network, everything is fine. If the number cannot be determined, the subscriber is "thrown off the line". If the phone number does not match the database of official users, the connection is automatically taken under control. Connecting via the Internet (through intermediate networks) does not help either, since the current link is always recorded upon connection (the network uses this for automatic routing of data packets). In Moscow alone in 1996, more than 360 people were identified as illegally using communications services. There is a legal subtlety here: sitting at home, a person commits a crime in the United States. The demand to bring them to justice under US law, even in our crazy times, is savagery. This could be argued over for years.
Theoretically, the articles of the Criminal Code of the Russian Federation relating to financial crimes are applicable here; i.e., if a hacker cannot be prosecuted for hacking the network, he can be prosecuted under other articles (for example, for hooliganism, counterfeiting banknotes, etc.).

At the moment, all the identified subscribers continue to roam commercial networks via the Internet, most often completely unaware that they are already under control. In any case, to fight hacking and its consequences, one must understand that hackers and ordinary users hold, in principle, the same weapon. You just need to use it correctly.


3.3. TCP/IP protocol


The TCP/IP family of protocols is widely used around the world to connect computers to the Internet. More information about TCP/IP protocols can be found in RFCs (Requests For Comments), special documents issued by the Network Information Center (NIC).

Each machine on a TCP/IP network (IP network) has a unique address assigned by the administrator, and all data is sent and received by the machine using this unique address. The second, no less important parameter that characterizes the machine is the subnet mask - a value that determines the maximum number of machines that can be in one local network segment.

The administrator assigns IP addresses to machines according to which IP networks they are connected to. The upper bits of the 4-byte IP address define the IP network number. The rest of the IP address is the node number (host number). There are 5 classes of IP addresses, differing in the number of bits in the network number and the host number. The class of an address is determined by the value of its first byte. Of these 5 classes, only the first three are widely used.

Class A addresses are intended for use on large public networks. They allow a large number of node numbers. Class "B" addresses are used in medium-sized networks, such as networks of universities and large companies. Class C addresses are used on networks with a small number of computers.

Within the address range of each class, there are so-called "dummy" or "reserved" address ranges, data from which is not transmitted to the global network, and you can use them for your own purposes.


Class   Range start      End of range       Mask
A       10.0.0.0         10.255.255.255     255.0.0.0
B       172.16.0.0       172.31.255.255     255.255.0.0
C       192.168.112.0    192.168.112.255    255.255.255.0

Before you can start using a network with TCP/IP, you must obtain one or more official network numbers. Allocation of numbers (as well as many other issues) on the Internet is handled by the DDN Network Information Center (NIC). Allocation of numbers is free of charge and takes about a week. You can get a network number regardless of what your network is for. Even if your network has no connection to the Internet, obtaining a unique number is desirable, as it ensures that there will be no address conflict when you connect to the Internet or to another organization's network in the future. The address for your network can also be provided by your ISP; most often, this is how it is done.

The address space of the network can be divided into non-overlapping parts, "subnets", each of which can be operated as a normal TCP/IP network. Thus, a single IP network of an organization can be built as a union of subnets.

Typically, a subnet corresponds to a single physical network, such as a single Ethernet network. Subnetting is optional. You can simply assign a different network number to each physical network, such as a class C number. However, this solution has two drawbacks. The first is the waste of network numbers. A more serious disadvantage is that if your organization has multiple network numbers, then machines outside the organization must maintain records of routes to each of these IP networks. Thus, the organization's IP network structure becomes visible to the whole world. If there are any changes in the IP network, information about them must be propagated to each of the machines that maintain routes to this IP network.
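As an added example (my code, not part of the original text), here is the network/host split described above written out in C: it parses a dotted address and mask, derives the class from the first byte, checks membership in the reserved ranges (taken in their full RFC 1918 extents, of which the table's 192.168.112.0/24 is one part), and rejects a mask that is not a contiguous run of ones. The function names and the sample addresses are my own.

```c
#include <stdint.h>
#include <stdio.h>

/* Parse a dotted quad "a.b.c.d" into a host-order 32-bit value. Returns 1 on
   success, 0 on malformed input (missing octets, octets > 255, trailing junk). */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | d;
    return 1;
}

/* Address class from the first byte: A = 0-127, B = 128-191, C = 192-223,
   D = 224-239 (multicast), E = 240-255 (reserved). */
char ipv4_class(uint32_t ip)
{
    unsigned first = ip >> 24;
    return first < 128 ? 'A' : first < 192 ? 'B' : first < 224 ? 'C'
         : first < 240 ? 'D' : 'E';
}

/* Membership in the reserved ("dummy") ranges, taken in their full RFC 1918
   form: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. */
int ipv4_is_reserved(uint32_t ip)
{
    return (ip >> 24) == 10 || (ip >> 20) == 0xAC1 || (ip >> 16) == 0xC0A8;
}

typedef struct {
    uint32_t network;   /* the bits selected by the mask */
    uint32_t host;      /* the remaining bits */
    uint32_t broadcast; /* network number with every host bit set */
    unsigned host_bits; /* number of zero bits in the mask */
    uint32_t max_hosts; /* 2^host_bits minus the network and broadcast addresses */
} subnet_info;

/* Split ip by mask. Returns 0 when the mask is not a run of ones followed by
   zeros (e.g. 255.255.0.255): such a "mask" defines no usable segment. */
int subnet_split(uint32_t ip, uint32_t mask, subnet_info *out)
{
    uint32_t inv = ~mask;
    if (mask == 0 || (inv & (inv + 1)) != 0) return 0;
    out->host_bits = 0;
    for (uint32_t v = inv; v; v >>= 1) out->host_bits += v & 1u;
    out->network = ip & mask;
    out->host = ip & inv;
    out->broadcast = ip | inv;
    out->max_hosts = out->host_bits >= 2 ? (1u << out->host_bits) - 2 : 0;
    return 1;
}

/* String-taking wrappers for quick checks. max_hosts_of returns 0 for an
   unparsable or non-contiguous mask; network_of returns 0xFFFFFFFF on error. */
uint32_t max_hosts_of(const char *mask_s)
{
    uint32_t mask; subnet_info si;
    if (!parse_ipv4(mask_s, &mask) || !subnet_split(0, mask, &si)) return 0;
    return si.max_hosts;
}

uint32_t network_of(const char *ip_s, const char *mask_s)
{
    uint32_t ip, mask; subnet_info si;
    if (!parse_ipv4(ip_s, &ip) || !parse_ipv4(mask_s, &mask)) return 0xFFFFFFFFu;
    return subnet_split(ip, mask, &si) ? si.network : 0xFFFFFFFFu;
}

int main(void)
{
    /* Constructed sample: a host in the table's 192.168.112.0/24 segment. */
    uint32_t ip, mask; subnet_info si;
    if (!parse_ipv4("192.168.112.77", &ip) || !parse_ipv4("255.255.255.0", &mask)
        || !subnet_split(ip, mask, &si)) return 1;
    printf("class %c, reserved %d, network %08X, host %u, max hosts %u\n",
           ipv4_class(ip), ipv4_is_reserved(ip), si.network, si.host, si.max_hosts);
    return 0;
}
```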


3.4. Ports


Interaction between application processes in the network is carried out through the so-called ports. Ports are numbered starting from zero. An application process that provides some services to other application processes (server) waits for messages to arrive on a port dedicated specifically for these services.

Messages must contain a request for the provision of services. They are sent by client processes. For example, an SMTP server always listens for messages on port 25. If an SMTP client wishes to receive a service, it sends a request to port 25 on the machine where the server is running. This port number is a well-known, i.e. fixed, number officially allocated for SMTP services. Such well-known numbers are defined by Internet standards.




Just thinking about getting into coding? Lost in the variety of languages and technologies? Rejoice, your day has come: the whole editorial board strained a little and rolled out for you an interactive guide to choosing a programming language depending on your needs. It doesn't matter whether you want to write mobile games, look for backdoors in ZTE firmware or just make a living coding: we have covered all the options. Spin the scheme, answer the questions, choose your technology... And then don't forget to transfer us a percentage of your first salary. For the tip, so to speak!

Whichever direction you prefer, if you have no programming experience at all, you will have to start from the very basics: learn the terms, learn how to compose algorithms and turn them into code. And this will help you with it: an online platform designed to teach programming.

It consists of four lessons and lasts two weeks. During this time you will learn the very basics of programming, write your first program, and also learn what languages there are and what a programmer can specialize in. To consolidate the material you will be provided with everything you need: video recordings of the lessons and manuals. Why, you will even receive a certificate of completion, if you suddenly want to brag to someone!

Once the basics are behind you, you can choose one of the professions and undergo full-fledged training consisting of several courses.

Web developer

https://geekbrains.ru/professions/web_developer

Is it easy to be a web developer? It may seem that it is not very difficult: after all, anyone can make a website. However, to become a real full-stack developer today you need to know much more than HTML and some server-side language. In ten months this set of Geekbrains courses will take you from mastering HTML and CSS to learning PHP, from the very beginning to professional web development using the Yii2 framework. In addition, it includes courses on JavaScript, both client-side and server-side (Node.js), as well as the Angular and D3.js frameworks.

Mobile developer

https://geekbrains.ru/professions/mobile_developer

Do you want to make mobile applications for iOS and Android? This set of courses is designed specifically for people like you and lasts 11 months. It includes two Java courses (from basics to advanced OOP, networking and multithreading) and two Android courses (UI development, working with graphics and sensors, and so on). The second half of the course is devoted to Objective-C - this language is necessary for those who plan to make applications for iOS. A course on Swift, a new Apple language that is already beginning to be used in software development, has been added to it.

Java programmer

https://geekbrains.ru/professions/java_developer

The creators of the Java language thought it was so good that it would be used everywhere. That did not quite happen; still, Java is used on Android and in serious server development: the backends of highly loaded applications and multiplayer games are written in this language. Hence the conclusion: Java programmers still have a very good life! Become one of them with this six-month pack of Geekbrains courses. Two of its Java courses coincide with the lesson plan for Android developers, but it is the third course that will help you become a real Java guru. It focuses on databases, building GUIs, and complex stuff like multithreading, reflection, and inner classes.

Python programmer

https://geekbrains.ru/professions/python_developer

They say that you can start programming in Python without any training, but a couple of important details are left unsaid: only someone who already knows a couple of languages will really succeed that way, and you won't become a professional like that. The five-month Geekbrains course includes not only learning Python from the basics to subtleties like decorators, but also touches on HTML/CSS, JavaScript and the Django framework. So you will learn not just to write programs in Python, but to make full-fledged dynamic sites with it.

Ruby programmer

https://geekbrains.ru/professions/ruby_developer

The Ruby language was considered an interesting curiosity for a long time, until the Ruby on Rails framework appeared. Now Ruby is one of the best languages for web development, and thanks to Rails it speeds up and simplifies the development of complex web applications many times over. This six-month Geekbrains course will teach you how to handle HTML/CSS and client-side JavaScript, and will teach you Ruby specifically for use with Rails. Controllers and templating engines are waiting for you, future web developer!

Special project with GeekBrains

Fifteen years ago, Chris Kaspersky's epic The Fundamentals of Hacking was the go-to book for every aspiring computer security researcher. However, time passes, and the knowledge published by Chris is no longer relevant. The Hacker editors tried to update this voluminous work and move it from the days of Windows 2000 and Visual Studio 6.0 to the days of Windows 10 and Visual Studio 2017.

Authenticity check

Authenticity verification (from the Greek authentikos, genuine) is the "heart" of the vast majority of protection mechanisms. We must make sure that the person working with the program is who he claims to be, and whether this person is allowed to work with the program at all!

Not only the user can act as a “person”, but also his computer or storage medium that stores a licensed copy of the program. Thus, all protective mechanisms can be divided into two main categories:

  • knowledge-based protections (password, serial number);
  • protections based on possession (key disk, documentation).

If the defense is based on the mere assumption that its code will not be examined and/or changed, then this is a bad defense. The lack of source code is by no means an insurmountable obstacle to studying and modifying the application. Modern reverse engineering technologies allow you to automatically recognize library functions, local variables, stack arguments, data types, branches, loops, and more. And in the near future, disassemblers will probably even learn how to generate listings that are close in appearance to high-level languages.

But even today, the analysis of the binary code is not so laborious as to stop intruders for a long time. A huge number of constantly committed hacks is the best confirmation of this. In the ideal case, knowledge of the protection algorithm should not affect its durability, but this is far from always achievable. For example, if the developer of the server program decides to set a limit on the number of simultaneously processed connections in the demo version (as often happens), the attacker just needs to find the processor instruction that performs such a check and remove it. Modifications to a program can be prevented by constant checking of its integrity, but again the code that checks the integrity can be found and removed.


Step one. Warm-up

The algorithm of the simplest authentication mechanism consists in character-by-character comparison of the password entered by the user with a reference value stored either in the program itself (as often happens) or outside it, for example, in a configuration file or registry (which is less common).

The advantage of such protection is an extremely simple software implementation. Its core actually consists of a single line, which in C can be written like this:

if (strcmp(entered_password, reference_password)) { /* Password is incorrect */ } else { /* Password is OK */ }

Let's supplement this code with the procedures for requesting a password and displaying the results of the comparison, and then test the resulting program for strength, that is, for resistance to hacking:

Listing 1. An example of a simple authentication system

#include "stdafx.h" // Visual Studio precompiled header; drop this line when building elsewhere

// The simplest authentication system:
// character-by-character password comparison
#include <stdio.h>
#include <string.h>

#define PASSWORD_SIZE 100
#define PASSWORD "myGOODpassword\n"
// The trailing newline is needed so that we do not
// have to strip the line break from the string
// entered by the user

int main()
{
    // Counter of failed authentication attempts
    int count = 0;
    // Buffer for the password entered by the user
    char buff[PASSWORD_SIZE];

    // Main authentication loop
    for (;;)
    {
        // Request and read the user's password
        printf("Enter password:");
        fgets(&buff[0], PASSWORD_SIZE, stdin);

        // Compare the original and the entered password
        if (strcmp(&buff[0], PASSWORD))
            // If the passwords do not match, "swear"
            printf("Wrong password\n");
        // Otherwise (if the passwords are identical)
        // exit the authentication loop
        else break;

        // Increment the counter of failed attempts
        // to authenticate and, if all attempts
        // are exhausted, exit the program
        if (++count > 3) return -1;
    }

    // Since we are here, the user entered the correct password
    printf("Password OK\n");
}

In popular movies, tough hackers easily penetrate any terribly secure system, somehow guessing the desired password in several attempts. Why not try to follow their path?

It's not uncommon for passwords to be meaningful words like Ferrari, QWERTY, the names of your favorite hamsters, or the names of geographical locations. Guessing a password is akin to guessing on the coffee grounds - there are no guarantees for success, it remains only to rely on luck. And luck, as you know, is a proud bird - don’t put your finger in her mouth. Is there a more reliable way to hack?

Let's think. Since the reference password is stored in the body of the program, then, unless it is encrypted in some tricky way, it can be found by simply viewing the program's binary code. Going through all the text strings found there, starting with those that look most like a password, we will very quickly pick the right key and open the program with it! Moreover, the area to look through can be narrowed significantly: in the vast majority of cases compilers place all initialized variables in the data segment (in PE files it lives in the .data or .rdata section). The exception is, perhaps, the early Borland compilers with their manic love of sticking text strings into the code segment, right at the place where they are used. This simplifies the compiler itself but creates a lot of problems. Modern operating systems, unlike the old MS-DOS, prohibit modification of the code segment, and all variables placed there are read-only. In addition, on processors with separate caches, such strings "clog" the code cache, getting there during read-ahead, and on first access are loaded again from slow RAM (or the second-level cache) into the data cache. The result is slowdowns and a drop in performance.

Well, the data section it is! It remains only to find a convenient tool for viewing the binary file. You can, of course, press the F3 key in your favorite shell (FAR, for example) and, holding down the Page Down key, admire the running numbers until you get bored.

You can use any hex-editor (QView, Hiew...) - whatever you like - but in the article, for reasons of clarity, the result of the DUMPBIN utility from the standard delivery of Microsoft Visual Studio is shown. DUMPBIN is run from the Developer Command Prompt.

Let's set the utility on the executable file of our program, which contains the password, and ask it to print the rdata section containing initialized read-only data (the /SECTION:.rdata key) in "raw" form (the /RAWDATA:BYTES key), specifying the > icon for redirecting output to a file (the program's response takes up a lot of space, and only one "tail" fits on the screen).

Listing 2

> dumpbin /RAWDATA:BYTES /SECTION:.rdata passCompare1.exe > rdata.txt

004020E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
004020F0: 18 30 40 00 68 30 40 00 45 6E 74 65 72 20 70 61  .0@.h0@.Enter pa
00402100: 73 73 77 6F 72 64 3A 00 6D 79 47 4F 4F 44 70 61  ssword:.myGOODpa
00402110: 73 73 77 6F 72 64 0A 00 57 72 6F 6E 67 20 70 61  ssword..Wrong pa
00402120: 73 73 77 6F 72 64 0A 00 50 61 73 73 77 6F 72 64  ssword..Password
...
00402140: 00 00 00 00 90 0A C1 5B 00 00 00 00 02 00 00 00  ......A[........
00402150: 48 00 00 00 24 22 00 00 24 14 00 00 00 00 00 00  H...$"..$.......

Among other things, there is one string here painfully similar to the reference password (the myGOODpassword string starting at 00402108). Shall we test it? However, what's the point: judging by the source code of the program, this really is the desired password that opens the protection, like a golden key. The compiler chose too prominent a place to store it; it would not hurt to hide the password better.

One way to do this is to forcefully place the master password in a section of our own choosing. This possibility is not provided by the standard, and therefore each compiler developer (strictly speaking, not a compiler, but a linker, but this is not important) is free to implement it in his own way or not to implement it at all. Microsoft Visual C++ provides a special data_seg pragma for this purpose, which specifies in which section to place the initialized variables following it. Uninitialized variables are located in the .bss section by default and are controlled by the bss_seg pragma, respectively.

In Listing 1, before the main function, add a new section in which we will store our password:

// From now on, all initialized variables will
// be placed in the section .kpnc
#pragma data_seg(".kpnc")
#define PASSWORD_SIZE 100
#define PASSWORD "myGOODpassword\n"
char passwd[] = PASSWORD;
#pragma data_seg()

Inside the main function, initialize the array:

// Now all initialized variables will again be
// placed in the default section, i.e. .rdata
char buff[PASSWORD_SIZE] = "";

The string comparison condition in the loop has changed slightly:

if (strcmp(&buff[0], &passwd[0]))

Let's set the DUMPBIN utility on a new executable file:

> dumpbin /RAWDATA:BYTES /SECTION:.rdata passCompare2.exe > rdata.txt

004020C0: D3 17 40 00 00 00 00 00 D8 11 40 00 00 00 00 00  ..@.......@.....
004020D0: 00 00 00 00 2C 11 40 00 D0 11 40 00 00 00 00 00  ....,.@...@.....
004020E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
004020F0: ?? ?? ?? ?? ?? ?? ?? ?? 45 6E 74 65 72 20 70 61  ........Enter pa
00402100: 73 73 77 6F 72 64 3A 00 57 72 6F 6E 67 20 70 61  ssword:.Wrong pa
00402110: 73 73 77 6F 72 64 0A 00 50 61 73 73 77 6F 72 64  ssword..Password
00402120: 20 4F 4B 0A 00 00 00 00 00 00 00 00 00 00 00 00   OK.............
00402130: 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??  ....oEA[........
00402140: 48 00 00 00 14 22 00 00 14 14 00 00 00 00 00 00  H...."..........
00402150: 6F CB C4 5B 00 00 00 00 0C 00 00 00 14 00 00 00  oEA[............

Yeah, now there is no password in the data section and the hackers are "resting"! But don't jump to conclusions. Let's first display a list of all the sections in the file:

> dumpbin passCompare2.exe

  Summary

        1000 .data
        1000 .kpnc
        1000 .rdata
        1000 .reloc
        1000 .rsrc
        1000 .text

The non-standard .kpnc section immediately draws attention to itself. Let's see what's in it, shall we?

> dumpbin /SECTION:.kpnc /RAWDATA passCompare2.exe

RAW DATA #4
  00404000: 6D 79 47 4F 4F 44 70 61 73 73 77 6F 72 64 0A 00  myGOODpassword..

Here it is, the password! So much for hiding it... You can, of course, go further and shove the secret data into the uninitialized data section (.bss) or even the code section (.text): not everyone will think to look there, and such placement will not break the program. But do not forget about the possibility of an automated search for text strings in a binary file. Whichever section contains the reference password, the filter will easily find it (the only problem is to determine which of the many text strings is the desired key; you may need to sort through a dozen or two potential "candidates").
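The automated search for text strings just mentioned, written out as an added example (my code, not the article's or DUMPBIN's): a small strings-style scanner run over a byte image constructed to mirror the .rdata bytes from Listing 2, plus the check a build step can apply to its own binaries to catch a reference password that landed in any section. The image bytes, and the "verifier" placeholder in the hardened variant, are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One printable run found in a byte image: where it starts and how long it is. */
typedef struct { size_t offset; size_t len; } string_hit;

/* The same notion of "printable" a strings-style filter uses: 0x20..0x7E. */
static int is_printable(uint8_t c) { return c >= 0x20 && c <= 0x7E; }

/* Walk the image and record every run of at least min_len printable bytes.
   Returns the total number of runs; at most max_out are stored in out, so
   passing NULL, 0 just counts them. */
size_t extract_strings(const uint8_t *img, size_t n, size_t min_len,
                       string_hit *out, size_t max_out)
{
    size_t found = 0, start = 0;
    for (size_t i = 0; i <= n; i++) {
        /* A non-printable byte, or the end of the image, closes the run. */
        if (i == n || !is_printable(img[i])) {
            size_t len = i - start;
            if (len >= min_len) {
                if (found < max_out) { out[found].offset = start; out[found].len = len; }
                found++;
            }
            start = i + 1;
        }
    }
    return found;
}

/* Build-time check: does a known secret appear inside any printable run of
   the image? Returns 1 if it leaks, 0 otherwise. */
int image_leaks_secret(const uint8_t *img, size_t n, const char *secret)
{
    string_hit hits[64];
    size_t k = extract_strings(img, n, 4, hits, 64), slen = strlen(secret);
    if (k > 64) k = 64;
    for (size_t i = 0; i < k; i++)
        for (size_t off = 0; off + slen <= hits[i].len; off++)
            if (memcmp(img + hits[i].offset + off, secret, slen) == 0) return 1;
    return 0;
}

/* Constructed image modelled on the .rdata bytes of Listing 2 (addresses
   004020F0..00402133 of passCompare1.exe); not a real file dump. */
static const uint8_t LEAKY_IMAGE[] = {
    0x18,0x30,0x40,0x00,0x68,0x30,0x40,0x00,'E','n','t','e','r',' ','p','a',
    's','s','w','o','r','d',':',0x00,'m','y','G','O','O','D','p','a',
    's','s','w','o','r','d',0x0A,0x00,'W','r','o','n','g',' ','p','a',
    's','s','w','o','r','d',0x0A,0x00,'P','a','s','s','w','o','r','d',
    ' ','O','K',0x0A,0x00,0x00,0x00,0x00,
};

/* The same image after the plaintext reference is replaced by an 8-byte
   verifier (constructed placeholder bytes standing in for a password hash). */
static const uint8_t HARDENED_IMAGE[] = {
    0x18,0x30,0x40,0x00,0x68,0x30,0x40,0x00,'E','n','t','e','r',' ','p','a',
    's','s','w','o','r','d',':',0x00,0x9C,0x03,0xE7,0x8A,0x1F,0xB2,0xC4,0xD8,
    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,'W','r','o','n','g',' ','p','a',
    's','s','w','o','r','d',0x0A,0x00,'P','a','s','s','w','o','r','d',
    ' ','O','K',0x0A,0x00,0x00,0x00,0x00,
};

int main(void)
{
    string_hit hits[16];
    size_t k = extract_strings(LEAKY_IMAGE, sizeof LEAKY_IMAGE, 4, hits, 16);
    for (size_t i = 0; i < k && i < 16; i++)
        printf("+%04zx  %.*s\n", hits[i].offset, (int)hits[i].len,
               (const char *)LEAKY_IMAGE + hits[i].offset);
    printf("reference password leaks: listing %d, hardened %d\n",
           image_leaks_secret(LEAKY_IMAGE, sizeof LEAKY_IMAGE, "myGOODpassword"),
           image_leaks_secret(HARDENED_IMAGE, sizeof HARDENED_IMAGE, "myGOODpassword"));
    return 0;
}
```

With the minimum length at 4, the short pointer fragments ("0@", "h0@") that clutter a raw dump are dropped and only the four real messages remain; the hardened image still shows its prompts but no longer yields the password.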

Step two. Introduction to the disassembler

Okay, we got the password. But how tedious to enter it every time from the keyboard before starting the program! It would be nice to hack it so that no password is requested at all, or the program would perceive any entered password as correct.

Hack, you say? Well, that's easy! It is much harder to decide what exactly to hack it with. The tools of hackers are extremely diverse, you name it: disassemblers, debuggers, API and message spies, monitors of access to files (ports, the registry), unpackers of executable files, and... It's hard for a novice code digger to make sense of all this stuff!

However, spies, monitors and unpackers are auxiliary, second-tier utilities; the main weapons of a cracker are the debugger and the disassembler.

So, the disassembler is applicable for the study of compiled programs and is partially suitable for the analysis of pseudo-compiled code. If so, it should be suitable for opening passCompare1.exe password protection. The whole question is which disassembler to choose.

Not all disassemblers are the same. There are also “intellectuals” among them who automatically recognize many constructions, such as prologues and epilogues of functions, local variables, cross-references, and there are also “simpletons” whose abilities are limited only by translating machine instructions into assembler instructions.

The most logical thing is to use the services of an intelligent disassembler (if there is one), but... let's not rush, and try to do all the analysis manually. Tooling, of course, is a good thing, but it is not always at hand, and it would be nice to learn in advance how to work in the field. Besides, dealing with a bad disassembler is the best way to appreciate the "goodies" of a good one.

Let's use the already familiar DUMPBIN utility, a real "Swiss army knife" with many useful functions, among which there is also a disassembler. Let's disassemble the code section (named .text, as we remember), redirecting the output to a file, since it obviously won't fit on the screen:

> dumpbin /SECTION:.text /DISASM passCompare1.exe > code-text.txt

Let's look again at the data section (or another one, depending on where the password is stored): see Listing 2.

Remember the found password: myGOODpassword . Unlike Visual C++ 6.0, which Chris used, Visual C++ 2017 does not refer to initialized variables by hexadecimal offset, but substitutes the value directly into the code section. Thus, let's try to find the previously revealed password in the disassembled listing by trivial contextual search using any text editor.

0040107D: B9 08 21 40 00     mov         ecx,offset <mangled name of the "myGOODpassword\n" constant at 00402108; garbled in extraction>
00401082: 8A 10              mov         dl,byte ptr [eax]
00401084: 3A 11              cmp         dl,byte ptr [ecx]
00401086: 75 1A              jne         004010A2
00401088: 84 D2              test        dl,dl

See, the central part of this listing compares the strings whose addresses are held in the EAX and ECX registers. ECX, as the first line of the listing shows, holds the reference password; EAX, therefore, holds the one entered by the user. Then the comparison takes place and jumps are made to almost the same point: 0x4010A2 and 0x40109E. Let's see what's there:

0040109E: 33 C0              xor         eax,eax
004010A0: EB 05              jmp         004010A7
004010A2: 1B C0              sbb         eax,eax
004010A4: 83 C8 01           or          eax,1
004010A7: 85 C0              test        eax,eax
004010A9: 74 63              je          0040110E
004010AB: 0F 1F 44 00 00     nop         dword ptr [eax+eax]
004010B0: 68 18 21 40 00     push        offset <mangled name of the "Wrong password\n" constant at 00402118; garbled in extraction>
004010B5: E8 56 FF FF FF     call        _printf

The test eax,eax instruction at offset 0x4010A7 plays a central role here. If eax is 0, the following JE instruction jumps to 0x40110E. Otherwise, the string Wrong password is pushed to the top of the stack:

push        offset <mangled name of the "Wrong password\n" constant at 00402118; garbled in extraction>

and then a function call with a telling name:

call        _printf

Hence, a non-zero value of EAX indicates a false password, and zero indicates a true one.

Okay, then let's move on to the analysis of the valid branch of the program, which is done after jumping to 0x40110E. And here is an instruction that puts the string Password OK on top of the stack, after which the _printf procedure is called, which obviously prints the string to the screen:

0040110E: 68 28 21 40 00     push        offset <mangled name of the "Password OK\n" constant at 00402128; garbled in extraction>
00401113: E8 F8 FE FF FF     call        _printf

The practical conclusions are as follows: if you replace the JE instruction with JNE, then the program will reject the true password as incorrect, and any incorrect password will be accepted as true. And if you replace TEST EAX,EAX with XOR EAX,EAX, then after executing this instruction the EAX register will always be equal to zero, no matter what password is entered.

The point is small - to find these very bytes in the executable file and slightly correct them.

Step three. Surgical

Making changes directly to the executable is serious business. Constrained by the already existing code, we have to be content with only what we have: neither pushing instructions apart, nor even moving them, nor throwing "extra spare parts" out of the protection will work. After all, that would shift the offsets of all the other instructions, while the values of pointers and jump addresses would remain unchanged and point to entirely the wrong place!

Well, "throwing out spare parts" is actually easy to deal with: just overwrite the code with NOP instructions (whose opcode is 0x90, and not 0x0 at all, as many novice diggers for some reason think), that is, with an empty operation (in fact, NOP is just another way of writing the instruction XCHG EAX,EAX, if you're interested). Moving instructions is much harder! Fortunately, PE files always have plenty of "holes" left over from alignment, and you can place your code or your data in them.

But wouldn't it be easier to simply reassemble the disassembled listing after making the required changes to it? No, it is not simpler, and here's why: if the assembler does not recognize pointers passed to functions (and, as we saw, our disassembler could not distinguish them from constants), it will accordingly not take care to fix them up properly, and naturally the program will not work.

You have to operate on the program live. The easiest way to do this is with the Hiew utility, which "digests" the PE file format and thereby simplifies the search for the desired fragment. Any version of this hex editor will do. For example, I used the far from newest version 6.86, which coexists perfectly with Windows 10. Let's run it by specifying the file name on the command line, hiew32 passCompare1.exe, press the Enter key twice, switch to assembler mode and use the F5 key to go to the required address. As we remember, the TEST instruction, which checks the result for equality to zero, was located at 0x4010A7.

In order for Hiew to distinguish between an address and an offset in the file itself, prefix it with a dot: .4010A7.

004010A7: 85 C0              test        eax,eax
004010A9: 74 63              je          0040110E

Yep, just what we need! Press the F3 key to put Hiew into edit mode, move the cursor to the TEST EAX,EAX command, and press the Enter key to change it to XOR EAX,EAX.

004010A7: 33 C0              xor         eax,eax
004010A9: 74 63              je          0040110E

Noticing with satisfaction that the new command fits exactly into the previous one, we will press the F9 key to save the changes to disk, and then exit Hiew and try to run the program by entering the first password that came to mind:

>passCompare1
Enter password:Hi hat!
Password OK

Happened! The defense has fallen! Okay, but what would we do if Hiew didn't know how to "digest" PE files? Then you would have to resort to contextual search. Let's turn our attention to the hexadecimal dump located by the disassembler to the left of the assembler commands. Of course, if you try to find the sequence 85 C0 - the TEST EAX,EAX command code, nothing good will come of it - there can be several hundred or even more of these TESTs in the program. But the transition address, most likely, is different in all branches of the program, and the substring TEST EAX,EAX/JE 0040110E has a good chance of being unique. Let's try to find the corresponding code in the file: 85 C0 74 63 (in Hiew, just press the F7 key).

Opp-s! Only one occurrence was found, which is exactly what we need. Let's now try to modify the file directly in hex mode without going into assembler. Along the way, take note: inverting the least significant bit of the opcode turns the jump condition into its opposite, that is, 74 JE -> 75 JNE.



Works? In a sense: the protection has gone completely crazy, it does not recognize the true password, but joyfully welcomes all the rest. Wonderful!


To be continued?

So, you've read (have you?) the opening passage of Chris Kaspersky's classic The Fundamentals of Hacking with a modern twist. Have we been able to update this knowledge to the current level? Is it worth continuing? Share your opinion on
